kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

[ruby/openssl] test: adjust test cases for LibreSSL 3.2.4

Browse source 
LibreSSL 3.2.4 made the certificate verification logic back closer to
pre-3.2.2 one, which is more compatible with OpenSSL.

Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support
on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only
(and ~3.3.1, however 3.3 does not have a stable release yet). Since both
releases are security fix, it should be safe to remove those special
treatment from our test suite.

While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and
TLS 1.3 variants for clarity.

https://github.com/ruby/openssl/commit/a9954bac22
This commit is contained in:
Kazuki Yamaguchi 2021-02-25 17:28:23 +09:00
parent 1eb6d8aa63
commit a3f97007bb
Notes: git 2021-03-16 20:38:41 +09:00
4 changed files with 50 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
test/openssl/test_ssl.rb
View file

@ -458,11 +458,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.sync_close = true ssl.sync_close = true
begin begin
assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
assert_include( assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
[
OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
], ssl.verify_result)
ensure ensure
ssl.close ssl.close
end end
@ -930,7 +926,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
["keyUsage", "keyEncipherment,digitalSignature", true], ["keyUsage", "keyEncipherment,digitalSignature", true],
["subjectAltName", san], ["subjectAltName", san],
] ]
ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
ctx.key = @svr_key ctx.key = @svr_key
} }
@ -1015,7 +1011,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(ignore_listener_error: true) { |port| start_server(ignore_listener_error: true) { |port|
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params ctx.set_params
assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed|unable to get local issuer certificate/) { assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
server_connect(port, ctx) server_connect(port, ctx)
} }
} }
@ -1617,13 +1613,13 @@ end
end end
end end
def test_ecdh_curves def test_ecdh_curves_tls12
pend "EC is disabled" unless defined?(OpenSSL::PKey::EC) pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)
ctx_proc = -> ctx { ctx_proc = -> ctx {
# Enable both ECDHE (~ TLS 1.2) cipher suites and TLS 1.3 # Enable both ECDHE (~ TLS 1.2) cipher suites and TLS 1.3
ctx.ciphers = "DEFAULT:!kRSA:!kEDH" ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) ctx.ciphers = "kEECDH"
ctx.ecdh_curves = "P-384:P-521" ctx.ecdh_curves = "P-384:P-521"
} }
start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port| start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
@ -1632,13 +1628,9 @@ end
server_connect(port, ctx) { |ssl| server_connect(port, ctx) { |ssl|
cs = ssl.cipher[0] cs = ssl.cipher[0]
if /\ATLS/ =~ cs # Is TLS 1.3 is used? assert_match (/\AECDH/), cs
if ssl.respond_to?(:tmp_key)
assert_equal "secp384r1", ssl.tmp_key.group.curve_name assert_equal "secp384r1", ssl.tmp_key.group.curve_name
else
assert_match (/\AECDH/), cs
if ssl.respond_to?(:tmp_key)
assert_equal "secp384r1", ssl.tmp_key.group.curve_name
end
end end
ssl.puts "abc"; assert_equal "abc\n", ssl.gets ssl.puts "abc"; assert_equal "abc\n", ssl.gets
} }
@ -1662,6 +1654,26 @@ end
end end
end end
def test_ecdh_curves_tls13
pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)
pend "TLS 1.3 not supported" unless tls13_supported?
ctx_proc = -> ctx {
# Assume TLS 1.3 is enabled and chosen by default
ctx.ecdh_curves = "P-384:P-521"
}
start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ecdh_curves = "P-256:P-384" # disable P-521
server_connect(port, ctx) { |ssl|
assert_equal "TLSv1.3", ssl.ssl_version
assert_equal "secp384r1", ssl.tmp_key.group.curve_name
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
}
end
end
def test_security_level def test_security_level
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
begin begin

2
test/openssl/test_ts.rb
View file

@ -387,7 +387,6 @@ _end_of_pem_
end end
def test_verify_ee_wrong_root_no_intermediate def test_verify_ee_wrong_root_no_intermediate
pend "LibreSSL 3.2.2 Timestamp Issue" if libressl?(3, 2, 2)
assert_raise(OpenSSL::Timestamp::TimestampError) do assert_raise(OpenSSL::Timestamp::TimestampError) do
ts, req = timestamp_ee ts, req = timestamp_ee
ts.verify(req, intermediate_store) ts.verify(req, intermediate_store)
@ -395,7 +394,6 @@ _end_of_pem_
end end
def test_verify_ee_wrong_root_wrong_intermediate def test_verify_ee_wrong_root_wrong_intermediate
pend "LibreSSL 3.2.2 Timestamp Issue" if libressl?(3, 2, 2)
assert_raise(OpenSSL::Timestamp::TimestampError) do assert_raise(OpenSSL::Timestamp::TimestampError) do
ts, req = timestamp_ee ts, req = timestamp_ee
ts.verify(req, intermediate_store, [ca_cert]) ts.verify(req, intermediate_store, [ca_cert])

35
test/openssl/test_x509store.rb
View file

@ -32,17 +32,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
assert_equal true, store.verify(cert1) assert_equal true, store.verify(cert1)
assert_equal true, store.verify(cert2) assert_equal true, store.verify(cert2)
unless libressl?(3, 2, 2) # X509::Store#add_path
# X509::Store#add_path Dir.mktmpdir do |dir|
Dir.mktmpdir do |dir| hash1 = "%08x.%d" % [cert1_subj.hash, 0]
hash1 = "%08x.%d" % [cert1_subj.hash, 0] File.write(File.join(dir, hash1), cert1.to_pem)
File.write(File.join(dir, hash1), cert1.to_pem) store = OpenSSL::X509::Store.new
store = OpenSSL::X509::Store.new store.add_path(dir)
store.add_path(dir)
assert_equal true, store.verify(cert1) assert_equal true, store.verify(cert1)
assert_equal false, store.verify(cert2) assert_equal false, store.verify(cert2)
end
end end
# OpenSSL < 1.1.1 leaks an error on a duplicate certificate # OpenSSL < 1.1.1 leaks an error on a duplicate certificate
@ -77,8 +75,8 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
# Nothing trusted # Nothing trusted
store = OpenSSL::X509::Store.new store = OpenSSL::X509::Store.new
assert_equal(false, store.verify(ee1_cert, [ca2_cert, ca1_cert])) assert_equal(false, store.verify(ee1_cert, [ca2_cert, ca1_cert]))
assert_include([OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY], store.error) assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, store.error)
assert_match(/self.signed|unable to get local issuer certificate/i, store.error_string) assert_match(/self.signed/i, store.error_string)
# CA1 trusted, CA2 missing # CA1 trusted, CA2 missing
store = OpenSSL::X509::Store.new store = OpenSSL::X509::Store.new
@ -188,7 +186,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN
store.add_cert(ca1_cert) store.add_cert(ca1_cert)
assert_equal(true, store.verify(ca1_cert)) assert_equal(true, store.verify(ca1_cert))
assert_equal(libressl?(3, 2, 2), store.verify(ee1_cert)) assert_equal(false, store.verify(ee1_cert))
end end
def test_verify_validity_period def test_verify_validity_period
@ -284,7 +282,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
store.add_cert(ca1_cert) store.add_cert(ca1_cert)
assert_equal(false, store.verify(ca2_cert)) assert_equal(false, store.verify(ca2_cert))
assert_include([OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error) assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, store.error)
# Intermediate CA revoked EE2 # Intermediate CA revoked EE2
store = OpenSSL::X509::Store.new store = OpenSSL::X509::Store.new
@ -324,14 +322,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.add_cert(ca2_cert) store.add_cert(ca2_cert)
store.add_crl(ca1_crl1) store.add_crl(ca1_crl1)
store.add_crl(ca2_crl2) # issued by ca2 but expired store.add_crl(ca2_crl2) # issued by ca2 but expired
if libressl?(3, 2, 2) assert_equal(true, store.verify(ca2_cert))
assert_equal(false, store.verify(ca2_cert))
assert_include([OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
else
assert_equal(true, store.verify(ca2_cert))
end
assert_equal(false, store.verify(ee1_cert)) assert_equal(false, store.verify(ee1_cert))
assert_include([OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error) assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error)
assert_equal(false, store.verify(ee2_cert)) assert_equal(false, store.verify(ee2_cert))
end end

8
test/openssl/utils.rb
View file

@ -196,6 +196,14 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
rescue rescue
end end
def tls13_supported?
return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION)
ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
true
rescue
end
def readwrite_loop(ctx, ssl) def readwrite_loop(ctx, ssl)
while line = ssl.gets while line = ssl.gets
ssl.write(line) ssl.write(line)