openssl: clear OpenSSL error queue before return to Ruby

* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2016-05-18 04:07:47 +00:00 · 2016-05-18 04:07:47 +00:00 · c8cb26252a
commit c8cb26252a
parent d66e88dc2c
36 changed files with 124 additions and 107 deletions
--- a/26
+++ b/26
@ -1,3 +1,29 @@
+Wed May 18 13:03:07 2016  Kazuki Yamaguchi  <k@rhe.jp>
+
+	* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify()
+	  family may put errors on 0 return (0 means verification failure).
+	  Clear OpenSSL error queue before return to Ruby. Since the queue is
+	  thread global, remaining errors in the queue can cause an unexpected
+	  error in the next OpenSSL operation.  [ruby-core:48284] [Bug #7215]
+
+	* ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto.
+
+	* ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto.
+
+	* ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto.
+
+	* ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error
+	  queue before re-raising exception.
+
+	* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
+
+	* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.
+
+	* ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto.
+
+	* test/openssl: check that OpenSSL.errors is empty every time after
+	  running a test case.
+
 Wed May 18 12:07:42 2016  Kazuki Yamaguchi  <k@rhe.jp>

 	* ext/openssl/ossl.c (ossl_clear_error): Extracted from
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@ -129,7 +129,11 @@ dh_generate(int size, int gen)

    if (!gen_arg.result) {
 	DH_free(dh);
-	if (cb_arg.state) rb_jump_tag(cb_arg.state);
+	if (cb_arg.state) {
+	    /* Clear OpenSSL error queue before re-raising. */
+	    ossl_clear_error();
+	    rb_jump_tag(cb_arg.state);
+	}
 	return 0;
    }
 #else
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@ -135,7 +135,14 @@ dsa_generate(int size)
    }
    if (!gen_arg.result) {
 	DSA_free(dsa);
-	if (cb_arg.state) rb_jump_tag(cb_arg.state);
+	if (cb_arg.state) {
+	    /* Clear OpenSSL error queue before re-raising. By the way, the
+	     * documentation of DSA_generate_parameters_ex() says the error code
+	     * can be obtained by ERR_get_error(), but the default
+	     * implementation, dsa_builtin_paramgen() doesn't put any error... */
+	    ossl_clear_error();
+	    rb_jump_tag(cb_arg.state);
+	}
 	return 0;
    }
 #else
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@ -139,7 +139,11 @@ rsa_generate(int size, unsigned long exp)
    if (!gen_arg.result) {
 	BN_free(e);
 	RSA_free(rsa);
-	if (cb_arg.state) rb_jump_tag(cb_arg.state);
+	if (cb_arg.state) {
+	    /* must clear OpenSSL error stack */
+	    ossl_clear_error();
+	    rb_jump_tag(cb_arg.state);
+	}
 	return 0;
    }

--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@ -1288,8 +1288,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
 	ret = func(ssl);

        cb_state = rb_ivar_get(self, ID_callback_state);
-        if (!NIL_P(cb_state))
-            rb_jump_tag(NUM2INT(cb_state));
+        if (!NIL_P(cb_state)) {
+	    /* must cleanup OpenSSL error stack before re-raising */
+	    ossl_clear_error();
+	    rb_jump_tag(NUM2INT(cb_state));
+	}

 	if (ret > 0)
 	    break;
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@ -591,18 +591,19 @@ ossl_x509_verify(VALUE self, VALUE key)
 {
    X509 *x509;
    EVP_PKEY *pkey;
-    int i;

    pkey = GetPKeyPtr(key); /* NO NEED TO DUP */
    GetX509(self, x509);
-    if ((i = X509_verify(x509, pkey)) < 0) {
+
+    switch (X509_verify(x509, pkey)) {
+      case 1:
+	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
 	ossl_raise(eX509CertError, NULL);
    }
-    if (i > 0) {
-	return Qtrue;
-    }
-
-    return Qfalse;
 }

 /*
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@ -360,17 +360,17 @@ static VALUE
 ossl_x509crl_verify(VALUE self, VALUE key)
 {
    X509_CRL *crl;
-    int ret;

    GetX509CRL(self, crl);
-    if ((ret = X509_CRL_verify(crl, GetPKeyPtr(key))) < 0) {
+    switch (X509_CRL_verify(crl, GetPKeyPtr(key))) {
+      case 1:
+	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
 	ossl_raise(eX509CRLError, NULL);
    }
-    if (ret == 1) {
-	return Qtrue;
-    }
-
-    return Qfalse;
 }

 static VALUE
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@ -375,18 +375,18 @@ ossl_x509req_verify(VALUE self, VALUE key)
 {
    X509_REQ *req;
    EVP_PKEY *pkey;
-    int i;

    GetX509Req(self, req);
    pkey = GetPKeyPtr(key); /* NO NEED TO DUP */
-    if ((i = X509_REQ_verify(req, pkey)) < 0) {
+    switch (X509_REQ_verify(req, pkey)) {
+      case 1:
+	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
 	ossl_raise(eX509ReqError, NULL);
    }
-    if (i > 0) {
-	return Qtrue;
-    }
-
-    return Qfalse;
 }

 static VALUE
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@ -464,14 +464,20 @@ static VALUE
 ossl_x509stctx_verify(VALUE self)
 {
    X509_STORE_CTX *ctx;
-    int result;

    GetX509StCtx(self, ctx);
    X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx,
-                               (void*)rb_iv_get(self, "@verify_callback"));
-    result = X509_verify_cert(ctx);
+			       (void *)rb_iv_get(self, "@verify_callback"));

-    return result ? Qtrue : Qfalse;
+    switch (X509_verify_cert(ctx)) {
+      case 1:
+	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
+	ossl_raise(eX509CertError, NULL);
+    }
 }

 static VALUE
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: false
 require_relative 'utils'

-class  OpenSSL::TestASN1 < Test::Unit::TestCase
+class  OpenSSL::TestASN1 < OpenSSL::TestCase
  def test_decode
    subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
    key = OpenSSL::TestUtils::TEST_KEY_RSA1024
--- a/test/openssl/test_bn.rb
+++ b/test/openssl/test_bn.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestBN < Test::Unit::TestCase
+class OpenSSL::TestBN < OpenSSL::TestCase
  def test_new_str
    e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable
    e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16)
--- a/test/openssl/test_buffering.rb
+++ b/test/openssl/test_buffering.rb
@ -2,7 +2,7 @@
 require_relative 'utils'
 require 'stringio'

-class OpenSSL::TestBuffering < Test::Unit::TestCase
+class OpenSSL::TestBuffering < OpenSSL::TestCase

  class IO
    include OpenSSL::Buffering
--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestCipher < Test::Unit::TestCase
+class OpenSSL::TestCipher < OpenSSL::TestCase

  class << self

@ -34,6 +34,7 @@ class OpenSSL::TestCipher < Test::Unit::TestCase
  end

  def teardown
+    super
    @c1 = @c2 = nil
  end

--- a/test/openssl/test_config.rb
+++ b/test/openssl/test_config.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: false
 require_relative 'utils'

-class OpenSSL::TestConfig < Test::Unit::TestCase
+class OpenSSL::TestConfig < OpenSSL::TestCase
  def setup
    file = Tempfile.open("openssl.cnf")
    file << <<__EOD__
@ -18,6 +18,7 @@ __EOD__
  end

  def teardown
+    super
    @tmpfile.close!
  end

--- a/test/openssl/test_digest.rb
+++ b/test/openssl/test_digest.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestDigest < Test::Unit::TestCase
+class OpenSSL::TestDigest < OpenSSL::TestCase
  def setup
    @d1 = OpenSSL::Digest.new("MD5")
    @d2 = OpenSSL::Digest::MD5.new
@ -12,6 +12,7 @@ class OpenSSL::TestDigest < Test::Unit::TestCase
  end

  def teardown
+    super
    @d1 = @d2 = @md = nil
  end

--- a/test/openssl/test_engine.rb
+++ b/test/openssl/test_engine.rb
@ -1,9 +1,10 @@
 # frozen_string_literal: false
 require_relative 'utils'

-class OpenSSL::TestEngine < Test::Unit::TestCase
+class OpenSSL::TestEngine < OpenSSL::TestCase

  def teardown
+    super
    OpenSSL::Engine.cleanup # [ruby-core:40669]
    assert_equal(0, OpenSSL::Engine.engines.size)
  end
--- a/test/openssl/test_fips.rb
+++ b/test/openssl/test_fips.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestFIPS < Test::Unit::TestCase
+class OpenSSL::TestFIPS < OpenSSL::TestCase

  def test_fips_mode_is_reentrant
    OpenSSL.fips_mode = false
--- a/test/openssl/test_hmac.rb
+++ b/test/openssl/test_hmac.rb
@ -3,7 +3,7 @@

 require_relative 'utils'

-class OpenSSL::TestHMAC < Test::Unit::TestCase
+class OpenSSL::TestHMAC < OpenSSL::TestCase
  def setup
    @digest = OpenSSL::Digest::MD5
    @key = "KEY"
@ -12,9 +12,6 @@ class OpenSSL::TestHMAC < Test::Unit::TestCase
    @h2 = OpenSSL::HMAC.new(@key, "MD5")
  end

-  def teardown
-  end
-
  def test_hmac
    @h1.update(@data)
    @h2.update(@data)
--- a/test/openssl/test_ns_spki.rb
+++ b/test/openssl/test_ns_spki.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestNSSPI < Test::Unit::TestCase
+class OpenSSL::TestNSSPI < OpenSSL::TestCase
  def setup
    # This request data is adopt from the specification of
    # "Netscape Extensions for User Key Generation".
--- a/test/openssl/test_ocsp.rb
+++ b/test/openssl/test_ocsp.rb
@ -3,7 +3,7 @@ require_relative "utils"

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestOCSP < Test::Unit::TestCase
+class OpenSSL::TestOCSP < OpenSSL::TestCase
  def setup
    ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
    ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@ -517,36 +517,36 @@ module OpenSSL::TestPairM
  end
 end

-class OpenSSL::TestEOF1 < Test::Unit::TestCase
+class OpenSSL::TestEOF1 < OpenSSL::TestCase
  include TestEOF
  include OpenSSL::SSLPair
  include OpenSSL::TestEOF1M
 end

-class OpenSSL::TestEOF1LowlevelSocket < Test::Unit::TestCase
+class OpenSSL::TestEOF1LowlevelSocket < OpenSSL::TestCase
  include TestEOF
  include OpenSSL::SSLPairLowlevelSocket
  include OpenSSL::TestEOF1M
 end

-class OpenSSL::TestEOF2 < Test::Unit::TestCase
+class OpenSSL::TestEOF2 < OpenSSL::TestCase
  include TestEOF
  include OpenSSL::SSLPair
  include OpenSSL::TestEOF2M
 end

-class OpenSSL::TestEOF2LowlevelSocket < Test::Unit::TestCase
+class OpenSSL::TestEOF2LowlevelSocket < OpenSSL::TestCase
  include TestEOF
  include OpenSSL::SSLPairLowlevelSocket
  include OpenSSL::TestEOF2M
 end

-class OpenSSL::TestPair < Test::Unit::TestCase
+class OpenSSL::TestPair < OpenSSL::TestCase
  include OpenSSL::SSLPair
  include OpenSSL::TestPairM
 end

-class OpenSSL::TestPairLowlevelSocket < Test::Unit::TestCase
+class OpenSSL::TestPairLowlevelSocket < OpenSSL::TestCase
  include OpenSSL::SSLPairLowlevelSocket
  include OpenSSL::TestPairM
 end
--- a/test/openssl/test_pkcs12.rb
+++ b/test/openssl/test_pkcs12.rb
@ -4,7 +4,7 @@ require_relative "utils"
 if defined?(OpenSSL::TestUtils)

 module OpenSSL
-  class TestPKCS12 < Test::Unit::TestCase
+  class TestPKCS12 < OpenSSL::TestCase
    include OpenSSL::TestUtils

    def setup
--- a/test/openssl/test_pkcs5.rb
+++ b/test/openssl/test_pkcs5.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: false
 require_relative 'utils'

-class OpenSSL::TestPKCS5 < Test::Unit::TestCase
+class OpenSSL::TestPKCS5 < OpenSSL::TestCase

  def test_pbkdf2_hmac_sha1_rfc6070_c_1_len_20
    p ="password"
--- a/test/openssl/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestPKCS7 < Test::Unit::TestCase
+class OpenSSL::TestPKCS7 < OpenSSL::TestCase
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
--- a/test/openssl/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestPKeyDH < Test::Unit::TestCase
+class OpenSSL::TestPKeyDH < OpenSSL::TestCase

  NEW_KEYLEN = 256

--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@ -4,7 +4,7 @@ require 'base64'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestPKeyDSA < Test::Unit::TestCase
+class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
  def test_private
    key = OpenSSL::PKey::DSA.new(256)
    assert(key.private?)
@ -20,7 +20,6 @@ class OpenSSL::TestPKeyDSA < Test::Unit::TestCase
    key = OpenSSL::PKey::DSA.new 256
    pem  = key.public_key.to_pem
    OpenSSL::PKey::DSA.new pem
-    assert_equal([], OpenSSL.errors)
  end

  def test_new_break
@ -84,7 +83,6 @@ end
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_DSAPublicKey_pem
@ -109,7 +107,6 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_DSA_PUBKEY_pem
@ -135,7 +132,6 @@ YNMbNw==
    assert_equal(g, key.g)
    assert_equal(y, key.pub_key)
    assert_equal(nil, key.priv_key)
-    assert_equal([], OpenSSL.errors)
  end

  def test_export_format_is_DSA_PUBKEY_pem
@ -165,7 +161,6 @@ YNMbNw==
    pub_key = OpenSSL::ASN1.decode(seq[1].value)
    assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
    assert_equal(key.pub_key, pub_key.value)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_der
@ -174,7 +169,6 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(der)
    assert(key2.private?)
    assert_equal(der, key2.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -183,7 +177,6 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem)
    assert(key2.private?)
    assert_equal(pem, key2.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -192,7 +185,6 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(der)
    assert(!key2.private?)
    assert_equal(der, key2.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -201,7 +193,6 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem)
    assert(!key2.private?)
    assert_equal(pem, key2.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -216,7 +207,6 @@ YNMbNw==
    key2 = OpenSSL::PKey.read(pem, 'secret')
    assert(key2.private?)
    #omit pem equality check, will be different due to cipher iv
-    assert_equal([], OpenSSL.errors)
  end

  def test_export_password_length
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC)

-class OpenSSL::TestEC < Test::Unit::TestCase
+class OpenSSL::TestEC < OpenSSL::TestCase
  def setup
    @data1 = 'foo'
    @data2 = 'bar' * 1000 # data too long for DSA sig
@ -131,7 +131,6 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(der)
    assert(ec2.private_key?)
    assert_equal(der, ec2.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -140,7 +139,6 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(pem)
    assert(ec2.private_key?)
    assert_equal(pem, ec2.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -151,7 +149,6 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec3 = OpenSSL::PKey.read(der)
    assert(!ec3.private_key?)
    assert_equal(der, ec3.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -162,7 +159,6 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec3 = OpenSSL::PKey.read(pem)
    assert(!ec3.private_key?)
    assert_equal(pem, ec3.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -177,7 +173,6 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    ec2 = OpenSSL::PKey.read(pem, 'secret')
    assert(ec2.private_key?)
    #omit pem equality check, will be different due to cipher iv
-    assert_equal([], OpenSSL.errors)
  end

  def test_export_password_length
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@ -4,7 +4,7 @@ require 'base64'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestPKeyRSA < Test::Unit::TestCase
+class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
  def test_padding
    key = OpenSSL::PKey::RSA.new(512, 3)

@ -180,7 +180,6 @@ AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE=
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_RSA_PUBKEY_pem
@ -201,7 +200,6 @@ AwEAAQ==
    assert_equal(nil, key.d)
    assert_equal(nil, key.p)
    assert_equal(nil, key.q)
-    assert_equal([], OpenSSL.errors)
  end

  def test_export_format_is_RSA_PUBKEY
@ -223,7 +221,6 @@ AwEAAQ==
    key = OpenSSL::PKey.read(der)
    assert(key.private?)
    assert_equal(der, key.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem
@ -231,7 +228,6 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem)
    assert(key.private?)
    assert_equal(pem, key.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_der
@ -239,7 +235,6 @@ AwEAAQ==
    key = OpenSSL::PKey.read(der)
    assert(!key.private?)
    assert_equal(der, key.to_der)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_public_key_pem
@ -247,7 +242,6 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem)
    assert(!key.private?)
    assert_equal(pem, key.to_pem)
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw
@ -261,7 +255,6 @@ AwEAAQ==
    key = OpenSSL::PKey.read(pem, 'secret')
    assert(key.private?)
    #omit pem equality check, will be different due to cipher iv
-    assert_equal([], OpenSSL.errors)
  end

  def test_read_private_key_pem_pw_exception
@ -272,7 +265,6 @@ AwEAAQ==
        raise RuntimeError
      end
    end
-    assert_equal([], OpenSSL.errors)
  end

  def test_export_password_length
@ -306,7 +298,6 @@ AwEAAQ==
    assert_equal(key.n, pub_key.value[0].value)
    assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag)
    assert_equal(key.e, pub_key.value[1].value)
-    assert_equal([], OpenSSL.errors)
  end

 end
--- a/test/openssl/test_random.rb
+++ b/test/openssl/test_random.rb
@ -4,7 +4,7 @@ begin
 rescue LoadError
 end

-class OpenSSL::TestRandom < Test::Unit::TestCase
+class OpenSSL::TestRandom < OpenSSL::TestCase
  def test_random_bytes
    assert_equal("", OpenSSL::Random.random_bytes(0))
    assert_equal(12, OpenSSL::Random.random_bytes(12).bytesize)
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@ -3,7 +3,7 @@ require_relative "utils"

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509Certificate < Test::Unit::TestCase
+class OpenSSL::TestX509Certificate < OpenSSL::TestCase
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
@ -14,9 +14,6 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
  end

-  def teardown
-  end
-
  def issue_cert(*args)
    OpenSSL::TestUtils.issue_cert(*args)
  end
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@ -3,7 +3,7 @@ require_relative "utils"

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509CRL < Test::Unit::TestCase
+class OpenSSL::TestX509CRL < OpenSSL::TestCase
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
@ -14,9 +14,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
  end

-  def teardown
-  end
-
  def issue_crl(*args)
    OpenSSL::TestUtils.issue_crl(*args)
  end
--- a/test/openssl/test_x509ext.rb
+++ b/test/openssl/test_x509ext.rb
@ -3,7 +3,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509Extension < Test::Unit::TestCase
+class OpenSSL::TestX509Extension < OpenSSL::TestCase
  def setup
    @basic_constraints_value = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Boolean(true),   # CA
@ -16,9 +16,6 @@ class OpenSSL::TestX509Extension < Test::Unit::TestCase
    ])
  end

-  def teardown
-  end
-
  def test_new
    ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
    assert_equal("basicConstraints", ext.oid)
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@ -4,7 +4,7 @@ require_relative 'utils'

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509Name < Test::Unit::TestCase
+class OpenSSL::TestX509Name < OpenSSL::TestCase
  OpenSSL::ASN1::ObjectId.register(
    "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
  OpenSSL::ASN1::ObjectId.register(
@ -15,9 +15,6 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
    @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
  end

-  def teardown
-  end
-
  def test_s_new
    dn = [ ["C", "JP"], ["O", "example"], ["CN", "www.example.jp"] ]
    name = OpenSSL::X509::Name.new(dn)
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@ -3,7 +3,7 @@ require_relative "utils"

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509Request < Test::Unit::TestCase
+class OpenSSL::TestX509Request < OpenSSL::TestCase
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@ -3,7 +3,7 @@ require_relative "utils"

 if defined?(OpenSSL::TestUtils)

-class OpenSSL::TestX509Store < Test::Unit::TestCase
+class OpenSSL::TestX509Store < OpenSSL::TestCase
  def setup
    @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
    @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
@ -15,9 +15,6 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
  end

-  def teardown
-  end
-
  def test_nosegv_on_cleanup
    cert  = OpenSSL::X509::Certificate.new
    store = OpenSSL::X509::Store.new
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@ -181,7 +181,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
    end
  end

-  class OpenSSL::SSLTestCase < Test::Unit::TestCase
+  class OpenSSL::TestCase < Test::Unit::TestCase
+    def teardown
+      # OpenSSL error stack must be empty
+      assert_equal([], OpenSSL.errors)
+    end
+  end
+
+  class OpenSSL::SSLTestCase < OpenSSL::TestCase
    RUBY = EnvUtil.rubybin
    ITERATIONS = ($0 == __FILE__) ? 100 : 10

@ -206,9 +213,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
      @server = nil
    end

-    def teardown
-    end
-
    def issue_cert(*arg)
      OpenSSL::TestUtils.issue_cert(*arg)
    end