PageRenderTime 63ms CodeModel.GetById 19ms RepoModel.GetById 1ms app.codeStats 0ms

/projects/jruby-1.7.3/test/externals/ruby1.8/openssl/test_ssl.rb

https://gitlab.com/essere.lab.public/qualitas.class-corpus
Ruby | 1032 lines | 893 code | 108 blank | 31 comment | 22 complexity | 563258e3e2b1fa14e442895f345b0811 MD5 | raw file
    

  1. begin
    2. 

  2.   require "openssl"
    3. 

  3.   require File.join(File.dirname(__FILE__), "utils.rb")
    4. 

  4. rescue LoadError
    5. 

  5. end
    6. 

  6. require "rbconfig"
    7. 

  7. require "socket"
    8. 

  8. require "test/unit"
    9. 

  9. require 'tempfile'
    10. 

  10. 

  11. if defined?(OpenSSL)
    12. 

  12. 

  13. class OpenSSL::TestSSL < Test::Unit::TestCase
    14. 

  14.   RUBY = ENV["RUBY"] || File.join(
    15. 

  15.     ::Config::CONFIG["bindir"],
    16. 

  16.     ::Config::CONFIG["ruby_install_name"] + ::Config::CONFIG["EXEEXT"]
    17. 

  17.   )
    18. 

  18.   SSL_SERVER = File.join(File.dirname(__FILE__), "ssl_server.rb")
    19. 

  19.   PORT = 20443
    20. 

  20.   ITERATIONS = ($0 == __FILE__) ? 100 : 10
    21. 

  21. 

  22.   # NOT USED: Disable in-proc process launching and either run jruby with
    23. 

  23.   # specified args or yield args to a given block
    24. 

  24.   def jruby_oop(*args)
    25. 

  25.     prev_in_process = JRuby.runtime.instance_config.run_ruby_in_process
    26. 

  26.     JRuby.runtime.instance_config.run_ruby_in_process = false
    27. 

  27.     if block_given?
    28. 

  28.       yield args
    29. 

  29.     else
    30. 

  30.       `#{RUBY} #{args.join(' ')}`
    31. 

  31.     end
    32. 

  32.   ensure
    33. 

  33.     JRuby.runtime.instance_config.run_ruby_in_process = prev_in_process
    34. 

  34.   end
    35. 

  35. 

  36.   def setup
    37. 

  37.     @ca_key  = OpenSSL::TestUtils::TEST_KEY_RSA2048
    38. 

  38.     @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
    39. 

  39.     @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA256
    40. 

  40.     @ca  = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
    41. 

  41.     @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
    42. 

  42.     @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
    43. 

  43. 

  44.     now = Time.at(Time.now.to_i)
    45. 

  45.     ca_exts = [
    46. 

  46.       ["basicConstraints","CA:TRUE",true],
    47. 

  47.       ["keyUsage","cRLSign,keyCertSign",true],
    48. 

  48.     ]
    49. 

  49.     ee_exts = [
    50. 

  50.       ["keyUsage","keyEncipherment,digitalSignature",true],
    51. 

  51.     ]
    52. 

  52.     @ca_cert  = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts,
    53. 

  53.                            nil, nil, OpenSSL::Digest::SHA1.new)
    54. 

  54.     @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts,
    55. 

  55.                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
    56. 

  56.     @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts,
    57. 

  57.                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
    58. 

  58.     @server = nil
    59. 

  59.   end
    60. 

  60. 

  61.   def teardown
    62. 

  62.   end
    63. 

  63. 

  64.   def issue_cert(*arg)
    65. 

  65.     OpenSSL::TestUtils.issue_cert(*arg)
    66. 

  66.   end
    67. 

  67. 

  68.   def issue_crl(*arg)
    69. 

  69.     OpenSSL::TestUtils.issue_crl(*arg)
    70. 

  70.   end
    71. 

  71. 

  72.   def choose_port(port)
    73. 

  73.     tcps = nil
    74. 

  74.     100.times{ |i|
    75. 

  75.       begin
    76. 

  76.         tcps = TCPServer.new("127.0.0.1", port+i)
    77. 

  77.         port = port + i
    78. 

  78.         break
    79. 

  79.       rescue Errno::EADDRINUSE
    80. 

  80.         next
    81. 

  81.       end
    82. 

  82.     }
    83. 

  83.     return tcps, port
    84. 

  84.   end
    85. 

  85. 

  86.   def readwrite_loop(ctx, ssl)
    87. 

  87.     while line = ssl.gets
    88. 

  88.       if line =~ /^STARTTLS$/
    89. 

  89.         ssl.accept
    90. 

  90.         next
    91. 

  91.       end
    92. 

  92.       ssl.write(line)
    93. 

  93.     end
    94. 

  94.   rescue OpenSSL::SSL::SSLError
    95. 

  95.   rescue IOError
    96. 

  96.   ensure
    97. 

  97.     ssl.close rescue nil
    98. 

  98.   end
    99. 

  99. 

  100.   def server_loop(ctx, ssls, server_proc)
    101. 

  101.     loop do
    102. 

  102.       ssl = nil
    103. 

  103.       begin
    104. 

  104.         ssl = ssls.accept
    105. 

  105.       rescue OpenSSL::SSL::SSLError
    106. 

  106.         retry
    107. 

  107.       end
    108. 

  108. 

  109.       Thread.start do
    110. 

  110.         Thread.current.abort_on_exception = true
    111. 

  111.         server_proc.call(ctx, ssl)
    112. 

  112.       end
    113. 

  113.     end
    114. 

  114.   rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED
    115. 

  115.   end
    116. 

  116. 

  117.   def start_server(port0, verify_mode, start_immediately, args = {}, &block)
    118. 

  118.     ctx_proc = args[:ctx_proc]
    119. 

  119.     server_proc = args[:server_proc]
    120. 

  120.     server_proc ||= method(:readwrite_loop)
    121. 

  121. 

  122.     store = OpenSSL::X509::Store.new
    123. 

  123.     store.add_cert(@ca_cert)
    124. 

  124.     store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
    125. 

  125.     ctx = OpenSSL::SSL::SSLContext.new
    126. 

  126.     ctx.cert_store = store
    127. 

  127.     #ctx.extra_chain_cert = [ ca_cert ]
    128. 

  128.     ctx.cert = @svr_cert
    129. 

  129.     ctx.key = @svr_key
    130. 

  130.     ctx.verify_mode = verify_mode
    131. 

  131.     ctx_proc.call(ctx) if ctx_proc
    132. 

  132. 

  133.     Socket.do_not_reverse_lookup = true
    134. 

  134.     tcps, port = choose_port(port0)
    135. 

  135. 

  136.     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
    137. 

  137.     ssls.start_immediately = start_immediately
    138. 

  138. 

  139.     begin
    140. 

  140.       server = Thread.new do
    141. 

  141.         Thread.current.abort_on_exception = true
    142. 

  142.         server_loop(ctx, ssls, server_proc)
    143. 

  143.       end
    144. 

  144. 

  145.       $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG
    146. 

  146. 

  147.       block.call(server, port.to_i)
    148. 

  148.     ensure
    149. 

  149.       tcps.close if (tcps)
    150. 

  150.       if (server)
    151. 

  151.         server.join(5)
    152. 

  152.         if server.alive?
    153. 

  153.           server.kill
    154. 

  154.           server.join
    155. 

  155.           flunk("TCPServer was closed and SSLServer is still alive") unless $!
    156. 

  156.         end
    157. 

  157.       end
    158. 

  158.     end
    159. 

  159.   end
    160. 

  160. 

  161.   def starttls(ssl)
    162. 

  162.     ssl.puts("STARTTLS")
    163. 

  163. 

  164.     sleep 1   # When this line is eliminated, process on Cygwin blocks
    165. 

  165.               # forever at ssl.connect. But I don't know why it does.
    166. 

    167. 

  167.     ssl.connect
    168. 

  168.   end
    169. 

  169. 

  170.   def test_ctx_setup
    171. 

  171.     ctx = OpenSSL::SSL::SSLContext.new
    172. 

  172.     assert_equal(ctx.setup, true)
    173. 

  173.     assert_equal(ctx.setup, nil)
    174. 

  174.   end
    175. 

  175. 

  176.   def test_connect_and_close
    177. 

  177.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    178. 

  178.       sock = TCPSocket.new("127.0.0.1", port)
    179. 

  179.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    180. 

  180.       assert(ssl.connect)
    181. 

  181.       ssl.close
    182. 

  182.       assert(!sock.closed?)
    183. 

  183.       sock.close
    184. 

  184. 

  185.       sock = TCPSocket.new("127.0.0.1", port)
    186. 

  186.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    187. 

  187.       ssl.sync_close = true  # !!
    188. 

  188.       assert(ssl.connect)
    189. 

  189.       ssl.close
    190. 

  190.       assert(sock.closed?)
    191. 

  191.     }
    192. 

  192.   end
    193. 

  193. 

  194.   def test_read_and_write
    195. 

  195.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    196. 

  196.       sock = TCPSocket.new("127.0.0.1", port)
    197. 

  197.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    198. 

  198.       ssl.sync_close = true
    199. 

  199.       ssl.connect
    200. 

  200. 

  201.       assert_raise(ArgumentError) { ssl.sysread(-1) }
    202. 

  202. 

  203.       # puts and gets
    204. 

  204.       ITERATIONS.times{
    205. 

  205.         str = "x" * 100 + "\n"
    206. 

  206.         ssl.puts(str)
    207. 

  207.         assert_equal(str, ssl.gets)
    208. 

  208.       }
    209. 

  209. 

  210.       # read and write
    211. 

  211.       ITERATIONS.times{|i|
    212. 

  212.         str = "x" * 100 + "\n"
    213. 

  213.         ssl.write(str)
    214. 

  214.         assert_equal(str, ssl.read(str.size))
    215. 

  215. 

  216.         str = "x" * i * 100 + "\n"
    217. 

  217.         buf = ""
    218. 

  218.         ssl.write(str)
    219. 

  219.         assert_equal(buf.object_id, ssl.read(str.size, buf).object_id)
    220. 

  220.         assert_equal(str, buf)
    221. 

  221.       }
    222. 

  222. 

  223.       ssl.close
    224. 

  224.     }
    225. 

  225.   end
    226. 

  226. 

  227.   def sysread_size(ssl, size)
    228. 

  228.     buf = ''
    229. 

  229.     while buf.bytesize < size
    230. 

  230.       buf += ssl.sysread(size - buf.bytesize)
    231. 

  231.     end
    232. 

  232.     buf
    233. 

  233.   end
    234. 

  234. 

  235.   def test_sysread_chunks
    236. 

  236.     args = {}
    237. 

  237.     args[:server_proc] = proc { |ctx, ssl|
    238. 

  238.       while line = ssl.gets
    239. 

  239.         if line =~ /^STARTTLS$/
    240. 

  240.           ssl.accept
    241. 

  241.           next
    242. 

  242.         end
    243. 

  243.         ssl.write("0" * 800)
    244. 

  244.         ssl.write("1" * 200)
    245. 

  245.         ssl.close
    246. 

  246.         break
    247. 

  247.       end
    248. 

  248.     }
    249. 

  249.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
    250. 

  250.       sock = TCPSocket.new("127.0.0.1", port)
    251. 

  251.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    252. 

  252.       ssl.sync_close = true
    253. 

  253.       ssl.connect
    254. 

  254.       ssl.syswrite("hello\n")
    255. 

  255.       assert_equal("0" * 200, sysread_size(ssl, 200))
    256. 

  256.       assert_equal("0" * 200, sysread_size(ssl, 200))
    257. 

  257.       assert_equal("0" * 200, sysread_size(ssl, 200))
    258. 

  258.       assert_equal("0" * 200, sysread_size(ssl, 200))
    259. 

  259.       assert_equal("1" * 200, sysread_size(ssl, 200))
    260. 

  260.       ssl.close
    261. 

  261.     }
    262. 

  262.   end
    263. 

  263. 

  264.   def test_sysread_buffer
    265. 

  265.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    266. 

  266.       sock = TCPSocket.new("127.0.0.1", port)
    267. 

  267.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    268. 

  268.       ssl.sync_close = true
    269. 

  269.       ssl.connect
    270. 

  270.       ITERATIONS.times{|i|
    271. 

  271.         # the given buffer is cleared before concatenating.
    272. 

  272.         # NB: SSLSocket#readpartial depends sysread.
    273. 

  273.         str = "x" * i * 100 + "\n"
    274. 

  274.         ssl.syswrite(str)
    275. 

  275.         buf = "asdf"
    276. 

  276.         assert_equal(buf.object_id, ssl.sysread(0, buf).object_id)
    277. 

  277.         assert_equal("", buf)
    278. 

  278. 

  279.         buf = "asdf"
    280. 

  280.         read = ssl.sysread(str.size, buf)
    281. 

  281.         assert(!read.empty?)
    282. 

  282.         assert_equal(buf.object_id, read.object_id)
    283. 

  283.         assert_equal(str[0, buf.bytesize], buf)
    284. 

  284.         sysread_size(ssl, str.bytesize - buf.bytesize) # drop unread bytes
    285. 

  285. 

  286.         ssl.syswrite(str)
    287. 

  287.         read = ssl.sysread(str.size, nil)
    288. 

  288.         assert(!read.empty?)
    289. 

  289.         assert_equal(str[0, read.bytesize], read)
    290. 

  290.         sysread_size(ssl, str.bytesize - read.bytesize) # drop unread bytes
    291. 

  291.       }
    292. 

  292.       ssl.close
    293. 

  293.     }
    294. 

  294.   end
    295. 

  295. 

  296.   def test_client_auth
    297. 

  297.     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    298. 

  298.     start_server(PORT, vflag, true){|server, port|
    299. 

  299.       assert_raise(OpenSSL::SSL::SSLError){
    300. 

  300.         sock = TCPSocket.new("127.0.0.1", port)
    301. 

  301.         ssl = OpenSSL::SSL::SSLSocket.new(sock)
    302. 

  302.         ssl.connect
    303. 

  303.       }
    304. 

  304. 

  305.       ctx = OpenSSL::SSL::SSLContext.new
    306. 

  306.       ctx.key = @cli_key
    307. 

  307.       ctx.cert = @cli_cert
    308. 

  308.       sock = TCPSocket.new("127.0.0.1", port)
    309. 

  309.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    310. 

  310.       ssl.sync_close = true
    311. 

  311.       ssl.connect
    312. 

  312.       ssl.puts("foo")
    313. 

  313.       assert_equal("foo\n", ssl.gets)
    314. 

  314.       ssl.close
    315. 

  315. 

  316.       called = nil
    317. 

  317.       ctx = OpenSSL::SSL::SSLContext.new
    318. 

  318.       ctx.client_cert_cb = Proc.new{ |sslconn|
    319. 

  319.         called = true
    320. 

  320.         [@cli_cert, @cli_key]
    321. 

  321.       }
    322. 

  322.       sock = TCPSocket.new("127.0.0.1", port)
    323. 

  323.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    324. 

  324.       ssl.sync_close = true
    325. 

  325.       ssl.connect
    326. 

  326.       assert(called)
    327. 

  327.       ssl.puts("foo")
    328. 

  328.       assert_equal("foo\n", ssl.gets)
    329. 

  329.       ssl.close
    330. 

  330.     }
    331. 

  331.   end
    332. 

  332. 

  333.   def test_client_auth_with_server_store
    334. 

  334.     vflag = OpenSSL::SSL::VERIFY_PEER
    335. 

  335. 

  336.     localcacert_file = Tempfile.open("cafile")
    337. 

  337.     localcacert_file << @ca_cert.to_pem
    338. 

  338.     localcacert_file.close
    339. 

  339.     localcacert_path = localcacert_file.path
    340. 

  340. 

  341.     ssl_store = OpenSSL::X509::Store.new
    342. 

  342.     ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
    343. 

  343.     ssl_store.add_file(localcacert_path)
    344. 

  344. 

  345.     args = {}
    346. 

  346.     args[:ctx_proc] = proc { |server_ctx|
    347. 

  347.       server_ctx.cert = @svr_cert
    348. 

  348.       server_ctx.key = @svr_key
    349. 

  349.       server_ctx.verify_mode = vflag
    350. 

  350.       server_ctx.cert_store = ssl_store
    351. 

  351.     }
    352. 

  352. 

  353.     start_server(PORT, vflag, true, args){|server, port|
    354. 

  354.       ctx = OpenSSL::SSL::SSLContext.new
    355. 

  355.       ctx.cert = @cli_cert
    356. 

  356.       ctx.key = @cli_key
    357. 

  357.       sock = TCPSocket.new("127.0.0.1", port)
    358. 

  358.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    359. 

  359.       ssl.sync_close = true
    360. 

  360.       ssl.connect
    361. 

  361.       ssl.puts("foo")
    362. 

  362.       assert_equal("foo\n", ssl.gets)
    363. 

  363.       ssl.close
    364. 

  364.       localcacert_file.unlink
    365. 

  365.     }
    366. 

  366.   end
    367. 

  367. 

  368.   def test_client_crl_with_server_store
    369. 

  369.     vflag = OpenSSL::SSL::VERIFY_PEER
    370. 

  370. 

  371.     localcacert_file = Tempfile.open("cafile")
    372. 

  372.     localcacert_file << @ca_cert.to_pem
    373. 

  373.     localcacert_file.close
    374. 

  374.     localcacert_path = localcacert_file.path
    375. 

  375. 

  376.     ssl_store = OpenSSL::X509::Store.new
    377. 

  377.     ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
    378. 

  378.     ssl_store.add_file(localcacert_path)
    379. 

  379.     ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
    380. 

  380. 

  381.     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
    382. 

  382.                     @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new)
    383. 

  383. 

  384.     ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem))
    385. 

  385. 

  386.     args = {}
    387. 

  387.     args[:ctx_proc] = proc { |server_ctx|
    388. 

  388.       server_ctx.cert = @svr_cert
    389. 

  389.       server_ctx.key = @svr_key
    390. 

  390.       server_ctx.verify_mode = vflag
    391. 

  391.       server_ctx.cert_store = ssl_store
    392. 

  392.     }
    393. 

  393. 

  394.     start_server(PORT, vflag, true, args){|s, p|
    395. 

  395.       ctx = OpenSSL::SSL::SSLContext.new
    396. 

  396.       ctx.cert = @cli_cert
    397. 

  397.       ctx.key = @cli_key
    398. 

  398.       assert_raise(OpenSSL::SSL::SSLError){
    399. 

  399.         sock = TCPSocket.new("127.0.0.1", p)
    400. 

  400.         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    401. 

  401.         ssl.sync_close = true
    402. 

  402.         ssl.connect
    403. 

  403.         ssl.close
    404. 

  404.       }
    405. 

  405.       localcacert_file.unlink
    406. 

  406.     }
    407. 

  407.   end
    408. 

  408. 

  409.   def test_starttls
    410. 

  410.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port|
    411. 

  411.       sock = TCPSocket.new("127.0.0.1", port)
    412. 

  412.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    413. 

  413.       ssl.sync_close = true
    414. 

  414.       str = "x" * 1000 + "\n"
    415. 

  415. 

  416.       ITERATIONS.times{
    417. 

  417.         ssl.puts(str)
    418. 

  418.         assert_equal(str, ssl.gets)
    419. 

  419.       }
    420. 

  420. 

  421.       starttls(ssl)
    422. 

  422. 

  423.       ITERATIONS.times{
    424. 

  424.         ssl.puts(str)
    425. 

  425.         assert_equal(str, ssl.gets)
    426. 

  426.       }
    427. 

  427. 

  428.       ssl.close
    429. 

  429.     }
    430. 

  430.   end
    431. 

  431. 

  432.   def test_parallel
    433. 

  433.     GC.start
    434. 

  434.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    435. 

  435.       ssls = []
    436. 

  436.       10.times{
    437. 

  437.         sock = TCPSocket.new("127.0.0.1", port)
    438. 

  438.         ssl = OpenSSL::SSL::SSLSocket.new(sock)
    439. 

  439.         ssl.connect
    440. 

  440.         ssl.sync_close = true
    441. 

  441.         ssls << ssl
    442. 

  442.       }
    443. 

  443.       str = "x" * 1000 + "\n"
    444. 

  444.       ITERATIONS.times{
    445. 

  445.         ssls.each{|ssl|
    446. 

  446.           ssl.puts(str)
    447. 

  447.           assert_equal(str, ssl.gets)
    448. 

  448.         }
    449. 

  449.       }
    450. 

  450.       ssls.each{|ssl| ssl.close }
    451. 

  451.     }
    452. 

  452.   end
    453. 

  453. 

  454.   def test_verify_result
    455. 

  455.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    456. 

  456.       sock = TCPSocket.new("127.0.0.1", port)
    457. 

  457.       ctx = OpenSSL::SSL::SSLContext.new
    458. 

  458.       ctx.set_params
    459. 

  459.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    460. 

  460.       assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
    461. 

  461.       assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
    462. 

  462. 

  463.       sock = TCPSocket.new("127.0.0.1", port)
    464. 

  464.       ctx = OpenSSL::SSL::SSLContext.new
    465. 

  465.       ctx.set_params(
    466. 

  466.         :verify_callback => Proc.new do |preverify_ok, store_ctx|
    467. 

  467.           store_ctx.error = OpenSSL::X509::V_OK
    468. 

  468.           true
    469. 

  469.         end
    470. 

  470.       )
    471. 

  471.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    472. 

  472.       ssl.connect
    473. 

  473.       assert_equal(OpenSSL::X509::V_OK, ssl.verify_result)
    474. 

  474. 

  475.       sock = TCPSocket.new("127.0.0.1", port)
    476. 

  476.       ctx = OpenSSL::SSL::SSLContext.new
    477. 

  477.       ctx.set_params(
    478. 

  478.         :verify_callback => Proc.new do |preverify_ok, store_ctx|
    479. 

  479.           store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
    480. 

  480.           false
    481. 

  481.         end
    482. 

  482.       )
    483. 

  483.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    484. 

  484.       assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
    485. 

  485.       assert_equal(OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION, ssl.verify_result)
    486. 

  486.     }
    487. 

  487.   end
    488. 

  488. 

  489.   def test_extra_chain_cert
    490. 

  490.     start_server(PORT, OpenSSL::SSL::VERIFY_PEER, true){|server, port|
    491. 

  491.       sock = TCPSocket.new("127.0.0.1", port)
    492. 

  492.       ctx = OpenSSL::SSL::SSLContext.new
    493. 

  493.       ctx.set_params
    494. 

  494.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    495. 

  495.       assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
    496. 

  496.       assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
    497. 

  497.     }
    498. 

  498.     # server returns a chain w/o root cert so the client verification fails
    499. 

  499.     # with UNABLE_TO_GET_ISSUER_CERT_LOCALLY not SELF_SIGNED_CERT_IN_CHAIN.
    500. 

  500.     args = {}
    501. 

  501.     args[:ctx_proc] = proc { |server_ctx|
    502. 

  502.       server_ctx.cert = @svr_cert
    503. 

  503.       server_ctx.key = @svr_key
    504. 

  504.       server_ctx.extra_chain_cert = [@svr_cert]
    505. 

  505.     }
    506. 

  506.     start_server(PORT, OpenSSL::SSL::VERIFY_PEER, true, args){|server, port|
    507. 

  507.       sock = TCPSocket.new("127.0.0.1", port)
    508. 

  508.       ctx = OpenSSL::SSL::SSLContext.new
    509. 

  509.       ctx.set_params
    510. 

  510.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    511. 

  511.       assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
    512. 

  512.       assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
    513. 

  513.     }
    514. 

  514.   end
    515. 

  515. 

  516.   def test_client_ca
    517. 

  517.     args = {}
    518. 

  518.     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    519. 

  519. 

  520.     # client_ca as a cert
    521. 

  521.     args[:ctx_proc] = proc { |server_ctx|
    522. 

  522.       server_ctx.cert = @svr_cert
    523. 

  523.       server_ctx.key = @svr_key
    524. 

  524.       server_ctx.client_ca = @ca_cert
    525. 

  525.     }
    526. 

  526.     start_server(PORT, vflag, true, args){|server, port|
    527. 

  527.       ctx = OpenSSL::SSL::SSLContext.new
    528. 

  528.       ctx.key = @cli_key
    529. 

  529.       ctx.cert = @cli_cert
    530. 

  530.       sock = TCPSocket.new("127.0.0.1", port)
    531. 

  531.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    532. 

  532.       ssl.sync_close = true
    533. 

  533.       ssl.connect
    534. 

  534.       ssl.puts("foo")
    535. 

  535.       assert_equal("foo\n", ssl.gets)
    536. 

  536.     }
    537. 

  537. 

  538.     # client_ca as an array
    539. 

  539.     args[:ctx_proc] = proc { |server_ctx|
    540. 

  540.       server_ctx.cert = @svr_cert
    541. 

  541.       server_ctx.key = @svr_key
    542. 

  542.       server_ctx.client_ca = [@ca_cert, @svr_cert]
    543. 

  543.     }
    544. 

  544.     start_server(PORT, vflag, true, args){|server, port|
    545. 

  545.       ctx = OpenSSL::SSL::SSLContext.new
    546. 

  546.       ctx.key = @cli_key
    547. 

  547.       ctx.cert = @cli_cert
    548. 

  548.       sock = TCPSocket.new("127.0.0.1", port)
    549. 

  549.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    550. 

  550.       ssl.sync_close = true
    551. 

  551.       ssl.connect
    552. 

  552.       ssl.puts("foo")
    553. 

  553.       assert_equal("foo\n", ssl.gets)
    554. 

  554.     }
    555. 

  555.   end
    556. 

  556. 

  557.   def test_sslctx_ssl_version_client
    558. 

  558.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    559. 

  559.       sock = TCPSocket.new("127.0.0.1", port)
    560. 

  560.       ctx = OpenSSL::SSL::SSLContext.new
    561. 

  561.       ctx.set_params
    562. 

  562.       ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    563. 

  563.       ctx.ssl_version = "TLSv1"
    564. 

  564.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    565. 

  565.       assert_nothing_raised do
    566. 

  566.         ssl.connect
    567. 

  567.       end
    568. 

  568.       ssl.puts("hello TLSv1")
    569. 

  569.       ssl.close
    570. 

  570.       sock.close
    571. 

  571.       #
    572. 

  572.       sock = TCPSocket.new("127.0.0.1", port)
    573. 

  573.       ctx.ssl_version = "SSLv3"
    574. 

  574.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    575. 

  575.       assert_nothing_raised do
    576. 

  576.         ssl.connect
    577. 

  577.       end
    578. 

  578.       ssl.puts("hello SSLv3")
    579. 

  579.       ssl.close
    580. 

  580.       sock.close
    581. 

  581.       #
    582. 

  582.       sock = TCPSocket.new("127.0.0.1", port)
    583. 

  583.       ctx.ssl_version = "SSLv3_server"
    584. 

  584.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    585. 

  585.       assert_raise(OpenSSL::SSL::SSLError) do
    586. 

  586.         ssl.connect
    587. 

  587.       end
    588. 

  588.       sock.close
    589. 

  589.       #
    590. 

  590.       sock = TCPSocket.new("127.0.0.1", port)
    591. 

  591.       ctx.ssl_version = "TLSv1_client"
    592. 

  592.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    593. 

  593.       assert_nothing_raised do
    594. 

  594.         ssl.connect
    595. 

  595.       end
    596. 

  596.       ssl.puts("hello TLSv1_client")
    597. 

  597.       ssl.close
    598. 

  598.       sock.close
    599. 

  599.     }
    600. 

  600.   end
    601. 

  601. 

  602.   def test_sslctx_ssl_version
    603. 

  603.     args = {}
    604. 

  604.     args[:ctx_proc] = proc { |server_ctx|
    605. 

  605.       server_ctx.ssl_version = "TLSv1"
    606. 

  606.     }
    607. 

  607.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
    608. 

  608.       sock = TCPSocket.new("127.0.0.1", port)
    609. 

  609.       ctx = OpenSSL::SSL::SSLContext.new
    610. 

  610.       ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    611. 

  611.       ctx.ssl_version = "TLSv1"
    612. 

  612.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    613. 

  613.       assert_nothing_raised do
    614. 

  614.         ssl.connect
    615. 

  615.       end
    616. 

  616.       ssl.puts("hello TLSv1")
    617. 

  617.       ssl.close
    618. 

  618.       sock.close
    619. 

  619.       #
    620. 

  620.       sock = TCPSocket.new("127.0.0.1", port)
    621. 

  621.       ctx.ssl_version = "SSLv3"
    622. 

  622.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    623. 

  623.       assert_raise(OpenSSL::SSL::SSLError) do
    624. 

  624.         ssl.connect
    625. 

  625.       end
    626. 

  626.     }
    627. 

  627.   end
    628. 

  628. 

  629.   def test_verify_depth
    630. 

  630.     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    631. 

  631.     args = {}
    632. 

  632.     # depth == 1 => OK
    633. 

  633.     args[:ctx_proc] = proc { |server_ctx|
    634. 

  634.       server_ctx.cert = @svr_cert
    635. 

  635.       server_ctx.key = @svr_key
    636. 

  636.       server_ctx.verify_mode = vflag
    637. 

  637.       server_ctx.verify_depth = 1
    638. 

  638.     }
    639. 

  639.     start_server(PORT, vflag, true, args){|server, port|
    640. 

  640.       ctx = OpenSSL::SSL::SSLContext.new
    641. 

  641.       ctx.key = @cli_key
    642. 

  642.       ctx.cert = @cli_cert
    643. 

  643.       sock = TCPSocket.new("127.0.0.1", port)
    644. 

  644.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    645. 

  645.       assert_nothing_raised do
    646. 

  646.         ssl.connect
    647. 

  647.       end
    648. 

  648.       ssl.close
    649. 

  649.     }
    650. 

  650.     # depth == 0 => error
    651. 

  651.     error = nil
    652. 

  652.     args[:ctx_proc] = proc { |server_ctx|
    653. 

  653.       server_ctx.cert = @svr_cert
    654. 

  654.       server_ctx.key = @svr_key
    655. 

  655.       server_ctx.verify_mode = vflag
    656. 

  656.       server_ctx.verify_depth = 0
    657. 

  657.       server_ctx.verify_callback = proc { |preverify_ok, store_ctx|
    658. 

  658.         error = store_ctx.error
    659. 

  659.         preverify_ok
    660. 

  660.       }
    661. 

  661.     }
    662. 

  662.     start_server(PORT, vflag, true, args){|server, port|
    663. 

  663.       ctx = OpenSSL::SSL::SSLContext.new
    664. 

  664.       ctx.key = @cli_key
    665. 

  665.       ctx.cert = @cli_cert
    666. 

  666.       sock = TCPSocket.new("127.0.0.1", port)
    667. 

  667.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    668. 

  668.       assert_raises(OpenSSL::SSL::SSLError) do
    669. 

  669.         ssl.connect
    670. 

  670.       end
    671. 

  671.       ssl.close
    672. 

  672.     }
    673. 

  673.     assert_equal OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, error
    674. 

  674.   end
    675. 

  675. 

  676.   def test_sslctx_set_params
    677. 

  677.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    678. 

  678.       sock = TCPSocket.new("127.0.0.1", port)
    679. 

  679.       ctx = OpenSSL::SSL::SSLContext.new
    680. 

  680.       ctx.set_params
    681. 

  681.       assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
    682. 

  682.       assert_equal(OpenSSL::SSL::OP_ALL, ctx.options)
    683. 

  683.       ciphers = ctx.ciphers
    684. 

  684.       ciphers_versions = ciphers.collect{|_, v, _, _| v }
    685. 

  685.       ciphers_names = ciphers.collect{|v, _, _, _| v }
    686. 

  686.       assert(ciphers_names.all?{|v| /ADH/ !~ v })
    687. 

  687.       assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
    688. 

  688.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    689. 

  689.       assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
    690. 

  690.       assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
    691. 

  691.     }
    692. 

  692.   end
    693. 

  693. 

  694.   def test_sslctx_ciphers
    695. 

  695.     c = OpenSSL::SSL::SSLContext.new
    696. 

  696. 

  697.     c.ciphers = 'DEFAULT'
    698. 

  698.     default = c.ciphers
    699. 

  699.     assert(default.size > 0)
    700. 

  700. 

  701.     c.ciphers = 'ALL'
    702. 

  702.     all = c.ciphers
    703. 

  703.     assert(all.size > 0)
    704. 

  704. 

  705.     c.ciphers = 'LOW'
    706. 

  706.     low = c.ciphers
    707. 

  707.     assert(low.size > 0)
    708. 

  708. 

  709.     c.ciphers = 'MEDIUM'
    710. 

  710.     medium = c.ciphers
    711. 

  711.     assert(medium.size > 0)
    712. 

  712. 

  713.     c.ciphers = 'HIGH'
    714. 

  714.     high = c.ciphers
    715. 

  715.     assert(high.size > 0)
    716. 

  716. 

  717.     c.ciphers = 'EXP'
    718. 

  718.     exp = c.ciphers
    719. 

  719.     assert(exp.size > 0)
    720. 

  720. 

  721.     # -
    722. 

  722.     c.ciphers = 'ALL:-LOW'
    723. 

  723.     assert_equal(all - low, c.ciphers)
    724. 

  724.     c.ciphers = 'ALL:-MEDIUM'
    725. 

  725.     assert_equal(all - medium, c.ciphers)
    726. 

  726.     c.ciphers = 'ALL:-HIGH'
    727. 

  727.     assert_equal(all - high, c.ciphers)
    728. 

  728.     c.ciphers = 'ALL:-EXP'
    729. 

  729.     assert_equal(all - exp, c.ciphers)
    730. 

  730.     c.ciphers = 'ALL:-LOW:-MEDIUM'
    731. 

  731.     assert_equal(all - low - medium, c.ciphers)
    732. 

  732.     c.ciphers = 'ALL:-LOW:-MEDIUM:-HIGH'
    733. 

  733.     assert_equal(all - low - medium - high, c.ciphers)
    734. 

  734.     assert_raise(OpenSSL::SSL::SSLError) do
    735. 

  735.       # should be empty for OpenSSL/0.9.8l. check OpenSSL changes if this test fail.
    736. 

  736.       c.ciphers = 'ALL:-LOW:-MEDIUM:-HIGH:-EXP'
    737. 

  737.     end
    738. 

  738. 

  739.     # !
    740. 

  740.     c.ciphers = 'ALL:-LOW:LOW'
    741. 

  741.     assert_equal(all.sort, c.ciphers.sort)
    742. 

  742.     c.ciphers = 'ALL:!LOW:LOW'
    743. 

  743.     assert_equal(all - low, c.ciphers)
    744. 

  744.     c.ciphers = 'ALL:!LOW:+LOW'
    745. 

  745.     assert_equal(all - low, c.ciphers)
    746. 

  746. 

  747.     # +
    748. 

  748.     c.ciphers = 'HIGH:LOW:+LOW'
    749. 

  749.     assert_equal(high + low, c.ciphers)
    750. 

  750.     c.ciphers = 'HIGH:LOW:+HIGH'
    751. 

  751.     assert_equal(low + high, c.ciphers)
    752. 

  752. 

  753.     # name+name
    754. 

  754.     c.ciphers = 'RC4'
    755. 

  755.     rc4 = c.ciphers
    756. 

  756.     c.ciphers = 'RSA'
    757. 

  757.     rsa = c.ciphers
    758. 

  758.     c.ciphers = 'RC4+RSA'
    759. 

  759.     assert_equal(rc4&rsa, c.ciphers) 
    760. 

  760.     c.ciphers = 'RSA+RC4'
    761. 

  761.     assert_equal(rc4&rsa, c.ciphers) 
    762. 

  762.     c.ciphers = 'ALL:RSA+RC4'
    763. 

  763.     assert_equal(all + ((rc4&rsa) - all), c.ciphers) 
    764. 

  764.   end
    765. 

  765. 

  766.   def test_sslctx_options
    767. 

  767.     args = {}
    768. 

  768.     args[:ctx_proc] = proc { |server_ctx|
    769. 

  769.       # TLSv1 only
    770. 

  770.       server_ctx.options = OpenSSL::SSL::OP_NO_SSLv2|OpenSSL::SSL::OP_NO_SSLv3
    771. 

  771.     }
    772. 

  772.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
    773. 

  773.       sock = TCPSocket.new("127.0.0.1", port)
    774. 

  774.       ctx = OpenSSL::SSL::SSLContext.new
    775. 

  775.       ctx.set_params
    776. 

  776.       ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    777. 

  777.       ctx.options = OpenSSL::SSL::OP_NO_TLSv1
    778. 

  778.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    779. 

  779.       assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) do
    780. 

  780.         ssl.connect
    781. 

  781.       end
    782. 

  782.       ssl.close
    783. 

  783.       sock.close
    784. 

  784.       #
    785. 

  785.       sock = TCPSocket.new("127.0.0.1", port)
    786. 

  786.       ctx = OpenSSL::SSL::SSLContext.new
    787. 

  787.       ctx.set_params
    788. 

  788.       ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    789. 

  789.       ctx.options = OpenSSL::SSL::OP_NO_SSLv3
    790. 

  790.       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    791. 

  791.       assert_nothing_raised do
    792. 

  792.         ssl.connect
    793. 

  793.       end
    794. 

  794.       ssl.close
    795. 

  795.       sock.close
    796. 

  796.     }
    797. 

  797.   end
    798. 

  798. 

  799.   def test_post_connection_check
    800. 

  800.     sslerr = OpenSSL::SSL::SSLError
    801. 

  801. 

  802.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    803. 

  803.       sock = TCPSocket.new("127.0.0.1", port)
    804. 

  804.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    805. 

  805.       ssl.connect
    806. 

  806.       assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
    807. 

  807.       assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
    808. 

  808.       assert(ssl.post_connection_check("localhost"))
    809. 

  809.       assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
    810. 

  810. 

  811.       cert = ssl.peer_cert
    812. 

  812.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
    813. 

  813.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
    814. 

  814.       assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
    815. 

  815.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
    816. 

  816.     }
    817. 

  817. 

  818.     now = Time.now
    819. 

  819.     exts = [
    820. 

  820.       ["keyUsage","keyEncipherment,digitalSignature",true],
    821. 

  821.       ["subjectAltName","DNS:localhost.localdomain",false],
    822. 

  822.       ["subjectAltName","IP:127.0.0.1",false],
    823. 

  823.     ]
    824. 

  824.     @svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
    825. 

  825.                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
    826. 

  826.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    827. 

  827.       sock = TCPSocket.new("127.0.0.1", port)
    828. 

  828.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    829. 

  829.       ssl.connect
    830. 

  830.       assert(ssl.post_connection_check("localhost.localdomain"))
    831. 

  831.       assert(ssl.post_connection_check("127.0.0.1"))
    832. 

  832.       assert_raise(sslerr){ssl.post_connection_check("localhost")}
    833. 

  833.       assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
    834. 

  834. 

  835.       cert = ssl.peer_cert
    836. 

  836.       assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
    837. 

  837.       assert(OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
    838. 

  838.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
    839. 

  839.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
    840. 

  840.     }
    841. 

  841. 

  842.     now = Time.now
    843. 

  843.     exts = [
    844. 

  844.       ["keyUsage","keyEncipherment,digitalSignature",true],
    845. 

  845.       ["subjectAltName","DNS:*.localdomain",false],
    846. 

  846.     ]
    847. 

  847.     @svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts,
    848. 

  848.                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
    849. 

  849.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
    850. 

  850.       sock = TCPSocket.new("127.0.0.1", port)
    851. 

  851.       ssl = OpenSSL::SSL::SSLSocket.new(sock)
    852. 

  852.       ssl.connect
    853. 

  853.       assert(ssl.post_connection_check("localhost.localdomain"))
    854. 

  854.       assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
    855. 

  855.       assert_raise(sslerr){ssl.post_connection_check("localhost")}
    856. 

  856.       assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
    857. 

  857.       cert = ssl.peer_cert
    858. 

  858.       assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
    859. 

  859.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
    860. 

  860.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
    861. 

  861.       assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
    862. 

  862.     }
    863. 

  863.   end
    864. 

  864. 

  865.   def TODO_implement_SSLSession_test_client_session
    866. 

  866.     last_session = nil
    867. 

  867.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
    868. 

  868.       2.times do
    869. 

  869.         sock = TCPSocket.new("127.0.0.1", port)
    870. 

  870.         # Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
    871. 

  871.         # when use default SSLContext. [ruby-dev:36167]
    872. 

  872.         ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
    873. 

  873.         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    874. 

  874.         ssl.sync_close = true
    875. 

  875.         ssl.session = last_session if last_session
    876. 

  876.         ssl.connect
    877. 

  877. 

  878.         session = ssl.session
    879. 

  879.         if last_session
    880. 

  880.           assert(ssl.session_reused?)
    881. 

  881. 

  882.           if session.respond_to?(:id)
    883. 

  883.             assert_equal(session.id, last_session.id)
    884. 

  884.           end
    885. 

  885.           assert_equal(session.to_pem, last_session.to_pem)
    886. 

  886.           assert_equal(session.to_der, last_session.to_der)
    887. 

  887.           # Older version of OpenSSL may not be consistent.  Look up which versions later.
    888. 

  888.           assert_equal(session.to_text, last_session.to_text)
    889. 

  889.         else
    890. 

  890.           assert(!ssl.session_reused?)
    891. 

  891.         end
    892. 

  892.         last_session = session
    893. 

  893. 

  894.         str = "x" * 100 + "\n"
    895. 

  895.         ssl.puts(str)
    896. 

  896.         assert_equal(str, ssl.gets)
    897. 

  897. 

  898.         ssl.close
    899. 

  899.       end
    900. 

  900.     end
    901. 

  901.   end
    902. 

  902. 

  903.   def TODO_implement_SSLSession_test_server_session
    904. 

  904.     connections = 0
    905. 

  905.     saved_session = nil
    906. 

  906. 

  907.     ctx_proc = Proc.new do |ctx, ssl|
    908. 

  908. # add test for session callbacks here
    909. 

  909.     end
    910. 

  910. 

  911.     server_proc = Proc.new do |ctx, ssl|
    912. 

  912.       session = ssl.session
    913. 

  913.       stats = ctx.session_cache_stats
    914. 

  914. 

  915.       case connections
    916. 

  916.       when 0
    917. 

  917.         assert_equal(stats[:cache_num], 1)
    918. 

  918.         assert_equal(stats[:cache_hits], 0)
    919. 

  919.         assert_equal(stats[:cache_misses], 0)
    920. 

  920.         assert(!ssl.session_reused?)
    921. 

  921.       when 1
    922. 

  922.         assert_equal(stats[:cache_num], 1)
    923. 

  923.         assert_equal(stats[:cache_hits], 1)
    924. 

  924.         assert_equal(stats[:cache_misses], 0)
    925. 

  925.         assert(ssl.session_reused?)
    926. 

  926.         ctx.session_remove(session)
    927. 

  927.         saved_session = session
    928. 

  928.       when 2
    929. 

  929.         assert_equal(stats[:cache_num], 1)
    930. 

  930.         assert_equal(stats[:cache_hits], 1)
    931. 

  931.         assert_equal(stats[:cache_misses], 1)
    932. 

  932.         assert(!ssl.session_reused?)
    933. 

  933.         ctx.session_add(saved_session)
    934. 

  934.       when 3
    935. 

  935.         assert_equal(stats[:cache_num], 2)
    936. 

  936.         assert_equal(stats[:cache_hits], 2)
    937. 

  937.         assert_equal(stats[:cache_misses], 1)
    938. 

  938.         assert(ssl.session_reused?)
    939. 

  939.         ctx.flush_sessions(Time.now + 5000)
    940. 

  940.       when 4
    941. 

  941.         assert_equal(stats[:cache_num], 1)
    942. 

  942.         assert_equal(stats[:cache_hits], 2)
    943. 

  943.         assert_equal(stats[:cache_misses], 2)
    944. 

  944.         assert(!ssl.session_reused?)
    945. 

  945.         ctx.session_add(saved_session)
    946. 

  946.       end
    947. 

  947.       connections += 1
    948. 

  948. 

  949.       readwrite_loop(ctx, ssl)
    950. 

  950.     end
    951. 

  951. 

  952.     first_session = nil
    953. 

  953.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
    954. 

  954.       10.times do |i|
    955. 

  955.         sock = TCPSocket.new("127.0.0.1", port)
    956. 

  956.         ctx = OpenSSL::SSL::SSLContext.new
    957. 

  957.         if defined?(OpenSSL::SSL::OP_NO_TICKET)
    958. 

  958.           # disable RFC4507 support
    959. 

  959.           ctx.options = OpenSSL::SSL::OP_NO_TICKET
    960. 

  960.         end
    961. 

  961.         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    962. 

  962.         ssl.sync_close = true
    963. 

  963.         ssl.session = first_session if first_session
    964. 

  964.         ssl.connect
    965. 

  965. 

  966.         session = ssl.session
    967. 

  967.         if first_session
    968. 

  968.           case i
    969. 

  969.           when 1; assert(ssl.session_reused?)
    970. 

  970.           when 2; assert(!ssl.session_reused?)
    971. 

  971.           when 3; assert(ssl.session_reused?)
    972. 

  972.           when 4; assert(!ssl.session_reused?)
    973. 

  973.           when 5..10; assert(ssl.session_reused?)
    974. 

  974.           end
    975. 

  975.         end
    976. 

  976.         first_session ||= session
    977. 

  977. 

  978.         str = "x" * 100 + "\n"
    979. 

  979.         ssl.puts(str)
    980. 

  980.         assert_equal(str, ssl.gets)
    981. 

  981. 

  982.         ssl.close
    983. 

  983.       end
    984. 

  984.     end
    985. 

  985.   end
    986. 

  986. 

  987.   def test_tlsext_hostname
    988. 

  988.     return unless OpenSSL::SSL::SSLSocket.instance_methods.include?("hostname")
    989. 

  989. 

  990.     ctx_proc = Proc.new do |ctx, ssl|
    991. 

  991.       foo_ctx = ctx.dup
    992. 

  992. 

  993.       ctx.servername_cb = Proc.new do |ssl2, hostname|
    994. 

  994.         case hostname
    995. 

  995.         when 'foo.example.com'
    996. 

  996.           foo_ctx
    997. 

  997.         when 'bar.example.com'
    998. 

  998.           nil
    999. 

  999.         else
    1000. 

  1000.           raise "unknown hostname #{hostname.inspect}"
    1001. 

  1001.         end
    1002. 

  1002.       end
    1003. 

  1003.     end
    1004. 

  1004. 

  1005.     server_proc = Proc.new do |ctx, ssl|
    1006. 

  1006.       readwrite_loop(ctx, ssl)
    1007. 

  1007.     end
    1008. 

  1008. 

  1009.     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
    1010. 

  1010.       2.times do |i|
    1011. 

  1011.         sock = TCPSocket.new("127.0.0.1", port)
    1012. 

  1012.         ctx = OpenSSL::SSL::SSLContext.new
    1013. 

  1013.         if defined?(OpenSSL::SSL::OP_NO_TICKET)
    1014. 

  1014.           # disable RFC4507 support
    1015. 

  1015.           ctx.options = OpenSSL::SSL::OP_NO_TICKET
    1016. 

  1016.         end
    1017. 

  1017.         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    1018. 

  1018.         ssl.sync_close = true
    1019. 

  1019.         ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com'
    1020. 

  1020.         ssl.connect
    1021. 

  1021. 

  1022.         str = "x" * 100 + "\n"
    1023. 

  1023.         ssl.puts(str)
    1024. 

  1024.         assert_equal(str, ssl.gets)
    1025. 

  1025. 

  1026.         ssl.close
    1027. 

  1027.       end
    1028. 

  1028.     end
    1029. 

  1029.   end
    1030. 

  1030. end
    1031. 

  1031. 

  1032. end
    1033. 

  1033.