Merge branch 'maint'

This also restores 'if defined?(OpenSSL)-end' wrapping the test code.
They have been removed erroneously by commit 4eb4b32 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).

* maint:
  test/test_ssl: explicitly accept TLS 1.1 in corresponding test
  ssl: remove useless call to rb_thread_wait_fd()
  test/test_pair, test/test_ssl: fix for TLS 1.3
  test/test_ssl_session: rearrange tests
  test/test_ssl: move test_multibyte_read_write to test_pair
  test/test_ssl: remove test_invalid_shutdown_by_gc
  test/utils: do not use DSA certificates in SSL tests
  test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
  test/utils: improve error handling in start_server
  test/utils: let server_loop close socket
  test/utils: do not set ecdh_curves in start_server
  test/utils: have start_server yield only the port number
  test/utils: add SSLTestCase#tls12_supported?
  test/utils: remove OpenSSL::TestUtils.silent
  test: fix formatting
  Rakefile: let sync:to_ruby know about test/openssl/fixtures
  cipher: update the documentation for Cipher#auth_tag=
  Backport "Merge branch 'topic/test-memory-leak'" to maint
  ssl: do not call session_remove_cb during GC

Author: rhenium

Rakefile

@@ -58,11 +58,12 @@ namespace :sync do
 
     paths = [
       ["ext/openssl/", "ext/openssl/"],
+      ["lib/", "ext/openssl/lib/"],
+      ["sample/", "sample/openssl/"],
+      ["test/fixtures/", "test/openssl/fixtures/"],
       ["test/utils.rb", "test/openssl/"],
       ["test/ut_eof.rb", "test/openssl/"],
       ["test/test_*", "test/openssl/"],
-      ["lib/", "ext/openssl/lib/"],
-      ["sample/", "sample/openssl/"],
       ["History.md", "ext/openssl/"],
     ]
     paths.each do |src, dst|

ext/openssl/ossl_cipher.c

@@ -620,13 +620,11 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
  *  call-seq:
  *     cipher.auth_tag = string -> string
  *
- *  Sets the authentication tag to verify the contents of the
- *  ciphertext. The tag must be set after calling Cipher#decrypt,
- *  Cipher#key= and Cipher#iv=, but before assigning the associated
- *  authenticated data using Cipher#auth_data= and of course, before
- *  decrypting any of the ciphertext. After all decryption is
- *  performed, the tag is verified automatically in the call to
- *  Cipher#final.
+ *  Sets the authentication tag to verify the integrity of the ciphertext.
+ *  This can be called only when the cipher supports AE. The tag must be set
+ *  after calling Cipher#decrypt, Cipher#key= and Cipher#iv=, but before
+ *  calling Cipher#final. After all decryption is performed, the tag is
+ *  verified automatically in the call to Cipher#final.
  *
  *  For OCB mode, the tag length must be supplied with #auth_tag_len=
  *  beforehand.

ext/openssl/ossl_ssl.c

@@ -470,6 +470,13 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
     VALUE ary, sslctx_obj, sess_obj;
     int state = 0;
 
+    /*
+     * This callback is also called for all sessions in the internal store
+     * when SSL_CTX_free() is called.
+     */
+    if (rb_during_gc())
+	return;
+
     OSSL_Debug("SSL SESSION remove callback entered");
 
     sslctx_obj = (VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx);
@@ -1689,8 +1696,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
     io = rb_attr_get(self, id_i_io);
     GetOpenFile(io, fptr);
     if (ssl_started(ssl)) {
-	if(!nonblock && SSL_pending(ssl) <= 0)
-	    rb_thread_wait_fd(fptr->fd);
 	for (;;){
 	    nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
 	    switch(ssl_get_error(ssl, nread)){

test/test_asn1.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: false
 require_relative 'utils'
 
+if defined?(OpenSSL)
+
 class  OpenSSL::TestASN1 < OpenSSL::TestCase
   def test_decode_x509_certificate
     subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
@@ -677,5 +679,6 @@ def assert_universal(tag, asn1)
     end
     assert_equal(:UNIVERSAL, asn1.tag_class)
   end
+end
 
 end

test/test_bn.rb

@@ -3,6 +3,8 @@
 require_relative 'utils'
 require "prime"
 
+if defined?(OpenSSL)
+
 class OpenSSL::TestBN < OpenSSL::TestCase
   def setup
     super
@@ -270,3 +272,5 @@ def test_comparison
     assert_equal(0, @e1.ucmp(-999))
   end
 end
+
+end

test/test_buffering.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: false
 require_relative 'utils'
-require 'stringio'
 
-class OpenSSL::TestBuffering < OpenSSL::TestCase
+if defined?(OpenSSL)
 
+class OpenSSL::TestBuffering < OpenSSL::TestCase
   class IO
     include OpenSSL::Buffering
 
@@ -85,5 +85,6 @@ def test_each_byte
     end
     assert_equal([97, 98, 99], res)
   end
+end
 
 end

test/test_cipher.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: false
 require_relative 'utils'
 
+if defined?(OpenSSL)
+
 class OpenSSL::TestCipher < OpenSSL::TestCase
   module Helper
     def has_cipher?(name)
@@ -308,5 +310,6 @@ def new_decryptor(algo, **kwargs)
       kwargs.each {|k, v| cipher.send(:"#{k}=", v) }
     end
   end
+end
 
 end

test/test_config.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: false
 require_relative 'utils'
 
+if defined?(OpenSSL)
+
 class OpenSSL::TestConfig < OpenSSL::TestCase
   def setup
     super
@@ -171,7 +173,7 @@ def test_get_value_ENV
 
   def test_value
     # suppress deprecation warnings
-    OpenSSL::TestUtils.silent do
+    EnvUtil.suppress_warning do
       assert_equal('CA_default', @it.value('ca', 'default_ca'))
       assert_equal(nil, @it.value('ca', 'no such key'))
       assert_equal(nil, @it.value('no such section', 'no such key'))
@@ -184,7 +186,7 @@ def test_value
   end
 
   def test_value_ENV
-    OpenSSL::TestUtils.silent do
+    EnvUtil.suppress_warning do
       key = ENV.keys.first
       assert_not_nil(key) # make sure we have at least one ENV var.
       assert_equal(ENV[key], @it.value('ENV', key))
@@ -199,7 +201,7 @@ def test_aref
   end
 
   def test_section
-    OpenSSL::TestUtils.silent do
+    EnvUtil.suppress_warning do
       assert_equal({'HOME' => '.'}, @it.section('default'))
       assert_equal({'dir' => './demoCA', 'certs' => './certs'}, @it.section('CA_default'))
       assert_equal({}, @it.section('no_such_section'))
@@ -298,3 +300,5 @@ def test_clone
     assert_not_equal(@it.sections.sort, c.sections.sort)
   end
 end
+
+end

test/test_digest.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: false
 require_relative 'utils'
 
+if defined?(OpenSSL)
+
 class OpenSSL::TestDigest < OpenSSL::TestCase
   def setup
     super
@@ -53,7 +55,7 @@ def test_reset
 
   def test_digest_constants
     algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
-    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000
+    if !libressl? && !openssl?(1, 1, 0)
       algs += %w(DSS1 SHA)
     end
     algs.each do |alg|
@@ -115,3 +117,5 @@ def check_digest(oid)
     assert_not_nil(d)
   end
 end
+
+end

test/test_engine.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: false
 require_relative 'utils'
 
-class OpenSSL::TestEngine < OpenSSL::TestCase
+if defined?(OpenSSL) && defined?(OpenSSL::Engine)
 
+class OpenSSL::TestEngine < OpenSSL::TestCase
   def test_engines_free # [ruby-dev:44173]
     with_openssl <<-'end;'
       OpenSSL::Engine.load("openssl")
@@ -95,5 +96,6 @@ def crypt_data(data, key, mode)
       cipher.update(data) + cipher.final
     end
   end
+end
 
-end if defined?(OpenSSL::Engine)
+end