Skip to content

Commit

Permalink
Merge branch 'maint-3.0' into maint-3.1
Browse files Browse the repository at this point in the history
* maint-3.0:
  pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
  pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
  cipher: fix buffer overflow in Cipher#update
  ssl: allow failure on test_connect_certificate_verify_failed_exception_message
  .github/workflows/test.yml: synchronize with master
  Only CSR version 1 (encoded as 0) is allowed by PKIX standards
  test_asn1.rb: Remove the assertions of the time string format without second.
  test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
  Use EVP_Digest{Sign,Verify} when available
  Fix performance regression in do_write(s)
  • Loading branch information
rhenium committed May 2, 2024
2 parents c263cd4 + 3b71ccf commit 09122c5
Show file tree
Hide file tree
Showing 9 changed files with 127 additions and 40 deletions.
75 changes: 59 additions & 16 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,13 @@ name: CI
on: [push, pull_request]

jobs:
ruby-versions:
uses: ruby/actions/.github/workflows/ruby_versions.yml@master
with:
engine: cruby-truffleruby
min_version: 2.6
test:
needs: ruby-versions
name: >-
${{ matrix.os }} ${{ matrix.ruby }}
runs-on: ${{ matrix.os }}
Expand All @@ -12,17 +18,21 @@ jobs:
matrix:
# ubuntu-22.04 uses OpenSSL 3.0, ubuntu-20.04 uses OpenSSL 1.1.1
os: [ ubuntu-22.04, ubuntu-20.04, macos-latest, windows-latest ]
ruby: [ head, "3.1", "3.0", "2.7", "2.6" ]
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
exclude:
# uses non-standard MSYS2 OpenSSL 3 package
- { os: windows-latest, ruby: head }
- { os: windows-latest, ruby: truffleruby }
- { os: windows-latest, ruby: truffleruby-head }
- { os: macos-latest, ruby: truffleruby }
- { os: ubuntu-20.04, ruby: truffleruby }
include:
- { os: windows-latest, ruby: ucrt }
- { os: windows-latest, ruby: mswin }

steps:
- name: repo checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: load ruby
uses: ruby/setup-ruby@v1
Expand All @@ -32,48 +42,73 @@ jobs:
- name: depends
run: bundle install

# Enable the verbose option in mkmf.rb to print the compiling commands.
- name: enable mkmf verbose
run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
if: runner.os == 'Linux' || runner.os == 'macOS'

- name: set flags to check compiler warnings.
run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
if: ${{ !matrix.skip-warnings }}

- name: compile
run: rake compile -- --enable-debug
run: rake compile

- name: test
run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
run: rake test TESTOPTS="-v --no-show-detail-immediately"
timeout-minutes: 5

test-openssls:
name: >-
${{ matrix.openssl }}
${{ matrix.openssl }} ${{ matrix.name-extra || '' }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
ruby: [ "3.0" ]
openssl:
# https://www.openssl.org/source/
- openssl-1.0.2u # EOL
- openssl-1.1.0l # EOL
- openssl-1.1.1s
- openssl-3.0.7
- openssl-1.1.1w # EOL
- openssl-3.0.13
- openssl-3.1.5
- openssl-3.2.1
- openssl-3.3.0
# http://www.libressl.org/releases.html
- libressl-3.1.5 # EOL
- libressl-3.2.7 # EOL
- libressl-3.3.6 # EOL
- libressl-3.4.3 # EOL
- libressl-3.5.3
- libressl-3.6.1
- libressl-3.7.0 # Development release
- libressl-3.5.3 # EOL
- libressl-3.6.3 # EOL
- libressl-3.7.3 # EOL
- libressl-3.8.4
- libressl-3.9.1
steps:
- name: repo checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: prepare openssl
run: |
# Enable Bash debugging option temporarily for debugging use.
set -x
mkdir -p tmp/build-openssl && cd tmp/build-openssl
case ${{ matrix.openssl }} in
openssl-*)
curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
if [ -z "${{ matrix.git }}" ]; then
curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
else
git clone -b ${{ matrix.branch }} --depth 1 ${{ matrix.git }} ${{ matrix.openssl }}
cd ${{ matrix.openssl }}
# Log the commit hash.
echo "Git commit: $(git rev-parse HEAD)"
fi
# shared is required for 1.0.x.
./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
shared linux-x86_64
shared linux-x86_64 ${{ matrix.append-configure }}
make depend
;;
libressl-*)
Expand All @@ -96,9 +131,17 @@ jobs:
- name: depends
run: bundle install

- name: enable mkmf verbose
run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
if: runner.os == 'Linux' || runner.os == 'macOS'

- name: set flags to check compiler warnings.
run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
if: ${{ !matrix.skip-warnings }}

- name: compile
run: rake compile -- --enable-debug --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
run: rake compile -- --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}

- name: test
run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
run: rake test TESTOPTS="-v --no-show-detail-immediately"
timeout-minutes: 5
18 changes: 15 additions & 3 deletions ext/openssl/ossl_cipher.c
Original file line number Diff line number Diff line change
Expand Up @@ -386,11 +386,23 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
in = (unsigned char *)RSTRING_PTR(data);
in_len = RSTRING_LEN(data);
GetCipher(self, ctx);
out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
if (out_len <= 0) {

/*
* As of OpenSSL 3.2, there is no reliable way to determine the required
* output buffer size for arbitrary cipher modes.
* https://github.com/openssl/openssl/issues/22628
*
* in_len+block_size is usually sufficient, but AES key wrap with padding
* ciphers require in_len+15 even though they have a block size of 8 bytes.
*
* Using EVP_MAX_BLOCK_LENGTH (32) as a safe upper bound for ciphers
* currently implemented in OpenSSL, but this can change in the future.
*/
if (in_len > LONG_MAX - EVP_MAX_BLOCK_LENGTH) {
ossl_raise(rb_eRangeError,
"data too big to make output buffer: %ld bytes", in_len);
}
out_len = in_len + EVP_MAX_BLOCK_LENGTH;

if (NIL_P(str)) {
str = rb_str_new(0, out_len);
Expand All @@ -401,7 +413,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)

if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
ossl_raise(eCipherError, NULL);
assert(out_len < RSTRING_LEN(str));
assert(out_len <= RSTRING_LEN(str));
rb_str_set_len(str, out_len);

return str;
Expand Down
8 changes: 7 additions & 1 deletion ext/openssl/ossl_pkcs7.c
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,11 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
out = NULL;
pkcs7 = SMIME_read_PKCS7(in, &out);
BIO_free(in);
if(!pkcs7) ossl_raise(ePKCS7Error, NULL);
if (!pkcs7)
ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
if (!pkcs7->d.ptr)
ossl_raise(ePKCS7Error, "No content in PKCS7");

data = out ? ossl_membio2str(out) : Qnil;
SetPKCS7(ret, pkcs7);
ossl_pkcs7_set_data(ret, data);
Expand Down Expand Up @@ -346,6 +350,8 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
BIO_free(in);
if (!p7)
ossl_raise(rb_eArgError, "Could not parse the PKCS7");
if (!p7->d.ptr)
ossl_raise(rb_eArgError, "No content in PKCS7");

RTYPEDDATA_DATA(self) = p7;
PKCS7_free(p7_orig);
Expand Down
17 changes: 11 additions & 6 deletions lib/openssl/buffering.rb
Original file line number Diff line number Diff line change
Expand Up @@ -348,13 +348,18 @@ def do_write(s)
@wbuffer << s
@wbuffer.force_encoding(Encoding::BINARY)
@sync ||= false
if @sync or @wbuffer.size > BLOCK_SIZE
until @wbuffer.empty?
begin
nwrote = syswrite(@wbuffer)
rescue Errno::EAGAIN
retry
buffer_size = @wbuffer.size
if @sync or buffer_size > BLOCK_SIZE
nwrote = 0
begin
while nwrote < buffer_size do
begin
nwrote += syswrite(@wbuffer[nwrote, buffer_size - nwrote])
rescue Errno::EAGAIN
retry
end
end
ensure
@wbuffer[0, nwrote] = ""
end
end
Expand Down
8 changes: 0 additions & 8 deletions test/openssl/test_asn1.rb
Original file line number Diff line number Diff line change
Expand Up @@ -406,10 +406,6 @@ def test_utctime
rescue OpenSSL::ASN1::ASN1Error
pend "No negative time_t support?"
end
# Seconds is omitted. LibreSSL 3.6.0 requires it
return if libressl?
decode_test B(%w{ 17 0B }) + "1609082343Z".b,
OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
# not implemented
# decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
# OpenSSL::ASN1::UTCTime.new(Time.new(1950, 9, 8, 23, 43, 39, "+09:30"))
Expand All @@ -428,10 +424,6 @@ def test_generalizedtime
OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29))
encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b,
OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
# LibreSSL 3.6.0 requires the seconds element
return if libressl?
decode_test B(%w{ 18 0D }) + "201612081934Z".b,
OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
# not implemented
# decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
# OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))
Expand Down
16 changes: 16 additions & 0 deletions test/openssl/test_cipher.rb
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,22 @@ def test_aes_gcm_key_iv_order_issue
assert_equal tag1, tag2
end

def test_aes_keywrap_pad
# RFC 5649 Section 6; The second example
kek = ["5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8"].pack("H*")
key = ["466f7250617369"].pack("H*")
wrap = ["afbeb0f07dfbf5419200f2ccb50bb24f"].pack("H*")

begin
cipher = OpenSSL::Cipher.new("id-aes192-wrap-pad").encrypt
rescue OpenSSL::Cipher::CipherError, RuntimeError
omit "id-aes192-wrap-pad is not supported: #$!"
end
cipher.key = kek
ct = cipher.update(key) << cipher.final
assert_equal wrap, ct
end

def test_non_aead_cipher_set_auth_data
assert_raise(OpenSSL::Cipher::CipherError) {
cipher = OpenSSL::Cipher.new("aes-128-cfb").encrypt
Expand Down
15 changes: 15 additions & 0 deletions test/openssl/test_pkcs7.rb
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,21 @@ def test_enveloped
assert_equal(data, p7.decrypt(@rsa1024))
end

def test_empty_signed_data_ruby_bug_19974
data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
assert_raise(ArgumentError) { OpenSSL::PKCS7.new(data) }

data = <<END
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
#{data}
END
assert_raise(OpenSSL::PKCS7::PKCS7Error) { OpenSSL::PKCS7.read_smime(data) }
end

def test_graceful_parsing_failure #[ruby-core:43250]
contents = File.read(__FILE__)
assert_raise(ArgumentError) { OpenSSL::PKCS7.new(contents) }
Expand Down
3 changes: 3 additions & 0 deletions test/openssl/test_ssl.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1043,6 +1043,9 @@ def test_verify_hostname_failure_error_code
end

def test_connect_certificate_verify_failed_exception_message
# Won't fix on the 3.0 branch
return if openssl?(3, 1, 0)

start_server(ignore_listener_error: true) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
Expand Down
7 changes: 1 addition & 6 deletions test/openssl/test_x509req.rb
Original file line number Diff line number Diff line change
Expand Up @@ -39,11 +39,6 @@ def test_version
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)

req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
assert_equal(1, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(1, req.version)
end

def test_subject
Expand Down Expand Up @@ -106,7 +101,7 @@ def test_sign_and_verify_rsa_sha1
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
req.version = 1
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
assert_equal(false, req.verify(@rsa1024))
rescue OpenSSL::X509::RequestError # RHEL 9 disables SHA1
end
Expand Down

0 comments on commit 09122c5

Please sign in to comment.