diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f396c3502..fc4e847c3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,19 +3,36 @@ name: CI on: [push, pull_request] jobs: + ruby-versions: + uses: ruby/actions/.github/workflows/ruby_versions.yml@master + with: + engine: cruby-truffleruby + min_version: 2.6 test: + needs: ruby-versions name: >- ${{ matrix.os }} ${{ matrix.ruby }} runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: - # ubuntu-latest is 22.04, uses OpenSSL 3 - os: [ ubuntu-20.04, macos-latest ] - ruby: [ head, "3.0", "2.7", "2.6" ] + # ubuntu-22.04 uses OpenSSL 3.0, ubuntu-20.04 uses OpenSSL 1.1.1 + os: [ ubuntu-22.04, ubuntu-20.04, macos-latest, windows-latest ] + ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }} + exclude: + # uses non-standard MSYS2 OpenSSL 3 package + - { os: windows-latest, ruby: head } + - { os: windows-latest, ruby: truffleruby } + - { os: windows-latest, ruby: truffleruby-head } + - { os: macos-latest, ruby: truffleruby } + - { os: ubuntu-20.04, ruby: truffleruby } + include: + - { os: windows-latest, ruby: ucrt } + - { os: windows-latest, ruby: mswin } + steps: - name: repo checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: load ruby uses: ruby/setup-ruby@v1 
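Review bot: The new `ruby-versions` job calls a reusable workflow by a mutable branch ref, `ruby/actions/.github/workflows/ruby_versions.yml@master`, and its output feeds the test matrix through `fromJson(needs.ruby-versions.outputs.versions)`. Whatever is on that branch at run time therefore decides which jobs this workflow runs. Pinning it to a full commit SHA, `uses: ruby/actions/.github/workflows/ruby_versions.yml@<full-commit-sha>`, keeps runs reproducible and limits the effect of a force-pushed or compromised branch. The same applies to the movable tags `actions/checkout@v4` and `ruby/setup-ruby@v1`. No `permissions:` block is visible in this hunk, so it is worth confirming that the token is read-only for a workflow triggered by `pull_request`.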
@@ -25,47 +42,25 @@ jobs: - name: depends run: bundle install - - name: compile - run: rake compile -- --enable-debug + # Enable the verbose option in mkmf.rb to print the compiling commands. + - name: enable mkmf verbose + run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV + if: runner.os == 'Linux' || runner.os == 'macOS' - - name: test - run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1 + - name: set flags to check compiler warnings. + run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV + if: ${{ !matrix.skip-warnings }} - test-windows: - name: >- - ${{ matrix.os }} ${{ matrix.ruby }} - runs-on: ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - os: [ windows-latest ] - # current mswin build uses OpenSSL 3 - ruby: [ mingw, "3.0", "2.7", "2.6" ] - steps: - - name: repo checkout - uses: actions/checkout@v3 - - - name: load ruby, install/update gcc, install openssl - uses: MSP-Greg/setup-ruby-pkgs@v1 - with: - ruby-version: ${{ matrix.ruby }} - mingw: _upgrade_ openssl - - - name: depends - run: bundle install - - # pkg-config is disabled because it can pick up the different OpenSSL installation - # SSL_DIR is set as needed by MSP-Greg/setup-ruby-pkgs - # only used with mswin - name: compile - run: rake compile -- --enable-debug --without-pkg-config $env:SSL_DIR + run: rake compile - name: test - run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1 + run: rake test TESTOPTS="-v --no-show-detail-immediately" + timeout-minutes: 5 test-openssls: name: >- - ${{ matrix.openssl }} + ${{ matrix.openssl }} ${{ matrix.name-extra || '' }} runs-on: ${{ matrix.os }} strategy: fail-fast: false 
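Review bot: The step `set flags to check compiler warnings.` is gated only by `if: ${{ !matrix.skip-warnings }}`, while the `enable mkmf verbose` step next to it is restricted to Linux and macOS. The merged `test` job now includes `windows-latest`, where `run:` defaults to PowerShell and `$GITHUB_ENV` is a PowerShell variable rather than the environment variable. The `-Werror` flag therefore likely never reaches the Windows builds, and nothing in the job output shows that. Making the intent explicit would remove the ambiguity: either add `shell: bash` to the step if warnings should fail the build on Windows too, or reuse the condition `if: runner.os == 'Linux' || runner.os == 'macOS'` if they should not. No visible matrix entry defines `skip-warnings`, so a comment naming where it is expected to be set would also help.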
@@ -73,27 +68,47 @@ jobs: os: [ ubuntu-latest ] ruby: [ "3.0" ] openssl: + # https://www.openssl.org/source/ - openssl-1.0.2u # EOL - openssl-1.1.0l # EOL - - openssl-1.1.1l - - openssl-3.0.1 + - openssl-1.1.1w # EOL + - openssl-3.0.13 + - openssl-3.1.5 + - openssl-3.2.1 + - openssl-3.3.0 + # http://www.libressl.org/releases.html - libressl-3.1.5 # EOL - - libressl-3.2.6 - - libressl-3.3.4 + - libressl-3.2.7 # EOL + - libressl-3.3.6 # EOL + - libressl-3.4.3 # EOL + - libressl-3.5.3 # EOL + - libressl-3.6.3 # EOL + - libressl-3.7.3 # EOL + - libressl-3.8.4 + - libressl-3.9.1 steps: - name: repo checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: prepare openssl run: | + # Enable Bash debugging option temporarily for debugging use. + set -x mkdir -p tmp/build-openssl && cd tmp/build-openssl case ${{ matrix.openssl }} in openssl-*) - curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz - tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }} + if [ -z "${{ matrix.git }}" ]; then + curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz + tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }} + else + git clone -b ${{ matrix.branch }} --depth 1 ${{ matrix.git }} ${{ matrix.openssl }} + cd ${{ matrix.openssl }} + # Log the commit hash. + echo "Git commit: $(git rev-parse HEAD)" + fi # shared is required for 1.0.x. ./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \ - shared linux-x86_64 + shared linux-x86_64 ${{ matrix.append-configure }} make depend ;; libressl-*) 
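Review bot: The new clone branch in `prepare openssl` splices `${{ matrix.git }}`, `${{ matrix.branch }}` and `${{ matrix.append-configure }}` straight into the script text, unquoted, before bash parses it. The values come from this workflow's own matrix today, so the exposure is low, but passing them through `env:` and quoting the expansions keeps a value with spaces or shell metacharacters from changing the command. Neither path checks what it builds: the tarball is fetched without comparing it to a published SHA-256, and the clone follows a branch tip whose commit hash is only logged. The step continues outside the hunk (the `libressl-*` branch).

```yaml
      - name: prepare openssl
        env:
          OPENSSL_GIT: ${{ matrix.git }}
          OPENSSL_BRANCH: ${{ matrix.branch }}
          OPENSSL_NAME: ${{ matrix.openssl }}
        run: |
          # … unchanged: set -x, mkdir, case header …
              if [ -z "$OPENSSL_GIT" ]; then
                # … unchanged: curl download and tar extraction …
              else
                git clone -b "$OPENSSL_BRANCH" --depth 1 "$OPENSSL_GIT" "$OPENSSL_NAME"
                cd "$OPENSSL_NAME"
                # … unchanged: commit-hash log …
              fi
          # … unchanged: Configure, make depend, libressl branch …
```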
@@ -116,8 +131,17 @@ jobs: - name: depends run: bundle install + - name: enable mkmf verbose + run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV + if: runner.os == 'Linux' || runner.os == 'macOS' + + - name: set flags to check compiler warnings. + run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV + if: ${{ !matrix.skip-warnings }} + - name: compile - run: rake compile -- --enable-debug --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }} + run: rake compile -- --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }} - name: test - run: rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1 + run: rake test TESTOPTS="-v --no-show-detail-immediately" + timeout-minutes: 5 diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index ec39e8bd7..476256679 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -951,7 +951,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0) if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { EVP_MD_CTX_free(ctx); @@ -1056,7 +1056,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0) ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)); diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb index 0fd797158..7e5b9692a 100644 --- a/test/openssl/test_asn1.rb +++ b/test/openssl/test_asn1.rb 
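Review bot: The new guard `#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)` in ossl_pkey_sign has no comment saying which feature it gates, and the same line is repeated in the ossl_pkey_verify hunk that follows. A short comment above each guard, such as `/* One-shot EVP_DigestSign()/EVP_DigestVerify(): OpenSSL >= 1.1.1, LibreSSL >= 3.4.0 */`, would tell a maintainer why these two versions were chosen and when the fallback can be dropped. The CI matrix in this commit still lists libressl-3.1.5, 3.2.7 and 3.3.6, so the fallback path (outside the hunk, presumably under `#else`) should keep being built and tested. Both functions start and end outside their hunks.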
@@ -404,9 +404,6 @@ def test_set def test_utctime encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b, OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39)) - # Seconds is omitted - decode_test B(%w{ 17 0B }) + "1609082343Z".b, - OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) begin # possible range of UTCTime is 1969-2068 currently encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b, @@ -432,8 +429,6 @@ def test_generalizedtime OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29)) encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b, OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) - decode_test B(%w{ 18 0D }) + "201612081934Z".b, - OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) # not implemented # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b, # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30")) diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 39964bf49..7172d0626 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -995,6 +995,9 @@ def test_verify_hostname_failure_error_code end def test_connect_certificate_verify_failed_exception_message + # Won't fix on the 3.0 branch + return if openssl?(3, 1, 0) + start_server(ignore_listener_error: true) { |port| ctx = OpenSSL::SSL::SSLContext.new ctx.set_params diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index ee9c678fb..bac9780d6 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb @@ -39,11 +39,6 @@ def test_version assert_equal(0, req.version) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(0, req.version) - - req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1')) - assert_equal(1, req.version) - req = OpenSSL::X509::Request.new(req.to_der) - assert_equal(1, req.version) end def test_subject 
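Review bot: In test_connect_certificate_verify_failed_exception_message the added `return if openssl?(3, 1, 0)` makes the test report as passed, presumably on OpenSSL 3.1.0 and later, although nothing is asserted. The missing coverage of the certificate-verify-failed message is therefore invisible in the CI results. If the test framework supports it (test-unit provides `omit` and `pend`), `omit "Won't fix on the 3.0 branch" if openssl?(3, 1, 0)` records the skip together with its reason. The test body continues outside the hunk.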
@@ -106,7 +101,7 @@ def test_sign_and_verify_rsa_sha1 assert_equal(false, req.verify(@rsa2048)) assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.version = 1 + req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar") assert_equal(false, req.verify(@rsa1024)) end
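Review bot: The replacement line `req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")` exists only to alter the request after signing, so that the following `req.verify(@rsa1024)` must return false, but nothing says so. A comment such as `# Modify the signed request; the signature must no longer verify` would keep a later reader from treating the subject value as meaningful. If sibling sign-and-verify tests outside this hunk still use `req.version = 1` for the same purpose, they probably need the same change.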