Backport test fixes to 3.0 #751

Merged
merged 6 commits into from
Apr 30, 2024

Commits on Apr 30, 2024

  1. Use EVP_Digest{Sign,Verify} when available

    [ This is a backport to the 3.0 branch. ]
    
    LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
    when available to prepare for the addition of Ed25519 support in
    LibreSSL 3.7.
    
    (cherry picked from commit 475b2bf)
    botovq authored and rhenium committed Apr 30, 2024
    3e3c750
  2. test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0

    [ This is a backport to the 3.0 branch. ]
    
    LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
    to be always present. LibreSSL 3.6.0 release note [1] says:
    
    > - The ASN.1 time parser has been refactored and rewritten using CBS.
    >   It has been made stricter in that it now enforces the rules from
    >   RFC 5280.
    
    [1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt
    
    (cherry picked from commit bbc540f)
    rhenium committed Apr 30, 2024
    6a61507
  3. test_asn1.rb: Remove the assertions of the time string format without…

    … second.
    
    [ This is a backport to the 3.0 branch. ]
    
    This commit fixes the following errors in the tests.
    The OpenSSL project changed the code to make the time string format
    without seconds invalid, so we drop the assertions.
    
    ```
    1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
         430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
         431:     # LibreSSL 3.6.0 requires the seconds element
         432:     return if libressl?
      => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
         434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
         435:     # not implemented
         436:     # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
    
    2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
    /home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
         408:     end
         409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
         410:     return if libressl?
      => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
         412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
         413:     # not implemented
         414:     # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
    ```
    
    (cherry picked from commit 2e826d5)
    junaruga authored and rhenium committed Apr 30, 2024
    c6f82eb
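
The rule behind commits 2 and 3, as an added example that is not code from this pull request or from ruby/openssl: RFC 5280 section 4.1.2.5 requires UTCTime and GeneralizedTime to include seconds and end in `Z`, which is why the two encodings in the failing tests are rejected by stricter parsers. The function name, reason strings and the two "with seconds" samples are constructed for illustration.

```ruby
# Added example: RFC 5280 profile check for one DER-encoded UTCTime / GeneralizedTime.
# Pure Ruby, so the result does not depend on the linked OpenSSL/LibreSSL version.
UTCTIME_TAG         = 0x17
GENERALIZEDTIME_TAG = 0x18

# RFC 5280 section 4.1.2.5: seconds are mandatory, the zone must be "Z",
# and GeneralizedTime must not carry fractional seconds.
RFC5280_FORMAT = {
  UTCTIME_TAG         => /\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\z/,
  GENERALIZEDTIME_TAG => /\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\z/,
}.freeze

# Returns [:ok, Time] or [:reject, reason] for one DER TLV (hypothetical helper).
def check_rfc5280_time(der)
  der = der.b
  return [:reject, "truncated header"] if der.bytesize < 2
  tag, len = der.getbyte(0), der.getbyte(1)
  return [:reject, "not a time type"] unless RFC5280_FORMAT.key?(tag)
  return [:reject, "length mismatch"] unless len < 0x80 && der.bytesize == 2 + len
  body = der.byteslice(2, len)

  m = RFC5280_FORMAT[tag].match(body)
  return [:reject, "seconds missing or not Zulu"] unless m
  year, mon, day, hour, min, sec = m.captures.map(&:to_i)
  # UTCTime two-digit years: 00-49 => 20YY, 50-99 => 19YY (RFC 5280).
  year += (year < 50 ? 2000 : 1900) if tag == UTCTIME_TAG
  in_range = (1..12).cover?(mon) && (1..31).cover?(day) && hour < 24 && min < 60 && sec < 60
  return [:reject, "field out of range"] unless in_range
  t = Time.utc(year, mon, day, hour, min, sec)
  # Time.utc normalises e.g. Feb 30 to Mar 1; reject dates that do not round-trip.
  return [:reject, "no such calendar date"] unless t.month == mon && t.day == day
  [:ok, t]
end

# The two encodings from the failing tests above (seconds omitted), plus
# constructed variants with the seconds field present.
SAMPLES = {
  utc_no_seconds:   "\x17\x0B".b + "1609082343Z",
  gen_no_seconds:   "\x18\x0D".b + "201612081934Z",
  utc_with_seconds: "\x17\x0D".b + "160908234339Z",
  gen_with_seconds: "\x18\x0F".b + "20161208193439Z",
}.freeze

SAMPLES.each { |name, der| puts "#{name}: #{check_rfc5280_time(der).inspect}" }
```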
  4. Only CSR version 1 (encoded as 0) is allowed by PKIX standards

    [ This is a backport to the 3.0 branch. ]
    
    RFC 2986, section 4.1 only defines version 1 for CSRs. This version
    is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
    to anything but 1 fails.
    
    Do not attempt to generate a CSR with invalid version (which now fails)
    and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
    subject rather than using an invalid version.
    
    This commit fixes the following error.
    
    ```
     2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
    X509_REQ_set_version: passed invalid argument
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
    `test_version'
         40:     req = OpenSSL::X509::Request.new(req.to_der)
         41:     assert_equal(0, req.version)
         42:
      => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
         44:     assert_equal(1, req.version)
         45:     req = OpenSSL::X509::Request.new(req.to_der)
         46:     assert_equal(1, req.version)
    ```
    
    (cherry picked from commit c06fdeb)
    job authored and rhenium committed Apr 30, 2024
    cf229f5
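
The approach commit 4 describes, as an added example that is not the project's test code: issue a CSR with the only version RFC 2986 defines (encoded as 0), confirm the encoded value in the DER, then invalidate the signature by changing the subject instead of the version. The helper names, the throwaway key and the subject names are constructed for illustration.

```ruby
require "openssl"

# Added example: a version-1 CSR (INTEGER 0 on the wire) and a way to make
# its signature invalid without touching the version field.
def issue_csr_v1(subject, key)
  req = OpenSSL::X509::Request.new
  req.version = 0                      # RFC 2986 "v1" is encoded as 0
  req.subject = subject
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req
end

# Reads the version INTEGER straight from the DER:
# CertificationRequest -> certificationRequestInfo -> version.
def encoded_csr_version(req)
  OpenSSL::ASN1.decode(req.to_der).value[0].value[0].value.to_i
end

# Returns [signature valid before tampering, signature valid after].
def tamper_subject_and_verify(req, key, new_subject)
  before = req.verify(key)
  req.subject = new_subject            # signed bytes no longer match the signature
  [before, req.verify(key)]
end

KEY = OpenSSL::PKey::RSA.generate(2048)                                  # constructed throwaway key
CSR = issue_csr_v1(OpenSSL::X509::Name.parse("/C=JP/CN=Example"), KEY)   # constructed subject

puts "encoded version: #{encoded_csr_version(CSR)}"
```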
  5. .github/workflows/test.yml: synchronize with master

    [ This is a backport to the 3.0 branch. ]
    
    Backport changes made to .github/workflows/test.yml in master branch,
    except:
    
     - Minimum version is Ruby 2.6
     - FIPS-mode related changes are excluded (as it's not supported)
    
    This includes the following commits:
    
    	fcf53d5 CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
    	567b412 CI: Upgrade OpenSSL and LibreSSL versions.
    	405f1ee CI: Add OpenSSL no-legacy case.
    	9a99583 CI: Upgrade OpenSSL and LibreSSL versions.
    	6feeeb8 CI: Add the rubyinstaller2 issue link that legacy provider is not loaded.
    	7aed35a Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
    	adfb6bb CI: Add OpenSSL 3.2.0.
    	fafe1af CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
    	f07e6f5 CI: Upgrade OpenSSL and LibreSSL versions.
    	0dda88d Merge pull request ruby#682 from ruby/dependabot/github_actions/actions/checkout-4
    	0b83eed Rakefile: Add test_fips task for convenience.
    	b94314f Bump actions/checkout from 3 to 4
    	8c7a6a1 Remove OSSL_DEBUG compile-time option
    	e35f190 CI: Replace "mode" in "FIPS mode" with "module".
    	61434f6 Rakefile: Print FIPS information in the `rake debug`.
    	7ec8024 CI: Add OpenSSL master branch head non-FIPS and FIPS cases.
    	24d8add CI: Upgrade OpenSSL versions.
    	fddfc55 CI: Add OpenSSL 3.1 FIPS case.
    	58ce7fa .github/workflows/test.yml: add provider load path for Windows
    	f6e57e1 CI: Fix a typo in the comment. [ci skip]
    	52402f6 CI: Check compiler warnings.
    	f6ba75e Drop support for Ruby 2.6
    	3456770 CI: Upgrade OpenSSL and LibreSSL versions.
    	79786ca CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).
    	8149cdf CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.
    	08e1981 CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.
    	121b3b2 Revert "CI: Enable the verbose mode in the mkmf.rb."
    	a832f5c CI: Enable the verbose mode in the mkmf.rb.
    	18b0172 CI: Add OpenSSL FIPS mode case.
    	af27f50 .github/workflows/test.yml: Update OpenSSL versions
    	d277123 skip failing test with truffleruby and ubuntu-22.04
    	25352f4 Exclude truffleruby with macos-latest
    	d7f90c7 Fix missing needs call
    	0640664 Try to run with TruffleRuby
    	aeee125 Use ruby/actions/.github/workflows/ruby_versions.yml@master
    	fd40742 .github/workflows/test.yml: update LibreSSL versions
    	ff2fe4b Strip trailing spaces [ci skip]
    	9c24dcc Actions - Use Ubuntu 20.04 for 1.1.1 CI, misc fixes
    	cc876f5 [CI] test.yml - test-openssls - use 1.1.1q, 3.0.5
    	0fb8d1b [CI] add Ubuntu-22.04 and update mswin, all are OpenSSL 3
    	1588686 Merge pull request ruby#505 from ruby/update-actions
    	9f901dc Test on LibreSSL 3.4 and 3.5
    	f2d072c Use actions/checkout@v3
    	699e274 Added 3.1
    	b28df90 Install openssl with vcpkg on mswin
    rhenium committed Apr 30, 2024
    ee9e162
  6. ssl: allow failure on test_connect_certificate_verify_failed_exceptio…

    …n_message
    
    [ This patch only applies to the 3.0 and 3.1 branches. ]
    
    It is a test case for SSLSocket generating an informative error message
    on a certificate verification failure. A change in OpenSSL 3.1 broke it
    and a generic error message is currently generated.
    
    This is fixed in the 3.2 branch by commit 5113777, but I decided
    not to backport the commit to the 3.0 branch because the diff doesn't
    apply cleanly.
    rhenium committed Apr 30, 2024
    3bdde7d