Backport test fixes to 3.0

.github/workflows/test.yml

@@ -3,19 +3,36 @@ name: CI
 on: [push, pull_request]
 
 jobs:
+  ruby-versions:
+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
+    with:
+      engine: cruby-truffleruby
+      min_version: 2.6
   test:
+    needs: ruby-versions
     name: >-
       ${{ matrix.os }} ${{ matrix.ruby }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-latest is 22.04, uses OpenSSL 3
-        os: [ ubuntu-20.04, macos-latest ]
-        ruby: [ head, "3.0", "2.7", "2.6" ]
+        # ubuntu-22.04 uses OpenSSL 3.0, ubuntu-20.04 uses OpenSSL 1.1.1
+        os: [ ubuntu-22.04, ubuntu-20.04, macos-latest, windows-latest ]
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        exclude:
+          # uses non-standard MSYS2 OpenSSL 3 package
+          - { os: windows-latest, ruby: head }
+          - { os: windows-latest, ruby: truffleruby }
+          - { os: windows-latest, ruby: truffleruby-head }
+          - { os: macos-latest,   ruby: truffleruby }
+          - { os: ubuntu-20.04,   ruby: truffleruby }
+        include:
+          - { os: windows-latest, ruby: ucrt }
+          - { os: windows-latest, ruby: mswin }
+
     steps:
       - name: repo checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: load ruby
         uses: ruby/setup-ruby@v1
@@ -25,75 +42,73 @@ jobs:
       - name: depends
         run:  bundle install
 
-      - name: compile
-        run:  rake compile -- --enable-debug
+      # Enable the verbose option in mkmf.rb to print the compiling commands.
+      - name: enable mkmf verbose
+        run:  echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
+        if: runner.os == 'Linux' || runner.os == 'macOS'
 
-      - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+      - name: set flags to check compiler warnings.
+        run:  echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
+        if: ${{ !matrix.skip-warnings }}
 
-  test-windows:
-    name: >-
-      ${{ matrix.os }} ${{ matrix.ruby }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ windows-latest ]
-        # current mswin build uses OpenSSL 3
-        ruby: [ mingw, "3.0", "2.7", "2.6" ]
-    steps:
-      - name: repo checkout
-        uses: actions/checkout@v3
-
-      - name: load ruby, install/update gcc, install openssl
-        uses: MSP-Greg/setup-ruby-pkgs@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          mingw: _upgrade_ openssl
-
-      - name: depends
-        run:  bundle install
-
-      # pkg-config is disabled because it can pick up the different OpenSSL installation
-      # SSL_DIR is set as needed by MSP-Greg/setup-ruby-pkgs
-      # only used with mswin
       - name: compile
-        run:  rake compile -- --enable-debug --without-pkg-config $env:SSL_DIR
+        run:  rake compile
 
       - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+        run:  rake test TESTOPTS="-v --no-show-detail-immediately"
+        timeout-minutes: 5
 
   test-openssls:
     name: >-
-      ${{ matrix.openssl }}
+      ${{ matrix.openssl }} ${{ matrix.name-extra || '' }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ ubuntu-latest ]
         ruby: [ "3.0" ]
         openssl:
+          # https://www.openssl.org/source/
           - openssl-1.0.2u # EOL
           - openssl-1.1.0l # EOL
-          - openssl-1.1.1l
-          - openssl-3.0.1
+          - openssl-1.1.1w # EOL
+          - openssl-3.0.13
+          - openssl-3.1.5
+          - openssl-3.2.1
+          - openssl-3.3.0
+          # http://www.libressl.org/releases.html
           - libressl-3.1.5 # EOL
-          - libressl-3.2.6
-          - libressl-3.3.4
+          - libressl-3.2.7 # EOL
+          - libressl-3.3.6 # EOL
+          - libressl-3.4.3 # EOL
+          - libressl-3.5.3 # EOL
+          - libressl-3.6.3 # EOL
+          - libressl-3.7.3 # EOL
+          - libressl-3.8.4
+          - libressl-3.9.1
     steps:
       - name: repo checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: prepare openssl
         run: |
+          # Enable Bash debugging option temporarily for debugging use.
+          set -x
           mkdir -p tmp/build-openssl && cd tmp/build-openssl
           case ${{ matrix.openssl }} in
           openssl-*)
-            curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
-            tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
+            if [ -z "${{ matrix.git }}" ]; then
+              curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
+              tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
+            else
+              git clone -b ${{ matrix.branch }} --depth 1 ${{ matrix.git }} ${{ matrix.openssl }}
+              cd ${{ matrix.openssl }}
+              # Log the commit hash.
+              echo "Git commit: $(git rev-parse HEAD)"
+            fi
             # shared is required for 1.0.x.
             ./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
-                shared linux-x86_64
+                shared linux-x86_64 ${{ matrix.append-configure }}
             make depend
             ;;
           libressl-*)
@@ -116,8 +131,17 @@ jobs:
       - name: depends
         run:  bundle install
 
+      - name: enable mkmf verbose
+        run:  echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
+        if: runner.os == 'Linux' || runner.os == 'macOS'
+
+      - name: set flags to check compiler warnings.
+        run:  echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
+        if: ${{ !matrix.skip-warnings }}
+
       - name: compile
-        run:  rake compile -- --enable-debug --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
+        run:  rake compile -- --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
 
       - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+        run:  rake test TESTOPTS="-v --no-show-detail-immediately"
+        timeout-minutes: 5

ext/openssl/ossl_pkey.c

@@ -951,7 +951,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
             rb_jump_tag(state);
         }
     }
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
     if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
                        RSTRING_LEN(data)) < 1) {
         EVP_MD_CTX_free(ctx);
@@ -1056,7 +1056,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
             rb_jump_tag(state);
         }
     }
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
     ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
                            RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
                            RSTRING_LEN(data));

test/openssl/test_asn1.rb

@@ -404,9 +404,6 @@ def test_set
   def test_utctime
     encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b,
       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39))
-    # Seconds is omitted
-    decode_test B(%w{ 17 0B }) + "1609082343Z".b,
-      OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     begin
       # possible range of UTCTime is 1969-2068 currently
       encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b,
@@ -432,8 +429,6 @@ def test_generalizedtime
       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29))
     encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b,
       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
-    decode_test B(%w{ 18 0D }) + "201612081934Z".b,
-      OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     # not implemented
     # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
     #   OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))

test/openssl/test_ssl.rb

@@ -995,6 +995,9 @@ def test_verify_hostname_failure_error_code
   end
 
   def test_connect_certificate_verify_failed_exception_message
+    # Won't fix on the 3.0 branch
+    return if openssl?(3, 1, 0)
+
     start_server(ignore_listener_error: true) { |port|
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params

test/openssl/test_x509req.rb

@@ -39,11 +39,6 @@ def test_version
     assert_equal(0, req.version)
     req = OpenSSL::X509::Request.new(req.to_der)
     assert_equal(0, req.version)
-
-    req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
-    assert_equal(1, req.version)
-    req = OpenSSL::X509::Request.new(req.to_der)
-    assert_equal(1, req.version)
   end
 
   def test_subject
@@ -106,7 +101,7 @@ def test_sign_and_verify_rsa_sha1
     assert_equal(false, req.verify(@rsa2048))
     assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
     assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
-    req.version = 1
+    req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
     assert_equal(false, req.verify(@rsa1024))
   end