Backport test fixes to 3.0 #751

Merged
merged 6 commits into from Apr 30, 2024

@rhenium rhenium commented Apr 30, 2024

Let's make GitHub Actions happy before making a patch release.

botovq and others added 6 commits May 1, 2024 01:12
[ This is a backport to the 3.0 branch. ]

LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.

(cherry picked from commit 475b2bf)
[ This is a backport to the 3.0 branch. ]

LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:

> - The ASN.1 time parser has been refactored and rewritten using CBS.
>   It has been made stricter in that it now enforces the rules from
>   RFC 5280.

[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt

(cherry picked from commit bbc540f)
… second.

[ This is a backport to the 3.0 branch. ]

This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without seconds invalid, we drop the assertions.

```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
     430:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
     431:     # LibreSSL 3.6.0 requires the seconds element
     432:     return if libressl?
  => 433:     decode_test B(%w{ 18 0D }) + "201612081934Z".b,
     434:       OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
     435:     # not implemented
     436:     # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,

2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
     408:     end
     409:     # Seconds is omitted. LibreSSL 3.6.0 requires it
     410:     return if libressl?
  => 411:     decode_test B(%w{ 17 0B }) + "1609082343Z".b,
     412:       OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
     413:     # not implemented
     414:     # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```

(cherry picked from commit 2e826d5)
[ This is a backport to the 3.0 branch. ]

RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```

(cherry picked from commit c06fdeb)
[ This is a backport to the 3.0 branch. ]

Backport changes made to .github/workflows/test.yml in master branch,
except:

 - Minimum version is Ruby 2.6
 - FIPS-mode related changes are excluded (as it's not supported)

This includes the following commits:

	fcf53d5 CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
	567b412 CI: Upgrade OpenSSL and LibreSSL versions.
	405f1ee CI: Add OpenSSL no-legacy case.
	9a99583 CI: Upgrade OpenSSL and LibreSSL versions.
	6feeeb8 CI: Add the rubyinstaller2 issue link that legacy provider is not loaded.
	7aed35a Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
	adfb6bb CI: Add OpenSSL 3.2.0.
	fafe1af CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
	f07e6f5 CI: Upgrade OpenSSL and LibreSSL versions.
	0dda88d Merge pull request ruby#682 from ruby/dependabot/github_actions/actions/checkout-4
	0b83eed Rakefile: Add test_fips task for convenience.
	b94314f Bump actions/checkout from 3 to 4
	8c7a6a1 Remove OSSL_DEBUG compile-time option
	e35f190 CI: Replace "mode" in "FIPS mode" with "module".
	61434f6 Rakefile: Print FIPS information in the `rake debug`.
	7ec8024 CI: Add OpenSSL master branch head non-FIPS and FIPS cases.
	24d8add CI: Upgrade OpenSSL versions.
	fddfc55 CI: Add OpenSSL 3.1 FIPS case.
	58ce7fa .github/workflows/test.yml: add provider load path for Windows
	f6e57e1 CI: Fix a typo in the comment. [ci skip]
	52402f6 CI: Check compiler warnings.
	f6ba75e Drop support for Ruby 2.6
	3456770 CI: Upgrade OpenSSL and LibreSSL versions.
	79786ca CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).
	8149cdf CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.
	08e1981 CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.
	121b3b2 Revert "CI: Enable the verbose mode in the mkmf.rb."
	a832f5c CI: Enable the verbose mode in the mkmf.rb.
	18b0172 CI: Add OpenSSL FIPS mode case.
	af27f50 .github/workflows/test.yml: Update OpenSSL versions
	d277123 skip failing test with truffleruby and ubuntu-22.04
	25352f4 Exclude truffleruby with macos-latest
	d7f90c7 Fix missing needs call
	0640664 Try to run with TruffleRuby
	aeee125 Use ruby/actions/.github/workflows/ruby_versions.yml@master
	fd40742 .github/workflows/test.yml: update LibreSSL versions
	ff2fe4b Strip trailing spaces [ci skip]
	9c24dcc Actions - Use Ubuntu 20.04 for 1.1.1 CI, misc fixes
	cc876f5 [CI] test.yml - test-openssls - use 1.1.1q, 3.0.5
	0fb8d1b [CI] add Ubuntu-22.04 and update mswin, all are OpenSSL 3
	1588686 Merge pull request ruby#505 from ruby/update-actions
	9f901dc Test on LibreSSL 3.4 and 3.5
	f2d072c Use actions/checkout@v3
	699e274 Added 3.1
	b28df90 Install openssl with vcpkg on mswin
…n_message

[ This patch only applies to the 3.0 and 3.1 branch. ]

It is a test case for SSLSocket generating an informative error message
on a certificate verification failure. A change in OpenSSL 3.1 broke it
and a generic error message is currently generated.

This is fixed in the 3.2 branch by commit 5113777, but I decided
not to backport the commit to the 3.0 branch because the diff doesn't
apply cleanly.
@rhenium rhenium merged commit 3bdde7d into ruby:maint-3.0 Apr 30, 2024
50 checks passed
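
The two failing encodings in the test output above omit the seconds field, which RFC 5280 requires. As an added example (not code from ruby/openssl or this pull request), the pure-Ruby check below classifies DER time values the way a strict parser would; `check_der_time`, `der_time` and the verdict symbols are hypothetical names, and the two valid samples are constructed.

```ruby
# RFC 5280 section 4.1.2.5: UTCTime is YYMMDDHHMMSSZ and GeneralizedTime is
# YYYYMMDDHHMMSSZ. Seconds are mandatory and the zone is always "Z".
YEAR_DIGITS = { 0x17 => [:utctime, 2], 0x18 => [:generalizedtime, 4] }.freeze

# Hypothetical helper: wrap a time string in a short-form DER header.
def der_time(tag, text)
  [tag, text.bytesize].pack("CC") + text.b
end

# Hypothetical helper (not ruby/openssl API): classify one DER time value.
# Returns [type, verdict]; verdict is :ok or why a strict parser rejects it.
def check_der_time(der)
  der = der.b
  type, y = YEAR_DIGITS[der.getbyte(0)]
  return [:unknown, :not_a_time_tag] unless type
  len = der.getbyte(1)
  return [type, :bad_length] if len.nil? || len >= 0x80 || der.bytesize != len + 2
  case der.byteslice(2, len)
  when /\A\d{#{y + 8}}Z\z/         then [type, :seconds_missing]
  when /[+-]\d{4}\z/               then [type, :non_utc_offset]
  when /\A\d{#{y + 10}}[.,]\d+Z\z/ then [type, :fractional_seconds]
  when /\A\d{#{y}}(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)Z\z/
    mon, day, hour, min, sec = $~.captures.map(&:to_i)
    # Coarse range check only; month lengths and leap years are not modelled.
    ok = mon.between?(1, 12) && day.between?(1, 31) &&
         hour <= 23 && min <= 59 && sec <= 59
    [type, ok ? :ok : :field_out_of_range]
  else
    [type, :malformed]
  end
end

# The first four strings are the encodings named in the test output above;
# the last two are constructed valid values.
SAMPLES = [
  [0x17, "1609082343Z"], [0x18, "201612081934Z"],
  [0x17, "500908234339+0930"], [0x18, "20161208193439+0930"],
  [0x17, "160908234339Z"], [0x18, "99990908234339Z"],
].freeze

def classify_samples
  SAMPLES.map { |tag, text| [text, check_der_time(der_time(tag, text))] }.to_h
end

classify_samples.each { |text, (type, verdict)| puts "#{type} #{text}: #{verdict}" }
```

Running the same check over time fields extracted from certificates or CRLs in a test corpus shows which fixtures will stop decoding once the underlying library enforces the RFC 5280 forms.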