Merge branch 'maint-3.1' into maint-3.2
* maint-3.1:
  .github/workflows/test.yml: synchronize with master
  pkcs7: fix memory leak in error path of PKCS7.new and .read_smime
  asn1: fix ObjectId#==
  x509: fix handling of multiple URIs in Certificate#crl_uris
  test_x509cert.rb: break up test_extension into smaller units
rhenium committed Nov 12, 2024
2 parents 0b0a0df + 68fd941 commit 509fc7f
Showing 6 changed files with 194 additions and 127 deletions.
144 changes: 68 additions & 76 deletions .github/workflows/test.yml
Expand Up @@ -8,6 +8,7 @@ jobs:
with:
engine: cruby-truffleruby
min_version: 2.7

test:
needs: ruby-versions
name: >-
Expand All @@ -20,12 +21,8 @@ jobs:
os: [ ubuntu-22.04, ubuntu-20.04, macos-latest, windows-latest ]
ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
exclude:
# uses non-standard MSYS2 OpenSSL 3 package
- { os: windows-latest, ruby: head }
- { os: windows-latest, ruby: truffleruby }
- { os: windows-latest, ruby: truffleruby-head }
- { os: macos-latest, ruby: truffleruby }
- { os: ubuntu-20.04, ruby: truffleruby }
include:
- { os: windows-latest, ruby: ucrt }
- { os: windows-latest, ruby: mswin }
Expand All @@ -38,44 +35,43 @@ jobs:
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}

- name: depends
run: bundle install
bundler-cache: true # `bundle install` and cache

# Enable the verbose option in mkmf.rb to print the compiling commands.
- name: enable mkmf verbose
run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
if: runner.os == 'Linux' || runner.os == 'macOS'

- name: set flags to check compiler warnings.
- name: set flags to check compiler warnings
run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
if: ${{ !matrix.skip-warnings }}

- name: compile
run: rake compile
- name: rake compile
run: bundle exec rake compile

- name: test
run: rake test TESTOPTS="-v --no-show-detail-immediately"
- name: rake test
run: bundle exec rake test TESTOPTS="-v --no-show-detail-immediately"
timeout-minutes: 5

test-openssls:
name: >-
${{ matrix.openssl }} ${{ matrix.name-extra || '' }}
runs-on: ${{ matrix.os }}
${{ matrix.openssl }} ${{ matrix.name-extra }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
ruby: [ "3.0" ]
name-extra: [ '' ]
openssl:
# https://www.openssl.org/source/
# https://openssl-library.org/source/
- openssl-1.0.2u # EOL
- openssl-1.1.0l # EOL
- openssl-1.1.1w # EOL
- openssl-3.0.13
- openssl-3.1.5
- openssl-3.2.1
- openssl-3.3.0
- openssl-1.1.1w # EOL 2023-09-11, still used by RHEL 8 and Ubuntu 20.04
- openssl-3.0.15 # Supported until 2026-09-07
- openssl-3.1.7 # Supported until 2025-03-14
- openssl-3.2.3 # Supported until 2025-11-23
- openssl-3.3.2 # Supported until 2026-04-09
- openssl-3.4.0 # Supported until 2026-10-22
- openssl-master
# http://www.libressl.org/releases.html
- libressl-3.1.5 # EOL
- libressl-3.2.7 # EOL
Expand All @@ -84,93 +80,89 @@ jobs:
- libressl-3.5.3 # EOL
- libressl-3.6.3 # EOL
- libressl-3.7.3 # EOL
- libressl-3.8.4
- libressl-3.9.1
fips-enabled: [ false ]
- libressl-3.8.4 # EOL 2024-10-16
- libressl-3.9.2 # Supported until 2025-04-05
- libressl-4.0.0
include:
- { os: ubuntu-latest, ruby: "3.0", openssl: openssl-3.0.10, fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
- { os: ubuntu-latest, ruby: "3.0", openssl: openssl-3.1.2, fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
- { os: ubuntu-latest, ruby: "3.0", openssl: openssl-head, git: 'https://github.com/openssl/openssl.git', branch: 'master' }
- { os: ubuntu-latest, ruby: "3.0", openssl: openssl-head, git: 'https://github.com/openssl/openssl.git', branch: 'master', fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
- { name-extra: 'with fips provider', openssl: openssl-3.0.15, fips-enabled: true }
- { name-extra: 'with fips provider', openssl: openssl-3.1.7, fips-enabled: true }
- { name-extra: 'with fips provider', openssl: openssl-3.2.3, fips-enabled: true }
- { name-extra: 'with fips provider', openssl: openssl-3.3.2, fips-enabled: true }
- { name-extra: 'without legacy provider', openssl: openssl-3.4.0, append-configure: 'no-legacy' }
steps:
- name: repo checkout
uses: actions/checkout@v4

- name: prepare openssl
- id: cache-openssl
uses: actions/cache@v4
with:
path: ~/openssl
key: openssl-${{ runner.os }}-${{ matrix.openssl }}-${{ matrix.append-configure || 'default' }}
if: matrix.openssl != 'openssl-master' && matrix.openssl != 'libressl-master'

- name: Compile OpenSSL library
if: steps.cache-openssl.outputs.cache-hit != 'true'
run: |
# Enable Bash debugging option temporarily for debugging use.
set -x
mkdir -p tmp/build-openssl && cd tmp/build-openssl
case ${{ matrix.openssl }} in
openssl-*)
if [ -z "${{ matrix.git }}" ]; then
curl -OL https://openssl.org/source/${{ matrix.openssl }}.tar.gz
tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
else
git clone -b ${{ matrix.branch }} --depth 1 ${{ matrix.git }} ${{ matrix.openssl }}
cd ${{ matrix.openssl }}
# Log the commit hash.
echo "Git commit: $(git rev-parse HEAD)"
fi
openssl-1.*)
OPENSSL_COMMIT=$(echo ${{ matrix.openssl }} | sed -e 's/^openssl-/OpenSSL_/' | sed -e 's/\./_/g')
git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git .
echo "Git commit: $(git rev-parse HEAD)"
# shared is required for 1.0.x.
./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
shared linux-x86_64 ${{ matrix.append-configure }}
make depend
./Configure --prefix=$HOME/openssl --libdir=lib shared linux-x86_64
make depend && make -j4 && make install_sw
;;
openssl-*)
OPENSSL_COMMIT=${{ matrix.openssl == 'openssl-master' && 'master' || matrix.openssl }}
git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git .
echo "Git commit: $(git rev-parse HEAD)"
./Configure --prefix=$HOME/openssl --libdir=lib enable-fips ${{ matrix.append-configure }}
make -j4 && make install_sw && make install_fips
;;
libressl-*)
curl -OL https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${{ matrix.openssl }}.tar.gz
tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
./configure --prefix=$HOME/.openssl/${{ matrix.openssl }}
curl -L https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${{ matrix.openssl }}.tar.gz | \
tar xzf - --strip-components=1
./configure --prefix=$HOME/openssl
make -j4 && make install
;;
*)
false
;;
esac
make -j4
make install_sw
- name: prepare openssl fips
run: make install_fips
working-directory: tmp/build-openssl/${{ matrix.openssl }}
if: matrix.fips-enabled

- name: set the open installed directory
run: >
sed -e "s|OPENSSL_DIR|$HOME/.openssl/${{ matrix.openssl }}|"
tool/openssl_fips.cnf.tmpl > tmp/openssl_fips.cnf
if: matrix.fips-enabled

- name: set openssl config file path for fips.
run: echo "OPENSSL_CONF=$(pwd)/tmp/openssl_fips.cnf" >> $GITHUB_ENV
if: matrix.fips-enabled
- name: load ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}

- name: depends
run: bundle install
ruby-version: '3.0'
bundler-cache: true

- name: enable mkmf verbose
run: echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
if: runner.os == 'Linux' || runner.os == 'macOS'

- name: set flags to check compiler warnings.
- name: set flags to check compiler warnings
run: echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
if: ${{ !matrix.skip-warnings }}

- name: compile
run: rake compile -- --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
- name: rake compile
run: bundle exec rake compile -- --with-openssl-dir=$HOME/openssl

- name: test
run: rake test TESTOPTS="-v --no-show-detail-immediately"
- name: setup OpenSSL config file for fips
run: |
sed -e "s|OPENSSL_DIR|$HOME/openssl|" tool/openssl_fips.cnf.tmpl > tmp/openssl_fips.cnf
echo "OPENSSL_CONF=$(pwd)/tmp/openssl_fips.cnf" >> $GITHUB_ENV
if: matrix.fips-enabled

- name: rake test
run: bundle exec rake test TESTOPTS="-v --no-show-detail-immediately"
timeout-minutes: 5
if: ${{ !matrix.fips-enabled }}

# Run only the passing tests on the FIPS module as a temporary workaround.
# TODO Fix other tests, and run all the tests on FIPS module.
- name: test on fips module
run: |
rake test_fips TESTOPTS="-v --no-show-detail-immediately"
- name: rake test_fips
run: bundle exec rake test_fips TESTOPTS="-v --no-show-detail-immediately"
timeout-minutes: 5
if: matrix.fips-enabled
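Review bot: The `libressl-*)` branch pipes the tarball from ftp.openbsd.org straight into tar with no integrity check, and the result is installed under `~/openssl` and then persisted by the `actions/cache` step, so a corrupted or substituted archive would be compiled once and reused by later runs until the cache key changes. LibreSSL publishes a SHA256 file alongside each release, so I would download to disk and check a digest pinned per matrix entry before extracting: `curl -fsSLO https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${{ matrix.openssl }}.tar.gz`, `echo "${{ matrix.sha256 }}  ${{ matrix.openssl }}.tar.gz" | sha256sum -c -`, then `tar xzf ${{ matrix.openssl }}.tar.gz --strip-components=1`. The `-f` flag also makes curl fail on an HTTP error instead of feeding an error page to tar, which matters here because the step sets no `shell:` and, if I read the runner default correctly, runs without `pipefail`. The OpenSSL branches clone a tag by name with no pin either; logging the commit hash helps after the fact but does not stop a moved tag from being built and cached.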
43 changes: 19 additions & 24 deletions ext/openssl/ossl_asn1.c
Expand Up @@ -1298,30 +1298,6 @@ ossl_asn1obj_get_ln(VALUE self)
return ret;
}

/*
* call-seq:
* oid == other_oid => true or false
*
* Returns +true+ if _other_oid_ is the same as _oid_
*/
static VALUE
ossl_asn1obj_eq(VALUE self, VALUE other)
{
VALUE valSelf, valOther;
int nidSelf, nidOther;

valSelf = ossl_asn1_get_value(self);
valOther = ossl_asn1_get_value(other);

if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
ossl_raise(eASN1Error, "OBJ_txt2nid");

if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
ossl_raise(eASN1Error, "OBJ_txt2nid");

return nidSelf == nidOther ? Qtrue : Qfalse;
}

static VALUE
asn1obj_get_oid_i(VALUE vobj)
{
Expand Down Expand Up @@ -1366,6 +1342,25 @@ ossl_asn1obj_get_oid(VALUE self)
return str;
}

/*
* call-seq:
* oid == other_oid => true or false
*
* Returns +true+ if _other_oid_ is the same as _oid_.
*/
static VALUE
ossl_asn1obj_eq(VALUE self, VALUE other)
{
VALUE oid1, oid2;

if (!rb_obj_is_kind_of(other, cASN1ObjectId))
return Qfalse;

oid1 = ossl_asn1obj_get_oid(self);
oid2 = ossl_asn1obj_get_oid(other);
return rb_str_equal(oid1, oid2);
}

#define OSSL_ASN1_IMPL_FACTORY_METHOD(klass) \
static VALUE ossl_asn1_##klass(int argc, VALUE *argv, VALUE self)\
{ return rb_funcall3(cASN1##klass, rb_intern("new"), argc, argv); }
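Review bot: The rewritten `ossl_asn1obj_eq` compares the dotted-decimal strings from `ossl_asn1obj_get_oid`, and that conversion can presumably raise ASN1Error when a value is neither a registered name nor a valid OID string (its body lies mostly above this hunk, so confirm), which the call-seq comment above the function does not mention. I would extend it to `Returns +true+ if _other_oid_ is an ObjectId whose dotted-decimal OID equals that of _oid_, +false+ for any other object. Raises ASN1Error if either value cannot be converted to an OID.` Note also that only `==` is defined here, so two equal ObjectIds still do not collapse as Hash keys or under `uniq`; if that is intended, `eql?` and `hash` should be defined alongside in a follow-up.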
8 changes: 6 additions & 2 deletions ext/openssl/ossl_pkcs7.c
Expand Up @@ -167,8 +167,10 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
BIO_free(in);
if (!pkcs7)
ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
if (!pkcs7->d.ptr)
if (!pkcs7->d.ptr) {
PKCS7_free(pkcs7);
ossl_raise(ePKCS7Error, "No content in PKCS7");
}

data = out ? ossl_membio2str(out) : Qnil;
SetPKCS7(ret, pkcs7);
Expand Down Expand Up @@ -350,8 +352,10 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
BIO_free(in);
if (!p7)
ossl_raise(rb_eArgError, "Could not parse the PKCS7");
if (!p7->d.ptr)
if (!p7->d.ptr) {
PKCS7_free(p7);
ossl_raise(rb_eArgError, "No content in PKCS7");
}

RTYPEDDATA_DATA(self) = p7;
PKCS7_free(p7_orig);
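Review bot: In `ossl_pkcs7_s_read_smime` the new error branch frees `pkcs7` but not `out`; `SMIME_read_PKCS7` hands back a BIO holding the detached content through `out` on success, which is exactly the case where the PKCS7 may still have a missing content pointer, so that BIO would still leak on this path (the declaration of `out` is above the hunk, so confirm it starts NULL). I would release both: `if (!pkcs7->d.ptr) { BIO_free(out); PKCS7_free(pkcs7); ossl_raise(ePKCS7Error, "No content in PKCS7"); }`. The `!pkcs7` branch just above could take the same `BIO_free(out)` for symmetry; it is harmless on a NULL pointer. `ossl_pkcs7_initialize` continues past the end of the hunk.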
10 changes: 5 additions & 5 deletions lib/openssl/x509.rb
Expand Up @@ -122,8 +122,8 @@ module CRLDistributionPoints
include Helpers

# Get the distributionPoint fullName URI from the certificate's CRL
# distribution points extension, as described in RFC5280 Section
# 4.2.1.13
# distribution points extension, as described in RFC 5280 Section
# 4.2.1.13.
#
# Returns an array of strings or nil or raises ASN1::ASN1Error.
def crl_uris
Expand All @@ -135,19 +135,19 @@ def crl_uris
raise ASN1::ASN1Error, "invalid extension"
end

crl_uris = cdp_asn1.map do |crl_distribution_point|
crl_uris = cdp_asn1.flat_map do |crl_distribution_point|
distribution_point = crl_distribution_point.value.find do |v|
v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
end
full_name = distribution_point&.value&.find do |v|
v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
end
full_name&.value&.find do |v|
full_name&.value&.select do |v|
v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
end
end

crl_uris&.map(&:value)
crl_uris.empty? ? nil : crl_uris.map(&:value)
end
end

17 changes: 12 additions & 5 deletions test/openssl/test_asn1.rb
Expand Up @@ -326,7 +326,9 @@ def test_object_identifier
oid = (0...100).to_a.join(".").b
obj = OpenSSL::ASN1::ObjectId.new(oid)
assert_equal oid, obj.oid
end

def test_object_identifier_equality
aki = [
OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier"),
OpenSSL::ASN1::ObjectId.new("X509v3 Authority Key Identifier"),
Expand All @@ -341,17 +343,22 @@ def test_object_identifier

aki.each do |a|
aki.each do |b|
assert a == b
assert_equal true, a == b
end

ski.each do |b|
refute a == b
assert_equal false, a == b
end
end

assert_raise(TypeError) {
OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil
}
obj1 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.10")
obj2 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.10")
obj3 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.11")
omit "OID 1.2.34.56789.10 is registered" if obj1.sn
assert_equal true, obj1 == obj2
assert_equal false, obj1 == obj3

assert_equal false, OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil
end

def test_sequence
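Review bot: The new `test_object_identifier_equality` pins `== nil` returning false and equality of registered aliases, but nothing exercises the error path the rewritten `==` now has: comparison goes through the dotted-decimal conversion, which presumably raises ASN1Error for a value that is neither a known name nor a valid OID (confirm against `ObjectId#oid`). If `ObjectId.new` accepts such a value without validating it, I would add `assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1::ObjectId.new("not-an-oid") == obj1 }` so a later change cannot silently turn that into a false result. A mixed-form case such as `assert_equal true, OpenSSL::ASN1::ObjectId.new("2.5.29.35") == aki[0]` would also pin that a numeric string and its registered name compare equal.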