OpenSSL::X509::StoreContext#current_cert returns an empty and invalid
OpenSSL::X509::Certificate instance if it is called before starting a
certificate verification.
https://redirect.github.com/ruby/openssl/pull/919 will change it to
return nil instead in such a case.
Adjust test_verify_certificate_extra_message to actually complete
StoreContext#verify so that it will not rely on this behavior.
823799088d
There are several issues with these which I'm not sure I'll have time to
address properly. I prefer to keep our default branch in a releasable
state just in case. Once they are fixed, this can be reverted.
We now run specs against a single version, so I prefer to keep a single
branch. Once we bump the major version, this will need very little
updates, and that seems fine.
3866d25a00
This reverts commit 4e8bbb07dd.
It broke RubyGems tests:
20250727T123003Z.fail.html.gz
OpenSSL::X509::StoreContext#current_cert incorrectly calls
ossl_x509_new() with NULL to create a bogus Certificate object, and a
test case in RubyGems relies on it. This will be reapplied when both
are fixed.
Among functions named ossl_*_new(), ossl_pkey_new() is now the only one
that takes ownership of the passed OpenSSL object instead of making a
copy or incrementing its reference counter. Rename it to make this
behavior easier to understand.
54c1c26eb5
Likewise, let it take a const pointer and not the ownership of the
OpenSSL object.
This fixes potential memory leak in OpenSSL::OCSP::BasicResponse#status.
7e0288ebbd
Similar to most of the other ossl_*_new() functions, let it take a const
pointer and make a copy of the object.
This also fixes a potential memory leak when the wrapper object
allocation fails.
eaabf6d8a3
Currently, calling ossl_bn_new() with a NULL argument allocates a new
OpenSSL::BN instance representing 0. This behavior is confusing. Raise
an exception if this is attempted, instead.
6fa793d997
This list was originally in alphabetical order. Sort it again.
This change should be safe since the .rb sources should only depend on
the extension and not each other.
eb3998728a
The key files were created by the following commands.
```
$ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \
-algorithm mldsa65 \
-out mldsa65-1.pem
$ ${HOME}/.local/openssl-3.6.0-dev-fips-debug-8253b58d60/bin/openssl genpkey \
-algorithm mldsa65 \
-out mldsa65-2.pem
```
PQC algorithms, ML-KEM (FIPS 203) and ML-DSA (FIPS 204) used in the PQC tests
are supported on OpenSSL 3.5 or later.
https://openssl-library.org/post/2025-04-08-openssl-35-final-release/f3bb316018
If `load_uint8x16_4` has an external linkage, it is defined in
both `generator` and `parser` extension libraries. This duplicate
symbol causes a linker error when `--with-static-linked-ext` is
given, on some platforms.
020693b17a
- The `bundle plugin uninstall --all` was missing.
- The `bundle plugin install --local-git` was missing due to being
deprecated. We decided to reintroduce the doc for more clarity.
4da252945c
- Ref #8802
- ### Problem
Whenever a bundler command options is added, we want to make
sure that the associated command man page is updated to reflect
the new option (e.g. this mistake was made in #8624)
### Solution
In #8802 we discussed a bit on the implementation which would rely
on parsing ronn files and introduce some conventions on how options
documented in man pages should be written.
I figured I would try a simpler approach by just checking if the man
page of a command list options using a simple regex.
Pros:
- Simpler as we don't have to parse ronn files.
- No need to modify all existing man pages.
Cons:
- We can only verify one way (CLI options -> man pages).
If a CLI option get removed, we won't be able to warn that
the existing document man page option needs to be removed.
e10e60bd33
Running everything in `bundled_app` by default causes the `bundled_app`
helper to be used everytime, and that will create a scoped bundled_app
folder if it does not exist. That causes `bin/rake spec:deps` to create
an empty `tmp/2.1/bundled_app` folder which is a bit weird.
This commit changes specs to not switch to a (possibly empty)
bundled_app directory when not necessary (for example, when running
`gem` commands in order to setup test dependencies).
4bf89c0705
Previously this was listed as a suppression, but we actually want this
permanently unsanitized. This should be faster and more reliable since
TASN won't have to match against symbolicated backtraces.
This introduces a new method to encapsulate checking whether the current
Ractor owns the vm->ractor.sync lock. This allows us to disable TSan on
it since that operation should be safe, and still get validation of
other uses.
