EOC octets are required at the end of contents of a constructed encoding
that uses the indefinite length form. This cannot be assumed from the
end of the input. Raise an exception when necessary.
bc20c13a7c
Correctly pass the new object assigned by StringValue() to
ossl_ssl_write_internal_safe().
This is a follow-up to commit 0d8c17aa85 (Reduce
OpenSSL::Buffering#do_write overhead, 2024-12-21).
3ff096196a
The test case test_split_content fails on RHEL 9 and Fedora 41 because
their OpenSSL packages do not accept SHA-1 signatures. This was only
caught after commit 69fd7f8863 added the missing assertion.
While the example PKCS#7 structures could be simply regenerated with
SHA-256, this test case could be simplified because it is checking two
different things.
Replace test_split_content with separate test cases: one verifying
signed-data authenticatedAttributes and another for decoding BER input.
Fixes https://github.com/ruby/openssl/issues/875b32406b0c1
AWS-LC had been decoding the indefinite BER to an unusable output. We
should skip the test until indefinite BER decoding in AWS-LC is
properly fixed.
Changes:
1. AWS-LC will be looking to fix the parsing for indefinite BER
constructed strings in AWS-LC soon, so I've marked the test as `pend`
for now and removed the AWS-LC specific logic at the end.
2. I've added an assertion to verify that `OpenSSL::PKCS7.verify`
behaves correctly before doing content comparisons. I noticed this was
failing initially in AWS-LC, but that will be fixed soon as well. This
shouldn't effect OpenSSL/LibreSSL builds and should improve the test.
69fd7f8863
Commit aa7f03e18f broke test_minmax_version and test_fallback_scsv
on systems using OpenSSL 1.1.1 with a system-wide configuration file
that specifies MinProtocol=TLSv1.2.
20250228T003003Z.fail.html.gz
20250228T003003Z.fail.html.gz
These test cases were already broken before the commit, but they were
being skipped because check_supported_protocol_versions failed to detect
TLS 1.1 support. To avoid affected by the configuration file, explicitly
reset SSLContext#min_version when TLS 1.1 or older is required.
The test cases are also broken with OpenSSL 3.0 or later, but this is
not currently visible because it still fails to detect TLS 1.1 support.
This is caused by the default SSLContext#security_level value, as
OpenSSL 3.0 changed TLS 1.1 to be disabled at level 1.
6d0ea81b5e
As reported in <https://github.com/ruby/ruby/pull/12823>,
check_supported_protocol_versions is unstable and occasionally fails
with Errno::ECONNABORTED during SSLSocket#connect on Windows.
When the server-side SSLContext specifies an unsupported SSL/TLS
protocol version, start_server accepts a TCP connection but closes it
without reading ClientHello, as SSLSocket#accept immediately raises an
exception. With Winsock, this can cause the client-side
SSLSocket#connect to raise Errno::ECONNABORTED.
While the simplest fix is to add rescue Errno::ECONNABORTED, this method
can be simplified. Instead, let's set up a server that accepts all
protocol versions and test client connections with different settings.
aa7f03e18f
The "pend" are no longer necessary, as they work with all OpenSSL
variants we currently support. They were added in OpenSSL 1.1.1 and
LibreSSL 3.8.0. They are also supported by the current AWS-LC release.
This makes the SHA-3 tests run with AWS-LC correctly. AWS-LC does not
report SHA-3 in OpenSSL::Digest.digests.
e1a6e9c081
Starting with LibreSSL 3.5, OpenSSL::X509::ExtensionFactory refuses to
create SAN extensions that are not valid according to RFC 6125. While
this behavior makes sense, we need such invalid extensions to test our
own validation routine. Let's construct SAN extensions manually instead.
b420d6d739
As OpenSSL::OPENSSL_FIPS always returns true on OpenSSL >= 3.0.0, we cannot use
this constant as a flag to check whether the OpenSSL is FIPS or not.
See <d725783c5c/ext/openssl/ossl.c (L994-L1004)>.
Skip the test_fips_mode_get_with_fips_mode_set test in AWS-LC case.
Because we don't test `OpenSSL.fips_mode=` on AWS-LC for now. We cannot change
the value of the `OpenSSL.fips_mode` on AWS-LC.
The `OpenSSL.fips_mode` in AWS-LC behaves as follows.
On AWS-LC non-FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
false
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning on FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
false
```
On AWS-LC FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
true
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning off FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
true
```
fd3e3e722f
The SSL SESSION files we were originally testing against use DHE and
SSLv3. AWS-LC happens to have no support for either and we have newer
possible alternatives available, so I've updated the respective
files to use ECDHE-RSA-AES256-SHA with TLS 1.1 and 1.2. I've verified
that these work as expected with all libcryptos we support.
There are also a few SSL session discrepencies in AWS-LC when
compared to OpenSSL.
1. AWS-LC has no support for internal session caching on the
client-end.
2. AWS-LC supports internal session caching on the server, but
SSL_get1_session does not return a resumable session with TLS 1.3
in AWS-LC. Users have to use the SSL_CTX_sess_set_new_cb
(ctx.session_new_cb in Ruby) to retrieve the resumable session
ticket.
3. AWS-LC has no current support for external session caching in TLS
1.3.
ca384b8e2f
There are a few SSL discrepencies in AWS-LC when compared to OpenSSL.
1. AWS-LC has slightly different error messages (in all-caps).
2. AWS-LC has no support for DHE ciphersuites.
3. There are no concepts of SSL security levels within AWS-LC.
4. Similar to LibreSSL, there is no support for OPENSSL_CONF.
a60d050342
We reecently tweaked some break tests in test_pkey_dh.rb due to
different behavior with OpenSSL in FIPS mode.
AWS-LC does not inherit the same specific behavior, so tests
have been adjusted accordingly.
3117897dbc
EVP_DigestVerify in OpenSSL returns 0 to indicate a signature
verification failure and can return -1 to indicate other
failures, such as invalid ASN1 contents. ruby/openssl also
reflects that by returning false with 0 and raising an error
with -1.
EVP_DigestVerify in AWS-LC simply returns 0 for any failure.
be8ba76dc1
OpenSSL allows invalid EC keys or DH params to be parsed. The consuming
application can then run parameter/key checks to check the validity of
the parameters. We happen to run tests to verify that this behaves as
expected.
AWS-LC on the other hand, directly raises an error and disallows the
invalid state to be parsed, rather than making it parsable and checking
the validity later. Relevant tests have been adjusted accordingly to
reflect this.
febe50be1b
1. AWS-LC has no support for SMIME with PKCS7. That may change in the
near future, so I've marked that with "pend" for now.
2. AWS-LC doesn't support printing of PKCS7 contents with
PKCS7_print_ctx.
3. OpenSSL traditionally used indefinite-length encoding with
ASN1_TFLG_NDEF in its implementation for PKCS7 EncryptedContent.
AWS-LC uses explicit OCTET STRING headers to encode instead,
which leads to a slight difference in serialized ASN1 contents
from the two libraries.
78c585a9c2
AWS-LC's ASN1 parsing capabilities led to us examine some of our
ASN1 tests. One test in test_asn1.rb happens to use a tag number
of 8224. There are concerns with larger UNIVERSAL tags being
ambiguous with negative ASN1 Integers, so I've adjusted the test
to use CONTEXT_SPECIFIC instead with the same tag number (8224).
c73d9985ab
AWS-LC has a few minor functionalities removed from NCONF_get_string.
1. Expanding of $foo to a previously-parsed value was removed.
2. OpenSSL falls back to using "default" with an unknown "section".
AWS-LC does not support this behavior.
3. AWS-LC does not support parsing environment variables with "ENV"
like LibreSSL.
e8de3bbd1e
AWS-LC's FIPS mode is decided at compile time. FIPS in AWS-LC can't be
toggled on and off like OpenSSL, so tests that attempt to do so are
incompatible.
027de6732d
OpenSSL::SSL::SSLContext#cert_store= uses SSL_CTX_set_cert_store(). The
store is used for verifying peer certificates and for building
certificate chains to be sent to the peer if there is no chain
explicitly provided by SSLContext#extra_chain_cert=.
Do not specify it in the common test helper start_server, as most
callers do not require either function. Instead, update individual test
cases that use client certificates to explicitly specify it in ctx_proc.
A more direct test case is added to verify the latter function.
9daecee615
While it is not useful alone, it is still a valid content type. Some
methods on OpenSSL::PKCS7 are only meant to work with the signed-data
or enveloped-data content type. Add some assertions for their behavior
with unsupported content types. The next patches will update the
relevant code.
adb42b5b84
CI Changes
1. I've split the original patch up to make it easier to digest, but
that forces my hand to turn off testing in the AWS-LC CI for the time
being. However, do let me know if you would prefer to review the test
adjustments in the same PR and I can remove the temporary CI workaround.
2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations
to alert the consuming application of these. I've leveraged the
skip-warnings CI option so that the build doesn't fail.
Build Adjustments
1. AWS-LC FIPS mode is decided at compile time. This is different from
OpenSSL's togglable FIPS switch, so I've adjusted the build to account
for this.
2. AWS-LC does not support for the two KEY_SIG or KEY_EX flags that were
only ever supported by old MSIE.
3. AWS-LC has no current support for post handshake authentication in
TLS 1.3.
4. EC_GROUP structures for named curves in AWS-LC are constant, static,
and immutable by default. This means that the EC_GROUP_set_* functions
are essentially no-ops due to the immutability of the structure. We've
introduced a new API for consumers that depend on the OpenSSL's default
mutability of the EC_GROUP structure called
EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of
functionality that's dependent on the mutability of these structures,
I've made the corresponding adjustments to allow things to work as
expected.
e53ec5a101
assert_handshake_error is useful for checking handshake failures
triggered by the peer, as the underlying socket may be closed
prematurely, leading to different exceptions depending on the platform
and timing.
However, when the local end aborts a handshake, the only possible
exception is OpenSSL::SSL::SSLError. Use stricter assertions in such
cases.
637ba65818
The list of NPN protocols is validated in SSLContext#setup.
The assert_handshake_error is misleading. The client is unable to start
a handshake at all because the server is not running.
e8db6ffd9e
Use start_server instead of start_server_version.
start_server_version is a wrapper around start_server that forces the
server to a specific protocol version using the now-deprecated method
SSLSocket#ssl_version=, but it does more than that. The slightly
different method signature and default values are confusing. Let's
use start_server directly.
22ed31d77e
The method has two forms, each corresponding to EC_POINT_mul() and
EC_POINTs_mul(). The latter form does not work with any OpenSSL or
LibreSSL versions that are still supported by upstream.
The latter form has an extremely confusing behavior, too, and using it
would print a deprecation warning since commit 812de4253d in 2020,
which went to 3.0.0. Let's remove it.
7343d3c559
Make these methods simple wrappers around
SSL_CTX_set_{min,max}_proto_version().
When we introduced these methods in commit 18603949d3 [1], which went
to v2.1.0, we added a private method to SSLContext that set both the
minimum and maximum protocol versions at the same time. This was to
allow emulating the behavior using SSL options on older OpenSSL versions
that lack SSL_CTX_set_{min,max}_proto_version(). Since we no longer
support OpenSSL 1.0.2, the related code has already been removed.
In OpenSSL 1.1.1 or later, setting the minimum or maximum version to 0
is not equivalent to leaving it unset. Similar to SSL options, which we
avoid overwriting as of commit 00bec0d905 and commit 77c3db2d65 [2],
a system-wide configuration file may define a default protocol version
bounds. Setting the minimum version should not unset the maximum
version, and vice versa.
[1] https://github.com/ruby/openssl/pull/142
[2] https://github.com/ruby/openssl/pull/7675766386321
Call ossl_pkey_check_public_key() to ensure that
EVP_PKEY_missing_parameters() passes. This check should be cheap.
DSA#{to_der,to_pem,export,to_s} and PKey#{public_to_der,public_to_pem}
cause a segfault if the receiver is an empty DSA instance with no
parameters set.
Fixes <https://github.com/ruby/openssl/issues/845>.
5aeed935e5
The benchmark library is planned to become a bundled gem in Ruby 3.5.
While we can add it in our Gemfile, it is only used in
test_memcmp_timing and the usage can be easily replaced with a few
Process.clock_gettime calls.
9a746ed1a4
The returned Hash from these methods contain 0 in place of a missing
parameter in the key, for example:
pkey = OpenSSL::PKey.read(OpenSSL::PKey::RSA.new(2048).public_to_pem)
pp pkey.params
#=>
# {"n"=>#<OpenSSL::BN 2869346734[...snip]>,
# "e"=>#<OpenSSL::BN 65537>,
# "d"=>#<OpenSSL::BN 0>,
# "p"=>#<OpenSSL::BN 0>,
# "q"=>#<OpenSSL::BN 0>,
# "dmp1"=>#<OpenSSL::BN 0>,
# "dmq1"=>#<OpenSSL::BN 0>,
# "iqmp"=>#<OpenSSL::BN 0>}
Let's use nil instead, which is more appropriate for indicating a
missing value.
f247ec3dec
Commit 3bbf5178a9 made blocking methods on SSLSocket follow the
IO#timeout= value. The commit changed io_wait_readable() to potentially
raise an exception without unlocking the String.
The String is currently locked for the entire duration of a #sysread
method call. This does not seem to be necessary, as SSL_read() does not
require that the same buffer is specified when retrying. Locking the
String during each SSL_read() call should be sufficient.
8f791d73f5
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:
- Debian 9 (EOL 2022-06)
- Ubuntu 18.04 LTS (EOL 2023-04)
ba83abe920
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.
Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:
- RHEL 7 (EOL 2024-06)
- Ubuntu 16.04 LTS (EOL 2021-04)
- Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
the openssl11{,-devel} package)
38ec6fd50e
This reverts the change made to this test case in commit a0e98d48c9
(Enhance TLS 1.3 support on LibreSSL 3.2/3.3, 2020-12-03).
Part of the test case was skipped on LibreSSL because LibreSSL 3.2.2
introduced a stricter check during creation of the extension. The check
was then relaxed in LibreSSL 3.4.0.
187b176ecd
