Add more test coverage for Ruby/OpenSSL gem #2085

Merged
merged 1 commit into from
Dec 31, 2024
@@ -0,0 +1,22 @@
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index a24f5e0..26ab754 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -167,6 +167,8 @@ def test_session_reuse
def test_session_reuse_but_expire
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 1.1.0h')
+ # "AWS-LC does not support internal session caching on the client".
+ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('AWS-LC')

http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
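Review bot: The new `omit` in test_session_reuse_but_expire matches any library string containing 'AWS-LC', and its comment is a quotation with no source. The FIXME above it pins its skip to one release ('OpenSSL 1.1.0h'), whereas this one skips the session-expiry test on every AWS-LC build. Cite where the quoted statement comes from so the skip can be revisited if client-side session caching is ever supported.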
@@ -237,7 +239,7 @@ def test_certificate_verify_failure
ex = assert_raise(OpenSSL::SSL::SSLError){
http.request_get("/") {|res| }
}
- assert_match(/certificate verify failed/, ex.message)
+ assert_match(/certificate verify failed|CERTIFICATE_VERIFY_FAILED/, ex.message)
unless /mswin|mingw/ =~ RUBY_PLATFORM
# on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
# WEBrick
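Review bot: In test_certificate_verify_failure the widened pattern has no comment saying which library produces the `CERTIFICATE_VERIFY_FAILED` spelling, so a later reader cannot tell why the alternation is there. Add a one-line comment naming the backend, as the AWS-LC comment in the previous hunk does. The assertion still requires a verification-failure message in either form, so the check itself is not weakened.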
@@ -0,0 +1,31 @@
From 226ae828c5cc2c87245417e9a372b9403c91a54c Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Tue, 4 Jun 2024 16:35:06 -0700
Subject: [PATCH] Fix wrong certificate version

OpenSSL::X509::Certificate#version= calls X509_set_version, and
that sets the version stored in the certificate. However, the
version stored in certificate is one less than the actual
certificate version (https://www.openssl.org/docs/manmaster/man3/X509_set_version.html).
There are no version 4 certificates, and when using recent LibreSSL,
drb ssl tests all fail without this change.
---
lib/drb/ssl.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/drb/ssl.rb b/lib/drb/ssl.rb
index 392d656..4e4d992 100644
--- a/lib/drb/ssl.rb
+++ b/lib/drb/ssl.rb
@@ -185,7 +185,7 @@ module DRb
}

cert = OpenSSL::X509::Certificate.new
- cert.version = 3
+ cert.version = 2
cert.serial = 0
name = OpenSSL::X509::Name.new(self[:SSLCertName])
cert.subject = name
--
2.25.1
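Review bot: `cert.version = 2` in lib/drb/ssl.rb reads like a downgrade to a v2 certificate unless the reader has seen the commit message. Put the explanation on the line itself, for example a comment that the stored value is one less than the certificate version so 2 means X.509 v3, so the value is not changed back to 3 later.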

23 changes: 17 additions & 6 deletions tests/ci/integration/run_ruby_integration.sh
Expand Up @@ -25,6 +25,8 @@ FIPS=${FIPS:-"0"}
SCRATCH_FOLDER="${SRC_ROOT}/RUBY_BUILD_ROOT"
RUBY_SRC_FOLDER="${SCRATCH_FOLDER}/ruby-src"
RUBY_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch"
RUBY_BACKPORT_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_release_backport"
RUBY_COMMON_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_patch_common"
AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
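Review bot: `RUBY_BACKPORT_FOLDER` and `RUBY_COMMON_FOLDER` spell out `${SRC_ROOT}/tests/ci/integration/ruby_patch` again instead of building on `RUBY_PATCH_FOLDER`, defined on the line above them. Deriving them, e.g. `RUBY_COMMON_FOLDER="${RUBY_PATCH_FOLDER}/ruby_patch_common"`, keeps the three paths from drifting apart if the patch directory moves.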

Expand All @@ -45,26 +47,35 @@ function ruby_build() {
ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libssl.so" || exit 1

#TODO: add more relevant tests here
make test-all TESTS="test/openssl/*.rb"
make test-all TESTS="test/drb/*ssl*.rb"
make test-all TESTS="test/rubygems/test*.rb"

popd
}

function ruby_patch() {
local branch=${1}
local src_dir="${RUBY_SRC_FOLDER}/${branch}"
local patch_dir="${RUBY_PATCH_FOLDER}/${branch}"
if [[ ! $(find -L ${patch_dir} -type f -name '*.patch') ]]; then
local patch_dirs=("${RUBY_PATCH_FOLDER}/${branch}" "${RUBY_COMMON_FOLDER}")
if [[ ! $(find -L ${patch_dirs[0]} -type f -name '*.patch') ]]; then
echo "No patch for ${branch}!"
exit 1
fi
git clone https://github.com/ruby/ruby.git ${src_dir} \
--depth 1 \
--branch ${branch}
for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
echo "Apply patch ${patchfile}..."
cat ${patchfile} | patch -p1 --quiet -d ${src_dir}

# Add directory of backport patches if branch is not master.
if [[ "${branch}" != "master" ]]; then
patch_dirs+=("${RUBY_BACKPORT_FOLDER}")
fi

for patch_dir in "${patch_dirs[@]}"; do
for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
echo "Apply patch ${patchfile}..."
cat ${patchfile} | patch -p1 --quiet -d ${src_dir}
done
done
}
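Review bot: In the nested loop in ruby_patch, the result of `patch -p1 --quiet -d ${src_dir}` is not checked, so unless the script runs under `set -e` (not visible in this hunk) a patch that fails to apply lets the build and tests continue against a partly patched tree. Add `|| exit 1`, as the `ldd ... | grep` checks in ruby_build do. Two smaller points: the "No patch" guard now inspects only `patch_dirs[0]`, so a missing common or backport directory is not reported, and `$(find -L ${patch_dir} ...)` is unquoted and unsorted, which makes the apply order depend on directory listing order; piping through `sort` and quoting the expansions would make runs reproducible.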
