An OpenSSL function sometimes puts more than one error entry into the
thread-local OpenSSL error queue. Currently, we use the highest-level
entry for generating the exception message and discard the rest.
Let ossl_make_error() capture all current OpenSSL error queue contents
into OpenSSL::OpenSSLError#errors and extend
OpenSSL::OpenSSLError#detailed_message to include the information.
An example:
  $ ruby -Ilib -ropenssl -e'OpenSSL::X509::ExtensionFactory.new.create_ext("a", "b")'
  -e:1:in 'OpenSSL::X509::ExtensionFactory#create_ext': a = b: error in extension (name=a, value=b) (OpenSSL::X509::ExtensionError)
  OpenSSL error queue reported 2 errors:
  error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name
  error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension (name=a, value=b)
  from -e:1:in '<main>'
https://github.com/ruby/openssl/commit/d28f7a9a13
|
|
Use OpenSSL::TestCase instead of OpenSSL::SSLTestCase.
Prefer assert_true and assert_false over the bare assert and refute.
OpenSSL.fixed_length_secure_compare and OpenSSL.secure_compare will
only return true or false, and it should be checked.
https://github.com/ruby/openssl/commit/3d9938ed40
|
|
Update GitHub Actions workflows to set OSSL_TEST_ALL=1.
Exclude a few slow tests that are not critical for local development,
unless OSSL_TEST_ALL=1 is set. The bindings code paths are still reached
by other tests with smaller inputs, and failures in those would likely
indicate an issue in OpenSSL rather than in the bindings.
Newly excluded tests include generating large DSA keys and measuring
CRYPTO_memcmp() timing. These tests currently take nearly half of the
total runtime.
https://github.com/ruby/openssl/commit/382eca2aec
|
|
The benchmark library is planned to become a bundled gem in Ruby 3.5.
While we can add it in our Gemfile, it is only used in
test_memcmp_timing and the usage can be easily replaced with a few
Process.clock_gettime calls.
https://github.com/ruby/openssl/commit/9a746ed1a4
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/11490
|
|
The test case test_error_data utilizes the error message generated by
X509V3_EXT_nconf_nid(). The next commit will use X509V3_EXT_nconf(),
which generates a slightly different error message. Let's adapt the
check to it.
https://github.com/ruby/openssl/commit/9cdfa3a4d1
|
|
Error entries in the OpenSSL error queue may contain additional
contextual information associated with the error, which can be helpful
when debugging.
This "additional data" is currently only printed to stderr when
OpenSSL.debug is enabled. Let's include this in the exception messages
raised with ossl_raise(), too.
  $ ruby -Ilib -ropenssl -e'OpenSSL.debug=true; OpenSSL::SSL::SSLContext.new.ecdh_curves="P-256:not-a-curve"'
  -e:1: warning: error on stack: error:0A080106:SSL routines:gid_cb:passed invalid argument (group 'not-a-curve' cannot be set)
  -e:1:in `ecdh_curves=': passed invalid argument (group 'not-a-curve' cannot be set) (OpenSSL::SSL::SSLError)
  from -e:1:in `<main>'
https://github.com/ruby/openssl/commit/1c5bbdd68e
|
|
https://github.com/ruby/openssl/commit/b28fb2f05c
|
|
The test was too fragile. Actually, it fails on one of our CIs
immediately after it was merged to ruby/ruby.
https://gist.github.com/ko1/7ea4a5826641f79e2f9e041d83e45dba#file-brlog-trunk_clang_40-20200216-101730-L532-L535
https://gist.github.com/ko1/1c657746092b871359d8bf9e0ad28921#file-brlog-trunk-test4-20200216-104518-L473-L476
* Two measurements, a-b and a-c, must be iterative instead of
  sequential; the execution time will be easily affected by disturbance
  (say, a cron job or some external process invoked during measurement)
* The comparison of the two results must be relative instead of
  absolute; a slow machine may take several tens of seconds for each
  execution, and one delta second is too small. The test cases of a, b,
  and c are very extreme, so if the target method has a bug, the two
  execution times would be very different. So I think it is enough to
  check if the difference is less than 10 times.
This change is the same as https://github.com/ruby/openssl/pull/332
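
The two points in the commit message above (alternate the a-b and a-c measurements, compare the totals by ratio instead of by absolute delta), combined with the Process.clock_gettime replacement for benchmark described further up the page, as an added Ruby example that is not the project's test code. All method names are hypothetical, the inputs are constructed, and ct_equal is a pure-Ruby stand-in for OpenSSL.fixed_length_secure_compare.

```ruby
# Added example, not ruby/openssl test code; all names are hypothetical.

# Pure-Ruby stand-in for OpenSSL.fixed_length_secure_compare: always scans
# every byte, so the position of the first mismatch does not change the work.
def ct_equal(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytesize.times { |i| diff |= a.getbyte(i) ^ b.getbyte(i) }
  diff.zero?
end

# Early-exit comparison: run time depends on where the first mismatch is.
def leaky_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytesize.times { |i| return false if a.getbyte(i) != b.getbyte(i) }
  true
end

def clock
  Process.clock_gettime(Process::CLOCK_MONOTONIC)
end

# Alternate the a-b and a-c measurements inside one loop so a disturbance
# (cron job, other process) lands on both totals instead of only one.
def measure_interleaved(cmp, a, b, c, rounds: 50)
  t_ab = t_ac = 0.0
  rounds.times do
    t0 = clock; cmp.call(a, b)
    t1 = clock; cmp.call(a, c)
    t2 = clock
    t_ab += t1 - t0
    t_ac += t2 - t1
  end
  [t_ab, t_ac]
end

# Relative check: neither total may be `factor` times the other or more.
def within_ratio?(t1, t2, factor = 10)
  t1 < t2 * factor && t2 < t1 * factor
end

# Constructed extreme inputs: B differs from A in the first byte, C in the last.
A = "x" * 20_000
B = "y" + "x" * 19_999
C = "x" * 19_999 + "y"

def timing_safe?(cmp, rounds: 50)
  within_ratio?(*measure_interleaved(cmp, A, B, C, rounds: rounds))
end
```

With the openssl gem loaded, `timing_safe?(OpenSSL.method(:fixed_length_secure_compare))` applies the same check to the real binding.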
|
|
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
Notes:
Merged-By: hsbt <hsbt@ruby-lang.org>
|