From ce7aa23f97273fa181be26aec33d3c6998e203c5 Mon Sep 17 00:00:00 2001
From: Bo Anderson
Date: Thu, 9 Oct 2025 04:24:27 +0100
Subject: Update openssl gem to 3.2.2
---
 test/openssl/test_asn1.rb | 17 +++++---
 test/openssl/test_bn.rb | 48 ++++++++++++---------
 test/openssl/test_cipher.rb | 40 +++++++++++++++++
 test/openssl/test_ossl.rb | 12 ++++--
 test/openssl/test_pkcs7.rb | 15 +++++++
 test/openssl/test_pkey_dsa.rb | 6 +++
 test/openssl/test_provider.rb | 17 +++++---
 test/openssl/test_x509cert.rb | 99 ++++++++++++++++++++++++++++++++++++-------
 8 files changed, 203 insertions(+), 51 deletions(-)
(limited to 'test/openssl')
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
index 7b1722e5df..354b587895 100644
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -326,7 +326,9 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
 oid = (0...100).to_a.join(".").b
 obj = OpenSSL::ASN1::ObjectId.new(oid)
 assert_equal oid, obj.oid
+ end
+ def test_object_identifier_equality
 aki = [
 OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier"),
 OpenSSL::ASN1::ObjectId.new("X509v3 Authority Key Identifier"),
@@ -341,17 +343,22 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
 aki.each do |a|
 aki.each do |b|
- assert a == b
+ assert_equal true, a == b
 end
 ski.each do |b|
- refute a == b
+ assert_equal false, a == b
 end
 end
- assert_raise(TypeError) {
- OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil
- }
+ obj1 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.10")
+ obj2 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.10")
+ obj3 = OpenSSL::ASN1::ObjectId.new("1.2.34.56789.11")
+ omit "OID 1.2.34.56789.10 is registered" if obj1.sn
+ assert_equal true, obj1 == obj2
+ assert_equal false, obj1 == obj3
+
+ assert_equal false, OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil
 end
 def test_sequence
diff --git a/test/openssl/test_bn.rb b/test/openssl/test_bn.rb
index ea88ff06ce..3edb69658e 100644
--- a/test/openssl/test_bn.rb
+++ b/test/openssl/test_bn.rb
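Review bot: In test/openssl/test_asn1.rb, the `omit "OID 1.2.34.56789.10 is registered" if obj1.sn` line sits above the final `== nil` assertion, so on a build where that OID is registered the nil comparison is skipped together with the unregistered-OID checks. The nil case is the behaviour this hunk changes (the removed lines expected TypeError, the new line expects false), so it should run unconditionally. Move `assert_equal false, OpenSSL::ASN1::ObjectId.new("authorityKeyIdentifier") == nil` above the `obj1 = ...` lines, or give the unregistered-OID checks their own test method. The body of test_object_identifier_equality begins in the previous hunk.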
@@ -343,28 +343,36 @@ class OpenSSL::TestBN < OpenSSL::TestCase
 assert_equal(4, e.get_flags(OpenSSL::BN::CONSTTIME))
 end
- if respond_to?(:ractor)
+ if defined?(Ractor) && respond_to?(:ractor)
+ unless Ractor.method_defined?(:value) # Ruby 3.4 or earlier
+ using Module.new {
+ refine Ractor do
+ alias value take
+ end
+ }
+ end
+
 ractor
 def test_ractor
- assert_equal(@e1, Ractor.new { OpenSSL::BN.new("999") }.take)
- assert_equal(@e3, Ractor.new { OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2) }.take)
- assert_equal("999", Ractor.new(@e1) { |e1| e1.to_s }.take)
- assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", Ractor.new(@e3) { |e3| e3.to_s(16) }.take)
- assert_equal(2**107-1, Ractor.new(@e3) { _1.to_i }.take)
- assert_equal([1000, -999], Ractor.new(@e2) { _1.coerce(1000) }.take)
- assert_equal(false, Ractor.new { 1.to_bn.zero? }.take)
- assert_equal(true, Ractor.new { 1.to_bn.one? }.take)
- assert_equal(true, Ractor.new(@e2) { _1.negative? }.take)
- assert_equal("-03E7", Ractor.new(@e2) { _1.to_s(16) }.take)
- assert_equal(2**107-1, Ractor.new(@e3) { _1.to_i }.take)
- assert_equal([1000, -999], Ractor.new(@e2) { _1.coerce(1000) }.take)
- assert_equal(true, Ractor.new { 0.to_bn.zero? }.take)
- assert_equal(true, Ractor.new { 1.to_bn.one? }.take )
- assert_equal(false,Ractor.new { 2.to_bn.odd? }.take)
- assert_equal(true, Ractor.new(@e2) { _1.negative?
}.take)
- assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.take)
- assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.take)
- assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.take)
+ assert_equal(@e1, Ractor.new { OpenSSL::BN.new("999") }.value)
+ assert_equal(@e3, Ractor.new { OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2) }.value)
+ assert_equal("999", Ractor.new(@e1) { |e1| e1.to_s }.value)
+ assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", Ractor.new(@e3) { |e3| e3.to_s(16) }.value)
+ assert_equal(2**107-1, Ractor.new(@e3) { _1.to_i }.value)
+ assert_equal([1000, -999], Ractor.new(@e2) { _1.coerce(1000) }.value)
+ assert_equal(false, Ractor.new { 1.to_bn.zero? }.value)
+ assert_equal(true, Ractor.new { 1.to_bn.one? }.value)
+ assert_equal(true, Ractor.new(@e2) { _1.negative? }.value)
+ assert_equal("-03E7", Ractor.new(@e2) { _1.to_s(16) }.value)
+ assert_equal(2**107-1, Ractor.new(@e3) { _1.to_i }.value)
+ assert_equal([1000, -999], Ractor.new(@e2) { _1.coerce(1000) }.value)
+ assert_equal(true, Ractor.new { 0.to_bn.zero? }.value)
+ assert_equal(true, Ractor.new { 1.to_bn.one? }.value )
+ assert_equal(false,Ractor.new { 2.to_bn.odd? }.value)
+ assert_equal(true, Ractor.new(@e2) { _1.negative? }.value)
+ assert_include(128..255, Ractor.new { OpenSSL::BN.rand(8)}.value)
+ assert_include(0...2**32, Ractor.new { OpenSSL::BN.generate_prime(32) }.value)
+ assert_equal(0, Ractor.new { OpenSSL::BN.new(999).get_flags(OpenSSL::BN::CONSTTIME) }.value)
 end
 end
 end
diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb
index 8faa570648..cd0b3dcb44 100644
--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
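Review bot: In test/openssl/test_bn.rb, the rewritten test_ractor keeps four assertions that are exact repeats: the `2**107-1` / `_1.to_i`, `_1.coerce(1000)`, `1.to_bn.one?` and `Ractor.new(@e2) { _1.negative? }` lines each appear twice. Each repeat starts another Ractor and covers nothing new. Since every line in the method is being rewritten from `.take` to `.value` anyway, this is a good point to drop the second copy of each.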
@@ -128,6 +128,30 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
 assert_equal pt, cipher.update(ct) << cipher.final
 end
+ def test_update_with_buffer
+ cipher = OpenSSL::Cipher.new("aes-128-ecb").encrypt
+ cipher.random_key
+ expected = cipher.update("data") << cipher.final
+ assert_equal 16, expected.bytesize
+
+ # Buffer is supplied
+ cipher.reset
+ buf = String.new
+ assert_same buf, cipher.update("data", buf)
+ assert_equal expected, buf + cipher.final
+
+ # Buffer is frozen
+ cipher.reset
+ assert_raise(FrozenError) { cipher.update("data", String.new.freeze) }
+
+ # Buffer is a shared string [ruby-core:120141] [Bug #20937]
+ cipher.reset
+ buf = "x" * 1024
+ shared = buf[-("data".bytesize + 32)..-1]
+ assert_same shared, cipher.update("data", shared)
+ assert_equal expected, shared + cipher.final
+ end
+
 def test_ciphers
 ciphers = OpenSSL::Cipher.ciphers
 assert_kind_of Array, ciphers
@@ -331,6 +355,22 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
 assert_equal tag1, tag2
 end
+ def test_aes_keywrap_pad
+ # RFC 5649 Section 6; The second example
+ kek = ["5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8"].pack("H*")
+ key = ["466f7250617369"].pack("H*")
+ wrap = ["afbeb0f07dfbf5419200f2ccb50bb24f"].pack("H*")
+
+ begin
+ cipher = OpenSSL::Cipher.new("id-aes192-wrap-pad").encrypt
+ rescue OpenSSL::Cipher::CipherError, RuntimeError
+ omit "id-aes192-wrap-pad is not supported: #$!"
+ end
+ cipher.key = kek
+ ct = cipher.update(key) << cipher.final
+ assert_equal wrap, ct
+ end
+
 def test_non_aead_cipher_set_auth_data
 assert_raise(OpenSSL::Cipher::CipherError) {
 cipher = OpenSSL::Cipher.new("aes-128-cfb").encrypt
diff --git a/test/openssl/test_ossl.rb b/test/openssl/test_ossl.rb
index 979669a003..9f4b39d4f5 100644
--- a/test/openssl/test_ossl.rb
+++ b/test/openssl/test_ossl.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 require_relative "utils"
-require 'benchmark'
-
 if defined?(OpenSSL)
 class OpenSSL::OSSL < OpenSSL::SSLTestCase
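Review bot: In test_update_with_buffer (test/openssl/test_cipher.rb), the shared-string case checks only that `shared` receives the ciphertext and never checks that the parent string `buf` is left untouched. The comment points at a shared-string bug; if that bug involved the write reaching the backing storage (not shown in this hunk), the property worth pinning is on the parent. Add `assert_equal "x" * 1024, buf` after the `assert_same shared, cipher.update("data", shared)` line so a write through to the original string fails the test.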
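Review bot: test_aes_keywrap_pad (test/openssl/test_cipher.rb) exercises only the wrapping direction, so the unwrap path, which is where the key-wrap integrity check is applied, has no coverage from this vector. Assuming decrypt is available wherever encrypt is, add the inverse: `decipher = OpenSSL::Cipher.new("id-aes192-wrap-pad").decrypt`, `decipher.key = kek`, `assert_equal key, decipher.update(wrap) << decipher.final`. Separately, rescuing `RuntimeError` and reporting it through `#$!` turns any RuntimeError raised by `Cipher.new` into an omit. Binding the exception with `=> e` and keeping the rescue as narrow as the supported OpenSSL versions allow would stop an unrelated failure from being reported as "not supported".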
@@ -54,8 +52,14 @@ class OpenSSL::OSSL < OpenSSL::SSLTestCase
 a_b_time = a_c_time = 0
 100.times do
- a_b_time += Benchmark.measure { 100.times { OpenSSL.fixed_length_secure_compare(a, b) } }.real
- a_c_time += Benchmark.measure { 100.times { OpenSSL.fixed_length_secure_compare(a, c) } }.real
+ t1 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+ 100.times { OpenSSL.fixed_length_secure_compare(a, b) }
+ t2 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+ 100.times { OpenSSL.fixed_length_secure_compare(a, c) }
+ t3 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+ a_b_time += t2 - t1
+ a_c_time += t3 - t2
 end
 assert_operator(a_b_time, :<, a_c_time * 10, "fixed_length_secure_compare timing test failed")
 assert_operator(a_c_time, :<, a_b_time * 10, "fixed_length_secure_compare timing test failed")
diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
index ba8b93d034..96f3f1f6be 100644
--- a/test/openssl/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@@ -155,6 +155,21 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
 assert_equal(data, p7.decrypt(@rsa1024))
 end
+ def test_empty_signed_data_ruby_bug_19974
+ data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
+ assert_raise(ArgumentError) { OpenSSL::PKCS7.new(data) }
+
+ data = <
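Review bot: In test/openssl/test_ossl.rb, the rewritten measurement block has no comment saying what the timing comparison can and cannot show. With the factor-of-10 tolerance in the two `assert_operator` lines that follow, it only catches a gross early-exit regression in fixed_length_secure_compare, not a small data-dependent difference. A comment above the `100.times do` loop would make that explicit, e.g. `# Coarse smoke test: only detects order-of-magnitude timing differences, not subtle leaks`. The enclosing test method starts above this hunk.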