Handle empty signed data in PKCS7

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'

.github/workflows/test.yml

@@ -3,19 +3,36 @@ name: CI
 on: [push, pull_request]
 
 jobs:
+  ruby-versions:
+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
+    with:
+      engine: cruby-truffleruby
+      min_version: 2.7
   test:
+    needs: ruby-versions
     name: >-
       ${{ matrix.os }} ${{ matrix.ruby }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        # ubuntu-latest is 22.04, uses OpenSSL 3
-        os: [ ubuntu-20.04, macos-latest ]
-        ruby: [ head, "3.0", "2.7", "2.6" ]
+        # ubuntu-22.04 uses OpenSSL 3.0, ubuntu-20.04 uses OpenSSL 1.1.1
+        os: [ ubuntu-22.04, ubuntu-20.04, macos-latest, windows-latest ]
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        exclude:
+          # uses non-standard MSYS2 OpenSSL 3 package
+          - { os: windows-latest, ruby: head }
+          - { os: windows-latest, ruby: truffleruby }
+          - { os: windows-latest, ruby: truffleruby-head }
+          - { os: macos-latest,   ruby: truffleruby }
+          - { os: ubuntu-20.04,   ruby: truffleruby }
+        include:
+          - { os: windows-latest, ruby: ucrt }
+          - { os: windows-latest, ruby: mswin }
+
     steps:
       - name: repo checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: load ruby
         uses: ruby/setup-ruby@v1
@@ -25,75 +42,82 @@ jobs:
       - name: depends
         run:  bundle install
 
-      - name: compile
-        run:  rake compile -- --enable-debug
+      # Enable the verbose option in mkmf.rb to print the compiling commands.
+      - name: enable mkmf verbose
+        run:  echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
+        if: runner.os == 'Linux' || runner.os == 'macOS'
 
-      - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+      - name: set flags to check compiler warnings.
+        run:  echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
+        if: ${{ !matrix.skip-warnings }}
 
-  test-windows:
-    name: >-
-      ${{ matrix.os }} ${{ matrix.ruby }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ windows-latest ]
-        # current mswin build uses OpenSSL 3
-        ruby: [ mingw, "3.0", "2.7", "2.6" ]
-    steps:
-      - name: repo checkout
-        uses: actions/checkout@v3
+      # Enable provider search path for OpenSSL 3.0 in MSYS2.
+      # Remove when Ruby 3.2 build is updated
+      - name: enable windows provider search path
+        run: echo "OPENSSL_MODULES=$($env:RI_DEVKIT)\$($env:MSYSTEM_PREFIX)\lib\ossl-modules" >> $env:GITHUB_ENV
+        if: runner.os == 'Windows' && matrix.ruby == '3.2'
 
-      - name: load ruby, install/update gcc, install openssl
-        uses: MSP-Greg/setup-ruby-pkgs@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          mingw: _upgrade_ openssl
-
-      - name: depends
-        run:  bundle install
-
-      # pkg-config is disabled because it can pick up the different OpenSSL installation
-      # SSL_DIR is set as needed by MSP-Greg/setup-ruby-pkgs
-      # only used with mswin
       - name: compile
-        run:  rake compile -- --enable-debug --without-pkg-config $env:SSL_DIR
+        run:  rake compile
 
       - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+        run:  rake test TESTOPTS="-v --no-show-detail-immediately"
+        timeout-minutes: 5
 
   test-openssls:
     name: >-
-      ${{ matrix.openssl }}
+      ${{ matrix.openssl }} ${{ matrix.name-extra || '' }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ ubuntu-latest ]
         ruby: [ "3.0" ]
         openssl:
+          # https://www.openssl.org/source/
           - openssl-1.0.2u # EOL
           - openssl-1.1.0l # EOL
-          - openssl-1.1.1l
-          - openssl-3.0.1
+          - openssl-1.1.1w # EOL
+          - openssl-3.0.12
+          - openssl-3.1.4
+          # http://www.libressl.org/releases.html
           - libressl-3.1.5 # EOL
-          - libressl-3.2.6
-          - libressl-3.3.4
+          - libressl-3.2.7 # EOL
+          - libressl-3.3.6 # EOL
+          - libressl-3.4.3 # EOL
+          - libressl-3.5.3 # EOL
+          - libressl-3.6.3
+          - libressl-3.7.3
+          - libressl-3.8.1 # Development release
+        fips-enabled: [ false ]
+        include:
+          - { os: ubuntu-latest, ruby: "3.0", openssl: openssl-3.0.12, fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
+          - { os: ubuntu-latest, ruby: "3.0", openssl: openssl-3.1.4, fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
+          - { os: ubuntu-latest, ruby: "3.0", openssl: openssl-head, git: 'git://git.openssl.org/openssl.git', branch: 'master' }
+          - { os: ubuntu-latest, ruby: "3.0", openssl: openssl-head, git: 'git://git.openssl.org/openssl.git', branch: 'master', fips-enabled: true, append-configure: 'enable-fips', name-extra: 'fips' }
     steps:
       - name: repo checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: prepare openssl
         run: |
+          # Enable Bash debugging option temporarily for debugging use.
+          set -x
           mkdir -p tmp/build-openssl && cd tmp/build-openssl
           case ${{ matrix.openssl }} in
           openssl-*)
-            curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
-            tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
+            if [ -z "${{ matrix.git }}" ]; then
+              curl -OL https://ftp.openssl.org/source/${{ matrix.openssl }}.tar.gz
+              tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
+            else
+              git clone -b ${{ matrix.branch }} --depth 1 ${{ matrix.git }} ${{ matrix.openssl }}
+              cd ${{ matrix.openssl }}
+              # Log the commit hash.
+              echo "Git commit: $(git rev-parse HEAD)"
+            fi
             # shared is required for 1.0.x.
             ./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
-                shared linux-x86_64
+                shared linux-x86_64 ${{ matrix.append-configure }}
             make depend
             ;;
           libressl-*)
@@ -108,6 +132,22 @@ jobs:
           make -j4
           make install_sw
 
+      - name: prepare openssl fips
+        run: make install_fips
+        working-directory: tmp/build-openssl/${{ matrix.openssl }}
+        if: matrix.fips-enabled
+
+      - name: set the open installed directory
+        run: >
+          sed -e "s|OPENSSL_DIR|$HOME/.openssl/${{ matrix.openssl }}|"
+          test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl >
+          test/openssl/fixtures/ssl/openssl_fips.cnf
+        if: matrix.fips-enabled
+
+      - name: set openssl config file path for fips.
+        run: echo "OPENSSL_CONF=$(pwd)/test/openssl/fixtures/ssl/openssl_fips.cnf" >> $GITHUB_ENV
+        if: matrix.fips-enabled
+
       - name: load ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -116,8 +156,25 @@ jobs:
       - name: depends
         run:  bundle install
 
+      - name: enable mkmf verbose
+        run:  echo "MAKEFLAGS=V=1" >> $GITHUB_ENV
+        if: runner.os == 'Linux' || runner.os == 'macOS'
+
+      - name: set flags to check compiler warnings.
+        run:  echo "RUBY_OPENSSL_EXTCFLAGS=-Werror" >> $GITHUB_ENV
+        if: ${{ !matrix.skip-warnings }}
+
       - name: compile
-        run:  rake compile -- --enable-debug --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
+        run:  rake compile -- --with-openssl-dir=$HOME/.openssl/${{ matrix.openssl }}
 
       - name: test
-        run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
+        run:  rake test TESTOPTS="-v --no-show-detail-immediately"
+        timeout-minutes: 5
+        if: ${{ !matrix.fips-enabled }}
+
+      # Run only the passing tests on the FIPS module as a temporary workaround.
+      # TODO Fix other tests, and run all the tests on FIPS module.
+      - name: test on fips module
+        run:  |
+          rake test_fips TESTOPTS="-v --no-show-detail-immediately"
+        if: matrix.fips-enabled

CONTRIBUTING.md

@@ -17,7 +17,7 @@ When reporting a bug, please make sure you include:
 * Ruby version (`ruby -v`)
 * `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
 * OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
-* A sample file that illustrates the problem or link to the repository or 
+* A sample file that illustrates the problem or link to the repository or
   gem that is associated with the bug.
 
 There are a number of unresolved issues and feature requests for openssl that

Gemfile

@@ -2,7 +2,11 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rake"
-gem "rake-compiler"
-gem "test-unit", "~> 3.0", ">= 3.4.6"
-gem "rdoc"
+group :development do
+  gem "rake"
+  gem "rake-compiler"
+  gem "test-unit", "~> 3.0", ">= 3.4.6"
+  gem "test-unit-ruby-core"
+  # In the case of Ruby whose rdoc is not a default gem.
+  gem "rdoc"
+end

History.md

@@ -1,3 +1,79 @@
+Version 3.2.0
+=============
+
+Compatibility
+-------------
+
+* Ruby >= 2.7
+  - Support for Ruby 2.6 has been removed. Note that Ruby 2.6 reached the
+    end-of-life in 2022-04.
+    [[GitHub #639]](https://github.com/ruby/openssl/pull/639)
+* OpenSSL >= 1.0.2 or LibreSSL >= 3.1
+
+Notable changes
+---------------
+
+* Add a stub gemspec for JRuby, which depends on the `jruby-openssl` gem.
+  [[GitHub #598]](https://github.com/ruby/openssl/pull/598)
+* Add support for the FIPS module in OpenSSL 3.0/3.1.
+  [[GitHub #608]](https://github.com/ruby/openssl/pull/608)
+* Rework `OpenSSL::PKey` routines for loading DER or PEM encoded keys for better
+  compatibility with OpenSSL 3.0/3.1 with the FIPS module.
+  [[GitHub #615]](https://github.com/ruby/openssl/pull/615)
+  [[GitHub #669]](https://github.com/ruby/openssl/pull/669)
+* Add `OpenSSL::Provider` module for loading and unloading OpenSSL 3 providers.
+  [[GitHub #635]](https://github.com/ruby/openssl/pull/635)
+* Add `OpenSSL::PKey.new_raw_private_key`, `.new_raw_public_key`,
+  `OpenSSL::PKey::PKey#raw_private_key`, and `#raw_public_key` for public key
+  algorithms that use "raw private/public key", such as X25519 and Ed25519.
+  [[GitHub #646]](https://github.com/ruby/openssl/pull/646)
+* Improve OpenSSL error messages to include additional information when
+  it is available in OpenSSL's error queue.
+  [[GitHub #648]](https://github.com/ruby/openssl/pull/648)
+* Change `OpenSSL::SSL::SSLContext#ca_file=` and `#ca_path=` to raise
+  `OpenSSL::SSL::SSLError` instead of printing a warning message.
+  [[GitHub #659]](https://github.com/ruby/openssl/pull/659)
+* Allow `OpenSSL::X509::ExtensionFactory#create_extension` to take OIDs in the
+  dotted-decimal notation.
+  [[GitHub #141]](https://github.com/ruby/openssl/pull/141)
+
+
+Version 3.1.0
+=============
+
+Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
+
+Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
+
+Notable changes
+---------------
+
+* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
+  suites.
+  [[GitHub #493]](https://github.com/ruby/openssl/pull/493)
+* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
+  material of the session, as defined in RFC 5705.
+  [[GitHub #530]](https://github.com/ruby/openssl/pull/530)
+* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
+  callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
+  [[GitHub #536]](https://github.com/ruby/openssl/pull/536)
+* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
+  and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
+  methods used to be equivalent of specifying SHA-1. This default value is now
+  removed and we will let the underlying OpenSSL library decide instead.
+  [[GitHub #507]](https://github.com/ruby/openssl/pull/507)
+* Add `OpenSSL::BN#mod_sqrt`.
+  [[GitHub #553]](https://github.com/ruby/openssl/pull/553)
+* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
+  prohibited to workaround an ancient bug in OpenSSL.
+  [[GitHub #568]](https://github.com/ruby/openssl/pull/568)
+* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
+  will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
+  [[GitHub #558]](https://github.com/ruby/openssl/pull/558)
+* Improve support for recent LibreSSL versions. This includes HKDF support in
+  LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
+
+
 Version 3.0.2
 =============