openssl 2.0.3 → 2.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4b5c2c4a14f27e6858cebe68afb2dce427cdd09b
-  data.tar.gz: c48f466785193b49bad39a5202baff609f5281ae
+  metadata.gz: 7038b25fd54bd0c3d69ac67508d48f28e755abda
+  data.tar.gz: 93d386d03cf4ef0639cf0278d2e048dd0ed7b5dc
 SHA512:
-  metadata.gz: 26e2de68a408824800206e610c0471f3f81d714d322b31cc0bf099792ca3963faff5a792286cf20919ac7fd11ed571194a91d38159a43d1b604ef0c5d7f28654
-  data.tar.gz: d962aca16f966b6679ab396b29998108193d98a6f0dad770c4c2b22b91fc24aee1bc75a698bcdc13e8e1aa5f2854b391e94f4a5fad6e97178aad24710a0d1632
+  metadata.gz: c1898849090209058a85e5fe2478dec5eb286dfadbd183d53197eb3fa856bb21a1232fafc2b66250676b552aaa43775f7eec5fa26634c559ebe888a2ea97f38b
+  data.tar.gz: 5ee71162da1ff99aed88c3aab1acbed70c6e6686cd8c163f908eb743cbc31c33283cb4577aa9945207d8cc950963f1497e038b443b6d69ce248d150036505eb1

data/History.md

@@ -1,3 +1,50 @@
+Version 2.0.4
+=============
+
+Bug fixes
+---------
+
+* It now compiles with LibreSSL without renaming on Windows (mswin).
+* A workaround for the error queue leak of X509_load_cert_crl_file() that
+  causes random errors is added.
+  [[Bug #11033]](https://bugs.ruby-lang.org/issues/11033)
+
+
+Version 2.0.3
+=============
+
+Bug fixes
+---------
+
+* OpenSSL::ASN1::Constructive#each which was broken by 2.0.0 is fixed.
+  [[ruby/openssl#96]](https://github.com/ruby/openssl/pull/96)
+* Fixed build with static OpenSSL libraries on Windows.
+  [[Bug #13080]](https://bugs.ruby-lang.org/issues/13080)
+* OpenSSL::X509::Name#eql? which was broken by 2.0.0 is fixed.
+
+
+Version 2.0.2
+=============
+
+Bug fixes
+---------
+
+* Fix build with early 0.9.8 series which did not have SSL_CTX_clear_options().
+  [ruby-core:78693]
+
+
+Version 2.0.1
+=============
+
+Bug fixes
+---------
+
+* A GC issue around OpenSSL::BN is fixed.
+  [[ruby/openssl#87]](https://github.com/ruby/openssl/issues/87)
+* OpenSSL::ASN1 now parses BER encoding of GeneralizedTime without seconds.
+  [[ruby/openssl#88]](https://github.com/ruby/openssl/pull/88)
+
+
 Version 2.0.0
 =============
 
@@ -23,7 +70,8 @@ Supported platforms
 Notable changes
 ---------------
 
-* Add support for OpenSSL 1.1.0. [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
+* Add support for OpenSSL 1.1.0.
+  [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
 * Add support for LibreSSL
 
 * OpenSSL::Cipher

data/ext/openssl/deprecation.rb

@@ -3,7 +3,7 @@ module OpenSSL
   def self.deprecated_warning_flag
     unless flag = (@deprecated_warning_flag ||= nil)
       if try_compile("", flag = "-Werror=deprecated-declarations")
-        if with_config("broken-apple-openssl")
+        if /darwin/ =~ RUBY_PLATFORM and with_config("broken-apple-openssl")
           flag = "-Wno-deprecated-declarations"
         end
         $warnflags << " #{flag}"

data/ext/openssl/extconf.rb

@@ -36,17 +36,59 @@ have_library("socket", "socket")
 
 Logging::message "=== Checking for required stuff... ===\n"
 result = pkg_config("openssl") && have_header("openssl/ssl.h")
-unless result
+
+def find_openssl_library
   if $mswin || $mingw
     # required for static OpenSSL libraries
     have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen())
     have_library("crypt32")
   end
 
-  result = have_header("openssl/ssl.h")
-  result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "CRYPTO_malloc")}
-  result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_new")}
-  unless result
+  return false unless have_header("openssl/ssl.h")
+
+  ret = have_library("crypto", "CRYPTO_malloc") &&
+    have_library("ssl", "SSL_new")
+  return ret if ret
+
+  if $mswin
+    # OpenSSL >= 1.1.0: libcrypto.lib and libssl.lib.
+    if have_library("libcrypto", "CRYPTO_malloc") &&
+        have_library("libssl", "SSL_new")
+      return true
+    end
+
+    # OpenSSL <= 1.0.2: libeay32.lib and ssleay32.lib.
+    if have_library("libeay32", "CRYPTO_malloc") &&
+        have_library("ssleay32", "SSL_new")
+      return true
+    end
+
+    # LibreSSL: libcrypto-##.lib and libssl-##.lib, where ## is the ABI version
+    # number. We have to find the version number out by scanning libpath.
+    libpath = $LIBPATH.dup
+    libpath |= ENV["LIB"].split(File::PATH_SEPARATOR)
+    libpath.map! { |d| d.tr(File::ALT_SEPARATOR, File::SEPARATOR) }
+
+    ret = [
+      ["crypto", "CRYPTO_malloc"],
+      ["ssl", "SSL_new"]
+    ].all? do |base, func|
+      result = false
+      libs = ["lib#{base}-[0-9][0-9]", "lib#{base}-[0-9][0-9][0-9]"]
+      libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq
+      libs.each do |lib|
+        result = have_library(lib, func)
+        break if result
+      end
+      result
+    end
+    return ret if ret
+  end
+  return false
+end
+
+unless result
+  unless find_openssl_library
     Logging::message "=== Checking for required stuff failed. ===\n"
     Logging::message "Makefile wasn't created. Fix the errors above.\n"
     exit 1
@@ -60,7 +102,7 @@ unless result
   raise "OpenSSL 0.9.8 or later required."
 end
 
-unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
+if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
   raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')"
 end
 

data/ext/openssl/ossl_bn.c

@@ -129,7 +129,7 @@ try_convert_to_bn(VALUE obj)
     if (rb_obj_is_kind_of(obj, cBN))
 	return obj;
     if (RB_INTEGER_TYPE_P(obj)) {
-	newobj = NewBN(cBN); /* Handle potencial mem leaks */
+	newobj = NewBN(cBN); /* Handle potential mem leaks */
 	bn = integer_to_bnptr(obj, NULL);
 	SetBN(newobj, bn);
     }

data/ext/openssl/ossl_cipher.c

@@ -23,7 +23,7 @@
 #define GetCipher(obj, ctx) do { \
     GetCipherInit((obj), (ctx)); \
     if (!(ctx)) { \
-	ossl_raise(rb_eRuntimeError, "Cipher not inititalized!"); \
+	ossl_raise(rb_eRuntimeError, "Cipher not initialized!"); \
     } \
 } while (0)
 #define SafeGetCipher(obj, ctx) do { \
@@ -122,7 +122,7 @@ ossl_cipher_initialize(VALUE self, VALUE str)
     name = StringValueCStr(str);
     GetCipherInit(self, ctx);
     if (ctx) {
-	ossl_raise(rb_eRuntimeError, "Cipher already inititalized!");
+	ossl_raise(rb_eRuntimeError, "Cipher already initialized!");
     }
     AllocCipher(self, ctx);
     if (!(cipher = EVP_get_cipherbyname(name))) {
@@ -418,7 +418,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
  *  Returns the remaining data held in the cipher object. Further calls to
  *  Cipher#update or Cipher#final will return garbage. This call should always
  *  be made as the last call of an encryption or decryption operation, after
- *  after having fed the entire plaintext or ciphertext to the Cipher instance.
+ *  having fed the entire plaintext or ciphertext to the Cipher instance.
  *
  *  If an authenticated cipher was used, a CipherError is raised if the tag
  *  could not be authenticated successfully. Only call this method after
@@ -1023,7 +1023,7 @@ Init_ossl_cipher(void)
      * An example using the GCM (Galois/Counter Mode). You have 16 bytes +key+,
      * 12 bytes (96 bits) +nonce+ and the associated data +auth_data+. Be sure
      * not to reuse the +key+ and +nonce+ pair. Reusing an nonce ruins the
-     * security gurantees of GCM mode.
+     * security guarantees of GCM mode.
      *
      *   cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
      *   cipher.key = key

data/ext/openssl/ossl_ns_spki.c

@@ -322,7 +322,7 @@ ossl_spki_verify(VALUE self, VALUE key)
 
 /* Document-class: OpenSSL::Netscape::SPKI
  *
- * A Simple Public Key Infrastructure implementation (pronounced "spookey").
+ * A Simple Public Key Infrastructure implementation (pronounced "spooky").
  * The structure is defined as
  *   PublicKeyAndChallenge ::= SEQUENCE {
  *     spki SubjectPublicKeyInfo,
@@ -348,7 +348,7 @@ ossl_spki_verify(VALUE self, VALUE key)
  *   spki.public_key = key.public_key
  *   spki.sign(key, OpenSSL::Digest::SHA256.new)
  *   #send a request containing this to a server generating a certificate
- * === Verifiying an SPKI request
+ * === Verifying an SPKI request
  *   request = #...
  *   spki = OpenSSL::Netscape::SPKI.new request
  *   unless spki.verify(spki.public_key)

data/ext/openssl/ossl_pkey_ec.c

@@ -296,7 +296,7 @@ ossl_ec_key_get_group(VALUE self)
  *   key.group = group
  *
  * Sets the EC::Group for the key. The group structure is internally copied so
- * modifition to +group+ after assigning to a key has no effect on the key.
+ * modification to +group+ after assigning to a key has no effect on the key.
  */
 static VALUE
 ossl_ec_key_set_group(VALUE self, VALUE group_v)
@@ -1597,11 +1597,11 @@ ossl_ec_point_to_bn(int argc, VALUE *argv, VALUE self)
  * Performs elliptic curve point multiplication.
  *
  * The first form calculates <tt>bn1 * point + bn2 * G</tt>, where +G+ is the
- * generator of the group of +point+. +bn2+ may be ommitted, and in that case,
+ * generator of the group of +point+. +bn2+ may be omitted, and in that case,
  * the result is just <tt>bn1 * point</tt>.
  *
  * The second form calculates <tt>bns[0] * point + bns[1] * points[0] + ...
- * + bns[-1] * points[-1] + bn2 * G</tt>. +bn2+ may be ommitted. +bns+ must be
+ * + bns[-1] * points[-1] + bn2 * G</tt>. +bn2+ may be omitted. +bns+ must be
  * an array of OpenSSL::BN. +points+ must be an array of
  * OpenSSL::PKey::EC::Point. Please note that <tt>points[0]</tt> is not
  * multiplied by <tt>bns[0]</tt>, but <tt>bns[1]</tt>.

data/ext/openssl/ossl_pkey_rsa.c

@@ -706,7 +706,7 @@ Init_ossl_rsa(void)
     /* Document-class: OpenSSL::PKey::RSA
      *
      * RSA is an asymmetric public key algorithm that has been formalized in
-     * RFC 3447. It is in widespread use in public key infrastuctures (PKI)
+     * RFC 3447. It is in widespread use in public key infrastructures (PKI)
      * where certificates (cf. OpenSSL::X509::Certificate) often are issued
      * on the basis of a public/private RSA key pair. RSA is used in a wide
      * field of applications such as secure (symmetric) key exchange, e.g.

data/ext/openssl/ossl_ssl.c

@@ -1483,7 +1483,8 @@ ossl_ssl_setup(VALUE self)
     GetOpenFile(io, fptr);
     rb_io_check_readable(fptr);
     rb_io_check_writable(fptr);
-    SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr)));
+    if (!SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr))))
+	ossl_raise(eSSLError, "SSL_set_fd");
 
     return Qtrue;
 }

data/ext/openssl/ossl_version.h

@@ -10,6 +10,6 @@
 #if !defined(_OSSL_VERSION_H_)
 #define _OSSL_VERSION_H_
 
-#define OSSL_VERSION "2.0.3"
+#define OSSL_VERSION "2.0.4"
 
 #endif /* _OSSL_VERSION_H_ */

data/ext/openssl/ossl_x509store.c

@@ -342,6 +342,15 @@ ossl_x509store_add_file(VALUE self, VALUE file)
     if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
         ossl_raise(eX509StoreError, NULL);
     }
+#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
+    /*
+     * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
+     * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
+     * "cert already in hash table" errors on the error queue, if duplicate
+     * certificates are found. This will be fixed by OpenSSL 1.1.1.
+     */
+    ossl_clear_error();
+#endif
 
     return self;
 }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.4
 platform: ruby
 authors:
 - Martin Bosslet
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-31 00:00:00.000000000 Z
+date: 2017-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -77,8 +77,8 @@ extensions:
 - ext/openssl/extconf.rb
 extra_rdoc_files:
 - CONTRIBUTING.md
-- History.md
 - README.md
+- History.md
 files:
 - BSDL
 - CONTRIBUTING.md
@@ -171,7 +171,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: OpenSSL provides SSL, TLS and general purpose cryptography.