openssl 3.0.1 → 3.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b75bcd65f8742364f4a513c5ec991648ef6c859b185f2ae87b3eeb1551ab743b
4
- data.tar.gz: 1e9674192c66fd95a3c201d9afd0d2d755da24ae2847e5abfd68734ba262c811
3
+ metadata.gz: 7e3734ac5044a3ae69b9fb618a0896867e28cfe1390220d802e9db114b449384
4
+ data.tar.gz: '0976489913ce74b9b7e83c013db968687c75d2b61715bdda5d6ced8a7b6cdd6a'
5
5
  SHA512:
6
- metadata.gz: c28bc1d26bb1ae082481d1615d381bd2026b094eae39ddaadbe2791a9bade505bdc0431f19539254f66520feca5b073b675d93c53117b5df880460e029f2641c
7
- data.tar.gz: b815b33563ece86bc99f7112db593765c8bc32c887511ef5caff77725d64fb3f78e470e1ae4fbec131d04eda464159852aac3373e485d36c47ef32b35f59d99c
6
+ metadata.gz: df86c47dd43a0d92ddaea6d9edd39cbac1eb963807eeb525c9e4be2a9820f1f5dfac017492082fcac63f93ceb3cb6d1a4e0d0574104bd61004c14b5a1866bd9f
7
+ data.tar.gz: 071d295fd05b9be5e941a9698977cdb62a02d6b1f83557243bf250d566db372f42df8338c6c9fb11af349c5df879c1ab7179042b2e5c44664431fa0eae1cd1b9
data/History.md CHANGED
@@ -1,3 +1,42 @@
1
+ Version 3.0.3
2
+ =============
3
+
4
+ Bug fixes
5
+ ---------
6
+
7
+ * Fix a performance regression introduced in v2.1.3 on a buffered write to
8
+ `SSLSocket`.
9
+ [[GitHub #706]](https://github.com/ruby/openssl/pull/706)
10
+ * Fix `OpenSSL::PKCS7` to handle PKCS#7 structures without content.
11
+ [[GitHub #690]](https://github.com/ruby/openssl/pull/690)
12
+ [[GitHub #752]](https://github.com/ruby/openssl/pull/752)
13
+ * Fix `OpenSSL::ASN1::ObjectId#==` with OIDs without a known name.
14
+ [[GitHub #791]](https://github.com/ruby/openssl/issues/791)
15
+ [[GitHub #792]](https://github.com/ruby/openssl/pull/792)
16
+ * Fix `OpenSSL::X509::Certificate#crl_uris` to handle CDP with multiple CRL
17
+ URIs.
18
+ [[GitHub #775]](https://github.com/ruby/openssl/issues/775)
19
+ [[GitHub #776]](https://github.com/ruby/openssl/pull/776)
20
+ * Fix `OpenSSL::Cipher#update` to always make the output buffer `String`
21
+ independent.
22
+ [[Bug #20937]](https://bugs.ruby-lang.org/issues/20937)
23
+ [[GitHub #824]](https://github.com/ruby/openssl/pull/824)
24
+
25
+
26
+ Version 3.0.2
27
+ =============
28
+
29
+ Merged changes in 2.2.3. Additionally, the following issues are fixed by this
30
+ release.
31
+
32
+ Bug fixes
33
+ ---------
34
+
35
+ * Fix OpenSSL::PKey::EC#check_key not working correctly on OpenSSL 3.0.
36
+ [[GitHub #563]](https://github.com/ruby/openssl/issues/563)
37
+ [[GitHub #580]](https://github.com/ruby/openssl/pull/580)
38
+
39
+
1
40
  Version 3.0.1
2
41
  =============
3
42
 
@@ -124,6 +163,21 @@ Notable changes
124
163
  [[GitHub #342]](https://github.com/ruby/openssl/issues/342)
125
164
 
126
165
 
166
+ Version 2.2.3
167
+ =============
168
+
169
+ Bug fixes
170
+ ---------
171
+
172
+ * Fix serveral methods in OpenSSL::PKey::EC::Point attempting to raise an error
173
+ with an incorrect class, which would end up with a TypeError.
174
+ [[GitHub #570]](https://github.com/ruby/openssl/pull/570)
175
+ * Fix OpenSSL::PKey::EC::Point#eql? and OpenSSL::PKey::EC::Group#eql?
176
+ incorrectly treated OpenSSL's internal errors as "not equal".
177
+ [[GitHub #564]](https://github.com/ruby/openssl/pull/564)
178
+ * Fix build with LibreSSL 3.5 or later.
179
+
180
+
127
181
  Version 2.2.2
128
182
  =============
129
183
 
data/ext/openssl/ossl.h CHANGED
@@ -43,13 +43,13 @@
43
43
  #ifndef LIBRESSL_VERSION_NUMBER
44
44
  # define OSSL_IS_LIBRESSL 0
45
45
  # define OSSL_OPENSSL_PREREQ(maj, min, pat) \
46
- (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
46
+ (OPENSSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
47
47
  # define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
48
48
  #else
49
49
  # define OSSL_IS_LIBRESSL 1
50
50
  # define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
51
51
  # define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
52
- (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
52
+ (LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
53
53
  #endif
54
54
 
55
55
  #if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
@@ -1297,30 +1297,6 @@ ossl_asn1obj_get_ln(VALUE self)
1297
1297
  return ret;
1298
1298
  }
1299
1299
 
1300
- /*
1301
- * call-seq:
1302
- * oid == other_oid => true or false
1303
- *
1304
- * Returns +true+ if _other_oid_ is the same as _oid_
1305
- */
1306
- static VALUE
1307
- ossl_asn1obj_eq(VALUE self, VALUE other)
1308
- {
1309
- VALUE valSelf, valOther;
1310
- int nidSelf, nidOther;
1311
-
1312
- valSelf = ossl_asn1_get_value(self);
1313
- valOther = ossl_asn1_get_value(other);
1314
-
1315
- if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
1316
- ossl_raise(eASN1Error, "OBJ_txt2nid");
1317
-
1318
- if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
1319
- ossl_raise(eASN1Error, "OBJ_txt2nid");
1320
-
1321
- return nidSelf == nidOther ? Qtrue : Qfalse;
1322
- }
1323
-
1324
1300
  static VALUE
1325
1301
  asn1obj_get_oid_i(VALUE vobj)
1326
1302
  {
@@ -1365,6 +1341,25 @@ ossl_asn1obj_get_oid(VALUE self)
1365
1341
  return str;
1366
1342
  }
1367
1343
 
1344
+ /*
1345
+ * call-seq:
1346
+ * oid == other_oid => true or false
1347
+ *
1348
+ * Returns +true+ if _other_oid_ is the same as _oid_.
1349
+ */
1350
+ static VALUE
1351
+ ossl_asn1obj_eq(VALUE self, VALUE other)
1352
+ {
1353
+ VALUE oid1, oid2;
1354
+
1355
+ if (!rb_obj_is_kind_of(other, cASN1ObjectId))
1356
+ return Qfalse;
1357
+
1358
+ oid1 = ossl_asn1obj_get_oid(self);
1359
+ oid2 = ossl_asn1obj_get_oid(other);
1360
+ return rb_str_equal(oid1, oid2);
1361
+ }
1362
+
1368
1363
  #define OSSL_ASN1_IMPL_FACTORY_METHOD(klass) \
1369
1364
  static VALUE ossl_asn1_##klass(int argc, VALUE *argv, VALUE self)\
1370
1365
  { return rb_funcall3(cASN1##klass, rb_intern("new"), argc, argv); }
@@ -387,22 +387,37 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
387
387
  if ((in_len = RSTRING_LEN(data)) == 0)
388
388
  ossl_raise(rb_eArgError, "data must not be empty");
389
389
  GetCipher(self, ctx);
390
- out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
391
- if (out_len <= 0) {
390
+
391
+ /*
392
+ * As of OpenSSL 3.2, there is no reliable way to determine the required
393
+ * output buffer size for arbitrary cipher modes.
394
+ * https://github.com/openssl/openssl/issues/22628
395
+ *
396
+ * in_len+block_size is usually sufficient, but AES key wrap with padding
397
+ * ciphers require in_len+15 even though they have a block size of 8 bytes.
398
+ *
399
+ * Using EVP_MAX_BLOCK_LENGTH (32) as a safe upper bound for ciphers
400
+ * currently implemented in OpenSSL, but this can change in the future.
401
+ */
402
+ if (in_len > LONG_MAX - EVP_MAX_BLOCK_LENGTH) {
392
403
  ossl_raise(rb_eRangeError,
393
404
  "data too big to make output buffer: %ld bytes", in_len);
394
405
  }
406
+ out_len = in_len + EVP_MAX_BLOCK_LENGTH;
395
407
 
396
408
  if (NIL_P(str)) {
397
409
  str = rb_str_new(0, out_len);
398
410
  } else {
399
411
  StringValue(str);
400
- rb_str_resize(str, out_len);
412
+ if ((long)rb_str_capacity(str) >= out_len)
413
+ rb_str_modify(str);
414
+ else
415
+ rb_str_modify_expand(str, out_len - RSTRING_LEN(str));
401
416
  }
402
417
 
403
418
  if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
404
419
  ossl_raise(eCipherError, NULL);
405
- assert(out_len < RSTRING_LEN(str));
420
+ assert(out_len <= RSTRING_LEN(str));
406
421
  rb_str_set_len(str, out_len);
407
422
 
408
423
  return str;
@@ -232,6 +232,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
232
232
  str = rb_str_new(NULL, out_len);
233
233
  } else {
234
234
  StringValue(str);
235
+ rb_str_modify(str);
235
236
  rb_str_resize(str, out_len);
236
237
  }
237
238
 
@@ -165,7 +165,13 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
165
165
  out = NULL;
166
166
  pkcs7 = SMIME_read_PKCS7(in, &out);
167
167
  BIO_free(in);
168
- if(!pkcs7) ossl_raise(ePKCS7Error, NULL);
168
+ if (!pkcs7)
169
+ ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
170
+ if (!pkcs7->d.ptr) {
171
+ PKCS7_free(pkcs7);
172
+ ossl_raise(ePKCS7Error, "No content in PKCS7");
173
+ }
174
+
169
175
  data = out ? ossl_membio2str(out) : Qnil;
170
176
  SetPKCS7(ret, pkcs7);
171
177
  ossl_pkcs7_set_data(ret, data);
@@ -346,6 +352,10 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
346
352
  BIO_free(in);
347
353
  if (!p7)
348
354
  ossl_raise(rb_eArgError, "Could not parse the PKCS7");
355
+ if (!p7->d.ptr) {
356
+ PKCS7_free(p7);
357
+ ossl_raise(rb_eArgError, "No content in PKCS7");
358
+ }
349
359
 
350
360
  RTYPEDDATA_DATA(self) = p7;
351
361
  PKCS7_free(p7_orig);
@@ -710,7 +710,7 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
710
710
  }
711
711
  }
712
712
  else {
713
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
713
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 5, 0)
714
714
  if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
715
715
  ossl_pem_passwd_cb,
716
716
  (void *)pass)) {
@@ -951,7 +951,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
951
951
  rb_jump_tag(state);
952
952
  }
953
953
  }
954
- #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
954
+ #if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
955
955
  if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
956
956
  RSTRING_LEN(data)) < 1) {
957
957
  EVP_MD_CTX_free(ctx);
@@ -1056,7 +1056,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
1056
1056
  rb_jump_tag(state);
1057
1057
  }
1058
1058
  }
1059
- #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
1059
+ #if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
1060
1060
  ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
1061
1061
  RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
1062
1062
  RSTRING_LEN(data));
@@ -483,16 +483,28 @@ static VALUE ossl_ec_key_check_key(VALUE self)
483
483
  #ifdef HAVE_EVP_PKEY_CHECK
484
484
  EVP_PKEY *pkey;
485
485
  EVP_PKEY_CTX *pctx;
486
- int ret;
486
+ EC_KEY *ec;
487
487
 
488
488
  GetPKey(self, pkey);
489
+ GetEC(self, ec);
489
490
  pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
490
491
  if (!pctx)
491
- ossl_raise(eDHError, "EVP_PKEY_CTX_new");
492
- ret = EVP_PKEY_public_check(pctx);
492
+ ossl_raise(eECError, "EVP_PKEY_CTX_new");
493
+
494
+ if (EC_KEY_get0_private_key(ec) != NULL) {
495
+ if (EVP_PKEY_check(pctx) != 1) {
496
+ EVP_PKEY_CTX_free(pctx);
497
+ ossl_raise(eECError, "EVP_PKEY_check");
498
+ }
499
+ }
500
+ else {
501
+ if (EVP_PKEY_public_check(pctx) != 1) {
502
+ EVP_PKEY_CTX_free(pctx);
503
+ ossl_raise(eECError, "EVP_PKEY_public_check");
504
+ }
505
+ }
506
+
493
507
  EVP_PKEY_CTX_free(pctx);
494
- if (ret != 1)
495
- ossl_raise(eECError, "EVP_PKEY_public_check");
496
508
  #else
497
509
  EC_KEY *ec;
498
510
 
@@ -668,10 +680,11 @@ static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
668
680
  GetECGroup(a, group1);
669
681
  GetECGroup(b, group2);
670
682
 
671
- if (EC_GROUP_cmp(group1, group2, ossl_bn_ctx) == 1)
672
- return Qfalse;
673
-
674
- return Qtrue;
683
+ switch (EC_GROUP_cmp(group1, group2, ossl_bn_ctx)) {
684
+ case 0: return Qtrue;
685
+ case 1: return Qfalse;
686
+ default: ossl_raise(eEC_GROUP, "EC_GROUP_cmp");
687
+ }
675
688
  }
676
689
 
677
690
  /*
@@ -1232,10 +1245,13 @@ static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
1232
1245
  GetECPoint(b, point2);
1233
1246
  GetECGroup(group_v1, group);
1234
1247
 
1235
- if (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx) == 1)
1236
- return Qfalse;
1248
+ switch (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx)) {
1249
+ case 0: return Qtrue;
1250
+ case 1: return Qfalse;
1251
+ default: ossl_raise(eEC_POINT, "EC_POINT_cmp");
1252
+ }
1237
1253
 
1238
- return Qtrue;
1254
+ UNREACHABLE;
1239
1255
  }
1240
1256
 
1241
1257
  /*
@@ -1253,7 +1269,7 @@ static VALUE ossl_ec_point_is_at_infinity(VALUE self)
1253
1269
  switch (EC_POINT_is_at_infinity(group, point)) {
1254
1270
  case 1: return Qtrue;
1255
1271
  case 0: return Qfalse;
1256
- default: ossl_raise(cEC_POINT, "EC_POINT_is_at_infinity");
1272
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_at_infinity");
1257
1273
  }
1258
1274
 
1259
1275
  UNREACHABLE;
@@ -1274,7 +1290,7 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
1274
1290
  switch (EC_POINT_is_on_curve(group, point, ossl_bn_ctx)) {
1275
1291
  case 1: return Qtrue;
1276
1292
  case 0: return Qfalse;
1277
- default: ossl_raise(cEC_POINT, "EC_POINT_is_on_curve");
1293
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_on_curve");
1278
1294
  }
1279
1295
 
1280
1296
  UNREACHABLE;
@@ -1297,7 +1313,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
1297
1313
  rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated");
1298
1314
  #if !OSSL_OPENSSL_PREREQ(3, 0, 0)
1299
1315
  if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
1300
- ossl_raise(cEC_POINT, "EC_POINT_make_affine");
1316
+ ossl_raise(eEC_POINT, "EC_POINT_make_affine");
1301
1317
  #endif
1302
1318
 
1303
1319
  return self;
@@ -1316,7 +1332,7 @@ static VALUE ossl_ec_point_invert(VALUE self)
1316
1332
  GetECPointGroup(self, group);
1317
1333
 
1318
1334
  if (EC_POINT_invert(group, point, ossl_bn_ctx) != 1)
1319
- ossl_raise(cEC_POINT, "EC_POINT_invert");
1335
+ ossl_raise(eEC_POINT, "EC_POINT_invert");
1320
1336
 
1321
1337
  return self;
1322
1338
  }
@@ -1334,7 +1350,7 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
1334
1350
  GetECPointGroup(self, group);
1335
1351
 
1336
1352
  if (EC_POINT_set_to_infinity(group, point) != 1)
1337
- ossl_raise(cEC_POINT, "EC_POINT_set_to_infinity");
1353
+ ossl_raise(eEC_POINT, "EC_POINT_set_to_infinity");
1338
1354
 
1339
1355
  return self;
1340
1356
  }
@@ -348,13 +348,18 @@ module OpenSSL::Buffering
348
348
  @wbuffer << s
349
349
  @wbuffer.force_encoding(Encoding::BINARY)
350
350
  @sync ||= false
351
- if @sync or @wbuffer.size > BLOCK_SIZE
352
- until @wbuffer.empty?
353
- begin
354
- nwrote = syswrite(@wbuffer)
355
- rescue Errno::EAGAIN
356
- retry
351
+ buffer_size = @wbuffer.size
352
+ if @sync or buffer_size > BLOCK_SIZE
353
+ nwrote = 0
354
+ begin
355
+ while nwrote < buffer_size do
356
+ begin
357
+ nwrote += syswrite(@wbuffer[nwrote, buffer_size - nwrote])
358
+ rescue Errno::EAGAIN
359
+ retry
360
+ end
357
361
  end
362
+ ensure
358
363
  @wbuffer[0, nwrote] = ""
359
364
  end
360
365
  end
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OpenSSL
4
- VERSION = "3.0.1"
4
+ VERSION = "3.0.3"
5
5
  end
data/lib/openssl/x509.rb CHANGED
@@ -122,8 +122,8 @@ module OpenSSL
122
122
  include Helpers
123
123
 
124
124
  # Get the distributionPoint fullName URI from the certificate's CRL
125
- # distribution points extension, as described in RFC5280 Section
126
- # 4.2.1.13
125
+ # distribution points extension, as described in RFC 5280 Section
126
+ # 4.2.1.13.
127
127
  #
128
128
  # Returns an array of strings or nil or raises ASN1::ASN1Error.
129
129
  def crl_uris
@@ -135,19 +135,19 @@ module OpenSSL
135
135
  raise ASN1::ASN1Error, "invalid extension"
136
136
  end
137
137
 
138
- crl_uris = cdp_asn1.map do |crl_distribution_point|
138
+ crl_uris = cdp_asn1.flat_map do |crl_distribution_point|
139
139
  distribution_point = crl_distribution_point.value.find do |v|
140
140
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
141
141
  end
142
142
  full_name = distribution_point&.value&.find do |v|
143
143
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
144
144
  end
145
- full_name&.value&.find do |v|
145
+ full_name&.value&.select do |v|
146
146
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
147
147
  end
148
148
  end
149
149
 
150
- crl_uris&.map(&:value)
150
+ crl_uris.empty? ? nil : crl_uris.map(&:value)
151
151
  end
152
152
  end
153
153
 
metadata CHANGED
@@ -1,17 +1,17 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.1
4
+ version: 3.0.3
5
5
  platform: ruby
6
+ original_platform: ''
6
7
  authors:
7
8
  - Martin Bosslet
8
9
  - SHIBATA Hiroshi
9
10
  - Zachary Scott
10
11
  - Kazuki Yamaguchi
11
- autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2022-09-08 00:00:00.000000000 Z
14
+ date: 2024-12-18 00:00:00.000000000 Z
15
15
  dependencies: []
16
16
  description: It wraps the OpenSSL library.
17
17
  email:
@@ -100,7 +100,6 @@ licenses:
100
100
  - Ruby
101
101
  metadata:
102
102
  msys2_mingw_dependencies: openssl
103
- post_install_message:
104
103
  rdoc_options:
105
104
  - "--main"
106
105
  - README.md
@@ -117,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
117
116
  - !ruby/object:Gem::Version
118
117
  version: '0'
119
118
  requirements: []
120
- rubygems_version: 3.3.8
121
- signing_key:
119
+ rubygems_version: 3.6.1
122
120
  specification_version: 4
123
121
  summary: OpenSSL provides SSL, TLS and general purpose cryptography.
124
122
  test_files: []