openssl 3.0.2 → 3.0.3

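--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b8568ca84395c137b32a22127dcaa2125265d1f5b61a62ba1d56e2373b7a96c4
- data.tar.gz: 1cef2e5798b482c3096826306a3264b82626f6d6cb23f53d9a71025f5afa46b3
+ metadata.gz: 7e3734ac5044a3ae69b9fb618a0896867e28cfe1390220d802e9db114b449384
+ data.tar.gz: '0976489913ce74b9b7e83c013db968687c75d2b61715bdda5d6ced8a7b6cdd6a'
  SHA512:
- metadata.gz: 1bb9f6a40f535f4331097321296028fc2bdc8e5f90e6366c8db5c8e6dca771b55932c01479f667bd0751940917c83a9c98ca9ea70d7c622688cbb24432afdb36
- data.tar.gz: d9905167ac9e1ffc3201155d39d947e5b0e923797a09ba172a443d4a4040a5d8663edfdb30c935a6d2fa71438e8f8a0fec025c21b5af9290eb76b02a8c100326
+ metadata.gz: df86c47dd43a0d92ddaea6d9edd39cbac1eb963807eeb525c9e4be2a9820f1f5dfac017492082fcac63f93ceb3cb6d1a4e0d0574104bd61004c14b5a1866bd9f
+ data.tar.gz: 071d295fd05b9be5e941a9698977cdb62a02d6b1f83557243bf250d566db372f42df8338c6c9fb11af349c5df879c1ab7179042b2e5c44664431fa0eae1cd1b9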
data/History.md CHANGED
@@ -1,3 +1,28 @@
1
+ Version 3.0.3
2
+ =============
3
+
4
+ Bug fixes
5
+ ---------
6
+
7
+ * Fix a performance regression introduced in v2.1.3 on a buffered write to
8
+ `SSLSocket`.
9
+ [[GitHub #706]](https://github.com/ruby/openssl/pull/706)
10
+ * Fix `OpenSSL::PKCS7` to handle PKCS#7 structures without content.
11
+ [[GitHub #690]](https://github.com/ruby/openssl/pull/690)
12
+ [[GitHub #752]](https://github.com/ruby/openssl/pull/752)
13
+ * Fix `OpenSSL::ASN1::ObjectId#==` with OIDs without a known name.
14
+ [[GitHub #791]](https://github.com/ruby/openssl/issues/791)
15
+ [[GitHub #792]](https://github.com/ruby/openssl/pull/792)
16
+ * Fix `OpenSSL::X509::Certificate#crl_uris` to handle CDP with multiple CRL
17
+ URIs.
18
+ [[GitHub #775]](https://github.com/ruby/openssl/issues/775)
19
+ [[GitHub #776]](https://github.com/ruby/openssl/pull/776)
20
+ * Fix `OpenSSL::Cipher#update` to always make the output buffer `String`
21
+ independent.
22
+ [[Bug #20937]](https://bugs.ruby-lang.org/issues/20937)
23
+ [[GitHub #824]](https://github.com/ruby/openssl/pull/824)
24
+
25
+
1
26
  Version 3.0.2
2
27
  =============
3
28
 
@@ -1297,30 +1297,6 @@ ossl_asn1obj_get_ln(VALUE self)
1297
1297
  return ret;
1298
1298
  }
1299
1299
 
1300
- /*
1301
- * call-seq:
1302
- * oid == other_oid => true or false
1303
- *
1304
- * Returns +true+ if _other_oid_ is the same as _oid_
1305
- */
1306
- static VALUE
1307
- ossl_asn1obj_eq(VALUE self, VALUE other)
1308
- {
1309
- VALUE valSelf, valOther;
1310
- int nidSelf, nidOther;
1311
-
1312
- valSelf = ossl_asn1_get_value(self);
1313
- valOther = ossl_asn1_get_value(other);
1314
-
1315
- if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
1316
- ossl_raise(eASN1Error, "OBJ_txt2nid");
1317
-
1318
- if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
1319
- ossl_raise(eASN1Error, "OBJ_txt2nid");
1320
-
1321
- return nidSelf == nidOther ? Qtrue : Qfalse;
1322
- }
1323
-
1324
1300
  static VALUE
1325
1301
  asn1obj_get_oid_i(VALUE vobj)
1326
1302
  {
@@ -1365,6 +1341,25 @@ ossl_asn1obj_get_oid(VALUE self)
1365
1341
  return str;
1366
1342
  }
1367
1343
 
1344
+ /*
1345
+ * call-seq:
1346
+ * oid == other_oid => true or false
1347
+ *
1348
+ * Returns +true+ if _other_oid_ is the same as _oid_.
1349
+ */
1350
+ static VALUE
1351
+ ossl_asn1obj_eq(VALUE self, VALUE other)
1352
+ {
1353
+ VALUE oid1, oid2;
1354
+
1355
+ if (!rb_obj_is_kind_of(other, cASN1ObjectId))
1356
+ return Qfalse;
1357
+
1358
+ oid1 = ossl_asn1obj_get_oid(self);
1359
+ oid2 = ossl_asn1obj_get_oid(other);
1360
+ return rb_str_equal(oid1, oid2);
1361
+ }
1362
+
1368
1363
  #define OSSL_ASN1_IMPL_FACTORY_METHOD(klass) \
1369
1364
  static VALUE ossl_asn1_##klass(int argc, VALUE *argv, VALUE self)\
1370
1365
  { return rb_funcall3(cASN1##klass, rb_intern("new"), argc, argv); }
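Review bot: The doc comment on the re-added `ossl_asn1obj_eq` still says only that it returns true when the OIDs are "the same", which leaves out two behaviours that callers doing OID checks should know. An `other` that is not a `cASN1ObjectId` now yields `Qfalse`, and equality is decided by `rb_str_equal` on the strings returned by `ossl_asn1obj_get_oid` rather than by NID. I would add a line such as `* Compares the OID strings of both objects; returns +false+ if _other_oid_ is not an ObjectId.` to the comment. Only the last lines of `ossl_asn1obj_get_oid` appear in this hunk, so whether it can still raise for a malformed value cannot be confirmed here; if it can, the comment should say so.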
@@ -387,22 +387,37 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
387
387
  if ((in_len = RSTRING_LEN(data)) == 0)
388
388
  ossl_raise(rb_eArgError, "data must not be empty");
389
389
  GetCipher(self, ctx);
390
- out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
391
- if (out_len <= 0) {
390
+
391
+ /*
392
+ * As of OpenSSL 3.2, there is no reliable way to determine the required
393
+ * output buffer size for arbitrary cipher modes.
394
+ * https://github.com/openssl/openssl/issues/22628
395
+ *
396
+ * in_len+block_size is usually sufficient, but AES key wrap with padding
397
+ * ciphers require in_len+15 even though they have a block size of 8 bytes.
398
+ *
399
+ * Using EVP_MAX_BLOCK_LENGTH (32) as a safe upper bound for ciphers
400
+ * currently implemented in OpenSSL, but this can change in the future.
401
+ */
402
+ if (in_len > LONG_MAX - EVP_MAX_BLOCK_LENGTH) {
392
403
  ossl_raise(rb_eRangeError,
393
404
  "data too big to make output buffer: %ld bytes", in_len);
394
405
  }
406
+ out_len = in_len + EVP_MAX_BLOCK_LENGTH;
395
407
 
396
408
  if (NIL_P(str)) {
397
409
  str = rb_str_new(0, out_len);
398
410
  } else {
399
411
  StringValue(str);
400
- rb_str_resize(str, out_len);
412
+ if ((long)rb_str_capacity(str) >= out_len)
413
+ rb_str_modify(str);
414
+ else
415
+ rb_str_modify_expand(str, out_len - RSTRING_LEN(str));
401
416
  }
402
417
 
403
418
  if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
404
419
  ossl_raise(eCipherError, NULL);
405
- assert(out_len < RSTRING_LEN(str));
420
+ assert(out_len <= RSTRING_LEN(str));
406
421
  rb_str_set_len(str, out_len);
407
422
 
408
423
  return str;
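Review bot: The post-write check `assert(out_len <= RSTRING_LEN(str));` compares the bytes written against the string's length, but the new branch for a caller-supplied buffer sizes it by capacity (`rb_str_capacity` / `rb_str_modify_expand`) and never sets the length to the reserved size. If those calls leave the length as the caller passed it, which their use here suggests, a short or empty buffer with enough capacity would trip the assert in builds where it is active, and the check would not reflect the space actually reserved. Comparing against the reserved size would match the sizing logic: `assert(out_len <= (long)rb_str_capacity(str));`. `ossl_cipher_update` starts and ends outside this hunk, so the earlier handling of `str` is not visible.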
@@ -232,6 +232,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
232
232
  str = rb_str_new(NULL, out_len);
233
233
  } else {
234
234
  StringValue(str);
235
+ rb_str_modify(str);
235
236
  rb_str_resize(str, out_len);
236
237
  }
237
238
 
@@ -165,7 +165,13 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
165
165
  out = NULL;
166
166
  pkcs7 = SMIME_read_PKCS7(in, &out);
167
167
  BIO_free(in);
168
- if(!pkcs7) ossl_raise(ePKCS7Error, NULL);
168
+ if (!pkcs7)
169
+ ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
170
+ if (!pkcs7->d.ptr) {
171
+ PKCS7_free(pkcs7);
172
+ ossl_raise(ePKCS7Error, "No content in PKCS7");
173
+ }
174
+
169
175
  data = out ? ossl_membio2str(out) : Qnil;
170
176
  SetPKCS7(ret, pkcs7);
171
177
  ossl_pkcs7_set_data(ret, data);
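Review bot: The new `!pkcs7->d.ptr` branch frees `pkcs7` but not `out`, which `SMIME_read_PKCS7(in, &out)` may have filled in; the following line `data = out ? ossl_membio2str(out) : Qnil;` shows that `out` can be non-NULL at this point. Adding `BIO_free(out);` next to `PKCS7_free(pkcs7);` before the raise would avoid leaking that BIO each time a content-less message is rejected, which matters when this parser is fed untrusted S/MIME input. `BIO_free` accepts NULL, so no extra guard is needed. The function body starts and ends outside the hunk.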
@@ -346,6 +352,10 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
346
352
  BIO_free(in);
347
353
  if (!p7)
348
354
  ossl_raise(rb_eArgError, "Could not parse the PKCS7");
355
+ if (!p7->d.ptr) {
356
+ PKCS7_free(p7);
357
+ ossl_raise(rb_eArgError, "No content in PKCS7");
358
+ }
349
359
 
350
360
  RTYPEDDATA_DATA(self) = p7;
351
361
  PKCS7_free(p7_orig);
@@ -951,7 +951,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
951
951
  rb_jump_tag(state);
952
952
  }
953
953
  }
954
- #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
954
+ #if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
955
955
  if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
956
956
  RSTRING_LEN(data)) < 1) {
957
957
  EVP_MD_CTX_free(ctx);
@@ -1056,7 +1056,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
1056
1056
  rb_jump_tag(state);
1057
1057
  }
1058
1058
  }
1059
- #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
1059
+ #if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
1060
1060
  ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
1061
1061
  RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
1062
1062
  RSTRING_LEN(data));
@@ -348,13 +348,18 @@ module OpenSSL::Buffering
348
348
  @wbuffer << s
349
349
  @wbuffer.force_encoding(Encoding::BINARY)
350
350
  @sync ||= false
351
- if @sync or @wbuffer.size > BLOCK_SIZE
352
- until @wbuffer.empty?
353
- begin
354
- nwrote = syswrite(@wbuffer)
355
- rescue Errno::EAGAIN
356
- retry
351
+ buffer_size = @wbuffer.size
352
+ if @sync or buffer_size > BLOCK_SIZE
353
+ nwrote = 0
354
+ begin
355
+ while nwrote < buffer_size do
356
+ begin
357
+ nwrote += syswrite(@wbuffer[nwrote, buffer_size - nwrote])
358
+ rescue Errno::EAGAIN
359
+ retry
360
+ end
357
361
  end
362
+ ensure
358
363
  @wbuffer[0, nwrote] = ""
359
364
  end
360
365
  end
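Review bot: The reason the trim `@wbuffer[0, nwrote] = ""` now sits under `ensure` is not stated, and it is the part of this rewrite a later maintainer is most likely to undo. A comment above the `ensure` such as `# drop bytes already written even when syswrite raises, so a later flush does not send them twice` would record it. The `rescue Errno::EAGAIN` / `retry` pair is carried over from the old loop and still retries immediately rather than waiting for the socket to become writable. The method starts outside the hunk.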
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OpenSSL
4
- VERSION = "3.0.2"
4
+ VERSION = "3.0.3"
5
5
  end
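--- a/data/lib/openssl/x509.rb
+++ b/data/lib/openssl/x509.rb
@@ -122,8 +122,8 @@ module OpenSSL
  include Helpers
 
  # Get the distributionPoint fullName URI from the certificate's CRL
- # distribution points extension, as described in RFC5280 Section
- # 4.2.1.13
+ # distribution points extension, as described in RFC 5280 Section
+ # 4.2.1.13.
  #
  # Returns an array of strings or nil or raises ASN1::ASN1Error.
  def crl_uris
@@ -135,19 +135,19 @@ module OpenSSL
  raise ASN1::ASN1Error, "invalid extension"
  end
 
- crl_uris = cdp_asn1.map do |crl_distribution_point|
+ crl_uris = cdp_asn1.flat_map do |crl_distribution_point|
  distribution_point = crl_distribution_point.value.find do |v|
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
  end
  full_name = distribution_point&.value&.find do |v|
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
  end
- full_name&.value&.find do |v|
+ full_name&.value&.select do |v|
  v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
  end
  end
 
- crl_uris&.map(&:value)
+ crl_uris.empty? ? nil : crl_uris.map(&:value)
  end
  end
 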
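Review bot: In `crl_uris`, the block passed to `flat_map` returns nil whenever a distribution point has no `[0]` distributionPoint or no `[0]` fullName, and `flat_map` keeps a nil result as an element. The final `crl_uris.map(&:value)` then raises NoMethodError instead of returning nil or raising ASN1::ASN1Error as the comment promises. Certificates are untrusted input, and a CDP entry of that shape (for example one carrying only a cRLIssuer) would hit this path. Closing the inner expression with `end || []` after the `select` block makes such entries contribute nothing. The start of `crl_uris` lies between the two hunks and is not shown.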
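--- a/metadata
+++ b/metadata
@@ -1,17 +1,17 @@
  --- !ruby/object:Gem::Specification
  name: openssl
  version: !ruby/object:Gem::Version
- version: 3.0.2
+ version: 3.0.3
  platform: ruby
+ original_platform: ''
  authors:
  - Martin Bosslet
  - SHIBATA Hiroshi
  - Zachary Scott
  - Kazuki Yamaguchi
- autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-12-23 00:00:00.000000000 Z
+ date: 2024-12-18 00:00:00.000000000 Z
  dependencies: []
  description: It wraps the OpenSSL library.
  email:
@@ -100,7 +100,6 @@ licenses:
  - Ruby
  metadata:
  msys2_mingw_dependencies: openssl
- post_install_message:
  rdoc_options:
  - "--main"
  - README.md
@@ -117,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.4.0.dev
- signing_key:
+ rubygems_version: 3.6.1
  specification_version: 4
  summary: OpenSSL provides SSL, TLS and general purpose cryptography.
  test_files: []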