RubyGems - openssl - Versions diffs - 3.2.0 → 3.2.2 - Mend

openssl 3.2.0 → 3.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5040b959a35f5692d6d19e2bf520e1123da8133fff2f878cfc21c2ff0f145d6e
-  data.tar.gz: dfee6ebd76e423511aa0fc4630f8120edce8fe79d4f40ee7105ccad12c2d3340
+  metadata.gz: b0e45e3664b7a3f0ece679baf73ddb2da020d9255d1af3d40ed6e9cdd416ea93
+  data.tar.gz: 9628e1a30a0c953b631f8d2e0c0703f700594a3257fc5d5866f4834776504436
 SHA512:
-  metadata.gz: f542ec360be844382829f4bcc46b5cffdfcaf675b02ecdc1cd15a6e80c061476ee4582fdb201ef2dd0f430806d74036233eef3a5c23e5b4028560ad075ed706b
-  data.tar.gz: 0173033ebe6efb76b747cc80835cc9530dd664d038256bbdf963d4940b5f3bfad90be313554f548a911ac0977d4bdc33c088dfd3b6fb8e46db7bcd5d2ec34a8c
+  metadata.gz: 80d8c83ecee3e6279ff11923b370b2053960c8b964d9298882a69971bb135712a8ac7449cd3d6262b9120da922232703859a2cd83782b1ee9f770ce0db466607
+  data.tar.gz: 226de23eddbdfe81d734839cb719331061e90b3b86eeca651e6d51dded1556a76bcf2a0dd9e52f6a6cbba49c01985200eb6b907b8ac75df7041508fee45aaa22

data/History.md CHANGED Viewed

@@ -1,3 +1,15 @@
+Version 3.2.2
+=============
+Merged changes in 3.1.2.
+Version 3.2.1
+=============
+Merged changes in 3.0.3.
 Version 3.2.0
 =============
@@ -38,6 +50,29 @@ Notable changes
   [[GitHub #141]](https://github.com/ruby/openssl/pull/141)
+Version 3.1.2
+=============
+Bug fixes
+---------
+* Fix crash when attempting to export an incomplete `OpenSSL::PKey::DSA` key.
+  [[GitHub #845]](https://github.com/ruby/openssl/issues/845)
+  [[GitHub #847]](https://github.com/ruby/openssl/pull/847)
+* Remove the `OpenSSL::X509::V_FLAG_CRL_CHECK_ALL` flag from the default store
+  used by `OpenSSL::SSL::SSLContext#set_params`. It causes certificate
+  verification to fail with OpenSSL 3.6.0. It has no effect with any other
+  OpenSSL versions.
+  [[GitHub #949]](https://github.com/ruby/openssl/issues/949)
+  [[GitHub #950]](https://github.com/ruby/openssl/pull/950)
+Version 3.1.1
+=============
+Merged changes in 3.0.3.
 Version 3.1.0
 =============
@@ -74,6 +109,31 @@ Notable changes
   LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
+Version 3.0.3
+=============
+Bug fixes
+---------
+* Fix a performance regression introduced in v2.1.3 on a buffered write to
+  `SSLSocket`.
+  [[GitHub #706]](https://github.com/ruby/openssl/pull/706)
+* Fix `OpenSSL::PKCS7` to handle PKCS#7 structures without content.
+  [[GitHub #690]](https://github.com/ruby/openssl/pull/690)
+  [[GitHub #752]](https://github.com/ruby/openssl/pull/752)
+* Fix `OpenSSL::ASN1::ObjectId#==` with OIDs without a known name.
+  [[GitHub #791]](https://github.com/ruby/openssl/issues/791)
+  [[GitHub #792]](https://github.com/ruby/openssl/pull/792)
+* Fix `OpenSSL::X509::Certificate#crl_uris` to handle CDP with multiple CRL
+  URIs.
+  [[GitHub #775]](https://github.com/ruby/openssl/issues/775)
+  [[GitHub #776]](https://github.com/ruby/openssl/pull/776)
+* Fix `OpenSSL::Cipher#update` to always make the output buffer `String`
+  independent.
+  [[Bug #20937]](https://bugs.ruby-lang.org/issues/20937)
+  [[GitHub #824]](https://github.com/ruby/openssl/pull/824)
 Version 3.0.2
 =============
@@ -457,7 +517,7 @@ Security fixes
 Bug fixes
 ---------
-* Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
+* Fixed OpenSSL::PKey::\*.{new,generate} immediately aborting if the thread is
   interrupted.
   [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
   [[GitHub #205]](https://github.com/ruby/openssl/pull/205)

data/ext/openssl/ossl_asn1.c CHANGED Viewed

@@ -1298,30 +1298,6 @@ ossl_asn1obj_get_ln(VALUE self)
     return ret;
 }
-/*
- *  call-seq:
- *     oid == other_oid => true or false
- *
- *  Returns +true+ if _other_oid_ is the same as _oid_
- */
-static VALUE
-ossl_asn1obj_eq(VALUE self, VALUE other)
-{
-    VALUE valSelf, valOther;
-    int nidSelf, nidOther;
-    valSelf = ossl_asn1_get_value(self);
-    valOther = ossl_asn1_get_value(other);
-    if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
-	ossl_raise(eASN1Error, "OBJ_txt2nid");
-    if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
-	ossl_raise(eASN1Error, "OBJ_txt2nid");
-    return nidSelf == nidOther ? Qtrue : Qfalse;
-}
 static VALUE
 asn1obj_get_oid_i(VALUE vobj)
 {
@@ -1366,6 +1342,25 @@ ossl_asn1obj_get_oid(VALUE self)
     return str;
 }
+/*
+ *  call-seq:
+ *     oid == other_oid => true or false
+ *
+ *  Returns +true+ if _other_oid_ is the same as _oid_.
+ */
+static VALUE
+ossl_asn1obj_eq(VALUE self, VALUE other)
+{
+    VALUE oid1, oid2;
+    if (!rb_obj_is_kind_of(other, cASN1ObjectId))
+        return Qfalse;
+    oid1 = ossl_asn1obj_get_oid(self);
+    oid2 = ossl_asn1obj_get_oid(other);
+    return rb_str_equal(oid1, oid2);
+}
 #define OSSL_ASN1_IMPL_FACTORY_METHOD(klass) \
 static VALUE ossl_asn1_##klass(int argc, VALUE *argv, VALUE self)\
 { return rb_funcall3(cASN1##klass, rb_intern("new"), argc, argv); }

data/ext/openssl/ossl_cipher.c CHANGED Viewed

@@ -386,22 +386,37 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
     in = (unsigned char *)RSTRING_PTR(data);
     in_len = RSTRING_LEN(data);
     GetCipher(self, ctx);
-    out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
-    if (out_len <= 0) {
+    /*
+     * As of OpenSSL 3.2, there is no reliable way to determine the required
+     * output buffer size for arbitrary cipher modes.
+     * https://github.com/openssl/openssl/issues/22628
+     *
+     * in_len+block_size is usually sufficient, but AES key wrap with padding
+     * ciphers require in_len+15 even though they have a block size of 8 bytes.
+     *
+     * Using EVP_MAX_BLOCK_LENGTH (32) as a safe upper bound for ciphers
+     * currently implemented in OpenSSL, but this can change in the future.
+     */
+    if (in_len > LONG_MAX - EVP_MAX_BLOCK_LENGTH) {
 	ossl_raise(rb_eRangeError,
 		   "data too big to make output buffer: %ld bytes", in_len);
     }
+    out_len = in_len + EVP_MAX_BLOCK_LENGTH;
     if (NIL_P(str)) {
         str = rb_str_new(0, out_len);
     } else {
         StringValue(str);
-        rb_str_resize(str, out_len);
+        if ((long)rb_str_capacity(str) >= out_len)
+            rb_str_modify(str);
+        else
+            rb_str_modify_expand(str, out_len - RSTRING_LEN(str));
     }
     if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
 	ossl_raise(eCipherError, NULL);
-    assert(out_len < RSTRING_LEN(str));
+    assert(out_len <= RSTRING_LEN(str));
     rb_str_set_len(str, out_len);
     return str;

data/ext/openssl/ossl_digest.c CHANGED Viewed

@@ -232,6 +232,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
         str = rb_str_new(NULL, out_len);
     } else {
         StringValue(str);
+        rb_str_modify(str);
         rb_str_resize(str, out_len);
     }

data/ext/openssl/ossl_pkcs7.c CHANGED Viewed

@@ -165,7 +165,13 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
     out = NULL;
     pkcs7 = SMIME_read_PKCS7(in, &out);
     BIO_free(in);
-    if(!pkcs7) ossl_raise(ePKCS7Error, NULL);
+    if (!pkcs7)
+        ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
+    if (!pkcs7->d.ptr) {
+        PKCS7_free(pkcs7);
+        ossl_raise(ePKCS7Error, "No content in PKCS7");
+    }
     data = out ? ossl_membio2str(out) : Qnil;
     SetPKCS7(ret, pkcs7);
     ossl_pkcs7_set_data(ret, data);
@@ -346,6 +352,10 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
     BIO_free(in);
     if (!p7)
         ossl_raise(rb_eArgError, "Could not parse the PKCS7");
+    if (!p7->d.ptr) {
+        PKCS7_free(p7);
+        ossl_raise(rb_eArgError, "No content in PKCS7");
+    }
     RTYPEDDATA_DATA(self) = p7;
     PKCS7_free(p7_orig);

data/ext/openssl/ossl_pkey.c CHANGED Viewed

@@ -937,6 +937,7 @@ ossl_pkey_export_spki(VALUE self, int to_der)
     BIO *bio;
     GetPKey(self, pkey);
+    ossl_pkey_check_public_key(pkey);
     bio = BIO_new(BIO_s_mem());
     if (!bio)
 	ossl_raise(ePKeyError, "BIO_new");

data/lib/openssl/buffering.rb CHANGED Viewed

@@ -345,13 +345,18 @@ module OpenSSL::Buffering
     @wbuffer << s
     @wbuffer.force_encoding(Encoding::BINARY)
     @sync ||= false
-    if @sync or @wbuffer.size > BLOCK_SIZE
-      until @wbuffer.empty?
-        begin
-          nwrote = syswrite(@wbuffer)
-        rescue Errno::EAGAIN
-          retry
+    buffer_size = @wbuffer.size
+    if @sync or buffer_size > BLOCK_SIZE
+      nwrote = 0
+      begin
+        while nwrote < buffer_size do
+          begin
+            nwrote += syswrite(@wbuffer[nwrote, buffer_size - nwrote])
+          rescue Errno::EAGAIN
+            retry
+          end
         end
+      ensure
         @wbuffer[0, nwrote] = ""
       end
     end

data/lib/openssl/ssl.rb CHANGED Viewed

@@ -92,7 +92,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
       DEFAULT_CERT_STORE.set_default_paths
-      DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
       # A callback invoked when DH parameters are required for ephemeral DH key
       # exchange.

data/lib/openssl/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module OpenSSL
-  VERSION = "3.2.0"
+  VERSION = "3.2.2"
 end

data/lib/openssl/x509.rb CHANGED Viewed

@@ -122,8 +122,8 @@ module OpenSSL
         include Helpers
         # Get the distributionPoint fullName URI from the certificate's CRL
-        # distribution points extension, as described in RFC5280 Section
-        # 4.2.1.13
+        # distribution points extension, as described in RFC 5280 Section
+        # 4.2.1.13.
         #
         # Returns an array of strings or nil or raises ASN1::ASN1Error.
         def crl_uris
@@ -135,19 +135,19 @@ module OpenSSL
             raise ASN1::ASN1Error, "invalid extension"
           end
-          crl_uris = cdp_asn1.map do |crl_distribution_point|
+          crl_uris = cdp_asn1.flat_map do |crl_distribution_point|
             distribution_point = crl_distribution_point.value.find do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
             end
             full_name = distribution_point&.value&.find do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
             end
-            full_name&.value&.find do |v|
+            full_name&.value&.select do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
             end
           end
-          crl_uris&.map(&:value)
+          crl_uris.empty? ? nil : crl_uris.map(&:value)
         end
       end

metadata CHANGED Viewed

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.2
 platform: ruby
 authors:
 - Martin Bosslet
 - SHIBATA Hiroshi
 - Zachary Scott
 - Kazuki Yamaguchi
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-21 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies: []
 description: OpenSSL for Ruby provides access to SSL/TLS and general-purpose cryptography
   based on the OpenSSL library.
@@ -103,7 +102,6 @@ licenses:
 - Ruby
 metadata:
   msys2_mingw_dependencies: openssl
-post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -120,8 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: SSL/TLS and general-purpose cryptography for Ruby
 test_files: []