openssl 3.2.0 → 3.3.0

data/lib/openssl/asn1.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+#--
+#
+# = Ruby-space definitions that completes C-space funcs for ASN.1
+#
+# = Licence
+# This program is licensed under the same licence as Ruby.
+# (See the file 'COPYING'.)
+#++
+
+module OpenSSL
+  module ASN1
+    class ASN1Data
+      #
+      # Carries the value of a ASN.1 type.
+      # Please confer Constructive and Primitive for the mappings between
+      # ASN.1 data types and Ruby classes.
+      #
+      attr_accessor :value
+
+      # An Integer representing the tag number of this ASN1Data. Never +nil+.
+      attr_accessor :tag
+
+      # A Symbol representing the tag class of this ASN1Data. Never +nil+.
+      # See ASN1Data for possible values.
+      attr_accessor :tag_class
+
+      #
+      # Never +nil+. A boolean value indicating whether the encoding uses
+      # indefinite length (in the case of parsing) or whether an indefinite
+      # length form shall be used (in the encoding case).
+      # In DER, every value uses definite length form. But in scenarios where
+      # large amounts of data need to be transferred it might be desirable to
+      # have some kind of streaming support available.
+      # For example, huge OCTET STRINGs are preferably sent in smaller-sized
+      # chunks, each at a time.
+      # This is possible in BER by setting the length bytes of an encoding
+      # to zero and by this indicating that the following value will be
+      # sent in chunks. Indefinite length encodings are always constructed.
+      # The end of such a stream of chunks is indicated by sending a EOC
+      # (End of Content) tag. SETs and SEQUENCEs may use an indefinite length
+      # encoding, but also primitive types such as e.g. OCTET STRINGS or
+      # BIT STRINGS may leverage this functionality (cf. ITU-T X.690).
+      #
+      attr_accessor :indefinite_length
+
+      alias infinite_length indefinite_length
+      alias infinite_length= indefinite_length=
+
+      #
+      # :call-seq:
+      #    OpenSSL::ASN1::ASN1Data.new(value, tag, tag_class) => ASN1Data
+      #
+      # _value_: Please have a look at Constructive and Primitive to see how Ruby
+      # types are mapped to ASN.1 types and vice versa.
+      #
+      # _tag_: An Integer indicating the tag number.
+      #
+      # _tag_class_: A Symbol indicating the tag class. Please cf. ASN1 for
+      # possible values.
+      #
+      # == Example
+      #   asn1_int = OpenSSL::ASN1Data.new(42, 2, :UNIVERSAL) # => Same as OpenSSL::ASN1::Integer.new(42)
+      #   tagged_int = OpenSSL::ASN1Data.new(42, 0, :CONTEXT_SPECIFIC) # implicitly 0-tagged INTEGER
+      #
+      def initialize(value, tag, tag_class)
+        raise ASN1Error, "invalid tag class" unless tag_class.is_a?(Symbol)
+
+        @tag = tag
+        @value = value
+        @tag_class = tag_class
+        @indefinite_length = false
+      end
+    end
+
+    module TaggedASN1Data
+      #
+      # May be used as a hint for encoding a value either implicitly or
+      # explicitly by setting it either to +:IMPLICIT+ or to +:EXPLICIT+.
+      # _tagging_ is not set when a ASN.1 structure is parsed using
+      # OpenSSL::ASN1.decode.
+      #
+      attr_accessor :tagging
+
+      # :call-seq:
+      #    OpenSSL::ASN1::Primitive.new(value [, tag, tagging, tag_class ]) => Primitive
+      #
+      # _value_: is mandatory.
+      #
+      # _tag_: optional, may be specified for tagged values. If no _tag_ is
+      # specified, the UNIVERSAL tag corresponding to the Primitive sub-class
+      # is used by default.
+      #
+      # _tagging_: may be used as an encoding hint to encode a value either
+      # explicitly or implicitly, see ASN1 for possible values.
+      #
+      # _tag_class_: if _tag_ and _tagging_ are +nil+ then this is set to
+      # +:UNIVERSAL+ by default. If either _tag_ or _tagging_ are set then
+      # +:CONTEXT_SPECIFIC+ is used as the default. For possible values please
+      # cf. ASN1.
+      #
+      # == Example
+      #   int = OpenSSL::ASN1::Integer.new(42)
+      #   zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :IMPLICIT)
+      #   private_explicit_zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :EXPLICIT, :PRIVATE)
+      #
+      def initialize(value, tag = nil, tagging = nil, tag_class = nil)
+        tag ||= ASN1.take_default_tag(self.class)
+
+        raise ASN1Error, "must specify tag number" unless tag
+
+        if tagging
+          raise ASN1Error, "invalid tagging method" unless tagging.is_a?(Symbol)
+        end
+
+        tag_class ||= tagging ? :CONTEXT_SPECIFIC : :UNIVERSAL
+
+        raise ASN1Error, "invalid tag class" unless tag_class.is_a?(Symbol)
+
+        @tagging = tagging
+        super(value ,tag, tag_class)
+      end
+    end
+
+    class Primitive < ASN1Data
+      include TaggedASN1Data
+
+      undef_method :indefinite_length=
+      undef_method :infinite_length=
+    end
+
+    class Constructive < ASN1Data
+      include TaggedASN1Data
+      include Enumerable
+
+      # :call-seq:
+      #    asn1_ary.each { |asn1| block } => asn1_ary
+      #
+      # Calls the given block once for each element in self, passing that element
+      # as parameter _asn1_. If no block is given, an enumerator is returned
+      # instead.
+      #
+      # == Example
+      #   asn1_ary.each do |asn1|
+      #     puts asn1
+      #   end
+      #
+      def each(&blk)
+        @value.each(&blk)
+
+        self
+      end
+    end
+
+    class Boolean < Primitive ; end
+    class Integer < Primitive ; end
+    class Enumerated < Primitive ; end
+
+    class BitString < Primitive
+      attr_accessor :unused_bits
+
+      def initialize(*)
+        super
+
+        @unused_bits = 0
+      end
+    end
+
+    class EndOfContent < ASN1Data
+      def initialize
+        super("", 0, :UNIVERSAL)
+      end
+    end
+
+    # :nodoc:
+    def self.take_default_tag(klass)
+      tag = CLASS_TAG_MAP[klass]
+
+      return tag if tag
+
+      sklass = klass.superclass
+
+      return unless sklass
+
+      take_default_tag(sklass)
+    end
+  end
+end

data/lib/openssl/bn.rb

@@ -10,7 +10,7 @@
 #
 # = Licence
 # This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
+# (See the file 'COPYING'.)
 #++
 
 module OpenSSL

data/lib/openssl/buffering.rb

@@ -8,7 +8,7 @@
 #
 #= Licence
 #  This program is licensed under the same licence as Ruby.
-#  (See the file 'LICENCE'.)
+#  (See the file 'COPYING'.)
 #++
 
 ##
@@ -107,6 +107,12 @@ module OpenSSL::Buffering
     read(1)&.ord
   end
 
+  # Get the next 8bit byte. Raises EOFError on EOF
+  def readbyte
+    raise EOFError if eof?
+    getbyte
+  end
+
   ##
   # Reads _size_ bytes from the stream.  If _buf_ is provided it must
   # reference a string which will receive the data.
@@ -229,7 +235,7 @@ module OpenSSL::Buffering
   #
   # Unlike IO#gets the separator must be provided if a limit is provided.
 
-  def gets(eol=$/, limit=nil)
+  def gets(eol=$/, limit=nil, chomp: false)
     idx = @rbuffer.index(eol)
     until @eof
       break if idx
@@ -244,7 +250,11 @@ module OpenSSL::Buffering
     if size && limit && limit >= 0
       size = [size, limit].min
     end
-    consume_rbuff(size)
+    line = consume_rbuff(size)
+    if chomp && line
+      line.chomp!(eol)
+    end
+    line
   end
 
   ##
@@ -345,13 +355,18 @@ module OpenSSL::Buffering
     @wbuffer << s
     @wbuffer.force_encoding(Encoding::BINARY)
     @sync ||= false
-    if @sync or @wbuffer.size > BLOCK_SIZE
-      until @wbuffer.empty?
-        begin
-          nwrote = syswrite(@wbuffer)
-        rescue Errno::EAGAIN
-          retry
+    buffer_size = @wbuffer.size
+    if @sync or buffer_size > BLOCK_SIZE
+      nwrote = 0
+      begin
+        while nwrote < buffer_size do
+          begin
+            nwrote += syswrite(@wbuffer[nwrote, buffer_size - nwrote])
+          rescue Errno::EAGAIN
+            retry
+          end
         end
+      ensure
         @wbuffer[0, nwrote] = ""
       end
     end

data/lib/openssl/cipher.rb

@@ -9,7 +9,7 @@
 #
 # = Licence
 # This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
+# (See the file 'COPYING'.)
 #++
 
 module OpenSSL

data/lib/openssl/digest.rb

@@ -9,7 +9,7 @@
 #
 # = Licence
 # This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
+# (See the file 'COPYING'.)
 #++
 
 module OpenSSL

data/lib/openssl/marshal.rb

@@ -9,7 +9,7 @@
 #
 # = Licence
 # This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
+# (See the file 'COPYING'.)
 #++
 module OpenSSL
   module Marshal

data/lib/openssl/ssl.rb

@@ -7,7 +7,7 @@
 
 = Licence
   This program is licensed under the same licence as Ruby.
-  (See the file 'LICENCE'.)
+  (See the file 'COPYING'.)
 =end
 
 require "openssl/buffering"
@@ -22,7 +22,6 @@ module OpenSSL
   module SSL
     class SSLContext
       DEFAULT_PARAMS = { # :nodoc:
-        :min_version => OpenSSL::SSL::TLS1_VERSION,
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
         :verify_hostname => true,
         :options => -> {
@@ -55,6 +54,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
       if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
            OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
         DEFAULT_PARAMS.merge!(
+          min_version: OpenSSL::SSL::TLS1_VERSION,
           ciphers: %w{
             ECDHE-ECDSA-AES128-GCM-SHA256
             ECDHE-RSA-AES128-GCM-SHA256
@@ -125,7 +125,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
       # that this form is deprecated. New applications should use #min_version=
       # and #max_version= as necessary.
       def initialize(version = nil)
-        self.options |= OpenSSL::SSL::OP_ALL
         self.ssl_version = version if version
         self.verify_mode = OpenSSL::SSL::VERIFY_NONE
         self.verify_hostname = false
@@ -145,7 +144,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
       # used.
       def set_params(params={})
         params = DEFAULT_PARAMS.merge(params)
-        self.options = params.delete(:options) # set before min_version/max_version
+        self.options |= params.delete(:options) # set before min_version/max_version
         params.each{|name, value| self.__send__("#{name}=", value) }
         if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
           unless self.ca_file or self.ca_path or self.cert_store
@@ -252,6 +251,14 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         to_io.peeraddr
       end
 
+      def local_address
+        to_io.local_address
+      end
+
+      def remote_address
+        to_io.remote_address
+      end
+
       def setsockopt(level, optname, optval)
         to_io.setsockopt(level, optname, optval)
       end
@@ -271,6 +278,36 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
       def do_not_reverse_lookup=(flag)
         to_io.do_not_reverse_lookup = flag
       end
+
+      def close_on_exec=(value)
+        to_io.close_on_exec = value
+      end
+
+      def close_on_exec?
+        to_io.close_on_exec?
+      end
+
+      def wait(*args)
+        to_io.wait(*args)
+      end
+
+      def wait_readable(*args)
+        to_io.wait_readable(*args)
+      end
+
+      def wait_writable(*args)
+        to_io.wait_writable(*args)
+      end
+
+      if IO.method_defined?(:timeout)
+        def timeout
+          to_io.timeout
+        end
+
+        def timeout=(value)
+          to_io.timeout=(value)
+        end
+      end
     end
 
     def verify_certificate_identity(cert, hostname)
@@ -421,6 +458,32 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         nil
       end
 
+      # Close the stream for reading.
+      # This method is ignored by OpenSSL as there is no reasonable way to
+      # implement it, but exists for compatibility with IO.
+      def close_read
+        # Unsupported and ignored.
+        # Just don't read any more.
+      end
+
+      # Closes the stream for writing. The behavior of this method depends on
+      # the version of OpenSSL and the TLS protocol in use.
+      #
+      # - Sends a 'close_notify' alert to the peer.
+      # - Does not wait for the peer's 'close_notify' alert in response.
+      #
+      # In TLS 1.2 and earlier:
+      # - On receipt of a 'close_notify' alert, responds with a 'close_notify'
+      #   alert of its own and close down the connection immediately,
+      #   discarding any pending writes.
+      #
+      # Therefore, on TLS 1.2, this method will cause the connection to be
+      # completely shut down. On TLS 1.3, the connection will remain open for
+      # reading only.
+      def close_write
+        stop
+      end
+
       private
 
       def using_anon_cipher?

data/lib/openssl/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OpenSSL
-  VERSION = "3.2.0"
+  VERSION = "3.3.0"
 end

data/lib/openssl/x509.rb

@@ -9,7 +9,7 @@
 #
 # = Licence
 # This program is licensed under the same licence as Ruby.
-# (See the file 'LICENCE'.)
+# (See the file 'COPYING'.)
 #++
 
 require_relative 'marshal'
@@ -122,8 +122,8 @@ module OpenSSL
         include Helpers
 
         # Get the distributionPoint fullName URI from the certificate's CRL
-        # distribution points extension, as described in RFC5280 Section
-        # 4.2.1.13
+        # distribution points extension, as described in RFC 5280 Section
+        # 4.2.1.13.
         #
         # Returns an array of strings or nil or raises ASN1::ASN1Error.
         def crl_uris
@@ -135,19 +135,19 @@ module OpenSSL
             raise ASN1::ASN1Error, "invalid extension"
           end
 
-          crl_uris = cdp_asn1.map do |crl_distribution_point|
+          crl_uris = cdp_asn1.flat_map do |crl_distribution_point|
             distribution_point = crl_distribution_point.value.find do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
             end
             full_name = distribution_point&.value&.find do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
             end
-            full_name&.value&.find do |v|
+            full_name&.value&.select do |v|
               v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
             end
           end
 
-          crl_uris&.map(&:value)
+          crl_uris.empty? ? nil : crl_uris.map(&:value)
         end
       end
 

data/lib/openssl.rb

@@ -7,12 +7,13 @@
 
 = Licence
   This program is licensed under the same licence as Ruby.
-  (See the file 'LICENCE'.)
+  (See the file 'COPYING'.)
 =end
 
 require 'openssl.so'
 
 require_relative 'openssl/bn'
+require_relative 'openssl/asn1'
 require_relative 'openssl/pkey'
 require_relative 'openssl/cipher'
 require_relative 'openssl/digest'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.3.0
 platform: ruby
 authors:
 - Martin Bosslet
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-21 00:00:00.000000000 Z
+date: 2024-12-21 00:00:00.000000000 Z
 dependencies: []
 description: OpenSSL for Ruby provides access to SSL/TLS and general-purpose cryptography
   based on the OpenSSL library.
@@ -27,8 +27,8 @@ extra_rdoc_files:
 files:
 - BSDL
 - CONTRIBUTING.md
+- COPYING
 - History.md
-- LICENSE.txt
 - README.md
 - ext/openssl/extconf.rb
 - ext/openssl/openssl_missing.c
@@ -87,6 +87,7 @@ files:
 - ext/openssl/ossl_x509revoked.c
 - ext/openssl/ossl_x509store.c
 - lib/openssl.rb
+- lib/openssl/asn1.rb
 - lib/openssl/bn.rb
 - lib/openssl/buffering.rb
 - lib/openssl/cipher.rb
@@ -101,6 +102,7 @@ files:
 homepage: https://github.com/ruby/openssl
 licenses:
 - Ruby
+- BSD-2-Clause
 metadata:
   msys2_mingw_dependencies: openssl
 post_install_message:
@@ -120,7 +122,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: SSL/TLS and general-purpose cryptography for Ruby