openssl 2.0.5 → 2.0.6

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of openssl might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 5a6ee994e4089dd195689cf471c593fa31787cdb
4
- data.tar.gz: 7eeb660f5b68abf40b755d65c8c6d3e1033d98c3
3
+ metadata.gz: ff180f09fe084e079637b8a469304bb0f8fb1659
4
+ data.tar.gz: 459612fe58c8eff068a64cd3fa31bf7624ad2232
5
5
  SHA512:
6
- metadata.gz: a3369fcdbdb7799641c6ff5f2d4fa5ae8613ebb74c0791ba6e1a6fd0bab1d075f30bb27006b63335d3ab793ef90ffd9db15ba6595e7f26d38784cfd5b36e452e
7
- data.tar.gz: 42fc88ebab1692afa7bb178589aba6177c562841a2159cc404582fbf1ab31d4c6508aac014db44eb1a27b7d5e2e259eb202b7519ece33f2c1a068068028993d0
6
+ metadata.gz: 15303d9a24b3dd47ca0fa5bc49f95d33535f9d085eb08e610cb18765e022351623b325a3a70b6c8386a0ec986b53968a121b66521533552f9adef91c330aa326
7
+ data.tar.gz: 6d2f286a4b3cfcea4d7a71c4962b30e2050a81ce3bfef6abf51381d1299401199ce3b96651f2e77fb53e4595648fd90234cf1ae9617f04a0b464a9104c8ece2c
data/History.md CHANGED
@@ -1,3 +1,23 @@
1
+ Version 2.0.6
2
+ =============
3
+
4
+ Bug fixes
5
+ ---------
6
+
7
+ * The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
8
+ during GC.
9
+ * A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
10
+ [[GitHub #139]](https://github.com/ruby/openssl/pull/139)
11
+ * OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
12
+ [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
13
+ * OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
14
+ destination buffer String to 0 on error.
15
+ [[GitHub #153]](https://github.com/ruby/openssl/pull/153)
16
+ * Possible deadlock is fixed. This happened only when built with older versions
17
+ of OpenSSL (before 1.1.0) or LibreSSL.
18
+ [[GitHub #155]](https://github.com/ruby/openssl/pull/155)
19
+
20
+
1
21
  Version 2.0.5
2
22
  =============
3
23
 
@@ -414,44 +414,123 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
414
414
  #endif
415
415
  }
416
416
 
417
+ #if defined(OSSL_DEBUG)
418
+ #if !defined(LIBRESSL_VERSION_NUMBER) && \
419
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
420
+ defined(CRYPTO_malloc_debug_init))
421
+ /*
422
+ * call-seq:
423
+ * OpenSSL.mem_check_start -> nil
424
+ *
425
+ * Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory
426
+ * allocations. See also OpenSSL.print_mem_leaks.
427
+ *
428
+ * This is available only when built with a capable OpenSSL and --enable-debug
429
+ * configure option.
430
+ */
431
+ static VALUE
432
+ mem_check_start(VALUE self)
433
+ {
434
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
435
+ return Qnil;
436
+ }
437
+
438
+ /*
439
+ * call-seq:
440
+ * OpenSSL.print_mem_leaks -> true | false
441
+ *
442
+ * For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr).
443
+ * Prints detected memory leaks to standard error. This cleans the global state
444
+ * up thus you cannot use any methods of the library after calling this.
445
+ *
446
+ * Returns true if leaks detected, false otherwise.
447
+ *
448
+ * This is available only when built with a capable OpenSSL and --enable-debug
449
+ * configure option.
450
+ *
451
+ * === Example
452
+ * OpenSSL.mem_check_start
453
+ * NOT_GCED = OpenSSL::PKey::RSA.new(256)
454
+ *
455
+ * END {
456
+ * GC.start
457
+ * OpenSSL.print_mem_leaks # will print the leakage
458
+ * }
459
+ */
460
+ static VALUE
461
+ print_mem_leaks(VALUE self)
462
+ {
463
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000
464
+ int ret;
465
+ #endif
466
+
467
+ BN_CTX_free(ossl_bn_ctx);
468
+ ossl_bn_ctx = NULL;
469
+
470
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000
471
+ ret = CRYPTO_mem_leaks_fp(stderr);
472
+ if (ret < 0)
473
+ ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
474
+ return ret ? Qfalse : Qtrue;
475
+ #else
476
+ CRYPTO_mem_leaks_fp(stderr);
477
+ return Qnil;
478
+ #endif
479
+ }
480
+ #endif
481
+ #endif
482
+
417
483
  #if !defined(HAVE_OPENSSL_110_THREADING_API)
418
484
  /**
419
485
  * Stores locks needed for OpenSSL thread safety
420
486
  */
421
- static rb_nativethread_lock_t *ossl_locks;
487
+ struct CRYPTO_dynlock_value {
488
+ rb_nativethread_lock_t lock;
489
+ rb_nativethread_id_t owner;
490
+ size_t count;
491
+ };
422
492
 
423
493
  static void
424
- ossl_lock_unlock(int mode, rb_nativethread_lock_t *lock)
494
+ ossl_lock_init(struct CRYPTO_dynlock_value *l)
425
495
  {
426
- if (mode & CRYPTO_LOCK) {
427
- rb_nativethread_lock_lock(lock);
428
- } else {
429
- rb_nativethread_lock_unlock(lock);
430
- }
496
+ rb_nativethread_lock_initialize(&l->lock);
497
+ l->count = 0;
431
498
  }
432
499
 
433
500
  static void
434
- ossl_lock_callback(int mode, int type, const char *file, int line)
501
+ ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l)
435
502
  {
436
- ossl_lock_unlock(mode, &ossl_locks[type]);
503
+ if (mode & CRYPTO_LOCK) {
504
+ /* TODO: rb_nativethread_id_t is not necessarily compared with ==. */
505
+ rb_nativethread_id_t tid = rb_nativethread_self();
506
+ if (l->count && l->owner == tid) {
507
+ l->count++;
508
+ return;
509
+ }
510
+ rb_nativethread_lock_lock(&l->lock);
511
+ l->owner = tid;
512
+ l->count = 1;
513
+ } else {
514
+ if (!--l->count)
515
+ rb_nativethread_lock_unlock(&l->lock);
516
+ }
437
517
  }
438
518
 
439
- struct CRYPTO_dynlock_value {
440
- rb_nativethread_lock_t lock;
441
- };
442
-
443
519
  static struct CRYPTO_dynlock_value *
444
520
  ossl_dyn_create_callback(const char *file, int line)
445
521
  {
446
- struct CRYPTO_dynlock_value *dynlock = (struct CRYPTO_dynlock_value *)OPENSSL_malloc((int)sizeof(struct CRYPTO_dynlock_value));
447
- rb_nativethread_lock_initialize(&dynlock->lock);
522
+ /* Do not use xmalloc() here, since it may raise NoMemoryError */
523
+ struct CRYPTO_dynlock_value *dynlock =
524
+ OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value));
525
+ if (dynlock)
526
+ ossl_lock_init(dynlock);
448
527
  return dynlock;
449
528
  }
450
529
 
451
530
  static void
452
531
  ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
453
532
  {
454
- ossl_lock_unlock(mode, &l->lock);
533
+ ossl_lock_unlock(mode, l);
455
534
  }
456
535
 
457
536
  static void
@@ -475,21 +554,22 @@ static unsigned long ossl_thread_id(void)
475
554
  }
476
555
  #endif
477
556
 
557
+ static struct CRYPTO_dynlock_value *ossl_locks;
558
+
559
+ static void
560
+ ossl_lock_callback(int mode, int type, const char *file, int line)
561
+ {
562
+ ossl_lock_unlock(mode, &ossl_locks[type]);
563
+ }
564
+
478
565
  static void Init_ossl_locks(void)
479
566
  {
480
567
  int i;
481
568
  int num_locks = CRYPTO_num_locks();
482
569
 
483
- if ((unsigned)num_locks >= INT_MAX / (int)sizeof(VALUE)) {
484
- rb_raise(rb_eRuntimeError, "CRYPTO_num_locks() is too big: %d", num_locks);
485
- }
486
- ossl_locks = (rb_nativethread_lock_t *) OPENSSL_malloc(num_locks * (int)sizeof(rb_nativethread_lock_t));
487
- if (!ossl_locks) {
488
- rb_raise(rb_eNoMemError, "CRYPTO_num_locks() is too big: %d", num_locks);
489
- }
490
- for (i = 0; i < num_locks; i++) {
491
- rb_nativethread_lock_initialize(&ossl_locks[i]);
492
- }
570
+ ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks);
571
+ for (i = 0; i < num_locks; i++)
572
+ ossl_lock_init(&ossl_locks[i]);
493
573
 
494
574
  #ifdef HAVE_CRYPTO_THREADID_PTR
495
575
  CRYPTO_THREADID_set_callback(ossl_threadid_func);
@@ -1114,15 +1194,40 @@ Init_openssl(void)
1114
1194
  Init_ossl_ocsp();
1115
1195
  Init_ossl_engine();
1116
1196
  Init_ossl_asn1();
1117
- }
1118
1197
 
1119
1198
  #if defined(OSSL_DEBUG)
1120
- /*
1121
- * Check if all symbols are OK with 'make LDSHARED=gcc all'
1122
- */
1123
- int
1124
- main(int argc, char *argv[])
1125
- {
1126
- return 0;
1199
+ /*
1200
+ * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug
1201
+ */
1202
+ #if !defined(LIBRESSL_VERSION_NUMBER) && \
1203
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
1204
+ defined(CRYPTO_malloc_debug_init))
1205
+ rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0);
1206
+ rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0);
1207
+
1208
+ #if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */
1209
+ CRYPTO_malloc_debug_init();
1210
+ #endif
1211
+
1212
+ #if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */
1213
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
1214
+ #endif
1215
+
1216
+ #if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */
1217
+ {
1218
+ int i;
1219
+ /*
1220
+ * See crypto/ex_data.c; call def_get_class() immediately to avoid
1221
+ * allocations. 15 is the maximum number that is used as the class index
1222
+ * in OpenSSL 1.0.2.
1223
+ */
1224
+ for (i = 0; i <= 15; i++) {
1225
+ if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0)
1226
+ rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for "
1227
+ "class index %d failed", i);
1228
+ }
1229
+ }
1230
+ #endif
1231
+ #endif
1232
+ #endif
1127
1233
  }
1128
- #endif /* OSSL_DEBUG */
@@ -953,7 +953,7 @@ ossl_bn_hash(VALUE self)
953
953
  ossl_raise(eBNError, NULL);
954
954
  }
955
955
 
956
- hash = INT2FIX(rb_memhash(buf, len));
956
+ hash = ST2FIX(rb_memhash(buf, len));
957
957
  xfree(buf);
958
958
 
959
959
  return hash;
@@ -631,13 +631,11 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
631
631
  * call-seq:
632
632
  * cipher.auth_tag = string -> string
633
633
  *
634
- * Sets the authentication tag to verify the contents of the
635
- * ciphertext. The tag must be set after calling Cipher#decrypt,
636
- * Cipher#key= and Cipher#iv=, but before assigning the associated
637
- * authenticated data using Cipher#auth_data= and of course, before
638
- * decrypting any of the ciphertext. After all decryption is
639
- * performed, the tag is verified automatically in the call to
640
- * Cipher#final.
634
+ * Sets the authentication tag to verify the integrity of the ciphertext.
635
+ * This can be called only when the cipher supports AE. The tag must be set
636
+ * after calling Cipher#decrypt, Cipher#key= and Cipher#iv=, but before
637
+ * calling Cipher#final. After all decryption is performed, the tag is
638
+ * verified automatically in the call to Cipher#final.
641
639
  *
642
640
  * For OCB mode, the tag length must be supplied with #auth_tag_len=
643
641
  * beforehand.
@@ -476,6 +476,13 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
476
476
  void *ptr;
477
477
  int state = 0;
478
478
 
479
+ /*
480
+ * This callback is also called for all sessions in the internal store
481
+ * when SSL_CTX_free() is called.
482
+ */
483
+ if (rb_during_gc())
484
+ return;
485
+
479
486
  OSSL_Debug("SSL SESSION remove callback entered");
480
487
 
481
488
  if ((ptr = SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_ptr_idx)) == NULL)
@@ -1681,22 +1688,26 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1681
1688
  }
1682
1689
 
1683
1690
  ilen = NUM2INT(len);
1684
- if(NIL_P(str)) str = rb_str_new(0, ilen);
1685
- else{
1686
- StringValue(str);
1687
- rb_str_modify(str);
1688
- rb_str_resize(str, ilen);
1691
+ if (NIL_P(str))
1692
+ str = rb_str_new(0, ilen);
1693
+ else {
1694
+ StringValue(str);
1695
+ if (RSTRING_LEN(str) >= ilen)
1696
+ rb_str_modify(str);
1697
+ else
1698
+ rb_str_modify_expand(str, ilen - RSTRING_LEN(str));
1689
1699
  }
1690
- if(ilen == 0) return str;
1700
+ OBJ_TAINT(str);
1701
+ rb_str_set_len(str, 0);
1702
+ if (ilen == 0)
1703
+ return str;
1691
1704
 
1692
1705
  GetSSL(self, ssl);
1693
1706
  io = rb_attr_get(self, id_i_io);
1694
1707
  GetOpenFile(io, fptr);
1695
1708
  if (ssl_started(ssl)) {
1696
- if(!nonblock && SSL_pending(ssl) <= 0)
1697
- rb_thread_wait_fd(FPTR_TO_FD(fptr));
1698
1709
  for (;;){
1699
- nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1710
+ nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
1700
1711
  switch(ssl_get_error(ssl, nread)){
1701
1712
  case SSL_ERROR_NONE:
1702
1713
  goto end;
@@ -1746,8 +1757,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1746
1757
 
1747
1758
  end:
1748
1759
  rb_str_set_len(str, nread);
1749
- OBJ_TAINT(str);
1750
-
1751
1760
  return str;
1752
1761
  }
1753
1762
 
@@ -10,6 +10,6 @@
10
10
  #if !defined(_OSSL_VERSION_H_)
11
11
  #define _OSSL_VERSION_H_
12
12
 
13
- #define OSSL_VERSION "2.0.5"
13
+ #define OSSL_VERSION "2.0.6"
14
14
 
15
15
  #endif /* _OSSL_VERSION_H_ */
@@ -15,9 +15,15 @@
15
15
 
16
16
  #define FPTR_TO_FD(fptr) ((fptr)->fd)
17
17
 
18
+ /* Ruby 2.4 */
18
19
  #ifndef RB_INTEGER_TYPE_P
19
- /* for Ruby 2.3 compatibility */
20
- #define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
20
+ # define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
21
+ #endif
22
+
23
+ /* Ruby 2.5 */
24
+ #ifndef ST2FIX
25
+ # define RB_ST2FIX(h) LONG2FIX((long)(h))
26
+ # define ST2FIX(h) RB_ST2FIX(h)
21
27
  #endif
22
28
 
23
29
  #endif /* _OSSL_RUBY_MISSING_H_ */
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.5
4
+ version: 2.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Martin Bosslet
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2017-08-08 00:00:00.000000000 Z
14
+ date: 2017-09-24 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: rake
@@ -77,8 +77,8 @@ extensions:
77
77
  - ext/openssl/extconf.rb
78
78
  extra_rdoc_files:
79
79
  - CONTRIBUTING.md
80
- - History.md
81
80
  - README.md
81
+ - History.md
82
82
  files:
83
83
  - BSDL
84
84
  - CONTRIBUTING.md
@@ -172,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
172
172
  version: '0'
173
173
  requirements: []
174
174
  rubyforge_project:
175
- rubygems_version: 2.6.12
175
+ rubygems_version: 2.6.13
176
176
  signing_key:
177
177
  specification_version: 4
178
178
  summary: OpenSSL provides SSL, TLS and general purpose cryptography.