RubyGems - openssl - Versions diffs - 3.2.1-java → 3.3.0-java - Mend

openssl 3.2.1-java → 3.3.0-java

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd86299b603f070897e20a870d39421abb5ac5d9c50d110b335a78bb7d4132f3
-  data.tar.gz: b84f9c3f72c59a695da35229d86c5aa5c69002723ae815689c8362f694909cbf
+  metadata.gz: 41ca3fffe70ca4744fcbcb51f952105ae9a9f7698150fe2863123ff3c840898f
+  data.tar.gz: d9e2b148027e75497bad86ff40a83709c8024ac7feaa3d14faba9243ddcbdf4c
 SHA512:
-  metadata.gz: 3df3e82e81d9437557440560679b2d7c4af842c11b6ffe80c7363cc8d32d15210535a93b98170f1d82a53d1cdfef75230c2f86237a4a5f6ad90982b660b737cc
-  data.tar.gz: 1185bf1de8276fb1937e684da35d0ee9e892b2748e9749a6b254eb1125f58887884a60870dd52161c104c086615b0262d08cdb5ac32007f705f66b5100c5cf7b
+  metadata.gz: be1b780d7c7d77876c7896dd52076d4bf0cd4e973722c70ee71d3364ae4f58c951b064f93c4846206eaba7a63e14dd3a24ac8479336de02b17b11afbabe7e021
+  data.tar.gz: 452e68dc726140723010cb85b02987d015e8c914dcd87c704248e797562a25f5a01b5ff2005169c234cc58a4ac0e6fdfa3e5576b192e2d128d8c3b98d7d996de

data/CONTRIBUTING.md CHANGED Viewed

@@ -10,7 +10,7 @@ Bugs and feature requests are tracked on [GitHub].
 If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
-["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
+["Security at ruby-lang.org"][Ruby Security].
 When reporting a bug, please make sure you include:
@@ -22,26 +22,25 @@ When reporting a bug, please make sure you include:
 There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
-[known issues].
+[known issues][Issues].
 ## Submitting patches
 Patches are also very welcome!
-Please submit a [pull request] with your changes.
+Please submit a [pull request][Compare changes] with your changes.
 Make sure that your branch does:
 * Have good commit messages
-* Follow Ruby's coding style ([DeveloperHowTo])
+* Follow Ruby's coding style ([Developer-How-To][Ruby Developer-How-To])
 * Pass the test suite successfully (see "Testing")
 ## Testing
 We have a test suite!
-Test cases are located under the
-[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
+Test cases are located under the [`test/openssl`][GitHub test/openssl]
 directory.
 You can run it with the following three commands:
@@ -54,31 +53,176 @@ $ bundle exec rake test
 ### With different versions of OpenSSL
-Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
-to pass on all supported combinations.
+Ruby OpenSSL supports various versions of the OpenSSL library. The test suite
+needs to pass on all supported combinations.
-Similarly to when installing `openssl` gem via the `gem` command,
-you can pass a `--with-openssl-dir` argument to `rake compile`
-to specify the OpenSSL library to build against.
+If you want to test, debug, report an issue, or contribute to the Ruby OpenSSL
+or [the OpenSSL project][OpenSSL] in the non-FIPS or the
+[FIPS][OpenSSL README-FIPS] case, compiling OpenSSL from the source by yourself
+is a good practice.
+The following steps are tested in Linux and GCC environment. You can adjust the
+commands in the steps for a different environment.
+To download the OpenSSL source from the Git repository, you can run the following
+commands:
+```
+$ git clone https://github.com/openssl/openssl.git
+$ cd openssl
+```
+You see the `master` branch used as a development branch. Testing against the
+latest OpenSSL master branch is a good practice to report an issue to the
+OpenSSL project.
+```
+$ git branch | grep '^*'
+* master
+```
+If you test against the latest stable branch, you can run the following command.
+In this example, the `openssl-3.1` branch is the stable branch of OpenSSL 3.1
+series.
+```
+$ git checkout openssl-3.1
+```
+To configure OpenSSL, you can run the following commands.
+In this example, we use the `OPENSSL_DIR` environment variable to specify the
+OpenSSL installed directory for convenience. Including the commit hash in the
+directory name is a good practice.
+```
+$ git rev-parse --short HEAD
+0bf18140f4
+$ OPENSSL_DIR=$HOME/.openssl/openssl-fips-debug-0bf18140f4
+```
+The following configuration options are useful in this case.
+You can check [OpenSSL installation document][OpenSSL INSTALL] for details.
+* `enable-fips`: Add an option to run with the OpenSSL FIPS module.
+* `enable-trace`: Add an option to enabling tracing log. You can trace logs by
+  implementing a code. See the man page [OSSL_TRACE(3)][OpenSSL OSSL_TRACE] for
+  details.
+* compiler flags
+  * `-Wl,-rpath,$(LIBRPATH)`: Set the runtime shared library path to run the
+    `openssl` command without the `LD_LIBRARY_PATH`. You can check
+    [this document][OpenSSL NOTES-UNIX] for details.
+  * `-O0 -g3 -ggdb3 -gdwarf-5`: You can set debugging compiler flags.
 ```
-$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
-    tar xf openssl-3.0.1.tar.gz &&
-    cd openssl-3.0.1 &&
-    ./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
-    make -j4 &&
-    make install )
+$ ./Configure \
+  --prefix=$OPENSSL_DIR \
+  --libdir=lib \
+  enable-fips \
+  enable-trace \
+  '-Wl,-rpath,$(LIBRPATH)' \
+  -O0 -g3 -ggdb3 -gdwarf-5
+$ make -j4
+$ make install
+```
+To print installed OpenSSL version, you can run the following command:
+```
+$ $OPENSSL_DIR/bin/openssl version
+OpenSSL 3.2.0-alpha3-dev  (Library: OpenSSL 3.2.0-alpha3-dev )
+```
+Change the current working directory into Ruby OpenSSL's source directory.
+To compile Ruby OpenSSL, you can run the following commands:
-$ # in Ruby/OpenSSL's source directory
+Similarly to when installing `openssl` gem via the `gem` command, you can pass a
+`--with-openssl-dir` argument to `rake compile` to specify the OpenSSL library
+ to build against.
+* `MAKEFLAGS="V=1"`: Enable the compiler command lines to print in
+  the log.
+* `RUBY_OPENSSL_EXTCFLAGS`: Set extra compiler flags to compile Ruby OpenSSL.
+```
 $ bundle exec rake clean
-$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
+$ MAKEFLAGS="V=1" \
+  RUBY_OPENSSL_EXTCFLAGS="-O0 -g3 -ggdb3 -gdwarf-5" \
+  bundle exec rake compile -- --with-openssl-dir=$OPENSSL_DIR
+```
+#### Testing normally in non-FIPS case
+To test Ruby OpenSSL, you can run the following command:
+```
 $ bundle exec rake test
 ```
-The GitHub Actions workflow file
-[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
-contains useful information for building OpenSSL/LibreSSL and testing against
-them.
+#### Testing in FIPS case
+To use OpenSSL 3.0 or later versions in a FIPS-approved manner, you must load the
+`fips` and `base` providers, and also use the property query `fips=yes`. The
+property query is used when fetching cryptographic algorithm implementations.
+This must be done at the startup of a process to avoid implicitly loading the
+`default` provider which has the non-FIPS cryptographic algorithm
+implementations. See also the man page [fips_module(7)][OpenSSL fips_module].
+You can set this in your OpenSSL configuration file by either appropriately
+modifying the default OpenSSL configuration file located at
+`OpenSSL::Config::DEFAULT_CONFIG_FILE` or temporarily overriding it with the
+`OPENSSL_CONF` environment variable.
+In this example, we explain on the latter way.
+You can create a OpenSSL FIPS config `openssl_fips.cnf` file based on the
+`openssl_fips.cnf.tmpl` file in this repository, and replacing the placeholder
+`OPENSSL_DIR` with your OpenSSL installed directory.
+```
+$ sed -e "s|OPENSSL_DIR|$OPENSSL_DIR|" tool/openssl_fips.cnf.tmpl | \
+  tee $OPENSSL_DIR/ssl/openssl_fips.cnf
+```
+You can see the base and fips providers by running the following command if you
+setup the OpenSSL FIPS config file properly.
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  $OPENSSL_DIR/bin/openssl list -providers
+Providers:
+  base
+    name: OpenSSL Base Provider
+    version: 3.2.0
+    status: active
+  fips
+    name: OpenSSL FIPS Provider
+    version: 3.2.0
+    status: active
+```
+You can run the current tests in the FIPS module case used in the GitHub
+Actions file `test.yml` explained in a later sentence.
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  bundle exec rake test_fips
+```
+You can also run the all the tests in the FIPS module case. You see many
+failures. We are working in progress to fix the failures. Your contribution is
+welcome.
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  TEST_RUBY_OPENSSL_FIPS_ENABLED=true \
+  bundle exec rake test
+```
+The GitHub Actions workflow file [`test.yml`][GitHub test.yml] contains useful
+information for building OpenSSL/LibreSSL and testing against them.
 ## Relation with Ruby source tree
@@ -103,7 +247,7 @@ security issue handling procedure for Ruby core.
 You can either use [HackerOne] or send an email to security@ruby-lang.org.
-Please see [Security] page on ruby-lang.org website for details.
+Please see [Security][Ruby Security] page on ruby-lang.org website for details.
 Reported problems will be published after a fix is released.
@@ -112,9 +256,16 @@ _Thanks for your contributions!_
   _\- The Ruby OpenSSL team_
 [GitHub]: https://github.com/ruby/openssl
-[known issues]: https://github.com/ruby/openssl/issues
-[DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
+[Issues]: https://github.com/ruby/openssl/issues
+[Compare changes]: https://github.com/ruby/openssl/compare
+[GitHub test/openssl]: https://github.com/ruby/openssl/tree/master/test/openssl
+[GitHub test.yml]: https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml
+[Ruby Developer-How-To]: https://github.com/ruby/ruby/wiki/Developer-How-To
+[Ruby Security]: https://www.ruby-lang.org/en/security/
 [HackerOne]: https://hackerone.com/ruby
-[Security]: https://www.ruby-lang.org/en/security/
-[pull request]: https://github.com/ruby/openssl/compare
-[History.md]: https://github.com/ruby/openssl/tree/master/History.md
+[OpenSSL]: https://www.openssl.org/
+[OpenSSL INSTALL]: https://github.com/openssl/openssl/blob/master/INSTALL.md
+[OpenSSL README-FIPS]: https://github.com/openssl/openssl/blob/master/README-FIPS.md
+[OpenSSL NOTES-UNIX]: https://github.com/openssl/openssl/blob/master/NOTES-UNIX.md
+[OpenSSL OSSL_TRACE]: https://www.openssl.org/docs/manmaster/man3/OSSL_TRACE.html
+[OpenSSL fips_module]: https://www.openssl.org/docs/manmaster/man7/fips_module.html

data/History.md CHANGED Viewed

@@ -1,3 +1,79 @@
+Version 3.3.0
+=============
+Compatibility
+-------------
+* Ruby version: 2.7 or later
+* OpenSSL version: OpenSSL 1.0.2 or later, and LibreSSL 3.1 or later
+Notable changes
+---------------
+* `OpenSSL::SSL`
+  - `OpenSSL::SSL::SSLSocket#set_params` no longer sets `#min_version=` to TLS
+    1.0 except when OpenSSL 1.0.2 is used. This has been done to disable
+    SSL 3.0, which is not supported by default in OpenSSL 1.1.0 or later, or in
+    LibreSSL. This lets it respect the system default if the system-wide
+    configuration file specifies a higher minimum protocol version.
+    [[GitHub #710]](https://github.com/ruby/openssl/pull/710)
+  - `OpenSSL::SSL::SSLSocket.new` no longer enables the `OpenSSL::SSL::OP_ALL`
+    SSL options by default and follows the system default.
+    [[GitHub #767]](https://github.com/ruby/openssl/pull/767)
+  - Add the following IO methods to `OpenSSL::SSL::SSLSocket`, which will pass
+    along to the underlying socket: `#local_address`, `#remote_address`,
+    `#close_on_exec=`, `#close_on_exec?`, `#wait`, `#wait_readable`, and
+    `#wait_writable`.
+    [[GitHub #708]](https://github.com/ruby/openssl/pull/708)
+  - Update `OpenSSL::SSL::SSLSocket#gets` to take the `chomp` keyword argument.
+    [[GitHub #708]](https://github.com/ruby/openssl/pull/708)
+  - Make `OpenSSL::SSL::SSLSocket` respect the `IO#timeout` value of the
+    underlying socket on Ruby 3.2 or later. `#timeout` and `#timeout=` methods
+    are also added.
+    [[GitHub #714]](https://github.com/ruby/openssl/pull/714)
+  - Add `OpenSSL::SSL::SSLSocket#close_read` and `#close_write`.
+    [[GitHub #743]](https://github.com/ruby/openssl/pull/743)
+  - Add `OpenSSL::Digest.digests` to get a list of all available digest
+    algorithms.
+    [[GitHub #726]](https://github.com/ruby/openssl/pull/726)
+  - Fix `OpenSSL::SSL::SSLSocket#read_nonblock` clearing the passed String
+    buffer when nothing can be read from the connection.
+    [[GitHub #739]](https://github.com/ruby/openssl/pull/739)
+* Add `#to_text` methods to `OpenSSL::Timestamp::Response`,
+  `OpenSSL::Timestamp::Request`, `OpenSSL::Timestamp::TokenInfo`, and
+  `OpenSSL::PKCS7` to get a human-readable representation of the object.
+  [[GitHub #756]](https://github.com/ruby/openssl/pull/756)
+* Add `OpenSSL::X509::Certificate#tbs_bytes` to get the DER encoding of the
+  TBSCertificate.
+  [[GitHub #753]](https://github.com/ruby/openssl/pull/753)
+* Allow passing `nil` as the digest algorithm to `#sign` methods on
+  `OpenSSL::X509::Certificate`, `OpenSSL::X509::Request`, and
+  `OpenSSL::X509::CRL`. This adds supports for signing with EdDSA keys.
+  [[GitHub #761]](https://github.com/ruby/openssl/pull/761)
+  [[GitHub #804]](https://github.com/ruby/openssl/pull/804)
+* Add `OpenSSL::SSL::SSLSocket#readbyte`.
+  [[GitHub #771]](https://github.com/ruby/openssl/pull/771)
+* Change `OpenSSL::X509::Store#time=` to set the time to the `X509_VERIFY_PARAM`
+  in the `X509_STORE`. This allows `OpenSSL::Timestamp::Response#verify` to
+  verify a signature with the specified timestamp.
+  [[GitHub #770]](https://github.com/ruby/openssl/pull/770)
+* Make `OpenSSL::PKCS7.encrypt`'s third parameter `cipher` mandatory. It had
+  an undocumented default value "RC2-40-CBC", which is not only insecure, but
+  also not supported in OpenSSL 3.0 or later.
+  [[GitHub #796]](https://github.com/ruby/openssl/pull/796)
+* Make `OpenSSL::BN` shareable between ractors when frozen.
+  [[GitHub #808]](https://github.com/ruby/openssl/pull/808)
+* Make `OpenSSL::Config` instances frozen by default, and make it shareable
+  between ractors. `OpenSSL::Config::DEFAULT_CONFIG_FILE` is also frozen.
+  [[GitHub #809]](https://github.com/ruby/openssl/pull/809)
+* Add `OpenSSL::PKCS12#set_mac` to configure the MAC parameters and recalculate
+  a MAC for the content.
+  [[GitHub #788]](https://github.com/ruby/openssl/pull/788)
+And various non-user-visible changes and bug fixes. Please see the commit
+history for more details.
 Version 3.2.1
 =============

data/README.md CHANGED Viewed

@@ -18,10 +18,11 @@ included as a default gem in [supported Ruby branches][Ruby Maintenance Branches
 |Version|Maintenance status             |Ruby compatibility|OpenSSL compatibility                       |
 |-------|-------------------------------|------------------|--------------------------------------------|
-|3.2.x  |normal maintenance (Ruby 3.3)  |Ruby 2.7+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|3.1.x  |normal maintenance (Ruby 3.2)  |Ruby 2.6+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|3.0.x  |normal maintenance (Ruby 3.1)  |Ruby 2.6+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|2.2.x  |security maintenance (Ruby 3.0)|Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+        |
+|3.3.x  |normal maintenance (Ruby 3.4)  |Ruby 2.7+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.2.x  |normal maintenance (Ruby 3.3)  |Ruby 2.7+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.1.x  |normal maintenance (Ruby 3.2)  |Ruby 2.6+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.0.x  |security maintenance (Ruby 3.1)|Ruby 2.6+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|2.2.x  |end-of-life (Ruby 3.0)         |Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+        |
 |2.1.x  |end-of-life (Ruby 2.5-2.7)     |Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.5+        |
 |2.0.x  |end-of-life (Ruby 2.4)         |Ruby 2.3+         |OpenSSL 0.9.8-1.1.1 or LibreSSL 2.3+        |
@@ -32,8 +33,7 @@ included as a default gem in [supported Ruby branches][Ruby Maintenance Branches
 > **Note**
 > The openssl gem is included with Ruby by default, but you may wish to upgrade
-> it to a newer version available at
-> [rubygems.org](https://rubygems.org/gems/openssl).
+> it to a newer version available at [rubygems.org][RubyGems.org openssl].
 To upgrade it, you can use RubyGems:
@@ -59,6 +59,8 @@ gem 'openssl', git: 'https://github.com/ruby/openssl'
 After running `bundle install`, you should have the gem installed in your bundle.
+[RubyGems.org openssl]: https://rubygems.org/gems/openssl
 ## Usage
 Once installed, you can require "openssl" in your application.
@@ -80,4 +82,6 @@ Please read our [CONTRIBUTING.md] for instructions.
 ## Security
 Security issues should be reported to ruby-core by following the process
-described on ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
+described on ["Security at ruby-lang.org"][Security].
+[Security]: https://www.ruby-lang.org/en/security/

metadata CHANGED Viewed

@@ -1,25 +1,24 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 3.3.0
 platform: java
 authors:
 - Martin Bosslet
 - SHIBATA Hiroshi
 - Zachary Scott
 - Kazuki Yamaguchi
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-18 00:00:00.000000000 Z
+date: 2024-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: jruby-openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.14'
-  name: jruby-openssl
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -44,9 +43,9 @@ files:
 homepage: https://github.com/ruby/openssl
 licenses:
 - Ruby
+- BSD-2-Clause
 metadata:
   msys2_mingw_dependencies: openssl
-post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -63,8 +62,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.6.1
 specification_version: 4
 summary: SSL/TLS and general-purpose cryptography for Ruby
 test_files: []