Commit fe805d67 authored by Antonio Terceiro's avatar Antonio Terceiro

New upstream version 2.0.5

parent 04f2764a
Version 2.0.5
=============
Bug fixes
---------
* Reading a PEM/DER-encoded private key or certificate from an IO object did
not work properly on mswin platforms.
[[ruby/openssl#128]](https://github.com/ruby/openssl/issues/128)
* Broken length check in the PEM passphrase callback is fixed.
* It failed to compile when OpenSSL is configured without TLS 1.0 support.
Version 2.0.4
=============
......
......@@ -34,8 +34,13 @@ task :install_dependencies do
gemspec = eval(File.read("openssl.gemspec"))
gemspec.development_dependencies.each do |dep|
print "Installing #{dep.name} (#{dep.requirement}) ... "
gem = Gem.install(dep.name, dep.requirement, force: true)
puts "#{gem[0].version}"
installed = dep.matching_specs
if installed.empty?
installed = Gem.install(dep.name, dep.requirement)
puts "#{installed[0].version}"
else
puts "(found #{installed[0].version})"
end
end
end
......
---
clone_depth: 10
install:
- SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
- appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.2j-x64-windows.tar.lzma
- 7z e openssl-1.0.2j-x64-windows.tar.lzma
- 7z x -y -oC:\Ruby%ruby_version% openssl-1.0.2j-x64-windows.tar
- ruby -S rake install_dependencies
- ps: |
$Env:PATH = "C:\Ruby${Env:ruby_version}\bin;${Env:PATH}"
if ($Env:ruby_version -match "^23" ) {
# RubyInstaller; download OpenSSL headers from OpenKnapsack Project
$Env:openssl_dir = "C:\Ruby${Env:ruby_version}"
appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.2j-x64-windows.tar.lzma
7z e openssl-1.0.2j-x64-windows.tar.lzma
7z x -y -oC:\Ruby${Env:ruby_version} openssl-1.0.2j-x64-windows.tar
} else {
# RubyInstaller2; openssl package seems to be installed already
$Env:openssl_dir = "C:\msys64\mingw64"
}
- ruby -v
- openssl version
- rake install_dependencies
build_script:
- rake -rdevkit compile -- --with-openssl-dir=C:\Ruby%ruby_version%
- rake -rdevkit compile -- --with-openssl-dir=%openssl_dir%
test_script:
- rake test
deploy: off
environment:
matrix:
- ruby_version: "23-x64"
- ruby_version: "23-x64" # RI
- ruby_version: "24-x64" # RI2
......@@ -109,14 +109,10 @@ end
Logging::message "=== Checking for OpenSSL features... ===\n"
# compile options
# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols
# exist even if compiled with no-ssl2 or no-ssl3-method.
unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h")
have_func("SSLv2_method")
end
unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h")
have_func("SSLv3_method")
end
# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
# like OPENSSL_NO_SSL2 may not be defined.
have_func("SSLv2_method")
have_func("SSLv3_method")
have_func("TLSv1_1_method")
have_func("TLSv1_2_method")
have_func("RAND_egd")
......
......@@ -129,13 +129,6 @@ ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
/*
* our default PEM callback
*/
/*
* OpenSSL requires passwords for PEM-encoded files to be at least four
* characters long. See crypto/pem/pem_lib.c (as of 1.0.2h)
*/
#define OSSL_MIN_PWD_LEN 4
VALUE
ossl_pem_passwd_value(VALUE pass)
{
......@@ -144,8 +137,6 @@ ossl_pem_passwd_value(VALUE pass)
StringValue(pass);
if (RSTRING_LEN(pass) < OSSL_MIN_PWD_LEN)
ossl_raise(eOSSLError, "password must be at least %d bytes", OSSL_MIN_PWD_LEN);
/* PEM_BUFSIZE is currently used as the second argument of pem_password_cb,
* that is +max_len+ of ossl_pem_passwd_cb() */
if (RSTRING_LEN(pass) > PEM_BUFSIZE)
......@@ -157,11 +148,10 @@ ossl_pem_passwd_value(VALUE pass)
static VALUE
ossl_pem_passwd_cb0(VALUE flag)
{
VALUE pass;
pass = rb_yield(flag);
SafeStringValue(pass);
VALUE pass = rb_yield(flag);
if (NIL_P(pass))
return Qnil;
StringValue(pass);
return pass;
}
......@@ -178,7 +168,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
* bytes silently if the input is over 1024 bytes */
if (RB_TYPE_P(pass, T_STRING)) {
len = RSTRING_LEN(pass);
if (len >= OSSL_MIN_PWD_LEN && len <= max_len) {
if (len <= max_len) {
memcpy(buf, RSTRING_PTR(pass), len);
return (int)len;
}
......@@ -204,11 +194,9 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
rb_set_errinfo(Qnil);
return -1;
}
if (NIL_P(pass))
return -1;
len = RSTRING_LEN(pass);
if (len < OSSL_MIN_PWD_LEN) {
rb_warning("password must be at least %d bytes", OSSL_MIN_PWD_LEN);
continue;
}
if (len > max_len) {
rb_warning("password must not be longer than %d bytes", max_len);
continue;
......
......@@ -10,48 +10,21 @@
#include "ossl.h"
BIO *
ossl_obj2bio(VALUE obj)
ossl_obj2bio(volatile VALUE *pobj)
{
VALUE obj = *pobj;
BIO *bio;
if (RB_TYPE_P(obj, T_FILE)) {
rb_io_t *fptr;
FILE *fp;
int fd;
GetOpenFile(obj, fptr);
rb_io_check_readable(fptr);
if ((fd = rb_cloexec_dup(FPTR_TO_FD(fptr))) < 0){
rb_sys_fail(0);
}
rb_update_max_fd(fd);
if (!(fp = fdopen(fd, "r"))){
int e = errno;
close(fd);
rb_syserr_fail(e, 0);
}
if (!(bio = BIO_new_fp(fp, BIO_CLOSE))){
fclose(fp);
ossl_raise(eOSSLError, NULL);
}
}
else {
StringValue(obj);
bio = BIO_new_mem_buf(RSTRING_PTR(obj), RSTRING_LENINT(obj));
if (!bio) ossl_raise(eOSSLError, NULL);
}
if (RB_TYPE_P(obj, T_FILE))
obj = rb_funcallv(obj, rb_intern("read"), 0, NULL);
StringValue(obj);
bio = BIO_new_mem_buf(RSTRING_PTR(obj), RSTRING_LENINT(obj));
if (!bio)
ossl_raise(eOSSLError, "BIO_new_mem_buf");
*pobj = obj;
return bio;
}
BIO *
ossl_protect_obj2bio(VALUE obj, int *status)
{
BIO *ret = NULL;
ret = (BIO*)rb_protect((VALUE (*)(VALUE))ossl_obj2bio, obj, status);
return ret;
}
VALUE
ossl_membio2str0(BIO *bio)
{
......
......@@ -10,8 +10,7 @@
#if !defined(_OSSL_BIO_H_)
#define _OSSL_BIO_H_
BIO *ossl_obj2bio(VALUE);
BIO *ossl_protect_obj2bio(VALUE,int*);
BIO *ossl_obj2bio(volatile VALUE *);
VALUE ossl_membio2str0(BIO*);
VALUE ossl_membio2str(BIO*);
VALUE ossl_protect_membio2str(BIO*,int*);
......
......@@ -41,7 +41,7 @@ DupConfigPtr(VALUE obj)
OSSL_Check_Kind(obj, cConfig);
str = rb_funcall(obj, rb_intern("to_s"), 0);
bio = ossl_obj2bio(str);
bio = ossl_obj2bio(&str);
conf = NCONF_new(NULL);
if(!conf){
BIO_free(bio);
......
......@@ -178,7 +178,7 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) return self;
passphrase = NIL_P(pass) ? NULL : StringValueCStr(pass);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
d2i_PKCS12_bio(in, &pkcs);
DATA_PTR(self) = pkcs;
BIO_free(in);
......
......@@ -209,7 +209,7 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
VALUE ret, data;
ret = NewPKCS7(cPKCS7);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
out = NULL;
pkcs7 = SMIME_read_PKCS7(in, &out);
BIO_free(in);
......@@ -241,7 +241,7 @@ ossl_pkcs7_s_write_smime(int argc, VALUE *argv, VALUE klass)
SafeGetPKCS7(pkcs7, p7);
if(!NIL_P(data) && PKCS7_is_detached(p7))
flg |= PKCS7_DETACHED;
in = NIL_P(data) ? NULL : ossl_obj2bio(data);
in = NIL_P(data) ? NULL : ossl_obj2bio(&data);
if(!(out = BIO_new(BIO_s_mem()))){
BIO_free(in);
ossl_raise(ePKCS7Error, NULL);
......@@ -278,7 +278,7 @@ ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
ret = NewPKCS7(cPKCS7);
in = ossl_obj2bio(data);
in = ossl_obj2bio(&data);
if(NIL_P(certs)) x509s = NULL;
else{
x509s = ossl_protect_x509_ary2sk(certs, &status);
......@@ -334,7 +334,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
else ciph = GetCipherPtr(cipher); /* NO NEED TO DUP */
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
ret = NewPKCS7(cPKCS7);
in = ossl_obj2bio(data);
in = ossl_obj2bio(&data);
x509s = ossl_protect_x509_ary2sk(certs, &status);
if(status){
BIO_free(in);
......@@ -385,7 +385,7 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "01", &arg) == 0)
return self;
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL);
if (!p7) {
OSSL_BIO_reset(in);
......@@ -777,7 +777,7 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
in = NIL_P(indata) ? NULL : ossl_obj2bio(&indata);
if(NIL_P(certs)) x509s = NULL;
else{
x509s = ossl_protect_x509_ary2sk(certs, &status);
......@@ -844,7 +844,7 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
ossl_raise(ePKCS7Error, NULL);
}
in = ossl_obj2bio(data);
in = ossl_obj2bio(&data);
if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
for(;;){
if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
......
......@@ -144,7 +144,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
rb_scan_args(argc, argv, "11", &data, &pass);
pass = ossl_pem_passwd_value(pass);
bio = ossl_obj2bio(data);
bio = ossl_obj2bio(&data);
if (!(pkey = d2i_PrivateKey_bio(bio, NULL))) {
OSSL_BIO_reset(bio);
if (!(pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, (void *)pass))) {
......
......@@ -222,7 +222,7 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
}
else {
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
if (!dh){
OSSL_BIO_reset(in);
......
......@@ -229,7 +229,7 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
else {
pass = ossl_pem_passwd_value(pass);
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);
if (!dsa) {
OSSL_BIO_reset(in);
......
......@@ -217,7 +217,7 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
BIO *in;
pass = ossl_pem_passwd_value(pass);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
ec = PEM_read_bio_ECPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);
if (!ec) {
......@@ -775,7 +775,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
if ((group = EC_GROUP_dup(arg1_group)) == NULL)
ossl_raise(eEC_GROUP, "EC_GROUP_dup");
} else {
BIO *in = ossl_obj2bio(arg1);
BIO *in = ossl_obj2bio(&arg1);
group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
if (!group) {
......@@ -1381,7 +1381,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
point = EC_POINT_bn2point(group, bn, NULL, ossl_bn_ctx);
} else {
BIO *in = ossl_obj2bio(arg1);
BIO *in = ossl_obj2bio(&arg1);
/* BUG: finish me */
......
......@@ -236,7 +236,7 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
else {
pass = ossl_pem_passwd_value(pass);
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);
if (!rsa) {
OSSL_BIO_reset(in);
......
......@@ -65,17 +65,19 @@ static const struct {
{ #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
{ #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
#endif
#if defined(HAVE_SSLV2_METHOD)
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD)
OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
#endif
#if defined(HAVE_SSLV3_METHOD)
#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD)
OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
#endif
#if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)
OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
#if defined(HAVE_TLSV1_1_METHOD)
#endif
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) && defined(HAVE_TLSV1_1_METHOD)
OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
#endif
#if defined(HAVE_TLSV1_2_METHOD)
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) && defined(HAVE_TLSV1_2_METHOD)
OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
#endif
OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
......
......@@ -49,7 +49,7 @@ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
if ((ctx = SSL_get1_session(ssl)) == NULL)
ossl_raise(eSSLSession, "no session available");
} else {
BIO *in = ossl_obj2bio(arg1);
BIO *in = ossl_obj2bio(&arg1);
ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
......
......@@ -10,6 +10,6 @@
#if !defined(_OSSL_VERSION_H_)
#define _OSSL_VERSION_H_
#define OSSL_VERSION "2.0.4"
#define OSSL_VERSION "2.0.5"
#endif /* _OSSL_VERSION_H_ */
......@@ -161,7 +161,7 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
DATA_PTR(self) = x;
if (!x509) {
......
......@@ -115,7 +115,7 @@ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
DATA_PTR(self) = x;
if (!crl) {
......
......@@ -123,7 +123,7 @@ ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
in = ossl_obj2bio(&arg);
req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL);
DATA_PTR(self) = x;
if (!req) {
......
Gem::Specification.new do |spec|
spec.name = "openssl"
spec.version = "2.0.4"
spec.version = "2.0.5"
spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"]
spec.email = ["ruby-core@ruby-lang.org"]
spec.summary = %q{OpenSSL provides SSL, TLS and general purpose cryptography.}
......@@ -21,4 +21,6 @@ Gem::Specification.new do |spec|
spec.add_development_dependency "rake-compiler"
spec.add_development_dependency "test-unit", "~> 3.0"
spec.add_development_dependency "rdoc"
spec.metadata["msys2_mingw_dependencies"] = "openssl"
end
......@@ -242,6 +242,17 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
assert_equal pem, dup_public(RSA1024).export
end
def test_pem_passwd
key = RSA1024
pem3c = key.to_pem("aes-128-cbc", "key")
assert_match (/ENCRYPTED/), pem3c
assert_equal key.to_der, OpenSSL::PKey.read(pem3c, "key").to_der
assert_equal key.to_der, OpenSSL::PKey.read(pem3c) { "key" }.to_der
assert_raise(OpenSSL::PKey::PKeyError) {
OpenSSL::PKey.read(pem3c) { nil }
}
end
def test_dup
key = OpenSSL::PKey::RSA.generate(256, 17)
key2 = key.dup
......
......@@ -350,7 +350,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
assert_equal OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode
ciphers_names = ctx.ciphers.collect{|v, _, _, _| v }
assert ciphers_names.all?{|v| /A(EC)?DH/ !~ v }, "anon ciphers are disabled"
assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES)/ !~ v }, "weak ciphers are disabled"
assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES(?!-EDE|-CBC3))/ !~ v }, "weak ciphers are disabled"
assert_equal 0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) # >= 1.0.0
assert_equal OpenSSL::SSL::OP_NO_COMPRESSION,
......@@ -810,7 +810,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex
end
if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1)
def test_tls_v1_1
start_server_version(:TLSv1_1) { |server, port|
......@@ -837,7 +837,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
end
if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1)
def test_tls_v1_2
start_server_version(:TLSv1_2) { |server, port|
......
......@@ -48,7 +48,7 @@ tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM=
Timeout.timeout(5) do
start_server do |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
ctx = OpenSSL::SSL::SSLContext.new
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
ssl.connect
......@@ -157,9 +157,7 @@ __EOS__
start_server do |server, port|
2.times do
sock = TCPSocket.new("127.0.0.1", port)
# Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
# when use default SSLContext. [ruby-dev:36167]
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
ctx = OpenSSL::SSL::SSLContext.new
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
ssl.session = last_session if last_session
......
......@@ -178,6 +178,15 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
assert_equal(true, cert.check_private_key(@rsa2048))
end
def test_read_from_file
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
Tempfile.create("cert") { |f|
f << cert.to_pem
f.rewind
assert_equal cert.to_der, OpenSSL::X509::Certificate.new(f).to_der
}
end
private
def certificate_error_returns_false
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment