-rw-r--r-- | CONTRIBUTING.md | 14 | ||||
-rw-r--r-- | ext/openssl/ossl_asn1.c | 2 | ||||
-rw-r--r-- | ext/openssl/ossl_pkcs7.c | 4 | ||||
-rw-r--r-- | lib/openssl/buffering.rb | 17 | ||||
-rw-r--r-- | lib/openssl/ssl.rb | 11 | ||||
-rw-r--r-- | openssl.gemspec | 1 | ||||
-rw-r--r-- | test/test_pkcs7.rb | 2 | ||||
-rw-r--r-- | test/test_ssl.rb | 6 |
8 files changed, 30 insertions, 27 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6e6e2a54..89f7e1d2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report security issues here, there is a separate procedure which is described on ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
-When reporting a bug, please make sure you include the version of Ruby, the
-version of openssl gem, the version of the OpenSSL library, along with a sample
-file that illustrates the problem or link to repository or gem that is
-associated with the bug.
-
-There is a number of unresolved issues and feature requests for openssl that
+When reporting a bug, please make sure you include:
+* Ruby version
+* OpenSSL gem version
+* OpenSSL library version
+* A sample file that illustrates the problem or link to the repository or
+ gem that is associated with the bug.
+
+There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index 7b6c9738..ab45bd83 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -1824,6 +1824,7 @@ do{\
 rb_define_method(cASN1EndOfContent, "to_der", ossl_asn1eoc_to_der, 0);
 class_tag_map = rb_hash_new();
+ rb_global_variable(&class_tag_map);
 rb_hash_aset(class_tag_map, cASN1EndOfContent, INT2NUM(V_ASN1_EOC));
 rb_hash_aset(class_tag_map, cASN1Boolean, INT2NUM(V_ASN1_BOOLEAN));
 rb_hash_aset(class_tag_map, cASN1Integer, INT2NUM(V_ASN1_INTEGER));
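Review bot: In ext/openssl/ossl_asn1.c the added `rb_global_variable(&class_tag_map);` still runs after `class_tag_map = rb_hash_new();`, so for one call the new hash is held only by a C variable the GC has not been told about. If the registration call can itself allocate, which I believe it can, a small window remains. Registering the address first, `rb_global_variable(&class_tag_map);` and then `class_tag_map = rb_hash_new();`, would close it, assuming the variable starts out zero-initialised. The enclosing init function starts outside this hunk.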
@@ -1847,7 +1848,6 @@ do{\
 rb_hash_aset(class_tag_map, cASN1GeneralString, INT2NUM(V_ASN1_GENERALSTRING));
 rb_hash_aset(class_tag_map, cASN1UniversalString, INT2NUM(V_ASN1_UNIVERSALSTRING));
 rb_hash_aset(class_tag_map, cASN1BMPString, INT2NUM(V_ASN1_BMPSTRING));
- rb_global_variable(&class_tag_map);
 id_each = rb_intern_const("each");
 }
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 79ba0bdf..28010c81 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -803,9 +803,9 @@ ossl_pkcs7_decrypt(int argc, VALUE *argv, VALUE self)
 BIO *out;
 VALUE str;
- rb_scan_args(argc, argv, "21", &pkey, &cert, &flags);
+ rb_scan_args(argc, argv, "12", &pkey, &cert, &flags);
 key = GetPrivPKeyPtr(pkey); /* NO NEED TO DUP */
- x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */
+ x509 = NIL_P(cert) ? NULL : GetX509CertPtr(cert); /* NO NEED TO DUP */
 flg = NIL_P(flags) ? 0 : NUM2INT(flags);
 GetPKCS7(self, p7);
 if(!(out = BIO_new(BIO_s_mem())))
diff --git a/lib/openssl/buffering.rb b/lib/openssl/buffering.rb
index 935f61f0..5d1586e5 100644
--- a/lib/openssl/buffering.rb
+++ b/lib/openssl/buffering.rb
@@ -316,20 +316,15 @@ module OpenSSL::Buffering
 @wbuffer << s
 @wbuffer.force_encoding(Encoding::BINARY)
 @sync ||= false
- if @sync or @wbuffer.size > BLOCK_SIZE or idx = @wbuffer.rindex($/)
- remain = idx ? idx + $/.size : @wbuffer.length
- nwritten = 0
- while remain > 0
- str = @wbuffer[nwritten,remain]
+ if @sync or @wbuffer.size > BLOCK_SIZE
+ until @wbuffer.empty?
 begin
- nwrote = syswrite(str)
+ nwrote = syswrite(@wbuffer)
 rescue Errno::EAGAIN
 retry
 end
- remain -= nwrote
- nwritten += nwrote
+ @wbuffer[0, nwrote] = ""
 end
- @wbuffer[0,nwritten] = ""
 end
 end
@@ -409,9 +404,7 @@ module OpenSSL::Buffering
 end
 args.each{|arg|
 s << arg.to_s
- if $/ && /\n\z/ !~ s
- s << "\n"
- end
+ s.sub!(/(?<!\n)\z/, "\n")
 }
 do_write(s)
 nil
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index 6a6f2b94..355eb2eb 100644
--- a/lib/openssl/ssl.rb
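Review bot: Nothing beside the new `NIL_P(cert) ? NULL : GetX509CertPtr(cert)` line in ossl_pkcs7_decrypt records what a NULL certificate means for the decryption. A short comment would help, for example `/* cert is optional; with NULL, PKCS7_decrypt() is not tied to one recipient and tries the key against each RecipientInfo */`, to be confirmed against the OpenSSL documentation for the supported library versions. The method's rdoc call-seq lies outside this hunk; if it still lists the certificate as required, it should be updated in the same change.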
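Review bot: The rewritten loop in do_write only terminates if every `syswrite` call makes progress, and nothing in the code states that assumption. With a return value of 0, `@wbuffer[0, nwrote] = ""` leaves the buffer unchanged and `until @wbuffer.empty?` repeats, while the `rescue Errno::EAGAIN` / `retry` path re-enters immediately without waiting for the stream to become writable. Whether either case can occur depends on the including class's `syswrite`, which is not visible here, so this may be theoretical. A comment above the loop such as `# relies on syswrite blocking until at least one byte is written` would make the contract explicit. do_write starts outside the hunk.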
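Review bot: `s.sub!(/(?<!\n)\z/, "\n")` in puts hides a simple "append a newline unless one is already there" behind a negative lookbehind. `s << "\n" unless s.end_with?("\n")` gives the same result for each argument and reads directly. The enclosing method starts and ends outside the hunk.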
+++ b/lib/openssl/ssl.rb
@@ -12,6 +12,7 @@
 require "openssl/buffering"
 require "io/nonblock"
+require "ipaddr"
 module OpenSSL
 module SSL
@@ -272,11 +273,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
 return true if verify_hostname(hostname, san.value)
 when 7 # iPAddress in GeneralName (RFC5280)
 should_verify_common_name = false
- # follows GENERAL_NAME_print() in x509v3/v3_alt.c
- if san.value.size == 4
- return true if san.value.unpack('C*').join('.') == hostname
- elsif san.value.size == 16
- return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+ if san.value.size == 4 || san.value.size == 16
+ begin
+ return true if san.value == IPAddr.new(hostname).hton
+ rescue IPAddr::InvalidAddressError
+ end
 end
 end
 }
diff --git a/openssl.gemspec b/openssl.gemspec
index f721f247..7c17cd54 100644
--- a/openssl.gemspec
+++ b/openssl.gemspec
@@ -17,6 +17,7 @@ Gem::Specification.new do |spec|
 spec.required_ruby_version = ">= 2.3.0"
+ spec.add_runtime_dependency "ipaddr"
 spec.add_development_dependency "rake"
 spec.add_development_dependency "rake-compiler"
 spec.add_development_dependency "test-unit", "~> 3.0"
diff --git a/test/test_pkcs7.rb b/test/test_pkcs7.rb
index 149d3b9b..6437112b 100644
--- a/test/test_pkcs7.rb
+++ b/test/test_pkcs7.rb
@@ -133,6 +133,8 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
 assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s)
 assert_equal(3, recip[1].serial)
 assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
+
+ assert_equal(data, p7.decrypt(@rsa1024))
 end
 def test_graceful_parsing_failure #[ruby-core:43250]
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 060c1f1c..b8016677 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
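Review bot: In the iPAddress branch of lib/openssl/ssl.rb, `IPAddr.new(hostname)` parses more than a bare address literal, and only `IPAddr::InvalidAddressError` is rescued. IPAddr.new also accepts an address with a `/prefix` suffix, in which case `hton` returns the masked network address rather than the address as written, so a hostname string that is not a plain literal can compare equal to a SAN entry. An invalid prefix raises a different subclass of `IPAddr::Error`, which would propagate out of the identity check instead of yielding `false`. I would tighten the guard to `if (san.value.size == 4 || san.value.size == 16) && !hostname.include?("/")` and widen the handler to `rescue IPAddr::Error`, with a negative case for such input added to test/test_ssl.rb. The enclosing method starts outside the hunk.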
@@ -526,8 +526,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, "www.example.com\0.evil.com"))
 assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
- assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::18'))
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '44:0:0:0:0:0:0:17'))
+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '0013:0000:0000:0000:0000:0000:0000:0017'))
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '1313:0000:0000:0000:0000:0000:0000:0017'))
 end
 end |