From 213003a99aa5ab5490239493256c1948f1d9e186 Mon Sep 17 00:00:00 2001 From: SHIBATA Hiroshi Date: Tue, 14 Feb 2017 09:18:45 +0900 Subject: Fix typos --- ext/openssl/ossl_cipher.c | 2 +- ext/openssl/ossl_pkey_ec.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'ext/openssl') diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 73b667b2..9ab74a16 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -1023,7 +1023,7 @@ Init_ossl_cipher(void) * An example using the GCM (Galois/Counter Mode). You have 16 bytes +key+, * 12 bytes (96 bits) +nonce+ and the associated data +auth_data+. Be sure * not to reuse the +key+ and +nonce+ pair. Reusing an nonce ruins the - * security gurantees of GCM mode. + * security guarantees of GCM mode. * * cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt * cipher.key = key diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index fc3f034a..8434a4bc 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -1597,11 +1597,11 @@ ossl_ec_point_to_bn(int argc, VALUE *argv, VALUE self) * Performs elliptic curve point multiplication. * * The first form calculates bn1 * point + bn2 * G, where +G+ is the - * generator of the group of +point+. +bn2+ may be ommitted, and in that case, + * generator of the group of +point+. +bn2+ may be omitted, and in that case, * the result is just bn1 * point. * * The second form calculates bns[0] * point + bns[1] * points[0] + ... - * + bns[-1] * points[-1] + bn2 * G. +bn2+ may be ommitted. +bns+ must be + * + bns[-1] * points[-1] + bn2 * G. +bn2+ may be omitted. +bns+ must be * an array of OpenSSL::BN. +points+ must be an array of * OpenSSL::PKey::EC::Point. Please note that points[0] is not * multiplied by bns[0], but bns[1]. -- cgit v1.2.3 From 565a9e9fe31b8136f8a2b126320be8d92ca25b98 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Fri, 31 Mar 2017 15:36:35 +0900 Subject: ssl: check return value of SSL_set_fd() SSL_set_fd() may fail with 0 return if malloc() fails. Check that and raise an exception to avoid potential crash. --- ext/openssl/ossl_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ext/openssl') diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index eef7dbec..e2c8eb5e 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1483,7 +1483,8 @@ ossl_ssl_setup(VALUE self) GetOpenFile(io, fptr); rb_io_check_readable(fptr); rb_io_check_writable(fptr); - SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr))); + if (!SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr)))) + ossl_raise(eSSLError, "SSL_set_fd"); return Qtrue; } -- cgit v1.2.3 From 7eb1a3fa86312a1783f06374ee50b38ae97a5a71 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Tue, 7 Mar 2017 23:57:43 +0900 Subject: Fix typos --- ext/openssl/ossl_bn.c | 2 +- ext/openssl/ossl_cipher.c | 4 ++-- ext/openssl/ossl_ns_spki.c | 4 ++-- ext/openssl/ossl_pkey_ec.c | 2 +- ext/openssl/ossl_pkey_rsa.c | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) (limited to 'ext/openssl') diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c index 4e371cb2..aa0f2c60 100644 --- a/ext/openssl/ossl_bn.c +++ b/ext/openssl/ossl_bn.c @@ -129,7 +129,7 @@ try_convert_to_bn(VALUE obj) if (rb_obj_is_kind_of(obj, cBN)) return obj; if (RB_INTEGER_TYPE_P(obj)) { - newobj = NewBN(cBN); /* Handle potencial mem leaks */ + newobj = NewBN(cBN); /* Handle potential mem leaks */ bn = integer_to_bnptr(obj, NULL); SetBN(newobj, bn); } diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 9ab74a16..885b8e0a 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -23,7 +23,7 @@ #define GetCipher(obj, ctx) do { \ GetCipherInit((obj), (ctx)); \ if (!(ctx)) { \ - ossl_raise(rb_eRuntimeError, "Cipher not inititalized!"); \ + ossl_raise(rb_eRuntimeError, "Cipher not initialized!"); \ } \ } while (0) #define SafeGetCipher(obj, ctx) do { \ @@ -122,7 +122,7 @@ ossl_cipher_initialize(VALUE self, VALUE str) name = StringValueCStr(str); GetCipherInit(self, ctx); if (ctx) { - ossl_raise(rb_eRuntimeError, "Cipher already inititalized!"); + ossl_raise(rb_eRuntimeError, "Cipher already initialized!"); } AllocCipher(self, ctx); if (!(cipher = EVP_get_cipherbyname(name))) { diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c index 98f6552e..4d978bd0 100644 --- a/ext/openssl/ossl_ns_spki.c +++ b/ext/openssl/ossl_ns_spki.c @@ -322,7 +322,7 @@ ossl_spki_verify(VALUE self, VALUE key) /* Document-class: OpenSSL::Netscape::SPKI * - * A Simple Public Key Infrastructure implementation (pronounced "spookey"). + * A Simple Public Key Infrastructure implementation (pronounced "spooky"). * The structure is defined as * PublicKeyAndChallenge ::= SEQUENCE { * spki SubjectPublicKeyInfo, @@ -348,7 +348,7 @@ ossl_spki_verify(VALUE self, VALUE key) * spki.public_key = key.public_key * spki.sign(key, OpenSSL::Digest::SHA256.new) * #send a request containing this to a server generating a certificate - * === Verifiying an SPKI request + * === Verifying an SPKI request * request = #... * spki = OpenSSL::Netscape::SPKI.new request * unless spki.verify(spki.public_key) diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index 8434a4bc..10800d23 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -296,7 +296,7 @@ ossl_ec_key_get_group(VALUE self) * key.group = group * * Sets the EC::Group for the key. The group structure is internally copied so - * modifition to +group+ after assigning to a key has no effect on the key. + * modification to +group+ after assigning to a key has no effect on the key. */ static VALUE ossl_ec_key_set_group(VALUE self, VALUE group_v) diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c index cea228d6..5aa09d0d 100644 --- a/ext/openssl/ossl_pkey_rsa.c +++ b/ext/openssl/ossl_pkey_rsa.c @@ -706,7 +706,7 @@ Init_ossl_rsa(void) /* Document-class: OpenSSL::PKey::RSA * * RSA is an asymmetric public key algorithm that has been formalized in - * RFC 3447. It is in widespread use in public key infrastuctures (PKI) + * RFC 3447. It is in widespread use in public key infrastructures (PKI) * where certificates (cf. OpenSSL::X509::Certificate) often are issued * on the basis of a public/private RSA key pair. RSA is used in a wide * field of applications such as secure (symmetric) key exchange, e.g. -- cgit v1.2.3 From e3929aa5481b2d5bedfdfef75865b2ea49938852 Mon Sep 17 00:00:00 2001 From: Vladimir Rybas Date: Fri, 21 Apr 2017 17:52:30 +0700 Subject: Fix documentation for OpenSSL::Cipher#final "after after having fed the entire plaintext..." is changed to "after having fed the entire plaintext..." --- ext/openssl/ossl_cipher.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/openssl') diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 885b8e0a..c2f0927a 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -418,7 +418,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self) * Returns the remaining data held in the cipher object. Further calls to * Cipher#update or Cipher#final will return garbage. This call should always * be made as the last call of an encryption or decryption operation, after - * after having fed the entire plaintext or ciphertext to the Cipher instance. + * having fed the entire plaintext or ciphertext to the Cipher instance. * * If an authenticated cipher was used, a CipherError is raised if the tag * could not be authenticated successfully. Only call this method after -- cgit v1.2.3 From 805882145bde3286d8fcfa1e6254be1522979ee7 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Wed, 14 Jun 2017 12:14:21 +0900 Subject: x509store: clear error queue after calling X509_LOOKUP_load_file() X509_LOOKUP_load_file(), which ends up calling X509_load_cert_crl_file() internally, may leave error entries in the queue even when it returns non-zero value (which indicates success). This will be fixed by OpenSSL 1.1.1, but can be worked around by clearing the error queue ourselves. Fixes: https://bugs.ruby-lang.org/issues/11033 --- ext/openssl/ossl_x509store.c | 9 +++++++++ test/test_x509store.rb | 23 +++++++++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'ext/openssl') diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index eb81e0d4..4becc8e3 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -342,6 +342,15 @@ ossl_x509store_add_file(VALUE self, VALUE file) if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){ ossl_raise(eX509StoreError, NULL); } +#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER) + /* + * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file() + * did not check the return value of X509_STORE_add_{cert,crl}(), leaking + * "cert already in hash table" errors on the error queue, if duplicate + * certificates are found. This will be fixed by OpenSSL 1.1.1. + */ + ossl_clear_error(); +#endif return self; } diff --git a/test/test_x509store.rb b/test/test_x509store.rb index a5dfa206..c45233aa 100644 --- a/test/test_x509store.rb +++ b/test/test_x509store.rb @@ -34,6 +34,29 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase OpenSSL::TestUtils.issue_crl(*args) end + def test_add_file + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + cert1 = issue_cert(@ca1, @rsa1024, 1, ca_exts, nil, nil) + cert2 = issue_cert(@ca2, @rsa2048, 1, ca_exts, nil, nil) + tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f } + + store = OpenSSL::X509::Store.new + assert_equal false, store.verify(cert1) + assert_equal false, store.verify(cert2) + store.add_file(tmpfile.path) + assert_equal true, store.verify(cert1) + assert_equal true, store.verify(cert2) + + # OpenSSL < 1.1.1 leaks an error on a duplicate certificate + assert_nothing_raised { store.add_file(tmpfile.path) } + assert_equal [], OpenSSL.errors + ensure + tmpfile and tmpfile.close! + end + def test_verify # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), # and there may be difference. -- cgit v1.2.3 From 110932770e3e4abddd6e744355651db60145e961 Mon Sep 17 00:00:00 2001 From: nobu Date: Fri, 10 Feb 2017 03:58:02 +0000 Subject: openssl: fix broken openssl check * ext/openssl/extconf.rb: check for broken OpenSSL only on mac OS. [ruby-core:79475] [Bug #13200] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57591 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/extconf.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/openssl') diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 60bd518e..96982309 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -60,7 +60,7 @@ unless result raise "OpenSSL 0.9.8 or later required." end -unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") +if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')" end -- cgit v1.2.3 From 147748f92c782d2264b1ced43d08ca200df0e403 Mon Sep 17 00:00:00 2001 From: nobu Date: Fri, 10 Feb 2017 03:59:55 +0000 Subject: openssl: fix broken openssl check * ext/openssl/deprecation.rb: check for broken OpenSSL only on mac OS. [ruby-core:79475] [Bug #13200] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/deprecation.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/openssl') diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb index 7dfc87c1..0c3ab628 100644 --- a/ext/openssl/deprecation.rb +++ b/ext/openssl/deprecation.rb @@ -3,7 +3,7 @@ module OpenSSL def self.deprecated_warning_flag unless flag = (@deprecated_warning_flag ||= nil) if try_compile("", flag = "-Werror=deprecated-declarations") - if with_config("broken-apple-openssl") + if /darwin/ =~ RUBY_PLATFORM and with_config("broken-apple-openssl") flag = "-Wno-deprecated-declarations" end $warnflags << " #{flag}" -- cgit v1.2.3 From ad5564f879b8ddea1cfddc5db3f7888d33d5ee1b Mon Sep 17 00:00:00 2001 From: usa Date: Tue, 16 May 2017 08:03:53 +0000 Subject: Search SSL libraries by testing various filename patterns * ext/openssl/extconf.rb (find_openssl_library): should search by more flexible method, especially for LibreSSL on Windows. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58742 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/extconf.rb | 50 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 5 deletions(-) (limited to 'ext/openssl') diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 96982309..250aabe4 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -36,17 +36,57 @@ have_library("socket", "socket") Logging::message "=== Checking for required stuff... ===\n" result = pkg_config("openssl") && have_header("openssl/ssl.h") -unless result + +def find_openssl_library if $mswin || $mingw # required for static OpenSSL libraries have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen()) have_library("crypt32") end - result = have_header("openssl/ssl.h") - result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "CRYPTO_malloc")} - result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_new")} - unless result + return false unless have_header("openssl/ssl.h") + + libpath = $LIBPATH.dup + libpath |= ENV["LIB"].split(File::PATH_SEPARATOR).map{|d| d.tr(File::ALT_SEPARATOR, File::SEPARATOR)} if $mswin + + result = false + %w[crypto eay32].each do |base| + libs = [base] + if $mswin || $mingw + libs << "lib" + libs.first + if base == "crypto" + libs << libs.first + "-[0-9][0-9]" + libs << "lib" + libs.last + end + libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq + end + libs.each do |lib| + result = have_library(lib, "CRYPTO_malloc") + break if result + end + break if result + end + return false unless result + + %w[ssl ssleay32].each do |base| + libs = [base] + if $mswin || $mingw + libs << "lib" + libs.first + if base == "ssl" + libs << libs.first + "-[0-9][0-9]" + libs << "lib" + libs.last + end + libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq + end + libs.each do |lib| + return true if have_library(lib, "SSL_new") + end + end + return false +end + +unless result + unless find_openssl_library Logging::message "=== Checking for required stuff failed. ===\n" Logging::message "Makefile wasn't created. Fix the errors above.\n" exit 1 -- cgit v1.2.3 From e0049d573beb81a88777cfdb5634550308fc57f4 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Wed, 14 Jun 2017 14:07:29 +0900 Subject: extconf.rb: simplify searching libraries logic Clarify what it's doing. For non-Windows and MinGW platforms we can just give "crypto" and "ssl" to have_library. --- ext/openssl/extconf.rb | 64 ++++++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 31 deletions(-) (limited to 'ext/openssl') diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 250aabe4..8f604708 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -46,41 +46,43 @@ def find_openssl_library return false unless have_header("openssl/ssl.h") - libpath = $LIBPATH.dup - libpath |= ENV["LIB"].split(File::PATH_SEPARATOR).map{|d| d.tr(File::ALT_SEPARATOR, File::SEPARATOR)} if $mswin - - result = false - %w[crypto eay32].each do |base| - libs = [base] - if $mswin || $mingw - libs << "lib" + libs.first - if base == "crypto" - libs << libs.first + "-[0-9][0-9]" - libs << "lib" + libs.last - end - libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq + ret = have_library("crypto", "CRYPTO_malloc") && + have_library("ssl", "SSL_new") + return ret if ret + + if $mswin + # OpenSSL >= 1.1.0: libcrypto.lib and libssl.lib. + if have_library("libcrypto", "CRYPTO_malloc") && + have_library("libssl", "SSL_new") + return true end - libs.each do |lib| - result = have_library(lib, "CRYPTO_malloc") - break if result + + # OpenSSL <= 1.0.2: libeay32.lib and ssleay32.lib. + if have_library("libeay32", "CRYPTO_malloc") && + have_library("ssleay32", "SSL_new") + return true end - break if result - end - return false unless result - - %w[ssl ssleay32].each do |base| - libs = [base] - if $mswin || $mingw - libs << "lib" + libs.first - if base == "ssl" - libs << libs.first + "-[0-9][0-9]" - libs << "lib" + libs.last - end + + # LibreSSL: libcrypto-##.lib and libssl-##.lib, where ## is the ABI version + # number. We have to find the version number out by scanning libpath. + libpath = $LIBPATH.dup + libpath |= ENV["LIB"].split(File::PATH_SEPARATOR) + libpath.map! { |d| d.tr(File::ALT_SEPARATOR, File::SEPARATOR) } + + ret = [ + ["crypto", "CRYPTO_malloc"], + ["ssl", "SSL_new"] + ].all? do |base, func| + result = false + libs = ["lib#{base}-[0-9][0-9]", "lib#{base}-[0-9][0-9][0-9]"] libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq + libs.each do |lib| + result = have_library(lib, func) + break if result + end + result end - libs.each do |lib| - return true if have_library(lib, "SSL_new") - end + return ret if ret end return false end -- cgit v1.2.3 From dde512aa2d29bac496040af27c0d3487323b7552 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Wed, 14 Jun 2017 18:19:19 +0900 Subject: Ruby/OpenSSL 2.0.4 --- History.md | 12 ++++++++++++ ext/openssl/ossl_version.h | 2 +- openssl.gemspec | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'ext/openssl') diff --git a/History.md b/History.md index a215be87..bb499338 100644 --- a/History.md +++ b/History.md @@ -1,3 +1,15 @@ +Version 2.0.4 +============= + +Bug fixes +--------- + +* It now compiles with LibreSSL without renaming on Windows (mswin). +* A workaround for the error queue leak of X509_load_cert_crl_file() that + causes random errors is added. + [[Bug #11033]](https://bugs.ruby-lang.org/issues/11033) + + Version 2.0.3 ============= diff --git a/ext/openssl/ossl_version.h b/ext/openssl/ossl_version.h index b98533f4..d5b9ac20 100644 --- a/ext/openssl/ossl_version.h +++ b/ext/openssl/ossl_version.h @@ -10,6 +10,6 @@ #if !defined(_OSSL_VERSION_H_) #define _OSSL_VERSION_H_ -#define OSSL_VERSION "2.0.3" +#define OSSL_VERSION "2.0.4" #endif /* _OSSL_VERSION_H_ */ diff --git a/openssl.gemspec b/openssl.gemspec index da7a1765..e0080f2e 100644 --- a/openssl.gemspec +++ b/openssl.gemspec @@ -1,6 +1,6 @@ Gem::Specification.new do |spec| spec.name = "openssl" - spec.version = "2.0.3" + spec.version = "2.0.4" spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"] spec.email = ["ruby-core@ruby-lang.org"] spec.summary = %q{OpenSSL provides SSL, TLS and general purpose cryptography.} -- cgit v1.2.3