ruby-changes:60350
From: Kazuki <ko1@a...>
Date: Tue, 10 Mar 2020 17:41:33 +0900 (JST)
Subject: [ruby-changes:60350] e4a26cd4f8 (master): openssl: sync with upstream repository
https://git.ruby-lang.org/ruby.git/commit/?id=e4a26cd4f8

From e4a26cd4f8e74e5d29de10a3a0ce5829829301b0 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@r...>
Date: Mon, 9 Mar 2020 18:26:19 +0900
Subject: openssl: sync with upstream repository

Import current master (2c43241dc0ed) of ruby/openssl.git. Below are the
commits that were made since the last batch at commit b99775b163ce
(ruby/openssl.git commit f49e7110ca1e). Note that some of them have been
applied already.

----------------------------------------------------------------
Benoit Daloze (1):
      Remove redundant and ignored workflow file

DBL-Lee (1):
      add support for SHA512_256/SHA512_224

Hiroshi SHIBATA (2):
      Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
      Fixed inconsistency directory structure with ruby/ruby repo

Jeremy Evans (2):
      Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
      Remove taint support

Kazuki Yamaguchi (26):
      config: support .include directive
      random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
      extconf.rb: get rid of -Werror=deprecated-declarations
      test/openssl/test_ssl: skip test_fallback_scsv if necessary
      ts: simplify OpenSSL::Timestamp::Request#algorithm
      History.md: add missing references to GitHub issues
      config: deprecate OpenSSL::Config#add_value and #[]=
      test/openssl/test_ssl: remove sleep from test_finished_messages
      test/openssl/test_ssl: fix random failure in SSLSocket.open test
      test/openssl/test_ssl: avoid explicitly-sized private keys
      test/openssl/test_ssl: remove commented-out test case
      test/openssl/test_ssl: allow kRSA tests to fail
      ssl: avoid declarations after statements
      engine: revert OpenSSL::Engine.load changes for cloudhsm
      engine: remove really outdated static engines
      engine: do not check for ENGINE_load_builtin_engines()
      engine: fix guards for 'dynamic' and 'cryptodev' engines
      lib/openssl.rb: require openssl/version.rb
      x509: add error code and verify flags constants
      ssl: set verify error code in the case of verify_hostname failure
      .github/workflows: merge CI jobs into a single workflow
      .github/workflows: test against different OpenSSL versions
      .travis.yml: fully migrate to GitHub Actions
      ssl: suppress test failure with SSLContext#add_certificate_chain_file
      ssl: remove test case test_puts_meta from test_pair
      Revert "Use version.rb in gemspec"

MSP-Greg (2):
      .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
      Use version.rb in gemspec

Samuel Williams (1):
      Restore compatibility with older versions of Ruby.

Yusuke Endoh (1):
      Make OpenSSL::OSSL#test_memcmp_timing robust

diff --git a/ext/openssl/History.md b/ext/openssl/History.md index cdb44b1..929d919 100644 --- a/ext/openssl/History.md +++ b/ext/openssl/History.md
@@ -1,34 +1,55 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L1 Version 2.2.0 (not yet released) ============= +Compatibility notes +------------------- + +* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms. +* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`. + [[GitHub #266]](https://github.com/ruby/openssl/pull/266) +* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal. + [[GitHub #322]](https://github.com/ruby/openssl/pull/322) + + +Notable changes +--------------- + * Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from 5 to `Socket::SOMAXCONN`. + [[GitHub #286]](https://github.com/ruby/openssl/issues/286) * Make `OpenSSL::HMAC#==` use a timing safe string comparison. -* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms. + [[GitHub #284]](https://github.com/ruby/openssl/pull/284) * Add support for SHA3 and BLAKE digests. + [[GitHub #282]](https://github.com/ruby/openssl/pull/282) * Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and returning an `OpenSSL::SSL::SSLSocket` for it. + [[GitHub #225]](https://github.com/ruby/openssl/issues/225) * Support marshalling of `OpenSSL::X509` objects. + [[GitHub #281]](https://github.com/ruby/openssl/pull/281) * Add `OpenSSL.secure_compare` for timing safe string comparison for strings of possibly unequal length. + [[GitHub #280]](https://github.com/ruby/openssl/pull/280) * Add `OpenSSL.fixed_length_secure_compare` for timing safe string comparison for strings of equal length. + [[GitHub #269]](https://github.com/ruby/openssl/pull/269) * Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}` for last finished message sent and received. + [[GitHub #250]](https://github.com/ruby/openssl/pull/250) * Add `OpenSSL::Timestamp` module for handing timestamp requests and responses. 
+ [[GitHub #204]](https://github.com/ruby/openssl/pull/204) * Add helper methods for `OpenSSL::X509::Certificate`: `find_extension`, `subject_key_identifier`, `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and - `ocsp_uris`. -* Add helper methods for `OpenSSL::X509::CRL`: + `ocsp_uris`, and for `OpenSSL::X509::CRL`: `find_extension` and `subject_key_identifier`. -* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`. -* Add `OpenSSL::ECPoint#add` for adding points to an elliptic curve - group. + [[GitHub #260]](https://github.com/ruby/openssl/pull/260) + [[GitHub #275]](https://github.com/ruby/openssl/pull/275) + [[GitHub #293]](https://github.com/ruby/openssl/pull/293) +* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition. [[GitHub #261]](https://github.com/ruby/openssl/pull/261) -* Make `OpenSSL::PKey::RSA#{export,to_der}` correctly check `key`, - `factors`, and `crt_params`. +* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and + `crt_params` to do proper private key serialization. [[GitHub #258]](https://github.com/ruby/openssl/pull/258) * Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the underlying socket file descriptor number. 
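Review bot: under the new "Compatibility notes" heading, the moved entry `* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.` is the only bullet in this hunk that carries no `[[GitHub #NNN]]` reference, while its siblings (`SignerInfo#name` removal, `Config#add_value` deprecation) each got one; since this batch explicitly includes "History.md: add missing references to GitHub issues", the pull request that dropped those algorithms should be linked here as well, or the entry should say it had no tracked issue.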
@@ -40,16 +61,18 @@ Version 2.2.0 (not yet released) https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L61 * Add `OpenSSL::X509::Extension#value_der` for the raw value of the extension. [[GitHub #234]](https://github.com/ruby/openssl/pull/234) -* Signficantly reduce allocated memory in `OpenSSL::Buffering#do_write`. +* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`. [[GitHub #212]](https://github.com/ruby/openssl/pull/212) * Ensure all valid IPv6 addresses are considered valid as elements of subjectAlternativeName in certificates. [[GitHub #185]](https://github.com/ruby/openssl/pull/185) * Allow recipient's certificate to be omitted in PCKS7#decrypt. [[GitHub #183]](https://github.com/ruby/openssl/pull/183) -* Add support for reading keys in PKCS8 format and export via instance methods +* Add support for reading keys in PKCS #8 format and export via instance methods added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`, `public_to_der` and `public_to_pem`. + [[GitHub #297]](https://github.com/ruby/openssl/pull/297) + Version 2.1.2 ============= diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb deleted file mode 100644 index fdf2d30..0000000 --- a/ext/openssl/deprecation.rb +++ /dev/null @@ -1,27 +0,0 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L0 -# frozen_string_literal: true -module OpenSSL - def self.deprecated_warning_flag - unless flag = (@deprecated_warning_flag ||= nil) - if try_compile("", flag = "-Werror=deprecated-declarations") - $warnflags << " #{flag}" - else - flag = "" - end - @deprecated_warning_flag = flag - end - flag - end - - def self.restore_warning_flag - $warnflags = @warnflags - end - - def self.check_func(func, header) - have_func(func, header, deprecated_warning_flag) - end - - def self.check_func_or_macro(func, header) - check_func(func, header) or - have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}") - end -end 
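Review bot: the unchanged context line `* Allow recipient's certificate to be omitted in PCKS7#decrypt.` still spells the class as `PCKS7` (the class is `PKCS7`); this hunk already corrects `Signficantly` and `PKCS8`, so the same spelling pass should cover that line too.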
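Review bot: deleting `ext/openssl/deprecation.rb` also removes `OpenSSL.restore_warning_flag`, which assigned `$warnflags = @warnflags` from an instance variable this file never set (the computed flag is stored in `@deprecated_warning_flag`), so that helper was already non-functional and its loss needs no replacement. What does need care is `check_func_or_macro`: it fell back to `have_macro` plus a manual `$defs.push("-DHAVE_#{func.upcase}")`, so every caller in extconf.rb has to move to a check that still detects function-like macros rather than a bare `have_func(name)`, otherwise the `HAVE_*` defines the C sources depend on silently disappear on builds where the symbol is a macro.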
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 87a682b..693e55c 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -12,16 +12,12 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L12 =end require "mkmf" -require File.expand_path('../deprecation', __FILE__) dir_config("openssl") dir_config("kerberos") Logging::message "=== OpenSSL for Ruby configurator ===\n" -# Check with -Werror=deprecated-declarations if available -OpenSSL.deprecated_warning_flag - ## # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used # To turn it on, use: --with-debug or --enable-debug @@ -114,11 +110,10 @@ end https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L110 Logging::message "=== Checking for OpenSSL features... ===\n" # compile options have_func("RAND_egd") -engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil - cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni - cloudhsm} +engines = %w{dynamic 4758cca aep atalla chil + cswift nuron sureware ubsec padlock capi gmp gost cryptodev} engines.each { |name| - OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") + have_func("ENGINE_load_#{name}()", "openssl/engine.h") } if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h") @@ -130,9 +125,9 @@ have_func("EC_curve_nist2nid") https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L125 have_func("X509_REVOKED_dup") have_func("X509_STORE_CTX_get0_store") have_func("SSL_CTX_set_alpn_select_cb") -OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h") -OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h") -OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h") +have_func("SSL_CTX_set1_curves (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
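Review bot: in the `engines.each` block, the replacement `have_func("ENGINE_load_#{name}()", "openssl/engine.h")` depends on the trailing `()` to make mkmf compile a call expression, which is what keeps function-like macros detectable now that `OpenSSL.check_func_or_macro` and its `have_macro` fallback are gone; a short comment next to this line saying the parentheses are deliberate would stop a later cleanup from dropping them and quietly losing `HAVE_ENGINE_LOAD_*` defines. Separately, `builtin_engines`, `openbsd_dev_crypto`, `aesni` and `cloudhsm` leave the list, which matches the "remove really outdated static engines" and "do not check for ENGINE_load_builtin_engines()" commits in the batch, but the C side is not part of this excerpt, so the guards that test the corresponding `HAVE_ENGINE_LOAD_*` macros should be confirmed removed in the same sync rather than left dead.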