ruby-changes:73588
From: Kazuki <ko1@a...>
Date: Sat, 17 Sep 2022 16:00:00 +0900 (JST)
Subject: [ruby-changes:73588] b3969f769a (ruby_3_1): Merge openssl-3.0.1
https://git.ruby-lang.org/ruby.git/commit/?id=b3969f769a From b3969f769a40e09ce5307b58ac78fa732c398aad Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Thu, 8 Sep 2022 23:10:09 +0900 Subject: Merge openssl-3.0.1 The changes can be found at: https://github.com/ruby/openssl/compare/v3.0.0...v3.0.1 --- ext/openssl/History.md | 40 +++++++++++++++++++++++++++++++++ ext/openssl/extconf.rb | 5 +++-- ext/openssl/lib/openssl/pkey.rb | 8 +++++++ ext/openssl/lib/openssl/version.rb | 2 +- ext/openssl/openssl.gemspec | 2 +- ext/openssl/ossl_hmac.c | 8 +++++++ ext/openssl/ossl_pkey.c | 46 +++++++++++++++++++++++++++++++++++--- ext/openssl/ossl_pkey_ec.c | 4 ++++ ext/openssl/ossl_x509cert.c | 6 ++--- ext/openssl/ossl_x509crl.c | 6 ++--- ext/openssl/ossl_x509req.c | 6 ++--- ext/openssl/ossl_x509revoked.c | 6 ++--- test/openssl/test_hmac.rb | 8 +++++++ test/openssl/test_pkey_dsa.rb | 19 ++++++++++++++++ test/openssl/test_pkey_ec.rb | 25 +++++++++++++++++++++ test/openssl/test_pkey_rsa.rb | 5 +++++ test/openssl/test_ssl.rb | 6 +++++ 17 files changed, 183 insertions(+), 19 deletions(-) diff --git a/ext/openssl/History.md b/ext/openssl/History.md index 479ec3b4a2..a4f6bd7fd6 100644 --- a/ext/openssl/History.md +++ b/ext/openssl/History.md @@ -1,3 +1,27 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L1 +Version 3.0.1 +============= + +Merged changes in 2.1.4 and 2.2.2. Additionally, the following issues are fixed +by this release. + +Bug fixes +--------- + +* Add missing type check in OpenSSL::PKey::PKey#sign's optional parameters. + [[GitHub #531]](https://github.com/ruby/openssl/pull/531) +* Work around OpenSSL 3.0's HMAC issues with a zero-length key. + [[GitHub #538]](https://github.com/ruby/openssl/pull/538) +* Fix a regression in OpenSSL::PKey::DSA.generate's default of 'q' size. + [[GitHub #483]](https://github.com/ruby/openssl/issues/483) + [[GitHub #539]](https://github.com/ruby/openssl/pull/539) +* Restore OpenSSL::PKey.read's ability to decode "openssl ecparam -genkey" + output when linked against OpenSSL 3.0. + [[GitHub #535]](https://github.com/ruby/openssl/pull/535) + [[GitHub #540]](https://github.com/ruby/openssl/pull/540) +* Restore error checks in OpenSSL::PKey::EC#{to_der,to_pem}. + [[GitHub #541]](https://github.com/ruby/openssl/pull/541) + + Version 3.0.0 ============= @@ -100,6 +124,12 @@ Notable changes https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L124 [[GitHub #342]](https://github.com/ruby/openssl/issues/342) +Version 2.2.2 +============= + +Merged changes in 2.1.4. + + Version 2.2.1 ============= @@ -194,6 +224,16 @@ Notable changes https://github.com/ruby/ruby/blob/trunk/ext/openssl/History.md#L224 [[GitHub #297]](https://github.com/ruby/openssl/pull/297) +Version 2.1.4 +============= + +Bug fixes +--------- + +* Do not use pkg-config if --with-openssl-dir option is specified. + [[GitHub #486]](https://github.com/ruby/openssl/pull/486) + + Version 2.1.3 ============= diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index fedcb930f5..d2d7893a0a 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -13,7 +13,7 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L13 require "mkmf" -dir_config("openssl") +dir_config_given = dir_config("openssl").any? dir_config("kerberos") Logging::message "=== OpenSSL for Ruby configurator ===\n" @@ -92,7 +92,7 @@ def find_openssl_library https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L92 end Logging::message "=== Checking for required stuff... ===\n" -pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h") +pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h") if !pkg_config_found && !find_openssl_library Logging::message "=== Checking for required stuff failed. ===\n" @@ -169,6 +169,7 @@ have_func("SSL_CTX_set_post_handshake_auth") https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L169 # added in 1.1.1 have_func("EVP_PKEY_check") +have_func("EVP_PKEY_new_raw_private_key") # added in 3.0.0 have_func("SSL_set0_tmp_dh_pkey") diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb index c3e0629091..d51f066b89 100644 --- a/ext/openssl/lib/openssl/pkey.rb +++ b/ext/openssl/lib/openssl/pkey.rb @@ -167,8 +167,16 @@ module OpenSSL::PKey https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/pkey.rb#L167 # +size+:: # The desired key size in bits. def generate(size, &blk) + # FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224), + # (2048,256), and (3072,256). + # + # q size is derived here with compatibility with + # DSA_generator_parameters_ex() which previous versions of ruby/openssl + # used to call. + qsize = size >= 2048 ? 256 : 160 dsaparams = OpenSSL::PKey.generate_parameters("DSA", { "dsa_paramgen_bits" => size, + "dsa_paramgen_q_bits" => qsize, }, &blk) OpenSSL::PKey.generate_key(dsaparams) end diff --git a/ext/openssl/lib/openssl/version.rb b/ext/openssl/lib/openssl/version.rb index 5e60604353..b9e8444d4d 100644 --- a/ext/openssl/lib/openssl/version.rb +++ b/ext/openssl/lib/openssl/version.rb @@ -1,5 +1,5 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/version.rb#L1 # frozen_string_literal: true module OpenSSL - VERSION = "3.0.0" + VERSION = "3.0.1" end diff --git a/ext/openssl/openssl.gemspec b/ext/openssl/openssl.gemspec index c6cd818336..1c13505b97 100644 --- a/ext/openssl/openssl.gemspec +++ b/ext/openssl/openssl.gemspec @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/openssl.gemspec#L1 Gem::Specification.new do |spec| spec.name = "openssl" - spec.version = "3.0.0" + spec.version = "3.0.1" spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"] spec.email = ["ruby-core@r..."] spec.summary = %q{OpenSSL provides SSL, TLS and general purpose cryptography.} diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index bfe3a74b12..1a5f471a27 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -97,11 +97,19 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_hmac.c#L97 GetHMAC(self, ctx); StringValue(key); +#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + (unsigned char *)RSTRING_PTR(key), + RSTRING_LENINT(key)); + if (!pkey) + ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key"); +#else pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, (unsigned char *)RSTRING_PTR(key), RSTRING_LENINT(key)); if (!pkey) ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); +#endif if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), NULL, pkey) != 1) { EVP_PKEY_free(pkey); diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 2a4835a28d..ee143d66ee 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -99,17 +99,56 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey.c#L99 /* First check DER */ if (OSSL_DECODER_from_bio(dctx, bio) == 1) goto out; + OSSL_BIO_reset(bio); /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */ - OSSL_BIO_reset(bio); if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1) goto out; - while (OSSL_DECODER_from_bio(dctx, bio) != 1) { - if (BIO_eof(bio)) + /* + * First check for private key formats. This is to keep compatibility with + * ruby/openssl < 3.0 which decoded the following as a private key. + * + * $ openssl ecparam -name prime256v1 -genkey -outform PEM + * -----BEGIN EC PARAMETERS----- + * BggqhkjOPQMBBw== + * -----END EC PARAMETERS----- + * -----BEGIN EC PRIVATE KEY----- + * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49 + * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj + * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ== + * -----END EC PRIVATE KEY----- + * + * While the first PEM block is a proper encoding of ECParameters, thus + * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return + * the latter instead. Existing applications expect this behavior. + * + * Note that normally, the input is supposed to contain a single decodable + * PEM block only, so this special handling should not create a new problem. + */ + OSSL_DECODER_CTX_set_selection(dctx, EVP_PKEY_KEYPAIR); + while (1) { + if (OSSL_DECODER_from_bio(dctx, bio) == 1) goto out; + if (BIO_eof(bio)) + break; pos2 = BIO_tell(bio); if (pos2 < 0 || pos2 <= pos) + break; + ossl_clear_error(); + pos = pos2; + } + + OSSL_BIO_reset(bio); + OSSL_DECODER_CTX_set_selection(dctx, 0); + while (1) { + if (OSSL_DECODER_from_bio(dctx, bio) == 1) goto out; + if (BIO_eof(bio)) + break; + pos2 = BIO_tell(bio); + if (pos2 < 0 || pos2 <= pos) + break; + ossl_clear_error(); pos = pos2; } @@ -200,6 +239,7 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey.c#L239 pkey_ctx_apply_options0(VALUE args_v) { VALUE *args = (VALUE *)args_v; + Check_Type(args[1], T_HA (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/