Merge branch 'maint'

* maint:
  Ruby/OpenSSL 2.0.4
  History.md: add entries for 2.0.1-2.0.3
  History.md: wrap at 80 characters
  extconf.rb: simplify searching libraries logic
  Search SSL libraries by testing various filename patterns
  openssl: fix broken openssl check
  openssl: fix broken openssl check
  x509store: clear error queue after calling X509_LOOKUP_load_file()
  tool/sync-with-trunk: 'LASY' -> 'LAST'
  Update .travis.yml and Dockerfile
  test/test_x509store: skip OpenSSL::TestX509Store#test_set_errors
  Fix documentation for OpenSSL::Cipher#final
  Fix typos
  ssl: check return value of SSL_set_fd()
  test/test_ssl: fix typo in test_sysread_and_syswrite
  Fix typos
  test/test_pkey_ec: do not use dummy 0 order

.travis.yml

@@ -24,4 +24,13 @@ matrix:
  - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.3
  - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.4
  - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.5
+ - language: ruby
+ rvm: ruby-head
+ before_install:
+ - "rake install_dependencies"
+ script:
+ - "rake compile -- --enable-debug"
+ - "rake test"
  allow_failures:
+ - language: ruby
+ rvm: ruby-head

History.md

@@ -23,6 +23,53 @@ Deprecations
 ------------
 
 
+Version 2.0.4
+=============
+
+Bug fixes
+---------
+
+* It now compiles with LibreSSL without renaming on Windows (mswin).
+* A workaround for the error queue leak of X509_load_cert_crl_file() that
+ causes random errors is added.
+ [[Bug #11033]](https://bugs.ruby-lang.org/issues/11033)
+
+
+Version 2.0.3
+=============
+
+Bug fixes
+---------
+
+* OpenSSL::ASN1::Constructive#each which was broken by 2.0.0 is fixed.
+ [[ruby/openssl#96]](https://github.com/ruby/openssl/pull/96)
+* Fixed build with static OpenSSL libraries on Windows.
+ [[Bug #13080]](https://bugs.ruby-lang.org/issues/13080)
+* OpenSSL::X509::Name#eql? which was broken by 2.0.0 is fixed.
+
+
+Version 2.0.2
+=============
+
+Bug fixes
+---------
+
+* Fix build with early 0.9.8 series which did not have SSL_CTX_clear_options().
+ [ruby-core:78693]
+
+
+Version 2.0.1
+=============
+
+Bug fixes
+---------
+
+* A GC issue around OpenSSL::BN is fixed.
+ [[ruby/openssl#87]](https://github.com/ruby/openssl/issues/87)
+* OpenSSL::ASN1 now parses BER encoding of GeneralizedTime without seconds.
+ [[ruby/openssl#88]](https://github.com/ruby/openssl/pull/88)
+
+
 Version 2.0.0
 =============
 
@@ -48,7 +95,8 @@ Supported platforms
 Notable changes
 ---------------
 
-* Add support for OpenSSL 1.1.0. [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
+* Add support for OpenSSL 1.1.0.
+ [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
 * Add support for LibreSSL
 
 * OpenSSL::Cipher

ext/openssl/extconf.rb

@@ -36,25 +36,65 @@
 
 Logging::message "=== Checking for required stuff... ===\n"
 result = pkg_config("openssl") && have_header("openssl/ssl.h")
-unless result
+
+def find_openssl_library
  if $mswin || $mingw
  # required for static OpenSSL libraries
  have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen())
  have_library("crypt32")
  end
 
- result = %w[crypto libeay32].any? {|lib| have_library(lib, "CRYPTO_malloc")}
- result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_new")}
- unless result
+ return false unless have_header("openssl/ssl.h")
+
+ ret = have_library("crypto", "CRYPTO_malloc") &&
+ have_library("ssl", "SSL_new")
+ return ret if ret
+
+ if $mswin
+ # OpenSSL >= 1.1.0: libcrypto.lib and libssl.lib.
+ if have_library("libcrypto", "CRYPTO_malloc") &&
+ have_library("libssl", "SSL_new")
+ return true
+ end
+
+ # OpenSSL <= 1.0.2: libeay32.lib and ssleay32.lib.
+ if have_library("libeay32", "CRYPTO_malloc") &&
+ have_library("ssleay32", "SSL_new")
+ return true
+ end
+
+ # LibreSSL: libcrypto-##.lib and libssl-##.lib, where ## is the ABI version
+ # number. We have to find the version number out by scanning libpath.
+ libpath = $LIBPATH.dup
+ libpath |= ENV["LIB"].split(File::PATH_SEPARATOR)
+ libpath.map! { |d| d.tr(File::ALT_SEPARATOR, File::SEPARATOR) }
+
+ ret = [
+ ["crypto", "CRYPTO_malloc"],
+ ["ssl", "SSL_new"]
+ ].all? do |base, func|
+ result = false
+ libs = ["lib#{base}-[0-9][0-9]", "lib#{base}-[0-9][0-9][0-9]"]
+ libs = Dir.glob(libs.map{|l| libpath.map{|d| File.join(d, l + ".*")}}.flatten).map{|path| File.basename(path, ".*")}.uniq
+ libs.each do |lib|
+ result = have_library(lib, func)
+ break if result
+ end
+ result
+ end
+ return ret if ret
+ end
+ return false
+end
+
+unless result
+ unless find_openssl_library
+ Logging::message "=== Checking for required stuff failed. ===\n"
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
  raise "OpenSSL library could not be found. You might want to use " \
  "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
  "is installed."
  end
- unless have_header("openssl/ssl.h")
- raise "OpenSSL library itself was found, but the necessary header files " \
- "are missing. Installing \"development package\" of OpenSSL on your " \
- "system might help."
- end
 end
 
 unless checking_for("OpenSSL version is 1.0.1 or later") {

ext/openssl/ossl_bn.c

@@ -124,7 +124,7 @@ try_convert_to_bn(VALUE obj)
  if (rb_obj_is_kind_of(obj, cBN))
  return obj;
  if (RB_INTEGER_TYPE_P(obj)) {
- newobj = NewBN(cBN); /* Handle potencial mem leaks */
+ newobj = NewBN(cBN); /* Handle potential mem leaks */
  bn = integer_to_bnptr(obj, NULL);
  SetBN(newobj, bn);
  }

ext/openssl/ossl_cipher.c

@@ -23,7 +23,7 @@
 #define GetCipher(obj, ctx) do { \
  GetCipherInit((obj), (ctx)); \
  if (!(ctx)) { \
- ossl_raise(rb_eRuntimeError, "Cipher not inititalized!"); \
+ ossl_raise(rb_eRuntimeError, "Cipher not initialized!"); \
  } \
 } while (0)
 
@@ -118,7 +118,7 @@ ossl_cipher_initialize(VALUE self, VALUE str)
  name = StringValueCStr(str);
  GetCipherInit(self, ctx);
  if (ctx) {
- ossl_raise(rb_eRuntimeError, "Cipher already inititalized!");
+ ossl_raise(rb_eRuntimeError, "Cipher already initialized!");
  }
  AllocCipher(self, ctx);
  if (!(cipher = EVP_get_cipherbyname(name))) {
@@ -414,7 +414,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
  * Returns the remaining data held in the cipher object. Further calls to
  * Cipher#update or Cipher#final will return garbage. This call should always
  * be made as the last call of an encryption or decryption operation, after
- * after having fed the entire plaintext or ciphertext to the Cipher instance.
+ * having fed the entire plaintext or ciphertext to the Cipher instance.
  *
  * If an authenticated cipher was used, a CipherError is raised if the tag
  * could not be authenticated successfully. Only call this method after
@@ -1003,7 +1003,7 @@ Init_ossl_cipher(void)
  * An example using the GCM (Galois/Counter Mode). You have 16 bytes _key_,
  * 12 bytes (96 bits) _nonce_ and the associated data _auth_data_. Be sure
  * not to reuse the _key_ and _nonce_ pair. Reusing an nonce ruins the
- * security gurantees of GCM mode.
+ * security guarantees of GCM mode.
  *
  * cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
  * cipher.key = key

ext/openssl/ossl_ns_spki.c

@@ -322,7 +322,7 @@ ossl_spki_verify(VALUE self, VALUE key)
 
 /* Document-class: OpenSSL::Netscape::SPKI
  *
- * A Simple Public Key Infrastructure implementation (pronounced "spookey").
+ * A Simple Public Key Infrastructure implementation (pronounced "spooky").
  * The structure is defined as
  * PublicKeyAndChallenge ::= SEQUENCE {
  * spki SubjectPublicKeyInfo,
@@ -348,7 +348,7 @@ ossl_spki_verify(VALUE self, VALUE key)
  * spki.public_key = key.public_key
  * spki.sign(key, OpenSSL::Digest::SHA256.new)
  * #send a request containing this to a server generating a certificate
- * === Verifiying an SPKI request
+ * === Verifying an SPKI request
  * request = #...
  * spki = OpenSSL::Netscape::SPKI.new request
  * unless spki.verify(spki.public_key)

ext/openssl/ossl_pkey_ec.c

@@ -284,7 +284,7 @@ ossl_ec_key_get_group(VALUE self)
  * key.group = group
  *
  * Sets the EC::Group for the key. The group structure is internally copied so
- * modifition to _group_ after assigning to a key has no effect on the key.
+ * modification to _group_ after assigning to a key has no effect on the key.
  */
 static VALUE
 ossl_ec_key_set_group(VALUE self, VALUE group_v)
@@ -1585,11 +1585,11 @@ ossl_ec_point_to_bn(int argc, VALUE *argv, VALUE self)
  * Performs elliptic curve point multiplication.
  *
  * The first form calculates <tt>bn1 * point + bn2 * G</tt>, where +G+ is the
- * generator of the group of _point_. _bn2_ may be ommitted, and in that case,
+ * generator of the group of _point_. _bn2_ may be omitted, and in that case,
  * the result is just <tt>bn1 * point</tt>.
  *
  * The second form calculates <tt>bns[0] * point + bns[1] * points[0] + ...
- * + bns[-1] * points[-1] + bn2 * G</tt>. _bn2_ may be ommitted. _bns_ must be
+ * + bns[-1] * points[-1] + bn2 * G</tt>. _bn2_ may be omitted. _bns_ must be
  * an array of OpenSSL::BN. _points_ must be an array of
  * OpenSSL::PKey::EC::Point. Please note that <tt>points[0]</tt> is not
  * multiplied by <tt>bns[0]</tt>, but <tt>bns[1]</tt>.

ext/openssl/ossl_pkey_rsa.c

@@ -706,7 +706,7 @@ Init_ossl_rsa(void)
  /* Document-class: OpenSSL::PKey::RSA
  *
  * RSA is an asymmetric public key algorithm that has been formalized in
- * RFC 3447. It is in widespread use in public key infrastuctures (PKI)
+ * RFC 3447. It is in widespread use in public key infrastructures (PKI)
  * where certificates (cf. OpenSSL::X509::Certificate) often are issued
  * on the basis of a public/private RSA key pair. RSA is used in a wide
  * field of applications such as secure (symmetric) key exchange, e.g.

ext/openssl/ossl_ssl.c

@@ -1466,7 +1466,8 @@ ossl_ssl_setup(VALUE self)
  GetOpenFile(io, fptr);
  rb_io_check_readable(fptr);
  rb_io_check_writable(fptr);
- SSL_set_fd(ssl, TO_SOCKET(fptr->fd));
+ if (!SSL_set_fd(ssl, TO_SOCKET(fptr->fd)))
+ ossl_raise(eSSLError, "SSL_set_fd");
 
  return Qtrue;
 }

ext/openssl/ossl_x509store.c

@@ -313,6 +313,15 @@ ossl_x509store_add_file(VALUE self, VALUE file)
  if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
  ossl_raise(eX509StoreError, NULL);
  }
+#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
+ * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
+ * "cert already in hash table" errors on the error queue, if duplicate
+ * certificates are found. This will be fixed by OpenSSL 1.1.1.
+ */
+ ossl_clear_error();
+#endif
 
  return self;
 }

test/test_pkcs7.rb

@@ -45,7 +45,7 @@ def test_signed
  assert_equal(@ee1_cert.serial, signers[0].serial)
  assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
 
- # Normaly OpenSSL tries to translate the supplied content into canonical
+ # Normally OpenSSL tries to translate the supplied content into canonical
  # MIME format (e.g. a newline character is converted into CR+LF).
  # If the content is a binary, PKCS7::BINARY flag should be used.
 

test/test_pkey_ec.rb

@@ -277,7 +277,7 @@ def test_ec_point_mul
  group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
  group.point_conversion_form = :uncompressed
  gen = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040501", 16))
- group.set_generator(gen, 0, 0)
+ group.set_generator(gen, 19, 1)
 
  # 3 * (6, 3) = (16, 13)
  point_a = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040603", 16))

test/test_ssl.rb

@@ -64,7 +64,7 @@ def test_sysread_and_syswrite
  buf = ""
  ssl.syswrite(str)
  assert_same buf, ssl.sysread(str.size, buf)
- assert_equal(str, newstr)
+ assert_equal(str, buf)
  }
  }
  end

test/test_x509store.rb

@@ -24,6 +24,29 @@ def test_nosegv_on_cleanup
  ctx.verify
  end
 
+ def test_add_file
+ ca_exts = [
+ ["basicConstraints", "CA:TRUE", true],
+ ["keyUsage", "cRLSign,keyCertSign", true],
+ ]
+ cert1 = issue_cert(@ca1, @rsa1024, 1, ca_exts, nil, nil)
+ cert2 = issue_cert(@ca2, @rsa2048, 1, ca_exts, nil, nil)
+ tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f }
+
+ store = OpenSSL::X509::Store.new
+ assert_equal false, store.verify(cert1)
+ assert_equal false, store.verify(cert2)
+ store.add_file(tmpfile.path)
+ assert_equal true, store.verify(cert1)
+ assert_equal true, store.verify(cert2)
+
+ # OpenSSL < 1.1.1 leaks an error on a duplicate certificate
+ assert_nothing_raised { store.add_file(tmpfile.path) }
+ assert_equal [], OpenSSL.errors
+ ensure
+ tmpfile and tmpfile.close!
+ end
+
  def test_verify
  # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME),
  # and there may be difference.
@@ -184,6 +207,7 @@ def test_verify
  end
 
  def test_set_errors
+ return if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000
  now = Time.now
  ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil)
  store = OpenSSL::X509::Store.new

tool/ruby-openssl-docker/Dockerfile

@@ -42,45 +42,45 @@ RUN curl -s https://www.openssl.org/source/openssl-1.0.2k.tar.gz | tar -C /build
  shared linux-x86_64 && \
  make && make install_sw
 
-RUN curl -s https://www.openssl.org/source/openssl-1.1.0d.tar.gz | tar -C /build/openssl -xzf - && \
- cd /build/openssl/openssl-1.1.0d && \
+RUN curl -s https://www.openssl.org/source/openssl-1.1.0e.tar.gz | tar -C /build/openssl -xzf - && \
+ cd /build/openssl/openssl-1.1.0e && \
  ./Configure \
  --prefix=/opt/openssl/openssl-1.1.0 \
  enable-crypto-mdebug enable-crypto-mdebug-backtrace \
  linux-x86_64 && \
  make && make install_sw
 
 # Supported libressl versions: 2.3-
-RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.9.tar.gz | tar -C /build/openssl -xzf -
-RUN cd /build/openssl/libressl-2.3.9 && \
+RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.10.tar.gz | tar -C /build/openssl -xzf -
+RUN cd /build/openssl/libressl-2.3.10 && \
  ./configure \
  --prefix=/opt/openssl/libressl-2.3 && \
  make && make install
 
-RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.4.tar.gz | tar -C /build/openssl -xzf -
-RUN cd /build/openssl/libressl-2.4.4 && \
+RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.5.tar.gz | tar -C /build/openssl -xzf -
+RUN cd /build/openssl/libressl-2.4.5 && \
  ./configure \
  --prefix=/opt/openssl/libressl-2.4 && \
  make && make install
 
-RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.0.tar.gz | tar -C /build/openssl -xzf -
-RUN cd /build/openssl/libressl-2.5.0 && \
+RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4.tar.gz | tar -C /build/openssl -xzf -
+RUN cd /build/openssl/libressl-2.5.4 && \
  ./configure \
  --prefix=/opt/openssl/libressl-2.5 && \
  make && make install
 
 # Supported Ruby versions: 2.3-
 RUN mkdir -p /build/ruby
-RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.3.tar.gz | tar -C /build/ruby -xzf - && \
- cd /build/ruby/ruby-2.3.3 && \
+RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.4.tar.gz | tar -C /build/ruby -xzf - && \
+ cd /build/ruby/ruby-2.3.4 && \
  autoconf && ./configure \
  --without-openssl \
  --prefix=/opt/ruby/ruby-2.3 \
  --disable-install-doc && \
  make && make install
 
-RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.0.tar.gz | tar -C /build/ruby -xzf - && \
- cd /build/ruby/ruby-2.4.0 && \
+RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz | tar -C /build/ruby -xzf - && \
+ cd /build/ruby/ruby-2.4.1 && \
  autoconf && ./configure \
  --without-openssl \
  --prefix=/opt/ruby/ruby-2.4 \