openssl: merge changes in v2.1.1

Commits in upstream repository since v2.1.0 can be found at: https://github.com/ruby/openssl/compare/v2.1.0...v2.1.1 ---------------------------------------------------------------- Kazuki Yamaguchi (7): test/utils: disable Thread's report_on_exception in start_server cipher: validate iterations argument for Cipher#pkcs5_keyivgen extconf.rb: fix build with LibreSSL 2.7.0 test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1 test/test_ssl_session: set client protocol version explicitly Ruby/OpenSSL 2.0.8 Ruby/OpenSSL 2.1.1 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63406 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2018-05-12 07:33:53 +00:00 · 2018-05-12 07:33:53 +00:00 · 961cbe5262
commit 961cbe5262
parent 23666ac1c1
8 changed files with 45 additions and 12 deletions
--- a/ext/openssl/History.md
+++ b/ext/openssl/History.md
@ -55,6 +55,20 @@ Notable changes
  [[GitHub #177]](https://github.com/ruby/openssl/pull/177)


+Version 2.0.8
+=============
+
+Bug fixes
+---------
+
+* OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration
+  count is given.
+  [[GitHub #184]](https://github.com/ruby/openssl/pull/184)
+* Fixed build with LibreSSL 2.7.
+  [[GitHub #192]](https://github.com/ruby/openssl/issues/192)
+  [[GitHub #193]](https://github.com/ruby/openssl/pull/193)
+
+
 Version 2.0.7
 =============

--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@ -125,8 +125,11 @@ OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
 have_func("SSL_is_server")

 # added in 1.1.0
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
+    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+  $defs.push("-DHAVE_OPAQUE_OPENSSL")
+end
 have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
-have_struct_member("SSL", "ctx", "openssl/ssl.h") || $defs.push("-DHAVE_OPAQUE_OPENSSL")
 have_func("BN_GENCB_new")
 have_func("BN_GENCB_free")
 have_func("BN_GENCB_get_arg")
--- a/ext/openssl/openssl.gemspec
+++ b/ext/openssl/openssl.gemspec
@ -1,16 +1,16 @@
 # -*- encoding: utf-8 -*-
-# stub: openssl 2.1.0 ruby lib
+# stub: openssl 2.1.1 ruby lib
 # stub: ext/openssl/extconf.rb

 Gem::Specification.new do |s|
  s.name = "openssl".freeze
-  s.version = "2.1.0"
+  s.version = "2.1.1"

  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
  s.metadata = { "msys2_mingw_dependencies" => "openssl" } if s.respond_to? :metadata=
  s.require_paths = ["lib".freeze]
  s.authors = ["Martin Bosslet".freeze, "SHIBATA Hiroshi".freeze, "Zachary Scott".freeze, "Kazuki Yamaguchi".freeze]
-  s.date = "2017-12-14"
+  s.date = "2018-05-12"
  s.description = "It wraps the OpenSSL library.".freeze
  s.email = ["ruby-core@ruby-lang.org".freeze]
  s.extensions = ["ext/openssl/extconf.rb".freeze]
@ -20,7 +20,7 @@ Gem::Specification.new do |s|
  s.licenses = ["Ruby".freeze]
  s.rdoc_options = ["--main".freeze, "README.md".freeze]
  s.required_ruby_version = Gem::Requirement.new(">= 2.3.0".freeze)
-  s.rubygems_version = "2.7.3".freeze
+  s.rubygems_version = "2.7.6".freeze
  s.summary = "OpenSSL provides SSL, TLS and general purpose cryptography.".freeze

  if s.respond_to? :specification_version then
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@ -317,6 +317,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
 	salt = (unsigned char *)RSTRING_PTR(vsalt);
    }
    iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
+    if (iter <= 0)
+	rb_raise(rb_eArgError, "iterations must be a positive integer");
    digest = NIL_P(vdigest) ? EVP_md5() : ossl_evp_get_digestbyname(vdigest);
    GetCipher(self, ctx);
    EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt,
--- a/ext/openssl/ossl_version.h
+++ b/ext/openssl/ossl_version.h
@ -10,6 +10,6 @@
 #if !defined(_OSSL_VERSION_H_)
 #define _OSSL_VERSION_H_

-#define OSSL_VERSION "2.1.0"
+#define OSSL_VERSION "2.1.1"

 #endif /* _OSSL_VERSION_H_ */
--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@ -44,6 +44,9 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
    s2 = cipher.update(pt) << cipher.final

    assert_equal s1, s2
+
+    cipher2 = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
+    assert_raise(ArgumentError) { cipher2.pkcs5_keyivgen(pass, salt, -1, "MD5") }
  end

  def test_info
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@ -60,6 +60,13 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
    end
  end

+  def test_generate
+    key = OpenSSL::PKey::RSA.generate(512, 17)
+    assert_equal 512, key.n.num_bits
+    assert_equal 17, key.e
+    assert_not_nil key.d
+  end
+
  def test_new_break
    assert_nil(OpenSSL::PKey::RSA.new(1024) { break })
    assert_raise(RuntimeError) do
@ -289,7 +296,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
  end

  def test_dup
-    key = OpenSSL::PKey::RSA.generate(256, 17)
+    key = Fixtures.pkey("rsa1024")
    key2 = key.dup
    assert_equal key.params, key2.params
    key2.set_key(key2.n, 3, key2.d)
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@ -198,7 +198,9 @@ __EOS__
      first_session = nil
      10.times do |i|
        connections = i
-        server_connect_with_session(port, nil, first_session) { |ssl|
+        cctx = OpenSSL::SSL::SSLContext.new
+        cctx.ssl_version = :TLSv1_2
+        server_connect_with_session(port, cctx, first_session) { |ssl|
          ssl.puts("abc"); assert_equal "abc\n", ssl.gets
          first_session ||= ssl.session

@ -257,6 +259,8 @@ __EOS__

    connections = nil
    called = {}
+    cctx = OpenSSL::SSL::SSLContext.new
+    cctx.ssl_version = :TLSv1_2
    sctx = nil
    ctx_proc = Proc.new { |ctx|
      sctx = ctx
@ -292,7 +296,7 @@ __EOS__
    }
    start_server(ctx_proc: ctx_proc) do |port|
      connections = 0
-      sess0 = server_connect_with_session(port, nil, nil) { |ssl|
+      sess0 = server_connect_with_session(port, cctx, nil) { |ssl|
        ssl.puts("abc"); assert_equal "abc\n", ssl.gets
        assert_equal false, ssl.session_reused?
        ssl.session
@ -307,7 +311,7 @@ __EOS__

      # Internal cache hit
      connections = 1
-      server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      server_connect_with_session(port, cctx, sess0.dup) { |ssl|
        ssl.puts("abc"); assert_equal "abc\n", ssl.gets
        assert_equal true, ssl.session_reused?
        ssl.session
@ -328,7 +332,7 @@ __EOS__

      # External cache hit
      connections = 2
-      sess2 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      sess2 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
        ssl.puts("abc"); assert_equal "abc\n", ssl.gets
        if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7)
          # OpenSSL >= 1.1.0, < 1.1.0g
@ -355,7 +359,7 @@ __EOS__

      # Cache miss
      connections = 3
-      sess3 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      sess3 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
        ssl.puts("abc"); assert_equal "abc\n", ssl.gets
        assert_equal false, ssl.session_reused?
        ssl.session