Merge branch 'maint' into ky/test-fixtures-update-2.1

* maint: (108 commits)
  Ruby/OpenSSL 2.1.1
  Ruby/OpenSSL 2.1.0
  Fix test-all tests to avoid creating report_on_exception warnings
  pkey/ec: add support for octet string encoding of EC point
  pkey/ec: rearrange PKey::EC::Point#initialize
  ssl: remove a misleading comment
  test/test_ssl: prevent changing default internal encoding
  Ruby/OpenSSL 2.1.0.beta2
  test/test_x509crl: fix random failure
  test/test_x509cert: fix flaky test
  kdf: add HKDF support
  Drop support for LibreSSL 2.4
  test/test_ssl: fix test_security_level
  ssl: add SSLContext#add_certificate
  test/utils: remove a pointless .public_key call in issue_cert
  test/envutil: port assert_warning from Ruby trunk
  Add RSA sign_pss() and verify_pss() methods
  Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes.
  TLS Fallback Signaling Cipher Suite Value
  buffering: let #write accept multiple arguments
  ...

Author: rhenium

.travis.yml

@@ -19,13 +19,10 @@ matrix:
   include:
     - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.2
-    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.0
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.1
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.2
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.1.0
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.1.1
-    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.3
-    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.4
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.5
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.6
     - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.7

History.md

@@ -1,3 +1,60 @@
+Version 2.1.0
+=============
+
+Notable changes
+---------------
+
+* Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5
+  is removed.
+  [[GitHub #86]](https://github.com/ruby/openssl/pull/86)
+* OpenSSL::BN#negative?, #+@, and #-@ are added.
+* OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
+  certificate verification fails.
+  [[GitHub #99]](https://github.com/ruby/openssl/pull/99)
+* OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved
+  from OpenSSL::PKCS5, scrypt and HKDF are supported.
+  [[GitHub #109]](https://github.com/ruby/openssl/pull/109)
+  [[GitHub #173]](https://github.com/ruby/openssl/pull/173)
+* OpenSSL.fips_mode is added. We had the setter, but not the getter.
+  [[GitHub #125]](https://github.com/ruby/openssl/pull/125)
+* OpenSSL::OCSP::Request#signed? is added.
+* OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
+  no longer wrongly treats the end-of-contents octets as part of the content.
+  OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length.
+  [[GitHub #98]](https://github.com/ruby/openssl/pull/98)
+* OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
+  'loc' and 'set'.
+  [[GitHub #94]](https://github.com/ruby/openssl/issues/94)
+* OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace
+  #ssl_version= that was built on top of the deprecated OpenSSL C API. Use of
+  that method and the constant OpenSSL::SSL::SSLContext::METHODS is now
+  deprecated.
+  [[GitHub #142]](https://github.com/ruby/openssl/pull/142)
+* OpenSSL::X509::Name#to_utf8 is added.
+  [[GitHub #26]](https://github.com/ruby/openssl/issues/26)
+  [[GitHub #143]](https://github.com/ruby/openssl/pull/143)
+* OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be
+  compared with == operator.
+  [[GitHub #161]](https://github.com/ruby/openssl/pull/161)
+* TLS Fallback Signaling Cipher Suite Value (SCSV) support is added.
+  [[GitHub #165]](https://github.com/ruby/openssl/pull/165)
+* Build failure with OpenSSL 1.1 built with no-deprecated is fixed.
+  [[GitHub #160]](https://github.com/ruby/openssl/pull/160)
+* OpenSSL::Buffering#write accepts an arbitrary number of arguments.
+  [[Feature #9323]](https://bugs.ruby-lang.org/issues/9323)
+  [[GitHub #162]](https://github.com/ruby/openssl/pull/162)
+* OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS
+  signature and verification.
+  [[GitHub #75]](https://github.com/ruby/openssl/issues/75)
+  [[GitHub #76]](https://github.com/ruby/openssl/pull/76)
+  [[GitHub #169]](https://github.com/ruby/openssl/pull/169)
+* OpenSSL::SSL::SSLContext#add_certificate is added.
+  [[GitHub #167]](https://github.com/ruby/openssl/pull/167)
+* OpenSSL::PKey::EC::Point#to_octet_string is added.
+  OpenSSL::PKey::EC::Point.new can now take String as the second argument.
+  [[GitHub #177]](https://github.com/ruby/openssl/pull/177)
+
+
 Version 2.0.8
 =============
 

README.md

@@ -27,7 +27,7 @@ Alternatively, you can install the gem with `bundler`:
 # Gemfile
 gem 'openssl'
 # or specify git master
-gem 'openssl', github: 'ruby/openssl'
+gem 'openssl', git: 'https://github.com/ruby/openssl'
 ```
 
 After doing `bundle install`, you should have the gem installed in your bundle.

Rakefile

@@ -20,7 +20,7 @@ RDoc::Task.new do |rdoc|
   rdoc.rdoc_files.include("*.md", "lib/**/*.rb", "ext/**/*.c")
 end
 
-task :test => :debug
+task :test => [:compile, :debug]
 task :debug do
   ruby "-I./lib -ropenssl -ve'puts OpenSSL::OPENSSL_VERSION, OpenSSL::OPENSSL_LIBRARY_VERSION'"
 end
@@ -77,3 +77,5 @@ namespace :sync do
     puts "Don't forget to update ext/openssl/depend"
   end
 end
+
+task :default => :test

ext/openssl/deprecation.rb

@@ -3,9 +3,6 @@ module OpenSSL
   def self.deprecated_warning_flag
     unless flag = (@deprecated_warning_flag ||= nil)
       if try_compile("", flag = "-Werror=deprecated-declarations")
-        if /darwin/ =~ RUBY_PLATFORM and with_config("broken-apple-openssl")
-          flag = "-Wno-deprecated-declarations"
-        end
         $warnflags << " #{flag}"
       else
         flag = ""

ext/openssl/extconf.rb

@@ -94,30 +94,19 @@ def find_openssl_library
   unless find_openssl_library
     Logging::message "=== Checking for required stuff failed. ===\n"
     Logging::message "Makefile wasn't created. Fix the errors above.\n"
-    exit 1
+    raise "OpenSSL library could not be found. You might want to use " \
+      "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
+      "is installed."
   end
 end
 
-result = checking_for("OpenSSL version is 0.9.8 or later") {
-  try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h")
-}
-unless result
-  raise "OpenSSL 0.9.8 or later required."
-end
-
-if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
-  raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')"
+unless checking_for("OpenSSL version is 1.0.1 or later") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
+  raise "OpenSSL >= 1.0.1 or LibreSSL is required"
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
-
-# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
-# like OPENSSL_NO_SSL2 may not be defined.
-have_func("SSLv2_method")
-have_func("SSLv3_method")
-have_func("TLSv1_1_method")
-have_func("TLSv1_2_method")
 have_func("RAND_egd")
 engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
              cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
@@ -129,30 +118,6 @@ def find_openssl_library
   $defs.push("-DNOCRYPT")
 end
 
-# added in 0.9.8X
-have_func("EVP_CIPHER_CTX_new")
-have_func("EVP_CIPHER_CTX_free")
-OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h")
-
-# added in 1.0.0
-have_func("ASN1_TIME_adj")
-have_func("EVP_CIPHER_CTX_copy")
-have_func("EVP_PKEY_base_id")
-have_func("HMAC_CTX_copy")
-have_func("PKCS5_PBKDF2_HMAC")
-have_func("X509_NAME_hash_old")
-have_func("X509_STORE_CTX_get0_current_crl")
-have_func("X509_STORE_set_verify_cb")
-have_func("i2d_ASN1_SET_ANY")
-have_func("SSL_SESSION_cmp") # removed
-OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h")
-have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h")
-have_func("EVP_PKEY_get0")
-
-# added in 1.0.1
-have_func("SSL_CTX_set_next_proto_select_cb")
-have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION")
-
 # added in 1.0.2
 have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")
@@ -199,6 +164,7 @@ def find_openssl_library
 have_func("SSL_CTX_get_security_level")
 have_func("X509_get0_notBefore")
 have_func("SSL_SESSION_get_protocol_version")
+have_func("EVP_PBE_scrypt")
 
 Logging::message "=== Checking done. ===\n"
 

ext/openssl/openssl_missing.c

@@ -20,73 +20,6 @@
 
 #include "openssl_missing.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *
-ossl_EVP_CIPHER_CTX_new(void)
-{
-    EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX));
-    if (!ctx)
-	return NULL;
-    EVP_CIPHER_CTX_init(ctx);
-    return ctx;
-}
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void
-ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
-{
-    if (ctx) {
-	EVP_CIPHER_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
-    }
-}
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-/*
- * this function does not exist in OpenSSL yet... or ever?.
- * a future version may break this function.
- * tested on 0.9.7d.
- */
-int
-ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
-{
-    memcpy(out, in, sizeof(EVP_CIPHER_CTX));
-
-#if !defined(OPENSSL_NO_ENGINE)
-    if (in->engine) ENGINE_add(out->engine);
-    if (in->cipher_data) {
-	out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
-	memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
-    }
-#endif
-
-    return 1;
-}
-#endif
-
-#if !defined(OPENSSL_NO_HMAC)
-#if !defined(HAVE_HMAC_CTX_COPY)
-int
-ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
-{
-    if (!out || !in)
-	return 0;
-
-    memcpy(out, in, sizeof(HMAC_CTX));
-
-    EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx);
-    EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx);
-    EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx);
-
-    return 1;
-}
-#endif /* HAVE_HMAC_CTX_COPY */
-#endif /* NO_HMAC */
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)

ext/openssl/openssl_missing.h

@@ -12,53 +12,6 @@
 
 #include "ruby/config.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void);
-#  define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free
-#endif
-
-#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS)
-#  define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op))
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_PKEY_BASE_ID)
-#  define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy
-#endif
-
-#if !defined(HAVE_HMAC_CTX_COPY)
-int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
-#  define HMAC_CTX_copy ossl_HMAC_CTX_copy
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
-#  define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
-#endif
-
-#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
-#  define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
-#endif
-
-#if !defined(HAVE_I2D_ASN1_SET_ANY)
-#  define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
-		i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
-#endif
-
-#if !defined(HAVE_EVP_PKEY_GET0)
-#  define EVP_PKEY_get0(pk) (pk->pkey.ptr)
-#endif
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)
@@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #undef IMPL_KEY_ACCESSOR3
 #endif /* HAVE_OPAQUE_OPENSSL */
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
+#if !defined(EVP_CTRL_AEAD_GET_TAG)
 #  define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
 #  define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
 #  define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
@@ -256,6 +209,10 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #  define X509_get0_notAfter(x) X509_get_notAfter(x)
 #  define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
 #  define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
+#  define X509_set1_notBefore(x, t) X509_set_notBefore(x, t)
+#  define X509_set1_notAfter(x, t) X509_set_notAfter(x, t)
+#  define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t)
+#  define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t)
 #endif
 
 #if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)