Merge branch 'maint'

* maint:
  Ruby/OpenSSL 2.0.5
  ssl: fix compile error with OpenSSL 1.0.0
  ssl: remove unsupported TLS versions from SSLContext::METHODS
  Add msys2 library dependency tag in gem metadata
  ossl_pem_passwd_cb: handle nil from the block explicitly
  ossl_pem_passwd_cb: do not check for taintedness
  ossl_pem_passwd_cb: relax passphrase length constraint
  appveyor.yml: test against Ruby 2.4
  Rakefile: install_dependencies: install only when needed
  bio: do not use the FILE BIO method in ossl_obj2bio()
  bio: prevent possible GC issue in ossl_obj2bio()
  test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params

Author: rhenium

History.md

@@ -23,6 +23,19 @@ Deprecations
 ------------
 
 
+Version 2.0.5
+=============
+
+Bug fixes
+---------
+
+* Reading a PEM/DER-encoded private key or certificate from an IO object did
+  not work properly on mswin platforms.
+  [[ruby/openssl#128]](https://github.com/ruby/openssl/issues/128)
+* Broken length check in the PEM passphrase callback is fixed.
+* It failed to compile when OpenSSL is configured without TLS 1.0 support.
+
+
 Version 2.0.4
 =============
 

Rakefile

@@ -34,8 +34,13 @@ task :install_dependencies do
   gemspec = eval(File.read("openssl.gemspec"))
   gemspec.development_dependencies.each do |dep|
     print "Installing #{dep.name} (#{dep.requirement}) ... "
-    gem = Gem.install(dep.name, dep.requirement, force: true)
-    puts "#{gem[0].version}"
+    installed = dep.matching_specs
+    if installed.empty?
+      installed = Gem.install(dep.name, dep.requirement)
+      puts "#{installed[0].version}"
+    else
+      puts "(found #{installed[0].version})"
+    end
   end
 end
 

appveyor.yml

@@ -1,16 +1,27 @@
 ---
 clone_depth: 10
 install:
-  - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
-  - appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.2j-x64-windows.tar.lzma
-  - 7z e openssl-1.0.2j-x64-windows.tar.lzma
-  - 7z x -y -oC:\Ruby%ruby_version% openssl-1.0.2j-x64-windows.tar
-  - ruby -S rake install_dependencies
+  - ps: |
+      $Env:PATH = "C:\Ruby${Env:ruby_version}\bin;${Env:PATH}"
+      if ($Env:ruby_version -match "^23" ) {
+        # RubyInstaller; download OpenSSL headers from OpenKnapsack Project
+        $Env:openssl_dir = "C:\Ruby${Env:ruby_version}"
+        appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.2j-x64-windows.tar.lzma
+        7z e openssl-1.0.2j-x64-windows.tar.lzma
+        7z x -y -oC:\Ruby${Env:ruby_version} openssl-1.0.2j-x64-windows.tar
+      } else {
+        # RubyInstaller2; openssl package seems to be installed already
+        $Env:openssl_dir = "C:\msys64\mingw64"
+      }
+  - ruby -v
+  - openssl version
+  - rake install_dependencies
 build_script:
-  - rake -rdevkit compile -- --with-openssl-dir=C:\Ruby%ruby_version% --enable-debug
+  - rake -rdevkit compile -- --with-openssl-dir=%openssl_dir% --enable-debug
 test_script:
   - rake test OSSL_MDEBUG=1
 deploy: off
 environment:
   matrix:
-    - ruby_version: "23-x64"
+    - ruby_version: "23-x64" # RI
+    - ruby_version: "24-x64" # RI2

ext/openssl/ossl.c

@@ -147,13 +147,6 @@ ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
 /*
  * our default PEM callback
  */
-
-/*
- * OpenSSL requires passwords for PEM-encoded files to be at least four
- * characters long. See crypto/pem/pem_lib.c (as of 1.0.2h)
- */
-#define OSSL_MIN_PWD_LEN 4
-
 VALUE
 ossl_pem_passwd_value(VALUE pass)
 {
@@ -162,8 +155,6 @@ ossl_pem_passwd_value(VALUE pass)
 
     StringValue(pass);
 
-    if (RSTRING_LEN(pass) < OSSL_MIN_PWD_LEN)
-	ossl_raise(eOSSLError, "password must be at least %d bytes", OSSL_MIN_PWD_LEN);
     /* PEM_BUFSIZE is currently used as the second argument of pem_password_cb,
      * that is +max_len+ of ossl_pem_passwd_cb() */
     if (RSTRING_LEN(pass) > PEM_BUFSIZE)
@@ -175,11 +166,10 @@ ossl_pem_passwd_value(VALUE pass)
 static VALUE
 ossl_pem_passwd_cb0(VALUE flag)
 {
-    VALUE pass;
-
-    pass = rb_yield(flag);
-    SafeStringValue(pass);
-
+    VALUE pass = rb_yield(flag);
+    if (NIL_P(pass))
+	return Qnil;
+    StringValue(pass);
     return pass;
 }
 
@@ -196,7 +186,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
 	 * bytes silently if the input is over 1024 bytes */
 	if (RB_TYPE_P(pass, T_STRING)) {
 	    len = RSTRING_LEN(pass);
-	    if (len >= OSSL_MIN_PWD_LEN && len <= max_len) {
+	    if (len <= max_len) {
 		memcpy(buf, RSTRING_PTR(pass), len);
 		return (int)len;
 	    }
@@ -222,11 +212,9 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
 	    rb_set_errinfo(Qnil);
 	    return -1;
 	}
+	if (NIL_P(pass))
+	    return -1;
 	len = RSTRING_LEN(pass);
-	if (len < OSSL_MIN_PWD_LEN) {
-	    rb_warning("password must be at least %d bytes", OSSL_MIN_PWD_LEN);
-	    continue;
-	}
 	if (len > max_len) {
 	    rb_warning("password must not be longer than %d bytes", max_len);
 	    continue;

ext/openssl/ossl_bio.c

@@ -10,37 +10,18 @@
 #include "ossl.h"
 
 BIO *
-ossl_obj2bio(VALUE obj)
+ossl_obj2bio(volatile VALUE *pobj)
 {
+    VALUE obj = *pobj;
     BIO *bio;
 
-    if (RB_TYPE_P(obj, T_FILE)) {
-	rb_io_t *fptr;
-	FILE *fp;
-	int fd;
-
-	GetOpenFile(obj, fptr);
-	rb_io_check_readable(fptr);
-	if ((fd = rb_cloexec_dup(fptr->fd)) < 0){
-	    rb_sys_fail(0);
-	}
-        rb_update_max_fd(fd);
-	if (!(fp = fdopen(fd, "r"))){
-	    int e = errno;
-	    close(fd);
-	    rb_syserr_fail(e, 0);
-	}
-	if (!(bio = BIO_new_fp(fp, BIO_CLOSE))){
-	    fclose(fp);
-	    ossl_raise(eOSSLError, NULL);
-	}
-    }
-    else {
-	StringValue(obj);
-	bio = BIO_new_mem_buf(RSTRING_PTR(obj), RSTRING_LENINT(obj));
-	if (!bio) ossl_raise(eOSSLError, NULL);
-    }
-
+    if (RB_TYPE_P(obj, T_FILE))
+	obj = rb_funcallv(obj, rb_intern("read"), 0, NULL);
+    StringValue(obj);
+    bio = BIO_new_mem_buf(RSTRING_PTR(obj), RSTRING_LENINT(obj));
+    if (!bio)
+	ossl_raise(eOSSLError, "BIO_new_mem_buf");
+    *pobj = obj;
     return bio;
 }
 

ext/openssl/ossl_bio.h

@@ -10,7 +10,7 @@
 #if !defined(_OSSL_BIO_H_)
 #define _OSSL_BIO_H_
 
-BIO *ossl_obj2bio(VALUE);
+BIO *ossl_obj2bio(volatile VALUE *);
 VALUE ossl_membio2str(BIO*);
 
 #endif

ext/openssl/ossl_config.c

@@ -41,7 +41,7 @@ DupConfigPtr(VALUE obj)
 
     OSSL_Check_Kind(obj, cConfig);
     str = rb_funcall(obj, rb_intern("to_s"), 0);
-    bio = ossl_obj2bio(str);
+    bio = ossl_obj2bio(&str);
     conf = NCONF_new(NULL);
     if(!conf){
 	BIO_free(bio);

ext/openssl/ossl_pkcs12.c

@@ -173,7 +173,7 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
 
     if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) return self;
     passphrase = NIL_P(pass) ? NULL : StringValueCStr(pass);
-    in = ossl_obj2bio(arg);
+    in = ossl_obj2bio(&arg);
     d2i_PKCS12_bio(in, &pkcs);
     DATA_PTR(self) = pkcs;
     BIO_free(in);

ext/openssl/ossl_pkcs7.c

@@ -197,7 +197,7 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
     VALUE ret, data;
 
     ret = NewPKCS7(cPKCS7);
-    in = ossl_obj2bio(arg);
+    in = ossl_obj2bio(&arg);
     out = NULL;
     pkcs7 = SMIME_read_PKCS7(in, &out);
     BIO_free(in);
@@ -229,7 +229,7 @@ ossl_pkcs7_s_write_smime(int argc, VALUE *argv, VALUE klass)
     GetPKCS7(pkcs7, p7);
     if(!NIL_P(data) && PKCS7_is_detached(p7))
 	flg |= PKCS7_DETACHED;
-    in = NIL_P(data) ? NULL : ossl_obj2bio(data);
+    in = NIL_P(data) ? NULL : ossl_obj2bio(&data);
     if(!(out = BIO_new(BIO_s_mem()))){
         BIO_free(in);
         ossl_raise(ePKCS7Error, NULL);
@@ -266,7 +266,7 @@ ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     ret = NewPKCS7(cPKCS7);
-    in = ossl_obj2bio(data);
+    in = ossl_obj2bio(&data);
     if(NIL_P(certs)) x509s = NULL;
     else{
 	x509s = ossl_protect_x509_ary2sk(certs, &status);
@@ -322,7 +322,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
     else ciph = ossl_evp_get_cipherbyname(cipher);
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     ret = NewPKCS7(cPKCS7);
-    in = ossl_obj2bio(data);
+    in = ossl_obj2bio(&data);
     x509s = ossl_protect_x509_ary2sk(certs, &status);
     if(status){
 	BIO_free(in);
@@ -373,7 +373,7 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
     if(rb_scan_args(argc, argv, "01", &arg) == 0)
 	return self;
     arg = ossl_to_der_if_possible(arg);
-    in = ossl_obj2bio(arg);
+    in = ossl_obj2bio(&arg);
     p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL);
     if (!p7) {
 	OSSL_BIO_reset(in);
@@ -765,7 +765,7 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
     x509st = GetX509StorePtr(store);
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
-    in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
+    in = NIL_P(indata) ? NULL : ossl_obj2bio(&indata);
     if(NIL_P(certs)) x509s = NULL;
     else{
 	x509s = ossl_protect_x509_ary2sk(certs, &status);
@@ -832,7 +832,7 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
 	if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
 	    ossl_raise(ePKCS7Error, NULL);
     }
-    in = ossl_obj2bio(data);
+    in = ossl_obj2bio(&data);
     if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
     for(;;){
 	if((len = BIO_read(in, buf, sizeof(buf))) <= 0)

ext/openssl/ossl_pkey.c

@@ -144,7 +144,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
     rb_scan_args(argc, argv, "11", &data, &pass);
     pass = ossl_pem_passwd_value(pass);
 
-    bio = ossl_obj2bio(data);
+    bio = ossl_obj2bio(&data);
     if (!(pkey = d2i_PrivateKey_bio(bio, NULL))) {
 	OSSL_BIO_reset(bio);
 	if (!(pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, (void *)pass))) {