openssl 2.0.0.beta.2 → 2.0.0

data/ext/openssl/ossl_pkey.h

@@ -48,7 +48,6 @@ int ossl_generate_cb_2(int p, int n, BN_GENCB *cb);
 void ossl_generate_cb_stop(void *ptr);
 
 VALUE ossl_pkey_new(EVP_PKEY *);
-VALUE ossl_pkey_new_from_file(VALUE);
 EVP_PKEY *GetPKeyPtr(VALUE);
 EVP_PKEY *DupPKeyPtr(VALUE);
 EVP_PKEY *GetPrivPKeyPtr(VALUE);

data/ext/openssl/ossl_pkey_dh.c

@@ -460,7 +460,7 @@ ossl_dh_to_public_key(VALUE self)
 
     GetDH(self, orig_dh);
     dh = DHparams_dup(orig_dh); /* err check perfomed by dh_instance */
-    obj = dh_instance(CLASS_OF(self), dh);
+    obj = dh_instance(rb_obj_class(self), dh);
     if (obj == Qfalse) {
 	DH_free(dh);
 	ossl_raise(eDHError, NULL);

data/ext/openssl/ossl_pkey_dsa.c

@@ -491,7 +491,7 @@ ossl_dsa_to_public_key(VALUE self)
 	(i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
     dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
 #undef DSAPublicKey_dup
-    obj = dsa_instance(CLASS_OF(self), dsa);
+    obj = dsa_instance(rb_obj_class(self), dsa);
     if (obj == Qfalse) {
 	DSA_free(dsa);
 	ossl_raise(eDSAError, NULL);
@@ -499,8 +499,6 @@ ossl_dsa_to_public_key(VALUE self)
     return obj;
 }
 
-#define ossl_dsa_buf_size(dsa) (DSA_size(dsa) + 16)
-
 /*
  *  call-seq:
  *    dsa.syssign(string) -> aString
@@ -535,7 +533,7 @@ ossl_dsa_sign(VALUE self, VALUE data)
     if (!DSA_PRIVATE(self, dsa))
 	ossl_raise(eDSAError, "Private DSA key needed!");
     StringValue(data);
-    str = rb_str_new(0, ossl_dsa_buf_size(dsa));
+    str = rb_str_new(0, DSA_size(dsa));
     if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
 		  (unsigned char *)RSTRING_PTR(str),
 		  &buf_len, dsa)) { /* type is ignored (0) */

data/ext/openssl/ossl_pkey_ec.c

@@ -643,11 +643,10 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
     if (EC_KEY_get0_private_key(ec) == NULL)
 	ossl_raise(eECError, "Private EC key needed!");
 
-    str = rb_str_new(0, ECDSA_size(ec) + 16);
+    str = rb_str_new(0, ECDSA_size(ec));
     if (ECDSA_sign(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(str), &buf_len, ec) != 1)
-         ossl_raise(eECError, "ECDSA_sign");
-
-    rb_str_resize(str, buf_len);
+	ossl_raise(eECError, "ECDSA_sign");
+    rb_str_set_len(str, buf_len);
 
     return str;
 }
@@ -1106,6 +1105,22 @@ static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
    return ID2SYM(ret);
 }
 
+static point_conversion_form_t
+parse_point_conversion_form_symbol(VALUE sym)
+{
+    ID id = SYM2ID(sym);
+
+    if (id == ID_uncompressed)
+	return POINT_CONVERSION_UNCOMPRESSED;
+    else if (id == ID_compressed)
+	return POINT_CONVERSION_COMPRESSED;
+    else if (id == ID_hybrid)
+	return POINT_CONVERSION_HYBRID;
+    else
+	ossl_raise(rb_eArgError, "unsupported point conversion form %+"PRIsVALUE
+		   " (expected :compressed, :uncompressed, or :hybrid)", sym);
+}
+
 /*
  * call-seq:
  *   group.point_conversion_form = form
@@ -1125,23 +1140,14 @@ static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
  *
  * See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
  */
-static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
+static VALUE
+ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
 {
-    EC_GROUP *group = NULL;
+    EC_GROUP *group;
     point_conversion_form_t form;
-    ID form_id = SYM2ID(form_v);
 
     GetECGroup(self, group);
-
-    if (form_id == ID_uncompressed) {
-        form = POINT_CONVERSION_UNCOMPRESSED;
-    } else if (form_id == ID_compressed) {
-        form = POINT_CONVERSION_COMPRESSED;
-    } else if (form_id == ID_hybrid) {
-        form = POINT_CONVERSION_HYBRID;
-    } else {
-        ossl_raise(rb_eArgError, "form must be :compressed, :uncompressed, or :hybrid");
-    }
+    form = parse_point_conversion_form_symbol(form_v);
 
     EC_GROUP_set_point_conversion_form(group, form);
 
@@ -1191,7 +1197,7 @@ static VALUE ossl_ec_group_set_seed(VALUE self, VALUE seed)
 
 /*
  * call-seq:
- *   group.degree   => Fixnum
+ *   group.degree   => integer
  *
  * See the OpenSSL documentation for EC_GROUP_get_degree()
  */
@@ -1549,22 +1555,30 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
 
 /*
  * call-seq:
- *   point.to_bn   => OpenSSL::BN
+ *   point.to_bn(conversion_form = nil) => OpenSSL::BN
+ *
+ * Convert the EC point into an octet string and store in an OpenSSL::BN. If
+ * +conversion_form+ is given, the point data is converted using the specified
+ * form. If not given, the default form set in the EC::Group object is used.
  *
- *  See the OpenSSL documentation for EC_POINT_point2bn()
+ * See also EC::Point#point_conversion_form=.
  */
-static VALUE ossl_ec_point_to_bn(VALUE self)
+static VALUE
+ossl_ec_point_to_bn(int argc, VALUE *argv, VALUE self)
 {
     EC_POINT *point;
-    VALUE bn_obj;
+    VALUE form_obj, bn_obj;
     const EC_GROUP *group;
     point_conversion_form_t form;
     BIGNUM *bn;
 
     GetECPoint(self, point);
     GetECPointGroup(self, group);
-
-    form = EC_GROUP_get_point_conversion_form(group);
+    rb_scan_args(argc, argv, "01", &form_obj);
+    if (NIL_P(form_obj))
+	form = EC_GROUP_get_point_conversion_form(group);
+    else
+	form = parse_point_conversion_form_symbol(form_obj);
 
     bn_obj = rb_obj_alloc(cBN);
     bn = GetBNPtr(bn_obj);
@@ -1793,7 +1807,7 @@ void Init_ossl_ec(void)
     rb_define_method(cEC_POINT, "set_to_infinity!", ossl_ec_point_set_to_infinity, 0);
 /* all the other methods */
 
-    rb_define_method(cEC_POINT, "to_bn", ossl_ec_point_to_bn, 0);
+    rb_define_method(cEC_POINT, "to_bn", ossl_ec_point_to_bn, -1);
     rb_define_method(cEC_POINT, "mul", ossl_ec_point_mul, -1);
 
     id_i_group = rb_intern("@group");

data/ext/openssl/ossl_pkey_rsa.c

@@ -404,8 +404,6 @@ ossl_rsa_to_der(VALUE self)
     return str;
 }
 
-#define ossl_rsa_buf_size(rsa) (RSA_size(rsa)+16)
-
 /*
  * call-seq:
  *   rsa.public_encrypt(string)          => String
@@ -429,7 +427,7 @@ ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self)
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
-    str = rb_str_new(0, ossl_rsa_buf_size(rsa));
+    str = rb_str_new(0, RSA_size(rsa));
     buf_len = RSA_public_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
 				 (unsigned char *)RSTRING_PTR(str), rsa, pad);
     if (buf_len < 0) ossl_raise(eRSAError, NULL);
@@ -461,7 +459,7 @@ ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self)
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
-    str = rb_str_new(0, ossl_rsa_buf_size(rsa));
+    str = rb_str_new(0, RSA_size(rsa));
     buf_len = RSA_public_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
 				 (unsigned char *)RSTRING_PTR(str), rsa, pad);
     if (buf_len < 0) ossl_raise(eRSAError, NULL);
@@ -495,7 +493,7 @@ ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
-    str = rb_str_new(0, ossl_rsa_buf_size(rsa));
+    str = rb_str_new(0, RSA_size(rsa));
     buf_len = RSA_private_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
 				  (unsigned char *)RSTRING_PTR(str), rsa, pad);
     if (buf_len < 0) ossl_raise(eRSAError, NULL);
@@ -529,7 +527,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
-    str = rb_str_new(0, ossl_rsa_buf_size(rsa));
+    str = rb_str_new(0, RSA_size(rsa));
     buf_len = RSA_private_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
 				  (unsigned char *)RSTRING_PTR(str), rsa, pad);
     if (buf_len < 0) ossl_raise(eRSAError, NULL);
@@ -620,7 +618,7 @@ ossl_rsa_to_public_key(VALUE self)
     GetPKeyRSA(self, pkey);
     /* err check performed by rsa_instance */
     rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
-    obj = rsa_instance(CLASS_OF(self), rsa);
+    obj = rsa_instance(rb_obj_class(self), rsa);
     if (obj == Qfalse) {
 	RSA_free(rsa);
 	ossl_raise(eRSAError, NULL);

data/ext/openssl/ossl_ssl.c

@@ -11,10 +11,6 @@
  */
 #include "ossl.h"
 
-#if defined(HAVE_UNISTD_H)
-#  include <unistd.h> /* for read(), and write() */
-#endif
-
 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
 
 #ifdef _WIN32
@@ -36,7 +32,7 @@ VALUE cSSLSocket;
 static VALUE eSSLErrorWaitReadable;
 static VALUE eSSLErrorWaitWritable;
 
-static ID ID_callback_state;
+static ID ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback;
 static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
 
 static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -223,69 +219,90 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
     return 1;
 }
 
-#if !defined(OPENSSL_NO_DH)
-static VALUE
-ossl_call_tmp_dh_callback(VALUE args)
+#if !defined(OPENSSL_NO_DH) || \
+    !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
+struct tmp_dh_callback_args {
+    VALUE ssl_obj;
+    ID id;
+    int type;
+    int is_export;
+    int keylength;
+};
+
+static EVP_PKEY *
+ossl_call_tmp_dh_callback(struct tmp_dh_callback_args *args)
 {
     VALUE cb, dh;
     EVP_PKEY *pkey;
 
-    cb = rb_funcall(rb_ary_entry(args, 0), rb_intern("tmp_dh_callback"), 0);
-
-    if (NIL_P(cb)) return Qfalse;
-    dh = rb_apply(cb, rb_intern("call"), args);
+    cb = rb_funcall(args->ssl_obj, args->id, 0);
+    if (NIL_P(cb))
+	return NULL;
+    dh = rb_funcall(cb, rb_intern("call"), 3,
+		    args->ssl_obj, INT2NUM(args->is_export), INT2NUM(args->keylength));
     pkey = GetPKeyPtr(dh);
-    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) return Qfalse;
+    if (EVP_PKEY_base_id(pkey) != args->type)
+	return NULL;
 
-    return dh;
+    return pkey;
 }
+#endif
 
-static DH*
+#if !defined(OPENSSL_NO_DH)
+static DH *
 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
 {
-    VALUE args, dh, rb_ssl;
+    VALUE rb_ssl;
+    EVP_PKEY *pkey;
+    struct tmp_dh_callback_args args;
+    int state;
 
     rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+    args.ssl_obj = rb_ssl;
+    args.id = id_tmp_dh_callback;
+    args.is_export = is_export;
+    args.keylength = keylength;
+    args.type = EVP_PKEY_DH;
+
+    pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
+				  (VALUE)&args, &state);
+    if (state) {
+	rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
+	return NULL;
+    }
+    if (!pkey)
+	return NULL;
 
-    args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
-
-    dh = rb_protect(ossl_call_tmp_dh_callback, args, NULL);
-    if (!RTEST(dh)) return NULL;
-
-    return EVP_PKEY_get0_DH(GetPKeyPtr(dh));
+    return EVP_PKEY_get0_DH(pkey);
 }
 #endif /* OPENSSL_NO_DH */
 
 #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
-static VALUE
-ossl_call_tmp_ecdh_callback(VALUE args)
-{
-    VALUE cb, ecdh;
-    EVP_PKEY *pkey;
-
-    cb = rb_funcall(rb_ary_entry(args, 0), rb_intern("tmp_ecdh_callback"), 0);
-
-    if (NIL_P(cb)) return Qfalse;
-    ecdh = rb_apply(cb, rb_intern("call"), args);
-    pkey = GetPKeyPtr(ecdh);
-    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) return Qfalse;
-
-    return ecdh;
-}
-
-static EC_KEY*
+static EC_KEY *
 ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
 {
-    VALUE args, ecdh, rb_ssl;
+    VALUE rb_ssl;
+    EVP_PKEY *pkey;
+    struct tmp_dh_callback_args args;
+    int state;
 
     rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+    args.ssl_obj = rb_ssl;
+    args.id = id_tmp_ecdh_callback;
+    args.is_export = is_export;
+    args.keylength = keylength;
+    args.type = EVP_PKEY_EC;
+
+    pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
+				  (VALUE)&args, &state);
+    if (state) {
+	rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
+	return NULL;
+    }
+    if (!pkey)
+	return NULL;
 
-    args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
-
-    ecdh = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL);
-    if (!RTEST(ecdh)) return NULL;
-
-    return EVP_PKEY_get0_EC_KEY(GetPKeyPtr(ecdh));
+    return EVP_PKEY_get0_EC_KEY(pkey);
 }
 #endif
 
@@ -636,7 +653,11 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
 {
     VALUE selected;
     int status;
-    struct npn_select_cb_common_args args = { cb, in, inlen };
+    struct npn_select_cb_common_args args;
+
+    args.cb = cb;
+    args.in = in;
+    args.inlen = inlen;
 
     selected = rb_protect(npn_select_cb_common_i, (VALUE)&args, &status);
     if (status) {
@@ -1372,24 +1393,6 @@ ssl_started(SSL *ssl)
     return SSL_get_fd(ssl) >= 0;
 }
 
-static void
-ossl_ssl_shutdown(SSL *ssl)
-{
-    int i;
-
-    /* 4 is from SSL_smart_shutdown() of mod_ssl.c (v2.2.19) */
-    /* It says max 2x pending + 2x data = 4 */
-    for (i = 0; i < 4; ++i) {
-	/*
-	 * Ignore the case SSL_shutdown returns -1. Empty handshake_func
-	 * must not happen.
-	 */
-	if (SSL_shutdown(ssl) != 0)
-	    break;
-    }
-    ossl_clear_error();
-}
-
 static void
 ossl_ssl_free(void *ssl)
 {
@@ -1492,19 +1495,15 @@ ossl_ssl_setup(VALUE self)
 static void
 write_would_block(int nonblock)
 {
-    if (nonblock) {
-        VALUE exc = ossl_exc_new(eSSLErrorWaitWritable, "write would block");
-        rb_exc_raise(exc);
-    }
+    if (nonblock)
+	ossl_raise(eSSLErrorWaitWritable, "write would block");
 }
 
 static void
 read_would_block(int nonblock)
 {
-    if (nonblock) {
-        VALUE exc = ossl_exc_new(eSSLErrorWaitReadable, "read would block");
-        rb_exc_raise(exc);
-    }
+    if (nonblock)
+	ossl_raise(eSSLErrorWaitReadable, "read would block");
 }
 
 static int
@@ -1710,11 +1709,21 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
                 rb_io_wait_readable(FPTR_TO_FD(fptr));
 		continue;
 	    case SSL_ERROR_SYSCALL:
-		if(ERR_peek_error() == 0 && nread == 0) {
-		    if (no_exception_p(opts)) { return Qnil; }
-		    rb_eof_error();
+		if (!ERR_peek_error()) {
+		    if (errno)
+			rb_sys_fail(0);
+		    else {
+			/*
+			 * The underlying BIO returned 0. This is actually a
+			 * protocol error. But unfortunately, not all
+			 * implementations cleanly shutdown the TLS connection
+			 * but just shutdown/close the TCP connection. So report
+			 * EOF for now...
+			 */
+			if (no_exception_p(opts)) { return Qnil; }
+			rb_eof_error();
+		    }
 		}
-		rb_sys_fail(0);
 	    default:
 		ossl_raise(eSSLError, "SSL_read");
 	    }
@@ -1867,11 +1876,24 @@ static VALUE
 ossl_ssl_stop(VALUE self)
 {
     SSL *ssl;
+    int ret;
 
     GetSSL(self, ssl);
+    if (!ssl_started(ssl))
+	return Qnil;
+    ret = SSL_shutdown(ssl);
+    if (ret == 1) /* Have already received close_notify */
+	return Qnil;
+    if (ret == 0) /* Sent close_notify, but we don't wait for reply */
+	return Qnil;
 
-    ossl_ssl_shutdown(ssl);
-
+    /*
+     * XXX: Something happened. Possibly it failed because the underlying socket
+     * is not writable/readable, since it is in non-blocking mode. We should do
+     * some proper error handling using SSL_get_error() and maybe retry, but we
+     * can't block here. Give up for now.
+     */
+    ossl_clear_error();
     return Qnil;
 }
 
@@ -2521,6 +2543,7 @@ Init_ossl_ssl(void)
     rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
 
     rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
+    rb_define_alias(cSSLContext, "freeze", "setup");
 
     /*
      * No session caching for client or server
@@ -2687,6 +2710,9 @@ Init_ossl_ssl(void)
     sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
     sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
 
+    id_tmp_dh_callback = rb_intern("tmp_dh_callback");
+    id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
+
 #define DefIVarID(name) do \
     id_i_##name = rb_intern("@"#name); while (0)