RubyGems - openssl - Versions diffs - 2.1.0.beta2 → 2.1.3 - Mend

openssl 2.1.0.beta2 → 2.1.3

Files changed (29) hide show

checksums.yaml +4 -4
data/History.md +105 -2
data/ext/openssl/deprecation.rb +5 -1
data/ext/openssl/extconf.rb +34 -16
data/ext/openssl/openssl_missing.h +3 -3
data/ext/openssl/ossl.c +3 -2
data/ext/openssl/ossl.h +1 -1
data/ext/openssl/ossl_asn1.c +4 -3
data/ext/openssl/ossl_bn.c +27 -14
data/ext/openssl/ossl_cipher.c +2 -0
data/ext/openssl/ossl_digest.c +6 -2
data/ext/openssl/ossl_pkcs12.c +1 -0
data/ext/openssl/ossl_pkcs7.c +1 -0
data/ext/openssl/ossl_pkey.c +26 -3
data/ext/openssl/ossl_pkey.h +6 -6
data/ext/openssl/ossl_pkey_dh.c +1 -1
data/ext/openssl/ossl_pkey_ec.c +72 -86
data/ext/openssl/ossl_rand.c +0 -8
data/ext/openssl/ossl_ssl.c +111 -38
data/ext/openssl/ossl_version.h +1 -1
data/ext/openssl/ossl_x509.c +91 -0
data/ext/openssl/ossl_x509ext.c +1 -0
data/ext/openssl/ossl_x509name.c +8 -7
data/ext/openssl/ossl_x509store.c +40 -22
data/lib/openssl/buffering.rb +5 -12
data/lib/openssl/config.rb +36 -18
data/lib/openssl/pkey.rb +23 -1
data/lib/openssl/ssl.rb +6 -5
metadata +22 -9

data/ext/openssl/ossl_pkey_ec.c CHANGED Viewed

@@ -653,15 +653,15 @@ static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig)
     StringValue(data);
     StringValue(sig);
-    switch (ECDSA_verify(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(sig), (int)RSTRING_LEN(sig), ec)) {
-    case 1:	return Qtrue;
-    case 0:	return Qfalse;
-    default:	break;
+    switch (ECDSA_verify(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
+                         (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), ec)) {
+      case 1:
+        return Qtrue;
+      case 0:
+        return Qfalse;
+      default:
+        ossl_raise(eECError, "ECDSA_verify");
     }
-    ossl_raise(eECError, "ECDSA_verify");
-    UNREACHABLE;
 }
 /*
@@ -1319,76 +1319,61 @@ ec_point_new(const EC_POINT *point, const EC_GROUP *group)
     return obj;
 }
+static VALUE ossl_ec_point_initialize_copy(VALUE, VALUE);
 /*
  * call-seq:
  *   OpenSSL::PKey::EC::Point.new(point)
- *   OpenSSL::PKey::EC::Point.new(group)
- *   OpenSSL::PKey::EC::Point.new(group, bn)
+ *   OpenSSL::PKey::EC::Point.new(group [, encoded_point])
+ *
+ * Creates a new instance of OpenSSL::PKey::EC::Point. If the only argument is
+ * an instance of EC::Point, a copy is returned. Otherwise, creates a point
+ * that belongs to _group_.
  *
- * See the OpenSSL documentation for EC_POINT_*
+ * _encoded_point_ is the octet string representation of the point. This
+ * must be either a String or an OpenSSL::BN.
  */
 static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
 {
     EC_POINT *point;
-    VALUE arg1, arg2;
-    VALUE group_v = Qnil;
-    const EC_GROUP *group = NULL;
+    VALUE group_v, arg2;
+    const EC_GROUP *group;
     TypedData_Get_Struct(self, EC_POINT, &ossl_ec_point_type, point);
     if (point)
-        ossl_raise(eEC_POINT, "EC_POINT already initialized");
-    switch (rb_scan_args(argc, argv, "11", &arg1, &arg2)) {
-    case 1:
-        if (rb_obj_is_kind_of(arg1, cEC_POINT)) {
-            const EC_POINT *arg_point;
-	    group_v = rb_attr_get(arg1, id_i_group);
-	    GetECGroup(group_v, group);
-	    GetECPoint(arg1, arg_point);
-            point = EC_POINT_dup(arg_point, group);
-        } else if (rb_obj_is_kind_of(arg1, cEC_GROUP)) {
-            group_v = arg1;
-            GetECGroup(group_v, group);
-            point = EC_POINT_new(group);
-        } else {
-            ossl_raise(eEC_POINT, "wrong argument type: must be OpenSSL::PKey::EC::Point or OpenSSL::Pkey::EC::Group");
-        }
-        break;
-     case 2:
-        if (!rb_obj_is_kind_of(arg1, cEC_GROUP))
-            ossl_raise(rb_eArgError, "1st argument must be OpenSSL::PKey::EC::Group");
-        group_v = arg1;
-        GetECGroup(group_v, group);
-        if (rb_obj_is_kind_of(arg2, cBN)) {
-            const BIGNUM *bn = GetBNPtr(arg2);
-            point = EC_POINT_bn2point(group, bn, NULL, ossl_bn_ctx);
-        } else {
-            BIO *in = ossl_obj2bio(&arg1);
-/* BUG: finish me */
-            BIO_free(in);
+	rb_raise(eEC_POINT, "EC_POINT already initialized");
-            if (point == NULL) {
-                ossl_raise(eEC_POINT, "unknown type for 2nd arg");
-            }
-        }
-        break;
-    default:
-        ossl_raise(rb_eArgError, "wrong number of arguments");
+    rb_scan_args(argc, argv, "11", &group_v, &arg2);
+    if (rb_obj_is_kind_of(group_v, cEC_POINT)) {
+	if (argc != 1)
+	    rb_raise(rb_eArgError, "invalid second argument");
+	return ossl_ec_point_initialize_copy(self, group_v);
     }
-    if (point == NULL)
-        ossl_raise(eEC_POINT, NULL);
-    if (NIL_P(group_v))
-        ossl_raise(rb_eRuntimeError, "missing group (internal error)");
+    GetECGroup(group_v, group);
+    if (argc == 1) {
+	point = EC_POINT_new(group);
+	if (!point)
+	    ossl_raise(eEC_POINT, "EC_POINT_new");
+    }
+    else {
+	if (rb_obj_is_kind_of(arg2, cBN)) {
+	    point = EC_POINT_bn2point(group, GetBNPtr(arg2), NULL, ossl_bn_ctx);
+	    if (!point)
+		ossl_raise(eEC_POINT, "EC_POINT_bn2point");
+	}
+	else {
+	    StringValue(arg2);
+	    point = EC_POINT_new(group);
+	    if (!point)
+		ossl_raise(eEC_POINT, "EC_POINT_new");
+	    if (!EC_POINT_oct2point(group, point,
+				    (unsigned char *)RSTRING_PTR(arg2),
+				    RSTRING_LEN(arg2), ossl_bn_ctx)) {
+		EC_POINT_free(point);
+		ossl_raise(eEC_POINT, "EC_POINT_oct2point");
+	    }
+	}
+    }
     RTYPEDDATA_DATA(self) = point;
     rb_ivar_set(self, id_i_group, group_v);
@@ -1543,38 +1528,38 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
 /*
  * call-seq:
- *   point.to_bn(conversion_form = nil) => OpenSSL::BN
+ *    point.to_octet_string(conversion_form) -> String
+ *
+ * Returns the octet string representation of the elliptic curve point.
  *
- * Convert the EC point into an octet string and store in an OpenSSL::BN. If
- * _conversion_form_ is given, the point data is converted using the specified
- * form. If not given, the default form set in the EC::Group object is used.
+ * _conversion_form_ specifies how the point is converted. Possible values are:
  *
- * See also EC::Point#point_conversion_form=.
+ * - +:compressed+
+ * - +:uncompressed+
+ * - +:hybrid+
  */
 static VALUE
-ossl_ec_point_to_bn(int argc, VALUE *argv, VALUE self)
+ossl_ec_point_to_octet_string(VALUE self, VALUE conversion_form)
 {
     EC_POINT *point;
-    VALUE form_obj, bn_obj;
     const EC_GROUP *group;
     point_conversion_form_t form;
-    BIGNUM *bn;
+    VALUE str;
+    size_t len;
     GetECPoint(self, point);
     GetECPointGroup(self, group);
-    rb_scan_args(argc, argv, "01", &form_obj);
-    if (NIL_P(form_obj))
-	form = EC_GROUP_get_point_conversion_form(group);
-    else
-	form = parse_point_conversion_form_symbol(form_obj);
-    bn_obj = rb_obj_alloc(cBN);
-    bn = GetBNPtr(bn_obj);
-    if (EC_POINT_point2bn(group, point, form, bn, ossl_bn_ctx) == NULL)
-        ossl_raise(eEC_POINT, "EC_POINT_point2bn");
-    return bn_obj;
+    form = parse_point_conversion_form_symbol(conversion_form);
+    len = EC_POINT_point2oct(group, point, form, NULL, 0, ossl_bn_ctx);
+    if (!len)
+	ossl_raise(eEC_POINT, "EC_POINT_point2oct");
+    str = rb_str_new(NULL, (long)len);
+    if (!EC_POINT_point2oct(group, point, form,
+			    (unsigned char *)RSTRING_PTR(str), len,
+			    ossl_bn_ctx))
+	ossl_raise(eEC_POINT, "EC_POINT_point2oct");
+    return str;
 }
 /*
@@ -1664,6 +1649,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
 void Init_ossl_ec(void)
 {
+#undef rb_intern
 #if 0
     mPKey = rb_define_module_under(mOSSL, "PKey");
     cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
@@ -1799,7 +1785,7 @@ void Init_ossl_ec(void)
     rb_define_method(cEC_POINT, "set_to_infinity!", ossl_ec_point_set_to_infinity, 0);
 /* all the other methods */
-    rb_define_method(cEC_POINT, "to_bn", ossl_ec_point_to_bn, -1);
+    rb_define_method(cEC_POINT, "to_octet_string", ossl_ec_point_to_octet_string, 1);
     rb_define_method(cEC_POINT, "mul", ossl_ec_point_mul, -1);
     id_i_group = rb_intern("@group");

data/ext/openssl/ossl_rand.c CHANGED Viewed

@@ -67,8 +67,6 @@ ossl_rand_add(VALUE self, VALUE str, VALUE entropy)
 static VALUE
 ossl_rand_load_file(VALUE self, VALUE filename)
 {
-    rb_check_safe_obj(filename);
     if(!RAND_load_file(StringValueCStr(filename), -1)) {
 	ossl_raise(eRandomError, NULL);
     }
@@ -86,8 +84,6 @@ ossl_rand_load_file(VALUE self, VALUE filename)
 static VALUE
 ossl_rand_write_file(VALUE self, VALUE filename)
 {
-    rb_check_safe_obj(filename);
     if (RAND_write_file(StringValueCStr(filename)) == -1) {
 	ossl_raise(eRandomError, NULL);
     }
@@ -164,8 +160,6 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
 static VALUE
 ossl_rand_egd(VALUE self, VALUE filename)
 {
-    rb_check_safe_obj(filename);
     if (RAND_egd(StringValueCStr(filename)) == -1) {
 	ossl_raise(eRandomError, NULL);
     }
@@ -186,8 +180,6 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
 {
     int n = NUM2INT(len);
-    rb_check_safe_obj(filename);
     if (RAND_egd_bytes(StringValueCStr(filename), n) == -1) {
 	ossl_raise(eRandomError, NULL);
     }

data/ext/openssl/ossl_ssl.c CHANGED Viewed

@@ -13,6 +13,12 @@
 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
+#if !defined(TLS1_3_VERSION) && \
+    defined(LIBRESSL_VERSION_NUMBER) && \
+    LIBRESSL_VERSION_NUMBER >= 0x3020000fL
+#  define TLS1_3_VERSION 0x0304
+#endif
 #ifdef _WIN32
 #  define TO_SOCKET(s) _get_osfhandle(s)
 #else
@@ -33,7 +39,7 @@ static VALUE eSSLErrorWaitReadable;
 static VALUE eSSLErrorWaitWritable;
 static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
-	  id_npn_protocols_encoded;
+	  id_npn_protocols_encoded, id_each;
 static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
 static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -53,6 +59,13 @@ static int ossl_sslctx_ex_ptr_idx;
 static int ossl_sslctx_ex_store_p;
 #endif
+static void
+ossl_sslctx_mark(void *ptr)
+{
+    SSL_CTX *ctx = ptr;
+    rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
+}
 static void
 ossl_sslctx_free(void *ptr)
 {
@@ -67,7 +80,7 @@ ossl_sslctx_free(void *ptr)
 static const rb_data_type_t ossl_sslctx_type = {
     "OpenSSL/SSL/CTX",
     {
-	0, ossl_sslctx_free,
+        ossl_sslctx_mark, ossl_sslctx_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
@@ -184,8 +197,10 @@ ossl_sslctx_set_minmax_proto_version(VALUE self, VALUE min_v, VALUE max_v)
 	for (i = 0; i < numberof(options_map); i++) {
 	    sum |= options_map[i].opts;
-	    if (min && min > options_map[i].ver || max && max < options_map[i].ver)
+            if ((min && min > options_map[i].ver) ||
+                (max && max < options_map[i].ver)) {
 		opts |= options_map[i].opts;
+            }
 	}
 	SSL_CTX_clear_options(ctx, sum);
 	SSL_CTX_set_options(ctx, opts);
@@ -357,7 +372,14 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	    rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
 	    return 0;
 	}
-	preverify_ok = ret == Qtrue;
+        if (ret != Qtrue) {
+            preverify_ok = 0;
+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
+#else
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
+#endif
+        }
     }
     return ossl_verify_cb_call(cb, preverify_ok, ctx);
@@ -377,9 +399,8 @@ ossl_call_session_get_cb(VALUE ary)
     return rb_funcallv(cb, id_call, 1, &ary);
 }
-/* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
 static SSL_SESSION *
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f)
 ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
 #else
 ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
@@ -591,7 +612,7 @@ ssl_renegotiation_cb(const SSL *ssl)
 #if !defined(OPENSSL_NO_NEXTPROTONEG) || \
     defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
 static VALUE
-ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
+ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
 {
     int len = RSTRING_LENINT(cur);
     char len_byte;
@@ -608,7 +629,7 @@ static VALUE
 ssl_encode_npn_protocols(VALUE protocols)
 {
     VALUE encoded = rb_str_new(NULL, 0);
-    rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
+    rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
     return encoded;
 }
@@ -678,7 +699,7 @@ static int
 ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
 		     void *arg)
 {
-    VALUE protocols = (VALUE)arg;
+    VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
     *out = (const unsigned char *) RSTRING_PTR(protocols);
     *outlen = RSTRING_LENINT(protocols);
@@ -896,7 +917,7 @@ ossl_sslctx_setup(VALUE self)
     if (!NIL_P(val)) {
 	VALUE encoded = ssl_encode_npn_protocols(val);
 	rb_ivar_set(self, id_npn_protocols_encoded, encoded);
-	SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
+	SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
 	OSSL_Debug("SSL NPN advertise callback added");
     }
     if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
@@ -1035,10 +1056,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
     }
     GetSSLCTX(self, ctx);
-    if(!ctx){
-        ossl_raise(eSSLError, "SSL_CTX is not initialized.");
-        return Qnil;
-    }
     if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str))) {
         ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
     }
@@ -1518,6 +1535,14 @@ ssl_started(SSL *ssl)
     return SSL_get_fd(ssl) >= 0;
 }
+static void
+ossl_ssl_mark(void *ptr)
+{
+    SSL *ssl = ptr;
+    rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
+    rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
+}
 static void
 ossl_ssl_free(void *ssl)
 {
@@ -1527,7 +1552,7 @@ ossl_ssl_free(void *ssl)
 const rb_data_type_t ossl_ssl_type = {
     "OpenSSL/SSL",
     {
-	0, ossl_ssl_free,
+        ossl_ssl_mark, ossl_ssl_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
@@ -1683,6 +1708,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
             rb_io_wait_readable(fptr->fd);
             continue;
 	case SSL_ERROR_SYSCALL:
+#ifdef __APPLE__
+            /* See ossl_ssl_write_internal() */
+            if (errno == EPROTOTYPE)
+                continue;
+#endif
 	    if (errno) rb_sys_fail(funcname);
 	    ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
 #if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
@@ -1831,7 +1861,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
 	else
 	    rb_str_modify_expand(str, ilen - RSTRING_LEN(str));
     }
-    OBJ_TAINT(str);
     rb_str_set_len(str, 0);
     if (ilen == 0)
 	return str;
@@ -1840,26 +1869,36 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
     io = rb_attr_get(self, id_i_io);
     GetOpenFile(io, fptr);
     if (ssl_started(ssl)) {
-	for (;;){
+        rb_str_locktmp(str);
+        for (;;) {
 	    nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
 	    switch(ssl_get_error(ssl, nread)){
 	    case SSL_ERROR_NONE:
+                rb_str_unlocktmp(str);
 		goto end;
 	    case SSL_ERROR_ZERO_RETURN:
+                rb_str_unlocktmp(str);
 		if (no_exception_p(opts)) { return Qnil; }
 		rb_eof_error();
 	    case SSL_ERROR_WANT_WRITE:
-		if (no_exception_p(opts)) { return sym_wait_writable; }
-                write_would_block(nonblock);
+                if (nonblock) {
+                    rb_str_unlocktmp(str);
+                    if (no_exception_p(opts)) { return sym_wait_writable; }
+                    write_would_block(nonblock);
+                }
                 rb_io_wait_writable(fptr->fd);
                 continue;
 	    case SSL_ERROR_WANT_READ:
-		if (no_exception_p(opts)) { return sym_wait_readable; }
-                read_would_block(nonblock);
+                if (nonblock) {
+                    rb_str_unlocktmp(str);
+                    if (no_exception_p(opts)) { return sym_wait_readable; }
+                    read_would_block(nonblock);
+                }
                 rb_io_wait_readable(fptr->fd);
 		continue;
 	    case SSL_ERROR_SYSCALL:
 		if (!ERR_peek_error()) {
+                    rb_str_unlocktmp(str);
 		    if (errno)
 			rb_sys_fail(0);
 		    else {
@@ -1874,19 +1913,32 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
 			rb_eof_error();
 		    }
 		}
+                /* fall through */
 	    default:
+                rb_str_unlocktmp(str);
 		ossl_raise(eSSLError, "SSL_read");
 	    }
         }
     }
     else {
-	ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
-	rb_warning("SSL session is not started yet.");
-	if (nonblock)
-	    return rb_funcall(io, meth, 3, len, str, opts);
-	else
-	    return rb_funcall(io, meth, 2, len, str);
+        ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
+        rb_warning("SSL session is not started yet.");
+#if defined(RB_PASS_KEYWORDS)
+        if (nonblock) {
+            VALUE argv[3];
+            argv[0] = len;
+            argv[1] = str;
+            argv[2] = opts;
+            return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
+        }
+#else
+        if (nonblock) {
+            return rb_funcall(io, meth, 3, len, str, opts);
+        }
+#endif
+        else
+            return rb_funcall(io, meth, 2, len, str);
     }
   end:
@@ -1934,21 +1986,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
     int nwrite = 0;
     rb_io_t *fptr;
     int nonblock = opts != Qfalse;
-    VALUE io;
+    VALUE tmp, io;
-    StringValue(str);
+    tmp = rb_str_new_frozen(StringValue(str));
     GetSSL(self, ssl);
     io = rb_attr_get(self, id_i_io);
     GetOpenFile(io, fptr);
     if (ssl_started(ssl)) {
-	for (;;){
-	    int num = RSTRING_LENINT(str);
+	for (;;) {
+	    int num = RSTRING_LENINT(tmp);
 	    /* SSL_write(3ssl) manpage states num == 0 is undefined */
 	    if (num == 0)
 		goto end;
-	    nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
+	    nwrite = SSL_write(ssl, RSTRING_PTR(tmp), num);
 	    switch(ssl_get_error(ssl, nwrite)){
 	    case SSL_ERROR_NONE:
 		goto end;
@@ -1963,6 +2015,16 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
                 rb_io_wait_readable(fptr->fd);
                 continue;
 	    case SSL_ERROR_SYSCALL:
+#ifdef __APPLE__
+                /*
+                 * It appears that send syscall can return EPROTOTYPE if the
+                 * socket is being torn down. Retry to get a proper errno to
+                 * make the error handling in line with the socket library.
+                 * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
+                 */
+                if (errno == EPROTOTYPE)
+                    continue;
+#endif
 		if (errno) rb_sys_fail(0);
 	    default:
 		ossl_raise(eSSLError, "SSL_write");
@@ -1973,11 +2035,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
 	ID meth = nonblock ?
 	    rb_intern("write_nonblock") : rb_intern("syswrite");
-	rb_warning("SSL session is not started yet.");
-	if (nonblock)
-	    return rb_funcall(io, meth, 2, str, opts);
-	else
-	    return rb_funcall(io, meth, 1, str);
+        rb_warning("SSL session is not started yet.");
+#if defined(RB_PASS_KEYWORDS)
+        if (nonblock) {
+            VALUE argv[2];
+            argv[0] = str;
+            argv[1] = opts;
+            return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
+        }
+#else
+        if (nonblock) {
+            return rb_funcall(io, meth, 2, str, opts);
+        }
+#endif
+        else
+            return rb_funcall(io, meth, 1, str);
     }
   end:
@@ -2920,6 +2992,7 @@ Init_ossl_ssl(void)
     id_tmp_dh_callback = rb_intern("tmp_dh_callback");
     id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
     id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
+    id_each = rb_intern_const("each");
 #define DefIVarID(name) do \
     id_i_##name = rb_intern("@"#name); while (0)

data/ext/openssl/ossl_version.h CHANGED Viewed

@@ -10,6 +10,6 @@
 #if !defined(_OSSL_VERSION_H_)
 #define _OSSL_VERSION_H_
-#define OSSL_VERSION "2.1.0"
+#define OSSL_VERSION "2.1.3"
 #endif /* _OSSL_VERSION_H_ */