openssl 2.1.0 → 3.2.0

Files changed (64) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +35 -45
  3. data/History.md +426 -0
  4. data/README.md +38 -21
  5. data/ext/openssl/extconf.rb +132 -72
  6. data/ext/openssl/openssl_missing.c +0 -66
  7. data/ext/openssl/openssl_missing.h +62 -46
  8. data/ext/openssl/ossl.c +177 -252
  9. data/ext/openssl/ossl.h +39 -17
  10. data/ext/openssl/ossl_asn1.c +53 -14
  11. data/ext/openssl/ossl_bn.c +288 -146
  12. data/ext/openssl/ossl_bn.h +2 -1
  13. data/ext/openssl/ossl_cipher.c +42 -32
  14. data/ext/openssl/ossl_config.c +412 -41
  15. data/ext/openssl/ossl_config.h +4 -7
  16. data/ext/openssl/ossl_digest.c +32 -63
  17. data/ext/openssl/ossl_engine.c +19 -28
  18. data/ext/openssl/ossl_hmac.c +61 -146
  19. data/ext/openssl/ossl_kdf.c +15 -23
  20. data/ext/openssl/ossl_ns_spki.c +2 -2
  21. data/ext/openssl/ossl_ocsp.c +17 -70
  22. data/ext/openssl/ossl_ocsp.h +3 -3
  23. data/ext/openssl/ossl_pkcs12.c +23 -4
  24. data/ext/openssl/ossl_pkcs7.c +49 -81
  25. data/ext/openssl/ossl_pkcs7.h +16 -0
  26. data/ext/openssl/ossl_pkey.c +1508 -195
  27. data/ext/openssl/ossl_pkey.h +41 -78
  28. data/ext/openssl/ossl_pkey_dh.c +153 -348
  29. data/ext/openssl/ossl_pkey_dsa.c +157 -413
  30. data/ext/openssl/ossl_pkey_ec.c +257 -343
  31. data/ext/openssl/ossl_pkey_rsa.c +166 -490
  32. data/ext/openssl/ossl_provider.c +211 -0
  33. data/ext/openssl/ossl_provider.h +5 -0
  34. data/ext/openssl/ossl_rand.c +2 -40
  35. data/ext/openssl/ossl_ssl.c +666 -456
  36. data/ext/openssl/ossl_ssl_session.c +29 -30
  37. data/ext/openssl/ossl_ts.c +1539 -0
  38. data/ext/openssl/ossl_ts.h +16 -0
  39. data/ext/openssl/ossl_x509.c +86 -1
  40. data/ext/openssl/ossl_x509attr.c +1 -1
  41. data/ext/openssl/ossl_x509cert.c +170 -14
  42. data/ext/openssl/ossl_x509crl.c +14 -11
  43. data/ext/openssl/ossl_x509ext.c +29 -9
  44. data/ext/openssl/ossl_x509name.c +24 -12
  45. data/ext/openssl/ossl_x509req.c +14 -11
  46. data/ext/openssl/ossl_x509revoked.c +4 -4
  47. data/ext/openssl/ossl_x509store.c +205 -96
  48. data/lib/openssl/bn.rb +1 -1
  49. data/lib/openssl/buffering.rb +42 -20
  50. data/lib/openssl/cipher.rb +1 -1
  51. data/lib/openssl/digest.rb +10 -16
  52. data/lib/openssl/hmac.rb +78 -0
  53. data/lib/openssl/marshal.rb +30 -0
  54. data/lib/openssl/pkcs5.rb +1 -1
  55. data/lib/openssl/pkey.rb +447 -1
  56. data/lib/openssl/ssl.rb +68 -24
  57. data/lib/openssl/version.rb +5 -0
  58. data/lib/openssl/x509.rb +177 -1
  59. data/lib/openssl.rb +24 -9
  60. metadata +18 -71
  61. data/ext/openssl/deprecation.rb +0 -23
  62. data/ext/openssl/ossl_version.h +0 -15
  63. data/ext/openssl/ruby_missing.h +0 -24
  64. data/lib/openssl/config.rb +0 -474
@@ -52,8 +52,15 @@ struct ossl_verify_cb_args {
52
52
  };
53
53
 
54
54
  static VALUE
55
- call_verify_cb_proc(struct ossl_verify_cb_args *args)
55
+ ossl_x509stctx_new_i(VALUE arg)
56
56
  {
57
+ return ossl_x509stctx_new((X509_STORE_CTX *)arg);
58
+ }
59
+
60
+ static VALUE
61
+ call_verify_cb_proc(VALUE arg)
62
+ {
63
+ struct ossl_verify_cb_args *args = (struct ossl_verify_cb_args *)arg;
57
64
  return rb_funcall(args->proc, rb_intern("call"), 2,
58
65
  args->preverify_ok, args->store_ctx);
59
66
  }
@@ -69,7 +76,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
69
76
  return ok;
70
77
 
71
78
  ret = Qfalse;
72
- rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new, (VALUE)ctx, &state);
79
+ rctx = rb_protect(ossl_x509stctx_new_i, (VALUE)ctx, &state);
73
80
  if (state) {
74
81
  rb_set_errinfo(Qnil);
75
82
  rb_warn("StoreContext initialization failure");
@@ -78,7 +85,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
78
85
  args.proc = proc;
79
86
  args.preverify_ok = ok ? Qtrue : Qfalse;
80
87
  args.store_ctx = rctx;
81
- ret = rb_protect((VALUE(*)(VALUE))call_verify_cb_proc, (VALUE)&args, &state);
88
+ ret = rb_protect(call_verify_cb_proc, (VALUE)&args, &state);
82
89
  if (state) {
83
90
  rb_set_errinfo(Qnil);
84
91
  rb_warn("exception in verify_callback is ignored");
@@ -105,6 +112,16 @@ VALUE cX509Store;
105
112
  VALUE cX509StoreContext;
106
113
  VALUE eX509StoreError;
107
114
 
115
+ static void
116
+ ossl_x509store_mark(void *ptr)
117
+ {
118
+ X509_STORE *store = ptr;
119
+ // Note: this reference is stored as @verify_callback so we don't need to mark it.
120
+ // However we do need to ensure GC compaction won't move it, hence why
121
+ // we call rb_gc_mark here.
122
+ rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
123
+ }
124
+
108
125
  static void
109
126
  ossl_x509store_free(void *ptr)
110
127
  {
@@ -114,9 +131,9 @@ ossl_x509store_free(void *ptr)
114
131
  static const rb_data_type_t ossl_x509store_type = {
115
132
  "OpenSSL/X509/STORE",
116
133
  {
117
- 0, ossl_x509store_free,
134
+ ossl_x509store_mark, ossl_x509store_free,
118
135
  },
119
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
136
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
120
137
  };
121
138
 
122
139
  /*
@@ -157,9 +174,8 @@ ossl_x509store_alloc(VALUE klass)
157
174
  VALUE obj;
158
175
 
159
176
  obj = NewX509Store(klass);
160
- if((store = X509_STORE_new()) == NULL){
161
- ossl_raise(eX509StoreError, NULL);
162
- }
177
+ if ((store = X509_STORE_new()) == NULL)
178
+ ossl_raise(eX509StoreError, "X509_STORE_new");
163
179
  SetX509Store(obj, store);
164
180
 
165
181
  return obj;
@@ -174,8 +190,9 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
174
190
  X509_STORE *store;
175
191
 
176
192
  GetX509Store(self, store);
177
- X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
178
193
  rb_iv_set(self, "@verify_callback", cb);
194
+ // We don't need to trigger a write barrier because `rb_iv_set` did it.
195
+ X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
179
196
 
180
197
  return cb;
181
198
  }
@@ -192,8 +209,9 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
192
209
  {
193
210
  X509_STORE *store;
194
211
 
195
- /* BUG: This method takes any number of arguments but appears to ignore them. */
196
212
  GetX509Store(self, store);
213
+ if (argc != 0)
214
+ rb_warn("OpenSSL::X509::Store.new does not take any arguments");
197
215
  #if !defined(HAVE_OPAQUE_OPENSSL)
198
216
  /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
199
217
  store->ex_data.sk = NULL;
@@ -214,8 +232,16 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
214
232
  * call-seq:
215
233
  * store.flags = flags
216
234
  *
217
- * Sets _flags_ to the Store. _flags_ consists of zero or more of the constants
218
- * defined in with name V_FLAG_* or'ed together.
235
+ * Sets the default flags used by certificate chain verification performed with
236
+ * the Store.
237
+ *
238
+ * _flags_ consists of zero or more of the constants defined in OpenSSL::X509
239
+ * with name V_FLAG_* or'ed together.
240
+ *
241
+ * OpenSSL::X509::StoreContext#flags= can be used to change the flags for a
242
+ * single verification operation.
243
+ *
244
+ * See also the man page X509_VERIFY_PARAM_set_flags(3).
219
245
  */
220
246
  static VALUE
221
247
  ossl_x509store_set_flags(VALUE self, VALUE flags)
@@ -233,9 +259,9 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
233
259
  * call-seq:
234
260
  * store.purpose = purpose
235
261
  *
236
- * Sets the store's purpose to _purpose_. If specified, the verifications on
237
- * the store will check every untrusted certificate's extensions are consistent
238
- * with the purpose. The purpose is specified by constants:
262
+ * Sets the store's default verification purpose. If specified,
263
+ * the verifications on the store will check every certificate's extensions are
264
+ * consistent with the purpose. The purpose is specified by constants:
239
265
  *
240
266
  * * X509::PURPOSE_SSL_CLIENT
241
267
  * * X509::PURPOSE_SSL_SERVER
@@ -246,6 +272,11 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
246
272
  * * X509::PURPOSE_ANY
247
273
  * * X509::PURPOSE_OCSP_HELPER
248
274
  * * X509::PURPOSE_TIMESTAMP_SIGN
275
+ *
276
+ * OpenSSL::X509::StoreContext#purpose= can be used to change the value for a
277
+ * single verification operation.
278
+ *
279
+ * See also the man page X509_VERIFY_PARAM_set_purpose(3).
249
280
  */
250
281
  static VALUE
251
282
  ossl_x509store_set_purpose(VALUE self, VALUE purpose)
@@ -262,6 +293,14 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
262
293
  /*
263
294
  * call-seq:
264
295
  * store.trust = trust
296
+ *
297
+ * Sets the default trust settings used by the certificate verification with
298
+ * the store.
299
+ *
300
+ * OpenSSL::X509::StoreContext#trust= can be used to change the value for a
301
+ * single verification operation.
302
+ *
303
+ * See also the man page X509_VERIFY_PARAM_set_trust(3).
265
304
  */
266
305
  static VALUE
267
306
  ossl_x509store_set_trust(VALUE self, VALUE trust)
@@ -279,7 +318,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
279
318
  * call-seq:
280
319
  * store.time = time
281
320
  *
282
- * Sets the time to be used in verifications.
321
+ * Sets the time to be used in the certificate verifications with the store.
322
+ * By default, if not specified, the current system time is used.
323
+ *
324
+ * OpenSSL::X509::StoreContext#time= can be used to change the value for a
325
+ * single verification operation.
326
+ *
327
+ * See also the man page X509_VERIFY_PARAM_set_time(3).
283
328
  */
284
329
  static VALUE
285
330
  ossl_x509store_set_time(VALUE self, VALUE time)
@@ -295,24 +340,23 @@ ossl_x509store_set_time(VALUE self, VALUE time)
295
340
  * Adds the certificates in _file_ to the certificate store. _file_ is the path
296
341
  * to the file, and the file contains one or more certificates in PEM format
297
342
  * concatenated together.
343
+ *
344
+ * See also the man page X509_LOOKUP_file(3).
298
345
  */
299
346
  static VALUE
300
347
  ossl_x509store_add_file(VALUE self, VALUE file)
301
348
  {
302
349
  X509_STORE *store;
303
350
  X509_LOOKUP *lookup;
304
- char *path = NULL;
351
+ const char *path;
305
352
 
306
- if(file != Qnil){
307
- rb_check_safe_obj(file);
308
- path = StringValueCStr(file);
309
- }
310
353
  GetX509Store(self, store);
354
+ path = StringValueCStr(file);
311
355
  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
312
- if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
313
- if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
314
- ossl_raise(eX509StoreError, NULL);
315
- }
356
+ if (!lookup)
357
+ ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
358
+ if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
359
+ ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
316
360
  #if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
317
361
  /*
318
362
  * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
@@ -331,24 +375,23 @@ ossl_x509store_add_file(VALUE self, VALUE file)
331
375
  * store.add_path(path) -> self
332
376
  *
333
377
  * Adds _path_ as the hash dir to be looked up by the store.
378
+ *
379
+ * See also the man page X509_LOOKUP_hash_dir(3).
334
380
  */
335
381
  static VALUE
336
382
  ossl_x509store_add_path(VALUE self, VALUE dir)
337
383
  {
338
384
  X509_STORE *store;
339
385
  X509_LOOKUP *lookup;
340
- char *path = NULL;
386
+ const char *path;
341
387
 
342
- if(dir != Qnil){
343
- rb_check_safe_obj(dir);
344
- path = StringValueCStr(dir);
345
- }
346
388
  GetX509Store(self, store);
389
+ path = StringValueCStr(dir);
347
390
  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
348
- if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
349
- if(X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1){
350
- ossl_raise(eX509StoreError, NULL);
351
- }
391
+ if (!lookup)
392
+ ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
393
+ if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
394
+ ossl_raise(eX509StoreError, "X509_LOOKUP_add_dir");
352
395
 
353
396
  return self;
354
397
  }
@@ -363,6 +406,8 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
363
406
  *
364
407
  * * OpenSSL::X509::DEFAULT_CERT_FILE
365
408
  * * OpenSSL::X509::DEFAULT_CERT_DIR
409
+ *
410
+ * See also the man page X509_STORE_set_default_paths(3).
366
411
  */
367
412
  static VALUE
368
413
  ossl_x509store_set_default_paths(VALUE self)
@@ -370,18 +415,19 @@ ossl_x509store_set_default_paths(VALUE self)
370
415
  X509_STORE *store;
371
416
 
372
417
  GetX509Store(self, store);
373
- if (X509_STORE_set_default_paths(store) != 1){
374
- ossl_raise(eX509StoreError, NULL);
375
- }
418
+ if (X509_STORE_set_default_paths(store) != 1)
419
+ ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
376
420
 
377
421
  return Qnil;
378
422
  }
379
423
 
380
424
  /*
381
425
  * call-seq:
382
- * store.add_cert(cert)
426
+ * store.add_cert(cert) -> self
383
427
  *
384
428
  * Adds the OpenSSL::X509::Certificate _cert_ to the certificate store.
429
+ *
430
+ * See also the man page X509_STORE_add_cert(3).
385
431
  */
386
432
  static VALUE
387
433
  ossl_x509store_add_cert(VALUE self, VALUE arg)
@@ -391,9 +437,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
391
437
 
392
438
  cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
393
439
  GetX509Store(self, store);
394
- if (X509_STORE_add_cert(store, cert) != 1){
395
- ossl_raise(eX509StoreError, NULL);
396
- }
440
+ if (X509_STORE_add_cert(store, cert) != 1)
441
+ ossl_raise(eX509StoreError, "X509_STORE_add_cert");
397
442
 
398
443
  return self;
399
444
  }
@@ -403,6 +448,8 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
403
448
  * store.add_crl(crl) -> self
404
449
  *
405
450
  * Adds the OpenSSL::X509::CRL _crl_ to the store.
451
+ *
452
+ * See also the man page X509_STORE_add_crl(3).
406
453
  */
407
454
  static VALUE
408
455
  ossl_x509store_add_crl(VALUE self, VALUE arg)
@@ -412,9 +459,8 @@ ossl_x509store_add_crl(VALUE self, VALUE arg)
412
459
 
413
460
  crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
414
461
  GetX509Store(self, store);
415
- if (X509_STORE_add_crl(store, crl) != 1){
416
- ossl_raise(eX509StoreError, NULL);
417
- }
462
+ if (X509_STORE_add_crl(store, crl) != 1)
463
+ ossl_raise(eX509StoreError, "X509_STORE_add_crl");
418
464
 
419
465
  return self;
420
466
  }
@@ -458,23 +504,19 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
458
504
  return result;
459
505
  }
460
506
 
461
- /*
462
- * Public Functions
463
- */
464
- static void ossl_x509stctx_free(void*);
465
-
466
-
467
- static const rb_data_type_t ossl_x509stctx_type = {
468
- "OpenSSL/X509/STORE_CTX",
469
- {
470
- 0, ossl_x509stctx_free,
471
- },
472
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
473
- };
474
-
475
507
  /*
476
508
  * Private functions
477
509
  */
510
+ static void
511
+ ossl_x509stctx_mark(void *ptr)
512
+ {
513
+ X509_STORE_CTX *ctx = ptr;
514
+ // Note: this reference is stored as @verify_callback so we don't need to mark it.
515
+ // However we do need to ensure GC compaction won't move it, hence why
516
+ // we call rb_gc_mark here.
517
+ rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
518
+ }
519
+
478
520
  static void
479
521
  ossl_x509stctx_free(void *ptr)
480
522
  {
@@ -486,6 +528,14 @@ ossl_x509stctx_free(void *ptr)
486
528
  X509_STORE_CTX_free(ctx);
487
529
  }
488
530
 
531
+ static const rb_data_type_t ossl_x509stctx_type = {
532
+ "OpenSSL/X509/STORE_CTX",
533
+ {
534
+ ossl_x509stctx_mark, ossl_x509stctx_free,
535
+ },
536
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
537
+ };
538
+
489
539
  static VALUE
490
540
  ossl_x509stctx_alloc(VALUE klass)
491
541
  {
@@ -493,9 +543,8 @@ ossl_x509stctx_alloc(VALUE klass)
493
543
  VALUE obj;
494
544
 
495
545
  obj = NewX509StCtx(klass);
496
- if((ctx = X509_STORE_CTX_new()) == NULL){
497
- ossl_raise(eX509StoreError, NULL);
498
- }
546
+ if ((ctx = X509_STORE_CTX_new()) == NULL)
547
+ ossl_raise(eX509StoreError, "X509_STORE_CTX_new");
499
548
  SetX509StCtx(obj, ctx);
500
549
 
501
550
  return obj;
@@ -519,7 +568,9 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
519
568
 
520
569
  /*
521
570
  * call-seq:
522
- * StoreContext.new(store, cert = nil, chain = nil)
571
+ * StoreContext.new(store, cert = nil, untrusted = nil)
572
+ *
573
+ * Sets up a StoreContext for a verification of the X.509 certificate _cert_.
523
574
  */
524
575
  static VALUE
525
576
  ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
@@ -529,15 +580,24 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
529
580
  X509_STORE *x509st;
530
581
  X509 *x509 = NULL;
531
582
  STACK_OF(X509) *x509s = NULL;
583
+ int state;
532
584
 
533
585
  rb_scan_args(argc, argv, "12", &store, &cert, &chain);
534
586
  GetX509StCtx(self, ctx);
535
587
  GetX509Store(store, x509st);
536
- if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
537
- if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
538
- if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
588
+ if (!NIL_P(cert))
589
+ x509 = DupX509CertPtr(cert); /* NEED TO DUP */
590
+ if (!NIL_P(chain)) {
591
+ x509s = ossl_protect_x509_ary2sk(chain, &state);
592
+ if (state) {
593
+ X509_free(x509);
594
+ rb_jump_tag(state);
595
+ }
596
+ }
597
+ if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
598
+ X509_free(x509);
539
599
  sk_X509_pop_free(x509s, X509_free);
540
- ossl_raise(eX509StoreError, NULL);
600
+ ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
541
601
  }
542
602
  if (!NIL_P(t = rb_iv_get(store, "@time")))
543
603
  ossl_x509stctx_set_time(self, t);
@@ -550,6 +610,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
550
610
  /*
551
611
  * call-seq:
552
612
  * stctx.verify -> true | false
613
+ *
614
+ * Performs the certificate verification using the parameters set to _stctx_.
615
+ *
616
+ * See also the man page X509_verify_cert(3).
553
617
  */
554
618
  static VALUE
555
619
  ossl_x509stctx_verify(VALUE self)
@@ -557,53 +621,50 @@ ossl_x509stctx_verify(VALUE self)
557
621
  X509_STORE_CTX *ctx;
558
622
 
559
623
  GetX509StCtx(self, ctx);
560
- X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx,
561
- (void *)rb_iv_get(self, "@verify_callback"));
624
+ VALUE cb = rb_iv_get(self, "@verify_callback");
625
+ X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx, (void *)cb);
562
626
 
563
627
  switch (X509_verify_cert(ctx)) {
564
628
  case 1:
565
- return Qtrue;
629
+ return Qtrue;
566
630
  case 0:
567
- ossl_clear_error();
568
- return Qfalse;
631
+ ossl_clear_error();
632
+ return Qfalse;
569
633
  default:
570
- ossl_raise(eX509CertError, NULL);
634
+ ossl_raise(eX509CertError, "X509_verify_cert");
571
635
  }
572
636
  }
573
637
 
574
638
  /*
575
639
  * call-seq:
576
- * stctx.chain -> Array of X509::Certificate
640
+ * stctx.chain -> nil | Array of X509::Certificate
641
+ *
642
+ * Returns the verified chain.
643
+ *
644
+ * See also the man page X509_STORE_CTX_set0_verified_chain(3).
577
645
  */
578
646
  static VALUE
579
647
  ossl_x509stctx_get_chain(VALUE self)
580
648
  {
581
649
  X509_STORE_CTX *ctx;
582
- STACK_OF(X509) *chain;
583
- X509 *x509;
584
- int i, num;
585
- VALUE ary;
650
+ const STACK_OF(X509) *chain;
586
651
 
587
652
  GetX509StCtx(self, ctx);
588
- if((chain = X509_STORE_CTX_get0_chain(ctx)) == NULL){
589
- return Qnil;
590
- }
591
- if((num = sk_X509_num(chain)) < 0){
592
- OSSL_Debug("certs in chain < 0???");
593
- return rb_ary_new();
594
- }
595
- ary = rb_ary_new2(num);
596
- for(i = 0; i < num; i++) {
597
- x509 = sk_X509_value(chain, i);
598
- rb_ary_push(ary, ossl_x509_new(x509));
599
- }
600
-
601
- return ary;
653
+ chain = X509_STORE_CTX_get0_chain(ctx);
654
+ if (!chain)
655
+ return Qnil; /* Could be an empty array instead? */
656
+ return ossl_x509_sk2ary(chain);
602
657
  }
603
658
 
604
659
  /*
605
660
  * call-seq:
606
661
  * stctx.error -> Integer
662
+ *
663
+ * Returns the error code of _stctx_. This is typically called after #verify
664
+ * is done, or from the verification callback set to
665
+ * OpenSSL::X509::Store#verify_callback=.
666
+ *
667
+ * See also the man page X509_STORE_CTX_get_error(3).
607
668
  */
608
669
  static VALUE
609
670
  ossl_x509stctx_get_err(VALUE self)
@@ -618,6 +679,11 @@ ossl_x509stctx_get_err(VALUE self)
618
679
  /*
619
680
  * call-seq:
620
681
  * stctx.error = error_code
682
+ *
683
+ * Sets the error code of _stctx_. This is used by the verification callback
684
+ * set to OpenSSL::X509::Store#verify_callback=.
685
+ *
686
+ * See also the man page X509_STORE_CTX_set_error(3).
621
687
  */
622
688
  static VALUE
623
689
  ossl_x509stctx_set_error(VALUE self, VALUE err)
@@ -634,7 +700,10 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
634
700
  * call-seq:
635
701
  * stctx.error_string -> String
636
702
  *
637
- * Returns the error string corresponding to the error code retrieved by #error.
703
+ * Returns the human readable error string corresponding to the error code
704
+ * retrieved by #error.
705
+ *
706
+ * See also the man page X509_verify_cert_error_string(3).
638
707
  */
639
708
  static VALUE
640
709
  ossl_x509stctx_get_err_string(VALUE self)
@@ -651,6 +720,10 @@ ossl_x509stctx_get_err_string(VALUE self)
651
720
  /*
652
721
  * call-seq:
653
722
  * stctx.error_depth -> Integer
723
+ *
724
+ * Returns the depth of the chain. This is used in combination with #error.
725
+ *
726
+ * See also the man page X509_STORE_CTX_get_error_depth(3).
654
727
  */
655
728
  static VALUE
656
729
  ossl_x509stctx_get_err_depth(VALUE self)
@@ -665,6 +738,10 @@ ossl_x509stctx_get_err_depth(VALUE self)
665
738
  /*
666
739
  * call-seq:
667
740
  * stctx.current_cert -> X509::Certificate
741
+ *
742
+ * Returns the certificate which caused the error.
743
+ *
744
+ * See also the man page X509_STORE_CTX_get_current_cert(3).
668
745
  */
669
746
  static VALUE
670
747
  ossl_x509stctx_get_curr_cert(VALUE self)
@@ -679,6 +756,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
679
756
  /*
680
757
  * call-seq:
681
758
  * stctx.current_crl -> X509::CRL
759
+ *
760
+ * Returns the CRL which caused the error.
761
+ *
762
+ * See also the man page X509_STORE_CTX_get_current_crl(3).
682
763
  */
683
764
  static VALUE
684
765
  ossl_x509stctx_get_curr_crl(VALUE self)
@@ -698,7 +779,10 @@ ossl_x509stctx_get_curr_crl(VALUE self)
698
779
  * call-seq:
699
780
  * stctx.flags = flags
700
781
  *
701
- * Sets the verification flags to the context. See Store#flags=.
782
+ * Sets the verification flags to the context. This overrides the default value
783
+ * set by Store#flags=.
784
+ *
785
+ * See also the man page X509_VERIFY_PARAM_set_flags(3).
702
786
  */
703
787
  static VALUE
704
788
  ossl_x509stctx_set_flags(VALUE self, VALUE flags)
@@ -716,7 +800,10 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
716
800
  * call-seq:
717
801
  * stctx.purpose = purpose
718
802
  *
719
- * Sets the purpose of the context. See Store#purpose=.
803
+ * Sets the purpose of the context. This overrides the default value set by
804
+ * Store#purpose=.
805
+ *
806
+ * See also the man page X509_VERIFY_PARAM_set_purpose(3).
720
807
  */
721
808
  static VALUE
722
809
  ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
@@ -733,6 +820,11 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
733
820
  /*
734
821
  * call-seq:
735
822
  * stctx.trust = trust
823
+ *
824
+ * Sets the trust settings of the context. This overrides the default value set
825
+ * by Store#trust=.
826
+ *
827
+ * See also the man page X509_VERIFY_PARAM_set_trust(3).
736
828
  */
737
829
  static VALUE
738
830
  ossl_x509stctx_set_trust(VALUE self, VALUE trust)
@@ -751,6 +843,8 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
751
843
  * stctx.time = time
752
844
  *
753
845
  * Sets the time used in the verification. If not set, the current time is used.
846
+ *
847
+ * See also the man page X509_VERIFY_PARAM_set_time(3).
754
848
  */
755
849
  static VALUE
756
850
  ossl_x509stctx_set_time(VALUE self, VALUE time)
@@ -771,6 +865,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
771
865
  void
772
866
  Init_ossl_x509store(void)
773
867
  {
868
+ #undef rb_intern
774
869
  #if 0
775
870
  mOSSL = rb_define_module("OpenSSL");
776
871
  eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
@@ -825,23 +920,37 @@ Init_ossl_x509store(void)
825
920
  cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
826
921
  /*
827
922
  * The callback for additional certificate verification. It is invoked for
828
- * each untrusted certificate in the chain.
923
+ * each certificate in the chain and can be used to implement custom
924
+ * certificate verification conditions.
829
925
  *
830
926
  * The callback is invoked with two values, a boolean that indicates if the
831
927
  * pre-verification by OpenSSL has succeeded or not, and the StoreContext in
832
- * use. The callback must return either true or false.
928
+ * use.
929
+ *
930
+ * The callback can use StoreContext#error= to change the error code as
931
+ * needed. The callback must return either true or false.
932
+ *
933
+ * NOTE: any exception raised within the callback will be ignored.
934
+ *
935
+ * See also the man page X509_STORE_CTX_set_verify_cb(3).
833
936
  */
834
937
  rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
835
938
  /*
836
939
  * The error code set by the last call of #verify.
940
+ *
941
+ * See also StoreContext#error.
837
942
  */
838
943
  rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
839
944
  /*
840
945
  * The description for the error code set by the last call of #verify.
946
+ *
947
+ * See also StoreContext#error_string.
841
948
  */
842
949
  rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
843
950
  /*
844
951
  * The certificate chain constructed by the last call of #verify.
952
+ *
953
+ * See also StoreContext#chain.
845
954
  */
846
955
  rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
847
956
  rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
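--- a/data/lib/openssl/bn.rb
+++ b/data/lib/openssl/bn.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 #
 # = Ruby-space definitions that completes C-space funcs for BN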