openssl 2.1.2 → 3.0.0

data/ext/openssl/ossl_ts.h

@@ -0,0 +1,16 @@
+/*
+ *
+ * Copyright (C) 2010 Martin Bosslet <Martin.Bosslet@googlemail.com>
+ * All rights reserved.
+ */
+/*
+ * This program is licenced under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+
+#if !defined(_OSSL_TS_H_)
+#define _OSSL_TS_H_
+
+void Init_ossl_ts(void);
+
+#endif

data/ext/openssl/ossl_x509.c

@@ -44,7 +44,13 @@ Init_ossl_x509(void)
     Init_ossl_x509revoked();
     Init_ossl_x509store();
 
+    /* Constants are up-to-date with 1.1.1. */
+
+    /* Certificate verification error code */
     DefX509Const(V_OK);
+#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
+    DefX509Const(V_ERR_UNSPECIFIED);
+#endif
     DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
     DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
     DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
@@ -76,8 +82,71 @@ Init_ossl_x509(void)
     DefX509Const(V_ERR_AKID_SKID_MISMATCH);
     DefX509Const(V_ERR_AKID_ISSUER_SERIAL_MISMATCH);
     DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
+    DefX509Const(V_ERR_UNABLE_TO_GET_CRL_ISSUER);
+    DefX509Const(V_ERR_UNHANDLED_CRITICAL_EXTENSION);
+    DefX509Const(V_ERR_KEYUSAGE_NO_CRL_SIGN);
+    DefX509Const(V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION);
+    DefX509Const(V_ERR_INVALID_NON_CA);
+    DefX509Const(V_ERR_PROXY_PATH_LENGTH_EXCEEDED);
+    DefX509Const(V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE);
+    DefX509Const(V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);
+    DefX509Const(V_ERR_INVALID_EXTENSION);
+    DefX509Const(V_ERR_INVALID_POLICY_EXTENSION);
+    DefX509Const(V_ERR_NO_EXPLICIT_POLICY);
+    DefX509Const(V_ERR_DIFFERENT_CRL_SCOPE);
+    DefX509Const(V_ERR_UNSUPPORTED_EXTENSION_FEATURE);
+    DefX509Const(V_ERR_UNNESTED_RESOURCE);
+    DefX509Const(V_ERR_PERMITTED_VIOLATION);
+    DefX509Const(V_ERR_EXCLUDED_VIOLATION);
+    DefX509Const(V_ERR_SUBTREE_MINMAX);
     DefX509Const(V_ERR_APPLICATION_VERIFICATION);
+    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_TYPE);
+    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
+    DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
+    DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
+#if defined(X509_V_ERR_PATH_LOOP)
+    DefX509Const(V_ERR_PATH_LOOP);
+#endif
+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
+    DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
+    DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
+    DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
+    DefX509Const(V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM);
+    DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
+    DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
+#endif
+    DefX509Const(V_ERR_HOSTNAME_MISMATCH);
+    DefX509Const(V_ERR_EMAIL_MISMATCH);
+    DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
+#if defined(X509_V_ERR_DANE_NO_MATCH)
+    DefX509Const(V_ERR_DANE_NO_MATCH);
+#endif
+#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
+    DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
+    DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
+    DefX509Const(V_ERR_CA_MD_TOO_WEAK);
+#endif
+#if defined(X509_V_ERR_INVALID_CALL)
+    DefX509Const(V_ERR_INVALID_CALL);
+#endif
+#if defined(X509_V_ERR_STORE_LOOKUP)
+    DefX509Const(V_ERR_STORE_LOOKUP);
+#endif
+#if defined(X509_V_ERR_NO_VALID_SCTS)
+    DefX509Const(V_ERR_NO_VALID_SCTS);
+#endif
+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
+    DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
+#endif
+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
+    DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
+    DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
+    DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
+#endif
 
+    /* Certificate verify flags */
+    /* Set by Store#flags= and StoreContext#flags=. */
+    DefX509Const(V_FLAG_USE_CHECK_TIME);
     /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
      * certificate chain leaf. */
     DefX509Const(V_FLAG_CRL_CHECK);
@@ -116,12 +185,28 @@ Init_ossl_x509(void)
     /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
      * signature of the root self-signed CA. */
     DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
-#if defined(X509_V_FLAG_TRUSTED_FIRST)
     /* Set by Store#flags= and StoreContext#flags=. When constructing a
      * certificate chain, search the Store first for the issuer certificate.
      * Enabled by default in OpenSSL >= 1.1.0. */
     DefX509Const(V_FLAG_TRUSTED_FIRST);
+#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 128 bit only mode. */
+    DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
 #endif
+#if defined(X509_V_FLAG_SUITEB_192_LOS)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 192 bit only mode. */
+    DefX509Const(V_FLAG_SUITEB_192_LOS);
+#endif
+#if defined(X509_V_FLAG_SUITEB_128_LOS)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
+    DefX509Const(V_FLAG_SUITEB_128_LOS);
+#endif
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Allows partial chains if at least one certificate is in trusted store. */
+    DefX509Const(V_FLAG_PARTIAL_CHAIN);
 #if defined(X509_V_FLAG_NO_ALT_CHAINS)
     /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
      * a alternative chain. No effect in OpenSSL >= 1.1.0. */

data/ext/openssl/ossl_x509cert.c

@@ -115,24 +115,27 @@ static VALUE
 ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
 {
     BIO *in;
-    X509 *x509, *x = DATA_PTR(self);
+    X509 *x509, *x509_orig = RTYPEDDATA_DATA(self);
     VALUE arg;
 
+    rb_check_frozen(self);
     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
 	/* create just empty X509Cert */
 	return self;
     }
     arg = ossl_to_der_if_possible(arg);
     in = ossl_obj2bio(&arg);
-    x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
-    DATA_PTR(self) = x;
+    x509 = d2i_X509_bio(in, NULL);
     if (!x509) {
-	OSSL_BIO_reset(in);
-	x509 = d2i_X509_bio(in, &x);
-	DATA_PTR(self) = x;
+        OSSL_BIO_reset(in);
+        x509 = PEM_read_bio_X509(in, NULL, NULL, NULL);
     }
     BIO_free(in);
-    if (!x509) ossl_raise(eX509CertError, NULL);
+    if (!x509)
+        ossl_raise(eX509CertError, "PEM_read_bio_X509");
+
+    RTYPEDDATA_DATA(self) = x509;
+    X509_free(x509_orig);
 
     return self;
 }
@@ -704,6 +707,157 @@ ossl_x509_eq(VALUE self, VALUE other)
     return !X509_cmp(a, b) ? Qtrue : Qfalse;
 }
 
+struct load_chained_certificates_arguments {
+    VALUE certificates;
+    X509 *certificate;
+};
+
+static VALUE
+load_chained_certificates_append_push(VALUE _arguments) {
+    struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+    if (arguments->certificates == Qnil) {
+        arguments->certificates = rb_ary_new();
+    }
+
+    rb_ary_push(arguments->certificates, ossl_x509_new(arguments->certificate));
+
+    return Qnil;
+}
+
+static VALUE
+load_chained_certificate_append_ensure(VALUE _arguments) {
+    struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+    X509_free(arguments->certificate);
+
+    return Qnil;
+}
+
+inline static VALUE
+load_chained_certificates_append(VALUE certificates, X509 *certificate) {
+    struct load_chained_certificates_arguments arguments;
+    arguments.certificates = certificates;
+    arguments.certificate = certificate;
+
+    rb_ensure(load_chained_certificates_append_push, (VALUE)&arguments, load_chained_certificate_append_ensure, (VALUE)&arguments);
+
+    return arguments.certificates;
+}
+
+static VALUE
+load_chained_certificates_PEM(BIO *in) {
+    VALUE certificates = Qnil;
+    X509 *certificate = PEM_read_bio_X509(in, NULL, NULL, NULL);
+
+    /* If we cannot read even one certificate: */
+    if (certificate == NULL) {
+        /* If we cannot read one certificate because we could not read the PEM encoding: */
+        if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+            ossl_clear_error();
+        }
+
+        if (ERR_peek_last_error())
+            ossl_raise(eX509CertError, NULL);
+        else
+            return Qnil;
+    }
+
+    certificates = load_chained_certificates_append(Qnil, certificate);
+
+    while ((certificate = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+      load_chained_certificates_append(certificates, certificate);
+    }
+
+    /* We tried to read one more certificate but could not read start line: */
+    if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+        /* This is not an error, it means we are finished: */
+        ossl_clear_error();
+
+        return certificates;
+    }
+
+    /* Alternatively, if we reached the end of the file and there was no error: */
+    if (BIO_eof(in) && !ERR_peek_last_error()) {
+        return certificates;
+    } else {
+        /* Otherwise, we tried to read a certificate but failed somewhere: */
+        ossl_raise(eX509CertError, NULL);
+    }
+}
+
+static VALUE
+load_chained_certificates_DER(BIO *in) {
+    X509 *certificate = d2i_X509_bio(in, NULL);
+
+    /* If we cannot read one certificate: */
+    if (certificate == NULL) {
+        /* Ignore error. We could not load. */
+        ossl_clear_error();
+
+        return Qnil;
+    }
+
+    return load_chained_certificates_append(Qnil, certificate);
+}
+
+static VALUE
+load_chained_certificates(VALUE _io) {
+    BIO *in = (BIO*)_io;
+    VALUE certificates = Qnil;
+
+    /*
+      DER is a binary format and it may contain octets within it that look like
+      PEM encoded certificates. So we need to check DER first.
+    */
+    certificates = load_chained_certificates_DER(in);
+
+    if (certificates != Qnil)
+        return certificates;
+
+    OSSL_BIO_reset(in);
+
+    certificates = load_chained_certificates_PEM(in);
+
+    if (certificates != Qnil)
+        return certificates;
+
+    /* Otherwise we couldn't read the output correctly so fail: */
+    ossl_raise(eX509CertError, "Could not detect format of certificate data!");
+}
+
+static VALUE
+load_chained_certificates_ensure(VALUE _io) {
+    BIO *in = (BIO*)_io;
+
+    BIO_free(in);
+
+    return Qnil;
+}
+
+/*
+ * call-seq:
+ *    OpenSSL::X509::Certificate.load(string) -> [certs...]
+ *    OpenSSL::X509::Certificate.load(file) -> [certs...]
+ *
+ * Read the chained certificates from the given input. Supports both PEM
+ * and DER encoded certificates.
+ *
+ * PEM is a text format and supports more than one certificate.
+ *
+ * DER is a binary format and only supports one certificate.
+ *
+ * If the file is empty, or contains only unrelated data, an
+ * +OpenSSL::X509::CertificateError+ exception will be raised.
+ */
+static VALUE
+ossl_x509_load(VALUE klass, VALUE buffer)
+{
+    BIO *in = ossl_obj2bio(&buffer);
+
+    return rb_ensure(load_chained_certificates, (VALUE)in, load_chained_certificates_ensure, (VALUE)in);
+}
+
 /*
  * INIT
  */
@@ -730,7 +884,7 @@ Init_ossl_x509cert(void)
      * Certificate is capable of handling DER-encoded certificates and
      * certificates encoded in OpenSSL's PEM format.
      *
-     *   raw = File.read "cert.cer" # DER- or PEM-encoded
+     *   raw = File.binread "cert.cer" # DER- or PEM-encoded
      *   certificate = OpenSSL::X509::Certificate.new raw
      *
      * === Saving a certificate to a file
@@ -788,7 +942,7 @@ Init_ossl_x509cert(void)
      *   root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
      *   root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
      *   root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
-     *   root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   root_ca.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      * The next step is to create the end-entity certificate using the root CA
      * certificate.
@@ -807,11 +961,13 @@ Init_ossl_x509cert(void)
      *   ef.issuer_certificate = root_ca
      *   cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
      *   cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
-     *   cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      */
     cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);
 
+    rb_define_singleton_method(cX509Cert, "load", ossl_x509_load, 1);
+
     rb_define_alloc_func(cX509Cert, ossl_x509_alloc);
     rb_define_method(cX509Cert, "initialize", ossl_x509_initialize, -1);
     rb_define_method(cX509Cert, "initialize_copy", ossl_x509_copy, 1);

data/ext/openssl/ossl_x509crl.c

@@ -93,23 +93,26 @@ static VALUE
 ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
 {
     BIO *in;
-    X509_CRL *crl, *x = DATA_PTR(self);
+    X509_CRL *crl, *crl_orig = RTYPEDDATA_DATA(self);
     VALUE arg;
 
+    rb_check_frozen(self);
     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
 	return self;
     }
     arg = ossl_to_der_if_possible(arg);
     in = ossl_obj2bio(&arg);
-    crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
-    DATA_PTR(self) = x;
+    crl = d2i_X509_CRL_bio(in, NULL);
     if (!crl) {
-	OSSL_BIO_reset(in);
-	crl = d2i_X509_CRL_bio(in, &x);
-	DATA_PTR(self) = x;
+        OSSL_BIO_reset(in);
+        crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
     }
     BIO_free(in);
-    if (!crl) ossl_raise(eX509CRLError, NULL);
+    if (!crl)
+        ossl_raise(eX509CRLError, "PEM_read_bio_X509_CRL");
+
+    RTYPEDDATA_DATA(self) = crl;
+    X509_CRL_free(crl_orig);
 
     return self;
 }

data/ext/openssl/ossl_x509ext.c

@@ -226,11 +226,10 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
     GetX509ExtFactory(self, ctx);
     obj = NewX509Ext(cX509Ext);
     rconf = rb_iv_get(self, "@config");
-    conf = NIL_P(rconf) ? NULL : DupConfigPtr(rconf);
+    conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
     X509V3_set_nconf(ctx, conf);
     ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
     X509V3_set_ctx_nodb(ctx);
-    NCONF_free(conf);
     if (!ext){
 	ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);
     }
@@ -402,6 +401,19 @@ ossl_x509ext_get_value(VALUE obj)
     return ret;
 }
 
+static VALUE
+ossl_x509ext_get_value_der(VALUE obj)
+{
+    X509_EXTENSION *ext;
+    ASN1_OCTET_STRING *value;
+
+    GetX509Ext(obj, ext);
+    if ((value = X509_EXTENSION_get_data(ext)) == NULL)
+	ossl_raise(eX509ExtError, NULL);
+
+    return rb_str_new((const char *)value->data, value->length);
+}
+
 static VALUE
 ossl_x509ext_get_critical(VALUE obj)
 {
@@ -472,6 +484,7 @@ Init_ossl_x509ext(void)
     rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
     rb_define_method(cX509Ext, "oid", ossl_x509ext_get_oid, 0);
     rb_define_method(cX509Ext, "value", ossl_x509ext_get_value, 0);
+    rb_define_method(cX509Ext, "value_der", ossl_x509ext_get_value_der, 0);
     rb_define_method(cX509Ext, "critical?", ossl_x509ext_get_critical, 0);
     rb_define_method(cX509Ext, "to_der", ossl_x509ext_to_der, 0);
 }

data/ext/openssl/ossl_x509name.c

@@ -270,7 +270,7 @@ x509name_print(VALUE self, unsigned long iflag)
     if (!out)
 	ossl_raise(eX509NameError, NULL);
     ret = X509_NAME_print_ex(out, name, 0, iflag);
-    if (ret < 0 || iflag == XN_FLAG_COMPAT && ret == 0) {
+    if (ret < 0 || (iflag == XN_FLAG_COMPAT && ret == 0)) {
 	BIO_free(out);
 	ossl_raise(eX509NameError, "X509_NAME_print_ex");
     }
@@ -291,7 +291,14 @@ x509name_print(VALUE self, unsigned long iflag)
  * * OpenSSL::X509::Name::MULTILINE
  *
  * If _format_ is omitted, the largely broken and traditional OpenSSL format
- * is used.
+ * (<tt>X509_NAME_oneline()</tt> format) is chosen.
+ *
+ * <b>Use of this method is discouraged.</b> None of the formats other than
+ * OpenSSL::X509::Name::RFC2253 is standardized and may show an inconsistent
+ * behavior through \OpenSSL versions.
+ *
+ * It is recommended to use #to_utf8 instead, which is equivalent to calling
+ * <tt>name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")</tt>.
  */
 static VALUE
 ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
@@ -387,17 +394,21 @@ ossl_x509name_cmp0(VALUE self, VALUE other)
 
 /*
  * call-seq:
- *    name.cmp(other) -> -1 | 0 | 1
- *    name <=> other  -> -1 | 0 | 1
+ *    name.cmp(other) -> -1 | 0 | 1 | nil
+ *    name <=> other  -> -1 | 0 | 1 | nil
  *
  * Compares this Name with _other_ and returns +0+ if they are the same and +-1+
  * or ++1+ if they are greater or less than each other respectively.
+ * Returns +nil+ if they are not comparable (i.e. different types).
  */
 static VALUE
 ossl_x509name_cmp(VALUE self, VALUE other)
 {
     int result;
 
+    if (!rb_obj_is_kind_of(other, cX509Name))
+	return Qnil;
+
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
     if (result > 0) return INT2FIX(1);
@@ -494,7 +505,7 @@ ossl_x509name_to_der(VALUE self)
  * You can create a Name by parsing a distinguished name String or by
  * supplying the distinguished name as an Array.
  *
- *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+ *   name = OpenSSL::X509::Name.parse_rfc2253 'DC=example,CN=nobody'
  *
  *   name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
  */

data/ext/openssl/ossl_x509req.c

@@ -79,23 +79,26 @@ static VALUE
 ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
 {
     BIO *in;
-    X509_REQ *req, *x = DATA_PTR(self);
+    X509_REQ *req, *req_orig = RTYPEDDATA_DATA(self);
     VALUE arg;
 
+    rb_check_frozen(self);
     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
 	return self;
     }
     arg = ossl_to_der_if_possible(arg);
     in = ossl_obj2bio(&arg);
-    req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL);
-    DATA_PTR(self) = x;
+    req = d2i_X509_REQ_bio(in, NULL);
     if (!req) {
-	OSSL_BIO_reset(in);
-	req = d2i_X509_REQ_bio(in, &x);
-	DATA_PTR(self) = x;
+        OSSL_BIO_reset(in);
+        req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
     }
     BIO_free(in);
-    if (!req) ossl_raise(eX509ReqError, NULL);
+    if (!req)
+        ossl_raise(eX509ReqError, "PEM_read_bio_X509_REQ");
+
+    RTYPEDDATA_DATA(self) = req;
+    X509_REQ_free(req_orig);
 
     return self;
 }