openssl 2.1.4 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +9 -7
  3. data/History.md +68 -37
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +43 -41
  6. data/ext/openssl/openssl_missing.h +36 -1
  7. data/ext/openssl/ossl.c +49 -23
  8. data/ext/openssl/ossl.h +7 -4
  9. data/ext/openssl/ossl_asn1.c +25 -0
  10. data/ext/openssl/ossl_bn.c +16 -23
  11. data/ext/openssl/ossl_cipher.c +33 -24
  12. data/ext/openssl/ossl_digest.c +18 -57
  13. data/ext/openssl/ossl_engine.c +2 -12
  14. data/ext/openssl/ossl_hmac.c +5 -11
  15. data/ext/openssl/ossl_kdf.c +3 -19
  16. data/ext/openssl/ossl_ns_spki.c +1 -1
  17. data/ext/openssl/ossl_ocsp.c +6 -11
  18. data/ext/openssl/ossl_ocsp.h +3 -3
  19. data/ext/openssl/ossl_pkcs7.c +3 -19
  20. data/ext/openssl/ossl_pkcs7.h +16 -0
  21. data/ext/openssl/ossl_pkey.c +180 -14
  22. data/ext/openssl/ossl_pkey_dsa.c +2 -2
  23. data/ext/openssl/ossl_pkey_ec.c +37 -8
  24. data/ext/openssl/ossl_pkey_rsa.c +17 -9
  25. data/ext/openssl/ossl_rand.c +2 -32
  26. data/ext/openssl/ossl_ssl.c +78 -72
  27. data/ext/openssl/ossl_ts.c +1514 -0
  28. data/ext/openssl/ossl_ts.h +16 -0
  29. data/ext/openssl/ossl_x509cert.c +2 -2
  30. data/ext/openssl/ossl_x509ext.c +14 -0
  31. data/ext/openssl/ossl_x509name.c +7 -3
  32. data/ext/openssl/ossl_x509store.c +20 -39
  33. data/lib/openssl/bn.rb +1 -1
  34. data/lib/openssl/buffering.rb +28 -5
  35. data/lib/openssl/cipher.rb +1 -1
  36. data/lib/openssl/config.rb +17 -8
  37. data/lib/openssl/digest.rb +10 -12
  38. data/lib/openssl/hmac.rb +13 -0
  39. data/lib/openssl/marshal.rb +30 -0
  40. data/lib/openssl/pkcs5.rb +1 -1
  41. data/lib/openssl/pkey.rb +18 -1
  42. data/lib/openssl/ssl.rb +40 -2
  43. data/lib/openssl/version.rb +5 -0
  44. data/lib/openssl/x509.rb +155 -1
  45. data/lib/openssl.rb +25 -9
  46. metadata +13 -24
  47. data/ext/openssl/deprecation.rb +0 -27
  48. data/ext/openssl/ossl_version.h +0 -15
@@ -13,12 +13,6 @@
13
13
 
14
14
  #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
15
15
 
16
- #if !defined(TLS1_3_VERSION) && \
17
- defined(LIBRESSL_VERSION_NUMBER) && \
18
- LIBRESSL_VERSION_NUMBER >= 0x3020000fL
19
- # define TLS1_3_VERSION 0x0304
20
- #endif
21
-
22
16
  #ifdef _WIN32
23
17
  # define TO_SOCKET(s) _get_osfhandle(s)
24
18
  #else
@@ -39,7 +33,7 @@ static VALUE eSSLErrorWaitReadable;
39
33
  static VALUE eSSLErrorWaitWritable;
40
34
 
41
35
  static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
42
- id_npn_protocols_encoded, id_each;
36
+ id_npn_protocols_encoded;
43
37
  static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
44
38
 
45
39
  static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -59,13 +53,6 @@ static int ossl_sslctx_ex_ptr_idx;
59
53
  static int ossl_sslctx_ex_store_p;
60
54
  #endif
61
55
 
62
- static void
63
- ossl_sslctx_mark(void *ptr)
64
- {
65
- SSL_CTX *ctx = ptr;
66
- rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
67
- }
68
-
69
56
  static void
70
57
  ossl_sslctx_free(void *ptr)
71
58
  {
@@ -80,7 +67,7 @@ ossl_sslctx_free(void *ptr)
80
67
  static const rb_data_type_t ossl_sslctx_type = {
81
68
  "OpenSSL/SSL/CTX",
82
69
  {
83
- ossl_sslctx_mark, ossl_sslctx_free,
70
+ 0, ossl_sslctx_free,
84
71
  },
85
72
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
86
73
  };
@@ -629,7 +616,7 @@ static VALUE
629
616
  ssl_encode_npn_protocols(VALUE protocols)
630
617
  {
631
618
  VALUE encoded = rb_str_new(NULL, 0);
632
- rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
619
+ rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
633
620
  return encoded;
634
621
  }
635
622
 
@@ -699,7 +686,7 @@ static int
699
686
  ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
700
687
  void *arg)
701
688
  {
702
- VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
689
+ VALUE protocols = (VALUE)arg;
703
690
 
704
691
  *out = (const unsigned char *) RSTRING_PTR(protocols);
705
692
  *outlen = RSTRING_LENINT(protocols);
@@ -830,6 +817,10 @@ ossl_sslctx_setup(VALUE self)
830
817
  }
831
818
  #endif /* OPENSSL_NO_EC */
832
819
 
820
+ #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
821
+ SSL_CTX_set_post_handshake_auth(ctx, 1);
822
+ #endif
823
+
833
824
  val = rb_attr_get(self, id_i_cert_store);
834
825
  if (!NIL_P(val)) {
835
826
  X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
@@ -917,7 +908,7 @@ ossl_sslctx_setup(VALUE self)
917
908
  if (!NIL_P(val)) {
918
909
  VALUE encoded = ssl_encode_npn_protocols(val);
919
910
  rb_ivar_set(self, id_npn_protocols_encoded, encoded);
920
- SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
911
+ SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
921
912
  OSSL_Debug("SSL NPN advertise callback added");
922
913
  }
923
914
  if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
@@ -1535,14 +1526,6 @@ ssl_started(SSL *ssl)
1535
1526
  return SSL_get_fd(ssl) >= 0;
1536
1527
  }
1537
1528
 
1538
- static void
1539
- ossl_ssl_mark(void *ptr)
1540
- {
1541
- SSL *ssl = ptr;
1542
- rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
1543
- rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
1544
- }
1545
-
1546
1529
  static void
1547
1530
  ossl_ssl_free(void *ssl)
1548
1531
  {
@@ -1552,7 +1535,7 @@ ossl_ssl_free(void *ssl)
1552
1535
  const rb_data_type_t ossl_ssl_type = {
1553
1536
  "OpenSSL/SSL",
1554
1537
  {
1555
- ossl_ssl_mark, ossl_ssl_free,
1538
+ 0, ossl_ssl_free,
1556
1539
  },
1557
1540
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
1558
1541
  };
@@ -1708,11 +1691,6 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
1708
1691
  rb_io_wait_readable(fptr->fd);
1709
1692
  continue;
1710
1693
  case SSL_ERROR_SYSCALL:
1711
- #ifdef __APPLE__
1712
- /* See ossl_ssl_write_internal() */
1713
- if (errno == EPROTOTYPE)
1714
- continue;
1715
- #endif
1716
1694
  if (errno) rb_sys_fail(funcname);
1717
1695
  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1718
1696
  #if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
@@ -1869,36 +1847,26 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1869
1847
  io = rb_attr_get(self, id_i_io);
1870
1848
  GetOpenFile(io, fptr);
1871
1849
  if (ssl_started(ssl)) {
1872
- rb_str_locktmp(str);
1873
- for (;;) {
1850
+ for (;;){
1874
1851
  nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
1875
1852
  switch(ssl_get_error(ssl, nread)){
1876
1853
  case SSL_ERROR_NONE:
1877
- rb_str_unlocktmp(str);
1878
1854
  goto end;
1879
1855
  case SSL_ERROR_ZERO_RETURN:
1880
- rb_str_unlocktmp(str);
1881
1856
  if (no_exception_p(opts)) { return Qnil; }
1882
1857
  rb_eof_error();
1883
1858
  case SSL_ERROR_WANT_WRITE:
1884
- if (nonblock) {
1885
- rb_str_unlocktmp(str);
1886
- if (no_exception_p(opts)) { return sym_wait_writable; }
1887
- write_would_block(nonblock);
1888
- }
1859
+ if (no_exception_p(opts)) { return sym_wait_writable; }
1860
+ write_would_block(nonblock);
1889
1861
  rb_io_wait_writable(fptr->fd);
1890
1862
  continue;
1891
1863
  case SSL_ERROR_WANT_READ:
1892
- if (nonblock) {
1893
- rb_str_unlocktmp(str);
1894
- if (no_exception_p(opts)) { return sym_wait_readable; }
1895
- read_would_block(nonblock);
1896
- }
1864
+ if (no_exception_p(opts)) { return sym_wait_readable; }
1865
+ read_would_block(nonblock);
1897
1866
  rb_io_wait_readable(fptr->fd);
1898
1867
  continue;
1899
1868
  case SSL_ERROR_SYSCALL:
1900
1869
  if (!ERR_peek_error()) {
1901
- rb_str_unlocktmp(str);
1902
1870
  if (errno)
1903
1871
  rb_sys_fail(0);
1904
1872
  else {
@@ -1915,7 +1883,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1915
1883
  }
1916
1884
  /* fall through */
1917
1885
  default:
1918
- rb_str_unlocktmp(str);
1919
1886
  ossl_raise(eSSLError, "SSL_read");
1920
1887
  }
1921
1888
  }
@@ -1986,21 +1953,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1986
1953
  int nwrite = 0;
1987
1954
  rb_io_t *fptr;
1988
1955
  int nonblock = opts != Qfalse;
1989
- VALUE tmp, io;
1956
+ VALUE io;
1990
1957
 
1991
- tmp = rb_str_new_frozen(StringValue(str));
1958
+ StringValue(str);
1992
1959
  GetSSL(self, ssl);
1993
1960
  io = rb_attr_get(self, id_i_io);
1994
1961
  GetOpenFile(io, fptr);
1995
1962
  if (ssl_started(ssl)) {
1996
- for (;;) {
1997
- int num = RSTRING_LENINT(tmp);
1963
+ for (;;){
1964
+ int num = RSTRING_LENINT(str);
1998
1965
 
1999
1966
  /* SSL_write(3ssl) manpage states num == 0 is undefined */
2000
1967
  if (num == 0)
2001
1968
  goto end;
2002
1969
 
2003
- nwrite = SSL_write(ssl, RSTRING_PTR(tmp), num);
1970
+ nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
2004
1971
  switch(ssl_get_error(ssl, nwrite)){
2005
1972
  case SSL_ERROR_NONE:
2006
1973
  goto end;
@@ -2015,16 +1982,6 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
2015
1982
  rb_io_wait_readable(fptr->fd);
2016
1983
  continue;
2017
1984
  case SSL_ERROR_SYSCALL:
2018
- #ifdef __APPLE__
2019
- /*
2020
- * It appears that send syscall can return EPROTOTYPE if the
2021
- * socket is being torn down. Retry to get a proper errno to
2022
- * make the error handling in line with the socket library.
2023
- * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
2024
- */
2025
- if (errno == EPROTOTYPE)
2026
- continue;
2027
- #endif
2028
1985
  if (errno) rb_sys_fail(0);
2029
1986
  default:
2030
1987
  ossl_raise(eSSLError, "SSL_write");
@@ -2352,7 +2309,57 @@ ossl_ssl_get_verify_result(VALUE self)
2352
2309
 
2353
2310
  GetSSL(self, ssl);
2354
2311
 
2355
- return INT2NUM(SSL_get_verify_result(ssl));
2312
+ return LONG2NUM(SSL_get_verify_result(ssl));
2313
+ }
2314
+
2315
+ /*
2316
+ * call-seq:
2317
+ * ssl.finished_message => "finished message"
2318
+ *
2319
+ * Returns the last *Finished* message sent
2320
+ *
2321
+ */
2322
+ static VALUE
2323
+ ossl_ssl_get_finished(VALUE self)
2324
+ {
2325
+ SSL *ssl;
2326
+ char sizer[1], *buf;
2327
+ size_t len;
2328
+
2329
+ GetSSL(self, ssl);
2330
+
2331
+ len = SSL_get_finished(ssl, sizer, 0);
2332
+ if (len == 0)
2333
+ return Qnil;
2334
+
2335
+ buf = ALLOCA_N(char, len);
2336
+ SSL_get_finished(ssl, buf, len);
2337
+ return rb_str_new(buf, len);
2338
+ }
2339
+
2340
+ /*
2341
+ * call-seq:
2342
+ * ssl.peer_finished_message => "peer finished message"
2343
+ *
2344
+ * Returns the last *Finished* message received
2345
+ *
2346
+ */
2347
+ static VALUE
2348
+ ossl_ssl_get_peer_finished(VALUE self)
2349
+ {
2350
+ SSL *ssl;
2351
+ char sizer[1], *buf;
2352
+ size_t len;
2353
+
2354
+ GetSSL(self, ssl);
2355
+
2356
+ len = SSL_get_peer_finished(ssl, sizer, 0);
2357
+ if (len == 0)
2358
+ return Qnil;
2359
+
2360
+ buf = ALLOCA_N(char, len);
2361
+ SSL_get_peer_finished(ssl, buf, len);
2362
+ return rb_str_new(buf, len);
2356
2363
  }
2357
2364
 
2358
2365
  /*
@@ -2677,13 +2684,13 @@ Init_ossl_ssl(void)
2677
2684
  rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
2678
2685
 
2679
2686
  /*
2680
- * A callback invoked whenever a new handshake is initiated. May be used
2681
- * to disable renegotiation entirely.
2687
+ * A callback invoked whenever a new handshake is initiated on an
2688
+ * established connection. May be used to disable renegotiation entirely.
2682
2689
  *
2683
2690
  * The callback is invoked with the active SSLSocket. The callback's
2684
- * return value is irrelevant, normal return indicates "approval" of the
2691
+ * return value is ignored. A normal return indicates "approval" of the
2685
2692
  * renegotiation and will continue the process. To forbid renegotiation
2686
- * and to cancel the process, an Error may be raised within the callback.
2693
+ * and to cancel the process, raise an exception within the callback.
2687
2694
  *
2688
2695
  * === Disable client renegotiation
2689
2696
  *
@@ -2691,10 +2698,8 @@ Init_ossl_ssl(void)
2691
2698
  * renegotiation entirely. You may use a callback as follows to implement
2692
2699
  * this feature:
2693
2700
  *
2694
- * num_handshakes = 0
2695
2701
  * ctx.renegotiation_cb = lambda do |ssl|
2696
- * num_handshakes += 1
2697
- * raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
2702
+ * raise RuntimeError, "Client renegotiation disabled"
2698
2703
  * end
2699
2704
  */
2700
2705
  rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
@@ -2872,6 +2877,8 @@ Init_ossl_ssl(void)
2872
2877
  rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
2873
2878
  /* #hostname is defined in lib/openssl/ssl.rb */
2874
2879
  rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
2880
+ rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
2881
+ rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
2875
2882
  # ifdef HAVE_SSL_GET_SERVER_TMP_KEY
2876
2883
  rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
2877
2884
  # endif
@@ -2992,7 +2999,6 @@ Init_ossl_ssl(void)
2992
2999
  id_tmp_dh_callback = rb_intern("tmp_dh_callback");
2993
3000
  id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
2994
3001
  id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
2995
- id_each = rb_intern_const("each");
2996
3002
 
2997
3003
  #define DefIVarID(name) do \
2998
3004
  id_i_##name = rb_intern("@"#name); while (0)