openssl 2.1.4 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +9 -7
- data/History.md +68 -37
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +43 -41
- data/ext/openssl/openssl_missing.h +36 -1
- data/ext/openssl/ossl.c +49 -23
- data/ext/openssl/ossl.h +7 -4
- data/ext/openssl/ossl_asn1.c +25 -0
- data/ext/openssl/ossl_bn.c +16 -23
- data/ext/openssl/ossl_cipher.c +33 -24
- data/ext/openssl/ossl_digest.c +18 -57
- data/ext/openssl/ossl_engine.c +2 -12
- data/ext/openssl/ossl_hmac.c +5 -11
- data/ext/openssl/ossl_kdf.c +3 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +6 -11
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs7.c +3 -19
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +180 -14
- data/ext/openssl/ossl_pkey_dsa.c +2 -2
- data/ext/openssl/ossl_pkey_ec.c +37 -8
- data/ext/openssl/ossl_pkey_rsa.c +17 -9
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +78 -72
- data/ext/openssl/ossl_ts.c +1514 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509cert.c +2 -2
- data/ext/openssl/ossl_x509ext.c +14 -0
- data/ext/openssl/ossl_x509name.c +7 -3
- data/ext/openssl/ossl_x509store.c +20 -39
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +28 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/config.rb +17 -8
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +13 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +18 -1
- data/lib/openssl/ssl.rb +40 -2
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +155 -1
- data/lib/openssl.rb +25 -9
- metadata +13 -24
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
data/ext/openssl/ossl_ssl.c
CHANGED
@@ -13,12 +13,6 @@
|
|
13
13
|
|
14
14
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
15
15
|
|
16
|
-
#if !defined(TLS1_3_VERSION) && \
|
17
|
-
defined(LIBRESSL_VERSION_NUMBER) && \
|
18
|
-
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
19
|
-
# define TLS1_3_VERSION 0x0304
|
20
|
-
#endif
|
21
|
-
|
22
16
|
#ifdef _WIN32
|
23
17
|
# define TO_SOCKET(s) _get_osfhandle(s)
|
24
18
|
#else
|
@@ -39,7 +33,7 @@ static VALUE eSSLErrorWaitReadable;
|
|
39
33
|
static VALUE eSSLErrorWaitWritable;
|
40
34
|
|
41
35
|
static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
|
42
|
-
id_npn_protocols_encoded
|
36
|
+
id_npn_protocols_encoded;
|
43
37
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
44
38
|
|
45
39
|
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
@@ -59,13 +53,6 @@ static int ossl_sslctx_ex_ptr_idx;
|
|
59
53
|
static int ossl_sslctx_ex_store_p;
|
60
54
|
#endif
|
61
55
|
|
62
|
-
static void
|
63
|
-
ossl_sslctx_mark(void *ptr)
|
64
|
-
{
|
65
|
-
SSL_CTX *ctx = ptr;
|
66
|
-
rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
|
67
|
-
}
|
68
|
-
|
69
56
|
static void
|
70
57
|
ossl_sslctx_free(void *ptr)
|
71
58
|
{
|
@@ -80,7 +67,7 @@ ossl_sslctx_free(void *ptr)
|
|
80
67
|
static const rb_data_type_t ossl_sslctx_type = {
|
81
68
|
"OpenSSL/SSL/CTX",
|
82
69
|
{
|
83
|
-
|
70
|
+
0, ossl_sslctx_free,
|
84
71
|
},
|
85
72
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
86
73
|
};
|
@@ -629,7 +616,7 @@ static VALUE
|
|
629
616
|
ssl_encode_npn_protocols(VALUE protocols)
|
630
617
|
{
|
631
618
|
VALUE encoded = rb_str_new(NULL, 0);
|
632
|
-
|
619
|
+
rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
|
633
620
|
return encoded;
|
634
621
|
}
|
635
622
|
|
@@ -699,7 +686,7 @@ static int
|
|
699
686
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
700
687
|
void *arg)
|
701
688
|
{
|
702
|
-
VALUE protocols =
|
689
|
+
VALUE protocols = (VALUE)arg;
|
703
690
|
|
704
691
|
*out = (const unsigned char *) RSTRING_PTR(protocols);
|
705
692
|
*outlen = RSTRING_LENINT(protocols);
|
@@ -830,6 +817,10 @@ ossl_sslctx_setup(VALUE self)
|
|
830
817
|
}
|
831
818
|
#endif /* OPENSSL_NO_EC */
|
832
819
|
|
820
|
+
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
821
|
+
SSL_CTX_set_post_handshake_auth(ctx, 1);
|
822
|
+
#endif
|
823
|
+
|
833
824
|
val = rb_attr_get(self, id_i_cert_store);
|
834
825
|
if (!NIL_P(val)) {
|
835
826
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
@@ -917,7 +908,7 @@ ossl_sslctx_setup(VALUE self)
|
|
917
908
|
if (!NIL_P(val)) {
|
918
909
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
919
910
|
rb_ivar_set(self, id_npn_protocols_encoded, encoded);
|
920
|
-
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)
|
911
|
+
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
|
921
912
|
OSSL_Debug("SSL NPN advertise callback added");
|
922
913
|
}
|
923
914
|
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
|
@@ -1535,14 +1526,6 @@ ssl_started(SSL *ssl)
|
|
1535
1526
|
return SSL_get_fd(ssl) >= 0;
|
1536
1527
|
}
|
1537
1528
|
|
1538
|
-
static void
|
1539
|
-
ossl_ssl_mark(void *ptr)
|
1540
|
-
{
|
1541
|
-
SSL *ssl = ptr;
|
1542
|
-
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
|
1543
|
-
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
|
1544
|
-
}
|
1545
|
-
|
1546
1529
|
static void
|
1547
1530
|
ossl_ssl_free(void *ssl)
|
1548
1531
|
{
|
@@ -1552,7 +1535,7 @@ ossl_ssl_free(void *ssl)
|
|
1552
1535
|
const rb_data_type_t ossl_ssl_type = {
|
1553
1536
|
"OpenSSL/SSL",
|
1554
1537
|
{
|
1555
|
-
|
1538
|
+
0, ossl_ssl_free,
|
1556
1539
|
},
|
1557
1540
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
1558
1541
|
};
|
@@ -1708,11 +1691,6 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1708
1691
|
rb_io_wait_readable(fptr->fd);
|
1709
1692
|
continue;
|
1710
1693
|
case SSL_ERROR_SYSCALL:
|
1711
|
-
#ifdef __APPLE__
|
1712
|
-
/* See ossl_ssl_write_internal() */
|
1713
|
-
if (errno == EPROTOTYPE)
|
1714
|
-
continue;
|
1715
|
-
#endif
|
1716
1694
|
if (errno) rb_sys_fail(funcname);
|
1717
1695
|
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
|
1718
1696
|
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
|
@@ -1869,36 +1847,26 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1869
1847
|
io = rb_attr_get(self, id_i_io);
|
1870
1848
|
GetOpenFile(io, fptr);
|
1871
1849
|
if (ssl_started(ssl)) {
|
1872
|
-
|
1873
|
-
for (;;) {
|
1850
|
+
for (;;){
|
1874
1851
|
nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
|
1875
1852
|
switch(ssl_get_error(ssl, nread)){
|
1876
1853
|
case SSL_ERROR_NONE:
|
1877
|
-
rb_str_unlocktmp(str);
|
1878
1854
|
goto end;
|
1879
1855
|
case SSL_ERROR_ZERO_RETURN:
|
1880
|
-
rb_str_unlocktmp(str);
|
1881
1856
|
if (no_exception_p(opts)) { return Qnil; }
|
1882
1857
|
rb_eof_error();
|
1883
1858
|
case SSL_ERROR_WANT_WRITE:
|
1884
|
-
|
1885
|
-
|
1886
|
-
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1887
|
-
write_would_block(nonblock);
|
1888
|
-
}
|
1859
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1860
|
+
write_would_block(nonblock);
|
1889
1861
|
rb_io_wait_writable(fptr->fd);
|
1890
1862
|
continue;
|
1891
1863
|
case SSL_ERROR_WANT_READ:
|
1892
|
-
|
1893
|
-
|
1894
|
-
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1895
|
-
read_would_block(nonblock);
|
1896
|
-
}
|
1864
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1865
|
+
read_would_block(nonblock);
|
1897
1866
|
rb_io_wait_readable(fptr->fd);
|
1898
1867
|
continue;
|
1899
1868
|
case SSL_ERROR_SYSCALL:
|
1900
1869
|
if (!ERR_peek_error()) {
|
1901
|
-
rb_str_unlocktmp(str);
|
1902
1870
|
if (errno)
|
1903
1871
|
rb_sys_fail(0);
|
1904
1872
|
else {
|
@@ -1915,7 +1883,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1915
1883
|
}
|
1916
1884
|
/* fall through */
|
1917
1885
|
default:
|
1918
|
-
rb_str_unlocktmp(str);
|
1919
1886
|
ossl_raise(eSSLError, "SSL_read");
|
1920
1887
|
}
|
1921
1888
|
}
|
@@ -1986,21 +1953,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1986
1953
|
int nwrite = 0;
|
1987
1954
|
rb_io_t *fptr;
|
1988
1955
|
int nonblock = opts != Qfalse;
|
1989
|
-
VALUE
|
1956
|
+
VALUE io;
|
1990
1957
|
|
1991
|
-
|
1958
|
+
StringValue(str);
|
1992
1959
|
GetSSL(self, ssl);
|
1993
1960
|
io = rb_attr_get(self, id_i_io);
|
1994
1961
|
GetOpenFile(io, fptr);
|
1995
1962
|
if (ssl_started(ssl)) {
|
1996
|
-
for (;;)
|
1997
|
-
int num = RSTRING_LENINT(
|
1963
|
+
for (;;){
|
1964
|
+
int num = RSTRING_LENINT(str);
|
1998
1965
|
|
1999
1966
|
/* SSL_write(3ssl) manpage states num == 0 is undefined */
|
2000
1967
|
if (num == 0)
|
2001
1968
|
goto end;
|
2002
1969
|
|
2003
|
-
nwrite = SSL_write(ssl, RSTRING_PTR(
|
1970
|
+
nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
|
2004
1971
|
switch(ssl_get_error(ssl, nwrite)){
|
2005
1972
|
case SSL_ERROR_NONE:
|
2006
1973
|
goto end;
|
@@ -2015,16 +1982,6 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
2015
1982
|
rb_io_wait_readable(fptr->fd);
|
2016
1983
|
continue;
|
2017
1984
|
case SSL_ERROR_SYSCALL:
|
2018
|
-
#ifdef __APPLE__
|
2019
|
-
/*
|
2020
|
-
* It appears that send syscall can return EPROTOTYPE if the
|
2021
|
-
* socket is being torn down. Retry to get a proper errno to
|
2022
|
-
* make the error handling in line with the socket library.
|
2023
|
-
* [Bug #14713] https://bugs.ruby-lang.org/issues/14713
|
2024
|
-
*/
|
2025
|
-
if (errno == EPROTOTYPE)
|
2026
|
-
continue;
|
2027
|
-
#endif
|
2028
1985
|
if (errno) rb_sys_fail(0);
|
2029
1986
|
default:
|
2030
1987
|
ossl_raise(eSSLError, "SSL_write");
|
@@ -2352,7 +2309,57 @@ ossl_ssl_get_verify_result(VALUE self)
|
|
2352
2309
|
|
2353
2310
|
GetSSL(self, ssl);
|
2354
2311
|
|
2355
|
-
return
|
2312
|
+
return LONG2NUM(SSL_get_verify_result(ssl));
|
2313
|
+
}
|
2314
|
+
|
2315
|
+
/*
|
2316
|
+
* call-seq:
|
2317
|
+
* ssl.finished_message => "finished message"
|
2318
|
+
*
|
2319
|
+
* Returns the last *Finished* message sent
|
2320
|
+
*
|
2321
|
+
*/
|
2322
|
+
static VALUE
|
2323
|
+
ossl_ssl_get_finished(VALUE self)
|
2324
|
+
{
|
2325
|
+
SSL *ssl;
|
2326
|
+
char sizer[1], *buf;
|
2327
|
+
size_t len;
|
2328
|
+
|
2329
|
+
GetSSL(self, ssl);
|
2330
|
+
|
2331
|
+
len = SSL_get_finished(ssl, sizer, 0);
|
2332
|
+
if (len == 0)
|
2333
|
+
return Qnil;
|
2334
|
+
|
2335
|
+
buf = ALLOCA_N(char, len);
|
2336
|
+
SSL_get_finished(ssl, buf, len);
|
2337
|
+
return rb_str_new(buf, len);
|
2338
|
+
}
|
2339
|
+
|
2340
|
+
/*
|
2341
|
+
* call-seq:
|
2342
|
+
* ssl.peer_finished_message => "peer finished message"
|
2343
|
+
*
|
2344
|
+
* Returns the last *Finished* message received
|
2345
|
+
*
|
2346
|
+
*/
|
2347
|
+
static VALUE
|
2348
|
+
ossl_ssl_get_peer_finished(VALUE self)
|
2349
|
+
{
|
2350
|
+
SSL *ssl;
|
2351
|
+
char sizer[1], *buf;
|
2352
|
+
size_t len;
|
2353
|
+
|
2354
|
+
GetSSL(self, ssl);
|
2355
|
+
|
2356
|
+
len = SSL_get_peer_finished(ssl, sizer, 0);
|
2357
|
+
if (len == 0)
|
2358
|
+
return Qnil;
|
2359
|
+
|
2360
|
+
buf = ALLOCA_N(char, len);
|
2361
|
+
SSL_get_peer_finished(ssl, buf, len);
|
2362
|
+
return rb_str_new(buf, len);
|
2356
2363
|
}
|
2357
2364
|
|
2358
2365
|
/*
|
@@ -2677,13 +2684,13 @@ Init_ossl_ssl(void)
|
|
2677
2684
|
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
2678
2685
|
|
2679
2686
|
/*
|
2680
|
-
* A callback invoked whenever a new handshake is initiated
|
2681
|
-
* to disable renegotiation entirely.
|
2687
|
+
* A callback invoked whenever a new handshake is initiated on an
|
2688
|
+
* established connection. May be used to disable renegotiation entirely.
|
2682
2689
|
*
|
2683
2690
|
* The callback is invoked with the active SSLSocket. The callback's
|
2684
|
-
* return value is
|
2691
|
+
* return value is ignored. A normal return indicates "approval" of the
|
2685
2692
|
* renegotiation and will continue the process. To forbid renegotiation
|
2686
|
-
* and to cancel the process, an
|
2693
|
+
* and to cancel the process, raise an exception within the callback.
|
2687
2694
|
*
|
2688
2695
|
* === Disable client renegotiation
|
2689
2696
|
*
|
@@ -2691,10 +2698,8 @@ Init_ossl_ssl(void)
|
|
2691
2698
|
* renegotiation entirely. You may use a callback as follows to implement
|
2692
2699
|
* this feature:
|
2693
2700
|
*
|
2694
|
-
* num_handshakes = 0
|
2695
2701
|
* ctx.renegotiation_cb = lambda do |ssl|
|
2696
|
-
*
|
2697
|
-
* raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
|
2702
|
+
* raise RuntimeError, "Client renegotiation disabled"
|
2698
2703
|
* end
|
2699
2704
|
*/
|
2700
2705
|
rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
|
@@ -2872,6 +2877,8 @@ Init_ossl_ssl(void)
|
|
2872
2877
|
rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
|
2873
2878
|
/* #hostname is defined in lib/openssl/ssl.rb */
|
2874
2879
|
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
|
2880
|
+
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
|
2881
|
+
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
2875
2882
|
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
2876
2883
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
2877
2884
|
# endif
|
@@ -2992,7 +2999,6 @@ Init_ossl_ssl(void)
|
|
2992
2999
|
id_tmp_dh_callback = rb_intern("tmp_dh_callback");
|
2993
3000
|
id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
|
2994
3001
|
id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
|
2995
|
-
id_each = rb_intern_const("each");
|
2996
3002
|
|
2997
3003
|
#define DefIVarID(name) do \
|
2998
3004
|
id_i_##name = rb_intern("@"#name); while (0)
|