openssl 2.1.4 → 2.2.0

data/ext/openssl/ossl_ts.h

@@ -0,0 +1,16 @@
+/*
+ *
+ * Copyright (C) 2010 Martin Bosslet <Martin.Bosslet@googlemail.com>
+ * All rights reserved.
+ */
+/*
+ * This program is licenced under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+
+#if !defined(_OSSL_TS_H_)
+#define _OSSL_TS_H_
+
+void Init_ossl_ts(void);
+
+#endif

data/ext/openssl/ossl_x509cert.c

@@ -788,7 +788,7 @@ Init_ossl_x509cert(void)
      *   root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
      *   root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
      *   root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
-     *   root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   root_ca.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      * The next step is to create the end-entity certificate using the root CA
      * certificate.
@@ -807,7 +807,7 @@ Init_ossl_x509cert(void)
      *   ef.issuer_certificate = root_ca
      *   cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
      *   cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
-     *   cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      */
     cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);

data/ext/openssl/ossl_x509ext.c

@@ -402,6 +402,19 @@ ossl_x509ext_get_value(VALUE obj)
     return ret;
 }
 
+static VALUE
+ossl_x509ext_get_value_der(VALUE obj)
+{
+    X509_EXTENSION *ext;
+    ASN1_OCTET_STRING *value;
+
+    GetX509Ext(obj, ext);
+    if ((value = X509_EXTENSION_get_data(ext)) == NULL)
+	ossl_raise(eX509ExtError, NULL);
+
+    return rb_str_new((const char *)value->data, value->length);
+}
+
 static VALUE
 ossl_x509ext_get_critical(VALUE obj)
 {
@@ -472,6 +485,7 @@ Init_ossl_x509ext(void)
     rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
     rb_define_method(cX509Ext, "oid", ossl_x509ext_get_oid, 0);
     rb_define_method(cX509Ext, "value", ossl_x509ext_get_value, 0);
+    rb_define_method(cX509Ext, "value_der", ossl_x509ext_get_value_der, 0);
     rb_define_method(cX509Ext, "critical?", ossl_x509ext_get_critical, 0);
     rb_define_method(cX509Ext, "to_der", ossl_x509ext_to_der, 0);
 }

data/ext/openssl/ossl_x509name.c

@@ -387,17 +387,21 @@ ossl_x509name_cmp0(VALUE self, VALUE other)
 
 /*
  * call-seq:
- *    name.cmp(other) -> -1 | 0 | 1
- *    name <=> other  -> -1 | 0 | 1
+ *    name.cmp(other) -> -1 | 0 | 1 | nil
+ *    name <=> other  -> -1 | 0 | 1 | nil
  *
  * Compares this Name with _other_ and returns +0+ if they are the same and +-1+
  * or ++1+ if they are greater or less than each other respectively.
+ * Returns +nil+ if they are not comparable (i.e. different types).
  */
 static VALUE
 ossl_x509name_cmp(VALUE self, VALUE other)
 {
     int result;
 
+    if (!rb_obj_is_kind_of(other, cX509Name))
+	return Qnil;
+
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
     if (result > 0) return INT2FIX(1);
@@ -494,7 +498,7 @@ ossl_x509name_to_der(VALUE self)
  * You can create a Name by parsing a distinguished name String or by
  * supplying the distinguished name as an Array.
  *
- *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+ *   name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
  *
  *   name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
  */

data/ext/openssl/ossl_x509store.c

@@ -105,13 +105,6 @@ VALUE cX509Store;
 VALUE cX509StoreContext;
 VALUE eX509StoreError;
 
-static void
-ossl_x509store_mark(void *ptr)
-{
-    X509_STORE *store = ptr;
-    rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
-}
-
 static void
 ossl_x509store_free(void *ptr)
 {
@@ -121,7 +114,7 @@ ossl_x509store_free(void *ptr)
 static const rb_data_type_t ossl_x509store_type = {
     "OpenSSL/X509/STORE",
     {
-        ossl_x509store_mark, ossl_x509store_free,
+	0, ossl_x509store_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
@@ -464,15 +457,22 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
 }
 
 /*
- * Private functions
+ * Public Functions
  */
-static void
-ossl_x509stctx_mark(void *ptr)
-{
-    X509_STORE_CTX *ctx = ptr;
-    rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
-}
+static void ossl_x509stctx_free(void*);
+
 
+static const rb_data_type_t ossl_x509stctx_type = {
+    "OpenSSL/X509/STORE_CTX",
+    {
+	0, ossl_x509stctx_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+/*
+ * Private functions
+ */
 static void
 ossl_x509stctx_free(void *ptr)
 {
@@ -484,14 +484,6 @@ ossl_x509stctx_free(void *ptr)
     X509_STORE_CTX_free(ctx);
 }
 
-static const rb_data_type_t ossl_x509stctx_type = {
-    "OpenSSL/X509/STORE_CTX",
-    {
-        ossl_x509stctx_mark, ossl_x509stctx_free,
-    },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
-};
-
 static VALUE
 ossl_x509stctx_alloc(VALUE klass)
 {
@@ -525,9 +517,7 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
 
 /*
  * call-seq:
- *   StoreContext.new(store, cert = nil, untrusted = nil)
- *
- * Sets up a StoreContext for a verification of the X.509 certificate _cert_.
+ *   StoreContext.new(store, cert = nil, chain = nil)
  */
 static VALUE
 ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
@@ -537,24 +527,15 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
     X509_STORE *x509st;
     X509 *x509 = NULL;
     STACK_OF(X509) *x509s = NULL;
-    int state;
 
     rb_scan_args(argc, argv, "12", &store, &cert, &chain);
     GetX509StCtx(self, ctx);
     GetX509Store(store, x509st);
-    if (!NIL_P(cert))
-        x509 = DupX509CertPtr(cert); /* NEED TO DUP */
-    if (!NIL_P(chain)) {
-        x509s = ossl_protect_x509_ary2sk(chain, &state);
-        if (state) {
-            X509_free(x509);
-            rb_jump_tag(state);
-        }
-    }
-    if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
-        X509_free(x509);
+    if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
+    if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
+    if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
         sk_X509_pop_free(x509s, X509_free);
-        ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
+        ossl_raise(eX509StoreError, NULL);
     }
     if (!NIL_P(t = rb_iv_get(store, "@time")))
 	ossl_x509stctx_set_time(self, t);

data/lib/openssl/bn.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 #
 # = Ruby-space definitions that completes C-space funcs for BN

data/lib/openssl/buffering.rb

@@ -1,5 +1,5 @@
 # coding: binary
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 #= Info
 #  'OpenSSL for Ruby 2' project
@@ -22,6 +22,29 @@
 module OpenSSL::Buffering
   include Enumerable
 
+  # A buffer which will retain binary encoding.
+  class Buffer < String
+    BINARY = Encoding::BINARY
+
+    def initialize
+      super
+
+      force_encoding(BINARY)
+    end
+    
+    def << string
+      if string.encoding == BINARY
+        super(string)
+      else
+        super(string.b)
+      end
+
+      return self
+    end
+
+    alias concat <<
+  end
+
   ##
   # The "sync mode" of the SSLSocket.
   #
@@ -40,7 +63,7 @@ module OpenSSL::Buffering
   def initialize(*)
     super
     @eof = false
-    @rbuffer = ""
+    @rbuffer = Buffer.new
     @sync = @io.sync
   end
 
@@ -312,7 +335,7 @@ module OpenSSL::Buffering
   # buffer is flushed to the underlying socket.
 
   def do_write(s)
-    @wbuffer = "" unless defined? @wbuffer
+    @wbuffer = Buffer.new unless defined? @wbuffer
     @wbuffer << s
     @wbuffer.force_encoding(Encoding::BINARY)
     @sync ||= false
@@ -398,7 +421,7 @@ module OpenSSL::Buffering
   # See IO#puts for full details.
 
   def puts(*args)
-    s = ""
+    s = Buffer.new
     if args.empty?
       s << "\n"
     end
@@ -416,7 +439,7 @@ module OpenSSL::Buffering
   # See IO#print for full details.
 
   def print(*args)
-    s = ""
+    s = Buffer.new
     args.each{ |arg| s << arg.to_s }
     do_write(s)
     nil

data/lib/openssl/cipher.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space predefined Cipher subclasses
 #

data/lib/openssl/config.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Ruby-space definitions that completes C-space funcs for Config
 
@@ -37,7 +37,7 @@ module OpenSSL
       def parse(string)
         c = new()
         parse_config(StringIO.new(string)).each do |section, hash|
-          c[section] = hash
+          c.set_section(section, hash)
         end
         c
       end
@@ -53,9 +53,8 @@ module OpenSSL
       def parse_config(io)
         begin
           parse_config_lines(io)
-        rescue ConfigError => e
-          e.message.replace("error in line #{io.lineno}: " + e.message)
-          raise
+        rescue => error
+          raise ConfigError, "error in line #{io.lineno}: " + error.message
         end
       end
 
@@ -267,7 +266,7 @@ module OpenSSL
       if filename
         File.open(filename.to_s) do |file|
           Config.parse_config(file).each do |section, hash|
-            self[section] = hash
+            set_section(section, hash)
           end
         end
       end
@@ -316,6 +315,8 @@ module OpenSSL
     end
 
     ##
+    # *Deprecated in v2.2.0*. This method will be removed in a future release.
+    #
     # Set the target _key_ with a given _value_ under a specific _section_.
     #
     # Given the following configurating file being loaded:
@@ -370,6 +371,8 @@ module OpenSSL
     end
 
     ##
+    # *Deprecated in v2.2.0*. This method will be removed in a future release.
+    #
     # Sets a specific _section_ name with a Hash _pairs_.
     #
     # Given the following configuration being created:
@@ -395,9 +398,13 @@ module OpenSSL
     #
     def []=(section, pairs)
       check_modify
-      @data[section] ||= {}
+      set_section(section, pairs)
+    end
+
+    def set_section(section, pairs) # :nodoc:
+      hash = @data[section] ||= {}
       pairs.each do |key, value|
-        self.add_value(section, key, value)
+        hash[key] = value
       end
     end
 
@@ -482,6 +489,8 @@ module OpenSSL
     end
 
     def check_modify
+      warn "#{caller(2, 1)[0]}: warning: do not modify OpenSSL::Config; this " \
+        "method is deprecated and will be removed in a future release."
       raise TypeError.new("Insecure: can't modify OpenSSL config") if frozen?
     end
 

data/lib/openssl/digest.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space predefined Digest subclasses
 #
@@ -15,11 +15,6 @@
 module OpenSSL
   class Digest
 
-    alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
-    if OPENSSL_VERSION_NUMBER < 0x10100000
-      alg += %w(DSS DSS1 SHA)
-    end
-
     # Return the hash value computed with _name_ Digest. _name_ is either the
     # long name or short name of a supported digest algorithm.
     #
@@ -29,23 +24,26 @@ module OpenSSL
     #
     # which is equivalent to:
     #
-    #   OpenSSL::Digest::SHA256.digest("abc")
+    #   OpenSSL::Digest.digest('SHA256', "abc")
 
     def self.digest(name, data)
       super(data, name)
     end
 
-    alg.each{|name|
+    %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512).each do |name|
       klass = Class.new(self) {
         define_method(:initialize, ->(data = nil) {super(name, data)})
       }
+
       singleton = (class << klass; self; end)
+
       singleton.class_eval{
-        define_method(:digest){|data| new.digest(data) }
-        define_method(:hexdigest){|data| new.hexdigest(data) }
+        define_method(:digest) {|data| new.digest(data)}
+        define_method(:hexdigest) {|data| new.hexdigest(data)}
       }
-      const_set(name, klass)
-    }
+
+      const_set(name.tr('-', '_'), klass)
+    end
 
     # Deprecated.
     #

data/lib/openssl/hmac.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module OpenSSL
+  class HMAC
+    # Securely compare with another HMAC instance in constant time.
+    def ==(other)
+      return false unless HMAC === other
+      return false unless self.digest.bytesize == other.digest.bytesize
+
+      OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
+    end
+  end
+end

data/lib/openssl/marshal.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+#--
+# = Ruby-space definitions to add DER (de)serialization to classes
+#
+# = Info
+# 'OpenSSL for Ruby 2' project
+# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+# All rights reserved.
+#
+# = Licence
+# This program is licensed under the same licence as Ruby.
+# (See the file 'LICENCE'.)
+#++
+module OpenSSL
+  module Marshal
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def _load(string)
+        new(string)
+      end
+    end
+
+    def _dump(_level)
+      to_der
+    end
+  end
+end

data/lib/openssl/pkcs5.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # Ruby/OpenSSL Project
 # Copyright (C) 2017 Ruby/OpenSSL Project Authors

data/lib/openssl/pkey.rb

@@ -1,11 +1,24 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # Ruby/OpenSSL Project
 # Copyright (C) 2017 Ruby/OpenSSL Project Authors
 #++
 
+require_relative 'marshal'
+
 module OpenSSL::PKey
+  class DH
+    include OpenSSL::Marshal
+  end
+
+  class DSA
+    include OpenSSL::Marshal
+  end
+
   if defined?(EC)
+  class EC
+    include OpenSSL::Marshal
+  end
   class EC::Point
     # :call-seq:
     #    point.to_bn([conversion_form]) -> OpenSSL::BN
@@ -22,4 +35,8 @@ module OpenSSL::PKey
     end
   end
   end
+
+  class RSA
+    include OpenSSL::Marshal
+  end
 end

data/lib/openssl/ssl.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Info
   'OpenSSL for Ruby 2' project
@@ -13,6 +13,7 @@
 require "openssl/buffering"
 require "io/nonblock"
 require "ipaddr"
+require "socket"
 
 module OpenSSL
   module SSL
@@ -231,6 +232,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
     end
 
     module SocketForwarder
+      # The file descriptor for the socket.
+      def fileno
+        to_io.fileno
+      end
+      
       def addr
         to_io.addr
       end
@@ -435,6 +441,38 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
       def session_get_cb
         @context.session_get_cb
       end
+
+      class << self
+
+        # call-seq:
+        #   open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
+        #
+        # Creates a new instance of SSLSocket.
+        # _remote\_host_ and _remote\_port_ are used to open TCPSocket.
+        # If _local\_host_ and _local\_port_ are specified,
+        # then those parameters are used on the local end to establish the connection.
+        # If _context_ is provided,
+        # the SSL Sockets initial params will be taken from the context.
+        #
+        # === Examples
+        #
+        #   sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
+        #   sock.connect # Initiates a connection to localhost:443
+        #
+        # with SSLContext:
+        #
+        #   ctx = OpenSSL::SSL::SSLContext.new
+        #   sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
+        #   sock.connect # Initiates a connection to localhost:443 with SSLContext
+        def open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
+          sock = ::TCPSocket.open(remote_host, remote_port, local_host, local_port)
+          if context.nil?
+            return OpenSSL::SSL::SSLSocket.new(sock)
+          else
+            return OpenSSL::SSL::SSLSocket.new(sock, context)
+          end
+        end
+      end
     end
 
     ##
@@ -465,7 +503,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
       end
 
       # See TCPServer#listen for details.
-      def listen(backlog=5)
+      def listen(backlog=Socket::SOMAXCONN)
         @svr.listen(backlog)
       end
 

data/lib/openssl/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module OpenSSL
+  VERSION = "2.2.0"
+end