openssl 2.1.4 → 2.2.2

data/ext/openssl/ossl_ts.h

@@ -0,0 +1,16 @@
+/*
+ *
+ * Copyright (C) 2010 Martin Bosslet <Martin.Bosslet@googlemail.com>
+ * All rights reserved.
+ */
+/*
+ * This program is licenced under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+
+#if !defined(_OSSL_TS_H_)
+#define _OSSL_TS_H_
+
+void Init_ossl_ts(void);
+
+#endif

data/ext/openssl/ossl_x509cert.c

@@ -788,7 +788,7 @@ Init_ossl_x509cert(void)
      *   root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
      *   root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
      *   root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
-     *   root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   root_ca.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      * The next step is to create the end-entity certificate using the root CA
      * certificate.
@@ -807,7 +807,7 @@ Init_ossl_x509cert(void)
      *   ef.issuer_certificate = root_ca
      *   cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
      *   cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
-     *   cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+     *   cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
      *
      */
     cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);

data/ext/openssl/ossl_x509ext.c

@@ -402,6 +402,19 @@ ossl_x509ext_get_value(VALUE obj)
     return ret;
 }
 
+static VALUE
+ossl_x509ext_get_value_der(VALUE obj)
+{
+    X509_EXTENSION *ext;
+    ASN1_OCTET_STRING *value;
+
+    GetX509Ext(obj, ext);
+    if ((value = X509_EXTENSION_get_data(ext)) == NULL)
+	ossl_raise(eX509ExtError, NULL);
+
+    return rb_str_new((const char *)value->data, value->length);
+}
+
 static VALUE
 ossl_x509ext_get_critical(VALUE obj)
 {
@@ -472,6 +485,7 @@ Init_ossl_x509ext(void)
     rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
     rb_define_method(cX509Ext, "oid", ossl_x509ext_get_oid, 0);
     rb_define_method(cX509Ext, "value", ossl_x509ext_get_value, 0);
+    rb_define_method(cX509Ext, "value_der", ossl_x509ext_get_value_der, 0);
     rb_define_method(cX509Ext, "critical?", ossl_x509ext_get_critical, 0);
     rb_define_method(cX509Ext, "to_der", ossl_x509ext_to_der, 0);
 }

data/ext/openssl/ossl_x509name.c

@@ -387,17 +387,21 @@ ossl_x509name_cmp0(VALUE self, VALUE other)
 
 /*
  * call-seq:
- *    name.cmp(other) -> -1 | 0 | 1
- *    name <=> other  -> -1 | 0 | 1
+ *    name.cmp(other) -> -1 | 0 | 1 | nil
+ *    name <=> other  -> -1 | 0 | 1 | nil
  *
  * Compares this Name with _other_ and returns +0+ if they are the same and +-1+
  * or ++1+ if they are greater or less than each other respectively.
+ * Returns +nil+ if they are not comparable (i.e. different types).
  */
 static VALUE
 ossl_x509name_cmp(VALUE self, VALUE other)
 {
     int result;
 
+    if (!rb_obj_is_kind_of(other, cX509Name))
+	return Qnil;
+
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
     if (result > 0) return INT2FIX(1);
@@ -494,7 +498,7 @@ ossl_x509name_to_der(VALUE self)
  * You can create a Name by parsing a distinguished name String or by
  * supplying the distinguished name as an Array.
  *
- *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+ *   name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
  *
  *   name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
  */

data/lib/openssl/bn.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 #
 # = Ruby-space definitions that completes C-space funcs for BN

data/lib/openssl/buffering.rb

@@ -1,5 +1,5 @@
 # coding: binary
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 #= Info
 #  'OpenSSL for Ruby 2' project
@@ -22,6 +22,29 @@
 module OpenSSL::Buffering
   include Enumerable
 
+  # A buffer which will retain binary encoding.
+  class Buffer < String
+    BINARY = Encoding::BINARY
+
+    def initialize
+      super
+
+      force_encoding(BINARY)
+    end
+
+    def << string
+      if string.encoding == BINARY
+        super(string)
+      else
+        super(string.b)
+      end
+
+      return self
+    end
+
+    alias concat <<
+  end
+
   ##
   # The "sync mode" of the SSLSocket.
   #
@@ -40,7 +63,7 @@ module OpenSSL::Buffering
   def initialize(*)
     super
     @eof = false
-    @rbuffer = ""
+    @rbuffer = Buffer.new
     @sync = @io.sync
   end
 
@@ -312,7 +335,7 @@ module OpenSSL::Buffering
   # buffer is flushed to the underlying socket.
 
   def do_write(s)
-    @wbuffer = "" unless defined? @wbuffer
+    @wbuffer = Buffer.new unless defined? @wbuffer
     @wbuffer << s
     @wbuffer.force_encoding(Encoding::BINARY)
     @sync ||= false
@@ -398,7 +421,7 @@ module OpenSSL::Buffering
   # See IO#puts for full details.
 
   def puts(*args)
-    s = ""
+    s = Buffer.new
     if args.empty?
       s << "\n"
     end
@@ -416,7 +439,7 @@ module OpenSSL::Buffering
   # See IO#print for full details.
 
   def print(*args)
-    s = ""
+    s = Buffer.new
     args.each{ |arg| s << arg.to_s }
     do_write(s)
     nil

data/lib/openssl/cipher.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space predefined Cipher subclasses
 #

data/lib/openssl/config.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Ruby-space definitions that completes C-space funcs for Config
 
@@ -37,7 +37,7 @@ module OpenSSL
       def parse(string)
         c = new()
         parse_config(StringIO.new(string)).each do |section, hash|
-          c[section] = hash
+          c.set_section(section, hash)
         end
         c
       end
@@ -53,9 +53,8 @@ module OpenSSL
       def parse_config(io)
         begin
           parse_config_lines(io)
-        rescue ConfigError => e
-          e.message.replace("error in line #{io.lineno}: " + e.message)
-          raise
+        rescue => error
+          raise ConfigError, "error in line #{io.lineno}: " + error.message
         end
       end
 
@@ -267,7 +266,7 @@ module OpenSSL
       if filename
         File.open(filename.to_s) do |file|
           Config.parse_config(file).each do |section, hash|
-            self[section] = hash
+            set_section(section, hash)
           end
         end
       end
@@ -316,6 +315,8 @@ module OpenSSL
     end
 
     ##
+    # *Deprecated in v2.2.0*. This method will be removed in a future release.
+    #
     # Set the target _key_ with a given _value_ under a specific _section_.
     #
     # Given the following configurating file being loaded:
@@ -370,6 +371,8 @@ module OpenSSL
     end
 
     ##
+    # *Deprecated in v2.2.0*. This method will be removed in a future release.
+    #
     # Sets a specific _section_ name with a Hash _pairs_.
     #
     # Given the following configuration being created:
@@ -395,9 +398,13 @@ module OpenSSL
     #
     def []=(section, pairs)
       check_modify
-      @data[section] ||= {}
+      set_section(section, pairs)
+    end
+
+    def set_section(section, pairs) # :nodoc:
+      hash = @data[section] ||= {}
       pairs.each do |key, value|
-        self.add_value(section, key, value)
+        hash[key] = value
       end
     end
 
@@ -482,6 +489,8 @@ module OpenSSL
     end
 
     def check_modify
+      warn "#{caller(2, 1)[0]}: warning: do not modify OpenSSL::Config; this " \
+        "method is deprecated and will be removed in a future release."
       raise TypeError.new("Insecure: can't modify OpenSSL config") if frozen?
     end
 

data/lib/openssl/digest.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space predefined Digest subclasses
 #
@@ -15,11 +15,6 @@
 module OpenSSL
   class Digest
 
-    alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
-    if OPENSSL_VERSION_NUMBER < 0x10100000
-      alg += %w(DSS DSS1 SHA)
-    end
-
     # Return the hash value computed with _name_ Digest. _name_ is either the
     # long name or short name of a supported digest algorithm.
     #
@@ -29,23 +24,26 @@ module OpenSSL
     #
     # which is equivalent to:
     #
-    #   OpenSSL::Digest::SHA256.digest("abc")
+    #   OpenSSL::Digest.digest('SHA256', "abc")
 
     def self.digest(name, data)
       super(data, name)
     end
 
-    alg.each{|name|
+    %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512).each do |name|
       klass = Class.new(self) {
         define_method(:initialize, ->(data = nil) {super(name, data)})
       }
+
       singleton = (class << klass; self; end)
+
       singleton.class_eval{
-        define_method(:digest){|data| new.digest(data) }
-        define_method(:hexdigest){|data| new.hexdigest(data) }
+        define_method(:digest) {|data| new.digest(data)}
+        define_method(:hexdigest) {|data| new.hexdigest(data)}
       }
-      const_set(name, klass)
-    }
+
+      const_set(name.tr('-', '_'), klass)
+    end
 
     # Deprecated.
     #

data/lib/openssl/hmac.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module OpenSSL
+  class HMAC
+    # Securely compare with another HMAC instance in constant time.
+    def ==(other)
+      return false unless HMAC === other
+      return false unless self.digest.bytesize == other.digest.bytesize
+
+      OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
+    end
+  end
+end

data/lib/openssl/marshal.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+#--
+# = Ruby-space definitions to add DER (de)serialization to classes
+#
+# = Info
+# 'OpenSSL for Ruby 2' project
+# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+# All rights reserved.
+#
+# = Licence
+# This program is licensed under the same licence as Ruby.
+# (See the file 'LICENCE'.)
+#++
+module OpenSSL
+  module Marshal
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def _load(string)
+        new(string)
+      end
+    end
+
+    def _dump(_level)
+      to_der
+    end
+  end
+end

data/lib/openssl/pkcs5.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # Ruby/OpenSSL Project
 # Copyright (C) 2017 Ruby/OpenSSL Project Authors

data/lib/openssl/pkey.rb

@@ -1,11 +1,24 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # Ruby/OpenSSL Project
 # Copyright (C) 2017 Ruby/OpenSSL Project Authors
 #++
 
+require_relative 'marshal'
+
 module OpenSSL::PKey
+  class DH
+    include OpenSSL::Marshal
+  end
+
+  class DSA
+    include OpenSSL::Marshal
+  end
+
   if defined?(EC)
+  class EC
+    include OpenSSL::Marshal
+  end
   class EC::Point
     # :call-seq:
     #    point.to_bn([conversion_form]) -> OpenSSL::BN
@@ -22,4 +35,8 @@ module OpenSSL::PKey
     end
   end
   end
+
+  class RSA
+    include OpenSSL::Marshal
+  end
 end

data/lib/openssl/ssl.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Info
   'OpenSSL for Ruby 2' project
@@ -13,6 +13,7 @@
 require "openssl/buffering"
 require "io/nonblock"
 require "ipaddr"
+require "socket"
 
 module OpenSSL
   module SSL
@@ -231,6 +232,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
     end
 
     module SocketForwarder
+      # The file descriptor for the socket.
+      def fileno
+        to_io.fileno
+      end
+
       def addr
         to_io.addr
       end
@@ -435,6 +441,38 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
       def session_get_cb
         @context.session_get_cb
       end
+
+      class << self
+
+        # call-seq:
+        #   open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
+        #
+        # Creates a new instance of SSLSocket.
+        # _remote\_host_ and _remote\_port_ are used to open TCPSocket.
+        # If _local\_host_ and _local\_port_ are specified,
+        # then those parameters are used on the local end to establish the connection.
+        # If _context_ is provided,
+        # the SSL Sockets initial params will be taken from the context.
+        #
+        # === Examples
+        #
+        #   sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
+        #   sock.connect # Initiates a connection to localhost:443
+        #
+        # with SSLContext:
+        #
+        #   ctx = OpenSSL::SSL::SSLContext.new
+        #   sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
+        #   sock.connect # Initiates a connection to localhost:443 with SSLContext
+        def open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
+          sock = ::TCPSocket.open(remote_host, remote_port, local_host, local_port)
+          if context.nil?
+            return OpenSSL::SSL::SSLSocket.new(sock)
+          else
+            return OpenSSL::SSL::SSLSocket.new(sock, context)
+          end
+        end
+      end
     end
 
     ##
@@ -465,7 +503,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
       end
 
       # See TCPServer#listen for details.
-      def listen(backlog=5)
+      def listen(backlog=Socket::SOMAXCONN)
         @svr.listen(backlog)
       end
 

data/lib/openssl/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module OpenSSL
+  VERSION = "2.2.2"
+end

data/lib/openssl/x509.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 #--
 # = Ruby-space definitions that completes C-space funcs for X509 and subclasses
 #
@@ -12,6 +12,8 @@
 # (See the file 'LICENCE'.)
 #++
 
+require_relative 'marshal'
+
 module OpenSSL
   module X509
     class ExtensionFactory
@@ -41,6 +43,8 @@ module OpenSSL
     end
 
     class Extension
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Extension === other
         to_der == other.to_der
@@ -60,9 +64,146 @@ module OpenSSL
       def to_a
         [ self.oid, self.value, self.critical? ]
       end
+
+      module Helpers
+        def find_extension(oid)
+          extensions.find { |e| e.oid == oid }
+        end
+      end
+
+      module SubjectKeyIdentifier
+        include Helpers
+
+        # Get the subject's key identifier from the subjectKeyIdentifier
+        # exteension, as described in RFC5280 Section 4.2.1.2.
+        #
+        # Returns the binary String key identifier or nil or raises
+        # ASN1::ASN1Error.
+        def subject_key_identifier
+          ext = find_extension("subjectKeyIdentifier")
+          return nil if ext.nil?
+
+          ski_asn1 = ASN1.decode(ext.value_der)
+          if ext.critical? || ski_asn1.tag_class != :UNIVERSAL || ski_asn1.tag != ASN1::OCTET_STRING
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          ski_asn1.value
+        end
+      end
+
+      module AuthorityKeyIdentifier
+        include Helpers
+
+        # Get the issuing certificate's key identifier from the
+        # authorityKeyIdentifier extension, as described in RFC5280
+        # Section 4.2.1.1
+        #
+        # Returns the binary String keyIdentifier or nil or raises
+        # ASN1::ASN1Error.
+        def authority_key_identifier
+          ext = find_extension("authorityKeyIdentifier")
+          return nil if ext.nil?
+
+          aki_asn1 = ASN1.decode(ext.value_der)
+          if ext.critical? || aki_asn1.tag_class != :UNIVERSAL || aki_asn1.tag != ASN1::SEQUENCE
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          key_id = aki_asn1.value.find do |v|
+            v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+          end
+
+          key_id.nil? ? nil : key_id.value
+        end
+      end
+
+      module CRLDistributionPoints
+        include Helpers
+
+        # Get the distributionPoint fullName URI from the certificate's CRL
+        # distribution points extension, as described in RFC5280 Section
+        # 4.2.1.13
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def crl_uris
+          ext = find_extension("crlDistributionPoints")
+          return nil if ext.nil?
+
+          cdp_asn1 = ASN1.decode(ext.value_der)
+          if cdp_asn1.tag_class != :UNIVERSAL || cdp_asn1.tag != ASN1::SEQUENCE
+            raise ASN1::ASN1Error, "invalid extension"
+          end
+
+          crl_uris = cdp_asn1.map do |crl_distribution_point|
+            distribution_point = crl_distribution_point.value.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+            end
+            full_name = distribution_point&.value&.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
+            end
+            full_name&.value&.find do |v|
+              v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
+            end
+          end
+
+          crl_uris&.map(&:value)
+        end
+      end
+
+      module AuthorityInfoAccess
+        include Helpers
+
+        # Get the information and services for the issuer from the certificate's
+        # authority information access extension exteension, as described in RFC5280
+        # Section 4.2.2.1.
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def ca_issuer_uris
+          aia_asn1 = parse_aia_asn1
+          return nil if aia_asn1.nil?
+
+          ca_issuer = aia_asn1.value.select do |authority_info_access|
+            authority_info_access.value.first.value == "caIssuers"
+          end
+
+          ca_issuer&.map(&:value)&.map(&:last)&.map(&:value)
+        end
+
+        # Get the URIs for OCSP from the certificate's authority information access
+        # extension exteension, as described in RFC5280 Section 4.2.2.1.
+        #
+        # Returns an array of strings or nil or raises ASN1::ASN1Error.
+        def ocsp_uris
+          aia_asn1 = parse_aia_asn1
+          return nil if aia_asn1.nil?
+
+          ocsp = aia_asn1.value.select do |authority_info_access|
+            authority_info_access.value.first.value == "OCSP"
+          end
+
+          ocsp&.map(&:value)&.map(&:last)&.map(&:value)
+        end
+
+        private
+
+          def parse_aia_asn1
+            ext = find_extension("authorityInfoAccess")
+            return nil if ext.nil?
+
+            aia_asn1 = ASN1.decode(ext.value_der)
+            if ext.critical? || aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
+              raise ASN1::ASN1Error, "invalid extension"
+            end
+
+            aia_asn1
+          end
+      end
     end
 
     class Name
+      include OpenSSL::Marshal
+
       module RFC2253DN
         Special = ',=+<>#;'
         HexChar = /[0-9a-fA-F]/
@@ -166,6 +307,8 @@ module OpenSSL
     end
 
     class Attribute
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Attribute === other
         to_der == other.to_der
@@ -179,6 +322,12 @@ module OpenSSL
     end
 
     class Certificate
+      include OpenSSL::Marshal
+      include Extension::SubjectKeyIdentifier
+      include Extension::AuthorityKeyIdentifier
+      include Extension::CRLDistributionPoints
+      include Extension::AuthorityInfoAccess
+
       def pretty_print(q)
         q.object_group(self) {
           q.breakable
@@ -192,6 +341,9 @@ module OpenSSL
     end
 
     class CRL
+      include OpenSSL::Marshal
+      include Extension::AuthorityKeyIdentifier
+
       def ==(other)
         return false unless CRL === other
         to_der == other.to_der
@@ -206,6 +358,8 @@ module OpenSSL
     end
 
     class Request
+      include OpenSSL::Marshal
+
       def ==(other)
         return false unless Request === other
         to_der == other.to_der