openssl 2.2.0 → 2.2.3

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6f52e266d6038d1d7173a58d9ad72207e7d492da086ef0ecf9484a8b1cac5156
4
- data.tar.gz: ca3211e0c3887311a9d0ac997c864e0cdd54fc0c7510d04c2497c9c99b97fd0c
3
+ metadata.gz: f857af7f016a99c4fa63e230d6d600b9fe1218bbd9db4b48a4d199e238d88d54
4
+ data.tar.gz: f0a5d84c663e4bbf75ffee3f307e2fb8c2cad5ccddb10ce1a72717b7cd7c5b43
5
5
  SHA512:
6
- metadata.gz: b20ff54093b47c1d1da2f90a41ee1787bcd6a3e14c26f86f4c117d5ec6703364c73df226da5bf357ec6440770b639dd92575e468caeaf38fd8815ef52fb9864f
7
- data.tar.gz: 6f64e438c1cc74cea40674a4d3d5926ecc3ea4a0701dd02514f990fcbcb8c525a364789f832ac649fe65e557522a9df983e5beca5f3476b3ec29f7a82b15f071
6
+ metadata.gz: 6f8c9773928207f07f5f905b826ddc7f2cd5019f6dcba3c3a08e920131646156eeb400b4b8540e509d53d3016a25e7a886ed6410eafda030852aeaa28d511491
7
+ data.tar.gz: 9baeda7c395d5e8b2830f418186a28dbd3a6f8476eee3ba0b3926f7a5aeaa81cd0614138c1d98c41a1a0db3f10b5aabcd6c34ec4700898c6bca28edbbdf9809d
data/History.md CHANGED
@@ -1,3 +1,41 @@
1
+ Version 2.2.3
2
+ =============
3
+
4
+ Bug fixes
5
+ ---------
6
+
7
+ * Fix serveral methods in OpenSSL::PKey::EC::Point attempting to raise an error
8
+ with an incorrect class, which would end up with a TypeError.
9
+ [[GitHub #570]](https://github.com/ruby/openssl/pull/570)
10
+ * Fix OpenSSL::PKey::EC::Point#eql? and OpenSSL::PKey::EC::Group#eql?
11
+ incorrectly treated OpenSSL's internal errors as "not equal".
12
+ [[GitHub #564]](https://github.com/ruby/openssl/pull/564)
13
+ * Fix build with LibreSSL 3.5 or later.
14
+
15
+
16
+ Version 2.2.2
17
+ =============
18
+
19
+ Merged changes in 2.1.4.
20
+
21
+
22
+ Version 2.2.1
23
+ =============
24
+
25
+ Merged changes in 2.1.3. Additionally, the following issues are fixed by this
26
+ release.
27
+
28
+ Bug fixes
29
+ ---------
30
+
31
+ * Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
32
+ invalid arguments are given.
33
+ [[GitHub #407]](https://github.com/ruby/openssl/pull/407)
34
+ * Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
35
+ where `time_t` has a different size from `long`.
36
+ [[GitHub #454]](https://github.com/ruby/openssl/pull/454)
37
+
38
+
1
39
  Version 2.2.0
2
40
  =============
3
41
 
@@ -75,6 +113,52 @@ Notable changes
75
113
  [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
76
114
 
77
115
 
116
+ Version 2.1.4
117
+ =============
118
+
119
+ Bug fixes
120
+ ---------
121
+
122
+ * Do not use pkg-config if --with-openssl-dir option is specified.
123
+ [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
124
+
125
+
126
+ Version 2.1.3
127
+ =============
128
+
129
+ Bug fixes
130
+ ---------
131
+
132
+ * Fix deprecation warnings on Ruby 3.0.
133
+ * Add ".include" directive support in `OpenSSL::Config`.
134
+ [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
135
+ * Fix handling of IPv6 address SANs.
136
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
137
+ * Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
138
+ sets a proper error code.
139
+ [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
140
+ * Fix crash with `OpenSSL::BN.new(nil, 2)`.
141
+ [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
142
+ * `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
143
+ being modified by another thread.
144
+ [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
145
+ * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
146
+ for output.
147
+ * Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
148
+ [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
149
+ * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
150
+ newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
151
+ OpenSSL 3.0 API.
152
+ [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
153
+ * Activate `digest` gem correctly. `digest` library could go into an
154
+ inconsistent state if there are multiple versions of `digest` is installed
155
+ and `openssl` is `require`d before `digest`.
156
+ [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
157
+ * Fix GC.compact compatibility.
158
+ [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
159
+ [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
160
+
161
+
78
162
  Version 2.1.2
79
163
  =============
80
164
 
@@ -13,7 +13,7 @@
13
13
 
14
14
  require "mkmf"
15
15
 
16
- dir_config("openssl")
16
+ dir_config_given = dir_config("openssl").any?
17
17
  dir_config("kerberos")
18
18
 
19
19
  Logging::message "=== OpenSSL for Ruby configurator ===\n"
@@ -33,9 +33,6 @@ if $mswin || $mingw
33
33
  have_library("ws2_32")
34
34
  end
35
35
 
36
- Logging::message "=== Checking for required stuff... ===\n"
37
- result = pkg_config("openssl") && have_header("openssl/ssl.h")
38
-
39
36
  if $mingw
40
37
  append_cflags '-D_FORTIFY_SOURCE=2'
41
38
  append_ldflags '-fstack-protector'
@@ -92,19 +89,33 @@ def find_openssl_library
92
89
  return false
93
90
  end
94
91
 
95
- unless result
96
- unless find_openssl_library
97
- Logging::message "=== Checking for required stuff failed. ===\n"
98
- Logging::message "Makefile wasn't created. Fix the errors above.\n"
99
- raise "OpenSSL library could not be found. You might want to use " \
100
- "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
101
- "is installed."
102
- end
92
+ Logging::message "=== Checking for required stuff... ===\n"
93
+ pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h")
94
+
95
+ if !pkg_config_found && !find_openssl_library
96
+ Logging::message "=== Checking for required stuff failed. ===\n"
97
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
98
+ raise "OpenSSL library could not be found. You might want to use " \
99
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
100
+ "is installed."
101
+ end
102
+
103
+ version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
104
+ is_libressl = true
105
+ checking_for("LibreSSL version >= 2.5.0") {
106
+ try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
107
+ else
108
+ checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
109
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
110
+ !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
111
+ end
112
+ unless version_ok
113
+ raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
103
114
  end
104
115
 
105
- unless checking_for("OpenSSL version is 1.0.1 or later") {
106
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
107
- raise "OpenSSL >= 1.0.1 or LibreSSL is required"
116
+ # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
117
+ if is_libressl && ($mswin || $mingw)
118
+ $defs.push("-DNOCRYPT")
108
119
  end
109
120
 
110
121
  Logging::message "=== Checking for OpenSSL features... ===\n"
@@ -116,10 +127,6 @@ engines.each { |name|
116
127
  have_func("ENGINE_load_#{name}()", "openssl/engine.h")
117
128
  }
118
129
 
119
- if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
120
- $defs.push("-DNOCRYPT")
121
- end
122
-
123
130
  # added in 1.0.2
124
131
  have_func("EC_curve_nist2nid")
125
132
  have_func("X509_REVOKED_dup")
@@ -169,13 +176,16 @@ have_func("SSL_SESSION_get_protocol_version")
169
176
  have_func("TS_STATUS_INFO_get0_status")
170
177
  have_func("TS_STATUS_INFO_get0_text")
171
178
  have_func("TS_STATUS_INFO_get0_failure_info")
172
- have_func("TS_VERIFY_CTS_set_certs")
179
+ have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
173
180
  have_func("TS_VERIFY_CTX_set_store")
174
181
  have_func("TS_VERIFY_CTX_add_flags")
175
182
  have_func("TS_RESP_CTX_set_time_cb")
176
183
  have_func("EVP_PBE_scrypt")
177
184
  have_func("SSL_CTX_set_post_handshake_auth")
178
185
 
186
+ # added in 3.0.0
187
+ have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
188
+
179
189
  Logging::message "=== Checking done. ===\n"
180
190
 
181
191
  create_header
@@ -254,4 +254,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
254
254
  } while (0)
255
255
  #endif
256
256
 
257
+ /* added in 3.0.0 */
258
+ #if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
259
+ # define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
260
+ #endif
261
+
257
262
  #endif /* _OSSL_OPENSSL_MISSING_H_ */
data/ext/openssl/ossl.c CHANGED
@@ -497,8 +497,11 @@ print_mem_leaks(VALUE self)
497
497
  int ret;
498
498
  #endif
499
499
 
500
- BN_CTX_free(ossl_bn_ctx);
501
- ossl_bn_ctx = NULL;
500
+ #ifndef HAVE_RB_EXT_RACTOR_SAFE
501
+ // for Ruby 2.x
502
+ void ossl_bn_ctx_free(void); // ossl_bn.c
503
+ ossl_bn_ctx_free();
504
+ #endif
502
505
 
503
506
  #if OPENSSL_VERSION_NUMBER >= 0x10100000
504
507
  ret = CRYPTO_mem_leaks_fp(stderr);
@@ -1126,6 +1129,10 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
1126
1129
  void
1127
1130
  Init_openssl(void)
1128
1131
  {
1132
+ #if HAVE_RB_EXT_RACTOR_SAFE
1133
+ rb_ext_ractor_safe(true);
1134
+ #endif
1135
+
1129
1136
  #undef rb_intern
1130
1137
  /*
1131
1138
  * Init timezone info
@@ -10,6 +10,10 @@
10
10
  /* modified by Michal Rokos <m.rokos@sh.cvut.cz> */
11
11
  #include "ossl.h"
12
12
 
13
+ #if HAVE_RB_EXT_RACTOR_SAFE
14
+ #include <ruby/ractor.h>
15
+ #endif
16
+
13
17
  #define NewBN(klass) \
14
18
  TypedData_Wrap_Struct((klass), &ossl_bn_type, 0)
15
19
  #define SetBN(obj, bn) do { \
@@ -150,12 +154,58 @@ ossl_bn_value_ptr(volatile VALUE *ptr)
150
154
  /*
151
155
  * Private
152
156
  */
153
- /*
154
- * BN_CTX - is used in more difficult math. ops
155
- * (Why just 1? Because Ruby itself isn't thread safe,
156
- * we don't need to care about threads)
157
- */
158
- BN_CTX *ossl_bn_ctx;
157
+
158
+ #if HAVE_RB_EXT_RACTOR_SAFE
159
+ void
160
+ ossl_bn_ctx_free(void *ptr)
161
+ {
162
+ BN_CTX *ctx = (BN_CTX *)ptr;
163
+ BN_CTX_free(ctx);
164
+ }
165
+
166
+ struct rb_ractor_local_storage_type ossl_bn_ctx_key_type = {
167
+ NULL, // mark
168
+ ossl_bn_ctx_free,
169
+ };
170
+
171
+ rb_ractor_local_key_t ossl_bn_ctx_key;
172
+
173
+ BN_CTX *
174
+ ossl_bn_ctx_get(void)
175
+ {
176
+ // stored in ractor local storage
177
+
178
+ BN_CTX *ctx = rb_ractor_local_storage_ptr(ossl_bn_ctx_key);
179
+ if (!ctx) {
180
+ if (!(ctx = BN_CTX_new())) {
181
+ ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
182
+ }
183
+ rb_ractor_local_storage_ptr_set(ossl_bn_ctx_key, ctx);
184
+ }
185
+ return ctx;
186
+ }
187
+ #else
188
+ // for ruby 2.x
189
+ static BN_CTX *gv_ossl_bn_ctx;
190
+
191
+ BN_CTX *
192
+ ossl_bn_ctx_get(void)
193
+ {
194
+ if (gv_ossl_bn_ctx == NULL) {
195
+ if (!(gv_ossl_bn_ctx = BN_CTX_new())) {
196
+ ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
197
+ }
198
+ }
199
+ return gv_ossl_bn_ctx;
200
+ }
201
+
202
+ void
203
+ ossl_bn_ctx_free(void)
204
+ {
205
+ BN_CTX_free(gv_ossl_bn_ctx);
206
+ gv_ossl_bn_ctx = NULL;
207
+ }
208
+ #endif
159
209
 
160
210
  static VALUE
161
211
  ossl_bn_alloc(VALUE klass)
@@ -403,7 +453,7 @@ ossl_bn_is_negative(VALUE self)
403
453
  if (!(result = BN_new())) { \
404
454
  ossl_raise(eBNError, NULL); \
405
455
  } \
406
- if (!BN_##func(result, bn, ossl_bn_ctx)) { \
456
+ if (BN_##func(result, bn, ossl_bn_ctx) <= 0) { \
407
457
  BN_free(result); \
408
458
  ossl_raise(eBNError, NULL); \
409
459
  } \
@@ -429,7 +479,7 @@ BIGNUM_1c(sqr)
429
479
  if (!(result = BN_new())) { \
430
480
  ossl_raise(eBNError, NULL); \
431
481
  } \
432
- if (!BN_##func(result, bn1, bn2)) { \
482
+ if (BN_##func(result, bn1, bn2) <= 0) { \
433
483
  BN_free(result); \
434
484
  ossl_raise(eBNError, NULL); \
435
485
  } \
@@ -462,7 +512,7 @@ BIGNUM_2(sub)
462
512
  if (!(result = BN_new())) { \
463
513
  ossl_raise(eBNError, NULL); \
464
514
  } \
465
- if (!BN_##func(result, bn1, bn2, ossl_bn_ctx)) { \
515
+ if (BN_##func(result, bn1, bn2, ossl_bn_ctx) <= 0) { \
466
516
  BN_free(result); \
467
517
  ossl_raise(eBNError, NULL); \
468
518
  } \
@@ -506,11 +556,21 @@ BIGNUM_2c(gcd)
506
556
  BIGNUM_2c(mod_sqr)
507
557
 
508
558
  /*
509
- * Document-method: OpenSSL::BN#mod_inverse
510
559
  * call-seq:
511
- * bn.mod_inverse(bn2) => aBN
560
+ * bn.mod_inverse(bn2) => aBN
512
561
  */
513
- BIGNUM_2c(mod_inverse)
562
+ static VALUE
563
+ ossl_bn_mod_inverse(VALUE self, VALUE other)
564
+ {
565
+ BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
566
+ VALUE obj;
567
+ GetBN(self, bn1);
568
+ obj = NewBN(rb_obj_class(self));
569
+ if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
570
+ ossl_raise(eBNError, "BN_mod_inverse");
571
+ SetBN(obj, result);
572
+ return obj;
573
+ }
514
574
 
515
575
  /*
516
576
  * call-seq:
@@ -559,7 +619,7 @@ ossl_bn_div(VALUE self, VALUE other)
559
619
  if (!(result = BN_new())) { \
560
620
  ossl_raise(eBNError, NULL); \
561
621
  } \
562
- if (!BN_##func(result, bn1, bn2, bn3, ossl_bn_ctx)) { \
622
+ if (BN_##func(result, bn1, bn2, bn3, ossl_bn_ctx) <= 0) { \
563
623
  BN_free(result); \
564
624
  ossl_raise(eBNError, NULL); \
565
625
  } \
@@ -601,7 +661,7 @@ BIGNUM_3c(mod_exp)
601
661
  { \
602
662
  BIGNUM *bn; \
603
663
  GetBN(self, bn); \
604
- if (!BN_##func(bn, NUM2INT(bit))) { \
664
+ if (BN_##func(bn, NUM2INT(bit)) <= 0) { \
605
665
  ossl_raise(eBNError, NULL); \
606
666
  } \
607
667
  return self; \
@@ -661,7 +721,7 @@ ossl_bn_is_bit_set(VALUE self, VALUE bit)
661
721
  if (!(result = BN_new())) { \
662
722
  ossl_raise(eBNError, NULL); \
663
723
  } \
664
- if (!BN_##func(result, bn, b)) { \
724
+ if (BN_##func(result, bn, b) <= 0) { \
665
725
  BN_free(result); \
666
726
  ossl_raise(eBNError, NULL); \
667
727
  } \
@@ -691,7 +751,7 @@ BIGNUM_SHIFT(rshift)
691
751
  int b; \
692
752
  b = NUM2INT(bits); \
693
753
  GetBN(self, bn); \
694
- if (!BN_##func(bn, bn, b)) \
754
+ if (BN_##func(bn, bn, b) <= 0) \
695
755
  ossl_raise(eBNError, NULL); \
696
756
  return self; \
697
757
  }
@@ -730,7 +790,7 @@ BIGNUM_SELF_SHIFT(rshift)
730
790
  if (!(result = BN_new())) { \
731
791
  ossl_raise(eBNError, NULL); \
732
792
  } \
733
- if (!BN_##func(result, b, top, bottom)) { \
793
+ if (BN_##func(result, b, top, bottom) <= 0) { \
734
794
  BN_free(result); \
735
795
  ossl_raise(eBNError, NULL); \
736
796
  } \
@@ -759,7 +819,7 @@ BIGNUM_RAND(pseudo_rand)
759
819
  if (!(result = BN_new())) { \
760
820
  ossl_raise(eBNError, NULL); \
761
821
  } \
762
- if (!BN_##func##_range(result, bn)) { \
822
+ if (BN_##func##_range(result, bn) <= 0) { \
763
823
  BN_free(result); \
764
824
  ossl_raise(eBNError, NULL); \
765
825
  } \
@@ -1092,9 +1152,11 @@ Init_ossl_bn(void)
1092
1152
  eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
1093
1153
  #endif
1094
1154
 
1095
- if (!(ossl_bn_ctx = BN_CTX_new())) {
1096
- ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
1097
- }
1155
+ #ifdef HAVE_RB_EXT_RACTOR_SAFE
1156
+ ossl_bn_ctx_key = rb_ractor_local_storage_ptr_newkey(&ossl_bn_ctx_key_type);
1157
+ #else
1158
+ ossl_bn_ctx_get();
1159
+ #endif
1098
1160
 
1099
1161
  eBNError = rb_define_class_under(mOSSL, "BNError", eOSSLError);
1100
1162
 
@@ -13,7 +13,8 @@
13
13
  extern VALUE cBN;
14
14
  extern VALUE eBNError;
15
15
 
16
- extern BN_CTX *ossl_bn_ctx;
16
+ BN_CTX *ossl_bn_ctx_get(void);
17
+ #define ossl_bn_ctx ossl_bn_ctx_get()
17
18
 
18
19
  #define GetBNPtr(obj) ossl_bn_value_ptr(&(obj))
19
20
 
@@ -313,8 +313,6 @@ ossl_digest_block_length(VALUE self)
313
313
  void
314
314
  Init_ossl_digest(void)
315
315
  {
316
- rb_require("digest");
317
-
318
316
  #if 0
319
317
  mOSSL = rb_define_module("OpenSSL");
320
318
  eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
@@ -398,6 +396,12 @@ Init_ossl_digest(void)
398
396
  * digest2 = sha256.digest(data2)
399
397
  *
400
398
  */
399
+
400
+ /*
401
+ * Digest::Class is defined by the digest library. rb_require() cannot be
402
+ * used here because it bypasses RubyGems.
403
+ */
404
+ rb_funcall(Qnil, rb_intern_const("require"), 1, rb_str_new_cstr("digest"));
401
405
  cDigest = rb_define_class_under(mOSSL, "Digest", rb_path2class("Digest::Class"));
402
406
  /* Document-class: OpenSSL::Digest::DigestError
403
407
  *
@@ -1069,7 +1069,8 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
1069
1069
  x509st = GetX509StorePtr(store);
1070
1070
  flg = NIL_P(flags) ? 0 : NUM2INT(flags);
1071
1071
  x509s = ossl_x509_ary2sk(certs);
1072
- #if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
1072
+ #if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || \
1073
+ defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30500000
1073
1074
  /*
1074
1075
  * OpenSSL had a bug that it doesn't use the certificates in x509s for
1075
1076
  * verifying the chain. This can be a problem when the response is signed by
@@ -653,15 +653,15 @@ static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig)
653
653
  StringValue(data);
654
654
  StringValue(sig);
655
655
 
656
- switch (ECDSA_verify(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(sig), (int)RSTRING_LEN(sig), ec)) {
657
- case 1: return Qtrue;
658
- case 0: return Qfalse;
659
- default: break;
656
+ switch (ECDSA_verify(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
657
+ (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), ec)) {
658
+ case 1:
659
+ return Qtrue;
660
+ case 0:
661
+ return Qfalse;
662
+ default:
663
+ ossl_raise(eECError, "ECDSA_verify");
660
664
  }
661
-
662
- ossl_raise(eECError, "ECDSA_verify");
663
-
664
- UNREACHABLE;
665
665
  }
666
666
 
667
667
  /*
@@ -860,10 +860,11 @@ static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
860
860
  GetECGroup(a, group1);
861
861
  GetECGroup(b, group2);
862
862
 
863
- if (EC_GROUP_cmp(group1, group2, ossl_bn_ctx) == 1)
864
- return Qfalse;
865
-
866
- return Qtrue;
863
+ switch (EC_GROUP_cmp(group1, group2, ossl_bn_ctx)) {
864
+ case 0: return Qtrue;
865
+ case 1: return Qfalse;
866
+ default: ossl_raise(eEC_GROUP, "EC_GROUP_cmp");
867
+ }
867
868
  }
868
869
 
869
870
  /*
@@ -1424,10 +1425,13 @@ static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
1424
1425
  GetECPoint(b, point2);
1425
1426
  GetECGroup(group_v1, group);
1426
1427
 
1427
- if (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx) == 1)
1428
- return Qfalse;
1428
+ switch (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx)) {
1429
+ case 0: return Qtrue;
1430
+ case 1: return Qfalse;
1431
+ default: ossl_raise(eEC_POINT, "EC_POINT_cmp");
1432
+ }
1429
1433
 
1430
- return Qtrue;
1434
+ UNREACHABLE;
1431
1435
  }
1432
1436
 
1433
1437
  /*
@@ -1445,7 +1449,7 @@ static VALUE ossl_ec_point_is_at_infinity(VALUE self)
1445
1449
  switch (EC_POINT_is_at_infinity(group, point)) {
1446
1450
  case 1: return Qtrue;
1447
1451
  case 0: return Qfalse;
1448
- default: ossl_raise(cEC_POINT, "EC_POINT_is_at_infinity");
1452
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_at_infinity");
1449
1453
  }
1450
1454
 
1451
1455
  UNREACHABLE;
@@ -1466,7 +1470,7 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
1466
1470
  switch (EC_POINT_is_on_curve(group, point, ossl_bn_ctx)) {
1467
1471
  case 1: return Qtrue;
1468
1472
  case 0: return Qfalse;
1469
- default: ossl_raise(cEC_POINT, "EC_POINT_is_on_curve");
1473
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_on_curve");
1470
1474
  }
1471
1475
 
1472
1476
  UNREACHABLE;
@@ -1485,7 +1489,7 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
1485
1489
  GetECPointGroup(self, group);
1486
1490
 
1487
1491
  if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
1488
- ossl_raise(cEC_POINT, "EC_POINT_make_affine");
1492
+ ossl_raise(eEC_POINT, "EC_POINT_make_affine");
1489
1493
 
1490
1494
  return self;
1491
1495
  }
@@ -1503,7 +1507,7 @@ static VALUE ossl_ec_point_invert(VALUE self)
1503
1507
  GetECPointGroup(self, group);
1504
1508
 
1505
1509
  if (EC_POINT_invert(group, point, ossl_bn_ctx) != 1)
1506
- ossl_raise(cEC_POINT, "EC_POINT_invert");
1510
+ ossl_raise(eEC_POINT, "EC_POINT_invert");
1507
1511
 
1508
1512
  return self;
1509
1513
  }
@@ -1521,7 +1525,7 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
1521
1525
  GetECPointGroup(self, group);
1522
1526
 
1523
1527
  if (EC_POINT_set_to_infinity(group, point) != 1)
1524
- ossl_raise(cEC_POINT, "EC_POINT_set_to_infinity");
1528
+ ossl_raise(eEC_POINT, "EC_POINT_set_to_infinity");
1525
1529
 
1526
1530
  return self;
1527
1531
  }
@@ -13,6 +13,12 @@
13
13
 
14
14
  #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
15
15
 
16
+ #if !defined(TLS1_3_VERSION) && \
17
+ defined(LIBRESSL_VERSION_NUMBER) && \
18
+ LIBRESSL_VERSION_NUMBER >= 0x3020000fL
19
+ # define TLS1_3_VERSION 0x0304
20
+ #endif
21
+
16
22
  #ifdef _WIN32
17
23
  # define TO_SOCKET(s) _get_osfhandle(s)
18
24
  #else
@@ -33,7 +39,7 @@ static VALUE eSSLErrorWaitReadable;
33
39
  static VALUE eSSLErrorWaitWritable;
34
40
 
35
41
  static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
36
- id_npn_protocols_encoded;
42
+ id_npn_protocols_encoded, id_each;
37
43
  static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
38
44
 
39
45
  static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -53,6 +59,13 @@ static int ossl_sslctx_ex_ptr_idx;
53
59
  static int ossl_sslctx_ex_store_p;
54
60
  #endif
55
61
 
62
+ static void
63
+ ossl_sslctx_mark(void *ptr)
64
+ {
65
+ SSL_CTX *ctx = ptr;
66
+ rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
67
+ }
68
+
56
69
  static void
57
70
  ossl_sslctx_free(void *ptr)
58
71
  {
@@ -67,7 +80,7 @@ ossl_sslctx_free(void *ptr)
67
80
  static const rb_data_type_t ossl_sslctx_type = {
68
81
  "OpenSSL/SSL/CTX",
69
82
  {
70
- 0, ossl_sslctx_free,
83
+ ossl_sslctx_mark, ossl_sslctx_free,
71
84
  },
72
85
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
73
86
  };
@@ -616,7 +629,7 @@ static VALUE
616
629
  ssl_encode_npn_protocols(VALUE protocols)
617
630
  {
618
631
  VALUE encoded = rb_str_new(NULL, 0);
619
- rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
632
+ rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
620
633
  return encoded;
621
634
  }
622
635
 
@@ -686,7 +699,7 @@ static int
686
699
  ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
687
700
  void *arg)
688
701
  {
689
- VALUE protocols = (VALUE)arg;
702
+ VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
690
703
 
691
704
  *out = (const unsigned char *) RSTRING_PTR(protocols);
692
705
  *outlen = RSTRING_LENINT(protocols);
@@ -908,7 +921,7 @@ ossl_sslctx_setup(VALUE self)
908
921
  if (!NIL_P(val)) {
909
922
  VALUE encoded = ssl_encode_npn_protocols(val);
910
923
  rb_ivar_set(self, id_npn_protocols_encoded, encoded);
911
- SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
924
+ SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
912
925
  OSSL_Debug("SSL NPN advertise callback added");
913
926
  }
914
927
  if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
@@ -1526,6 +1539,14 @@ ssl_started(SSL *ssl)
1526
1539
  return SSL_get_fd(ssl) >= 0;
1527
1540
  }
1528
1541
 
1542
+ static void
1543
+ ossl_ssl_mark(void *ptr)
1544
+ {
1545
+ SSL *ssl = ptr;
1546
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
1547
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
1548
+ }
1549
+
1529
1550
  static void
1530
1551
  ossl_ssl_free(void *ssl)
1531
1552
  {
@@ -1535,7 +1556,7 @@ ossl_ssl_free(void *ssl)
1535
1556
  const rb_data_type_t ossl_ssl_type = {
1536
1557
  "OpenSSL/SSL",
1537
1558
  {
1538
- 0, ossl_ssl_free,
1559
+ ossl_ssl_mark, ossl_ssl_free,
1539
1560
  },
1540
1561
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
1541
1562
  };
@@ -1691,6 +1712,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
1691
1712
  rb_io_wait_readable(fptr->fd);
1692
1713
  continue;
1693
1714
  case SSL_ERROR_SYSCALL:
1715
+ #ifdef __APPLE__
1716
+ /* See ossl_ssl_write_internal() */
1717
+ if (errno == EPROTOTYPE)
1718
+ continue;
1719
+ #endif
1694
1720
  if (errno) rb_sys_fail(funcname);
1695
1721
  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1696
1722
  #if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
@@ -1847,26 +1873,36 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1847
1873
  io = rb_attr_get(self, id_i_io);
1848
1874
  GetOpenFile(io, fptr);
1849
1875
  if (ssl_started(ssl)) {
1850
- for (;;){
1876
+ rb_str_locktmp(str);
1877
+ for (;;) {
1851
1878
  nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
1852
1879
  switch(ssl_get_error(ssl, nread)){
1853
1880
  case SSL_ERROR_NONE:
1881
+ rb_str_unlocktmp(str);
1854
1882
  goto end;
1855
1883
  case SSL_ERROR_ZERO_RETURN:
1884
+ rb_str_unlocktmp(str);
1856
1885
  if (no_exception_p(opts)) { return Qnil; }
1857
1886
  rb_eof_error();
1858
1887
  case SSL_ERROR_WANT_WRITE:
1859
- if (no_exception_p(opts)) { return sym_wait_writable; }
1860
- write_would_block(nonblock);
1888
+ if (nonblock) {
1889
+ rb_str_unlocktmp(str);
1890
+ if (no_exception_p(opts)) { return sym_wait_writable; }
1891
+ write_would_block(nonblock);
1892
+ }
1861
1893
  rb_io_wait_writable(fptr->fd);
1862
1894
  continue;
1863
1895
  case SSL_ERROR_WANT_READ:
1864
- if (no_exception_p(opts)) { return sym_wait_readable; }
1865
- read_would_block(nonblock);
1896
+ if (nonblock) {
1897
+ rb_str_unlocktmp(str);
1898
+ if (no_exception_p(opts)) { return sym_wait_readable; }
1899
+ read_would_block(nonblock);
1900
+ }
1866
1901
  rb_io_wait_readable(fptr->fd);
1867
1902
  continue;
1868
1903
  case SSL_ERROR_SYSCALL:
1869
1904
  if (!ERR_peek_error()) {
1905
+ rb_str_unlocktmp(str);
1870
1906
  if (errno)
1871
1907
  rb_sys_fail(0);
1872
1908
  else {
@@ -1883,6 +1919,7 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1883
1919
  }
1884
1920
  /* fall through */
1885
1921
  default:
1922
+ rb_str_unlocktmp(str);
1886
1923
  ossl_raise(eSSLError, "SSL_read");
1887
1924
  }
1888
1925
  }
@@ -1953,21 +1990,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1953
1990
  int nwrite = 0;
1954
1991
  rb_io_t *fptr;
1955
1992
  int nonblock = opts != Qfalse;
1956
- VALUE io;
1993
+ VALUE tmp, io;
1957
1994
 
1958
- StringValue(str);
1995
+ tmp = rb_str_new_frozen(StringValue(str));
1959
1996
  GetSSL(self, ssl);
1960
1997
  io = rb_attr_get(self, id_i_io);
1961
1998
  GetOpenFile(io, fptr);
1962
1999
  if (ssl_started(ssl)) {
1963
- for (;;){
1964
- int num = RSTRING_LENINT(str);
2000
+ for (;;) {
2001
+ int num = RSTRING_LENINT(tmp);
1965
2002
 
1966
2003
  /* SSL_write(3ssl) manpage states num == 0 is undefined */
1967
2004
  if (num == 0)
1968
2005
  goto end;
1969
2006
 
1970
- nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
2007
+ nwrite = SSL_write(ssl, RSTRING_PTR(tmp), num);
1971
2008
  switch(ssl_get_error(ssl, nwrite)){
1972
2009
  case SSL_ERROR_NONE:
1973
2010
  goto end;
@@ -1982,6 +2019,16 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1982
2019
  rb_io_wait_readable(fptr->fd);
1983
2020
  continue;
1984
2021
  case SSL_ERROR_SYSCALL:
2022
+ #ifdef __APPLE__
2023
+ /*
2024
+ * It appears that send syscall can return EPROTOTYPE if the
2025
+ * socket is being torn down. Retry to get a proper errno to
2026
+ * make the error handling in line with the socket library.
2027
+ * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
2028
+ */
2029
+ if (errno == EPROTOTYPE)
2030
+ continue;
2031
+ #endif
1985
2032
  if (errno) rb_sys_fail(0);
1986
2033
  default:
1987
2034
  ossl_raise(eSSLError, "SSL_write");
@@ -2456,8 +2503,6 @@ ossl_ssl_tmp_key(VALUE self)
2456
2503
  # endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
2457
2504
  #endif /* !defined(OPENSSL_NO_SOCK) */
2458
2505
 
2459
- #undef rb_intern
2460
- #define rb_intern(s) rb_intern_const(s)
2461
2506
  void
2462
2507
  Init_ossl_ssl(void)
2463
2508
  {
@@ -2468,8 +2513,8 @@ Init_ossl_ssl(void)
2468
2513
  rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
2469
2514
  #endif
2470
2515
 
2471
- id_call = rb_intern("call");
2472
- ID_callback_state = rb_intern("callback_state");
2516
+ id_call = rb_intern_const("call");
2517
+ ID_callback_state = rb_intern_const("callback_state");
2473
2518
 
2474
2519
  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
2475
2520
  if (ossl_ssl_ex_vcb_idx < 0)
@@ -2536,7 +2581,7 @@ Init_ossl_ssl(void)
2536
2581
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2537
2582
  * It is recommended to use #add_certificate instead.
2538
2583
  */
2539
- rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
2584
+ rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
2540
2585
 
2541
2586
  /*
2542
2587
  * Context private key
@@ -2544,29 +2589,29 @@ Init_ossl_ssl(void)
2544
2589
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2545
2590
  * It is recommended to use #add_certificate instead.
2546
2591
  */
2547
- rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
2592
+ rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
2548
2593
 
2549
2594
  /*
2550
2595
  * A certificate or Array of certificates that will be sent to the client.
2551
2596
  */
2552
- rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
2597
+ rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
2553
2598
 
2554
2599
  /*
2555
2600
  * The path to a file containing a PEM-format CA certificate
2556
2601
  */
2557
- rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
2602
+ rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
2558
2603
 
2559
2604
  /*
2560
2605
  * The path to a directory containing CA certificates in PEM format.
2561
2606
  *
2562
2607
  * Files are looked up by subject's X509 name's hash value.
2563
2608
  */
2564
- rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
2609
+ rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
2565
2610
 
2566
2611
  /*
2567
2612
  * Maximum session lifetime in seconds.
2568
2613
  */
2569
- rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
2614
+ rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
2570
2615
 
2571
2616
  /*
2572
2617
  * Session verification mode.
@@ -2579,12 +2624,12 @@ Init_ossl_ssl(void)
2579
2624
  *
2580
2625
  * See SSL_CTX_set_verify(3) for details.
2581
2626
  */
2582
- rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
2627
+ rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
2583
2628
 
2584
2629
  /*
2585
2630
  * Number of CA certificates to walk when verifying a certificate chain.
2586
2631
  */
2587
- rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
2632
+ rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
2588
2633
 
2589
2634
  /*
2590
2635
  * A callback for additional certificate verification. The callback is
@@ -2598,7 +2643,7 @@ Init_ossl_ssl(void)
2598
2643
  * If the callback returns +false+, the chain verification is immediately
2599
2644
  * stopped and a bad_certificate alert is then sent.
2600
2645
  */
2601
- rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
2646
+ rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
2602
2647
 
2603
2648
  /*
2604
2649
  * Whether to check the server certificate is valid for the hostname.
@@ -2606,12 +2651,12 @@ Init_ossl_ssl(void)
2606
2651
  * In order to make this work, verify_mode must be set to VERIFY_PEER and
2607
2652
  * the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
2608
2653
  */
2609
- rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
2654
+ rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
2610
2655
 
2611
2656
  /*
2612
2657
  * An OpenSSL::X509::Store used for certificate verification.
2613
2658
  */
2614
- rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
2659
+ rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
2615
2660
 
2616
2661
  /*
2617
2662
  * An Array of extra X509 certificates to be added to the certificate
@@ -2620,7 +2665,7 @@ Init_ossl_ssl(void)
2620
2665
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2621
2666
  * It is recommended to use #add_certificate instead.
2622
2667
  */
2623
- rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
2668
+ rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
2624
2669
 
2625
2670
  /*
2626
2671
  * A callback invoked when a client certificate is requested by a server
@@ -2630,7 +2675,7 @@ Init_ossl_ssl(void)
2630
2675
  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
2631
2676
  * other value is returned the handshake is suspended.
2632
2677
  */
2633
- rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
2678
+ rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
2634
2679
 
2635
2680
  #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
2636
2681
  /*
@@ -2643,7 +2688,7 @@ Init_ossl_ssl(void)
2643
2688
  * The callback is deprecated. This does not work with recent versions of
2644
2689
  * OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
2645
2690
  */
2646
- rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
2691
+ rb_attr(cSSLContext, rb_intern_const("tmp_ecdh_callback"), 1, 1, Qfalse);
2647
2692
  #endif
2648
2693
 
2649
2694
  /*
@@ -2651,7 +2696,7 @@ Init_ossl_ssl(void)
2651
2696
  * sessions for multiple applications to be distinguished, for example, by
2652
2697
  * name.
2653
2698
  */
2654
- rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
2699
+ rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
2655
2700
 
2656
2701
  /*
2657
2702
  * A callback invoked on a server when a session is proposed by the client
@@ -2660,7 +2705,7 @@ Init_ossl_ssl(void)
2660
2705
  * The callback is invoked with the SSLSocket and session id. The
2661
2706
  * callback may return a Session from an external cache.
2662
2707
  */
2663
- rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
2708
+ rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
2664
2709
 
2665
2710
  /*
2666
2711
  * A callback invoked when a new session was negotiated.
@@ -2668,7 +2713,7 @@ Init_ossl_ssl(void)
2668
2713
  * The callback is invoked with an SSLSocket. If +false+ is returned the
2669
2714
  * session will be removed from the internal cache.
2670
2715
  */
2671
- rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
2716
+ rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
2672
2717
 
2673
2718
  /*
2674
2719
  * A callback invoked when a session is removed from the internal cache.
@@ -2679,7 +2724,7 @@ Init_ossl_ssl(void)
2679
2724
  * multi-threaded application. The callback is called inside a global lock
2680
2725
  * and it can randomly cause deadlock on Ruby thread switching.
2681
2726
  */
2682
- rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
2727
+ rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
2683
2728
 
2684
2729
  rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
2685
2730
 
@@ -2702,7 +2747,7 @@ Init_ossl_ssl(void)
2702
2747
  * raise RuntimeError, "Client renegotiation disabled"
2703
2748
  * end
2704
2749
  */
2705
- rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
2750
+ rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
2706
2751
  #ifndef OPENSSL_NO_NEXTPROTONEG
2707
2752
  /*
2708
2753
  * An Enumerable of Strings. Each String represents a protocol to be
@@ -2715,7 +2760,7 @@ Init_ossl_ssl(void)
2715
2760
  *
2716
2761
  * ctx.npn_protocols = ["http/1.1", "spdy/2"]
2717
2762
  */
2718
- rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
2763
+ rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
2719
2764
  /*
2720
2765
  * A callback invoked on the client side when the client needs to select
2721
2766
  * a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
@@ -2732,7 +2777,7 @@ Init_ossl_ssl(void)
2732
2777
  * protocols.first
2733
2778
  * end
2734
2779
  */
2735
- rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
2780
+ rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
2736
2781
  #endif
2737
2782
 
2738
2783
  #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@@ -2747,7 +2792,7 @@ Init_ossl_ssl(void)
2747
2792
  *
2748
2793
  * ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
2749
2794
  */
2750
- rb_attr(cSSLContext, rb_intern("alpn_protocols"), 1, 1, Qfalse);
2795
+ rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
2751
2796
  /*
2752
2797
  * A callback invoked on the server side when the server needs to select
2753
2798
  * a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
@@ -2764,7 +2809,7 @@ Init_ossl_ssl(void)
2764
2809
  * protocols.first
2765
2810
  * end
2766
2811
  */
2767
- rb_attr(cSSLContext, rb_intern("alpn_select_cb"), 1, 1, Qfalse);
2812
+ rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
2768
2813
  #endif
2769
2814
 
2770
2815
  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
@@ -2992,16 +3037,17 @@ Init_ossl_ssl(void)
2992
3037
  #endif
2993
3038
 
2994
3039
 
2995
- sym_exception = ID2SYM(rb_intern("exception"));
2996
- sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
2997
- sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
3040
+ sym_exception = ID2SYM(rb_intern_const("exception"));
3041
+ sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
3042
+ sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
2998
3043
 
2999
- id_tmp_dh_callback = rb_intern("tmp_dh_callback");
3000
- id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
3001
- id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
3044
+ id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
3045
+ id_tmp_ecdh_callback = rb_intern_const("tmp_ecdh_callback");
3046
+ id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
3047
+ id_each = rb_intern_const("each");
3002
3048
 
3003
3049
  #define DefIVarID(name) do \
3004
- id_i_##name = rb_intern("@"#name); while (0)
3050
+ id_i_##name = rb_intern_const("@"#name); while (0)
3005
3051
 
3006
3052
  DefIVarID(cert_store);
3007
3053
  DefIVarID(ca_file);
@@ -68,9 +68,9 @@ static VALUE cTimestampRequest;
68
68
  static VALUE cTimestampResponse;
69
69
  static VALUE cTimestampTokenInfo;
70
70
  static VALUE cTimestampFactory;
71
- static ID sBAD_ALG, sBAD_REQUEST, sBAD_DATA_FORMAT, sTIME_NOT_AVAILABLE;
72
- static ID sUNACCEPTED_POLICY, sUNACCEPTED_EXTENSION, sADD_INFO_NOT_AVAILABLE;
73
- static ID sSYSTEM_FAILURE;
71
+ static VALUE sBAD_ALG, sBAD_REQUEST, sBAD_DATA_FORMAT, sTIME_NOT_AVAILABLE;
72
+ static VALUE sUNACCEPTED_POLICY, sUNACCEPTED_EXTENSION, sADD_INFO_NOT_AVAILABLE;
73
+ static VALUE sSYSTEM_FAILURE;
74
74
 
75
75
  static void
76
76
  ossl_ts_req_free(void *ptr)
@@ -205,8 +205,10 @@ ossl_ts_req_initialize(int argc, VALUE *argv, VALUE self)
205
205
  in = ossl_obj2bio(&arg);
206
206
  ts_req = d2i_TS_REQ_bio(in, &ts_req);
207
207
  BIO_free(in);
208
- if (!ts_req)
208
+ if (!ts_req) {
209
+ DATA_PTR(self) = NULL;
209
210
  ossl_raise(eTimestampError, "Error when decoding the timestamp request");
211
+ }
210
212
  DATA_PTR(self) = ts_req;
211
213
 
212
214
  return self;
@@ -529,8 +531,10 @@ ossl_ts_resp_initialize(VALUE self, VALUE der)
529
531
  in = ossl_obj2bio(&der);
530
532
  ts_resp = d2i_TS_RESP_bio(in, &ts_resp);
531
533
  BIO_free(in);
532
- if (!ts_resp)
534
+ if (!ts_resp) {
535
+ DATA_PTR(self) = NULL;
533
536
  ossl_raise(eTimestampError, "Error when decoding the timestamp response");
537
+ }
534
538
  DATA_PTR(self) = ts_resp;
535
539
 
536
540
  return self;
@@ -816,7 +820,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
816
820
  X509_up_ref(cert);
817
821
  }
818
822
 
819
- TS_VERIFY_CTS_set_certs(ctx, x509inter);
823
+ TS_VERIFY_CTX_set_certs(ctx, x509inter);
820
824
  TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
821
825
  TS_VERIFY_CTX_set_store(ctx, x509st);
822
826
 
@@ -871,8 +875,10 @@ ossl_ts_token_info_initialize(VALUE self, VALUE der)
871
875
  in = ossl_obj2bio(&der);
872
876
  info = d2i_TS_TST_INFO_bio(in, &info);
873
877
  BIO_free(in);
874
- if (!info)
878
+ if (!info) {
879
+ DATA_PTR(self) = NULL;
875
880
  ossl_raise(eTimestampError, "Error when decoding the timestamp token info");
881
+ }
876
882
  DATA_PTR(self) = info;
877
883
 
878
884
  return self;
@@ -1074,7 +1080,11 @@ ossl_tsfac_serial_cb(struct TS_resp_ctx *ctx, void *data)
1074
1080
  }
1075
1081
 
1076
1082
  static int
1083
+ #if !defined(LIBRESSL_VERSION_NUMBER)
1077
1084
  ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
1085
+ #else
1086
+ ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, time_t *sec, long *usec)
1087
+ #endif
1078
1088
  {
1079
1089
  *sec = *((long *)data);
1080
1090
  *usec = 0;
@@ -1247,24 +1257,24 @@ Init_ossl_ts(void)
1247
1257
  * timestamp server rejects the message imprint algorithm used in the
1248
1258
  * +Request+
1249
1259
  */
1250
- sBAD_ALG = rb_intern("BAD_ALG");
1260
+ sBAD_ALG = ID2SYM(rb_intern_const("BAD_ALG"));
1251
1261
 
1252
1262
  /*
1253
1263
  * Possible return value for +Response#failure_info+. Indicates that the
1254
1264
  * timestamp server was not able to process the +Request+ properly.
1255
1265
  */
1256
- sBAD_REQUEST = rb_intern("BAD_REQUEST");
1266
+ sBAD_REQUEST = ID2SYM(rb_intern_const("BAD_REQUEST"));
1257
1267
  /*
1258
1268
  * Possible return value for +Response#failure_info+. Indicates that the
1259
1269
  * timestamp server was not able to parse certain data in the +Request+.
1260
1270
  */
1261
- sBAD_DATA_FORMAT = rb_intern("BAD_DATA_FORMAT");
1271
+ sBAD_DATA_FORMAT = ID2SYM(rb_intern_const("BAD_DATA_FORMAT"));
1262
1272
 
1263
- sTIME_NOT_AVAILABLE = rb_intern("TIME_NOT_AVAILABLE");
1264
- sUNACCEPTED_POLICY = rb_intern("UNACCEPTED_POLICY");
1265
- sUNACCEPTED_EXTENSION = rb_intern("UNACCEPTED_EXTENSION");
1266
- sADD_INFO_NOT_AVAILABLE = rb_intern("ADD_INFO_NOT_AVAILABLE");
1267
- sSYSTEM_FAILURE = rb_intern("SYSTEM_FAILURE");
1273
+ sTIME_NOT_AVAILABLE = ID2SYM(rb_intern_const("TIME_NOT_AVAILABLE"));
1274
+ sUNACCEPTED_POLICY = ID2SYM(rb_intern_const("UNACCEPTED_POLICY"));
1275
+ sUNACCEPTED_EXTENSION = ID2SYM(rb_intern_const("UNACCEPTED_EXTENSION"));
1276
+ sADD_INFO_NOT_AVAILABLE = ID2SYM(rb_intern_const("ADD_INFO_NOT_AVAILABLE"));
1277
+ sSYSTEM_FAILURE = ID2SYM(rb_intern_const("SYSTEM_FAILURE"));
1268
1278
 
1269
1279
  /* Document-class: OpenSSL::Timestamp
1270
1280
  * Provides classes and methods to request, create and validate
@@ -1503,11 +1513,11 @@ Init_ossl_ts(void)
1503
1513
  *
1504
1514
  */
1505
1515
  cTimestampFactory = rb_define_class_under(mTimestamp, "Factory", rb_cObject);
1506
- rb_attr(cTimestampFactory, rb_intern("allowed_digests"), 1, 1, 0);
1507
- rb_attr(cTimestampFactory, rb_intern("default_policy_id"), 1, 1, 0);
1508
- rb_attr(cTimestampFactory, rb_intern("serial_number"), 1, 1, 0);
1509
- rb_attr(cTimestampFactory, rb_intern("gen_time"), 1, 1, 0);
1510
- rb_attr(cTimestampFactory, rb_intern("additional_certs"), 1, 1, 0);
1516
+ rb_attr(cTimestampFactory, rb_intern_const("allowed_digests"), 1, 1, 0);
1517
+ rb_attr(cTimestampFactory, rb_intern_const("default_policy_id"), 1, 1, 0);
1518
+ rb_attr(cTimestampFactory, rb_intern_const("serial_number"), 1, 1, 0);
1519
+ rb_attr(cTimestampFactory, rb_intern_const("gen_time"), 1, 1, 0);
1520
+ rb_attr(cTimestampFactory, rb_intern_const("additional_certs"), 1, 1, 0);
1511
1521
  rb_define_method(cTimestampFactory, "create_timestamp", ossl_tsfac_create_ts, 3);
1512
1522
  }
1513
1523
 
@@ -105,6 +105,13 @@ VALUE cX509Store;
105
105
  VALUE cX509StoreContext;
106
106
  VALUE eX509StoreError;
107
107
 
108
+ static void
109
+ ossl_x509store_mark(void *ptr)
110
+ {
111
+ X509_STORE *store = ptr;
112
+ rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
113
+ }
114
+
108
115
  static void
109
116
  ossl_x509store_free(void *ptr)
110
117
  {
@@ -114,7 +121,7 @@ ossl_x509store_free(void *ptr)
114
121
  static const rb_data_type_t ossl_x509store_type = {
115
122
  "OpenSSL/X509/STORE",
116
123
  {
117
- 0, ossl_x509store_free,
124
+ ossl_x509store_mark, ossl_x509store_free,
118
125
  },
119
126
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
120
127
  };
@@ -456,23 +463,16 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
456
463
  return result;
457
464
  }
458
465
 
459
- /*
460
- * Public Functions
461
- */
462
- static void ossl_x509stctx_free(void*);
463
-
464
-
465
- static const rb_data_type_t ossl_x509stctx_type = {
466
- "OpenSSL/X509/STORE_CTX",
467
- {
468
- 0, ossl_x509stctx_free,
469
- },
470
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
471
- };
472
-
473
466
  /*
474
467
  * Private functions
475
468
  */
469
+ static void
470
+ ossl_x509stctx_mark(void *ptr)
471
+ {
472
+ X509_STORE_CTX *ctx = ptr;
473
+ rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
474
+ }
475
+
476
476
  static void
477
477
  ossl_x509stctx_free(void *ptr)
478
478
  {
@@ -484,6 +484,14 @@ ossl_x509stctx_free(void *ptr)
484
484
  X509_STORE_CTX_free(ctx);
485
485
  }
486
486
 
487
+ static const rb_data_type_t ossl_x509stctx_type = {
488
+ "OpenSSL/X509/STORE_CTX",
489
+ {
490
+ ossl_x509stctx_mark, ossl_x509stctx_free,
491
+ },
492
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
493
+ };
494
+
487
495
  static VALUE
488
496
  ossl_x509stctx_alloc(VALUE klass)
489
497
  {
@@ -517,7 +525,9 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
517
525
 
518
526
  /*
519
527
  * call-seq:
520
- * StoreContext.new(store, cert = nil, chain = nil)
528
+ * StoreContext.new(store, cert = nil, untrusted = nil)
529
+ *
530
+ * Sets up a StoreContext for a verification of the X.509 certificate _cert_.
521
531
  */
522
532
  static VALUE
523
533
  ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
@@ -527,15 +537,24 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
527
537
  X509_STORE *x509st;
528
538
  X509 *x509 = NULL;
529
539
  STACK_OF(X509) *x509s = NULL;
540
+ int state;
530
541
 
531
542
  rb_scan_args(argc, argv, "12", &store, &cert, &chain);
532
543
  GetX509StCtx(self, ctx);
533
544
  GetX509Store(store, x509st);
534
- if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
535
- if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
536
- if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
545
+ if (!NIL_P(cert))
546
+ x509 = DupX509CertPtr(cert); /* NEED TO DUP */
547
+ if (!NIL_P(chain)) {
548
+ x509s = ossl_protect_x509_ary2sk(chain, &state);
549
+ if (state) {
550
+ X509_free(x509);
551
+ rb_jump_tag(state);
552
+ }
553
+ }
554
+ if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
555
+ X509_free(x509);
537
556
  sk_X509_pop_free(x509s, X509_free);
538
- ossl_raise(eX509StoreError, NULL);
557
+ ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
539
558
  }
540
559
  if (!NIL_P(t = rb_iv_get(store, "@time")))
541
560
  ossl_x509stctx_set_time(self, t);
@@ -31,7 +31,7 @@ module OpenSSL::Buffering
31
31
 
32
32
  force_encoding(BINARY)
33
33
  end
34
-
34
+
35
35
  def << string
36
36
  if string.encoding == BINARY
37
37
  super(string)
data/lib/openssl/ssl.rb CHANGED
@@ -236,7 +236,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
236
236
  def fileno
237
237
  to_io.fileno
238
238
  end
239
-
239
+
240
240
  def addr
241
241
  to_io.addr
242
242
  end
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OpenSSL
4
- VERSION = "2.2.0"
4
+ VERSION = "2.2.3"
5
5
  end
metadata CHANGED
@@ -1,32 +1,46 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.0
4
+ version: 2.2.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Martin Bosslet
8
8
  - SHIBATA Hiroshi
9
9
  - Zachary Scott
10
10
  - Kazuki Yamaguchi
11
- autorequire:
11
+ autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2020-05-13 00:00:00.000000000 Z
14
+ date: 2022-12-23 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
- name: rake
17
+ name: ipaddr
18
18
  requirement: !ruby/object:Gem::Requirement
19
19
  requirements:
20
20
  - - ">="
21
21
  - !ruby/object:Gem::Version
22
22
  version: '0'
23
- type: :development
23
+ type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: !ruby/object:Gem::Requirement
26
26
  requirements:
27
27
  - - ">="
28
28
  - !ruby/object:Gem::Version
29
29
  version: '0'
30
+ - !ruby/object:Gem::Dependency
31
+ name: rake
32
+ requirement: !ruby/object:Gem::Requirement
33
+ requirements:
34
+ - - ">="
35
+ - !ruby/object:Gem::Version
36
+ version: 11.2.0
37
+ type: :development
38
+ prerelease: false
39
+ version_requirements: !ruby/object:Gem::Requirement
40
+ requirements:
41
+ - - ">="
42
+ - !ruby/object:Gem::Version
43
+ version: 11.2.0
30
44
  - !ruby/object:Gem::Dependency
31
45
  name: rake-compiler
32
46
  requirement: !ruby/object:Gem::Requirement
@@ -158,7 +172,7 @@ licenses:
158
172
  - Ruby
159
173
  metadata:
160
174
  msys2_mingw_dependencies: openssl
161
- post_install_message:
175
+ post_install_message:
162
176
  rdoc_options:
163
177
  - "--main"
164
178
  - README.md
@@ -175,8 +189,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
175
189
  - !ruby/object:Gem::Version
176
190
  version: '0'
177
191
  requirements: []
178
- rubygems_version: 3.2.0.pre1
179
- signing_key:
192
+ rubygems_version: 3.4.0.dev
193
+ signing_key:
180
194
  specification_version: 4
181
195
  summary: OpenSSL provides SSL, TLS and general purpose cryptography.
182
196
  test_files: []