openssl 2.2.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +32 -44
  3. data/History.md +155 -0
  4. data/ext/openssl/extconf.rb +43 -38
  5. data/ext/openssl/openssl_missing.c +0 -66
  6. data/ext/openssl/openssl_missing.h +26 -45
  7. data/ext/openssl/ossl.c +67 -47
  8. data/ext/openssl/ossl.h +20 -6
  9. data/ext/openssl/ossl_asn1.c +16 -4
  10. data/ext/openssl/ossl_bn.c +267 -143
  11. data/ext/openssl/ossl_bn.h +2 -1
  12. data/ext/openssl/ossl_cipher.c +11 -11
  13. data/ext/openssl/ossl_config.c +412 -41
  14. data/ext/openssl/ossl_config.h +4 -7
  15. data/ext/openssl/ossl_digest.c +15 -11
  16. data/ext/openssl/ossl_engine.c +16 -15
  17. data/ext/openssl/ossl_hmac.c +48 -135
  18. data/ext/openssl/ossl_kdf.c +8 -0
  19. data/ext/openssl/ossl_ocsp.c +3 -51
  20. data/ext/openssl/ossl_pkcs12.c +21 -3
  21. data/ext/openssl/ossl_pkcs7.c +42 -59
  22. data/ext/openssl/ossl_pkey.c +1102 -191
  23. data/ext/openssl/ossl_pkey.h +35 -72
  24. data/ext/openssl/ossl_pkey_dh.c +124 -334
  25. data/ext/openssl/ossl_pkey_dsa.c +93 -398
  26. data/ext/openssl/ossl_pkey_ec.c +126 -318
  27. data/ext/openssl/ossl_pkey_rsa.c +100 -487
  28. data/ext/openssl/ossl_ssl.c +322 -375
  29. data/ext/openssl/ossl_ssl_session.c +24 -29
  30. data/ext/openssl/ossl_ts.c +64 -39
  31. data/ext/openssl/ossl_x509.c +0 -6
  32. data/ext/openssl/ossl_x509cert.c +164 -8
  33. data/ext/openssl/ossl_x509crl.c +10 -7
  34. data/ext/openssl/ossl_x509ext.c +1 -2
  35. data/ext/openssl/ossl_x509name.c +9 -2
  36. data/ext/openssl/ossl_x509req.c +10 -7
  37. data/ext/openssl/ossl_x509store.c +193 -90
  38. data/lib/openssl/buffering.rb +10 -1
  39. data/lib/openssl/hmac.rb +65 -0
  40. data/lib/openssl/pkey.rb +417 -0
  41. data/lib/openssl/ssl.rb +8 -8
  42. data/lib/openssl/version.rb +1 -1
  43. data/lib/openssl/x509.rb +22 -0
  44. data/lib/openssl.rb +0 -1
  45. metadata +8 -66
  46. data/ext/openssl/ruby_missing.h +0 -24
  47. data/lib/openssl/config.rb +0 -501
data/ext/openssl/ossl.c CHANGED
@@ -9,13 +9,19 @@
9
9
  */
10
10
  #include "ossl.h"
11
11
  #include <stdarg.h> /* for ossl_raise */
12
- #include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
12
+
13
+ /* OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0 */
14
+ #if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
15
+ # define HAVE_OPENSSL_110_THREADING_API
16
+ #else
17
+ # include <ruby/thread_native.h>
18
+ #endif
13
19
 
14
20
  /*
15
21
  * Data Conversion
16
22
  */
17
23
  #define OSSL_IMPL_ARY2SK(name, type, expected_class, dup) \
18
- STACK_OF(type) * \
24
+ VALUE \
19
25
  ossl_##name##_ary2sk0(VALUE ary) \
20
26
  { \
21
27
  STACK_OF(type) *sk; \
@@ -37,7 +43,7 @@ ossl_##name##_ary2sk0(VALUE ary) \
37
43
  x = dup(val); /* NEED TO DUP */ \
38
44
  sk_##type##_push(sk, x); \
39
45
  } \
40
- return sk; \
46
+ return (VALUE)sk; \
41
47
  } \
42
48
  \
43
49
  STACK_OF(type) * \
@@ -262,15 +268,11 @@ ossl_to_der_if_possible(VALUE obj)
262
268
  /*
263
269
  * Errors
264
270
  */
265
- static VALUE
266
- ossl_make_error(VALUE exc, const char *fmt, va_list args)
271
+ VALUE
272
+ ossl_make_error(VALUE exc, VALUE str)
267
273
  {
268
- VALUE str = Qnil;
269
274
  unsigned long e;
270
275
 
271
- if (fmt) {
272
- str = rb_vsprintf(fmt, args);
273
- }
274
276
  e = ERR_peek_last_error();
275
277
  if (e) {
276
278
  const char *msg = ERR_reason_error_string(e);
@@ -294,37 +296,48 @@ ossl_raise(VALUE exc, const char *fmt, ...)
294
296
  {
295
297
  va_list args;
296
298
  VALUE err;
297
- va_start(args, fmt);
298
- err = ossl_make_error(exc, fmt, args);
299
- va_end(args);
300
- rb_exc_raise(err);
299
+
300
+ if (fmt) {
301
+ va_start(args, fmt);
302
+ err = rb_vsprintf(fmt, args);
303
+ va_end(args);
304
+ }
305
+ else {
306
+ err = Qnil;
307
+ }
308
+
309
+ rb_exc_raise(ossl_make_error(exc, err));
301
310
  }
302
311
 
303
312
  void
304
313
  ossl_clear_error(void)
305
314
  {
306
315
  if (dOSSL == Qtrue) {
307
- unsigned long e;
308
- const char *file, *data, *errstr;
309
- int line, flags;
310
-
311
- while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
312
- errstr = ERR_error_string(e, NULL);
313
- if (!errstr)
314
- errstr = "(null)";
315
-
316
- if (flags & ERR_TXT_STRING) {
317
- if (!data)
318
- data = "(null)";
319
- rb_warn("error on stack: %s (%s)", errstr, data);
320
- }
321
- else {
322
- rb_warn("error on stack: %s", errstr);
323
- }
324
- }
316
+ unsigned long e;
317
+ const char *file, *data, *func, *lib, *reason;
318
+ char append[256] = "";
319
+ int line, flags;
320
+
321
+ #ifdef HAVE_ERR_GET_ERROR_ALL
322
+ while ((e = ERR_get_error_all(&file, &line, &func, &data, &flags))) {
323
+ #else
324
+ while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
325
+ func = ERR_func_error_string(e);
326
+ #endif
327
+ lib = ERR_lib_error_string(e);
328
+ reason = ERR_reason_error_string(e);
329
+
330
+ if (flags & ERR_TXT_STRING) {
331
+ if (!data)
332
+ data = "(null)";
333
+ snprintf(append, sizeof(append), " (%s)", data);
334
+ }
335
+ rb_warn("error on stack: error:%08lX:%s:%s:%s%s", e, lib ? lib : "",
336
+ func ? func : "", reason ? reason : "", append);
337
+ }
325
338
  }
326
339
  else {
327
- ERR_clear_error();
340
+ ERR_clear_error();
328
341
  }
329
342
  }
330
343
 
@@ -386,7 +399,7 @@ ossl_debug_get(VALUE self)
386
399
  * call-seq:
387
400
  * OpenSSL.debug = boolean -> boolean
388
401
  *
389
- * Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
402
+ * Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
390
403
  * error queue will be printed to stderr.
391
404
  */
392
405
  static VALUE
@@ -497,8 +510,11 @@ print_mem_leaks(VALUE self)
497
510
  int ret;
498
511
  #endif
499
512
 
500
- BN_CTX_free(ossl_bn_ctx);
501
- ossl_bn_ctx = NULL;
513
+ #ifndef HAVE_RB_EXT_RACTOR_SAFE
514
+ // for Ruby 2.x
515
+ void ossl_bn_ctx_free(void); // ossl_bn.c
516
+ ossl_bn_ctx_free();
517
+ #endif
502
518
 
503
519
  #if OPENSSL_VERSION_NUMBER >= 0x10100000
504
520
  ret = CRYPTO_mem_leaks_fp(stderr);
@@ -664,7 +680,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
664
680
  * ahold of the key may use it unless it is encrypted. In order to securely
665
681
  * export a key you may export it with a pass phrase.
666
682
  *
667
- * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
683
+ * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
668
684
  * pass_phrase = 'my secure pass phrase goes here'
669
685
  *
670
686
  * key_secure = key.export cipher, pass_phrase
@@ -679,13 +695,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
679
695
  *
680
696
  * A key can also be loaded from a file.
681
697
  *
682
- * key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
698
+ * key2 = OpenSSL::PKey.read File.read 'private_key.pem'
683
699
  * key2.public? # => true
684
700
  * key2.private? # => true
685
701
  *
686
702
  * or
687
703
  *
688
- * key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
704
+ * key3 = OpenSSL::PKey.read File.read 'public_key.pem'
689
705
  * key3.public? # => true
690
706
  * key3.private? # => false
691
707
  *
@@ -697,7 +713,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
697
713
  *
698
714
  * key4_pem = File.read 'private.secure.pem'
699
715
  * pass_phrase = 'my secure pass phrase goes here'
700
- * key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
716
+ * key4 = OpenSSL::PKey.read key4_pem, pass_phrase
701
717
  *
702
718
  * == RSA Encryption
703
719
  *
@@ -772,7 +788,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
772
788
  * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
773
789
  * the number of iterations largely depends on the hardware being used.
774
790
  *
775
- * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
791
+ * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
776
792
  * cipher.encrypt
777
793
  * iv = cipher.random_iv
778
794
  *
@@ -795,7 +811,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
795
811
  * Use the same steps as before to derive the symmetric AES key, this time
796
812
  * setting the Cipher up for decryption.
797
813
  *
798
- * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
814
+ * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
799
815
  * cipher.decrypt
800
816
  * cipher.iv = iv # the one generated with #random_iv
801
817
  *
@@ -830,7 +846,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
830
846
  *
831
847
  * First set up the cipher for encryption
832
848
  *
833
- * encryptor = OpenSSL::Cipher.new 'AES-256-CBC'
849
+ * encryptor = OpenSSL::Cipher.new 'aes-256-cbc'
834
850
  * encryptor.encrypt
835
851
  * encryptor.pkcs5_keyivgen pass_phrase, salt
836
852
  *
@@ -843,7 +859,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
843
859
  *
844
860
  * Use a new Cipher instance set up for decryption
845
861
  *
846
- * decryptor = OpenSSL::Cipher.new 'AES-256-CBC'
862
+ * decryptor = OpenSSL::Cipher.new 'aes-256-cbc'
847
863
  * decryptor.decrypt
848
864
  * decryptor.pkcs5_keyivgen pass_phrase, salt
849
865
  *
@@ -931,7 +947,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
931
947
  * ca_key = OpenSSL::PKey::RSA.new 2048
932
948
  * pass_phrase = 'my secure pass phrase goes here'
933
949
  *
934
- * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
950
+ * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
935
951
  *
936
952
  * open 'ca_key.pem', 'w', 0400 do |io|
937
953
  * io.write ca_key.export(cipher, pass_phrase)
@@ -1069,13 +1085,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
1069
1085
  * loop do
1070
1086
  * ssl_connection = ssl_server.accept
1071
1087
  *
1072
- * data = connection.gets
1088
+ * data = ssl_connection.gets
1073
1089
  *
1074
1090
  * response = "I got #{data.dump}"
1075
1091
  * puts response
1076
1092
  *
1077
- * connection.puts "I got #{data.dump}"
1078
- * connection.close
1093
+ * ssl_connection.puts "I got #{data.dump}"
1094
+ * ssl_connection.close
1079
1095
  * end
1080
1096
  *
1081
1097
  * === SSL client
@@ -1126,6 +1142,10 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
1126
1142
  void
1127
1143
  Init_openssl(void)
1128
1144
  {
1145
+ #ifdef HAVE_RB_EXT_RACTOR_SAFE
1146
+ rb_ext_ractor_safe(true);
1147
+ #endif
1148
+
1129
1149
  #undef rb_intern
1130
1150
  /*
1131
1151
  * Init timezone info
data/ext/openssl/ossl.h CHANGED
@@ -18,22 +18,19 @@
18
18
  #include <ruby/io.h>
19
19
  #include <ruby/thread.h>
20
20
  #include <openssl/opensslv.h>
21
+
21
22
  #include <openssl/err.h>
22
23
  #include <openssl/asn1.h>
23
24
  #include <openssl/x509v3.h>
24
25
  #include <openssl/ssl.h>
25
26
  #include <openssl/pkcs12.h>
26
27
  #include <openssl/pkcs7.h>
27
- #include <openssl/hmac.h>
28
28
  #include <openssl/rand.h>
29
29
  #include <openssl/conf.h>
30
30
  #ifndef OPENSSL_NO_TS
31
31
  #include <openssl/ts.h>
32
32
  #endif
33
33
  #include <openssl/crypto.h>
34
- #if !defined(OPENSSL_NO_ENGINE)
35
- # include <openssl/engine.h>
36
- #endif
37
34
  #if !defined(OPENSSL_NO_OCSP)
38
35
  # include <openssl/ocsp.h>
39
36
  #endif
@@ -43,6 +40,22 @@
43
40
  #include <openssl/evp.h>
44
41
  #include <openssl/dh.h>
45
42
 
43
+ #ifndef LIBRESSL_VERSION_NUMBER
44
+ # define OSSL_IS_LIBRESSL 0
45
+ # define OSSL_OPENSSL_PREREQ(maj, min, pat) \
46
+ (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
47
+ # define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
48
+ #else
49
+ # define OSSL_IS_LIBRESSL 1
50
+ # define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
51
+ # define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
52
+ (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
53
+ #endif
54
+
55
+ #if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
56
+ # define OSSL_USE_ENGINE
57
+ #endif
58
+
46
59
  /*
47
60
  * Common Module
48
61
  */
@@ -121,7 +134,9 @@ int ossl_pem_passwd_cb(char *, int, int, void *);
121
134
  /*
122
135
  * ERRor messages
123
136
  */
124
- NORETURN(void ossl_raise(VALUE, const char *, ...));
137
+ PRINTF_ARGS(NORETURN(void ossl_raise(VALUE, const char *, ...)), 2, 3);
138
+ /* Make exception instance from str and OpenSSL error reason string. */
139
+ VALUE ossl_make_error(VALUE exc, VALUE str);
125
140
  /* Clear OpenSSL error queue. If dOSSL is set, rb_warn() them. */
126
141
  void ossl_clear_error(void);
127
142
 
@@ -154,7 +169,6 @@ void ossl_debug(const char *, ...);
154
169
  * Include all parts
155
170
  */
156
171
  #include "openssl_missing.h"
157
- #include "ruby_missing.h"
158
172
  #include "ossl_asn1.h"
159
173
  #include "ossl_bio.h"
160
174
  #include "ossl_bn.h"
@@ -69,6 +69,12 @@ asn1time_to_time(const ASN1_TIME *time)
69
69
  return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
70
70
  }
71
71
 
72
+ static VALUE
73
+ asn1time_to_time_i(VALUE arg)
74
+ {
75
+ return asn1time_to_time((ASN1_TIME *)arg);
76
+ }
77
+
72
78
  void
73
79
  ossl_time_split(VALUE time, time_t *sec, int *days)
74
80
  {
@@ -136,6 +142,12 @@ num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
136
142
  return ai;
137
143
  }
138
144
 
145
+ static VALUE
146
+ asn1integer_to_num_i(VALUE arg)
147
+ {
148
+ return asn1integer_to_num((ASN1_INTEGER *)arg);
149
+ }
150
+
139
151
  /********/
140
152
  /*
141
153
  * ASN1 module
@@ -325,7 +337,7 @@ decode_int(unsigned char* der, long length)
325
337
  p = der;
326
338
  if(!(ai = d2i_ASN1_INTEGER(NULL, &p, length)))
327
339
  ossl_raise(eASN1Error, NULL);
328
- ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
340
+ ret = rb_protect(asn1integer_to_num_i,
329
341
  (VALUE)ai, &status);
330
342
  ASN1_INTEGER_free(ai);
331
343
  if(status) rb_jump_tag(status);
@@ -365,7 +377,7 @@ decode_enum(unsigned char* der, long length)
365
377
  p = der;
366
378
  if(!(ai = d2i_ASN1_ENUMERATED(NULL, &p, length)))
367
379
  ossl_raise(eASN1Error, NULL);
368
- ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
380
+ ret = rb_protect(asn1integer_to_num_i,
369
381
  (VALUE)ai, &status);
370
382
  ASN1_ENUMERATED_free(ai);
371
383
  if(status) rb_jump_tag(status);
@@ -427,7 +439,7 @@ decode_time(unsigned char* der, long length)
427
439
  p = der;
428
440
  if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
429
441
  ossl_raise(eASN1Error, NULL);
430
- ret = rb_protect((VALUE (*)(VALUE))asn1time_to_time,
442
+ ret = rb_protect(asn1time_to_time_i,
431
443
  (VALUE)time, &status);
432
444
  ASN1_TIME_free(time);
433
445
  if(status) rb_jump_tag(status);
@@ -1510,7 +1522,7 @@ Init_ossl_asn1(void)
1510
1522
  *
1511
1523
  * An Array that stores the name of a given tag number. These names are
1512
1524
  * the same as the name of the tag constant that is additionally defined,
1513
- * e.g. UNIVERSAL_TAG_NAME[2] = "INTEGER" and OpenSSL::ASN1::INTEGER = 2.
1525
+ * e.g. +UNIVERSAL_TAG_NAME[2] = "INTEGER"+ and +OpenSSL::ASN1::INTEGER = 2+.
1514
1526
  *
1515
1527
  * == Example usage
1516
1528
  *