openssl 2.2.0 → 3.2.0

data/ext/openssl/ossl_engine.c

@@ -9,7 +9,8 @@
  */
 #include "ossl.h"
 
-#if !defined(OPENSSL_NO_ENGINE)
+#ifdef OSSL_USE_ENGINE
+# include <openssl/engine.h>
 
 #define NewEngine(klass) \
     TypedData_Wrap_Struct((klass), &ossl_engine_type, 0)
@@ -77,7 +78,7 @@ static const rb_data_type_t ossl_engine_type = {
     {
 	0, ossl_engine_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 /*
@@ -101,48 +102,48 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
         return Qtrue;
     }
     StringValueCStr(name);
-#if HAVE_ENGINE_LOAD_DYNAMIC
+#ifdef HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC);
 #endif
 #ifndef OPENSSL_NO_STATIC_ENGINE
-#if HAVE_ENGINE_LOAD_4758CCA
+#ifdef HAVE_ENGINE_LOAD_4758CCA
     OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA);
 #endif
-#if HAVE_ENGINE_LOAD_AEP
+#ifdef HAVE_ENGINE_LOAD_AEP
     OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP);
 #endif
-#if HAVE_ENGINE_LOAD_ATALLA
+#ifdef HAVE_ENGINE_LOAD_ATALLA
     OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA);
 #endif
-#if HAVE_ENGINE_LOAD_CHIL
+#ifdef HAVE_ENGINE_LOAD_CHIL
     OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL);
 #endif
-#if HAVE_ENGINE_LOAD_CSWIFT
+#ifdef HAVE_ENGINE_LOAD_CSWIFT
     OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT);
 #endif
-#if HAVE_ENGINE_LOAD_NURON
+#ifdef HAVE_ENGINE_LOAD_NURON
     OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON);
 #endif
-#if HAVE_ENGINE_LOAD_SUREWARE
+#ifdef HAVE_ENGINE_LOAD_SUREWARE
     OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE);
 #endif
-#if HAVE_ENGINE_LOAD_UBSEC
+#ifdef HAVE_ENGINE_LOAD_UBSEC
     OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC);
 #endif
-#if HAVE_ENGINE_LOAD_PADLOCK
+#ifdef HAVE_ENGINE_LOAD_PADLOCK
     OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK);
 #endif
-#if HAVE_ENGINE_LOAD_CAPI
+#ifdef HAVE_ENGINE_LOAD_CAPI
     OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI);
 #endif
-#if HAVE_ENGINE_LOAD_GMP
+#ifdef HAVE_ENGINE_LOAD_GMP
     OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP);
 #endif
-#if HAVE_ENGINE_LOAD_GOST
+#ifdef HAVE_ENGINE_LOAD_GOST
     OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST);
 #endif
 #endif
-#if HAVE_ENGINE_LOAD_CRYPTODEV
+#ifdef HAVE_ENGINE_LOAD_CRYPTODEV
     OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV);
 #endif
     OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL);

data/ext/openssl/ossl_hmac.c

@@ -7,14 +7,12 @@
  * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
-#if !defined(OPENSSL_NO_HMAC)
-
 #include "ossl.h"
 
 #define NewHMAC(klass) \
     TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0)
 #define GetHMAC(obj, ctx) do { \
-    TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
+    TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_hmac_type, (ctx)); \
     if (!(ctx)) { \
 	ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
     } \
@@ -36,7 +34,7 @@ VALUE eHMACError;
 static void
 ossl_hmac_free(void *ctx)
 {
-    HMAC_CTX_free(ctx);
+    EVP_MD_CTX_free(ctx);
 }
 
 static const rb_data_type_t ossl_hmac_type = {
@@ -44,19 +42,19 @@ static const rb_data_type_t ossl_hmac_type = {
     {
 	0, ossl_hmac_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static VALUE
 ossl_hmac_alloc(VALUE klass)
 {
     VALUE obj;
-    HMAC_CTX *ctx;
+    EVP_MD_CTX *ctx;
 
     obj = NewHMAC(klass);
-    ctx = HMAC_CTX_new();
+    ctx = EVP_MD_CTX_new();
     if (!ctx)
-	ossl_raise(eHMACError, NULL);
+        ossl_raise(eHMACError, "EVP_MD_CTX");
     RTYPEDDATA_DATA(obj) = ctx;
 
     return obj;
@@ -76,8 +74,7 @@ ossl_hmac_alloc(VALUE klass)
  * === Example
  *
  *	key = 'key'
- * 	digest = OpenSSL::Digest.new('sha1')
- * 	instance = OpenSSL::HMAC.new(key, digest)
+ * 	instance = OpenSSL::HMAC.new(key, 'SHA1')
  * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  * 	instance.class
  * 	#=> OpenSSL::HMAC
@@ -86,7 +83,7 @@ ossl_hmac_alloc(VALUE klass)
  *
  * Two instances can be securely compared with #== in constant time:
  *
- *	other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ *	other_instance = OpenSSL::HMAC.new('key', 'SHA1')
  *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *  instance == other_instance
  *  #=> true
@@ -95,12 +92,31 @@ ossl_hmac_alloc(VALUE klass)
 static VALUE
 ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 {
-    HMAC_CTX *ctx;
+    EVP_MD_CTX *ctx;
+    EVP_PKEY *pkey;
 
-    StringValue(key);
     GetHMAC(self, ctx);
-    HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
-		 ossl_evp_get_digestbyname(digest), NULL);
+    StringValue(key);
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+                                        (unsigned char *)RSTRING_PTR(key),
+                                        RSTRING_LENINT(key));
+    if (!pkey)
+        ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
+#else
+    pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
+                                (unsigned char *)RSTRING_PTR(key),
+                                RSTRING_LENINT(key));
+    if (!pkey)
+        ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
+#endif
+    if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
+                           NULL, pkey) != 1) {
+        EVP_PKEY_free(pkey);
+        ossl_raise(eHMACError, "EVP_DigestSignInit");
+    }
+    /* Decrement reference counter; EVP_MD_CTX still keeps it */
+    EVP_PKEY_free(pkey);
 
     return self;
 }
@@ -108,16 +124,15 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 static VALUE
 ossl_hmac_copy(VALUE self, VALUE other)
 {
-    HMAC_CTX *ctx1, *ctx2;
+    EVP_MD_CTX *ctx1, *ctx2;
 
     rb_check_frozen(self);
     if (self == other) return self;
 
     GetHMAC(self, ctx1);
     GetHMAC(other, ctx2);
-
-    if (!HMAC_CTX_copy(ctx1, ctx2))
-	ossl_raise(eHMACError, "HMAC_CTX_copy");
+    if (EVP_MD_CTX_copy(ctx1, ctx2) != 1)
+        ossl_raise(eHMACError, "EVP_MD_CTX_copy");
     return self;
 }
 
@@ -142,33 +157,16 @@ ossl_hmac_copy(VALUE self, VALUE other)
 static VALUE
 ossl_hmac_update(VALUE self, VALUE data)
 {
-    HMAC_CTX *ctx;
+    EVP_MD_CTX *ctx;
 
     StringValue(data);
     GetHMAC(self, ctx);
-    HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
+    if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
+        ossl_raise(eHMACError, "EVP_DigestSignUpdate");
 
     return self;
 }
 
-static void
-hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
-{
-    HMAC_CTX *final;
-
-    final = HMAC_CTX_new();
-    if (!final)
-	ossl_raise(eHMACError, "HMAC_CTX_new");
-
-    if (!HMAC_CTX_copy(final, ctx)) {
-	HMAC_CTX_free(final);
-	ossl_raise(eHMACError, "HMAC_CTX_copy");
-    }
-
-    HMAC_Final(final, buf, buf_len);
-    HMAC_CTX_free(final);
-}
-
 /*
  *  call-seq:
  *     hmac.digest -> string
@@ -176,7 +174,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
  * Returns the authentication code an instance represents as a binary string.
  *
  * === Example
- *  instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ *  instance = OpenSSL::HMAC.new('key', 'SHA1')
  *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *  instance.digest
  *  #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
@@ -184,15 +182,16 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
 static VALUE
 ossl_hmac_digest(VALUE self)
 {
-    HMAC_CTX *ctx;
-    unsigned int buf_len;
+    EVP_MD_CTX *ctx;
+    size_t buf_len = EVP_MAX_MD_SIZE;
     VALUE ret;
 
     GetHMAC(self, ctx);
     ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
-    hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
-    assert(buf_len <= EVP_MAX_MD_SIZE);
-    rb_str_set_len(ret, buf_len);
+    if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret),
+                            &buf_len) != 1)
+        ossl_raise(eHMACError, "EVP_DigestSignFinal");
+    rb_str_set_len(ret, (long)buf_len);
 
     return ret;
 }
@@ -207,13 +206,14 @@ ossl_hmac_digest(VALUE self)
 static VALUE
 ossl_hmac_hexdigest(VALUE self)
 {
-    HMAC_CTX *ctx;
+    EVP_MD_CTX *ctx;
     unsigned char buf[EVP_MAX_MD_SIZE];
-    unsigned int buf_len;
+    size_t buf_len = EVP_MAX_MD_SIZE;
     VALUE ret;
 
     GetHMAC(self, ctx);
-    hmac_final(ctx, buf, &buf_len);
+    if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1)
+        ossl_raise(eHMACError, "EVP_DigestSignFinal");
     ret = rb_str_new(NULL, buf_len * 2);
     ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
 
@@ -230,7 +230,7 @@ ossl_hmac_hexdigest(VALUE self)
  * === Example
  *
  *	data = "The quick brown fox jumps over the lazy dog"
- * 	instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ * 	instance = OpenSSL::HMAC.new('key', 'SHA1')
  * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *
  * 	instance.update(data)
@@ -242,84 +242,17 @@ ossl_hmac_hexdigest(VALUE self)
 static VALUE
 ossl_hmac_reset(VALUE self)
 {
-    HMAC_CTX *ctx;
+    EVP_MD_CTX *ctx;
+    EVP_PKEY *pkey;
 
     GetHMAC(self, ctx);
-    HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
+    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
+    if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
+        ossl_raise(eHMACError, "EVP_DigestSignInit");
 
     return self;
 }
 
-/*
- *  call-seq:
- *     HMAC.digest(digest, key, data) -> aString
- *
- * Returns the authentication code as a binary string. The _digest_ parameter
- * specifies the digest algorithm to use. This may be a String representing
- * the algorithm name or an instance of OpenSSL::Digest.
- *
- * === Example
- *
- *	key = 'key'
- * 	data = 'The quick brown fox jumps over the lazy dog'
- *
- * 	hmac = OpenSSL::HMAC.digest('sha1', key, data)
- * 	#=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
- *
- */
-static VALUE
-ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
-{
-    unsigned char *buf;
-    unsigned int buf_len;
-
-    StringValue(key);
-    StringValue(data);
-    buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
-	       RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
-	       RSTRING_LEN(data), NULL, &buf_len);
-
-    return rb_str_new((const char *)buf, buf_len);
-}
-
-/*
- *  call-seq:
- *     HMAC.hexdigest(digest, key, data) -> aString
- *
- * Returns the authentication code as a hex-encoded string. The _digest_
- * parameter specifies the digest algorithm to use. This may be a String
- * representing the algorithm name or an instance of OpenSSL::Digest.
- *
- * === Example
- *
- *	key = 'key'
- * 	data = 'The quick brown fox jumps over the lazy dog'
- *
- * 	hmac = OpenSSL::HMAC.hexdigest('sha1', key, data)
- * 	#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
- *
- */
-static VALUE
-ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
-{
-    unsigned char buf[EVP_MAX_MD_SIZE];
-    unsigned int buf_len;
-    VALUE ret;
-
-    StringValue(key);
-    StringValue(data);
-
-    if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
-	      RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
-	      RSTRING_LEN(data), buf, &buf_len))
-	ossl_raise(eHMACError, "HMAC");
-
-    ret = rb_str_new(NULL, buf_len * 2);
-    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
-
-    return ret;
-}
-
 /*
  * INIT
  */
@@ -350,11 +283,10 @@ Init_ossl_hmac(void)
      *
      * === HMAC-SHA256 using incremental interface
      *
-     *   data1 = File.read("file1")
-     *   data2 = File.read("file2")
+     *   data1 = File.binread("file1")
+     *   data2 = File.binread("file2")
      *   key = "key"
-     *   digest = OpenSSL::Digest.new('SHA256')
-     *   hmac = OpenSSL::HMAC.new(key, digest)
+     *   hmac = OpenSSL::HMAC.new(key, 'SHA256')
      *   hmac << data1
      *   hmac << data2
      *   mac = hmac.digest
@@ -364,8 +296,6 @@ Init_ossl_hmac(void)
     cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);
 
     rb_define_alloc_func(cHMAC, ossl_hmac_alloc);
-    rb_define_singleton_method(cHMAC, "digest", ossl_hmac_s_digest, 3);
-    rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3);
 
     rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2);
     rb_define_method(cHMAC, "initialize_copy", ossl_hmac_copy, 1);
@@ -378,12 +308,3 @@ Init_ossl_hmac(void)
     rb_define_alias(cHMAC, "inspect", "hexdigest");
     rb_define_alias(cHMAC, "to_s", "hexdigest");
 }
-
-#else /* NO_HMAC */
-#  warning >>> OpenSSL is compiled without HMAC support <<<
-void
-Init_ossl_hmac(void)
-{
-    rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
-}
-#endif /* NO_HMAC */

data/ext/openssl/ossl_kdf.c

@@ -3,7 +3,7 @@
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
  */
 #include "ossl.h"
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
 # include <openssl/kdf.h>
 #endif
 
@@ -21,7 +21,7 @@ static VALUE mKDF, eKDF;
  * (https://tools.ietf.org/html/rfc2898#section-5.2).
  *
  * === Parameters
- * pass       :: The passphrase.
+ * pass       :: The password.
  * salt       :: The salt. Salts prevent attacks based on dictionaries of common
  *               passwords and attacks based on rainbow tables. It is a public
  *               value that can be safely stored along with the password (e.g.
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
 /*
  * call-seq:
  *    KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -163,6 +163,14 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
  *   HashLen is the length of the hash function output in octets.
  * _hash_::
  *   The hash function.
+ *
+ * === Example
+ *   # The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1
+ *   ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
+ *   salt = ["000102030405060708090a0b0c"].pack("H*")
+ *   info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")
+ *   p OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: 42, hash: "SHA256").unpack1("H*")
+ *   # => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
  */
 static VALUE
 kdf_hkdf(int argc, VALUE *argv, VALUE self)
@@ -297,7 +305,7 @@ Init_ossl_kdf(void)
 #if defined(HAVE_EVP_PBE_SCRYPT)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
 #endif
 }

data/ext/openssl/ossl_ns_spki.c

@@ -50,7 +50,7 @@ static const rb_data_type_t ossl_netscape_spki_type = {
     {
 	0, ossl_netscape_spki_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static VALUE

data/ext/openssl/ossl_ocsp.c

@@ -86,7 +86,7 @@ static const rb_data_type_t ossl_ocsp_request_type = {
     {
 	0, ossl_ocsp_request_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static void
@@ -100,7 +100,7 @@ static const rb_data_type_t ossl_ocsp_response_type = {
     {
 	0, ossl_ocsp_response_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static void
@@ -114,7 +114,7 @@ static const rb_data_type_t ossl_ocsp_basicresp_type = {
     {
 	0, ossl_ocsp_basicresp_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static void
@@ -128,7 +128,7 @@ static const rb_data_type_t ossl_ocsp_singleresp_type = {
     {
 	0, ossl_ocsp_singleresp_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static void
@@ -142,7 +142,7 @@ static const rb_data_type_t ossl_ocsp_certid_type = {
     {
 	0, ossl_ocsp_certid_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 /*
@@ -157,7 +157,7 @@ ossl_ocspcertid_new(OCSP_CERTID *cid)
 }
 
 /*
- * OCSP::Resquest
+ * OCSP::Request
  */
 static VALUE
 ossl_ocspreq_alloc(VALUE klass)
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))
@@ -803,7 +803,7 @@ add_status_convert_time(VALUE obj)
  * revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
  * _revocation_time_ is the time when the certificate is revoked.
  *
- * _this_update_ and _next_update_ indicate the time at which ths status is
+ * _this_update_ and _next_update_ indicate the time at which the status is
  * verified to be correct and the time at or before which newer information
  * will be available, respectively. _next_update_ is optional.
  *
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))
@@ -1069,55 +1069,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
     x509st = GetX509StorePtr(store);
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     x509s = ossl_x509_ary2sk(certs);
-#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
-    /*
-     * OpenSSL had a bug that it doesn't use the certificates in x509s for
-     * verifying the chain. This can be a problem when the response is signed by
-     * a certificate issued by an intermediate CA.
-     *
-     *       root_ca
-     *         |
-     *   intermediate_ca
-     *         |-------------|
-     *     end_entity    ocsp_signer
-     *
-     * When the certificate hierarchy is like this, and the response contains
-     * only ocsp_signer certificate, the following code wrongly fails.
-     *
-     *   store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
-     *   basic_response.verify([intermediate_ca], store)
-     *
-     * So add the certificates in x509s to the embedded certificates list first.
-     *
-     * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
-     * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
-     */
-    if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
-	sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
-	int i;
-
-	bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
-	if (!bs) {
-	    sk_X509_pop_free(x509s, X509_free);
-	    ossl_raise(eOCSPError, "ASN1_item_dup");
-	}
-
-	for (i = 0; i < sk_X509_num(x509s); i++) {
-	    if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
-		sk_X509_pop_free(x509s, X509_free);
-		OCSP_BASICRESP_free(bs);
-		ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
-	    }
-	}
-	result = OCSP_basic_verify(bs, x509s, x509st, flg);
-	OCSP_BASICRESP_free(bs);
-    }
-    else {
-	result = OCSP_basic_verify(bs, x509s, x509st, flg);
-    }
-#else
     result = OCSP_basic_verify(bs, x509s, x509st, flg);
-#endif
     sk_X509_pop_free(x509s, X509_free);
     if (result <= 0)
 	ossl_clear_error();
@@ -1749,7 +1701,7 @@ Init_ossl_ocsp(void)
      *   require 'net/http'
      *
      *   http_response =
-     *     Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
+     *     Net::HTTP.start ocsp_uri.hostname, ocsp_uri.port do |http|
      *       http.post ocsp_uri.path, request.to_der,
      *                 'content-type' => 'application/ocsp-request'
      *   end
@@ -1787,7 +1739,7 @@ Init_ossl_ocsp(void)
      *   single_response = basic_response.find_response(certificate_id)
      *
      *   unless single_response
-     *     raise 'basic_response does not have the status for the certificiate'
+     *     raise 'basic_response does not have the status for the certificate'
      *   end
      *
      * Then check the validity. A status issued in the future must be rejected.

data/ext/openssl/ossl_pkcs12.c

@@ -44,7 +44,7 @@ static const rb_data_type_t ossl_pkcs12_type = {
     {
 	0, ossl_pkcs12_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static VALUE
@@ -149,6 +149,24 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
     return obj;
 }
 
+static VALUE
+ossl_pkey_new_i(VALUE arg)
+{
+    return ossl_pkey_new((EVP_PKEY *)arg);
+}
+
+static VALUE
+ossl_x509_new_i(VALUE arg)
+{
+    return ossl_x509_new((X509 *)arg);
+}
+
+static VALUE
+ossl_x509_sk2ary_i(VALUE arg)
+{
+    return ossl_x509_sk2ary((STACK_OF(X509) *)arg);
+}
+
 /*
  * call-seq:
  *    PKCS12.new -> pkcs12
@@ -186,15 +204,15 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
 	ossl_raise(ePKCS12Error, "PKCS12_parse");
     ERR_pop_to_mark();
     if (key) {
-	pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key, &st);
+	pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st);
 	if (st) goto err;
     }
     if (x509) {
-	cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
+	cert = rb_protect(ossl_x509_new_i, (VALUE)x509, &st);
 	if (st) goto err;
     }
     if (x509s) {
-	ca = rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
+	ca = rb_protect(ossl_x509_sk2ary_i, (VALUE)x509s, &st);
 	if (st) goto err;
     }