openssl 2.2.1 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +33 -45
  3. data/History.md +248 -1
  4. data/README.md +36 -19
  5. data/ext/openssl/extconf.rb +101 -68
  6. data/ext/openssl/openssl_missing.c +0 -66
  7. data/ext/openssl/openssl_missing.h +26 -45
  8. data/ext/openssl/ossl.c +128 -237
  9. data/ext/openssl/ossl.h +31 -12
  10. data/ext/openssl/ossl_asn1.c +26 -13
  11. data/ext/openssl/ossl_bn.c +213 -139
  12. data/ext/openssl/ossl_cipher.c +13 -14
  13. data/ext/openssl/ossl_config.c +412 -41
  14. data/ext/openssl/ossl_config.h +4 -7
  15. data/ext/openssl/ossl_digest.c +10 -10
  16. data/ext/openssl/ossl_engine.c +17 -16
  17. data/ext/openssl/ossl_hmac.c +57 -136
  18. data/ext/openssl/ossl_kdf.c +12 -4
  19. data/ext/openssl/ossl_ns_spki.c +1 -1
  20. data/ext/openssl/ossl_ocsp.c +11 -59
  21. data/ext/openssl/ossl_pkcs12.c +22 -4
  22. data/ext/openssl/ossl_pkcs7.c +45 -62
  23. data/ext/openssl/ossl_pkey.c +1320 -196
  24. data/ext/openssl/ossl_pkey.h +36 -73
  25. data/ext/openssl/ossl_pkey_dh.c +152 -347
  26. data/ext/openssl/ossl_pkey_dsa.c +157 -413
  27. data/ext/openssl/ossl_pkey_ec.c +227 -343
  28. data/ext/openssl/ossl_pkey_rsa.c +159 -491
  29. data/ext/openssl/ossl_provider.c +211 -0
  30. data/ext/openssl/ossl_provider.h +5 -0
  31. data/ext/openssl/ossl_ssl.c +530 -450
  32. data/ext/openssl/ossl_ssl_session.c +29 -30
  33. data/ext/openssl/ossl_ts.c +38 -23
  34. data/ext/openssl/ossl_x509.c +0 -6
  35. data/ext/openssl/ossl_x509attr.c +1 -1
  36. data/ext/openssl/ossl_x509cert.c +168 -12
  37. data/ext/openssl/ossl_x509crl.c +14 -11
  38. data/ext/openssl/ossl_x509ext.c +14 -9
  39. data/ext/openssl/ossl_x509name.c +10 -3
  40. data/ext/openssl/ossl_x509req.c +14 -11
  41. data/ext/openssl/ossl_x509revoked.c +4 -4
  42. data/ext/openssl/ossl_x509store.c +166 -75
  43. data/lib/openssl/buffering.rb +9 -3
  44. data/lib/openssl/digest.rb +1 -5
  45. data/lib/openssl/hmac.rb +65 -0
  46. data/lib/openssl/pkey.rb +429 -0
  47. data/lib/openssl/ssl.rb +22 -17
  48. data/lib/openssl/version.rb +1 -1
  49. data/lib/openssl/x509.rb +22 -0
  50. data/lib/openssl.rb +0 -1
  51. metadata +10 -79
  52. data/ext/openssl/ruby_missing.h +0 -24
  53. data/lib/openssl/config.rb +0 -501
@@ -7,14 +7,12 @@
7
7
  * This program is licensed under the same licence as Ruby.
8
8
  * (See the file 'LICENCE'.)
9
9
  */
10
- #if !defined(OPENSSL_NO_HMAC)
11
-
12
10
  #include "ossl.h"
13
11
 
14
12
  #define NewHMAC(klass) \
15
13
  TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0)
16
14
  #define GetHMAC(obj, ctx) do { \
17
- TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
15
+ TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_hmac_type, (ctx)); \
18
16
  if (!(ctx)) { \
19
17
  ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
20
18
  } \
@@ -36,7 +34,7 @@ VALUE eHMACError;
36
34
  static void
37
35
  ossl_hmac_free(void *ctx)
38
36
  {
39
- HMAC_CTX_free(ctx);
37
+ EVP_MD_CTX_free(ctx);
40
38
  }
41
39
 
42
40
  static const rb_data_type_t ossl_hmac_type = {
@@ -44,19 +42,19 @@ static const rb_data_type_t ossl_hmac_type = {
44
42
  {
45
43
  0, ossl_hmac_free,
46
44
  },
47
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
45
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
48
46
  };
49
47
 
50
48
  static VALUE
51
49
  ossl_hmac_alloc(VALUE klass)
52
50
  {
53
51
  VALUE obj;
54
- HMAC_CTX *ctx;
52
+ EVP_MD_CTX *ctx;
55
53
 
56
54
  obj = NewHMAC(klass);
57
- ctx = HMAC_CTX_new();
55
+ ctx = EVP_MD_CTX_new();
58
56
  if (!ctx)
59
- ossl_raise(eHMACError, NULL);
57
+ ossl_raise(eHMACError, "EVP_MD_CTX");
60
58
  RTYPEDDATA_DATA(obj) = ctx;
61
59
 
62
60
  return obj;
@@ -76,8 +74,7 @@ ossl_hmac_alloc(VALUE klass)
76
74
  * === Example
77
75
  *
78
76
  * key = 'key'
79
- * digest = OpenSSL::Digest.new('sha1')
80
- * instance = OpenSSL::HMAC.new(key, digest)
77
+ * instance = OpenSSL::HMAC.new(key, 'SHA1')
81
78
  * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
82
79
  * instance.class
83
80
  * #=> OpenSSL::HMAC
@@ -86,7 +83,7 @@ ossl_hmac_alloc(VALUE klass)
86
83
  *
87
84
  * Two instances can be securely compared with #== in constant time:
88
85
  *
89
- * other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
86
+ * other_instance = OpenSSL::HMAC.new('key', 'SHA1')
90
87
  * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
91
88
  * instance == other_instance
92
89
  * #=> true
@@ -95,12 +92,31 @@ ossl_hmac_alloc(VALUE klass)
95
92
  static VALUE
96
93
  ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
97
94
  {
98
- HMAC_CTX *ctx;
95
+ EVP_MD_CTX *ctx;
96
+ EVP_PKEY *pkey;
99
97
 
100
- StringValue(key);
101
98
  GetHMAC(self, ctx);
102
- HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
103
- ossl_evp_get_digestbyname(digest), NULL);
99
+ StringValue(key);
100
+ #ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
101
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
102
+ (unsigned char *)RSTRING_PTR(key),
103
+ RSTRING_LENINT(key));
104
+ if (!pkey)
105
+ ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
106
+ #else
107
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
108
+ (unsigned char *)RSTRING_PTR(key),
109
+ RSTRING_LENINT(key));
110
+ if (!pkey)
111
+ ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
112
+ #endif
113
+ if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
114
+ NULL, pkey) != 1) {
115
+ EVP_PKEY_free(pkey);
116
+ ossl_raise(eHMACError, "EVP_DigestSignInit");
117
+ }
118
+ /* Decrement reference counter; EVP_MD_CTX still keeps it */
119
+ EVP_PKEY_free(pkey);
104
120
 
105
121
  return self;
106
122
  }
@@ -108,16 +124,15 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
108
124
  static VALUE
109
125
  ossl_hmac_copy(VALUE self, VALUE other)
110
126
  {
111
- HMAC_CTX *ctx1, *ctx2;
127
+ EVP_MD_CTX *ctx1, *ctx2;
112
128
 
113
129
  rb_check_frozen(self);
114
130
  if (self == other) return self;
115
131
 
116
132
  GetHMAC(self, ctx1);
117
133
  GetHMAC(other, ctx2);
118
-
119
- if (!HMAC_CTX_copy(ctx1, ctx2))
120
- ossl_raise(eHMACError, "HMAC_CTX_copy");
134
+ if (EVP_MD_CTX_copy(ctx1, ctx2) != 1)
135
+ ossl_raise(eHMACError, "EVP_MD_CTX_copy");
121
136
  return self;
122
137
  }
123
138
 
@@ -142,33 +157,16 @@ ossl_hmac_copy(VALUE self, VALUE other)
142
157
  static VALUE
143
158
  ossl_hmac_update(VALUE self, VALUE data)
144
159
  {
145
- HMAC_CTX *ctx;
160
+ EVP_MD_CTX *ctx;
146
161
 
147
162
  StringValue(data);
148
163
  GetHMAC(self, ctx);
149
- HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
164
+ if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
165
+ ossl_raise(eHMACError, "EVP_DigestSignUpdate");
150
166
 
151
167
  return self;
152
168
  }
153
169
 
154
- static void
155
- hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
156
- {
157
- HMAC_CTX *final;
158
-
159
- final = HMAC_CTX_new();
160
- if (!final)
161
- ossl_raise(eHMACError, "HMAC_CTX_new");
162
-
163
- if (!HMAC_CTX_copy(final, ctx)) {
164
- HMAC_CTX_free(final);
165
- ossl_raise(eHMACError, "HMAC_CTX_copy");
166
- }
167
-
168
- HMAC_Final(final, buf, buf_len);
169
- HMAC_CTX_free(final);
170
- }
171
-
172
170
  /*
173
171
  * call-seq:
174
172
  * hmac.digest -> string
@@ -176,7 +174,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
176
174
  * Returns the authentication code an instance represents as a binary string.
177
175
  *
178
176
  * === Example
179
- * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
177
+ * instance = OpenSSL::HMAC.new('key', 'SHA1')
180
178
  * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
181
179
  * instance.digest
182
180
  * #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
@@ -184,15 +182,16 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
184
182
  static VALUE
185
183
  ossl_hmac_digest(VALUE self)
186
184
  {
187
- HMAC_CTX *ctx;
188
- unsigned int buf_len;
185
+ EVP_MD_CTX *ctx;
186
+ size_t buf_len = EVP_MAX_MD_SIZE;
189
187
  VALUE ret;
190
188
 
191
189
  GetHMAC(self, ctx);
192
190
  ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
193
- hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
194
- assert(buf_len <= EVP_MAX_MD_SIZE);
195
- rb_str_set_len(ret, buf_len);
191
+ if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret),
192
+ &buf_len) != 1)
193
+ ossl_raise(eHMACError, "EVP_DigestSignFinal");
194
+ rb_str_set_len(ret, (long)buf_len);
196
195
 
197
196
  return ret;
198
197
  }
@@ -207,13 +206,14 @@ ossl_hmac_digest(VALUE self)
207
206
  static VALUE
208
207
  ossl_hmac_hexdigest(VALUE self)
209
208
  {
210
- HMAC_CTX *ctx;
209
+ EVP_MD_CTX *ctx;
211
210
  unsigned char buf[EVP_MAX_MD_SIZE];
212
- unsigned int buf_len;
211
+ size_t buf_len = EVP_MAX_MD_SIZE;
213
212
  VALUE ret;
214
213
 
215
214
  GetHMAC(self, ctx);
216
- hmac_final(ctx, buf, &buf_len);
215
+ if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1)
216
+ ossl_raise(eHMACError, "EVP_DigestSignFinal");
217
217
  ret = rb_str_new(NULL, buf_len * 2);
218
218
  ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
219
219
 
@@ -230,7 +230,7 @@ ossl_hmac_hexdigest(VALUE self)
230
230
  * === Example
231
231
  *
232
232
  * data = "The quick brown fox jumps over the lazy dog"
233
- * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
233
+ * instance = OpenSSL::HMAC.new('key', 'SHA1')
234
234
  * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
235
235
  *
236
236
  * instance.update(data)
@@ -242,84 +242,17 @@ ossl_hmac_hexdigest(VALUE self)
242
242
  static VALUE
243
243
  ossl_hmac_reset(VALUE self)
244
244
  {
245
- HMAC_CTX *ctx;
245
+ EVP_MD_CTX *ctx;
246
+ EVP_PKEY *pkey;
246
247
 
247
248
  GetHMAC(self, ctx);
248
- HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
249
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
250
+ if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
251
+ ossl_raise(eHMACError, "EVP_DigestSignInit");
249
252
 
250
253
  return self;
251
254
  }
252
255
 
253
- /*
254
- * call-seq:
255
- * HMAC.digest(digest, key, data) -> aString
256
- *
257
- * Returns the authentication code as a binary string. The _digest_ parameter
258
- * specifies the digest algorithm to use. This may be a String representing
259
- * the algorithm name or an instance of OpenSSL::Digest.
260
- *
261
- * === Example
262
- *
263
- * key = 'key'
264
- * data = 'The quick brown fox jumps over the lazy dog'
265
- *
266
- * hmac = OpenSSL::HMAC.digest('sha1', key, data)
267
- * #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
268
- *
269
- */
270
- static VALUE
271
- ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
272
- {
273
- unsigned char *buf;
274
- unsigned int buf_len;
275
-
276
- StringValue(key);
277
- StringValue(data);
278
- buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
279
- RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
280
- RSTRING_LEN(data), NULL, &buf_len);
281
-
282
- return rb_str_new((const char *)buf, buf_len);
283
- }
284
-
285
- /*
286
- * call-seq:
287
- * HMAC.hexdigest(digest, key, data) -> aString
288
- *
289
- * Returns the authentication code as a hex-encoded string. The _digest_
290
- * parameter specifies the digest algorithm to use. This may be a String
291
- * representing the algorithm name or an instance of OpenSSL::Digest.
292
- *
293
- * === Example
294
- *
295
- * key = 'key'
296
- * data = 'The quick brown fox jumps over the lazy dog'
297
- *
298
- * hmac = OpenSSL::HMAC.hexdigest('sha1', key, data)
299
- * #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
300
- *
301
- */
302
- static VALUE
303
- ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
304
- {
305
- unsigned char buf[EVP_MAX_MD_SIZE];
306
- unsigned int buf_len;
307
- VALUE ret;
308
-
309
- StringValue(key);
310
- StringValue(data);
311
-
312
- if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
313
- RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
314
- RSTRING_LEN(data), buf, &buf_len))
315
- ossl_raise(eHMACError, "HMAC");
316
-
317
- ret = rb_str_new(NULL, buf_len * 2);
318
- ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
319
-
320
- return ret;
321
- }
322
-
323
256
  /*
324
257
  * INIT
325
258
  */
@@ -350,11 +283,10 @@ Init_ossl_hmac(void)
350
283
  *
351
284
  * === HMAC-SHA256 using incremental interface
352
285
  *
353
- * data1 = File.read("file1")
354
- * data2 = File.read("file2")
286
+ * data1 = File.binread("file1")
287
+ * data2 = File.binread("file2")
355
288
  * key = "key"
356
- * digest = OpenSSL::Digest.new('SHA256')
357
- * hmac = OpenSSL::HMAC.new(key, digest)
289
+ * hmac = OpenSSL::HMAC.new(key, 'SHA256')
358
290
  * hmac << data1
359
291
  * hmac << data2
360
292
  * mac = hmac.digest
@@ -364,8 +296,6 @@ Init_ossl_hmac(void)
364
296
  cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);
365
297
 
366
298
  rb_define_alloc_func(cHMAC, ossl_hmac_alloc);
367
- rb_define_singleton_method(cHMAC, "digest", ossl_hmac_s_digest, 3);
368
- rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3);
369
299
 
370
300
  rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2);
371
301
  rb_define_method(cHMAC, "initialize_copy", ossl_hmac_copy, 1);
@@ -378,12 +308,3 @@ Init_ossl_hmac(void)
378
308
  rb_define_alias(cHMAC, "inspect", "hexdigest");
379
309
  rb_define_alias(cHMAC, "to_s", "hexdigest");
380
310
  }
381
-
382
- #else /* NO_HMAC */
383
- # warning >>> OpenSSL is compiled without HMAC support <<<
384
- void
385
- Init_ossl_hmac(void)
386
- {
387
- rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
388
- }
389
- #endif /* NO_HMAC */
@@ -3,7 +3,7 @@
3
3
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
4
4
  */
5
5
  #include "ossl.h"
6
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
6
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
7
7
  # include <openssl/kdf.h>
8
8
  #endif
9
9
 
@@ -21,7 +21,7 @@ static VALUE mKDF, eKDF;
21
21
  * (https://tools.ietf.org/html/rfc2898#section-5.2).
22
22
  *
23
23
  * === Parameters
24
- * pass :: The passphrase.
24
+ * pass :: The password.
25
25
  * salt :: The salt. Salts prevent attacks based on dictionaries of common
26
26
  * passwords and attacks based on rainbow tables. It is a public
27
27
  * value that can be safely stored along with the password (e.g.
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
141
141
  }
142
142
  #endif
143
143
 
144
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
144
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
145
145
  /*
146
146
  * call-seq:
147
147
  * KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -163,6 +163,14 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
163
163
  * HashLen is the length of the hash function output in octets.
164
164
  * _hash_::
165
165
  * The hash function.
166
+ *
167
+ * === Example
168
+ * # The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1
169
+ * ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
170
+ * salt = ["000102030405060708090a0b0c"].pack("H*")
171
+ * info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")
172
+ * p OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: 42, hash: "SHA256").unpack1("H*")
173
+ * # => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
166
174
  */
167
175
  static VALUE
168
176
  kdf_hkdf(int argc, VALUE *argv, VALUE self)
@@ -297,7 +305,7 @@ Init_ossl_kdf(void)
297
305
  #if defined(HAVE_EVP_PBE_SCRYPT)
298
306
  rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
299
307
  #endif
300
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
308
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
301
309
  rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
302
310
  #endif
303
311
  }
@@ -50,7 +50,7 @@ static const rb_data_type_t ossl_netscape_spki_type = {
50
50
  {
51
51
  0, ossl_netscape_spki_free,
52
52
  },
53
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
53
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
54
54
  };
55
55
 
56
56
  static VALUE
@@ -86,7 +86,7 @@ static const rb_data_type_t ossl_ocsp_request_type = {
86
86
  {
87
87
  0, ossl_ocsp_request_free,
88
88
  },
89
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
89
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
90
90
  };
91
91
 
92
92
  static void
@@ -100,7 +100,7 @@ static const rb_data_type_t ossl_ocsp_response_type = {
100
100
  {
101
101
  0, ossl_ocsp_response_free,
102
102
  },
103
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
103
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
104
104
  };
105
105
 
106
106
  static void
@@ -114,7 +114,7 @@ static const rb_data_type_t ossl_ocsp_basicresp_type = {
114
114
  {
115
115
  0, ossl_ocsp_basicresp_free,
116
116
  },
117
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
117
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
118
118
  };
119
119
 
120
120
  static void
@@ -128,7 +128,7 @@ static const rb_data_type_t ossl_ocsp_singleresp_type = {
128
128
  {
129
129
  0, ossl_ocsp_singleresp_free,
130
130
  },
131
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
131
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
132
132
  };
133
133
 
134
134
  static void
@@ -142,7 +142,7 @@ static const rb_data_type_t ossl_ocsp_certid_type = {
142
142
  {
143
143
  0, ossl_ocsp_certid_free,
144
144
  },
145
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
145
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
146
146
  };
147
147
 
148
148
  /*
@@ -157,7 +157,7 @@ ossl_ocspcertid_new(OCSP_CERTID *cid)
157
157
  }
158
158
 
159
159
  /*
160
- * OCSP::Resquest
160
+ * OCSP::Request
161
161
  */
162
162
  static VALUE
163
163
  ossl_ocspreq_alloc(VALUE klass)
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
382
382
  if (!NIL_P(flags))
383
383
  flg = NUM2INT(flags);
384
384
  if (NIL_P(digest))
385
- md = EVP_sha1();
385
+ md = NULL;
386
386
  else
387
387
  md = ossl_evp_get_digestbyname(digest);
388
388
  if (NIL_P(certs))
@@ -803,7 +803,7 @@ add_status_convert_time(VALUE obj)
803
803
  * revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
804
804
  * _revocation_time_ is the time when the certificate is revoked.
805
805
  *
806
- * _this_update_ and _next_update_ indicate the time at which ths status is
806
+ * _this_update_ and _next_update_ indicate the time at which the status is
807
807
  * verified to be correct and the time at or before which newer information
808
808
  * will be available, respectively. _next_update_ is optional.
809
809
  *
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
1033
1033
  if (!NIL_P(flags))
1034
1034
  flg = NUM2INT(flags);
1035
1035
  if (NIL_P(digest))
1036
- md = EVP_sha1();
1036
+ md = NULL;
1037
1037
  else
1038
1038
  md = ossl_evp_get_digestbyname(digest);
1039
1039
  if (NIL_P(certs))
@@ -1069,55 +1069,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
1069
1069
  x509st = GetX509StorePtr(store);
1070
1070
  flg = NIL_P(flags) ? 0 : NUM2INT(flags);
1071
1071
  x509s = ossl_x509_ary2sk(certs);
1072
- #if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
1073
- /*
1074
- * OpenSSL had a bug that it doesn't use the certificates in x509s for
1075
- * verifying the chain. This can be a problem when the response is signed by
1076
- * a certificate issued by an intermediate CA.
1077
- *
1078
- * root_ca
1079
- * |
1080
- * intermediate_ca
1081
- * |-------------|
1082
- * end_entity ocsp_signer
1083
- *
1084
- * When the certificate hierarchy is like this, and the response contains
1085
- * only ocsp_signer certificate, the following code wrongly fails.
1086
- *
1087
- * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
1088
- * basic_response.verify([intermediate_ca], store)
1089
- *
1090
- * So add the certificates in x509s to the embedded certificates list first.
1091
- *
1092
- * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
1093
- * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
1094
- */
1095
- if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
1096
- sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
1097
- int i;
1098
-
1099
- bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
1100
- if (!bs) {
1101
- sk_X509_pop_free(x509s, X509_free);
1102
- ossl_raise(eOCSPError, "ASN1_item_dup");
1103
- }
1104
-
1105
- for (i = 0; i < sk_X509_num(x509s); i++) {
1106
- if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
1107
- sk_X509_pop_free(x509s, X509_free);
1108
- OCSP_BASICRESP_free(bs);
1109
- ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
1110
- }
1111
- }
1112
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
1113
- OCSP_BASICRESP_free(bs);
1114
- }
1115
- else {
1116
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
1117
- }
1118
- #else
1119
1072
  result = OCSP_basic_verify(bs, x509s, x509st, flg);
1120
- #endif
1121
1073
  sk_X509_pop_free(x509s, X509_free);
1122
1074
  if (result <= 0)
1123
1075
  ossl_clear_error();
@@ -1749,7 +1701,7 @@ Init_ossl_ocsp(void)
1749
1701
  * require 'net/http'
1750
1702
  *
1751
1703
  * http_response =
1752
- * Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
1704
+ * Net::HTTP.start ocsp_uri.hostname, ocsp_uri.port do |http|
1753
1705
  * http.post ocsp_uri.path, request.to_der,
1754
1706
  * 'content-type' => 'application/ocsp-request'
1755
1707
  * end
@@ -1787,7 +1739,7 @@ Init_ossl_ocsp(void)
1787
1739
  * single_response = basic_response.find_response(certificate_id)
1788
1740
  *
1789
1741
  * unless single_response
1790
- * raise 'basic_response does not have the status for the certificiate'
1742
+ * raise 'basic_response does not have the status for the certificate'
1791
1743
  * end
1792
1744
  *
1793
1745
  * Then check the validity. A status issued in the future must be rejected.
@@ -44,7 +44,7 @@ static const rb_data_type_t ossl_pkcs12_type = {
44
44
  {
45
45
  0, ossl_pkcs12_free,
46
46
  },
47
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
47
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
48
48
  };
49
49
 
50
50
  static VALUE
@@ -149,6 +149,24 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
149
149
  return obj;
150
150
  }
151
151
 
152
+ static VALUE
153
+ ossl_pkey_new_i(VALUE arg)
154
+ {
155
+ return ossl_pkey_new((EVP_PKEY *)arg);
156
+ }
157
+
158
+ static VALUE
159
+ ossl_x509_new_i(VALUE arg)
160
+ {
161
+ return ossl_x509_new((X509 *)arg);
162
+ }
163
+
164
+ static VALUE
165
+ ossl_x509_sk2ary_i(VALUE arg)
166
+ {
167
+ return ossl_x509_sk2ary((STACK_OF(X509) *)arg);
168
+ }
169
+
152
170
  /*
153
171
  * call-seq:
154
172
  * PKCS12.new -> pkcs12
@@ -186,15 +204,15 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
186
204
  ossl_raise(ePKCS12Error, "PKCS12_parse");
187
205
  ERR_pop_to_mark();
188
206
  if (key) {
189
- pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key, &st);
207
+ pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st);
190
208
  if (st) goto err;
191
209
  }
192
210
  if (x509) {
193
- cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
211
+ cert = rb_protect(ossl_x509_new_i, (VALUE)x509, &st);
194
212
  if (st) goto err;
195
213
  }
196
214
  if (x509s) {
197
- ca = rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
215
+ ca = rb_protect(ossl_x509_sk2ary_i, (VALUE)x509s, &st);
198
216
  if (st) goto err;
199
217
  }
200
218