openssl 3.1.0 → 3.2.0

data/ext/openssl/ossl_pkey_ec.c

@@ -400,13 +400,61 @@ static VALUE ossl_ec_key_is_private(VALUE self)
 
 /*
  *  call-seq:
- *     key.export([cipher, pass_phrase]) => String
- *     key.to_pem([cipher, pass_phrase]) => String
+ *     key.export([cipher, password]) => String
+ *     key.to_pem([cipher, password]) => String
  *
- * Outputs the EC key in PEM encoding.  If _cipher_ and _pass_phrase_ are given
- * they will be used to encrypt the key.  _cipher_ must be an OpenSSL::Cipher
- * instance. Note that encryption will only be effective for a private key,
- * public keys will always be encoded in plain text.
+ * Serializes a private or public key to a PEM-encoding.
+ *
+ * [When the key contains public components only]
+ *
+ *   Serializes it into an X.509 SubjectPublicKeyInfo.
+ *   The parameters _cipher_ and _password_ are ignored.
+ *
+ *   A PEM-encoded key will look like:
+ *
+ *     -----BEGIN PUBLIC KEY-----
+ *     [...]
+ *     -----END PUBLIC KEY-----
+ *
+ *   Consider using #public_to_pem instead. This serializes the key into an
+ *   X.509 SubjectPublicKeyInfo regardless of whether it is a public key
+ *   or a private key.
+ *
+ * [When the key contains private components, and no parameters are given]
+ *
+ *   Serializes it into a SEC 1/RFC 5915 ECPrivateKey.
+ *
+ *   A PEM-encoded key will look like:
+ *
+ *     -----BEGIN EC PRIVATE KEY-----
+ *     [...]
+ *     -----END EC PRIVATE KEY-----
+ *
+ * [When the key contains private components, and _cipher_ and _password_ are given]
+ *
+ *   Serializes it into a SEC 1/RFC 5915 ECPrivateKey
+ *   and encrypts it in OpenSSL's traditional PEM encryption format.
+ *   _cipher_ must be a cipher name understood by OpenSSL::Cipher.new or an
+ *   instance of OpenSSL::Cipher.
+ *
+ *   An encrypted PEM-encoded key will look like:
+ *
+ *     -----BEGIN EC PRIVATE KEY-----
+ *     Proc-Type: 4,ENCRYPTED
+ *     DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+ *
+ *     [...]
+ *     -----END EC PRIVATE KEY-----
+ *
+ *   Note that this format uses MD5 to derive the encryption key, and hence
+ *   will not be available on FIPS-compliant systems.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the SEC 1/RFC 5915 ECPrivateKey format is
+ * required.
+ *
+ * Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
+ * (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
  */
 static VALUE
 ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
@@ -426,7 +474,15 @@ ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
  *  call-seq:
  *     key.to_der   => String
  *
- *  See the OpenSSL documentation for i2d_ECPrivateKey_bio()
+ * Serializes a private or public key to a DER-encoding.
+ *
+ * See #to_pem for details.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the SEC 1/RFC 5915 ECPrivateKey format is
+ * required.
+ *
+ * Consider using #public_to_der or #private_to_der instead.
  */
 static VALUE
 ossl_ec_key_to_der(VALUE self)
@@ -483,7 +539,7 @@ static VALUE ossl_ec_key_check_key(VALUE self)
 #ifdef HAVE_EVP_PKEY_CHECK
     EVP_PKEY *pkey;
     EVP_PKEY_CTX *pctx;
-    EC_KEY *ec;
+    const EC_KEY *ec;
 
     GetPKey(self, pkey);
     GetEC(self, ec);
@@ -530,7 +586,7 @@ static const rb_data_type_t ossl_ec_group_type = {
     {
 	0, ossl_ec_group_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static VALUE
@@ -1115,7 +1171,7 @@ static const rb_data_type_t ossl_ec_point_type = {
     {
 	0, ossl_ec_point_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 static VALUE

data/ext/openssl/ossl_pkey_rsa.c

@@ -50,8 +50,8 @@ VALUE eRSAError;
 /*
  * call-seq:
  *   RSA.new -> rsa
- *   RSA.new(encoded_key [, passphrase]) -> rsa
- *   RSA.new(encoded_key) { passphrase } -> rsa
+ *   RSA.new(encoded_key [, password ]) -> rsa
+ *   RSA.new(encoded_key) { password } -> rsa
  *   RSA.new(size [, exponent]) -> rsa
  *
  * Generates or loads an \RSA keypair.
@@ -61,9 +61,9 @@ VALUE eRSAError;
  * #set_crt_params.
  *
  * If called with a String, tries to parse as DER or PEM encoding of an \RSA key.
- * Note that, if _passphrase_ is not specified but the key is encrypted with a
- * passphrase, \OpenSSL will prompt for it.
- * See also OpenSSL::PKey.read which can parse keys of any kinds.
+ * Note that if _password_ is not specified, but the key is encrypted with a
+ * password, \OpenSSL will prompt for it.
+ * See also OpenSSL::PKey.read which can parse keys of any kind.
  *
  * If called with a number, generates a new key pair. This form works as an
  * alias of RSA.generate.
@@ -71,7 +71,7 @@ VALUE eRSAError;
  * Examples:
  *   OpenSSL::PKey::RSA.new 2048
  *   OpenSSL::PKey::RSA.new File.read 'rsa.pem'
- *   OpenSSL::PKey::RSA.new File.read('rsa.pem'), 'my pass phrase'
+ *   OpenSSL::PKey::RSA.new File.read('rsa.pem'), 'my password'
  */
 static VALUE
 ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
@@ -217,13 +217,61 @@ can_export_rsaprivatekey(VALUE self)
 
 /*
  * call-seq:
- *   rsa.export([cipher, pass_phrase]) => PEM-format String
- *   rsa.to_pem([cipher, pass_phrase]) => PEM-format String
- *   rsa.to_s([cipher, pass_phrase]) => PEM-format String
+ *   rsa.export([cipher, password]) => PEM-format String
+ *   rsa.to_pem([cipher, password]) => PEM-format String
+ *   rsa.to_s([cipher, password]) => PEM-format String
  *
- * Outputs this keypair in PEM encoding.  If _cipher_ and _pass_phrase_ are
- * given they will be used to encrypt the key.  _cipher_ must be an
- * OpenSSL::Cipher instance.
+ * Serializes a private or public key to a PEM-encoding.
+ *
+ * [When the key contains public components only]
+ *
+ *   Serializes it into an X.509 SubjectPublicKeyInfo.
+ *   The parameters _cipher_ and _password_ are ignored.
+ *
+ *   A PEM-encoded key will look like:
+ *
+ *     -----BEGIN PUBLIC KEY-----
+ *     [...]
+ *     -----END PUBLIC KEY-----
+ *
+ *   Consider using #public_to_pem instead. This serializes the key into an
+ *   X.509 SubjectPublicKeyInfo regardless of whether the key is a public key
+ *   or a private key.
+ *
+ * [When the key contains private components, and no parameters are given]
+ *
+ *   Serializes it into a PKCS #1 RSAPrivateKey.
+ *
+ *   A PEM-encoded key will look like:
+ *
+ *     -----BEGIN RSA PRIVATE KEY-----
+ *     [...]
+ *     -----END RSA PRIVATE KEY-----
+ *
+ * [When the key contains private components, and _cipher_ and _password_ are given]
+ *
+ *   Serializes it into a PKCS #1 RSAPrivateKey
+ *   and encrypts it in OpenSSL's traditional PEM encryption format.
+ *   _cipher_ must be a cipher name understood by OpenSSL::Cipher.new or an
+ *   instance of OpenSSL::Cipher.
+ *
+ *   An encrypted PEM-encoded key will look like:
+ *
+ *     -----BEGIN RSA PRIVATE KEY-----
+ *     Proc-Type: 4,ENCRYPTED
+ *     DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+ *
+ *     [...]
+ *     -----END RSA PRIVATE KEY-----
+ *
+ *   Note that this format uses MD5 to derive the encryption key, and hence
+ *   will not be available on FIPS-compliant systems.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the PKCS #1 RSAPrivateKey format is required.
+ *
+ * Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
+ * (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
  */
 static VALUE
 ossl_rsa_export(int argc, VALUE *argv, VALUE self)
@@ -238,7 +286,14 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self)
  * call-seq:
  *   rsa.to_der => DER-format String
  *
- * Outputs this keypair in DER encoding.
+ * Serializes a private or public key to a DER-encoding.
+ *
+ * See #to_pem for details.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the PKCS #1 RSAPrivateKey format is required.
+ *
+ * Consider using #public_to_der or #private_to_der instead.
  */
 static VALUE
 ossl_rsa_to_der(VALUE self)

data/ext/openssl/ossl_provider.c

@@ -0,0 +1,211 @@
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+#ifdef OSSL_USE_PROVIDER
+# include <openssl/provider.h>
+
+#define NewProvider(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_provider_type, 0)
+#define SetProvider(obj, provider) do { \
+    if (!(provider)) { \
+        ossl_raise(rb_eRuntimeError, "Provider wasn't initialized."); \
+    } \
+    RTYPEDDATA_DATA(obj) = (provider); \
+} while(0)
+#define GetProvider(obj, provider) do { \
+    TypedData_Get_Struct((obj), OSSL_PROVIDER, &ossl_provider_type, (provider)); \
+    if (!(provider)) { \
+        ossl_raise(rb_eRuntimeError, "PROVIDER wasn't initialized."); \
+    } \
+} while (0)
+
+static const rb_data_type_t ossl_provider_type = {
+    "OpenSSL/Provider",
+    {
+        0,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+};
+
+/*
+ * Classes
+ */
+/* Document-class: OpenSSL::Provider
+ *
+ * This class is the access to openssl's Provider
+ * See also, https://www.openssl.org/docs/manmaster/man7/provider.html
+ */
+static VALUE cProvider;
+/* Document-class: OpenSSL::Provider::ProviderError
+ *
+ * This is the generic exception for OpenSSL::Provider related errors
+ */
+static VALUE eProviderError;
+
+/*
+ * call-seq:
+ *    OpenSSL::Provider.load(name) -> provider
+ *
+ * This method loads and initializes a provider
+ */
+static VALUE
+ossl_provider_s_load(VALUE klass, VALUE name)
+{
+    OSSL_PROVIDER *provider = NULL;
+    VALUE obj;
+
+    const char *provider_name_ptr = StringValueCStr(name);
+
+    provider = OSSL_PROVIDER_load(NULL, provider_name_ptr);
+    if (provider == NULL) {
+        ossl_raise(eProviderError, "Failed to load %s provider", provider_name_ptr);
+    }
+    obj = NewProvider(klass);
+    SetProvider(obj, provider);
+
+    return obj;
+}
+
+struct ary_with_state { VALUE ary; int state; };
+struct rb_push_provider_name_args { OSSL_PROVIDER *prov; VALUE ary; };
+
+static VALUE
+rb_push_provider_name(VALUE rb_push_provider_name_args)
+{
+    struct rb_push_provider_name_args *args = (struct rb_push_provider_name_args *)rb_push_provider_name_args;
+
+    VALUE name = rb_str_new2(OSSL_PROVIDER_get0_name(args->prov));
+    return rb_ary_push(args->ary, name);
+}
+
+static int
+push_provider(OSSL_PROVIDER *prov, void *cbdata)
+{
+    struct ary_with_state *ary_with_state = (struct ary_with_state *)cbdata;
+    struct rb_push_provider_name_args args = { prov, ary_with_state->ary };
+
+    rb_protect(rb_push_provider_name, (VALUE)&args, &ary_with_state->state);
+    if (ary_with_state->state) {
+        return 0;
+    } else {
+        return 1;
+    }
+}
+
+/*
+ * call-seq:
+ *    OpenSSL::Provider.provider_names -> [provider_name, ...]
+ *
+ * Returns an array of currently loaded provider names.
+ */
+static VALUE
+ossl_provider_s_provider_names(VALUE klass)
+{
+    VALUE ary = rb_ary_new();
+    struct ary_with_state cbdata = { ary, 0 };
+
+    int result = OSSL_PROVIDER_do_all(NULL, &push_provider, (void*)&cbdata);
+    if (result != 1 ) {
+        if (cbdata.state) {
+            rb_jump_tag(cbdata.state);
+        } else {
+            ossl_raise(eProviderError, "Failed to load provider names");
+        }
+    }
+
+    return ary;
+}
+
+/*
+ * call-seq:
+ *    provider.unload -> true
+ *
+ * This method unloads this provider.
+ *
+ * if provider unload fails or already unloaded, it raises OpenSSL::Provider::ProviderError
+ */
+static VALUE
+ossl_provider_unload(VALUE self)
+{
+    OSSL_PROVIDER *prov;
+    if (RTYPEDDATA_DATA(self) == NULL) {
+        ossl_raise(eProviderError, "Provider already unloaded.");
+    }
+    GetProvider(self, prov);
+
+    int result = OSSL_PROVIDER_unload(prov);
+
+    if (result != 1) {
+        ossl_raise(eProviderError, "Failed to unload provider");
+    }
+    RTYPEDDATA_DATA(self) = NULL;
+    return Qtrue;
+}
+
+/*
+ * call-seq:
+ *    provider.name -> string
+ *
+ * Get the name of this provider.
+ *
+ * if this provider is already unloaded, it raises OpenSSL::Provider::ProviderError
+ */
+static VALUE
+ossl_provider_get_name(VALUE self)
+{
+    OSSL_PROVIDER *prov;
+    if (RTYPEDDATA_DATA(self) == NULL) {
+        ossl_raise(eProviderError, "Provider already unloaded.");
+    }
+    GetProvider(self, prov);
+
+    return rb_str_new2(OSSL_PROVIDER_get0_name(prov));
+}
+
+/*
+ * call-seq:
+ *    provider.inspect -> string
+ *
+ * Pretty prints this provider.
+ */
+static VALUE
+ossl_provider_inspect(VALUE self)
+{
+    OSSL_PROVIDER *prov;
+    if (RTYPEDDATA_DATA(self) == NULL ) {
+        return rb_sprintf("#<%"PRIsVALUE" unloaded provider>", rb_obj_class(self));
+    }
+    GetProvider(self, prov);
+
+    return rb_sprintf("#<%"PRIsVALUE" name=\"%s\">",
+                      rb_obj_class(self), OSSL_PROVIDER_get0_name(prov));
+}
+
+void
+Init_ossl_provider(void)
+{
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
+    cProvider = rb_define_class_under(mOSSL, "Provider", rb_cObject);
+    eProviderError = rb_define_class_under(cProvider, "ProviderError", eOSSLError);
+
+    rb_undef_alloc_func(cProvider);
+    rb_define_singleton_method(cProvider, "load", ossl_provider_s_load, 1);
+    rb_define_singleton_method(cProvider, "provider_names", ossl_provider_s_provider_names, 0);
+
+    rb_define_method(cProvider, "unload", ossl_provider_unload, 0);
+    rb_define_method(cProvider, "name", ossl_provider_get_name, 0);
+    rb_define_method(cProvider, "inspect", ossl_provider_inspect, 0);
+}
+#else
+void
+Init_ossl_provider(void)
+{
+}
+#endif

data/ext/openssl/ossl_provider.h

@@ -0,0 +1,5 @@
+#if !defined(OSSL_PROVIDER_H)
+#define OSSL_PROVIDER_H
+
+void Init_ossl_provider(void);
+#endif