RubyGems - openssl - Versions diffs - 3.3.1 → 4.0.0 - Mend

openssl 3.3.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

checksums.yaml +4 -4
data/CONTRIBUTING.md +3 -0
data/History.md +107 -0
data/README.md +12 -11
data/ext/openssl/extconf.rb +30 -69
data/ext/openssl/openssl_missing.h +0 -206
data/ext/openssl/ossl.c +280 -301
data/ext/openssl/ossl.h +15 -10
data/ext/openssl/ossl_asn1.c +598 -406
data/ext/openssl/ossl_asn1.h +15 -1
data/ext/openssl/ossl_bio.c +3 -3
data/ext/openssl/ossl_bn.c +286 -291
data/ext/openssl/ossl_cipher.c +252 -203
data/ext/openssl/ossl_cipher.h +10 -1
data/ext/openssl/ossl_config.c +1 -6
data/ext/openssl/ossl_digest.c +74 -43
data/ext/openssl/ossl_digest.h +9 -1
data/ext/openssl/ossl_engine.c +39 -103
data/ext/openssl/ossl_hmac.c +30 -36
data/ext/openssl/ossl_kdf.c +42 -53
data/ext/openssl/ossl_ns_spki.c +31 -37
data/ext/openssl/ossl_ocsp.c +214 -241
data/ext/openssl/ossl_pkcs12.c +26 -26
data/ext/openssl/ossl_pkcs7.c +175 -145
data/ext/openssl/ossl_pkey.c +162 -178
data/ext/openssl/ossl_pkey.h +99 -99
data/ext/openssl/ossl_pkey_dh.c +32 -67
data/ext/openssl/ossl_pkey_dsa.c +16 -53
data/ext/openssl/ossl_pkey_ec.c +180 -236
data/ext/openssl/ossl_pkey_rsa.c +57 -102
data/ext/openssl/ossl_provider.c +0 -7
data/ext/openssl/ossl_rand.c +7 -14
data/ext/openssl/ossl_ssl.c +478 -353
data/ext/openssl/ossl_ssl.h +8 -8
data/ext/openssl/ossl_ssl_session.c +93 -97
data/ext/openssl/ossl_ts.c +81 -127
data/ext/openssl/ossl_x509.c +9 -28
data/ext/openssl/ossl_x509attr.c +33 -54
data/ext/openssl/ossl_x509cert.c +69 -100
data/ext/openssl/ossl_x509crl.c +78 -89
data/ext/openssl/ossl_x509ext.c +45 -66
data/ext/openssl/ossl_x509name.c +63 -88
data/ext/openssl/ossl_x509req.c +55 -62
data/ext/openssl/ossl_x509revoked.c +27 -41
data/ext/openssl/ossl_x509store.c +38 -56
data/lib/openssl/buffering.rb +30 -24
data/lib/openssl/digest.rb +1 -1
data/lib/openssl/pkey.rb +71 -49
data/lib/openssl/ssl.rb +12 -79
data/lib/openssl/version.rb +2 -1
data/lib/openssl/x509.rb +9 -0
data/lib/openssl.rb +9 -6
metadata +1 -3
data/ext/openssl/openssl_missing.c +0 -40
data/lib/openssl/asn1.rb +0 -188

data/ext/openssl/ossl_pkey_rsa.c CHANGED Viewed

@@ -14,13 +14,15 @@
 #define GetPKeyRSA(obj, pkey) do { \
     GetPKey((obj), (pkey)); \
     if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) { /* PARANOIA? */ \
-	ossl_raise(rb_eRuntimeError, "THIS IS NOT A RSA!") ; \
+        ossl_raise(rb_eRuntimeError, "THIS IS NOT A RSA!") ; \
     } \
 } while (0)
 #define GetRSA(obj, rsa) do { \
     EVP_PKEY *_pkey; \
     GetPKeyRSA((obj), _pkey); \
     (rsa) = EVP_PKEY_get0_RSA(_pkey); \
+    if ((rsa) == NULL) \
+        ossl_raise(ePKeyError, "failed to get RSA from EVP_PKEY"); \
 } while (0)
 static inline int
@@ -42,7 +44,6 @@ RSA_PRIVATE(VALUE obj, OSSL_3_const RSA *rsa)
  * Classes
  */
 VALUE cRSA;
-static VALUE eRSAError;
 /*
  * Private
@@ -59,6 +60,7 @@ static VALUE eRSAError;
  * If called without arguments, creates a new instance with no key components
  * set. They can be set individually by #set_key, #set_factors, and
  * #set_crt_params.
+ * This form is not compatible with OpenSSL 3.0 or later.
  *
  * If called with a String, tries to parse as DER or PEM encoding of an \RSA key.
  * Note that if _password_ is not specified, but the key is encrypted with a
@@ -89,10 +91,15 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
     /* The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb */
     rb_scan_args(argc, argv, "02", &arg, &pass);
     if (argc == 0) {
-	rsa = RSA_new();
+#ifdef OSSL_HAVE_IMMUTABLE_PKEY
+        rb_raise(rb_eArgError, "OpenSSL::PKey::RSA.new cannot be called " \
+                 "without arguments; pkeys are immutable with OpenSSL 3.0");
+#else
+        rsa = RSA_new();
         if (!rsa)
-            ossl_raise(eRSAError, "RSA_new");
+            ossl_raise(ePKeyError, "RSA_new");
         goto legacy;
+#endif
     }
     pass = ossl_pem_passwd_value(pass);
@@ -113,12 +120,12 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
     pkey = ossl_pkey_read_generic(in, pass);
     BIO_free(in);
     if (!pkey)
-        ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
+        ossl_raise(ePKeyError, "Neither PUB key nor PRIV key");
     type = EVP_PKEY_base_id(pkey);
     if (type != EVP_PKEY_RSA) {
         EVP_PKEY_free(pkey);
-        rb_raise(eRSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
+        rb_raise(ePKeyError, "incorrect pkey type: %s", OBJ_nid2sn(type));
     }
     RTYPEDDATA_DATA(self) = pkey;
     return self;
@@ -129,13 +136,14 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
     if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa) != 1) {
         EVP_PKEY_free(pkey);
         RSA_free(rsa);
-        ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
+        ossl_raise(ePKeyError, "EVP_PKEY_assign_RSA");
     }
     RTYPEDDATA_DATA(self) = pkey;
     return self;
 }
 #ifndef HAVE_EVP_PKEY_DUP
+/* :nodoc: */
 static VALUE
 ossl_rsa_initialize_copy(VALUE self, VALUE other)
 {
@@ -151,12 +159,12 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
                               (d2i_of_void *)d2i_RSAPrivateKey,
                               (char *)rsa);
     if (!rsa_new)
-	ossl_raise(eRSAError, "ASN1_dup");
+        ossl_raise(ePKeyError, "ASN1_dup");
     pkey = EVP_PKEY_new();
     if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa_new) != 1) {
         RSA_free(rsa_new);
-        ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
+        ossl_raise(ePKeyError, "EVP_PKEY_assign_RSA");
     }
     RTYPEDDATA_DATA(self) = pkey;
@@ -311,7 +319,7 @@ ossl_rsa_to_der(VALUE self)
  * Signs _data_ using the Probabilistic Signature Scheme (RSA-PSS) and returns
  * the calculated signature.
  *
- * RSAError will be raised if an error occurs.
+ * PKeyError will be raised if an error occurs.
  *
  * See #verify_pss for the verification operation.
  *
@@ -340,7 +348,7 @@ ossl_rsa_to_der(VALUE self)
 static VALUE
 ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self)
 {
-    VALUE digest, data, options, kwargs[2], signature;
+    VALUE digest, data, options, kwargs[2], signature, mgf1md_holder, md_holder;
     static ID kwargs_ids[2];
     EVP_PKEY *pkey;
     EVP_PKEY_CTX *pkey_ctx;
@@ -350,46 +358,46 @@ ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self)
     int salt_len;
     if (!kwargs_ids[0]) {
-	kwargs_ids[0] = rb_intern_const("salt_length");
-	kwargs_ids[1] = rb_intern_const("mgf1_hash");
+        kwargs_ids[0] = rb_intern_const("salt_length");
+        kwargs_ids[1] = rb_intern_const("mgf1_hash");
     }
     rb_scan_args(argc, argv, "2:", &digest, &data, &options);
     rb_get_kwargs(options, kwargs_ids, 2, 0, kwargs);
     if (kwargs[0] == ID2SYM(rb_intern("max")))
-	salt_len = -2; /* RSA_PSS_SALTLEN_MAX_SIGN */
+        salt_len = -2; /* RSA_PSS_SALTLEN_MAX_SIGN */
     else if (kwargs[0] == ID2SYM(rb_intern("digest")))
-	salt_len = -1; /* RSA_PSS_SALTLEN_DIGEST */
+        salt_len = -1; /* RSA_PSS_SALTLEN_DIGEST */
     else
-	salt_len = NUM2INT(kwargs[0]);
-    mgf1md = ossl_evp_get_digestbyname(kwargs[1]);
+        salt_len = NUM2INT(kwargs[0]);
+    mgf1md = ossl_evp_md_fetch(kwargs[1], &mgf1md_holder);
     pkey = GetPrivPKeyPtr(self);
     buf_len = EVP_PKEY_size(pkey);
-    md = ossl_evp_get_digestbyname(digest);
+    md = ossl_evp_md_fetch(digest, &md_holder);
     StringValue(data);
     signature = rb_str_new(NULL, (long)buf_len);
     md_ctx = EVP_MD_CTX_new();
     if (!md_ctx)
-	goto err;
+        goto err;
     if (EVP_DigestSignInit(md_ctx, &pkey_ctx, md, NULL, pkey) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, salt_len) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) != 1)
-	goto err;
+        goto err;
     if (EVP_DigestSignUpdate(md_ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
-	goto err;
+        goto err;
     if (EVP_DigestSignFinal(md_ctx, (unsigned char *)RSTRING_PTR(signature), &buf_len) != 1)
-	goto err;
+        goto err;
     rb_str_set_len(signature, (long)buf_len);
@@ -398,7 +406,7 @@ ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self)
   err:
     EVP_MD_CTX_free(md_ctx);
-    ossl_raise(eRSAError, NULL);
+    ossl_raise(ePKeyError, NULL);
 }
 /*
@@ -408,7 +416,7 @@ ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self)
  * Verifies _data_ using the Probabilistic Signature Scheme (RSA-PSS).
  *
  * The return value is +true+ if the signature is valid, +false+ otherwise.
- * RSAError will be raised if an error occurs.
+ * PKeyError will be raised if an error occurs.
  *
  * See #sign_pss for the signing operation and an example code.
  *
@@ -427,7 +435,7 @@ ossl_rsa_sign_pss(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
 {
-    VALUE digest, signature, data, options, kwargs[2];
+    VALUE digest, signature, data, options, kwargs[2], mgf1md_holder, md_holder;
     static ID kwargs_ids[2];
     EVP_PKEY *pkey;
     EVP_PKEY_CTX *pkey_ctx;
@@ -436,98 +444,61 @@ ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
     int result, salt_len;
     if (!kwargs_ids[0]) {
-	kwargs_ids[0] = rb_intern_const("salt_length");
-	kwargs_ids[1] = rb_intern_const("mgf1_hash");
+        kwargs_ids[0] = rb_intern_const("salt_length");
+        kwargs_ids[1] = rb_intern_const("mgf1_hash");
     }
     rb_scan_args(argc, argv, "3:", &digest, &signature, &data, &options);
     rb_get_kwargs(options, kwargs_ids, 2, 0, kwargs);
     if (kwargs[0] == ID2SYM(rb_intern("auto")))
-	salt_len = -2; /* RSA_PSS_SALTLEN_AUTO */
+        salt_len = -2; /* RSA_PSS_SALTLEN_AUTO */
     else if (kwargs[0] == ID2SYM(rb_intern("digest")))
-	salt_len = -1; /* RSA_PSS_SALTLEN_DIGEST */
+        salt_len = -1; /* RSA_PSS_SALTLEN_DIGEST */
     else
-	salt_len = NUM2INT(kwargs[0]);
-    mgf1md = ossl_evp_get_digestbyname(kwargs[1]);
+        salt_len = NUM2INT(kwargs[0]);
+    mgf1md = ossl_evp_md_fetch(kwargs[1], &mgf1md_holder);
     GetPKey(self, pkey);
-    md = ossl_evp_get_digestbyname(digest);
+    md = ossl_evp_md_fetch(digest, &md_holder);
     StringValue(signature);
     StringValue(data);
     md_ctx = EVP_MD_CTX_new();
     if (!md_ctx)
-	goto err;
+        goto err;
     if (EVP_DigestVerifyInit(md_ctx, &pkey_ctx, md, NULL, pkey) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, salt_len) != 1)
-	goto err;
+        goto err;
     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1md) != 1)
-	goto err;
+        goto err;
     if (EVP_DigestVerifyUpdate(md_ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
-	goto err;
+        goto err;
     result = EVP_DigestVerifyFinal(md_ctx,
-				   (unsigned char *)RSTRING_PTR(signature),
-				   RSTRING_LEN(signature));
+                                   (unsigned char *)RSTRING_PTR(signature),
+                                   RSTRING_LEN(signature));
+    EVP_MD_CTX_free(md_ctx);
     switch (result) {
       case 0:
-	ossl_clear_error();
-	EVP_MD_CTX_free(md_ctx);
-	return Qfalse;
+        ossl_clear_error();
+        return Qfalse;
       case 1:
-	EVP_MD_CTX_free(md_ctx);
-	return Qtrue;
+        return Qtrue;
       default:
-	goto err;
+        ossl_raise(ePKeyError, "EVP_DigestVerifyFinal");
     }
   err:
     EVP_MD_CTX_free(md_ctx);
-    ossl_raise(eRSAError, NULL);
-}
-/*
- * call-seq:
- *   rsa.params => hash
- *
- * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
- *
- * Stores all parameters of key to the hash.  The hash has keys 'n', 'e', 'd',
- * 'p', 'q', 'dmp1', 'dmq1', 'iqmp'.
- *
- * Don't use :-)) (It's up to you)
- */
-static VALUE
-ossl_rsa_get_params(VALUE self)
-{
-    OSSL_3_const RSA *rsa;
-    VALUE hash;
-    const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
-    GetRSA(self, rsa);
-    RSA_get0_key(rsa, &n, &e, &d);
-    RSA_get0_factors(rsa, &p, &q);
-    RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
-    hash = rb_hash_new();
-    rb_hash_aset(hash, rb_str_new2("n"), ossl_bn_new(n));
-    rb_hash_aset(hash, rb_str_new2("e"), ossl_bn_new(e));
-    rb_hash_aset(hash, rb_str_new2("d"), ossl_bn_new(d));
-    rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(p));
-    rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(q));
-    rb_hash_aset(hash, rb_str_new2("dmp1"), ossl_bn_new(dmp1));
-    rb_hash_aset(hash, rb_str_new2("dmq1"), ossl_bn_new(dmq1));
-    rb_hash_aset(hash, rb_str_new2("iqmp"), ossl_bn_new(iqmp));
-    return hash;
+    ossl_raise(ePKeyError, NULL);
 }
 /*
@@ -565,20 +536,6 @@ OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp)
 void
 Init_ossl_rsa(void)
 {
-#if 0
-    mPKey = rb_define_module_under(mOSSL, "PKey");
-    cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
-    ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
-#endif
-    /* Document-class: OpenSSL::PKey::RSAError
-     *
-     * Generic exception that is raised if an operation on an RSA PKey
-     * fails unexpectedly or in case an instantiation of an instance of RSA
-     * fails due to non-conformant input data.
-     */
-    eRSAError = rb_define_class_under(mPKey, "RSAError", ePKeyError);
     /* Document-class: OpenSSL::PKey::RSA
      *
      * RSA is an asymmetric public key algorithm that has been formalized in
@@ -617,8 +574,6 @@ Init_ossl_rsa(void)
     rb_define_method(cRSA, "set_factors", ossl_rsa_set_factors, 2);
     rb_define_method(cRSA, "set_crt_params", ossl_rsa_set_crt_params, 3);
-    rb_define_method(cRSA, "params", ossl_rsa_get_params, 0);
 /*
  * TODO: Test it
     rb_define_method(cRSA, "blinding_on!", ossl_rsa_blinding_on, 0);

data/ext/openssl/ossl_provider.c CHANGED Viewed

@@ -5,8 +5,6 @@
 #include "ossl.h"
 #ifdef OSSL_USE_PROVIDER
-# include <openssl/provider.h>
 #define NewProvider(klass) \
     TypedData_Wrap_Struct((klass), &ossl_provider_type, 0)
 #define SetProvider(obj, provider) do { \
@@ -187,11 +185,6 @@ ossl_provider_inspect(VALUE self)
 void
 Init_ossl_provider(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-#endif
     cProvider = rb_define_class_under(mOSSL, "Provider", rb_cObject);
     eProviderError = rb_define_class_under(cProvider, "ProviderError", eOSSLError);

data/ext/openssl/ossl_rand.c CHANGED Viewed

@@ -68,7 +68,7 @@ static VALUE
 ossl_rand_load_file(VALUE self, VALUE filename)
 {
     if(!RAND_load_file(StringValueCStr(filename), -1)) {
-	ossl_raise(eRandomError, NULL);
+        ossl_raise(eRandomError, NULL);
     }
     return Qtrue;
 }
@@ -85,14 +85,14 @@ static VALUE
 ossl_rand_write_file(VALUE self, VALUE filename)
 {
     if (RAND_write_file(StringValueCStr(filename)) == -1) {
-	ossl_raise(eRandomError, NULL);
+        ossl_raise(eRandomError, NULL);
     }
     return Qtrue;
 }
 /*
  *  call-seq:
- *	random_bytes(length) -> string
+ *      random_bytes(length) -> string
  *
  * Generates a String with _length_ number of cryptographically strong
  * pseudo-random bytes.
@@ -112,9 +112,9 @@ ossl_rand_bytes(VALUE self, VALUE len)
     str = rb_str_new(0, n);
     ret = RAND_bytes((unsigned char *)RSTRING_PTR(str), n);
     if (ret == 0) {
-	ossl_raise(eRandomError, "RAND_bytes");
+        ossl_raise(eRandomError, "RAND_bytes");
     } else if (ret == -1) {
-	ossl_raise(eRandomError, "RAND_bytes is not supported");
+        ossl_raise(eRandomError, "RAND_bytes is not supported");
     }
     return str;
@@ -131,7 +131,7 @@ static VALUE
 ossl_rand_egd(VALUE self, VALUE filename)
 {
     if (RAND_egd(StringValueCStr(filename)) == -1) {
-	ossl_raise(eRandomError, NULL);
+        ossl_raise(eRandomError, NULL);
     }
     return Qtrue;
 }
@@ -151,7 +151,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
     int n = NUM2INT(len);
     if (RAND_egd_bytes(StringValueCStr(filename), n) == -1) {
-	ossl_raise(eRandomError, NULL);
+        ossl_raise(eRandomError, NULL);
     }
     return Qtrue;
 }
@@ -175,11 +175,6 @@ ossl_rand_status(VALUE self)
 void
 Init_ossl_rand(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-#endif
     mRandom = rb_define_module_under(mOSSL, "Random");
     eRandomError = rb_define_class_under(mRandom, "RandomError", eOSSLError);
@@ -189,9 +184,7 @@ Init_ossl_rand(void)
     rb_define_module_function(mRandom, "load_random_file", ossl_rand_load_file, 1);
     rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1);
     rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1);
-#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
     rb_define_alias(rb_singleton_class(mRandom), "pseudo_bytes", "random_bytes");
-#endif
 #ifdef HAVE_RAND_EGD
     rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1);
     rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);