RubyGems - openssl - Versions diffs - 3.3.2 → 4.0.0 - Mend

openssl 3.3.2 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

checksums.yaml +4 -4
data/CONTRIBUTING.md +3 -0
data/History.md +85 -0
data/README.md +12 -11
data/ext/openssl/extconf.rb +30 -69
data/ext/openssl/openssl_missing.h +0 -206
data/ext/openssl/ossl.c +280 -301
data/ext/openssl/ossl.h +15 -10
data/ext/openssl/ossl_asn1.c +598 -406
data/ext/openssl/ossl_asn1.h +15 -1
data/ext/openssl/ossl_bio.c +3 -3
data/ext/openssl/ossl_bn.c +286 -291
data/ext/openssl/ossl_cipher.c +252 -203
data/ext/openssl/ossl_cipher.h +10 -1
data/ext/openssl/ossl_config.c +1 -6
data/ext/openssl/ossl_digest.c +74 -43
data/ext/openssl/ossl_digest.h +9 -1
data/ext/openssl/ossl_engine.c +39 -103
data/ext/openssl/ossl_hmac.c +30 -36
data/ext/openssl/ossl_kdf.c +42 -53
data/ext/openssl/ossl_ns_spki.c +31 -37
data/ext/openssl/ossl_ocsp.c +214 -241
data/ext/openssl/ossl_pkcs12.c +26 -26
data/ext/openssl/ossl_pkcs7.c +175 -145
data/ext/openssl/ossl_pkey.c +162 -178
data/ext/openssl/ossl_pkey.h +99 -99
data/ext/openssl/ossl_pkey_dh.c +31 -68
data/ext/openssl/ossl_pkey_dsa.c +15 -54
data/ext/openssl/ossl_pkey_ec.c +179 -237
data/ext/openssl/ossl_pkey_rsa.c +56 -103
data/ext/openssl/ossl_provider.c +0 -7
data/ext/openssl/ossl_rand.c +7 -14
data/ext/openssl/ossl_ssl.c +478 -353
data/ext/openssl/ossl_ssl.h +8 -8
data/ext/openssl/ossl_ssl_session.c +93 -97
data/ext/openssl/ossl_ts.c +81 -127
data/ext/openssl/ossl_x509.c +9 -28
data/ext/openssl/ossl_x509attr.c +33 -54
data/ext/openssl/ossl_x509cert.c +69 -100
data/ext/openssl/ossl_x509crl.c +78 -89
data/ext/openssl/ossl_x509ext.c +45 -66
data/ext/openssl/ossl_x509name.c +63 -88
data/ext/openssl/ossl_x509req.c +55 -62
data/ext/openssl/ossl_x509revoked.c +27 -41
data/ext/openssl/ossl_x509store.c +38 -56
data/lib/openssl/buffering.rb +30 -24
data/lib/openssl/digest.rb +1 -1
data/lib/openssl/pkey.rb +71 -49
data/lib/openssl/ssl.rb +12 -79
data/lib/openssl/version.rb +2 -1
data/lib/openssl/x509.rb +9 -0
data/lib/openssl.rb +9 -6
metadata +1 -3
data/ext/openssl/openssl_missing.c +0 -40
data/lib/openssl/asn1.rb +0 -188

data/ext/openssl/ossl_x509cert.c CHANGED Viewed

@@ -13,14 +13,14 @@
     TypedData_Wrap_Struct((klass), &ossl_x509_type, 0)
 #define SetX509(obj, x509) do { \
     if (!(x509)) { \
-	ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
     } \
     RTYPEDDATA_DATA(obj) = (x509); \
 } while (0)
 #define GetX509(obj, x509) do { \
     TypedData_Get_Struct((obj), X509, &ossl_x509_type, (x509)); \
     if (!(x509)) { \
-	ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
     } \
 } while (0)
@@ -39,7 +39,7 @@ ossl_x509_free(void *ptr)
 static const rb_data_type_t ossl_x509_type = {
     "OpenSSL/X509",
     {
-	0, ossl_x509_free,
+        0, ossl_x509_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
@@ -54,14 +54,9 @@ ossl_x509_new(X509 *x509)
     VALUE obj;
     obj = NewX509(cX509Cert);
-    if (!x509) {
-	new = X509_new();
-    } else {
-	new = X509_dup(x509);
-    }
-    if (!new) {
-	ossl_raise(eX509CertError, NULL);
-    }
+    new = X509_dup(x509);
+    if (!new)
+        ossl_raise(eX509CertError, "X509_dup");
     SetX509(obj, new);
     return obj;
@@ -120,8 +115,8 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
     rb_check_frozen(self);
     if (rb_scan_args(argc, argv, "01", &arg) == 0) {
-	/* create just empty X509Cert */
-	return self;
+        /* create just empty X509Cert */
+        return self;
     }
     arg = ossl_to_der_if_possible(arg);
     in = ossl_obj2bio(&arg);
@@ -140,6 +135,7 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
     return self;
 }
+/* :nodoc: */
 static VALUE
 ossl_x509_copy(VALUE self, VALUE other)
 {
@@ -174,11 +170,11 @@ ossl_x509_to_der(VALUE self)
     GetX509(self, x509);
     if ((len = i2d_X509(x509, NULL)) <= 0)
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     str = rb_str_new(0, len);
     p = (unsigned char *)RSTRING_PTR(str);
     if (i2d_X509(x509, &p) <= 0)
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     ossl_str_adjust(str, p);
     return str;
@@ -200,8 +196,8 @@ ossl_x509_to_pem(VALUE self)
     if (!out) ossl_raise(eX509CertError, NULL);
     if (!PEM_write_bio_X509(out, x509)) {
-	BIO_free(out);
-	ossl_raise(eX509CertError, NULL);
+        BIO_free(out);
+        ossl_raise(eX509CertError, NULL);
     }
     str = ossl_membio2str(out);
@@ -225,8 +221,8 @@ ossl_x509_to_text(VALUE self)
     if (!out) ossl_raise(eX509CertError, NULL);
     if (!X509_print(out, x509)) {
-	BIO_free(out);
-	ossl_raise(eX509CertError, NULL);
+        BIO_free(out);
+        ossl_raise(eX509CertError, NULL);
     }
     str = ossl_membio2str(out);
@@ -246,7 +242,7 @@ ossl_x509_to_req(VALUE self)
     GetX509(self, x509);
     if (!(req = X509_to_X509_REQ(x509, NULL, EVP_md5()))) {
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     obj = ossl_x509req_new(req);
     X509_REQ_free(req);
@@ -280,11 +276,11 @@ ossl_x509_set_version(VALUE self, VALUE version)
     long ver;
     if ((ver = NUM2LONG(version)) < 0) {
-	ossl_raise(eX509CertError, "version must be >= 0!");
+        ossl_raise(eX509CertError, "version must be >= 0!");
     }
     GetX509(self, x509);
     if (!X509_set_version(x509, ver)) {
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return version;
@@ -322,25 +318,23 @@ ossl_x509_set_serial(VALUE self, VALUE num)
 /*
  * call-seq:
  *    cert.signature_algorithm => string
+ *
+ * Returns the signature algorithm used to sign this certificate. This returns
+ * the algorithm name found in the TBSCertificate structure, not the outer
+ * \Certificate structure.
+ *
+ * Returns the long name of the signature algorithm, or the dotted decimal
+ * notation if \OpenSSL does not define a long name for it.
  */
 static VALUE
 ossl_x509_get_signature_algorithm(VALUE self)
 {
     X509 *x509;
-    BIO *out;
-    VALUE str;
+    const ASN1_OBJECT *obj;
     GetX509(self, x509);
-    out = BIO_new(BIO_s_mem());
-    if (!out) ossl_raise(eX509CertError, NULL);
-    if (!i2a_ASN1_OBJECT(out, X509_get0_tbs_sigalg(x509)->algorithm)) {
-	BIO_free(out);
-	ossl_raise(eX509CertError, NULL);
-    }
-    str = ossl_membio2str(out);
-    return str;
+    X509_ALGOR_get0(&obj, NULL, NULL, X509_get0_tbs_sigalg(x509));
+    return ossl_asn1obj_to_string_long_name(obj);
 }
 /*
@@ -355,7 +349,7 @@ ossl_x509_get_subject(VALUE self)
     GetX509(self, x509);
     if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return ossl_x509name_new(name);
@@ -372,7 +366,7 @@ ossl_x509_set_subject(VALUE self, VALUE subject)
     GetX509(self, x509);
     if (!X509_set_subject_name(x509, GetX509NamePtr(subject))) { /* DUPs name */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return subject;
@@ -390,7 +384,7 @@ ossl_x509_get_issuer(VALUE self)
     GetX509(self, x509);
     if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return ossl_x509name_new(name);
@@ -407,7 +401,7 @@ ossl_x509_set_issuer(VALUE self, VALUE issuer)
     GetX509(self, x509);
     if (!X509_set_issuer_name(x509, GetX509NamePtr(issuer))) { /* DUPs name */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return issuer;
@@ -425,7 +419,7 @@ ossl_x509_get_not_before(VALUE self)
     GetX509(self, x509);
     if (!(asn1time = X509_get0_notBefore(x509))) {
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return asn1time_to_time(asn1time);
@@ -444,8 +438,8 @@ ossl_x509_set_not_before(VALUE self, VALUE time)
     GetX509(self, x509);
     asn1time = ossl_x509_time_adjust(NULL, time);
     if (!X509_set1_notBefore(x509, asn1time)) {
-	ASN1_TIME_free(asn1time);
-	ossl_raise(eX509CertError, "X509_set_notBefore");
+        ASN1_TIME_free(asn1time);
+        ossl_raise(eX509CertError, "X509_set_notBefore");
     }
     ASN1_TIME_free(asn1time);
@@ -464,7 +458,7 @@ ossl_x509_get_not_after(VALUE self)
     GetX509(self, x509);
     if (!(asn1time = X509_get0_notAfter(x509))) {
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return asn1time_to_time(asn1time);
@@ -483,8 +477,8 @@ ossl_x509_set_not_after(VALUE self, VALUE time)
     GetX509(self, x509);
     asn1time = ossl_x509_time_adjust(NULL, time);
     if (!X509_set1_notAfter(x509, asn1time)) {
-	ASN1_TIME_free(asn1time);
-	ossl_raise(eX509CertError, "X509_set_notAfter");
+        ASN1_TIME_free(asn1time);
+        ossl_raise(eX509CertError, "X509_set_notAfter");
     }
     ASN1_TIME_free(asn1time);
@@ -503,10 +497,10 @@ ossl_x509_get_public_key(VALUE self)
     GetX509(self, x509);
     if (!(pkey = X509_get_pubkey(x509))) { /* adds an reference */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
-    return ossl_pkey_new(pkey); /* NO DUP - OK */
+    return ossl_pkey_wrap(pkey);
 }
 /*
@@ -523,7 +517,7 @@ ossl_x509_set_public_key(VALUE self, VALUE key)
     pkey = GetPKeyPtr(key);
     ossl_pkey_check_public_key(pkey);
     if (!X509_set_pubkey(x509, pkey))
-	ossl_raise(eX509CertError, "X509_set_pubkey");
+        ossl_raise(eX509CertError, "X509_set_pubkey");
     return key;
 }
@@ -537,17 +531,14 @@ ossl_x509_sign(VALUE self, VALUE key, VALUE digest)
     X509 *x509;
     EVP_PKEY *pkey;
     const EVP_MD *md;
+    VALUE md_holder;
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    if (NIL_P(digest)) {
-        md = NULL; /* needed for some key types, e.g. Ed25519 */
-    } else {
-        md = ossl_evp_get_digestbyname(digest);
-    }
+    /* NULL needed for some key types, e.g. Ed25519 */
+    md = NIL_P(digest) ? NULL : ossl_evp_md_fetch(digest, &md_holder);
     GetX509(self, x509);
-    if (!X509_sign(x509, pkey, md)) {
-	ossl_raise(eX509CertError, NULL);
-    }
+    if (!X509_sign(x509, pkey, md))
+        ossl_raise(eX509CertError, "X509_sign");
     return self;
 }
@@ -570,12 +561,12 @@ ossl_x509_verify(VALUE self, VALUE key)
     ossl_pkey_check_public_key(pkey);
     switch (X509_verify(x509, pkey)) {
       case 1:
-	return Qtrue;
+        return Qtrue;
       case 0:
-	ossl_clear_error();
-	return Qfalse;
+        ossl_clear_error();
+        return Qfalse;
       default:
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
 }
@@ -596,8 +587,8 @@ ossl_x509_check_private_key(VALUE self, VALUE key)
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
     GetX509(self, x509);
     if (!X509_check_private_key(x509, pkey)) {
-	ossl_clear_error();
-	return Qfalse;
+        ossl_clear_error();
+        return Qfalse;
     }
     return Qtrue;
@@ -617,13 +608,10 @@ ossl_x509_get_extensions(VALUE self)
     GetX509(self, x509);
     count = X509_get_ext_count(x509);
-    if (count < 0) {
-	return rb_ary_new();
-    }
-    ary = rb_ary_new2(count);
+    ary = rb_ary_new_capa(count);
     for (i=0; i<count; i++) {
-	ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
-	rb_ary_push(ary, ossl_x509ext_new(ext));
+        ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
+        rb_ary_push(ary, ossl_x509ext_new(ext));
     }
     return ary;
@@ -643,16 +631,16 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
     Check_Type(ary, T_ARRAY);
     /* All ary's members should be X509Extension */
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
+        OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509(self, x509);
     for (i = X509_get_ext_count(x509); i > 0; i--)
         X509_EXTENSION_free(X509_delete_ext(x509, 0));
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
-	if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
-	    ossl_raise(eX509CertError, "X509_add_ext");
-	}
+        ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
+        if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
+            ossl_raise(eX509CertError, "X509_add_ext");
+        }
     }
     return ary;
@@ -671,32 +659,24 @@ ossl_x509_add_extension(VALUE self, VALUE extension)
     GetX509(self, x509);
     ext = GetX509ExtPtr(extension);
     if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
-	ossl_raise(eX509CertError, NULL);
+        ossl_raise(eX509CertError, NULL);
     }
     return extension;
 }
-static VALUE
-ossl_x509_inspect(VALUE self)
-{
-    return rb_sprintf("#<%"PRIsVALUE": subject=%+"PRIsVALUE", "
-		      "issuer=%+"PRIsVALUE", serial=%+"PRIsVALUE", "
-		      "not_before=%+"PRIsVALUE", not_after=%+"PRIsVALUE">",
-		      rb_obj_class(self),
-		      ossl_x509_get_subject(self),
-		      ossl_x509_get_issuer(self),
-		      ossl_x509_get_serial(self),
-		      ossl_x509_get_not_before(self),
-		      ossl_x509_get_not_after(self));
-}
 /*
  * call-seq:
  *    cert1 == cert2 -> true | false
  *
  * Compares the two certificates. Note that this takes into account all fields,
  * not just the issuer name and the serial number.
+ *
+ * This method uses X509_cmp() from OpenSSL, which compares certificates based
+ * on their cached DER encodings. The comparison can be unreliable if a
+ * certificate is incomplete.
+ *
+ * See also the man page X509_cmp(3).
  */
 static VALUE
 ossl_x509_eq(VALUE self, VALUE other)
@@ -705,13 +685,12 @@ ossl_x509_eq(VALUE self, VALUE other)
     GetX509(self, a);
     if (!rb_obj_is_kind_of(other, cX509Cert))
-	return Qfalse;
+        return Qfalse;
     GetX509(other, b);
     return !X509_cmp(a, b) ? Qtrue : Qfalse;
 }
-#ifdef HAVE_I2D_RE_X509_TBS
 /*
  * call-seq:
  *    cert.tbs_bytes => string
@@ -741,7 +720,6 @@ ossl_x509_tbs_bytes(VALUE self)
     return str;
 }
-#endif
 struct load_chained_certificates_arguments {
     VALUE certificates;
@@ -802,7 +780,7 @@ load_chained_certificates_PEM(BIO *in) {
     certificates = load_chained_certificates_append(Qnil, certificate);
     while ((certificate = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
-      load_chained_certificates_append(certificates, certificate);
+        load_chained_certificates_append(certificates, certificate);
     }
     /* We tried to read one more certificate but could not read start line: */
@@ -900,12 +878,6 @@ ossl_x509_load(VALUE klass, VALUE buffer)
 void
 Init_ossl_x509cert(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-    mX509 = rb_define_module_under(mOSSL, "X509");
-#endif
     eX509CertError = rb_define_class_under(mX509, "CertificateError", eOSSLError);
     /* Document-class: OpenSSL::X509::Certificate
@@ -1033,9 +1005,6 @@ Init_ossl_x509cert(void)
     rb_define_method(cX509Cert, "extensions", ossl_x509_get_extensions, 0);
     rb_define_method(cX509Cert, "extensions=", ossl_x509_set_extensions, 1);
     rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1);
-    rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0);
     rb_define_method(cX509Cert, "==", ossl_x509_eq, 1);
-#ifdef HAVE_I2D_RE_X509_TBS
     rb_define_method(cX509Cert, "tbs_bytes", ossl_x509_tbs_bytes, 0);
-#endif
 }