openssl 3.3.2 → 4.0.0

data/ext/openssl/ossl_hmac.c

@@ -14,7 +14,7 @@
 #define GetHMAC(obj, ctx) do { \
     TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_hmac_type, (ctx)); \
     if (!(ctx)) { \
-	ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
+        ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
     } \
 } while (0)
 
@@ -23,6 +23,7 @@
  */
 static VALUE cHMAC;
 static VALUE eHMACError;
+static ID id_md_holder;
 
 /*
  * Public
@@ -40,7 +41,7 @@ ossl_hmac_free(void *ctx)
 static const rb_data_type_t ossl_hmac_type = {
     "OpenSSL/HMAC",
     {
-	0, ossl_hmac_free,
+        0, ossl_hmac_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
@@ -73,17 +74,17 @@ ossl_hmac_alloc(VALUE klass)
  *
  * === Example
  *
- *	key = 'key'
- * 	instance = OpenSSL::HMAC.new(key, 'SHA1')
- * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
- * 	instance.class
- * 	#=> OpenSSL::HMAC
+ *      key = 'key'
+ *      instance = OpenSSL::HMAC.new(key, 'SHA1')
+ *      #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *      instance.class
+ *      #=> OpenSSL::HMAC
  *
  * === A note about comparisons
  *
  * Two instances can be securely compared with #== in constant time:
  *
- *	other_instance = OpenSSL::HMAC.new('key', 'SHA1')
+ *      other_instance = OpenSSL::HMAC.new('key', 'SHA1')
  *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *  instance == other_instance
  *  #=> true
@@ -94,33 +95,29 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 {
     EVP_MD_CTX *ctx;
     EVP_PKEY *pkey;
+    const EVP_MD *md;
+    VALUE md_holder;
 
     GetHMAC(self, ctx);
     StringValue(key);
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+    md = ossl_evp_md_fetch(digest, &md_holder);
     pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                         (unsigned char *)RSTRING_PTR(key),
                                         RSTRING_LENINT(key));
     if (!pkey)
         ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
-#else
-    pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
-                                (unsigned char *)RSTRING_PTR(key),
-                                RSTRING_LENINT(key));
-    if (!pkey)
-        ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
-#endif
-    if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
-                           NULL, pkey) != 1) {
+    if (EVP_DigestSignInit(ctx, NULL, md, NULL, pkey) != 1) {
         EVP_PKEY_free(pkey);
         ossl_raise(eHMACError, "EVP_DigestSignInit");
     }
+    rb_ivar_set(self, id_md_holder, md_holder);
     /* Decrement reference counter; EVP_MD_CTX still keeps it */
     EVP_PKEY_free(pkey);
 
     return self;
 }
 
+/* :nodoc: */
 static VALUE
 ossl_hmac_copy(VALUE self, VALUE other)
 {
@@ -145,13 +142,13 @@ ossl_hmac_copy(VALUE self, VALUE other)
  *
  * === Example
  *
- *	first_chunk = 'The quick brown fox jumps '
- * 	second_chunk = 'over the lazy dog'
+ *      first_chunk = 'The quick brown fox jumps '
+ *      second_chunk = 'over the lazy dog'
  *
- * 	instance.update(first_chunk)
- * 	#=> 5b9a8038a65d571076d97fe783989e52278a492a
- * 	instance.update(second_chunk)
- * 	#=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
+ *      instance.update(first_chunk)
+ *      #=> 5b9a8038a65d571076d97fe783989e52278a492a
+ *      instance.update(second_chunk)
+ *      #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
  *
  */
 static VALUE
@@ -229,14 +226,14 @@ ossl_hmac_hexdigest(VALUE self)
  *
  * === Example
  *
- *	data = "The quick brown fox jumps over the lazy dog"
- * 	instance = OpenSSL::HMAC.new('key', 'SHA1')
- * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *      data = "The quick brown fox jumps over the lazy dog"
+ *      instance = OpenSSL::HMAC.new('key', 'SHA1')
+ *      #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *
- * 	instance.update(data)
- * 	#=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
- * 	instance.reset
- * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *      instance.update(data)
+ *      #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
+ *      instance.reset
+ *      #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
  *
  */
 static VALUE
@@ -259,11 +256,6 @@ ossl_hmac_reset(VALUE self)
 void
 Init_ossl_hmac(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-#endif
-
     /*
      * Document-class: OpenSSL::HMAC
      *
@@ -307,4 +299,6 @@ Init_ossl_hmac(void)
     rb_define_method(cHMAC, "hexdigest", ossl_hmac_hexdigest, 0);
     rb_define_alias(cHMAC, "inspect", "hexdigest");
     rb_define_alias(cHMAC, "to_s", "hexdigest");
+
+    id_md_holder = rb_intern_const("EVP_MD_holder");
 }

data/ext/openssl/ossl_kdf.c

@@ -3,9 +3,7 @@
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
  */
 #include "ossl.h"
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
-# include <openssl/kdf.h>
-#endif
+#include <openssl/kdf.h>
 
 static VALUE mKDF, eKDF;
 
@@ -37,16 +35,16 @@ static VALUE mKDF, eKDF;
 static VALUE
 kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
 {
-    VALUE pass, salt, opts, kwargs[4], str;
+    VALUE pass, salt, opts, kwargs[4], str, md_holder;
     static ID kwargs_ids[4];
     int iters, len;
     const EVP_MD *md;
 
     if (!kwargs_ids[0]) {
-	kwargs_ids[0] = rb_intern_const("salt");
-	kwargs_ids[1] = rb_intern_const("iterations");
-	kwargs_ids[2] = rb_intern_const("length");
-	kwargs_ids[3] = rb_intern_const("hash");
+        kwargs_ids[0] = rb_intern_const("salt");
+        kwargs_ids[1] = rb_intern_const("iterations");
+        kwargs_ids[2] = rb_intern_const("length");
+        kwargs_ids[3] = rb_intern_const("hash");
     }
     rb_scan_args(argc, argv, "1:", &pass, &opts);
     rb_get_kwargs(opts, kwargs_ids, 4, 0, kwargs);
@@ -55,14 +53,14 @@ kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
     salt = StringValue(kwargs[0]);
     iters = NUM2INT(kwargs[1]);
     len = NUM2INT(kwargs[2]);
-    md = ossl_evp_get_digestbyname(kwargs[3]);
+    md = ossl_evp_md_fetch(kwargs[3], &md_holder);
 
     str = rb_str_new(0, len);
     if (!PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LENINT(pass),
-			   (unsigned char *)RSTRING_PTR(salt),
-			   RSTRING_LENINT(salt), iters, md, len,
-			   (unsigned char *)RSTRING_PTR(str)))
-	ossl_raise(eKDF, "PKCS5_PBKDF2_HMAC");
+                           (unsigned char *)RSTRING_PTR(salt),
+                           RSTRING_LENINT(salt), iters, md, len,
+                           (unsigned char *)RSTRING_PTR(str)))
+        ossl_raise(eKDF, "PKCS5_PBKDF2_HMAC");
 
     return str;
 }
@@ -109,11 +107,11 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
     uint64_t N, r, p, maxmem;
 
     if (!kwargs_ids[0]) {
-	kwargs_ids[0] = rb_intern_const("salt");
-	kwargs_ids[1] = rb_intern_const("N");
-	kwargs_ids[2] = rb_intern_const("r");
-	kwargs_ids[3] = rb_intern_const("p");
-	kwargs_ids[4] = rb_intern_const("length");
+        kwargs_ids[0] = rb_intern_const("salt");
+        kwargs_ids[1] = rb_intern_const("N");
+        kwargs_ids[2] = rb_intern_const("r");
+        kwargs_ids[3] = rb_intern_const("p");
+        kwargs_ids[4] = rb_intern_const("length");
     }
     rb_scan_args(argc, argv, "1:", &pass, &opts);
     rb_get_kwargs(opts, kwargs_ids, 5, 0, kwargs);
@@ -133,15 +131,14 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
 
     str = rb_str_new(0, len);
     if (!EVP_PBE_scrypt(RSTRING_PTR(pass), RSTRING_LEN(pass),
-			(unsigned char *)RSTRING_PTR(salt), RSTRING_LEN(salt),
-			N, r, p, maxmem, (unsigned char *)RSTRING_PTR(str), len))
-	ossl_raise(eKDF, "EVP_PBE_scrypt");
+                        (unsigned char *)RSTRING_PTR(salt), RSTRING_LEN(salt),
+                        N, r, p, maxmem, (unsigned char *)RSTRING_PTR(str), len))
+        ossl_raise(eKDF, "EVP_PBE_scrypt");
 
     return str;
 }
 #endif
 
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
 /*
  * call-seq:
  *    KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -175,7 +172,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
 static VALUE
 kdf_hkdf(int argc, VALUE *argv, VALUE self)
 {
-    VALUE ikm, salt, info, opts, kwargs[4], str;
+    VALUE ikm, salt, info, opts, kwargs[4], str, md_holder;
     static ID kwargs_ids[4];
     int saltlen, ikmlen, infolen;
     size_t len;
@@ -183,10 +180,10 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self)
     EVP_PKEY_CTX *pctx;
 
     if (!kwargs_ids[0]) {
-	kwargs_ids[0] = rb_intern_const("salt");
-	kwargs_ids[1] = rb_intern_const("info");
-	kwargs_ids[2] = rb_intern_const("length");
-	kwargs_ids[3] = rb_intern_const("hash");
+        kwargs_ids[0] = rb_intern_const("salt");
+        kwargs_ids[1] = rb_intern_const("info");
+        kwargs_ids[2] = rb_intern_const("length");
+        kwargs_ids[3] = rb_intern_const("hash");
     }
     rb_scan_args(argc, argv, "1:", &ikm, &opts);
     rb_get_kwargs(opts, kwargs_ids, 4, 0, kwargs);
@@ -199,55 +196,49 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self)
     infolen = RSTRING_LENINT(info);
     len = (size_t)NUM2LONG(kwargs[2]);
     if (len > LONG_MAX)
-	rb_raise(rb_eArgError, "length must be non-negative");
-    md = ossl_evp_get_digestbyname(kwargs[3]);
+        rb_raise(rb_eArgError, "length must be non-negative");
+    md = ossl_evp_md_fetch(kwargs[3], &md_holder);
 
     str = rb_str_new(NULL, (long)len);
     pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
     if (!pctx)
-	ossl_raise(eKDF, "EVP_PKEY_CTX_new_id");
+        ossl_raise(eKDF, "EVP_PKEY_CTX_new_id");
     if (EVP_PKEY_derive_init(pctx) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_derive_init");
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_derive_init");
     }
     if (EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_md");
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_md");
     }
     if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, (unsigned char *)RSTRING_PTR(salt),
-				    saltlen) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_salt");
+                                    saltlen) <= 0) {
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_salt");
     }
     if (EVP_PKEY_CTX_set1_hkdf_key(pctx, (unsigned char *)RSTRING_PTR(ikm),
-				   ikmlen) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_key");
+                                   ikmlen) <= 0) {
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_key");
     }
     if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (unsigned char *)RSTRING_PTR(info),
-				    infolen) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_info");
+                                    infolen) <= 0) {
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_info");
     }
     if (EVP_PKEY_derive(pctx, (unsigned char *)RSTRING_PTR(str), &len) <= 0) {
-	EVP_PKEY_CTX_free(pctx);
-	ossl_raise(eKDF, "EVP_PKEY_derive");
+        EVP_PKEY_CTX_free(pctx);
+        ossl_raise(eKDF, "EVP_PKEY_derive");
     }
     rb_str_set_len(str, (long)len);
     EVP_PKEY_CTX_free(pctx);
 
     return str;
 }
-#endif
 
 void
 Init_ossl_kdf(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-#endif
-
     /*
      * Document-module: OpenSSL::KDF
      *
@@ -305,7 +296,5 @@ Init_ossl_kdf(void)
 #if defined(HAVE_EVP_PBE_SCRYPT)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
-#endif
 }

data/ext/openssl/ossl_ns_spki.c

@@ -13,14 +13,14 @@
     TypedData_Wrap_Struct((klass), &ossl_netscape_spki_type, 0)
 #define SetSPKI(obj, spki) do { \
     if (!(spki)) { \
-	ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
     } \
     RTYPEDDATA_DATA(obj) = (spki); \
 } while (0)
 #define GetSPKI(obj, spki) do { \
     TypedData_Get_Struct((obj), NETSCAPE_SPKI, &ossl_netscape_spki_type, (spki)); \
     if (!(spki)) { \
-	ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "SPKI wasn't initialized!"); \
     } \
 } while (0)
 
@@ -48,7 +48,7 @@ ossl_netscape_spki_free(void *spki)
 static const rb_data_type_t ossl_netscape_spki_type = {
     "OpenSSL/NETSCAPE_SPKI",
     {
-	0, ossl_netscape_spki_free,
+        0, ossl_netscape_spki_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
@@ -61,7 +61,7 @@ ossl_spki_alloc(VALUE klass)
 
     obj = NewSPKI(klass);
     if (!(spki = NETSCAPE_SPKI_new())) {
-	ossl_raise(eSPKIError, NULL);
+        ossl_raise(eSPKIError, NULL);
     }
     SetSPKI(obj, spki);
 
@@ -83,15 +83,15 @@ ossl_spki_initialize(int argc, VALUE *argv, VALUE self)
     const unsigned char *p;
 
     if (rb_scan_args(argc, argv, "01", &buffer) == 0) {
-	return self;
+        return self;
     }
     StringValue(buffer);
     if (!(spki = NETSCAPE_SPKI_b64_decode(RSTRING_PTR(buffer), RSTRING_LENINT(buffer)))) {
-	ossl_clear_error();
-	p = (unsigned char *)RSTRING_PTR(buffer);
-	if (!(spki = d2i_NETSCAPE_SPKI(NULL, &p, RSTRING_LEN(buffer)))) {
-	    ossl_raise(eSPKIError, NULL);
-	}
+        ossl_clear_error();
+        p = (unsigned char *)RSTRING_PTR(buffer);
+        if (!(spki = d2i_NETSCAPE_SPKI(NULL, &p, RSTRING_LEN(buffer)))) {
+            ossl_raise(eSPKIError, NULL);
+        }
     }
     NETSCAPE_SPKI_free(DATA_PTR(self));
     SetSPKI(self, spki);
@@ -140,7 +140,7 @@ ossl_spki_to_pem(VALUE self)
 
     GetSPKI(self, spki);
     if (!(data = NETSCAPE_SPKI_b64_encode(spki))) {
-	ossl_raise(eSPKIError, NULL);
+        ossl_raise(eSPKIError, NULL);
     }
     str = ossl_buf2str(data, rb_long2int(strlen(data)));
 
@@ -162,11 +162,11 @@ ossl_spki_print(VALUE self)
 
     GetSPKI(self, spki);
     if (!(out = BIO_new(BIO_s_mem()))) {
-	ossl_raise(eSPKIError, NULL);
+        ossl_raise(eSPKIError, NULL);
     }
     if (!NETSCAPE_SPKI_print(out, spki)) {
-	BIO_free(out);
-	ossl_raise(eSPKIError, NULL);
+        BIO_free(out);
+        ossl_raise(eSPKIError, NULL);
     }
 
     return ossl_membio2str(out);
@@ -187,10 +187,10 @@ ossl_spki_get_public_key(VALUE self)
 
     GetSPKI(self, spki);
     if (!(pkey = NETSCAPE_SPKI_get_pubkey(spki))) { /* adds an reference */
-	ossl_raise(eSPKIError, NULL);
+        ossl_raise(eSPKIError, NULL);
     }
 
-    return ossl_pkey_new(pkey); /* NO DUP - OK */
+    return ossl_pkey_wrap(pkey);
 }
 
 /*
@@ -214,7 +214,7 @@ ossl_spki_set_public_key(VALUE self, VALUE key)
     pkey = GetPKeyPtr(key);
     ossl_pkey_check_public_key(pkey);
     if (!NETSCAPE_SPKI_set_pubkey(spki, pkey))
-	ossl_raise(eSPKIError, "NETSCAPE_SPKI_set_pubkey");
+        ossl_raise(eSPKIError, "NETSCAPE_SPKI_set_pubkey");
     return key;
 }
 
@@ -230,13 +230,12 @@ ossl_spki_get_challenge(VALUE self)
     NETSCAPE_SPKI *spki;
 
     GetSPKI(self, spki);
-    if (spki->spkac->challenge->length <= 0) {
-	OSSL_Debug("Challenge.length <= 0?");
-	return rb_str_new(0, 0);
+    if (ASN1_STRING_length(spki->spkac->challenge) <= 0) {
+        OSSL_Debug("Challenge.length <= 0?");
+        return rb_str_new(0, 0);
     }
 
-    return rb_str_new((const char *)spki->spkac->challenge->data,
-		      spki->spkac->challenge->length);
+    return asn1str_to_str(spki->spkac->challenge);
 }
 
 /*
@@ -257,8 +256,8 @@ ossl_spki_set_challenge(VALUE self, VALUE str)
     StringValue(str);
     GetSPKI(self, spki);
     if (!ASN1_STRING_set(spki->spkac->challenge, RSTRING_PTR(str),
-			 RSTRING_LENINT(str))) {
-	ossl_raise(eSPKIError, NULL);
+                         RSTRING_LENINT(str))) {
+        ossl_raise(eSPKIError, NULL);
     }
 
     return str;
@@ -283,13 +282,13 @@ ossl_spki_sign(VALUE self, VALUE key, VALUE digest)
     NETSCAPE_SPKI *spki;
     EVP_PKEY *pkey;
     const EVP_MD *md;
+    VALUE md_holder;
 
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    md = ossl_evp_get_digestbyname(digest);
+    md = ossl_evp_md_fetch(digest, &md_holder);
     GetSPKI(self, spki);
-    if (!NETSCAPE_SPKI_sign(spki, pkey, md)) {
-	ossl_raise(eSPKIError, NULL);
-    }
+    if (!NETSCAPE_SPKI_sign(spki, pkey, md))
+        ossl_raise(eSPKIError, "NETSCAPE_SPKI_sign");
 
     return self;
 }
@@ -315,12 +314,12 @@ ossl_spki_verify(VALUE self, VALUE key)
     ossl_pkey_check_public_key(pkey);
     switch (NETSCAPE_SPKI_verify(spki, pkey)) {
       case 0:
-	ossl_clear_error();
-	return Qfalse;
+        ossl_clear_error();
+        return Qfalse;
       case 1:
-	return Qtrue;
+        return Qtrue;
       default:
-	ossl_raise(eSPKIError, "NETSCAPE_SPKI_verify");
+        ossl_raise(eSPKIError, "NETSCAPE_SPKI_verify");
     }
 }
 
@@ -378,11 +377,6 @@ ossl_spki_verify(VALUE self, VALUE key)
 void
 Init_ossl_ns_spki(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-#endif
-
     mNetscape = rb_define_module_under(mOSSL, "Netscape");
 
     eSPKIError = rb_define_class_under(mNetscape, "SPKIError", eOSSLError);