rubysl-openssl 1.0.2 → 2.0.0

data/ext/rubysl/openssl/ossl_cipher.h

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_cipher.h 12496 2007-06-08 15:02:04Z technorama $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.

data/ext/rubysl/openssl/ossl_config.c

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_config.c 29856 2010-11-22 07:21:45Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -17,12 +17,10 @@
 VALUE cConfig;
 VALUE eConfigError;
 
-/* 
- * Public 
+/*
+ * Public
  */
 
-static CONF *parse_config(VALUE, CONF*);
-
 /*
  * GetConfigPtr is a public C-level function for getting OpenSSL CONF struct
  * from an OpenSSL::Config(eConfig) instance.  We decided to implement
@@ -57,6 +55,7 @@ GetConfigPtr(VALUE obj)
     return conf;
 }
 
+
 /*
  * INIT
  */

data/ext/rubysl/openssl/ossl_config.h

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_config.h 11708 2007-02-12 23:01:19Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.

data/ext/rubysl/openssl/ossl_digest.c

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_digest.c 15600 2008-02-25 08:48:57Z technorama $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -11,14 +11,14 @@
 #include "ossl.h"
 
 #define GetDigest(obj, ctx) do { \
-    Data_Get_Struct(obj, EVP_MD_CTX, ctx); \
-    if (!ctx) { \
+    Data_Get_Struct((obj), EVP_MD_CTX, (ctx)); \
+    if (!(ctx)) { \
 	ossl_raise(rb_eRuntimeError, "Digest CTX wasn't initialized!"); \
     } \
 } while (0)
 #define SafeGetDigest(obj, ctx) do { \
-    OSSL_Check_Kind(obj, cDigest); \
-    GetDigest(obj, ctx); \
+    OSSL_Check_Kind((obj), cDigest); \
+    GetDigest((obj), (ctx)); \
 } while (0)
 
 /*
@@ -36,12 +36,18 @@ const EVP_MD *
 GetDigestPtr(VALUE obj)
 {
     const EVP_MD *md;
+    ASN1_OBJECT *oid = NULL;
 
     if (TYPE(obj) == T_STRING) {
-    	const char *name = STR2CSTR(obj);
-
-        md = EVP_get_digestbyname(name);
-        if (!md)
+    	const char *name = StringValueCStr(obj);
+
+	md = EVP_get_digestbyname(name);
+	if (!md) {
+	    oid = OBJ_txt2obj(name, 0);
+	    md = EVP_get_digestbyobj(oid);
+	    ASN1_OBJECT_free(oid);
+	}
+	if(!md)
             ossl_raise(rb_eRuntimeError, "Unsupported digest algorithm (%s).", name);
     } else {
         EVP_MD_CTX *ctx;
@@ -56,14 +62,16 @@ GetDigestPtr(VALUE obj)
 
 VALUE
 ossl_digest_new(const EVP_MD *md)
-{  
+{
     VALUE ret;
     EVP_MD_CTX *ctx;
 
     ret = ossl_digest_alloc(cDigest);
     GetDigest(ret, ctx);
-    EVP_DigestInit_ex(ctx, md, NULL);
-   
+    if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
+	ossl_raise(eDigestError, "Digest initialization failed.");
+    }
+
     return ret;
 }
 
@@ -88,7 +96,20 @@ VALUE ossl_digest_update(VALUE, VALUE);
 
 /*
  *  call-seq:
- *     Digest.new(string) -> digest
+ *     Digest.new(string [, data]) -> Digest
+ *
+ * Creates a Digest instance based on +string+, which is either the ln
+ * (long name) or sn (short name) of a supported digest algorithm.
+ * If +data+ (a +String+) is given, it is used as the initial input to the
+ * Digest instance, i.e.
+ *   digest = OpenSSL::Digest.new('sha256', 'digestdata')
+ * is equal to
+ *   digest = OpenSSL::Digest.new('sha256')
+ *   digest.update('digestdata')
+ *
+ * === Example
+ *   digest = OpenSSL::Digest.new('sha1')
+ *
  *
  */
 static VALUE
@@ -96,7 +117,6 @@ ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
 {
     EVP_MD_CTX *ctx;
     const EVP_MD *md;
-    char *name;
     VALUE type, data;
 
     rb_scan_args(argc, argv, "11", &type, &data);
@@ -104,8 +124,10 @@ ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(data)) StringValue(data);
 
     GetDigest(self, ctx);
-    EVP_DigestInit_ex(ctx, md, NULL);
-    
+    if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
+	ossl_raise(eDigestError, "Digest initialization failed.");
+    }
+
     if (!NIL_P(data)) return ossl_digest_update(self, data);
     return self;
 }
@@ -114,7 +136,7 @@ static VALUE
 ossl_digest_copy(VALUE self, VALUE other)
 {
     EVP_MD_CTX *ctx1, *ctx2;
-    
+
     rb_check_frozen(self);
     if (self == other) return self;
 
@@ -131,6 +153,9 @@ ossl_digest_copy(VALUE self, VALUE other)
  *  call-seq:
  *     digest.reset -> self
  *
+ * Resets the Digest in the sense that any Digest#update that has been
+ * performed is abandoned and the Digest is set to its initial state again.
+ *
  */
 static VALUE
 ossl_digest_reset(VALUE self)
@@ -138,7 +163,9 @@ ossl_digest_reset(VALUE self)
     EVP_MD_CTX *ctx;
 
     GetDigest(self, ctx);
-    EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL);
+    if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
+	ossl_raise(eDigestError, "Digest initialization failed.");
+    }
 
     return self;
 }
@@ -147,6 +174,16 @@ ossl_digest_reset(VALUE self)
  *  call-seq:
  *     digest.update(string) -> aString
  *
+ * Not every message digest can be computed in one single pass. If a message
+ * digest is to be computed from several subsequent sources, then each may
+ * be passed individually to the Digest instance.
+ *
+ * === Example
+ *   digest = OpenSSL::Digest::SHA256.new
+ *   digest.update('First input')
+ *   digest << 'Second input' # equivalent to digest.update('Second input')
+ *   result = digest.digest
+ *
  */
 VALUE
 ossl_digest_update(VALUE self, VALUE data)
@@ -182,7 +219,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
         rb_str_resize(str, EVP_MD_CTX_size(ctx));
     }
 
-    EVP_DigestFinal_ex(ctx, RSTRING_PTR(str), NULL);
+    EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL);
 
     return str;
 }
@@ -191,6 +228,12 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
  *  call-seq:
  *      digest.name -> string
  *
+ * Returns the sn of this Digest instance.
+ *
+ * === Example
+ *   digest = OpenSSL::Digest::SHA512.new
+ *   puts digest.name # => SHA512
+ *
  */
 static VALUE
 ossl_digest_name(VALUE self)
@@ -204,9 +247,15 @@ ossl_digest_name(VALUE self)
 
 /*
  *  call-seq:
- *      digest.digest_size -> integer
+ *      digest.digest_length -> integer
+ *
+ * Returns the output size of the digest, i.e. the length in bytes of the
+ * final message digest result.
+ *
+ * === Example
+ *   digest = OpenSSL::Digest::SHA1.new
+ *   puts digest.digest_length # => 20
  *
- *  Returns the output size of the digest.
  */
 static VALUE
 ossl_digest_size(VALUE self)
@@ -218,6 +267,19 @@ ossl_digest_size(VALUE self)
     return INT2NUM(EVP_MD_CTX_size(ctx));
 }
 
+/*
+ *  call-seq:
+ *      digest.block_length -> integer
+ *
+ * Returns the block length of the digest algorithm, i.e. the length in bytes
+ * of an individual block. Most modern algorithms partition a message to be
+ * digested into a sequence of fix-sized blocks that are processed
+ * consecutively.
+ *
+ * === Example
+ *   digest = OpenSSL::Digest::SHA1.new
+ *   puts digest.block_length # => 64
+ */
 static VALUE
 ossl_digest_block_length(VALUE self)
 {
@@ -234,13 +296,133 @@ ossl_digest_block_length(VALUE self)
 void
 Init_ossl_digest()
 {
-#if 0 /* let rdoc know about mOSSL */
-    mOSSL = rb_define_module("OpenSSL");
+    rb_require("digest");
+
+#if 0
+    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
 #endif
 
+    /* Document-class: OpenSSL::Digest
+     *
+     * OpenSSL::Digest allows you to compute message digests (sometimes
+     * interchangeably called "hashes") of arbitrary data that are
+     * cryptographically secure, i.e. a Digest implements a secure one-way
+     * function.
+     *
+     * One-way functions offer some useful properties. E.g. given two
+     * distinct inputs the probability that both yield the same output
+     * is highly unlikely. Combined with the fact that every message digest
+     * algorithm has a fixed-length output of just a few bytes, digests are
+     * often used to create unique identifiers for arbitrary data. A common
+     * example is the creation of a unique id for binary documents that are
+     * stored in a database.
+     *
+     * Another useful characteristic of one-way functions (and thus the name)
+     * is that given a digest there is no indication about the original
+     * data that produced it, i.e. the only way to identify the original input
+     * is to "brute-force" through every possible combination of inputs.
+     *
+     * These characteristics make one-way functions also ideal companions
+     * for public key signature algorithms: instead of signing an entire
+     * document, first a hash of the document is produced with a considerably
+     * faster message digest algorithm and only the few bytes of its output
+     * need to be signed using the slower public key algorithm. To validate
+     * the integrity of a signed document, it suffices to re-compute the hash
+     * and verify that it is equal to that in the signature.
+     *
+     * Among the supported message digest algorithms are:
+     * * SHA, SHA1, SHA224, SHA256, SHA384 and SHA512
+     * * MD2, MD4, MDC2 and MD5
+     * * RIPEMD160
+     * * DSS, DSS1 (Pseudo algorithms to be used for DSA signatures. DSS is
+     *   equal to SHA and DSS1 is equal to SHA1)
+     *
+     * For each of these algorithms, there is a sub-class of Digest that
+     * can be instantiated as simply as e.g.
+     *
+     *   digest = OpenSSL::Digest::SHA1.new
+     *
+     * === Mapping between Digest class and sn/ln
+     *
+     * The sn (short names) and ln (long names) are defined in
+     * <openssl/object.h> and <openssl/obj_mac.h>. They are textual
+     * representations of ASN.1 OBJECT IDENTIFIERs. Each supported digest
+     * algorithm has an OBJECT IDENTIFIER associated to it and those again
+     * have short/long names assigned to them.
+     * E.g. the OBJECT IDENTIFIER for SHA-1 is 1.3.14.3.2.26 and its
+     * sn is "SHA1" and its ln is "sha1".
+     * ==== MD2
+     * * sn: MD2
+     * * ln: md2
+     * ==== MD4
+     * * sn: MD4
+     * * ln: md4
+     * ==== MD5
+     * * sn: MD5
+     * * ln: md5
+     * ==== SHA
+     * * sn: SHA
+     * * ln: SHA
+     * ==== SHA-1
+     * * sn: SHA1
+     * * ln: sha1
+     * ==== SHA-224
+     * * sn: SHA224
+     * * ln: sha224
+     * ==== SHA-256
+     * * sn: SHA256
+     * * ln: sha256
+     * ==== SHA-384
+     * * sn: SHA384
+     * * ln: sha384
+     * ==== SHA-512
+     * * sn: SHA512
+     * * ln: sha512
+     *
+     * "Breaking" a message digest algorithm means defying its one-way
+     * function characteristics, i.e. producing a collision or finding a way
+     * to get to the original data by means that are more efficient than
+     * brute-forcing etc. Most of the supported digest algorithms can be
+     * considered broken in this sense, even the very popular MD5 and SHA1
+     * algorithms. Should security be your highest concern, then you should
+     * probably rely on SHA224, SHA256, SHA384 or SHA512.
+     *
+     * === Hashing a file
+     *
+     *   data = File.read('document')
+     *   sha256 = OpenSSL::Digest::SHA256.new
+     *   digest = sha256.digest(data)
+     *
+     * === Hashing several pieces of data at once
+     *
+     *   data1 = File.read('file1')
+     *   data2 = File.read('file2')
+     *   data3 = File.read('file3')
+     *   sha256 = OpenSSL::Digest::SHA256.new
+     *   sha256 << data1
+     *   sha256 << data2
+     *   sha256 << data3
+     *   digest = sha256.digest
+     *
+     * === Reuse a Digest instance
+     *
+     *   data1 = File.read('file1')
+     *   sha256 = OpenSSL::Digest::SHA256.new
+     *   digest1 = sha256.digest(data1)
+     *
+     *   data2 = File.read('file2')
+     *   sha256.reset
+     *   digest2 = sha256.digest(data2)
+     *
+     */
     cDigest = rb_define_class_under(mOSSL, "Digest", rb_path2class("Digest::Class"));
+    /* Document-class: OpenSSL::Digest::DigestError
+     *
+     * Generic Exception class that is raised if an error occurs during a
+     * Digest operation.
+     */
     eDigestError = rb_define_class_under(cDigest, "DigestError", eOSSLError);
-	
+
     rb_define_alloc_func(cDigest, ossl_digest_alloc);
 
     rb_define_method(cDigest, "initialize", ossl_digest_initialize, -1);

data/ext/rubysl/openssl/ossl_digest.h

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl_digest.h 12496 2007-06-08 15:02:04Z technorama $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.

data/ext/rubysl/openssl/ossl_engine.c

@@ -13,23 +13,23 @@
 #if defined(OSSL_ENGINE_ENABLED)
 
 #define WrapEngine(klass, obj, engine) do { \
-    if (!engine) { \
+    if (!(engine)) { \
 	ossl_raise(rb_eRuntimeError, "ENGINE wasn't initialized."); \
     } \
-    obj = Data_Wrap_Struct(klass, 0, ENGINE_free, engine); \
+    (obj) = Data_Wrap_Struct((klass), 0, ENGINE_free, (engine)); \
 } while(0)
 #define GetEngine(obj, engine) do { \
-    Data_Get_Struct(obj, ENGINE, engine); \
-    if (!engine) { \
+    Data_Get_Struct((obj), ENGINE, (engine)); \
+    if (!(engine)) { \
         ossl_raise(rb_eRuntimeError, "ENGINE wasn't initialized."); \
     } \
 } while (0)
 #define SafeGetEngine(obj, engine) do { \
-    OSSL_Check_Kind(obj, cEngine); \
-    GetPKCS7(obj, engine); \
+    OSSL_Check_Kind((obj), cEngine); \
+    GetPKCS7((obj), (engine)); \
 } while (0)
 
-/* 
+/*
  * Classes
  */
 VALUE cEngine;
@@ -64,29 +64,47 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
 #if HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
 #endif
-#if HAVE_ENGINE_LOAD_CSWIFT
-    OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#if HAVE_ENGINE_LOAD_4758CCA
+    OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
 #endif
-#if HAVE_ENGINE_LOAD_CHIL
-    OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#if HAVE_ENGINE_LOAD_AEP
+    OSSL_ENGINE_LOAD_IF_MATCH(aep);
 #endif
 #if HAVE_ENGINE_LOAD_ATALLA
     OSSL_ENGINE_LOAD_IF_MATCH(atalla);
 #endif
+#if HAVE_ENGINE_LOAD_CHIL
+    OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#endif
+#if HAVE_ENGINE_LOAD_CSWIFT
+    OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#endif
 #if HAVE_ENGINE_LOAD_NURON
     OSSL_ENGINE_LOAD_IF_MATCH(nuron);
 #endif
+#if HAVE_ENGINE_LOAD_SUREWARE
+    OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#endif
 #if HAVE_ENGINE_LOAD_UBSEC
     OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
 #endif
-#if HAVE_ENGINE_LOAD_AEP
-    OSSL_ENGINE_LOAD_IF_MATCH(aep);
+#if HAVE_ENGINE_LOAD_PADLOCK
+    OSSL_ENGINE_LOAD_IF_MATCH(padlock);
 #endif
-#if HAVE_ENGINE_LOAD_SUREWARE
-    OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#if HAVE_ENGINE_LOAD_CAPI
+    OSSL_ENGINE_LOAD_IF_MATCH(capi);
 #endif
-#if HAVE_ENGINE_LOAD_4758CCA
-    OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
+#if HAVE_ENGINE_LOAD_GMP
+    OSSL_ENGINE_LOAD_IF_MATCH(gmp);
+#endif
+#if HAVE_ENGINE_LOAD_GOST
+    OSSL_ENGINE_LOAD_IF_MATCH(gost);
+#endif
+#if HAVE_ENGINE_LOAD_CRYPTODEV
+    OSSL_ENGINE_LOAD_IF_MATCH(cryptodev);
+#endif
+#if HAVE_ENGINE_LOAD_AESNI
+    OSSL_ENGINE_LOAD_IF_MATCH(aesni);
 #endif
 #endif
 #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
@@ -115,7 +133,11 @@ ossl_engine_s_engines(VALUE klass)
 
     ary = rb_ary_new();
     for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)){
-        WrapEngine(klass, obj, e);
+	/* Need a ref count of two here because of ENGINE_free being
+	 * called internally by OpenSSL when moving to the next ENGINE
+	 * and by us when releasing the ENGINE reference */
+	ENGINE_up_ref(e);
+	WrapEngine(klass, obj, e);
         rb_ary_push(ary, obj);
     }
 
@@ -137,7 +159,7 @@ ossl_engine_s_by_id(VALUE klass, VALUE id)
     if(!ENGINE_init(e))
 	ossl_raise(eEngineError, NULL);
     ENGINE_ctrl(e, ENGINE_CTRL_SET_PASSWORD_CALLBACK,
-                0, NULL, (void(*)(void))ossl_pem_passwd_cb);
+		0, NULL, (void(*)(void))ossl_pem_passwd_cb);
     ERR_clear_error();
 
     return obj;
@@ -184,10 +206,10 @@ ossl_engine_finish(VALUE self)
     return Qnil;
 }
 
+#if defined(HAVE_ENGINE_GET_CIPHER)
 static VALUE
 ossl_engine_get_cipher(VALUE self, VALUE name)
 {
-#if defined(HAVE_ENGINE_GET_CIPHER)
     ENGINE *e;
     const EVP_CIPHER *ciph, *tmp;
     char *s;
@@ -202,15 +224,15 @@ ossl_engine_get_cipher(VALUE self, VALUE name)
     if(!ciph) ossl_raise(eEngineError, NULL);
 
     return ossl_cipher_new(ciph);
+}
 #else
-    rb_notimplement();
+#define ossl_engine_get_cipher rb_f_notimplement
 #endif
-}
 
+#if defined(HAVE_ENGINE_GET_DIGEST)
 static VALUE
 ossl_engine_get_digest(VALUE self, VALUE name)
 {
-#if defined(HAVE_ENGINE_GET_DIGEST)
     ENGINE *e;
     const EVP_MD *md, *tmp;
     char *s;
@@ -225,10 +247,10 @@ ossl_engine_get_digest(VALUE self, VALUE name)
     if(!md) ossl_raise(eEngineError, NULL);
 
     return ossl_digest_new(md);
+}
 #else
-    rb_notimplement();
+#define ossl_engine_get_digest rb_f_notimplement
 #endif
-}
 
 static VALUE
 ossl_engine_load_privkey(int argc, VALUE *argv, VALUE self)
@@ -345,7 +367,7 @@ ossl_engine_inspect(VALUE self)
 {
     VALUE str;
     const char *cname = rb_class2name(rb_obj_class(self));
-    
+
     str = rb_str_new2("#<");
     rb_str_cat2(str, cname);
     rb_str_cat2(str, " id=\"");