rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/ossl_pkey_dsa.c

@@ -7,19 +7,35 @@
  * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
-#if !defined(OPENSSL_NO_DSA)
-
 #include "ossl.h"
 
+#if !defined(OPENSSL_NO_DSA)
+
 #define GetPKeyDSA(obj, pkey) do { \
     GetPKey((obj), (pkey)); \
-    if (EVP_PKEY_type((pkey)->type) != EVP_PKEY_DSA) { /* PARANOIA? */ \
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DSA) { /* PARANOIA? */ \
 	ossl_raise(rb_eRuntimeError, "THIS IS NOT A DSA!"); \
     } \
 } while (0)
+#define GetDSA(obj, dsa) do { \
+    EVP_PKEY *_pkey; \
+    GetPKeyDSA((obj), _pkey); \
+    (dsa) = EVP_PKEY_get0_DSA(_pkey); \
+} while (0)
+
+static inline int
+DSA_HAS_PRIVATE(DSA *dsa)
+{
+    const BIGNUM *bn;
+    DSA_get0_key(dsa, NULL, &bn);
+    return !!bn;
+}
 
-#define DSA_HAS_PRIVATE(dsa) ((dsa)->priv_key)
-#define DSA_PRIVATE(obj,dsa) (DSA_HAS_PRIVATE(dsa)||OSSL_PKEY_IS_PRIVATE(obj))
+static inline int
+DSA_PRIVATE(VALUE obj, DSA *dsa)
+{
+    return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
+}
 
 /*
  * Classes
@@ -61,7 +77,7 @@ ossl_dsa_new(EVP_PKEY *pkey)
 	obj = dsa_instance(cDSA, DSA_new());
     } else {
 	obj = NewPKey(cDSA);
-	if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DSA) {
+	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DSA) {
 	    ossl_raise(rb_eTypeError, "Not a DSA key!");
 	}
 	SetPKey(obj, pkey);
@@ -76,12 +92,9 @@ ossl_dsa_new(EVP_PKEY *pkey)
 /*
  * Private
  */
-#if defined(HAVE_DSA_GENERATE_PARAMETERS_EX) && HAVE_BN_GENCB
 struct dsa_blocking_gen_arg {
     DSA *dsa;
     int size;
-    unsigned char* seed;
-    int seed_len;
     int *counter;
     unsigned long *h;
     BN_GENCB *cb;
@@ -92,40 +105,35 @@ static void *
 dsa_blocking_gen(void *arg)
 {
     struct dsa_blocking_gen_arg *gen = (struct dsa_blocking_gen_arg *)arg;
-    gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, gen->seed, gen->seed_len, gen->counter, gen->h, gen->cb);
+    gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, NULL, 0,
+					     gen->counter, gen->h, gen->cb);
     return 0;
 }
-#endif
 
 static DSA *
 dsa_generate(int size)
 {
-#if defined(HAVE_DSA_GENERATE_PARAMETERS_EX) && HAVE_BN_GENCB
-    BN_GENCB cb;
-    struct ossl_generate_cb_arg cb_arg;
+    struct ossl_generate_cb_arg cb_arg = { 0 };
     struct dsa_blocking_gen_arg gen_arg;
     DSA *dsa = DSA_new();
-    unsigned char seed[20];
-    int seed_len = 20, counter;
+    BN_GENCB *cb = BN_GENCB_new();
+    int counter;
     unsigned long h;
 
-    if (!dsa) return 0;
-    if (RAND_bytes(seed, seed_len) <= 0) {
+    if (!dsa || !cb) {
 	DSA_free(dsa);
-	return 0;
+	BN_GENCB_free(cb);
+	return NULL;
     }
 
-    memset(&cb_arg, 0, sizeof(struct ossl_generate_cb_arg));
     if (rb_block_given_p())
 	cb_arg.yield = 1;
-    BN_GENCB_set(&cb, ossl_generate_cb_2, &cb_arg);
+    BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
     gen_arg.dsa = dsa;
     gen_arg.size = size;
-    gen_arg.seed = seed;
-    gen_arg.seed_len = seed_len;
     gen_arg.counter = &counter;
     gen_arg.h = &h;
-    gen_arg.cb = &cb;
+    gen_arg.cb = cb;
     if (cb_arg.yield == 1) {
 	/* we cannot release GVL when callback proc is supplied */
 	dsa_blocking_gen(&gen_arg);
@@ -133,28 +141,24 @@ dsa_generate(int size)
 	/* there's a chance to unblock */
 	rb_thread_call_without_gvl(dsa_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg);
     }
+
+    BN_GENCB_free(cb);
     if (!gen_arg.result) {
 	DSA_free(dsa);
-	if (cb_arg.state) rb_jump_tag(cb_arg.state);
-	return 0;
-    }
-#else
-    DSA *dsa;
-    unsigned char seed[20];
-    int seed_len = 20, counter;
-    unsigned long h;
-
-    if (RAND_bytes(seed, seed_len) <= 0) {
-	return 0;
+	if (cb_arg.state) {
+	    /* Clear OpenSSL error queue before re-raising. By the way, the
+	     * documentation of DSA_generate_parameters_ex() says the error code
+	     * can be obtained by ERR_get_error(), but the default
+	     * implementation, dsa_builtin_paramgen() doesn't put any error... */
+	    ossl_clear_error();
+	    rb_jump_tag(cb_arg.state);
+	}
+	return NULL;
     }
-    dsa = DSA_generate_parameters(size, seed, seed_len, &counter, &h,
-	    rb_block_given_p() ? ossl_generate_cb : NULL, NULL);
-    if(!dsa) return 0;
-#endif
 
     if (!DSA_generate_key(dsa)) {
 	DSA_free(dsa);
-	return 0;
+	return NULL;
     }
 
     return dsa;
@@ -187,7 +191,9 @@ ossl_dsa_s_generate(VALUE klass, VALUE size)
 
 /*
  *  call-seq:
- *    DSA.new([size | string [, pass]) -> dsa
+ *    DSA.new -> dsa
+ *    DSA.new(size) -> dsa
+ *    DSA.new(string [, pass]) -> dsa
  *
  * Creates a new DSA instance by reading an existing key from +string+.
  *
@@ -209,23 +215,22 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
     EVP_PKEY *pkey;
     DSA *dsa;
     BIO *in;
-    char *passwd = NULL;
     VALUE arg, pass;
 
     GetPKey(self, pkey);
     if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {
         dsa = DSA_new();
     }
-    else if (FIXNUM_P(arg)) {
-	if (!(dsa = dsa_generate(FIX2INT(arg)))) {
+    else if (RB_INTEGER_TYPE_P(arg)) {
+	if (!(dsa = dsa_generate(NUM2INT(arg)))) {
 	    ossl_raise(eDSAError, NULL);
 	}
     }
     else {
-	if (!NIL_P(pass)) passwd = StringValuePtr(pass);
+	pass = ossl_pem_passwd_value(pass);
 	arg = ossl_to_der_if_possible(arg);
-	in = ossl_obj2bio(arg);
-	dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd);
+	in = ossl_obj2bio(&arg);
+	dsa = PEM_read_bio_DSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass);
 	if (!dsa) {
 	    OSSL_BIO_reset(in);
 	    dsa = PEM_read_bio_DSA_PUBKEY(in, NULL, NULL, NULL);
@@ -240,11 +245,14 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
 	}
 	if (!dsa) {
 	    OSSL_BIO_reset(in);
+#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
+	(d2i_of_void *)d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void **)(x), (cb), (u))
 	    dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
+#undef PEM_read_bio_DSAPublicKey
 	}
 	BIO_free(in);
 	if (!dsa) {
-	    ERR_clear_error();
+	    ossl_clear_error();
 	    ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
 	}
     }
@@ -256,6 +264,26 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
     return self;
 }
 
+static VALUE
+ossl_dsa_initialize_copy(VALUE self, VALUE other)
+{
+    EVP_PKEY *pkey;
+    DSA *dsa, *dsa_new;
+
+    GetPKey(self, pkey);
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
+	ossl_raise(eDSAError, "DSA already initialized");
+    GetDSA(other, dsa);
+
+    dsa_new = ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, (d2i_of_void *)d2i_DSAPrivateKey, (char *)dsa);
+    if (!dsa_new)
+	ossl_raise(eDSAError, "ASN1_dup");
+
+    EVP_PKEY_assign_DSA(pkey, dsa_new);
+
+    return self;
+}
+
 /*
  *  call-seq:
  *    dsa.public? -> true | false
@@ -266,11 +294,13 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_dsa_is_public(VALUE self)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
+    const BIGNUM *bn;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
+    DSA_get0_key(dsa, &bn, NULL);
 
-    return (pkey->pkey.dsa->pub_key) ? Qtrue : Qfalse;
+    return bn ? Qtrue : Qfalse;
 }
 
 /*
@@ -283,11 +313,11 @@ ossl_dsa_is_public(VALUE self)
 static VALUE
 ossl_dsa_is_private(VALUE self)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
 
-    return (DSA_PRIVATE(self, pkey->pkey.dsa)) ? Qtrue : Qfalse;
+    return DSA_PRIVATE(self, dsa) ? Qtrue : Qfalse;
 }
 
 /*
@@ -310,34 +340,28 @@ ossl_dsa_is_private(VALUE self)
 static VALUE
 ossl_dsa_export(int argc, VALUE *argv, VALUE self)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
     BIO *out;
     const EVP_CIPHER *ciph = NULL;
-    char *passwd = NULL;
     VALUE cipher, pass, str;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
     rb_scan_args(argc, argv, "02", &cipher, &pass);
     if (!NIL_P(cipher)) {
 	ciph = GetCipherPtr(cipher);
-	if (!NIL_P(pass)) {
-	    StringValue(pass);
-	    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
-		ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
-	    passwd = RSTRING_PTR(pass);
-	}
+	pass = ossl_pem_passwd_value(pass);
     }
     if (!(out = BIO_new(BIO_s_mem()))) {
 	ossl_raise(eDSAError, NULL);
     }
-    if (DSA_HAS_PRIVATE(pkey->pkey.dsa)) {
-	if (!PEM_write_bio_DSAPrivateKey(out, pkey->pkey.dsa, ciph,
-					 NULL, 0, ossl_pem_passwd_cb, passwd)){
+    if (DSA_HAS_PRIVATE(dsa)) {
+	if (!PEM_write_bio_DSAPrivateKey(out, dsa, ciph, NULL, 0,
+					 ossl_pem_passwd_cb, (void *)pass)){
 	    BIO_free(out);
 	    ossl_raise(eDSAError, NULL);
 	}
     } else {
-	if (!PEM_write_bio_DSA_PUBKEY(out, pkey->pkey.dsa)) {
+	if (!PEM_write_bio_DSA_PUBKEY(out, dsa)) {
 	    BIO_free(out);
 	    ossl_raise(eDSAError, NULL);
 	}
@@ -357,28 +381,29 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_dsa_to_der(VALUE self)
 {
-    EVP_PKEY *pkey;
-    int (*i2d_func)_((DSA*, unsigned char**));
+    DSA *dsa;
+    int (*i2d_func)(DSA *, unsigned char **);
     unsigned char *p;
     long len;
     VALUE str;
 
-    GetPKeyDSA(self, pkey);
-    if(DSA_HAS_PRIVATE(pkey->pkey.dsa))
-	i2d_func = (int(*)_((DSA*,unsigned char**)))i2d_DSAPrivateKey;
+    GetDSA(self, dsa);
+    if(DSA_HAS_PRIVATE(dsa))
+	i2d_func = (int (*)(DSA *,unsigned char **))i2d_DSAPrivateKey;
     else
 	i2d_func = i2d_DSA_PUBKEY;
-    if((len = i2d_func(pkey->pkey.dsa, NULL)) <= 0)
+    if((len = i2d_func(dsa, NULL)) <= 0)
 	ossl_raise(eDSAError, NULL);
     str = rb_str_new(0, len);
     p = (unsigned char *)RSTRING_PTR(str);
-    if(i2d_func(pkey->pkey.dsa, &p) < 0)
+    if(i2d_func(dsa, &p) < 0)
 	ossl_raise(eDSAError, NULL);
     ossl_str_adjust(str, p);
 
     return str;
 }
 
+
 /*
  *  call-seq:
  *    dsa.params -> hash
@@ -390,18 +415,20 @@ ossl_dsa_to_der(VALUE self)
 static VALUE
 ossl_dsa_get_params(VALUE self)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
     VALUE hash;
+    const BIGNUM *p, *q, *g, *pub_key, *priv_key;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
+    DSA_get0_pqg(dsa, &p, &q, &g);
+    DSA_get0_key(dsa, &pub_key, &priv_key);
 
     hash = rb_hash_new();
-
-    rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(pkey->pkey.dsa->p));
-    rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(pkey->pkey.dsa->q));
-    rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(pkey->pkey.dsa->g));
-    rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(pkey->pkey.dsa->pub_key));
-    rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(pkey->pkey.dsa->priv_key));
+    rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(p));
+    rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(q));
+    rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(g));
+    rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(pub_key));
+    rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(priv_key));
 
     return hash;
 }
@@ -417,15 +444,15 @@ ossl_dsa_get_params(VALUE self)
 static VALUE
 ossl_dsa_to_text(VALUE self)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
     BIO *out;
     VALUE str;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
     if (!(out = BIO_new(BIO_s_mem()))) {
 	ossl_raise(eDSAError, NULL);
     }
-    if (!DSA_print(out, pkey->pkey.dsa, 0)) { /* offset = 0 */
+    if (!DSA_print(out, dsa, 0)) { /* offset = 0 */
 	BIO_free(out);
 	ossl_raise(eDSAError, NULL);
     }
@@ -460,8 +487,11 @@ ossl_dsa_to_public_key(VALUE self)
 
     GetPKeyDSA(self, pkey);
     /* err check performed by dsa_instance */
-    dsa = DSAPublicKey_dup(pkey->pkey.dsa);
-    obj = dsa_instance(CLASS_OF(self), dsa);
+#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \
+	(i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
+    dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
+#undef DSAPublicKey_dup
+    obj = dsa_instance(rb_obj_class(self), dsa);
     if (obj == Qfalse) {
 	DSA_free(dsa);
 	ossl_raise(eDSAError, NULL);
@@ -469,8 +499,6 @@ ossl_dsa_to_public_key(VALUE self)
     return obj;
 }
 
-#define ossl_dsa_buf_size(pkey) (DSA_size((pkey)->pkey.dsa)+16)
-
 /*
  *  call-seq:
  *    dsa.syssign(string) -> aString
@@ -493,20 +521,22 @@ ossl_dsa_to_public_key(VALUE self)
 static VALUE
 ossl_dsa_sign(VALUE self, VALUE data)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
+    const BIGNUM *dsa_q;
     unsigned int buf_len;
     VALUE str;
 
-    GetPKeyDSA(self, pkey);
-    if (!pkey->pkey.dsa->q)
+    GetDSA(self, dsa);
+    DSA_get0_pqg(dsa, NULL, &dsa_q, NULL);
+    if (!dsa_q)
 	ossl_raise(eDSAError, "incomplete DSA");
-    if (!DSA_PRIVATE(self, pkey->pkey.dsa))
+    if (!DSA_PRIVATE(self, dsa))
 	ossl_raise(eDSAError, "Private DSA key needed!");
     StringValue(data);
-    str = rb_str_new(0, ossl_dsa_buf_size(pkey));
+    str = rb_str_new(0, DSA_size(dsa));
     if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
 		  (unsigned char *)RSTRING_PTR(str),
-		  &buf_len, pkey->pkey.dsa)) { /* type is ignored (0) */
+		  &buf_len, dsa)) { /* type is ignored (0) */
 	ossl_raise(eDSAError, NULL);
     }
     rb_str_set_len(str, buf_len);
@@ -536,15 +566,15 @@ ossl_dsa_sign(VALUE self, VALUE data)
 static VALUE
 ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
 {
-    EVP_PKEY *pkey;
+    DSA *dsa;
     int ret;
 
-    GetPKeyDSA(self, pkey);
+    GetDSA(self, dsa);
     StringValue(digest);
     StringValue(sig);
     /* type is ignored (0) */
     ret = DSA_verify(0, (unsigned char *)RSTRING_PTR(digest), RSTRING_LENINT(digest),
-		     (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey->pkey.dsa);
+		     (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), dsa);
     if (ret < 0) {
 	ossl_raise(eDSAError, NULL);
     }
@@ -555,11 +585,22 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
     return Qfalse;
 }
 
-OSSL_PKEY_BN(dsa, p)
-OSSL_PKEY_BN(dsa, q)
-OSSL_PKEY_BN(dsa, g)
-OSSL_PKEY_BN(dsa, pub_key)
-OSSL_PKEY_BN(dsa, priv_key)
+/*
+ * Document-method: OpenSSL::PKey::DSA#set_pqg
+ * call-seq:
+ *   dsa.set_pqg(p, q, g) -> self
+ *
+ * Sets +p+, +q+, +g+ for the DSA instance.
+ */
+OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g)
+/*
+ * Document-method: OpenSSL::PKey::DSA#set_key
+ * call-seq:
+ *   dsa.set_key(pub_key, priv_key) -> self
+ *
+ * Sets +pub_key+ and +priv_key+ for the DSA instance. +priv_key+ may be nil.
+ */
+OSSL_PKEY_BN_DEF2(dsa, DSA, key, pub_key, priv_key)
 
 /*
  * INIT
@@ -568,8 +609,9 @@ void
 Init_ossl_dsa(void)
 {
 #if 0
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
     mPKey = rb_define_module_under(mOSSL, "PKey");
+    cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
+    ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
 #endif
 
     /* Document-class: OpenSSL::PKey::DSAError
@@ -596,6 +638,7 @@ Init_ossl_dsa(void)
 
     rb_define_singleton_method(cDSA, "generate", ossl_dsa_s_generate, 1);
     rb_define_method(cDSA, "initialize", ossl_dsa_initialize, -1);
+    rb_define_copy_func(cDSA, ossl_dsa_initialize_copy);
 
     rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);
     rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);
@@ -613,6 +656,8 @@ Init_ossl_dsa(void)
     DEF_OSSL_PKEY_BN(cDSA, dsa, g);
     DEF_OSSL_PKEY_BN(cDSA, dsa, pub_key);
     DEF_OSSL_PKEY_BN(cDSA, dsa, priv_key);
+    rb_define_method(cDSA, "set_pqg", ossl_dsa_set_pqg, 3);
+    rb_define_method(cDSA, "set_key", ossl_dsa_set_key, 2);
 
     rb_define_method(cDSA, "params", ossl_dsa_get_params, 0);
 }