rubysl-openssl 2.8.0 → 2.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 19d9a8d2e82e570750764173c6e7e693d066876f
-  data.tar.gz: ab7845b7a5181cb1b27d0ed567da460e972824fc
+  metadata.gz: 13acecc541e3c578d87adc0933287a23cf2cde35
+  data.tar.gz: 50cbbb8481c72db5eb8253c58bcb44a562fc9ebb
 SHA512:
-  metadata.gz: 618fb5415ed6cd7e2dc730c44c010931679397e7179cdcaee26ea59fe1fca1149fd0f4b61b1aefdb3ed0a2b7bf3b505dfd85dca0a3702bc054f274b3595a74f7
-  data.tar.gz: 88fe2cca8e0c251b3a3bc75b5619f1196e8b4b87d0f082775f627ef228970bd6385dde5dc7a2de24d076c219039cdb0c969039d6ebbb8653cbebc470ad5d81bc
+  metadata.gz: e426ad35e4100cf8e9f08d3d5eff5d755b32553135cabd91ddcf5d8fba047bd3a1fbd3547a7712f8b43a3ea61dae452d3d423676bafbbb8da24e1090fa5bc1a5
+  data.tar.gz: 46c0c561af85f5c8ba06b3a457be95e07fd5e4be8f5ce0091dd824bdba1c7c5e717cb0c95b8201b8d557776837d0f94a5424dc52aa875c2026c6b1cfa63c6b96

data/ext/rubysl/openssl/ossl_bio.c

@@ -29,8 +29,9 @@ ossl_obj2bio(VALUE obj)
 	}
         rb_update_max_fd(fd);
 	if (!(fp = fdopen(fd, "r"))){
+	    int e = errno;
 	    close(fd);
-	    rb_sys_fail(0);
+	    rb_syserr_fail(e, 0);
 	}
 	if (!(bio = BIO_new_fp(fp, BIO_CLOSE))){
 	    fclose(fp);

data/ext/rubysl/openssl/ossl_bn.c

@@ -82,8 +82,8 @@ ossl_bn_new(const BIGNUM *bn)
     return obj;
 }
 
-BIGNUM *
-GetBNPtr(VALUE obj)
+static BIGNUM *
+try_convert_to_bnptr(VALUE obj)
 {
     BIGNUM *bn = NULL;
     VALUE newobj;
@@ -100,14 +100,20 @@ GetBNPtr(VALUE obj)
 	}
 	SetBN(newobj, bn); /* Handle potencial mem leaks */
 	break;
-    case T_NIL:
-	break;
-    default:
-	ossl_raise(rb_eTypeError, "Cannot convert into OpenSSL::BN");
     }
     return bn;
 }
 
+BIGNUM *
+GetBNPtr(VALUE obj)
+{
+    BIGNUM *bn = try_convert_to_bnptr(obj);
+    if (!bn)
+	ossl_raise(rb_eTypeError, "Cannot convert into OpenSSL::BN");
+
+    return bn;
+}
+
 /*
  * Private
  */
@@ -841,20 +847,77 @@ BIGNUM_CMP(ucmp)
 
 /*
  *  call-seq:
- *     big.eql?(obj) => true or false
+ *     bn == obj => true or false
  *
- *  Returns <code>true</code> only if <i>obj</i> is a
- *  <code>Bignum</code> with the same value as <i>big</i>. Contrast this
+ *  Returns +true+ only if +obj+ has the same value as +bn+. Contrast this
+ *  with OpenSSL::BN#eql?, which requires obj to be OpenSSL::BN.
  */
 static VALUE
-ossl_bn_eql(VALUE self, VALUE other)
+ossl_bn_eq(VALUE self, VALUE other)
 {
-    if (ossl_bn_cmp(self, other) == INT2FIX(0)) {
+    BIGNUM *bn1, *bn2;
+
+    GetBN(self, bn1);
+    /* BNPtr may raise, so we can't use here */
+    bn2 = try_convert_to_bnptr(other);
+
+    if (bn2 && !BN_cmp(bn1, bn2)) {
 	return Qtrue;
     }
     return Qfalse;
 }
 
+/*
+ *  call-seq:
+ *     bn.eql?(obj) => true or false
+ *
+ *  Returns <code>true</code> only if <i>obj</i> is a
+ *  <code>OpenSSL::BN</code> with the same value as <i>big</i>. Contrast this
+ *  with OpenSSL::BN#==, which performs type conversions.
+ */
+static VALUE
+ossl_bn_eql(VALUE self, VALUE other)
+{
+    BIGNUM *bn1, *bn2;
+
+    if (!rb_obj_is_kind_of(other, cBN))
+	return Qfalse;
+    GetBN(self, bn1);
+    GetBN(other, bn2);
+
+    return BN_cmp(bn1, bn2) ? Qfalse : Qtrue;
+}
+
+/*
+ *  call-seq:
+ *     bn.hash => Integer
+ *
+ *  Returns a hash code for this object.
+ *
+ *  See also Object#hash.
+ */
+static VALUE
+ossl_bn_hash(VALUE self)
+{
+    BIGNUM *bn;
+    VALUE hash;
+    unsigned char *buf;
+    int len;
+
+    GetBN(self, bn);
+    len = BN_num_bytes(bn);
+    buf = xmalloc(len);
+    if (BN_bn2bin(bn, buf) != len) {
+	xfree(buf);
+	ossl_raise(eBNError, NULL);
+    }
+
+    hash = INT2FIX(rb_memhash(buf, len));
+    xfree(buf);
+
+    return hash;
+}
+
 /*
  * call-seq:
  *    bn.prime? => true | false
@@ -982,8 +1045,9 @@ Init_ossl_bn(void)
     rb_define_alias(cBN, "<=>", "cmp");
     rb_define_method(cBN, "ucmp", ossl_bn_ucmp, 1);
     rb_define_method(cBN, "eql?", ossl_bn_eql, 1);
-    rb_define_alias(cBN, "==", "eql?");
-    rb_define_alias(cBN, "===", "eql?");
+    rb_define_method(cBN, "hash", ossl_bn_hash, 0);
+    rb_define_method(cBN, "==", ossl_bn_eq, 1);
+    rb_define_alias(cBN, "===", "==");
     rb_define_method(cBN, "zero?", ossl_bn_is_zero, 0);
     rb_define_method(cBN, "one?", ossl_bn_is_one, 0);
     /* is_word */

data/ext/rubysl/openssl/ossl_config.c

@@ -26,13 +26,13 @@ VALUE eConfigError;
  */
 
 /*
- * GetConfigPtr is a public C-level function for getting OpenSSL CONF struct
+ * DupConfigPtr is a public C-level function for getting OpenSSL CONF struct
  * from an OpenSSL::Config(eConfig) instance.  We decided to implement
  * OpenSSL::Config in Ruby level but we need to pass native CONF struct for
  * some OpenSSL features such as X509V3_EXT_*.
  */
 CONF *
-GetConfigPtr(VALUE obj)
+DupConfigPtr(VALUE obj)
 {
     CONF *conf;
     VALUE str;
@@ -50,9 +50,10 @@ GetConfigPtr(VALUE obj)
     if(!NCONF_load_bio(conf, bio, &eline)){
 	BIO_free(bio);
 	NCONF_free(conf);
-	if (eline <= 0) ossl_raise(eConfigError, "wrong config format");
-	else ossl_raise(eConfigError, "error in line %d", eline);
-	ossl_raise(eConfigError, NULL);
+	if (eline <= 0)
+	    ossl_raise(eConfigError, "wrong config format");
+	else
+	    ossl_raise(eConfigError, "error in line %d", eline);
     }
     BIO_free(bio);
 

data/ext/rubysl/openssl/ossl_ocsp.c

@@ -271,12 +271,17 @@ static VALUE
 ossl_ocspreq_add_certid(VALUE self, VALUE certid)
 {
     OCSP_REQUEST *req;
-    OCSP_CERTID *id;
+    OCSP_CERTID *id, *id_new;
 
     GetOCSPReq(self, req);
     GetOCSPCertId(certid, id);
-    if(!OCSP_request_add0_id(req, OCSP_CERTID_dup(id)))
-	ossl_raise(eOCSPError, NULL);
+
+    if (!(id_new = OCSP_CERTID_dup(id)))
+	ossl_raise(eOCSPError, "OCSP_CERTID_dup");
+    if (!OCSP_request_add0_id(req, id_new)) {
+	OCSP_CERTID_free(id_new);
+	ossl_raise(eOCSPError, "OCSP_request_add0_id");
+    }
 
     return self;
 }

data/ext/rubysl/openssl/ossl_pkcs12.c

@@ -104,7 +104,6 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
     friendlyname = NIL_P(name) ? NULL : StringValuePtr(name);
     key = GetPKeyPtr(pkey);
     x509 = GetX509CertPtr(cert);
-    x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
 /* TODO: make a VALUE to nid function */
     if (!NIL_P(key_nid)) {
         if ((nkey = OBJ_txt2nid(StringValuePtr(key_nid))) == NID_undef)
@@ -122,6 +121,7 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
         ktype = NUM2INT(keytype);
 
     obj = NewPKCS12(cPKCS12);
+    x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
     p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s,
                         nkey, ncert, kiter, miter, ktype);
     sk_X509_pop_free(x509s, X509_free);
@@ -165,8 +165,12 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
     BIO_free(in);
 
     pkey = cert = ca = Qnil;
+    /* OpenSSL's bug; PKCS12_parse() puts errors even if it succeeds.
+     * Fixed in OpenSSL 1.0.0t, 1.0.1p, 1.0.2d */
+    ERR_set_mark();
     if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
 	ossl_raise(ePKCS12Error, "PKCS12_parse");
+    ERR_pop_to_mark();
     pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key,
 		      &st); /* NO DUP */
     if(st) goto err;

data/ext/rubysl/openssl/ossl_pkcs7.c

@@ -755,7 +755,9 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
     VALUE data;
     const char *msg;
 
+    GetPKCS7(self, p7);
     rb_scan_args(argc, argv, "22", &certs, &store, &indata, &flags);
+    x509st = GetX509StorePtr(store);
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
     in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
@@ -767,8 +769,6 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
 	    rb_jump_tag(status);
 	}
     }
-    x509st = GetX509StorePtr(store);
-    GetPKCS7(self, p7);
     if(!(out = BIO_new(BIO_s_mem()))){
 	BIO_free(in);
 	sk_X509_pop_free(x509s, X509_free);
@@ -776,13 +776,13 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
     }
     ok = PKCS7_verify(p7, x509s, x509st, in, out, flg);
     BIO_free(in);
-    if (ok < 0) ossl_raise(ePKCS7Error, NULL);
+    sk_X509_pop_free(x509s, X509_free);
+    if (ok < 0) ossl_raise(ePKCS7Error, "PKCS7_verify");
     msg = ERR_reason_error_string(ERR_get_error());
     ossl_pkcs7_set_err_string(self, msg ? rb_str_new2(msg) : Qnil);
     ERR_clear_error();
     data = ossl_membio2str(out);
     ossl_pkcs7_set_data(self, data);
-    sk_X509_pop_free(x509s, X509_free);
 
     return (ok == 1) ? Qtrue : Qfalse;
 }
@@ -822,12 +822,12 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
     char buf[4096];
     int len;
 
-    in = ossl_obj2bio(data);
     GetPKCS7(self, pkcs7);
     if(PKCS7_type_is_signed(pkcs7)){
 	if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
 	    ossl_raise(ePKCS7Error, NULL);
     }
+    in = ossl_obj2bio(data);
     if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
     for(;;){
 	if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
@@ -839,7 +839,7 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
     ossl_pkcs7_set_data(self, Qnil);
 
  err:
-    BIO_free(out);
+    BIO_free_all(out);
     BIO_free(in);
     if(ERR_peek_error()){
 	ossl_raise(ePKCS7Error, NULL);

data/ext/rubysl/openssl/ossl_pkey_dh.c

@@ -506,6 +506,8 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
 
     GetPKeyDH(self, pkey);
     dh = pkey->pkey.dh;
+    if (!dh->p)
+	ossl_raise(eDHError, "incomplete DH");
     pub_key = GetBNPtr(pub);
     len = DH_size(dh);
     str = rb_str_new(0, len);

data/ext/rubysl/openssl/ossl_pkey_dsa.c

@@ -498,10 +498,11 @@ ossl_dsa_sign(VALUE self, VALUE data)
     VALUE str;
 
     GetPKeyDSA(self, pkey);
-    StringValue(data);
-    if (!DSA_PRIVATE(self, pkey->pkey.dsa)) {
+    if (!pkey->pkey.dsa->q)
+	ossl_raise(eDSAError, "incomplete DSA");
+    if (!DSA_PRIVATE(self, pkey->pkey.dsa))
 	ossl_raise(eDSAError, "Private DSA key needed!");
-    }
+    StringValue(data);
     str = rb_str_new(0, ossl_dsa_buf_size(pkey));
     if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
 		  (unsigned char *)RSTRING_PTR(str),

data/ext/rubysl/openssl/ossl_pkey_ec.c

@@ -475,6 +475,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
     int private = 0;
     char *password = NULL;
     VALUE str;
+    const EVP_CIPHER *cipher = NULL;
 
     Require_EC_KEY(self, ec);
 
@@ -487,25 +488,22 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
     if (EC_KEY_get0_private_key(ec))
         private = 1;
 
+    if (!NIL_P(ciph)) {
+	cipher = GetCipherPtr(ciph);
+	if (!NIL_P(pass)) {
+	    StringValue(pass);
+	    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+		ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+	    password = RSTRING_PTR(pass);
+	}
+    }
+
     if (!(out = BIO_new(BIO_s_mem())))
         ossl_raise(eECError, "BIO_new(BIO_s_mem())");
 
     switch(format) {
     case EXPORT_PEM:
     	if (private) {
-	    const EVP_CIPHER *cipher;
-	    if (!NIL_P(ciph)) {
-		cipher = GetCipherPtr(ciph);
-		if (!NIL_P(pass)) {
-		    StringValue(pass);
-		    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
-			ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
-		    password = RSTRING_PTR(pass);
-		}
-	    }
-	    else {
-		cipher = NULL;
-	    }
             i = PEM_write_bio_ECPrivateKey(out, ec, cipher, NULL, 0, NULL, password);
     	} else {
             i = PEM_write_bio_EC_PUBKEY(out, ec);

data/ext/rubysl/openssl/ossl_pkey_rsa.c

@@ -391,6 +391,8 @@ ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self)
     VALUE str, buffer, padding;
 
     GetPKeyRSA(self, pkey);
+    if (!pkey->pkey.rsa->n)
+	ossl_raise(eRSAError, "incomplete RSA");
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
@@ -420,6 +422,8 @@ ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self)
     VALUE str, buffer, padding;
 
     GetPKeyRSA(self, pkey);
+    if (!pkey->pkey.rsa->n)
+	ossl_raise(eRSAError, "incomplete RSA");
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
@@ -449,9 +453,10 @@ ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
     VALUE str, buffer, padding;
 
     GetPKeyRSA(self, pkey);
-    if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
-	ossl_raise(eRSAError, "private key needed.");
-    }
+    if (!pkey->pkey.rsa->n)
+	ossl_raise(eRSAError, "incomplete RSA");
+    if (!RSA_PRIVATE(self, pkey->pkey.rsa))
+	ossl_raise(eRSAError, "private key needed");
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);
@@ -481,9 +486,10 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
     VALUE str, buffer, padding;
 
     GetPKeyRSA(self, pkey);
-    if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
-	ossl_raise(eRSAError, "private key needed.");
-    }
+    if (!pkey->pkey.rsa->n)
+	ossl_raise(eRSAError, "incomplete RSA");
+    if (!RSA_PRIVATE(self, pkey->pkey.rsa))
+	ossl_raise(eRSAError, "private key needed");
     rb_scan_args(argc, argv, "11", &buffer, &padding);
     pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
     StringValue(buffer);

data/ext/rubysl/openssl/ossl_ssl.c

@@ -544,7 +544,7 @@ ssl_renegotiation_cb(const SSL *ssl)
     (void) rb_funcall(cb, rb_intern("call"), 1, ssl_obj);
 }
 
-#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+#if defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) || defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
 static VALUE
 ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
 {
@@ -568,18 +568,6 @@ ssl_encode_npn_protocols(VALUE protocols)
     return encoded;
 }
 
-static int
-ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
-{
-    VALUE sslctx_obj = (VALUE) arg;
-    VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
-
-    *out = (const unsigned char *) RSTRING_PTR(protocols);
-    *outlen = RSTRING_LENINT(protocols);
-
-    return SSL_TLSEXT_ERR_OK;
-}
-
 static int
 ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen)
 {
@@ -609,6 +597,19 @@ ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *out
     return SSL_TLSEXT_ERR_OK;
 }
 
+#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
+static int
+ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
+{
+    VALUE sslctx_obj = (VALUE) arg;
+    VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
+
+    *out = (const unsigned char *) RSTRING_PTR(protocols);
+    *outlen = RSTRING_LENINT(protocols);
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
 static int
 ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
 {
@@ -619,6 +620,7 @@ ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsi
 
     return ssl_npn_select_cb_common(cb, (const unsigned char **)out, outlen, in, inlen);
 }
+#endif
 
 #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
 static int
@@ -632,8 +634,7 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, c
     return ssl_npn_select_cb_common(cb, out, outlen, in, inlen);
 }
 #endif
-
-#endif
+#endif /* HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB || HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
 
 /* This function may serve as the entry point to support further
  * callbacks. */
@@ -687,8 +688,8 @@ ossl_sslctx_set_options(VALUE self, VALUE options)
  *    ctx.setup => nil # thereafter
  *
  * This method is called automatically when a new SSLSocket is created.
- * Normally you do not need to call this method (unless you are writing an
- * extension in C).
+ * However, it is not thread-safe and must be called before creating
+ * SSLSocket objects in a multi-threaded program.
  */
 static VALUE
 ossl_sslctx_setup(VALUE self)
@@ -793,7 +794,7 @@ ossl_sslctx_setup(VALUE self)
     val = ossl_sslctx_get_verify_dep(self);
     if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
 
-#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
     val = rb_iv_get(self, "@npn_protocols");
     if (!NIL_P(val)) {
 	rb_iv_set(self, "@_protocols", ssl_encode_npn_protocols(val));
@@ -806,7 +807,7 @@ ossl_sslctx_setup(VALUE self)
     }
 #endif
 
-#ifdef HAVE_SSL_CTX_SET_ALPN_PROTOS
+#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
     val = rb_iv_get(self, "@alpn_protocols");
     if (!NIL_P(val)) {
 	VALUE rprotos = ssl_encode_npn_protocols(val);
@@ -1532,7 +1533,13 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
 
     if (ssl) {
 	for (;;){
-	    nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
+	    int num = RSTRING_LENINT(str);
+
+	    /* SSL_write(3ssl) manpage states num == 0 is undefined */
+	    if (num == 0)
+		goto end;
+
+	    nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
 	    switch(ssl_get_error(ssl, nwrite)){
 	    case SSL_ERROR_NONE:
 		goto end;
@@ -1596,23 +1603,17 @@ ossl_ssl_write_nonblock(int argc, VALUE *argv, VALUE self)
  * call-seq:
  *    ssl.stop => nil
  *
- * Stops the SSL connection and prepares it for another connection.
+ * Sends "close notify" to the peer and tries to shut down the SSL connection
+ * gracefully.
  */
 static VALUE
 ossl_ssl_stop(VALUE self)
 {
     SSL *ssl;
 
-    /* ossl_ssl_data_get_struct() is not usable here because it may return
-     * from this function; */
-
-    GetSSL(self, ssl);
+    ossl_ssl_data_get_struct(self, ssl);
 
-    if (ssl) {
-	ossl_ssl_shutdown(ssl);
-	SSL_free(ssl);
-    }
-    DATA_PTR(self) = NULL;
+    ossl_ssl_shutdown(ssl);
 
     return Qnil;
 }
@@ -1861,7 +1862,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
     return ossl_x509name_sk2ary(ca);
 }
 
-# ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+# ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
 /*
  * call-seq:
  *    ssl.npn_protocol => String
@@ -2132,7 +2133,7 @@ Init_ossl_ssl(void)
      *   end
      */
     rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
-#ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
     /*
      * An Enumerable of Strings. Each String represents a protocol to be
      * advertised as the list of supported protocols for Next Protocol
@@ -2307,7 +2308,7 @@ Init_ossl_ssl(void)
 # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
     rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
 # endif
-# ifdef HAVE_OPENSSL_NPN_NEGOTIATED
+# ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
     rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
 # endif
 #endif

data/ext/rubysl/openssl/ossl_x509attr.c

@@ -72,16 +72,13 @@ ossl_x509attr_new(X509_ATTRIBUTE *attr)
 }
 
 X509_ATTRIBUTE *
-DupX509AttrPtr(VALUE obj)
+GetX509AttrPtr(VALUE obj)
 {
-    X509_ATTRIBUTE *attr, *new;
+    X509_ATTRIBUTE *attr;
 
     SafeGetX509Attr(obj, attr);
-    if (!(new = X509_ATTRIBUTE_dup(attr))) {
-	ossl_raise(eX509AttrError, NULL);
-    }
 
-    return new;
+    return attr;
 }
 
 /*
@@ -141,12 +138,15 @@ ossl_x509attr_set_oid(VALUE self, VALUE oid)
     ASN1_OBJECT *obj;
     char *s;
 
-    s = StringValuePtr(oid);
+    GetX509Attr(self, attr);
+    s = StringValueCStr(oid);
     obj = OBJ_txt2obj(s, 0);
-    if(!obj) obj = OBJ_txt2obj(s, 1);
     if(!obj) ossl_raise(eX509AttrError, NULL);
-    GetX509Attr(self, attr);
-    X509_ATTRIBUTE_set1_object(attr, obj);
+    if (!X509_ATTRIBUTE_set1_object(attr, obj)) {
+	ASN1_OBJECT_free(obj);
+	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
+    }
+    ASN1_OBJECT_free(obj);
 
     return oid;
 }

data/ext/rubysl/openssl/ossl_x509crl.c

@@ -315,7 +315,8 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
 	if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
-	    ossl_raise(eX509CRLError, NULL);
+	    X509_REVOKED_free(rev);
+	    ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
 	}
     }
     X509_CRL_sort(crl);
@@ -332,7 +333,8 @@ ossl_x509crl_add_revoked(VALUE self, VALUE revoked)
     GetX509CRL(self, crl);
     rev = DupX509RevokedPtr(revoked);
     if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
-	ossl_raise(eX509CRLError, NULL);
+	X509_REVOKED_free(rev);
+	ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
     }
     X509_CRL_sort(crl);
 

data/ext/rubysl/openssl/ossl_x509ext.c

@@ -188,24 +188,6 @@ ossl_x509extfactory_set_crl(VALUE self, VALUE crl)
     return crl;
 }
 
-#ifdef HAVE_X509V3_SET_NCONF
-static VALUE
-ossl_x509extfactory_set_config(VALUE self, VALUE config)
-{
-    X509V3_CTX *ctx;
-    CONF *conf;
-
-    GetX509ExtFactory(self, ctx);
-    rb_iv_set(self, "@config", config);
-    conf = GetConfigPtr(config);  /* NO DUP NEEDED */
-    X509V3_set_nconf(ctx, conf);
-
-    return config;
-}
-#else
-#define ossl_x509extfactory_set_config rb_f_notimplement
-#endif
-
 static VALUE
 ossl_x509extfactory_initialize(int argc, VALUE *argv, VALUE self)
 {
@@ -264,8 +246,11 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
     obj = NewX509Ext(cX509Ext);
 #ifdef HAVE_X509V3_EXT_NCONF_NID
     rconf = rb_iv_get(self, "@config");
-    conf = NIL_P(rconf) ? NULL : GetConfigPtr(rconf);
+    conf = NIL_P(rconf) ? NULL : DupConfigPtr(rconf);
+    X509V3_set_nconf(ctx, conf);
     ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
+    X509V3_set_ctx_nodb(ctx);
+    NCONF_free(conf);
 #else
     if (!empty_lhash) empty_lhash = lh_new(NULL, NULL);
     ext = X509V3_EXT_conf_nid(empty_lhash, ctx, nid, RSTRING_PTR(valstr));
@@ -339,14 +324,16 @@ ossl_x509ext_set_oid(VALUE self, VALUE oid)
 {
     X509_EXTENSION *ext;
     ASN1_OBJECT *obj;
-    char *s;
 
-    s = StringValuePtr(oid);
-    obj = OBJ_txt2obj(s, 0);
-    if(!obj) obj = OBJ_txt2obj(s, 1);
-    if(!obj) ossl_raise(eX509ExtError, NULL);
     GetX509Ext(self, ext);
-    X509_EXTENSION_set_object(ext, obj);
+    obj = OBJ_txt2obj(StringValueCStr(oid), 0);
+    if (!obj)
+	ossl_raise(eX509ExtError, "OBJ_txt2obj");
+    if (!X509_EXTENSION_set_object(ext, obj)) {
+	ASN1_OBJECT_free(obj);
+	ossl_raise(eX509ExtError, "X509_EXTENSION_set_object");
+    }
+    ASN1_OBJECT_free(obj);
 
     return oid;
 }
@@ -356,25 +343,16 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
 {
     X509_EXTENSION *ext;
     ASN1_OCTET_STRING *asn1s;
-    char *s;
 
+    GetX509Ext(self, ext);
     data = ossl_to_der_if_possible(data);
     StringValue(data);
-    if(!(s = OPENSSL_malloc(RSTRING_LEN(data))))
-	ossl_raise(eX509ExtError, "malloc error");
-    memcpy(s, RSTRING_PTR(data), RSTRING_LEN(data));
-    if(!(asn1s = ASN1_OCTET_STRING_new())){
-	OPENSSL_free(s);
-	ossl_raise(eX509ExtError, NULL);
-    }
-    if(!M_ASN1_OCTET_STRING_set(asn1s, s, RSTRING_LENINT(data))){
-	OPENSSL_free(s);
-	ASN1_OCTET_STRING_free(asn1s);
-	ossl_raise(eX509ExtError, NULL);
+    asn1s = X509_EXTENSION_get_data(ext);
+
+    if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
+			       RSTRING_LENINT(data))) {
+	ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
     }
-    OPENSSL_free(s);
-    GetX509Ext(self, ext);
-    X509_EXTENSION_set_data(ext, asn1s);
 
     return data;
 }
@@ -476,13 +454,12 @@ Init_ossl_x509ext(void)
     rb_attr(cX509ExtFactory, rb_intern("subject_certificate"), 1, 0, Qfalse);
     rb_attr(cX509ExtFactory, rb_intern("subject_request"), 1, 0, Qfalse);
     rb_attr(cX509ExtFactory, rb_intern("crl"), 1, 0, Qfalse);
-    rb_attr(cX509ExtFactory, rb_intern("config"), 1, 0, Qfalse);
+    rb_attr(cX509ExtFactory, rb_intern("config"), 1, 1, Qfalse);
 
     rb_define_method(cX509ExtFactory, "issuer_certificate=", ossl_x509extfactory_set_issuer_cert, 1);
     rb_define_method(cX509ExtFactory, "subject_certificate=", ossl_x509extfactory_set_subject_cert, 1);
     rb_define_method(cX509ExtFactory, "subject_request=", ossl_x509extfactory_set_subject_req, 1);
     rb_define_method(cX509ExtFactory, "crl=", ossl_x509extfactory_set_crl, 1);
-    rb_define_method(cX509ExtFactory, "config=", ossl_x509extfactory_set_config, 1);
     rb_define_method(cX509ExtFactory, "create_ext", ossl_x509extfactory_create_ext, -1);
 
     cX509Ext = rb_define_class_under(mX509, "Extension", rb_cObject);

data/ext/rubysl/openssl/ossl_x509req.c

@@ -430,7 +430,7 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
     req->req_info->attributes = NULL;
     for (i=0;i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
-	attr = DupX509AttrPtr(item);
+	attr = GetX509AttrPtr(item);
 	if (!X509_REQ_add1_attr(req, attr)) {
 	    ossl_raise(eX509ReqError, NULL);
 	}
@@ -444,7 +444,7 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
     X509_REQ *req;
 
     GetX509Req(self, req);
-    if (!X509_REQ_add1_attr(req, DupX509AttrPtr(attr))) {
+    if (!X509_REQ_add1_attr(req, GetX509AttrPtr(attr))) {
 	ossl_raise(eX509ReqError, NULL);
     }
 

data/ext/rubysl/openssl/ossl_x509revoked.c

@@ -200,7 +200,7 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
     rev->extensions = NULL;
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
-	ext = DupX509ExtPtr(item);
+	ext = GetX509ExtPtr(item);
 	if(!X509_REVOKED_add_ext(rev, ext, -1)) {
 	    ossl_raise(eX509RevError, NULL);
 	}
@@ -215,7 +215,7 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
     X509_REVOKED *rev;
 
     GetX509Rev(self, rev);
-    if(!X509_REVOKED_add_ext(rev, DupX509ExtPtr(ext), -1)) {
+    if (!X509_REVOKED_add_ext(rev, GetX509ExtPtr(ext), -1)) {
 	ossl_raise(eX509RevError, NULL);
     }
 

data/lib/openssl/ssl.rb

@@ -251,7 +251,7 @@ module OpenSSL
       include SocketForwarder
 
       if ExtConfig::OPENSSL_NO_SOCK
-        def initialize(io, ctx = nil); raise NotImplmentedError; end
+        def initialize(io, ctx = nil); raise NotImplementedError; end
       else
         if ExtConfig::HAVE_TLSEXT_HOST_NAME
           attr_accessor :hostname
@@ -290,7 +290,10 @@ module OpenSSL
       # call-seq:
       #    ssl.sysclose => nil
       #
-      # Shuts down the SSL connection and prepares it for another connection.
+      # Sends "close notify" to the peer and tries to shut down the SSL
+      # connection gracefully.
+      #
+      # If sync_close is set to +true+, the underlying IO is also closed.
       def sysclose
         return if closed?
         stop

data/lib/rubysl/openssl/version.rb

@@ -1,5 +1,5 @@
 module RubySL
   module OpenSSL
-    VERSION = "2.8.0"
+    VERSION = "2.9"
   end
 end

metadata

@@ -1,24 +1,24 @@
 --- !ruby/object:Gem::Specification
 name: rubysl-openssl
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: '2.9'
 platform: ruby
 authors:
 - Brian Shirai
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-29 00:00:00.000000000 Z
+date: 2016-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
-  type: :development
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
+  type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -26,13 +26,13 @@ dependencies:
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
-  type: :development
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+  type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -40,13 +40,13 @@ dependencies:
         version: '10.0'
 - !ruby/object:Gem::Dependency
   name: mspec
-  type: :development
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
+  type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -54,13 +54,13 @@ dependencies:
         version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rubysl-prettyprint
-  type: :development
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+  type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -178,7 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Ruby standard library OpenSSL.