diff options
author | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-05 15:35:12 +0000 |
---|---|---|
committer | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-05 15:35:12 +0000 |
commit | 0a523ab20dfe5564b33d962eb5a470896c6521f2 (patch) | |
tree | 0fedb8288600b5a5810fdbf88ad5df61a6642901 | |
parent | 5df1a31c06f2cf140a4ab17aa7c1fde0784de46c (diff) | |
download | ruby-0a523ab20dfe5564b33d962eb5a470896c6521f2.tar.gz |
openssl: adapt to OpenSSL 1.1.0 opaque structs
* ext/openssl/extconf.rb: Check existence of accessor functions that
don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
structures opaque and requires use of these accessor functions.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.[ch]: Implement them if missing.
* ext/openssl/ossl*.c: Use these accessor functions.
* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | ext/openssl/extconf.rb | 26 | ||||
-rw-r--r-- | ext/openssl/openssl_missing.c | 78 | ||||
-rw-r--r-- | ext/openssl/openssl_missing.h | 96 | ||||
-rw-r--r-- | ext/openssl/ossl.c | 2 | ||||
-rw-r--r-- | ext/openssl/ossl_bn.c | 13 | ||||
-rw-r--r-- | ext/openssl/ossl_cipher.c | 35 | ||||
-rw-r--r-- | ext/openssl/ossl_hmac.c | 47 | ||||
-rw-r--r-- | ext/openssl/ossl_ocsp.c | 10 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey.c | 37 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey_dh.c | 20 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey_dsa.c | 24 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey_rsa.c | 28 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl.c | 2 | ||||
-rw-r--r-- | ext/openssl/ossl_ssl_session.c | 17 | ||||
-rw-r--r-- | ext/openssl/ossl_x509attr.c | 81 | ||||
-rw-r--r-- | ext/openssl/ossl_x509cert.c | 10 | ||||
-rw-r--r-- | ext/openssl/ossl_x509crl.c | 27 | ||||
-rw-r--r-- | ext/openssl/ossl_x509name.c | 9 | ||||
-rw-r--r-- | ext/openssl/ossl_x509req.c | 8 | ||||
-rw-r--r-- | ext/openssl/ossl_x509revoked.c | 14 | ||||
-rw-r--r-- | ext/openssl/ossl_x509store.c | 22 | ||||
-rw-r--r-- | test/openssl/test_hmac.rb | 7 |
23 files changed, 456 insertions, 170 deletions
@@ -1,3 +1,16 @@ +Mon Jun 6 00:34:16 2016 Kazuki Yamaguchi <k@rhe.jp> + + * ext/openssl/extconf.rb: Check existence of accessor functions that + don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its + structures opaque and requires use of these accessor functions. + [ruby-core:75225] [Feature #12324] + + * ext/openssl/openssl_missing.[ch]: Implement them if missing. + + * ext/openssl/ossl*.c: Use these accessor functions. + + * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. + Mon Jun 6 00:00:13 2016 Kazuki Yamaguchi <k@rhe.jp> * ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index d72517eb57..8c5dd969d1 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -84,6 +84,10 @@ engines.each { |name| OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") } +# added in 0.9.8X +have_func("EVP_CIPHER_CTX_new") +have_func("EVP_CIPHER_CTX_free") + # added in 1.0.0 have_func("ASN1_TIME_adj") have_func("EVP_CIPHER_CTX_copy") @@ -91,6 +95,9 @@ have_func("EVP_PKEY_base_id") have_func("HMAC_CTX_copy") have_func("PKCS5_PBKDF2_HMAC") have_func("X509_NAME_hash_old") +have_func("X509_STORE_CTX_get0_current_crl") +have_func("X509_STORE_set_verify_cb") +have_func("i2d_ASN1_SET_ANY") have_func("SSL_SESSION_cmp") # removed OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h") have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h") @@ -102,6 +109,7 @@ have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTH # added in 1.0.2 have_func("EC_curve_nist2nid") have_func("X509_REVOKED_dup") +have_func("X509_STORE_CTX_get0_store") have_func("SSL_CTX_set_alpn_select_cb") OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h") OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h") @@ -109,9 +117,27 @@ OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h") # added in 1.1.0 have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API") +have_struct_member("SSL", "ctx", "openssl/ssl.h") || $defs.push("-DHAVE_OPAQUE_OPENSSL") +have_func("BN_GENCB_new") +have_func("BN_GENCB_free") +have_func("BN_GENCB_get_arg") +have_func("EVP_MD_CTX_new") +have_func("EVP_MD_CTX_free") +have_func("HMAC_CTX_new") +have_func("HMAC_CTX_free") OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated have_func("X509_STORE_get_ex_data") have_func("X509_STORE_set_ex_data") +have_func("X509_CRL_get0_signature") +have_func("X509_REQ_get0_signature") +have_func("X509_REVOKED_get0_serialNumber") +have_func("X509_REVOKED_get0_revocationDate") +have_func("X509_get0_tbs_sigalg") +have_func("X509_STORE_CTX_get0_untrusted") +have_func("X509_STORE_CTX_get0_cert") +have_func("X509_STORE_CTX_get0_chain") +have_func("OCSP_SINGLERESP_get0_id") +have_func("SSL_CTX_get_ciphers") have_func("X509_up_ref") have_func("X509_CRL_up_ref") have_func("X509_STORE_up_ref") diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c index 796d8aa082..cb22647c86 100644 --- a/ext/openssl/openssl_missing.c +++ b/ext/openssl/openssl_missing.c @@ -20,6 +20,30 @@ #include "openssl_missing.h" +/* added in 0.9.8X */ +#if !defined(HAVE_EVP_CIPHER_CTX_NEW) +EVP_CIPHER_CTX * +EVP_CIPHER_CTX_new(void) +{ + EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); + if (!ctx) + return NULL; + EVP_CIPHER_CTX_init(ctx); + return ctx; +} +#endif + +#if !defined(HAVE_EVP_CIPHER_CTX_FREE) +void +EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) +{ + if (ctx) { + EVP_CIPHER_CTX_cleanup(ctx); + OPENSSL_free(ctx); + } +} +#endif + /* added in 1.0.0 */ #if !defined(HAVE_EVP_CIPHER_CTX_COPY) /* @@ -46,15 +70,19 @@ EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) #if !defined(OPENSSL_NO_HMAC) #if !defined(HAVE_HMAC_CTX_COPY) -void +int HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) { - if (!out || !in) return; + if (!out || !in) + return 0; + memcpy(out, in, sizeof(HMAC_CTX)); EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx); EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx); EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx); + + return 1; } #endif /* HAVE_HMAC_CTX_COPY */ #endif /* NO_HMAC */ @@ -95,3 +123,49 @@ EC_curve_nist2nid(const char *name) } #endif #endif + +/*** added in 1.1.0 ***/ +#if !defined(HAVE_HMAC_CTX_NEW) +HMAC_CTX * +HMAC_CTX_new(void) +{ + HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX)); + if (!ctx) + return NULL; + HMAC_CTX_init(ctx); + return ctx; +} +#endif + +#if !defined(HAVE_HMAC_CTX_FREE) +void +HMAC_CTX_free(HMAC_CTX *ctx) +{ + if (ctx) { + HMAC_CTX_cleanup(ctx); + OPENSSL_free(ctx); + } +} +#endif + +#if !defined(HAVE_X509_CRL_GET0_SIGNATURE) +void +X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl) +{ + if (psig != NULL) + *psig = crl->signature; + if (palg != NULL) + *palg = crl->sig_alg; +} +#endif + +#if !defined(HAVE_X509_REQ_GET0_SIGNATURE) +void +X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req) +{ + if (psig != NULL) + *psig = req->signature; + if (palg != NULL) + *palg = req->sig_alg; +} +#endif diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h index 22f16bf02f..ddd07b906c 100644 --- a/ext/openssl/openssl_missing.h +++ b/ext/openssl/openssl_missing.h @@ -10,6 +10,15 @@ #if !defined(_OSSL_OPENSSL_MISSING_H_) #define _OSSL_OPENSSL_MISSING_H_ +/* added in 0.9.8X */ +#if !defined(HAVE_EVP_CIPHER_CTX_NEW) +EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); +#endif + +#if !defined(HAVE_EVP_CIPHER_CTX_FREE) +void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); +#endif + /* added in 1.0.0 */ #if !defined(HAVE_EVP_PKEY_BASE_ID) # define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type) @@ -20,7 +29,20 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in); #endif #if !defined(HAVE_HMAC_CTX_COPY) -void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); +int HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); +#endif + +#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL) +# define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl) +#endif + +#if !defined(HAVE_X509_STORE_SET_VERIFY_CB) +# define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func +#endif + +#if !defined(HAVE_I2D_ASN1_SET_ANY) +# define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \ + i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0) #endif /* added in 1.0.2 */ @@ -35,7 +57,39 @@ int EC_curve_nist2nid(const char *); (d2i_of_void *)d2i_X509_REVOKED, (char *)(rev)) #endif +#if !defined(HAVE_X509_STORE_CTX_GET0_STORE) +# define X509_STORE_CTX_get0_store(x) ((x)->ctx) +#endif + /* added in 1.1.0 */ +#if !defined(HAVE_BN_GENCB_NEW) +# define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) +#endif + +#if !defined(HAVE_BN_GENCB_FREE) +# define BN_GENCB_free(cb) OPENSSL_free(cb) +#endif + +#if !defined(HAVE_BN_GENCB_GET_ARG) +# define BN_GENCB_get_arg(cb) (cb)->arg +#endif + +#if !defined(HAVE_EVP_MD_CTX_NEW) +# define EVP_MD_CTX_new EVP_MD_CTX_create +#endif + +#if !defined(HAVE_EVP_MD_CTX_FREE) +# define EVP_MD_CTX_free EVP_MD_CTX_destroy +#endif + +#if !defined(HAVE_HMAC_CTX_NEW) +HMAC_CTX *HMAC_CTX_new(void); +#endif + +#if !defined(HAVE_HMAC_CTX_FREE) +void HMAC_CTX_free(HMAC_CTX *ctx); +#endif + #if !defined(HAVE_X509_STORE_GET_EX_DATA) # define X509_STORE_get_ex_data(x, idx) \ CRYPTO_get_ex_data(&(x)->ex_data, (idx)) @@ -49,6 +103,46 @@ int EC_curve_nist2nid(const char *); (newf), (dupf), (freef)) #endif +#if !defined(HAVE_X509_CRL_GET0_SIGNATURE) +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl); +#endif + +#if !defined(HAVE_X509_REQ_GET0_SIGNATURE) +void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req); +#endif + +#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER) +# define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber) +#endif + +#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE) +# define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate) +#endif + +#if !defined(HAVE_X509_GET0_TBS_SIGALG) +# define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature) +#endif + +#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED) +# define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted) +#endif + +#if !defined(HAVE_X509_STORE_CTX_GET0_CERT) +# define X509_STORE_CTX_get0_cert(x) ((x)->cert) +#endif + +#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN) +# define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx) +#endif + +#if !defined(HAVE_OCSP_SINGLERESP_GET0_ID) +# define OCSP_SINGLERESP_get0_id(s) ((s)->certId) +#endif + +#if !defined(HAVE_SSL_CTX_GET_CIPHERS) +# define SSL_CTX_get_ciphers(ctx) ((ctx)->cipher_list) +#endif + #if !defined(HAVE_X509_UP_REF) # define X509_up_ref(x) \ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509) diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index 9f92b92893..83baa7b63c 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -258,7 +258,7 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx) proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx); if (!proc) - proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_store_ex_verify_cb_idx); + proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx); if (!proc) return ok; if (!NIL_P(proc)) { diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c index 4398ad8ad8..6a0a21eb83 100644 --- a/ext/openssl/ossl_bn.c +++ b/ext/openssl/ossl_bn.c @@ -37,17 +37,12 @@ ossl_bn_free(void *ptr) BN_clear_free(ptr); } -static size_t -ossl_bn_size(const void *ptr) -{ - return sizeof(BIGNUM); -} - static const rb_data_type_t ossl_bn_type = { "OpenSSL/BN", - {0, ossl_bn_free, ossl_bn_size,}, - 0, 0, - RUBY_TYPED_FREE_IMMEDIATELY, + { + 0, ossl_bn_free, + }, + 0, 0, RUBY_TYPED_FREE_IMMEDIATELY, }; /* diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index d56b3411e7..54e363faa2 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -11,10 +11,12 @@ #define NewCipher(klass) \ TypedData_Wrap_Struct((klass), &ossl_cipher_type, 0) -#define MakeCipher(obj, klass, ctx) \ - (obj) = TypedData_Make_Struct((klass), EVP_CIPHER_CTX, &ossl_cipher_type, (ctx)) -#define AllocCipher(obj, ctx) \ - (DATA_PTR(obj) = (ctx) = ZALLOC(EVP_CIPHER_CTX)) +#define AllocCipher(obj, ctx) do { \ + (ctx) = EVP_CIPHER_CTX_new(); \ + if (!(ctx)) \ + ossl_raise(rb_eRuntimeError, NULL); \ + RTYPEDDATA_DATA(obj) = (ctx); \ +} while (0) #define GetCipherInit(obj, ctx) do { \ TypedData_Get_Struct((obj), EVP_CIPHER_CTX, &ossl_cipher_type, (ctx)); \ } while (0) @@ -37,13 +39,13 @@ VALUE eCipherError; static VALUE ossl_cipher_alloc(VALUE klass); static void ossl_cipher_free(void *ptr); -static size_t ossl_cipher_memsize(const void *ptr); static const rb_data_type_t ossl_cipher_type = { "OpenSSL/Cipher", - {0, ossl_cipher_free, ossl_cipher_memsize,}, - 0, 0, - RUBY_TYPED_FREE_IMMEDIATELY, + { + 0, ossl_cipher_free, + }, + 0, 0, RUBY_TYPED_FREE_IMMEDIATELY, }; /* @@ -67,7 +69,6 @@ ossl_cipher_new(const EVP_CIPHER *cipher) ret = ossl_cipher_alloc(cCipher); AllocCipher(ret, ctx); - EVP_CIPHER_CTX_init(ctx); if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1) ossl_raise(eCipherError, NULL); @@ -87,13 +88,6 @@ ossl_cipher_free(void *ptr) } } -static size_t -ossl_cipher_memsize(const void *ptr) -{ - const EVP_CIPHER_CTX *ctx = ptr; - return sizeof(*ctx); -} - static VALUE ossl_cipher_alloc(VALUE klass) { @@ -114,7 +108,7 @@ ossl_cipher_initialize(VALUE self, VALUE str) EVP_CIPHER_CTX *ctx; const EVP_CIPHER *cipher; char *name; - unsigned char key[EVP_MAX_KEY_LENGTH]; + unsigned char dummy_key[EVP_MAX_KEY_LENGTH] = { 0 }; name = StringValueCStr(str); GetCipherInit(self, ctx); @@ -122,18 +116,19 @@ ossl_cipher_initialize(VALUE self, VALUE str) ossl_raise(rb_eRuntimeError, "Cipher already inititalized!"); } AllocCipher(self, ctx); - EVP_CIPHER_CTX_init(ctx); if (!(cipher = EVP_get_cipherbyname(name))) { ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%"PRIsVALUE")", str); } /* + * EVP_CipherInit_ex() allows to specify NULL to key and IV, however some + * ciphers don't handle well (OpenSSL's bug). [Bug #2768] + * * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows * uninitialized key, but other EVPs (such as AES) does not allow it. * Calling EVP_CipherUpdate() without initializing key causes SEGV so we * set the data filled with "\0" as the key by default. */ - memset(key, 0, EVP_MAX_KEY_LENGTH); - if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1) + if (EVP_CipherInit_ex(ctx, cipher, NULL, dummy_key, NULL, -1) != 1) ossl_raise(eCipherError, NULL); return self; diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index 5513cb20de..bb4b57846e 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -11,8 +11,8 @@ #include "ossl.h" -#define MakeHMAC(obj, klass, ctx) \ - (obj) = TypedData_Make_Struct((klass), HMAC_CTX, &ossl_hmac_type, (ctx)) +#define NewHMAC(klass) \ + TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0) #define GetHMAC(obj, ctx) do { \ TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \ if (!(ctx)) { \ @@ -40,8 +40,7 @@ VALUE eHMACError; static void ossl_hmac_free(void *ctx) { - HMAC_CTX_cleanup(ctx); - ruby_xfree(ctx); + HMAC_CTX_free(ctx); } static const rb_data_type_t ossl_hmac_type = { @@ -55,11 +54,14 @@ static const rb_data_type_t ossl_hmac_type = { static VALUE ossl_hmac_alloc(VALUE klass) { - HMAC_CTX *ctx; VALUE obj; + HMAC_CTX *ctx; - MakeHMAC(obj, klass, ctx); - HMAC_CTX_init(ctx); + obj = NewHMAC(klass); + ctx = HMAC_CTX_new(); + if (!ctx) + ossl_raise(eHMACError, NULL); + RTYPEDDATA_DATA(obj) = ctx; return obj; } @@ -107,8 +109,8 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) StringValue(key); GetHMAC(self, ctx); - HMAC_Init(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), - GetDigestPtr(digest)); + HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), + GetDigestPtr(digest), NULL); return self; } @@ -124,7 +126,8 @@ ossl_hmac_copy(VALUE self, VALUE other) GetHMAC(self, ctx1); SafeGetHMAC(other, ctx2); - HMAC_CTX_copy(ctx1, ctx2); + if (!HMAC_CTX_copy(ctx1, ctx2)) + ossl_raise(eHMACError, "HMAC_CTX_copy"); return self; } @@ -161,16 +164,24 @@ ossl_hmac_update(VALUE self, VALUE data) static void hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len) { - HMAC_CTX final; + HMAC_CTX *final; + + final = HMAC_CTX_new(); + if (!final) + ossl_raise(eHMACError, "HMAC_CTX_new"); + + if (!HMAC_CTX_copy(final, ctx)) { + HMAC_CTX_free(final); + ossl_raise(eHMACError, "HMAC_CTX_copy"); + } - HMAC_CTX_copy(&final, ctx); - if (!(*buf = OPENSSL_malloc(HMAC_size(&final)))) { - HMAC_CTX_cleanup(&final); - OSSL_Debug("Allocating %d mem", HMAC_size(&final)); + if (!(*buf = OPENSSL_malloc(HMAC_size(final)))) { + HMAC_CTX_free(final); + OSSL_Debug("Allocating %d mem", (int)HMAC_size(final)); ossl_raise(eHMACError, "Cannot allocate memory for hmac"); } - HMAC_Final(&final, *buf, buf_len); - HMAC_CTX_cleanup(&final); + HMAC_Final(final, *buf, buf_len); + HMAC_CTX_free(final); } /* @@ -256,7 +267,7 @@ ossl_hmac_reset(VALUE self) HMAC_CTX *ctx; GetHMAC(self, ctx); - HMAC_Init(ctx, NULL, 0, NULL); + HMAC_Init_ex(ctx, NULL, 0, NULL, NULL); return self; } diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c index 9f44bc202b..ae15d93bfa 100644 --- a/ext/openssl/ossl_ocsp.c +++ b/ext/openssl/ossl_ocsp.c @@ -708,8 +708,8 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status, if(!NIL_P(ext)){ X509_EXTENSION *x509ext; - sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free); - single->singleExtensions = NULL; + while ((x509ext = OCSP_SINGLERESP_delete_ext(single, 0))) + X509_EXTENSION_free(x509ext); for(i = 0; i < RARRAY_LEN(ext); i++){ x509ext = DupX509ExtPtr(RARRAY_AREF(ext, i)); if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){ @@ -764,7 +764,7 @@ ossl_ocspbres_get_status(VALUE self) status = OCSP_single_get0_status(single, &reason, &revtime, &thisupd, &nextupd); if(status < 0) continue; - if(!(cid = OCSP_CERTID_dup(single->certId))) + if(!(cid = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(single)))) ossl_raise(eOCSPError, NULL); ary = rb_ary_new(); rb_ary_push(ary, ossl_ocspcertid_new(cid)); @@ -963,10 +963,12 @@ static VALUE ossl_ocspcid_get_serial(VALUE self) { OCSP_CERTID *id; + ASN1_INTEGER *serial; GetOCSPCertId(self, id); + OCSP_id_get0_info(NULL, NULL, NULL, &serial, id); - return asn1integer_to_num(id->serialNumber); + return asn1integer_to_num(serial); } void diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index c59a364654..4ae8e14e3e 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -27,7 +27,7 @@ ossl_generate_cb_2(int p, int n, BN_GENCB *cb) struct ossl_generate_cb_arg *arg; int state; - arg = (struct ossl_generate_cb_arg *)cb->arg; + arg = (struct ossl_generate_cb_arg *)BN_GENCB_get_arg(cb); if (arg->yield) { ary = rb_ary_new2(2); rb_ary_store(ary, 0, INT2NUM(p)); @@ -265,21 +265,26 @@ static VALUE ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) { EVP_PKEY *pkey; - EVP_MD_CTX ctx; + const EVP_MD *md; + EVP_MD_CTX *ctx; unsigned int buf_len; VALUE str; int result; - if (rb_funcallv(self, id_private_q, 0, NULL) != Qtrue) { + if (rb_funcallv(self, id_private_q, 0, NULL) != Qtrue) ossl_raise(rb_eArgError, "Private key is needed."); - } GetPKey(self, pkey); - EVP_SignInit(&ctx, GetDigestPtr(digest)); + md = GetDigestPtr(digest); StringValue(data); - EVP_SignUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); str = rb_str_new(0, EVP_PKEY_size(pkey)+16); - result = EVP_SignFinal(&ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey); - EVP_MD_CTX_cleanup(&ctx); + + ctx = EVP_MD_CTX_new(); + if (!ctx) + ossl_raise(ePKeyError, "EVP_MD_CTX_new"); + EVP_SignInit(ctx, md); + EVP_SignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)); + result = EVP_SignFinal(ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey); + EVP_MD_CTX_free(ctx); if (!result) ossl_raise(ePKeyError, NULL); assert((long)buf_len <= RSTRING_LEN(str)); @@ -313,16 +318,22 @@ static VALUE ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data) { EVP_PKEY *pkey; - EVP_MD_CTX ctx; + const EVP_MD *md; + EVP_MD_CTX *ctx; int result; GetPKey(self, pkey); + md = GetDigestPtr(digest); StringValue(sig); StringValue(data); - EVP_VerifyInit(&ctx, GetDigestPtr(digest)); - EVP_VerifyUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); - result = EVP_VerifyFinal(&ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey); - EVP_MD_CTX_cleanup(&ctx); + + ctx = EVP_MD_CTX_new(); + if (!ctx) + ossl_raise(ePKeyError, "EVP_MD_CTX_new"); + EVP_VerifyInit(ctx, md); + EVP_VerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)); + result = EVP_VerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey); + EVP_MD_CTX_free(ctx); switch (result) { case 0: return Qfalse; diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c index 9fdc48a98e..74402fb95e 100644 --- a/ext/openssl/ossl_pkey_dh.c +++ b/ext/openssl/ossl_pkey_dh.c @@ -97,21 +97,24 @@ dh_blocking_gen(void *arg) static DH * dh_generate(int size, int gen) { - BN_GENCB cb; - struct ossl_generate_cb_arg cb_arg; + struct ossl_generate_cb_arg cb_arg = { 0 }; struct dh_blocking_gen_arg gen_arg; DH *dh = DH_new(); + BN_GENCB *cb = BN_GENCB_new(); - if (!dh) return 0; + if (!dh || !cb) { + DH_free(dh); + BN_GENCB_free(cb); + return NULL; + } - memset(&cb_arg, 0, sizeof(struct ossl_generate_cb_arg)); if (rb_block_given_p()) cb_arg.yield = 1; - BN_GENCB_set(&cb, ossl_generate_cb_2, &cb_arg); + BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg); gen_arg.dh = dh; gen_arg.size = size; gen_arg.gen = gen; - gen_arg.cb = &cb; + gen_arg.cb = cb; if (cb_arg.yield == 1) { /* we cannot release GVL when callback proc is supplied */ dh_blocking_gen(&gen_arg); @@ -120,6 +123,7 @@ dh_generate(int size, int gen) rb_thread_call_without_gvl(dh_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg); } + BN_GENCB_free(cb); if (!gen_arg.result) { DH_free(dh); if (cb_arg.state) { @@ -127,12 +131,12 @@ dh_generate(int size, int gen) ossl_clear_error(); rb_jump_tag(cb_arg.state); } - return 0; + return NULL; } if (!DH_generate_key(dh)) { DH_free(dh); - return 0; + return NULL; } return dh; diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c index a30eba85d7..2824679053 100644 --- a/ext/openssl/ossl_pkey_dsa.c +++ b/ext/openssl/ossl_pkey_dsa.c @@ -114,31 +114,33 @@ dsa_blocking_gen(void *arg) static DSA * dsa_generate(int size) { - BN_GENCB cb; - struct ossl_generate_cb_arg cb_arg; + struct ossl_generate_cb_arg cb_arg = { 0 }; struct dsa_blocking_gen_arg gen_arg; DSA *dsa = DSA_new(); + BN_GENCB *cb = BN_GENCB_new(); unsigned char seed[20]; int seed_len = 20, counter; unsigned long h; - if (!dsa) return 0; - if (RAND_bytes(seed, seed_len) <= 0) { + if (RAND_bytes(seed, seed_len) <= 0) + return NULL; + + if (!dsa || !cb) { DSA_free(dsa); - return 0; + BN_GENCB_free(cb); + return NULL; } - memset(&cb_arg, 0, sizeof(struct ossl_generate_cb_arg)); if (rb_block_given_p()) cb_arg.yield = 1; - BN_GENCB_set(&cb, ossl_generate_cb_2, &cb_arg); + BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg); gen_arg.dsa = dsa; gen_arg.size = size; gen_arg.seed = seed; gen_arg.seed_len = seed_len; gen_arg.counter = &counter; gen_arg.h = &h; - gen_arg.cb = &cb; + gen_arg.cb = cb; if (cb_arg.yield == 1) { /* we cannot release GVL when callback proc is supplied */ dsa_blocking_gen(&gen_arg); @@ -146,6 +148,8 @@ dsa_generate(int size) /* there's a chance to unblock */ rb_thread_call_without_gvl(dsa_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg); } + + BN_GENCB_free(cb); if (!gen_arg.result) { DSA_free(dsa); if (cb_arg.state) { @@ -156,12 +160,12 @@ dsa_generate(int size) ossl_clear_error(); rb_jump_tag(cb_arg.state); } - return 0; + return NULL; } if (!DSA_generate_key(dsa)) { DSA_free(dsa); - return 0; + return NULL; } return dsa; diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c index 5d9bcb96be..1ee45d0f17 100644 --- a/ext/openssl/ossl_pkey_rsa.c +++ b/ext/openssl/ossl_pkey_rsa.c @@ -114,35 +114,36 @@ static RSA * rsa_generate(int size, unsigned long exp) { int i; - BN_GENCB cb; - struct ossl_generate_cb_arg cb_arg; + struct ossl_generate_cb_arg cb_arg = { 0 }; struct rsa_blocking_gen_arg gen_arg; RSA *rsa = RSA_new(); BIGNUM *e = BN_new(); + BN_GENCB *cb = BN_GENCB_new(); - if (!rsa || !e) { - if (e) BN_free(e); - if (rsa) RSA_free(rsa); - return 0; + if (!rsa || !e || !cb) { + RSA_free(rsa); + BN_free(e); + BN_GENCB_free(cb); + return NULL; } for (i = 0; i < (int)sizeof(exp) * 8; ++i) { if (exp & (1UL << i)) { if (BN_set_bit(e, i) == 0) { BN_free(e); RSA_free(rsa); - return 0; + BN_GENCB_free(cb); + return NULL; } } } - memset(&cb_arg, 0, sizeof(struct ossl_generate_cb_arg)); if (rb_block_given_p()) cb_arg.yield = 1; - BN_GENCB_set(&cb, ossl_generate_cb_2, &cb_arg); + BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg); gen_arg.rsa = rsa; gen_arg.e = e; gen_arg.size = size; - gen_arg.cb = &cb; + gen_arg.cb = cb; if (cb_arg.yield == 1) { /* we cannot release GVL when callback proc is supplied */ rsa_blocking_gen(&gen_arg); @@ -150,18 +151,19 @@ rsa_generate(int size, unsigned long exp) /* there's a chance to unblock */ rb_thread_call_without_gvl(rsa_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg); } + + BN_GENCB_free(cb); + BN_free(e); if (!gen_arg.result) { - BN_free(e); RSA_free(rsa); if (cb_arg.state) { /* must clear OpenSSL error stack */ ossl_clear_error(); rb_jump_tag(cb_arg.state); } - return 0; + return NULL; } - BN_free(e); return rsa; } diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index fd1ad746b9..4aca99fb6d 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -922,7 +922,7 @@ ossl_sslctx_get_ciphers(VALUE self) rb_warning("SSL_CTX is not initialized."); return Qnil; } - ciphers = ctx->cipher_list; + ciphers = SSL_CTX_get_ciphers(ctx); if (!ciphers) return rb_ary_new(); diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c index 1b6df55c00..4836891d73 100644 --- a/ext/openssl/ossl_ssl_session.c +++ b/ext/openssl/ossl_ssl_session.c @@ -76,13 +76,22 @@ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1) #if HAVE_SSL_SESSION_CMP == 0 int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b) { - if (a->ssl_version != b->ssl_version || - a->session_id_length != b->session_id_length) + unsigned int a_len; + const unsigned char *a_sid = SSL_SESSION_get_id(a, &a_len); + unsigned int b_len; + const unsigned char *b_sid = SSL_SESSION_get_id(b, &b_len); + +#if !defined(HAVE_OPAQUE_OPENSSL) /* missing SSL_SESSION_get_ssl_version() ? */ + if (a->ssl_version != b->ssl_version) + return 1; +#endif + if (a_len != b_len) return 1; + #if defined(_WIN32) - return memcmp(a->session_id, b->session_id, a->session_id_length); + return memcmp(a_sid, b_sid, a_len); #else - return CRYPTO_memcmp(a->session_id, b->session_id, a->session_id_length); + return CRYPTO_memcmp(a_sid, b_sid, a_len); #endif } #endif diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c index 7cd3fe6dfd..78ce236d96 100644 --- a/ext/openssl/ossl_x509attr.c +++ b/ext/openssl/ossl_x509attr.c @@ -186,22 +186,37 @@ static VALUE ossl_x509attr_set_value(VALUE self, VALUE value) { X509_ATTRIBUTE *attr; - ASN1_TYPE *a1type; + VALUE asn1_value; + int i, asn1_tag; OSSL_Check_Kind(value, cASN1Data); - if(!(a1type = ossl_asn1_get_asn1type(value))) - ossl_raise(eASN1Error, "could not get ASN1_TYPE"); - if(ASN1_TYPE_get(a1type) == V_ASN1_SEQUENCE){ - ASN1_TYPE_free(a1type); - ossl_raise(eASN1Error, "couldn't set SEQUENCE for attribute value."); - } + asn1_tag = NUM2INT(rb_attr_get(value, rb_intern("@tag"))); + asn1_value = rb_attr_get(value, rb_intern("@value")); + if (asn1_tag != V_ASN1_SET) + ossl_raise(eASN1Error, "argument must be ASN1::Set"); + if (!RB_TYPE_P(asn1_value, T_ARRAY)) + ossl_raise(eASN1Error, "ASN1::Set has non-array value"); + GetX509Attr(self, attr); - if(attr->value.set){ - if(attr->single) ASN1_TYPE_free(attr->value.single); - else sk_ASN1_TYPE_free(attr->value.set); + if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */ + ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr); + X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1); + if (!new_attr) + ossl_raise(eX509AttrError, NULL); + SetX509Attr(self, new_attr); + X509_ATTRIBUTE_free(attr); + attr = new_attr; + } + + for (i = 0; i < RARRAY_LEN(asn1_value); i++) { + ASN1_TYPE *a1type = ossl_asn1_get_asn1type(RARRAY_AREF(asn1_value, i)); + if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type), + a1type->value.ptr, -1)) { + ASN1_TYPE_free(a1type); + ossl_raise(eX509AttrError, NULL); + } + ASN1_TYPE_free(a1type); } - attr->single = 1; - attr->value.single = a1type; return value; } @@ -214,32 +229,34 @@ static VALUE ossl_x509attr_get_value(VALUE self) { X509_ATTRIBUTE *attr; - VALUE str, asn1; - long length; + STACK_OF(ASN1_TYPE) *sk; + VALUE str; + int i, count, len; unsigned char *p; GetX509Attr(self, attr); - if(attr->value.ptr == NULL) return Qnil; - if(attr->single){ - length = i2d_ASN1_TYPE(attr->value.single, NULL); - str = rb_str_new(0, length); - p = (unsigned char *)RSTRING_PTR(str); - i2d_ASN1_TYPE(attr->value.single, &p); - ossl_str_adjust(str, p); + /* there is no X509_ATTRIBUTE_get0_set() :( */ + if (!(sk = sk_ASN1_TYPE_new_null())) + ossl_raise(eX509AttrError, "sk_new"); + + count = X509_ATTRIBUTE_count(attr); + for (i = 0; i < count; i++) + sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i)); + + if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) { + sk_ASN1_TYPE_free(sk); + ossl_raise(eX509AttrError, NULL); } - else{ - length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, - (unsigned char **) NULL, i2d_ASN1_TYPE, - V_ASN1_SET, V_ASN1_UNIVERSAL, 0); - str = rb_str_new(0, length); - p = (unsigned char *)RSTRING_PTR(str); - i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p, - i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0); - ossl_str_adjust(str, p); + str = rb_str_new(0, len); + p = (unsigned char *)RSTRING_PTR(str); + if (i2d_ASN1_SET_ANY(sk, &p) <= 0) { + sk_ASN1_TYPE_free(sk); + ossl_raise(eX509AttrError, NULL); } - asn1 = rb_funcall(mASN1, rb_intern("decode"), 1, str); + ossl_str_adjust(str, p); + sk_ASN1_TYPE_free(sk); - return asn1; + return rb_funcall(mASN1, rb_intern("decode"), 1, str); } /* diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index ca73a15e3a..a7e37960e5 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -349,9 +349,7 @@ ossl_x509_set_serial(VALUE self, VALUE num) X509 *x509; GetX509(self, x509); - - x509->cert_info->serialNumber = - num_to_asn1integer(num, X509_get_serialNumber(x509)); + X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509))); return num; } @@ -371,7 +369,7 @@ ossl_x509_get_signature_algorithm(VALUE self) out = BIO_new(BIO_s_mem()); if (!out) ossl_raise(eX509CertError, NULL); - if (!i2a_ASN1_OBJECT(out, x509->cert_info->signature->algorithm)) { + if (!i2a_ASN1_OBJECT(out, X509_get0_tbs_sigalg(x509)->algorithm)) { BIO_free(out); ossl_raise(eX509CertError, NULL); } @@ -666,8 +664,8 @@ ossl_x509_set_extensions(VALUE self, VALUE ary) OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509(self, x509); - sk_X509_EXTENSION_pop_free(x509->cert_info->extensions, X509_EXTENSION_free); - x509->cert_info->extensions = NULL; + while ((ext = X509_delete_ext(x509, 0))) + X509_EXTENSION_free(ext); for (i=0; i<RARRAY_LEN(ary); i++) { ext = DupX509ExtPtr(RARRAY_AREF(ary, i)); diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index 3dd94a19f9..2cbe4f941f 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -180,6 +180,7 @@ static VALUE ossl_x509crl_get_signature_algorithm(VALUE self) { X509_CRL *crl; + X509_ALGOR *alg; BIO *out; BUF_MEM *buf; VALUE str; @@ -188,7 +189,8 @@ ossl_x509crl_get_signature_algorithm(VALUE self) if (!(out = BIO_new(BIO_s_mem()))) { ossl_raise(eX509CRLError, NULL); } - if (!i2a_ASN1_OBJECT(out, crl->sig_alg->algorithm)) { + X509_CRL_get0_signature(NULL, &alg, crl); + if (!i2a_ASN1_OBJECT(out, alg->algorithm)) { BIO_free(out); ossl_raise(eX509CRLError, NULL); } @@ -237,7 +239,7 @@ ossl_x509crl_set_last_update(VALUE self, VALUE time) X509_CRL *crl; GetX509CRL(self, crl); - if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time)) + if (!ossl_x509_time_adjust(X509_CRL_get_lastUpdate(crl), time)) ossl_raise(eX509CRLError, NULL); return time; @@ -257,11 +259,21 @@ static VALUE ossl_x509crl_set_next_update(VALUE self, VALUE time) { X509_CRL *crl; + ASN1_TIME *orig, *new; GetX509CRL(self, crl); - /* crl->crl->nextUpdate may be NULL at this time */ - if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time))) + /* orig may be NULL at this time; in this case a new ASN1_TIME is created */ + orig = X509_CRL_get_nextUpdate(crl); + new = ossl_x509_time_adjust(orig, time); + + if (!X509_CRL_set_nextUpdate(crl, new)) { + if (!orig) + ASN1_TIME_free(new); ossl_raise(eX509CRLError, NULL); + } + /* X509_CRL_set_nextUpdate() dups when orig != new */ + if (!orig) + ASN1_TIME_free(new); return time; } @@ -304,8 +316,7 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary) OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev); } GetX509CRL(self, crl); - sk_X509_REVOKED_pop_free(crl->crl->revoked, X509_REVOKED_free); - crl->crl->revoked = NULL; + sk_X509_REVOKED_pop_free(X509_CRL_get_REVOKED(crl), X509_REVOKED_free); for (i=0; i<RARRAY_LEN(ary); i++) { rev = DupX509RevokedPtr(RARRAY_AREF(ary, i)); if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */ @@ -478,8 +489,8 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary) OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509CRL(self, crl); - sk_X509_EXTENSION_pop_free(crl->crl->extensions, X509_EXTENSION_free); - crl->crl->extensions = NULL; + while ((ext = X509_CRL_delete_ext(crl, 0))) + X509_EXTENSION_free(ext); for (i=0; i<RARRAY_LEN(ary); i++) { ext = DupX509ExtPtr(RARRAY_AREF(ary, i)); if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */ diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c index a0e28e29ec..ff307c0626 100644 --- a/ext/openssl/ossl_x509name.c +++ b/ext/openssl/ossl_x509name.c @@ -282,6 +282,7 @@ ossl_x509name_to_a(VALUE self) char long_name[512]; const char *short_name; VALUE ary, vname, ret; + ASN1_STRING *value; GetX509Name(self, name); entries = X509_NAME_entry_count(name); @@ -294,7 +295,8 @@ ossl_x509name_to_a(VALUE self) if (!(entry = X509_NAME_get_entry(name, i))) { ossl_raise(eX509NameError, NULL); } - if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name), entry->object)) { + if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name), + X509_NAME_ENTRY_get_object(entry))) { ossl_raise(eX509NameError, NULL); } nid = OBJ_ln2nid(long_name); @@ -304,10 +306,11 @@ ossl_x509name_to_a(VALUE self) short_name = OBJ_nid2sn(nid); vname = rb_str_new2(short_name); /*do not free*/ } + value = X509_NAME_ENTRY_get_data(entry); ary = rb_ary_new3(3, vname, - rb_str_new((const char *)entry->value->data, entry->value->length), - INT2FIX(entry->value->type)); + rb_str_new((const char *)value->data, value->length), + INT2FIX(value->type)); rb_ary_push(ret, ary); } return ret; diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c index c1cdca5fbe..9025d4fe28 100644 --- a/ext/openssl/ossl_x509req.c +++ b/ext/openssl/ossl_x509req.c @@ -302,6 +302,7 @@ static VALUE ossl_x509req_get_signature_algorithm(VALUE self) { X509_REQ *req; + X509_ALGOR *alg; BIO *out; BUF_MEM *buf; VALUE str; @@ -311,7 +312,8 @@ ossl_x509req_get_signature_algorithm(VALUE self) if (!(out = BIO_new(BIO_s_mem()))) { ossl_raise(eX509ReqError, NULL); } - if (!i2a_ASN1_OBJECT(out, req->sig_alg->algorithm)) { + X509_REQ_get0_signature(NULL, &alg, req); + if (!i2a_ASN1_OBJECT(out, alg->algorithm)) { BIO_free(out); ossl_raise(eX509ReqError, NULL); } @@ -426,8 +428,8 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary) OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr); } GetX509Req(self, req); - sk_X509_ATTRIBUTE_pop_free(req->req_info->attributes, X509_ATTRIBUTE_free); - req->req_info->attributes = NULL; + while ((attr = X509_REQ_delete_attr(req, 0))) + X509_ATTRIBUTE_free(attr); for (i=0;i<RARRAY_LEN(ary); i++) { item = RARRAY_AREF(ary, i); attr = DupX509AttrPtr(item); diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c index fc1a7d1337..067bec8cd4 100644 --- a/ext/openssl/ossl_x509revoked.c +++ b/ext/openssl/ossl_x509revoked.c @@ -116,16 +116,18 @@ ossl_x509revoked_get_serial(VALUE self) GetX509Rev(self, rev); - return asn1integer_to_num(rev->serialNumber); + return asn1integer_to_num(X509_REVOKED_get0_serialNumber(rev)); } static VALUE ossl_x509revoked_set_serial(VALUE self, VALUE num) { X509_REVOKED *rev; + ASN1_INTEGER *ai; GetX509Rev(self, rev); - rev->serialNumber = num_to_asn1integer(num, rev->serialNumber); + ai = X509_REVOKED_get0_serialNumber(rev); + X509_REVOKED_set_serialNumber(rev, num_to_asn1integer(num, ai)); return num; } @@ -137,7 +139,7 @@ ossl_x509revoked_get_time(VALUE self) GetX509Rev(self, rev); - return asn1time_to_time(rev->revocationDate); + return asn1time_to_time(X509_REVOKED_get0_revocationDate(rev)); } static VALUE @@ -146,7 +148,7 @@ ossl_x509revoked_set_time(VALUE self, VALUE time) X509_REVOKED *rev; GetX509Rev(self, rev); - if (!ossl_x509_time_adjust(rev->revocationDate, time)) + if (!ossl_x509_time_adjust(X509_REVOKED_get0_revocationDate(rev), time)) ossl_raise(eX509RevError, NULL); return time; @@ -193,8 +195,8 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary) OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext); } GetX509Rev(self, rev); - sk_X509_EXTENSION_pop_free(rev->extensions, X509_EXTENSION_free); - rev->extensions = NULL; + while ((ext = X509_REVOKED_delete_ext(rev, 0))) + X509_EXTENSION_free(ext); for (i=0; i<RARRAY_LEN(ary); i++) { item = RARRAY_AREF(ary, i); ext = DupX509ExtPtr(item); diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index a98c182c5a..26426d1832 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -149,8 +149,11 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self) /* BUG: This method takes any number of arguments but appears to ignore them. */ GetX509Store(self, store); +#if !defined(HAVE_OPAQUE_OPENSSL) + /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */ store->ex_data.sk = NULL; - X509_STORE_set_verify_cb_func(store, ossl_verify_cb); +#endif + X509_STORE_set_verify_cb(store, ossl_verify_cb); ossl_x509store_set_vfy_cb(self, Qnil); /* last verification status */ @@ -382,10 +385,10 @@ static void ossl_x509stctx_free(void *ptr) { X509_STORE_CTX *ctx = ptr; - if(ctx->untrusted) - sk_X509_pop_free(ctx->untrusted, X509_free); - if(ctx->cert) - X509_free(ctx->cert); + if (X509_STORE_CTX_get0_untrusted(ctx)) + sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free); + if (X509_STORE_CTX_get0_cert(ctx)) + X509_free(X509_STORE_CTX_get0_cert(ctx)); X509_STORE_CTX_free(ctx); } @@ -465,7 +468,7 @@ ossl_x509stctx_get_chain(VALUE self) VALUE ary; GetX509StCtx(self, ctx); - if((chain = X509_STORE_CTX_get_chain(ctx)) == NULL){ + if((chain = X509_STORE_CTX_get0_chain(ctx)) == NULL){ return Qnil; } if((num = sk_X509_num(chain)) < 0){ @@ -538,11 +541,14 @@ static VALUE ossl_x509stctx_get_curr_crl(VALUE self) { X509_STORE_CTX *ctx; + X509_CRL *crl; GetX509StCtx(self, ctx); - if(!ctx->current_crl) return Qnil; + crl = X509_STORE_CTX_get0_current_crl(ctx); + if (!crl) + return Qnil; - return ossl_x509crl_new(ctx->current_crl); + return ossl_x509crl_new(crl); } static VALUE diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb index 3c90a5de02..dd58e4ac98 100644 --- a/test/openssl/test_hmac.rb +++ b/test/openssl/test_hmac.rb @@ -36,4 +36,11 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase result = hmac.update(data).hexdigest assert_equal "a13984b929a07912e4e21c5720876a8e150d6f67f854437206e7f86547248396", result end + + def test_reset_keep_key + first = @h1.update("test").hexdigest + @h2.reset + second = @h2.update("test").hexdigest + assert_equal first, second + end end if defined?(OpenSSL::TestUtils) |