summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorrhe <rhe@ruby-lang.org>2016-08-29 05:47:09 +0000
committerrhe <rhe@ruby-lang.org>2016-08-29 05:47:09 +0000
commit35599b7efe1a79441d80e6d1575398bf1cbf6442 (patch)
tree81894615695f962bf52101e11737bad3874620a3
parentf8316bff03aa6c510ac801b4367bab74a3b7c2c5 (diff)
downloadruby-openssl-history-35599b7efe1a79441d80e6d1575398bf1cbf6442.tar.gz
import Ruby/OpenSSL 2.0.0.beta.1
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1 [Feature #9612] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ext/openssl/extconf.rb1
-rw-r--r--ext/openssl/openssl_missing.c6
-rw-r--r--ext/openssl/openssl_missing.h12
-rw-r--r--ext/openssl/ossl.c181
-rw-r--r--ext/openssl/ossl.h25
-rw-r--r--ext/openssl/ossl_asn1.c22
-rw-r--r--ext/openssl/ossl_asn1.h6
-rw-r--r--ext/openssl/ossl_bio.c4
-rw-r--r--ext/openssl/ossl_bn.c165
-rw-r--r--ext/openssl/ossl_cipher.c273
-rw-r--r--ext/openssl/ossl_config.c17
-rw-r--r--ext/openssl/ossl_config.h1
-rw-r--r--ext/openssl/ossl_digest.c30
-rw-r--r--ext/openssl/ossl_engine.c8
-rw-r--r--ext/openssl/ossl_hmac.c100
-rw-r--r--ext/openssl/ossl_ns_spki.c3
-rw-r--r--ext/openssl/ossl_ocsp.c108
-rw-r--r--ext/openssl/ossl_pkcs12.c37
-rw-r--r--ext/openssl/ossl_pkcs5.c18
-rw-r--r--ext/openssl/ossl_pkcs7.c17
-rw-r--r--ext/openssl/ossl_pkey.c42
-rw-r--r--ext/openssl/ossl_pkey.h2
-rw-r--r--ext/openssl/ossl_pkey_dh.c47
-rw-r--r--ext/openssl/ossl_pkey_dsa.c42
-rw-r--r--ext/openssl/ossl_pkey_ec.c377
-rw-r--r--ext/openssl/ossl_pkey_rsa.c38
-rw-r--r--ext/openssl/ossl_rand.c17
-rw-r--r--ext/openssl/ossl_ssl.c204
-rw-r--r--ext/openssl/ossl_ssl_session.c76
-rw-r--r--ext/openssl/ossl_version.h2
-rw-r--r--ext/openssl/ossl_x509.c80
-rw-r--r--ext/openssl/ossl_x509.h3
-rw-r--r--ext/openssl/ossl_x509attr.c44
-rw-r--r--ext/openssl/ossl_x509cert.c41
-rw-r--r--ext/openssl/ossl_x509crl.c65
-rw-r--r--ext/openssl/ossl_x509ext.c100
-rw-r--r--ext/openssl/ossl_x509name.c49
-rw-r--r--ext/openssl/ossl_x509req.c20
-rw-r--r--ext/openssl/ossl_x509revoked.c49
-rw-r--r--ext/openssl/ossl_x509store.c224
-rw-r--r--lib/openssl/cipher.rb38
-rw-r--r--lib/openssl/digest.rb12
-rw-r--r--lib/openssl/pkey.rb3
-rw-r--r--lib/openssl/ssl.rb112
-rw-r--r--sample/cipher.rb4
-rw-r--r--test/test_cipher.rb90
-rw-r--r--test/test_config.rb2
-rw-r--r--test/test_engine.rb13
-rw-r--r--test/test_ocsp.rb159
-rw-r--r--test/test_pair.rb34
-rw-r--r--test/test_partial_record_read.rb35
-rw-r--r--test/test_pkcs12.rb5
-rw-r--r--test/test_pkey.rb49
-rw-r--r--test/test_pkey_dh.rb78
-rw-r--r--test/test_pkey_dsa.rb275
-rw-r--r--test/test_pkey_ec.rb419
-rw-r--r--test/test_pkey_rsa.rb344
-rw-r--r--test/test_ssl.rb267
-rw-r--r--test/test_ssl_session.rb6
-rw-r--r--test/test_x509attr.rb11
-rw-r--r--test/test_x509crl.rb4
-rw-r--r--test/test_x509ext.rb30
-rw-r--r--test/test_x509name.rb5
-rw-r--r--test/test_x509req.rb7
-rw-r--r--test/test_x509store.rb7
-rw-r--r--test/ut_eof.rb129
-rw-r--r--test/utils.rb38
67 files changed, 2919 insertions, 1813 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index ad92a28..bf78428 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -147,6 +147,7 @@ have_func("EVP_PKEY_up_ref")
OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
have_func("SSL_CTX_get_security_level")
+have_func("X509_get0_notBefore")
Logging::message "=== Checking done. ===\n"
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index cb22647..cc13b7a 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -150,7 +150,8 @@ HMAC_CTX_free(HMAC_CTX *ctx)
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void
-X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl)
+X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = crl->signature;
@@ -161,7 +162,8 @@ X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
void
-X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req)
+X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = req->signature;
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 769c7c2..897d623 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -110,11 +110,11 @@ void HMAC_CTX_free(HMAC_CTX *ctx);
#endif
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
-void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl);
+void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
-void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req);
+void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
@@ -231,6 +231,14 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+# define X509_get0_notBefore(x) X509_get_notBefore(x)
+# define X509_get0_notAfter(x) X509_get_notAfter(x)
+# define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
+# define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
#endif
#endif /* _OSSL_OPENSSL_MISSING_H_ */
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 83baa7b..a9000f2 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -9,40 +9,7 @@
*/
#include "ossl.h"
#include <stdarg.h> /* for ossl_raise */
-
-/*
- * String to HEXString conversion
- */
-int
-string2hex(const unsigned char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
-{
- static const char hex[]="0123456789abcdef";
- int i, len;
-
- if (buf_len < 0 || buf_len > INT_MAX / 2) { /* PARANOIA? */
- return -1;
- }
- len = 2 * buf_len;
- if (!hexbuf) { /* if no buf, return calculated len */
- if (hexbuf_len) {
- *hexbuf_len = len;
- }
- return len;
- }
- if (!(*hexbuf = OPENSSL_malloc(len + 1))) {
- return -1;
- }
- for (i = 0; i < buf_len; i++) {
- (*hexbuf)[2 * i] = hex[((unsigned char)buf[i]) >> 4];
- (*hexbuf)[2 * i + 1] = hex[buf[i] & 0x0f];
- }
- (*hexbuf)[2 * i] = '\0';
-
- if (hexbuf_len) {
- *hexbuf_len = len;
- }
- return len;
-}
+#include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
/*
* Data Conversion
@@ -77,7 +44,7 @@ STACK_OF(type) * \
ossl_protect_##name##_ary2sk(VALUE ary, int *status) \
{ \
return (STACK_OF(type)*)rb_protect( \
- (VALUE(*)_((VALUE)))ossl_##name##_ary2sk0, \
+ (VALUE (*)(VALUE))ossl_##name##_ary2sk0, \
ary, \
status); \
} \
@@ -97,7 +64,7 @@ OSSL_IMPL_ARY2SK(x509, X509, cX509Cert, DupX509CertPtr)
#define OSSL_IMPL_SK2ARY(name, type) \
VALUE \
-ossl_##name##_sk2ary(STACK_OF(type) *sk) \
+ossl_##name##_sk2ary(const STACK_OF(type) *sk) \
{ \
type *t; \
int i, num; \
@@ -136,7 +103,7 @@ ossl_buf2str(char *buf, int len)
VALUE str;
int status = 0;
- str = rb_protect((VALUE(*)_((VALUE)))ossl_str_new, len, &status);
+ str = rb_protect((VALUE (*)(VALUE))ossl_str_new, len, &status);
if(!NIL_P(str)) memcpy(RSTRING_PTR(str), buf, len);
OPENSSL_free(buf);
if(status) rb_jump_tag(status);
@@ -144,6 +111,21 @@ ossl_buf2str(char *buf, int len)
return str;
}
+void
+ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
+{
+ const char *hex = "0123456789abcdef";
+ size_t i;
+
+ assert(inlen <= LONG_MAX / 2);
+ for (i = 0; i < inlen; i++) {
+ unsigned char p = in[i];
+
+ out[i * 2 + 0] = hex[p >> 4];
+ out[i * 2 + 1] = hex[p & 0x0f];
+ }
+}
+
/*
* our default PEM callback
*/
@@ -242,54 +224,54 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
int ossl_store_ctx_ex_verify_cb_idx;
int ossl_store_ex_verify_cb_idx;
-VALUE
+struct ossl_verify_cb_args {
+ VALUE proc;
+ VALUE preverify_ok;
+ VALUE store_ctx;
+};
+
+static VALUE
ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args)
{
return rb_funcall(args->proc, rb_intern("call"), 2,
- args->preverify_ok, args->store_ctx);
+ args->preverify_ok, args->store_ctx);
}
int
-ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
+ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
{
- VALUE proc, rctx, ret;
+ VALUE rctx, ret;
struct ossl_verify_cb_args args;
- int state = 0;
+ int state;
- proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx);
- if (!proc)
- proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx);
- if (!proc)
+ if (NIL_P(proc))
return ok;
- if (!NIL_P(proc)) {
- ret = Qfalse;
- rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new,
- (VALUE)ctx, &state);
+
+ ret = Qfalse;
+ rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new, (VALUE)ctx, &state);
+ if (state) {
+ rb_set_errinfo(Qnil);
+ rb_warn("StoreContext initialization failure");
+ }
+ else {
+ args.proc = proc;
+ args.preverify_ok = ok ? Qtrue : Qfalse;
+ args.store_ctx = rctx;
+ ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
if (state) {
rb_set_errinfo(Qnil);
- rb_warn("StoreContext initialization failure");
- }
- else {
- args.proc = proc;
- args.preverify_ok = ok ? Qtrue : Qfalse;
- args.store_ctx = rctx;
- ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
- if (state) {
- rb_set_errinfo(Qnil);
- rb_warn("exception in verify_callback is ignored");
- }
- ossl_x509stctx_clear_ptr(rctx);
- }
- if (ret == Qtrue) {
- X509_STORE_CTX_set_error(ctx, X509_V_OK);
- ok = 1;
- }
- else{
- if (X509_STORE_CTX_get_error(ctx) == X509_V_OK) {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
- }
- ok = 0;
+ rb_warn("exception in verify_callback is ignored");
}
+ ossl_x509stctx_clear_ptr(rctx);
+ }
+ if (ret == Qtrue) {
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ ok = 1;
+ }
+ else {
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_OK)
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
+ ok = 0;
}
return ok;
@@ -453,24 +435,14 @@ ossl_debug_get(VALUE self)
* call-seq:
* OpenSSL.debug = boolean -> boolean
*
- * Turns on or off CRYPTO_MEM_CHECK.
- * Also shows some debugging message on stderr.
+ * Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
+ * error queue will be printed to stderr.
*/
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
- VALUE old = dOSSL;
- dOSSL = val;
-
- if (old != dOSSL) {
- if (dOSSL == Qtrue) {
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- fprintf(stderr, "OSSL_DEBUG: IS NOW ON!\n");
- } else if (old == Qtrue) {
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
- fprintf(stderr, "OSSL_DEBUG: IS NOW OFF!\n");
- }
- }
+ dOSSL = RTEST(val) ? Qtrue : Qfalse;
+
return val;
}
@@ -483,9 +455,8 @@ ossl_debug_set(VALUE self, VALUE val)
* so otherwise will result in an error.
*
* === Examples
- *
- * OpenSSL.fips_mode = true # turn FIPS mode on
- * OpenSSL.fips_mode = false # and off again
+ * OpenSSL.fips_mode = true # turn FIPS mode on
+ * OpenSSL.fips_mode = false # and off again
*/
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
@@ -512,7 +483,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
/**
* Stores locks needed for OpenSSL thread safety
*/
-#include "ruby/thread_native.h"
static rb_nativethread_lock_t *ossl_locks;
static void
@@ -602,20 +572,6 @@ static void Init_ossl_locks(void)
* OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
* OpenSSL[http://www.openssl.org/] library.
*
- * = Install
- *
- * OpenSSL comes bundled with the Standard Library of Ruby.
- *
- * This means the OpenSSL extension is compiled with Ruby and packaged on
- * build. During compile time, Ruby will need to link against the OpenSSL
- * library on your system. However, you cannot use openssl provided by Apple to
- * build standard library openssl.
- *
- * If you use OSX, you should install another openssl and run ```./configure
- * --with-openssl-dir=/path/to/another-openssl```. For Homebrew user, run `brew
- * install openssl` and then ```./configure --with-openssl-dir=`brew --prefix
- * openssl` ```.
- *
* = Examples
*
* All examples assume you have loaded OpenSSL with:
@@ -660,10 +616,12 @@ static void Init_ossl_locks(void)
*
* key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
* key2.public? # => true
+ * key2.private? # => true
*
* or
*
* key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
+ * key3.public? # => true
* key3.private? # => false
*
* === Loading an Encrypted Key
@@ -910,7 +868,7 @@ static void Init_ossl_locks(void)
* ca_key = OpenSSL::PKey::RSA.new 2048
* pass_phrase = 'my secure pass phrase goes here'
*
- * cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
+ * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
*
* open 'ca_key.pem', 'w', 0400 do |io|
* io.write ca_key.export(cipher, pass_phrase)
@@ -1063,15 +1021,21 @@ static void Init_ossl_locks(void)
* SSLSocket#connect must be called to initiate the SSL handshake and start
* encryption. A key and certificate are not required for the client socket.
*
+ * Note that SSLSocket#close doesn't close the underlying socket by default. Set
+ * SSLSocket#sync_close to true if you want.
+ *
* require 'socket'
*
* tcp_socket = TCPSocket.new 'localhost', 5000
* ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
+ * ssl_client.sync_close = true
* ssl_client.connect
*
* ssl_client.puts "hello server!"
* puts ssl_client.gets
*
+ * ssl_client.close # shutdown the TLS connection and close tcp_socket
+ *
* === Peer Verification
*
* An unverified SSL connection does not provide much security. For enhanced
@@ -1160,11 +1124,14 @@ Init_openssl(void)
/*
* Boolean indicating whether OpenSSL is FIPS-enabled or not
*/
+ rb_define_const(mOSSL, "OPENSSL_FIPS",
#ifdef OPENSSL_FIPS
- rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
+ Qtrue
#else
- rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
+ Qfalse
#endif
+ );
+
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
/*
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 2317fa8..864d068 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -97,19 +97,14 @@ extern VALUE eOSSLError;
} while (0)
/*
- * String to HEXString conversion
- */
-int string2hex(const unsigned char *, int, char **, int *);
-
-/*
* Data Conversion
*/
STACK_OF(X509) *ossl_x509_ary2sk0(VALUE);
STACK_OF(X509) *ossl_x509_ary2sk(VALUE);
STACK_OF(X509) *ossl_protect_x509_ary2sk(VALUE,int*);
-VALUE ossl_x509_sk2ary(STACK_OF(X509) *certs);
-VALUE ossl_x509crl_sk2ary(STACK_OF(X509_CRL) *crl);
-VALUE ossl_x509name_sk2ary(STACK_OF(X509_NAME) *names);
+VALUE ossl_x509_sk2ary(const STACK_OF(X509) *certs);
+VALUE ossl_x509crl_sk2ary(const STACK_OF(X509_CRL) *crl);
+VALUE ossl_x509name_sk2ary(const STACK_OF(X509_NAME) *names);
VALUE ossl_buf2str(char *buf, int len);
#define ossl_str_adjust(str, p) \
do{\
@@ -118,6 +113,11 @@ do{\
assert(newlen <= len);\
rb_str_set_len((str), newlen);\
}while(0)
+/*
+ * Convert binary string to hex string. The caller is responsible for
+ * ensuring out has (2 * len) bytes of capacity.
+ */
+void ossl_bin2hex(unsigned char *in, char *out, size_t len);
/*
* Our default PEM callback
@@ -154,14 +154,7 @@ void ossl_clear_error(void);
extern int ossl_store_ctx_ex_verify_cb_idx;
extern int ossl_store_ex_verify_cb_idx;
-struct ossl_verify_cb_args {
- VALUE proc;
- VALUE preverify_ok;
- VALUE store_ctx;
-};
-
-VALUE ossl_call_verify_cb_proc(struct ossl_verify_cb_args *);
-int ossl_verify_cb(int, X509_STORE_CTX *);
+int ossl_verify_cb_call(VALUE, int, X509_STORE_CTX *);
/*
* String to DER String
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index cbedd59..85b1f02 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -28,7 +28,7 @@ static VALUE ossl_asn1eoc_initialize(VALUE self);
* DATE conversion
*/
VALUE
-asn1time_to_time(ASN1_TIME *time)
+asn1time_to_time(const ASN1_TIME *time)
{
struct tm tm;
VALUE argv[6];
@@ -103,7 +103,7 @@ time_to_time_t(VALUE time)
* STRING conversion
*/
VALUE
-asn1str_to_str(ASN1_STRING *str)
+asn1str_to_str(const ASN1_STRING *str)
{
return rb_str_new((const char *)str->data, str->length);
}
@@ -114,7 +114,7 @@ asn1str_to_str(ASN1_STRING *str)
*/
#define DO_IT_VIA_RUBY 0
VALUE
-asn1integer_to_num(ASN1_INTEGER *ai)
+asn1integer_to_num(const ASN1_INTEGER *ai)
{
BIGNUM *bn;
#if DO_IT_VIA_RUBY
@@ -126,7 +126,8 @@ asn1integer_to_num(ASN1_INTEGER *ai)
ossl_raise(rb_eTypeError, "ASN1_INTEGER is NULL!");
}
if (ai->type == V_ASN1_ENUMERATED)
- bn = ASN1_ENUMERATED_to_BN(ai, NULL);
+ /* const_cast: workaround for old OpenSSL */
+ bn = ASN1_ENUMERATED_to_BN((ASN1_ENUMERATED *)ai, NULL);
else
bn = ASN1_INTEGER_to_BN(ai, NULL);
@@ -383,7 +384,7 @@ decode_int(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_INTEGER(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE(*)_((VALUE)))asn1integer_to_num,
+ ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
(VALUE)ai, &status);
ASN1_INTEGER_free(ai);
if(status) rb_jump_tag(status);
@@ -423,7 +424,7 @@ decode_enum(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_ENUMERATED(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE(*)_((VALUE)))asn1integer_to_num,
+ ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
(VALUE)ai, &status);
ASN1_ENUMERATED_free(ai);
if(status) rb_jump_tag(status);
@@ -485,7 +486,7 @@ decode_time(unsigned char* der, long length)
p = der;
if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE(*)_((VALUE)))asn1time_to_time,
+ ret = rb_protect((VALUE (*)(VALUE))asn1time_to_time,
(VALUE)time, &status);
ASN1_TIME_free(time);
if(status) rb_jump_tag(status);
@@ -1471,7 +1472,8 @@ Init_ossl_asn1(void)
int i;
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
sUNIVERSAL = rb_intern("UNIVERSAL");
@@ -1806,10 +1808,6 @@ Init_ossl_asn1(void)
* it is not typically allocated this way, but rather that are received from
* parsed ASN1 encodings.
*
- * While OpenSSL::ASN1::ObjectId.new will allocate a new ObjectId, it is
- * not typically allocated this way, but rather that are received from
- * parsed ASN1 encodings.
- *
* === Additional attributes
* * +sn+: the short name as defined in <openssl/objects.h>.
* * +ln+: the long name as defined in <openssl/objects.h>.
diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h
index b1c85a6..d6a170c 100644
--- a/ext/openssl/ossl_asn1.h
+++ b/ext/openssl/ossl_asn1.h
@@ -13,7 +13,7 @@
/*
* ASN1_DATE conversions
*/
-VALUE asn1time_to_time(ASN1_TIME *);
+VALUE asn1time_to_time(const ASN1_TIME *);
#if defined(HAVE_ASN1_TIME_ADJ)
/* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
* Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
@@ -27,12 +27,12 @@ time_t time_to_time_t(VALUE);
/*
* ASN1_STRING conversions
*/
-VALUE asn1str_to_str(ASN1_STRING *);
+VALUE asn1str_to_str(const ASN1_STRING *);
/*
* ASN1_INTEGER conversions
*/
-VALUE asn1integer_to_num(ASN1_INTEGER *);
+VALUE asn1integer_to_num(const ASN1_INTEGER *);
ASN1_INTEGER *num_to_asn1integer(VALUE, ASN1_INTEGER *);
/*
diff --git a/ext/openssl/ossl_bio.c b/ext/openssl/ossl_bio.c
index cd25826..feaf229 100644
--- a/ext/openssl/ossl_bio.c
+++ b/ext/openssl/ossl_bio.c
@@ -51,7 +51,7 @@ BIO *
ossl_protect_obj2bio(VALUE obj, int *status)
{
BIO *ret = NULL;
- ret = (BIO*)rb_protect((VALUE(*)_((VALUE)))ossl_obj2bio, obj, status);
+ ret = (BIO*)rb_protect((VALUE (*)(VALUE))ossl_obj2bio, obj, status);
return ret;
}
@@ -70,7 +70,7 @@ ossl_membio2str0(BIO *bio)
VALUE
ossl_protect_membio2str(BIO *bio, int *status)
{
- return rb_protect((VALUE(*)_((VALUE)))ossl_membio2str0, (VALUE)bio, status);
+ return rb_protect((VALUE (*)(VALUE))ossl_membio2str0, (VALUE)bio, status);
}
VALUE
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index 6a0a21e..19a868c 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -52,8 +52,6 @@ VALUE cBN;
/* Document-class: OpenSSL::BNError
*
- * BNError < OpenSSLError
- *
* Generic Error for all of OpenSSL::BN (big num)
*/
VALUE eBNError;
@@ -78,24 +76,65 @@ ossl_bn_new(const BIGNUM *bn)
}
static BIGNUM *
+integer_to_bnptr(VALUE obj, BIGNUM *orig)
+{
+ BIGNUM *bn;
+
+ if (FIXNUM_P(obj)) {
+ long i;
+ unsigned char bin[sizeof(long)];
+ long n = FIX2LONG(obj);
+ unsigned long un = labs(n);
+
+ for (i = sizeof(long) - 1; 0 <= i; i--) {
+ bin[i] = un & 0xff;
+ un >>= 8;
+ }
+
+ bn = BN_bin2bn(bin, sizeof(bin), orig);
+ if (!bn)
+ ossl_raise(eBNError, "BN_bin2bn");
+ if (n < 0)
+ BN_set_negative(bn, 1);
+ }
+ else { /* assuming Bignum */
+ size_t len = rb_absint_size(obj, NULL);
+ unsigned char *bin;
+ VALUE buf;
+ int sign;
+
+ if (INT_MAX < len) {
+ rb_raise(eBNError, "bignum too long");
+ }
+ bin = (unsigned char*)ALLOCV_N(unsigned char, buf, len);
+ sign = rb_integer_pack(obj, bin, len, 1, 0, INTEGER_PACK_BIG_ENDIAN);
+
+ bn = BN_bin2bn(bin, (int)len, orig);
+ ALLOCV_END(buf);
+ if (!bn)
+ ossl_raise(eBNError, "BN_bin2bn");
+ if (sign < 0)
+ BN_set_negative(bn, 1);
+ }
+
+ return bn;
+}
+
+static BIGNUM *
try_convert_to_bnptr(VALUE obj)
{
BIGNUM *bn = NULL;
VALUE newobj;
- if (RTEST(rb_obj_is_kind_of(obj, cBN))) {
+ if (rb_obj_is_kind_of(obj, cBN)) {
GetBN(obj, bn);
- } else switch (TYPE(obj)) {
- case T_FIXNUM:
- case T_BIGNUM:
- obj = rb_String(obj);
- newobj = NewBN(cBN); /* GC bug */
- if (!BN_dec2bn(&bn, StringValueCStr(obj))) {
- ossl_raise(eBNError, NULL);
- }
- SetBN(newobj, bn); /* Handle potencial mem leaks */
- break;
}
+ else if (RB_INTEGER_TYPE_P(obj)) {
+ newobj = NewBN(cBN); /* Handle potencial mem leaks */
+ bn = integer_to_bnptr(obj, NULL);
+ SetBN(newobj, bn);
+ }
+
return bn;
}
@@ -135,6 +174,7 @@ ossl_bn_alloc(VALUE klass)
/* Document-method: OpenSSL::BN.new
*
+ * call-seq:
* OpenSSL::BN.new => aBN
* OpenSSL::BN.new(bn) => aBN
* OpenSSL::BN.new(integer) => aBN
@@ -154,45 +194,13 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
base = NUM2INT(bs);
}
- if (RB_TYPE_P(str, T_FIXNUM)) {
- long i;
- unsigned char bin[sizeof(long)];
- long n = FIX2LONG(str);
- unsigned long un = labs(n);
-
- for (i = sizeof(long) - 1; 0 <= i; i--) {
- bin[i] = un&0xff;
- un >>= 8;
- }
-
+ if (RB_INTEGER_TYPE_P(str)) {
GetBN(self, bn);
- if (!BN_bin2bn(bin, sizeof(bin), bn)) {
- ossl_raise(eBNError, NULL);
- }
- if (n < 0) BN_set_negative(bn, 1);
- return self;
- }
- else if (RB_TYPE_P(str, T_BIGNUM)) {
- size_t len = rb_absint_size(str, NULL);
- unsigned char *bin;
- VALUE buf;
- int sign;
-
- if (INT_MAX < len) {
- rb_raise(eBNError, "bignum too long");
- }
- bin = (unsigned char*)ALLOCV_N(unsigned char, buf, len);
- sign = rb_integer_pack(str, bin, len, 1, 0, INTEGER_PACK_BIG_ENDIAN);
+ integer_to_bnptr(str, bn);
- GetBN(self, bn);
- if (!BN_bin2bn(bin, (int)len, bn)) {
- ALLOCV_END(buf);
- ossl_raise(eBNError, NULL);
- }
- ALLOCV_END(buf);
- if (sign < 0) BN_set_negative(bn, 1);
return self;
}
+
if (RTEST(rb_obj_is_kind_of(str, cBN))) {
BIGNUM *other;
@@ -239,11 +247,11 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
*
* === Parameters
* * +base+ - integer
- * * * Valid values:
- * * * * 0 - MPI
- * * * * 2 - binary
- * * * * 10 - the default
- * * * * 16 - hex
+ * Valid values:
+ * * 0 - MPI
+ * * 2 - binary
+ * * 10 - the default
+ * * 16 - hex
*/
static VALUE
ossl_bn_to_s(int argc, VALUE *argv, VALUE self)
@@ -346,18 +354,21 @@ ossl_bn_coerce(VALUE self, VALUE other)
/*
* Document-method: OpenSSL::BN#zero?
+ * call-seq:
* bn.zero? => true | false
*/
BIGNUM_BOOL1(is_zero)
/*
* Document-method: OpenSSL::BN#one?
+ * call-seq:
* bn.one? => true | false
*/
BIGNUM_BOOL1(is_one)
/*
* Document-method: OpenSSL::BN#odd?
+ * call-seq:
* bn.odd? => true | false
*/
BIGNUM_BOOL1(is_odd)
@@ -383,6 +394,7 @@ BIGNUM_BOOL1(is_odd)
/*
* Document-method: OpenSSL::BN#sqr
+ * call-seq:
* bn.sqr => aBN
*/
BIGNUM_1c(sqr)
@@ -408,12 +420,14 @@ BIGNUM_1c(sqr)
/*
* Document-method: OpenSSL::BN#+
+ * call-seq:
* bn + bn2 => aBN
*/
BIGNUM_2(add)
/*
* Document-method: OpenSSL::BN#-
+ * call-seq:
* bn - bn2 => aBN
*/
BIGNUM_2(sub)
@@ -439,42 +453,49 @@ BIGNUM_2(sub)
/*
* Document-method: OpenSSL::BN#*
+ * call-seq:
* bn * bn2 => aBN
*/
BIGNUM_2c(mul)
/*
* Document-method: OpenSSL::BN#%
+ * call-seq:
* bn % bn2 => aBN
*/
BIGNUM_2c(mod)
/*
* Document-method: OpenSSL::BN#**
+ * call-seq:
* bn ** bn2 => aBN
*/
BIGNUM_2c(exp)
/*
* Document-method: OpenSSL::BN#gcd
+ * call-seq:
* bn.gcd(bn2) => aBN
*/
BIGNUM_2c(gcd)
/*
* Document-method: OpenSSL::BN#mod_sqr
+ * call-seq:
* bn.mod_sqr(bn2) => aBN
*/
BIGNUM_2c(mod_sqr)
/*
* Document-method: OpenSSL::BN#mod_inverse
+ * call-seq:
* bn.mod_inverse(bn2) => aBN
*/
BIGNUM_2c(mod_inverse)
/*
* Document-method: OpenSSL::BN#/
+ * call-seq:
* bn1 / bn2 => [result, remainder]
*
* Division of OpenSSL::BN instances
@@ -529,24 +550,28 @@ ossl_bn_div(VALUE self, VALUE other)
/*
* Document-method: OpenSSL::BN#mod_add
+ * call-seq:
* bn.mod_add(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_add)
/*
* Document-method: OpenSSL::BN#mod_sub
+ * call-seq:
* bn.mod_sub(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_sub)
/*
* Document-method: OpenSSL::BN#mod_mul
+ * call-seq:
* bn.mod_mul(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_mul)
/*
* Document-method: OpenSSL::BN#mod_exp
+ * call-seq:
* bn.mod_exp(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_exp)
@@ -565,29 +590,31 @@ BIGNUM_3c(mod_exp)
/*
* Document-method: OpenSSL::BN#set_bit!
+ * call-seq:
* bn.set_bit!(bit) -> self
*/
BIGNUM_BIT(set_bit)
/*
* Document-method: OpenSSL::BN#clear_bit!
+ * call-seq:
* bn.clear_bit!(bit) -> self
*/
BIGNUM_BIT(clear_bit)
/*
* Document-method: OpenSSL::BN#mask_bit!
+ * call-seq:
* bn.mask_bit!(bit) -> self
*/
BIGNUM_BIT(mask_bits)
/* Document-method: OpenSSL::BN#bit_set?
+ * call-seq:
+ * bn.bit_set?(bit) => true | false
*
* Returns boolean of whether +bit+ is set.
* Bitwise operations for openssl BIGNUMs.
- *
- * bn.bit_set?(bit) => true | false
- *
*/
static VALUE
ossl_bn_is_bit_set(VALUE self, VALUE bit)
@@ -653,12 +680,14 @@ BIGNUM_SHIFT(rshift)
/*
* Document-method: OpenSSL::BN#lshift!
+ * call-seq:
* bn.lshift!(bits) -> self
*/
BIGNUM_SELF_SHIFT(lshift)
/*
* Document-method: OpenSSL::BN#rshift!
+ * call-seq:
* bn.rshift!(bits) -> self
*/
BIGNUM_SELF_SHIFT(rshift)
@@ -722,6 +751,7 @@ BIGNUM_RAND(pseudo_rand)
/*
* Document-method: OpenSSL::BN.rand_range
+ * call-seq:
* BN.rand_range(range) -> aBN
*
*/
@@ -729,6 +759,7 @@ BIGNUM_RAND_RANGE(rand)
/*
* Document-method: OpenSSL::BN.pseudo_rand_range
+ * call-seq:
* BN.pseudo_rand_range(range) -> aBN
*
*/
@@ -785,17 +816,19 @@ ossl_bn_s_generate_prime(int argc, VALUE *argv, VALUE klass)
{ \
BIGNUM *bn; \
GetBN(self, bn); \
- return INT2FIX(BN_##func(bn)); \
+ return INT2NUM(BN_##func(bn)); \
}
/*
* Document-method: OpenSSL::BN#num_bytes
+ * call-seq:
* bn.num_bytes => integer
*/
BIGNUM_NUM(num_bytes)
/*
* Document-method: OpenSSL::BN#num_bits
+ * call-seq:
* bn.num_bits => integer
*/
BIGNUM_NUM(num_bits)
@@ -824,21 +857,24 @@ ossl_bn_copy(VALUE self, VALUE other)
{ \
BIGNUM *bn1, *bn2 = GetBNPtr(other); \
GetBN(self, bn1); \
- return INT2FIX(BN_##func(bn1, bn2)); \
+ return INT2NUM(BN_##func(bn1, bn2)); \
}
/*
* Document-method: OpenSSL::BN#cmp
+ * call-seq:
* bn.cmp(bn2) => integer
*/
/*
* Document-method: OpenSSL::BN#<=>
+ * call-seq:
* bn <=> bn2 => integer
*/
BIGNUM_CMP(cmp)
/*
* Document-method: OpenSSL::BN#ucmp
+ * call-seq:
* bn.ucmp(bn2) => integer
*/
BIGNUM_CMP(ucmp)
@@ -921,9 +957,9 @@ ossl_bn_hash(VALUE self)
* bn.prime? => true | false
* bn.prime?(checks) => true | false
*
- * Performs a Miller-Rabin probabilistic primality test with +checks+
- * iterations. If +nchecks+ is not specified, a number of iterations is used
- * that yields a false positive rate of at most 2^-80 for random input.
+ * Performs a Miller-Rabin probabilistic primality test with +checks+
+ * iterations. If +nchecks+ is not specified, a number of iterations is used
+ * that yields a false positive rate of at most 2^-80 for random input.
*
* === Parameters
* * +checks+ - integer
@@ -957,8 +993,8 @@ ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)
* bn.prime_fasttest?(checks) => true | false
* bn.prime_fasttest?(checks, trial_div) => true | false
*
- * Performs a Miller-Rabin primality test. This is same as #prime? except this
- * first attempts trial divisions with some small primes.
+ * Performs a Miller-Rabin primality test. This is same as #prime? except this
+ * first attempts trial divisions with some small primes.
*
* === Parameters
* * +checks+ - integer
@@ -1001,7 +1037,8 @@ void
Init_ossl_bn(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
if (!(ossl_bn_ctx = BN_CTX_new())) {
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index be7a032..f1f3459 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -36,6 +36,7 @@
*/
VALUE cCipher;
VALUE eCipherError;
+static ID id_auth_tag_len;
static VALUE ossl_cipher_alloc(VALUE klass);
static void ossl_cipher_free(void *ptr);
@@ -54,11 +55,24 @@ static const rb_data_type_t ossl_cipher_type = {
const EVP_CIPHER *
GetCipherPtr(VALUE obj)
{
- EVP_CIPHER_CTX *ctx;
+ if (rb_obj_is_kind_of(obj, cCipher)) {
+ EVP_CIPHER_CTX *ctx;
+
+ GetCipher(obj, ctx);
+
+ return EVP_CIPHER_CTX_cipher(ctx);
+ }
+ else {
+ const EVP_CIPHER *cipher;
- SafeGetCipher(obj, ctx);
+ StringValueCStr(obj);
+ cipher = EVP_get_cipherbyname(RSTRING_PTR(obj));
+ if (!cipher)
+ ossl_raise(rb_eArgError,
+ "unsupported cipher algorithm: %"PRIsVALUE, obj);
- return EVP_CIPHER_CTX_cipher(ctx);
+ return cipher;
+ }
}
VALUE
@@ -248,7 +262,7 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
*
* Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
* following methods:
- * * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
+ * * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
*
* Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 1).
*/
@@ -266,7 +280,7 @@ ossl_cipher_encrypt(int argc, VALUE *argv, VALUE self)
*
* Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
* following methods:
- * * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
+ * * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
*
* Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 0).
*/
@@ -278,20 +292,20 @@ ossl_cipher_decrypt(int argc, VALUE *argv, VALUE self)
/*
* call-seq:
- * cipher.pkcs5_keyivgen(pass [, salt [, iterations [, digest]]] ) -> nil
+ * cipher.pkcs5_keyivgen(pass, salt = nil, iterations = 2048, digest = "MD5") -> nil
*
* Generates and sets the key/IV based on a password.
*
- * WARNING: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
+ * *WARNING*: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
* or DES with MD5 or SHA1. Using anything else (like AES) will generate the
* key/iv using an OpenSSL specific method. This method is deprecated and
* should no longer be used. Use a PKCS5 v2 key generation method from
* OpenSSL::PKCS5 instead.
*
* === Parameters
- * +salt+ must be an 8 byte string if provided.
- * +iterations+ is a integer with a default of 2048.
- * +digest+ is a Digest object that defaults to 'MD5'
+ * * +salt+ must be an 8 byte string if provided.
+ * * +iterations+ is a integer with a default of 2048.
+ * * +digest+ is a Digest object that defaults to 'MD5'
*
* A minimum of 1000 iterations is recommended.
*
@@ -331,25 +345,23 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
const unsigned char *in, long in_len)
{
int out_part_len;
+ int limit = INT_MAX / 2 + 1;
long out_len = 0;
-#define UPDATE_LENGTH_LIMIT INT_MAX
-
-#if SIZEOF_LONG > UPDATE_LENGTH_LIMIT
- if (in_len > UPDATE_LENGTH_LIMIT) {
- const int in_part_len = (UPDATE_LENGTH_LIMIT / 2 + 1) & ~1;
- do {
- if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
- &out_part_len, in, in_part_len))
- return 0;
- out_len += out_part_len;
- in += in_part_len;
- } while ((in_len -= in_part_len) > UPDATE_LENGTH_LIMIT);
- }
-#endif
- if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
- &out_part_len, in, (int)in_len))
- return 0;
- if (out_len_ptr) *out_len_ptr = out_len += out_part_len;
+
+ do {
+ int in_part_len = in_len > limit ? limit : (int)in_len;
+
+ if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
+ &out_part_len, in, in_part_len))
+ return 0;
+
+ out_len += out_part_len;
+ in += in_part_len;
+ } while ((in_len -= limit) > 0);
+
+ if (out_len_ptr)
+ *out_len_ptr = out_len;
+
return 1;
}
@@ -362,9 +374,8 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
* data chunk. When done, the output of Cipher#final should be additionally
* added to the result.
*
- * === Parameters
- * +data+ is a nonempty string.
- * +buffer+ is an optional string to store the result.
+ * If +buffer+ is given, the encryption/decryption result will be written to
+ * it. +buffer+ will be resized automatically.
*/
static VALUE
ossl_cipher_update(int argc, VALUE *argv, VALUE self)
@@ -499,12 +510,17 @@ static VALUE
ossl_cipher_set_iv(VALUE self, VALUE iv)
{
EVP_CIPHER_CTX *ctx;
- int iv_len;
+ int iv_len = 0;
StringValue(iv);
GetCipher(self, ctx);
- iv_len = EVP_CIPHER_CTX_iv_length(ctx);
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
+ if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
+#endif
+ if (!iv_len)
+ iv_len = EVP_CIPHER_CTX_iv_length(ctx);
if (RSTRING_LEN(iv) != iv_len)
ossl_raise(rb_eArgError, "iv must be %d bytes", iv_len);
@@ -562,8 +578,9 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
* then set on the decryption cipher to authenticate the contents of the
* ciphertext against changes. If the optional integer parameter +tag_len+ is
* given, the returned tag will be +tag_len+ bytes long. If the parameter is
- * omitted, the maximum length of 16 bytes will be returned. For maximum
- * security, the default of 16 bytes should be chosen.
+ * omitted, the default length of 16 bytes or the length previously set by
+ * #auth_tag_len= will be used. For maximum security, the longest possible
+ * should be chosen.
*
* The tag may only be retrieved after calling Cipher#final.
*/
@@ -574,7 +591,10 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
EVP_CIPHER_CTX *ctx;
int tag_len = 16;
- if (rb_scan_args(argc, argv, "01", &vtag_len) == 1)
+ rb_scan_args(argc, argv, "01", &vtag_len);
+ if (NIL_P(vtag_len))
+ vtag_len = rb_attr_get(self, id_auth_tag_len);
+ if (!NIL_P(vtag_len))
tag_len = NUM2INT(vtag_len);
GetCipher(self, ctx);
@@ -600,6 +620,9 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
* decrypting any of the ciphertext. After all decryption is
* performed, the tag is verified automatically in the call to
* Cipher#final.
+ *
+ * For OCB mode, the tag length must be supplied with #auth_tag_len=
+ * beforehand.
*/
static VALUE
ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
@@ -624,6 +647,36 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
/*
* call-seq:
+ * cipher.auth_tag_len = Integer -> Integer
+ *
+ * Sets the length of the authentication tag to be generated or to be given for
+ * AEAD ciphers that requires it as in input parameter. Note that not all AEAD
+ * ciphers support this method.
+ *
+ * In OCB mode, the length must be supplied both when encrypting and when
+ * decrypting, and must be before specifying an IV.
+ */
+static VALUE
+ossl_cipher_set_auth_tag_len(VALUE self, VALUE vlen)
+{
+ int tag_len = NUM2INT(vlen);
+ EVP_CIPHER_CTX *ctx;
+
+ GetCipher(self, ctx);
+ if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+ ossl_raise(eCipherError, "AEAD not supported by this cipher");
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, NULL))
+ ossl_raise(eCipherError, "unable to set authentication tag length");
+
+ /* for #auth_tag */
+ rb_ivar_set(self, id_auth_tag_len, INT2NUM(tag_len));
+
+ return vlen;
+}
+
+/*
+ * call-seq:
* cipher.authenticated? -> boolean
*
* Indicated whether this Cipher instance uses an Authenticated Encryption
@@ -638,11 +691,43 @@ ossl_cipher_is_authenticated(VALUE self)
return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
}
+
+/*
+ * call-seq:
+ * cipher.iv_len = integer -> integer
+ *
+ * Sets the IV/nonce length of the Cipher. Normally block ciphers don't allow
+ * changing the IV length, but some make use of IV for 'nonce'. You may need
+ * this for interoperability with other applications.
+ */
+static VALUE
+ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
+{
+ int len = NUM2INT(iv_length);
+ EVP_CIPHER_CTX *ctx;
+
+ GetCipher(self, ctx);
+ if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+ ossl_raise(eCipherError, "cipher does not support AEAD");
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL))
+ ossl_raise(eCipherError, "unable to set IV length");
+
+ /*
+ * EVP_CIPHER_CTX_iv_length() returns the default length. So we need to save
+ * the length somewhere. Luckily currently we aren't using app_data.
+ */
+ EVP_CIPHER_CTX_set_app_data(ctx, (void *)(VALUE)len);
+
+ return iv_length;
+}
#else
#define ossl_cipher_set_auth_data rb_f_notimplement
#define ossl_cipher_get_auth_tag rb_f_notimplement
#define ossl_cipher_set_auth_tag rb_f_notimplement
+#define ossl_cipher_set_auth_tag_len rb_f_notimplement
#define ossl_cipher_is_authenticated rb_f_notimplement
+#define ossl_cipher_set_iv_length rb_f_notimplement
#endif
/*
@@ -692,36 +777,60 @@ ossl_cipher_set_padding(VALUE self, VALUE padding)
return padding;
}
-#define CIPHER_0ARG_INT(func) \
- static VALUE \
- ossl_cipher_##func(VALUE self) \
- { \
- EVP_CIPHER_CTX *ctx; \
- GetCipher(self, ctx); \
- return INT2NUM(EVP_CIPHER_##func(EVP_CIPHER_CTX_cipher(ctx))); \
- }
-
/*
* call-seq:
* cipher.key_len -> integer
*
* Returns the key length in bytes of the Cipher.
*/
-CIPHER_0ARG_INT(key_length)
+static VALUE
+ossl_cipher_key_length(VALUE self)
+{
+ EVP_CIPHER_CTX *ctx;
+
+ GetCipher(self, ctx);
+
+ return INT2NUM(EVP_CIPHER_CTX_key_length(ctx));
+}
+
/*
* call-seq:
* cipher.iv_len -> integer
*
* Returns the expected length in bytes for an IV for this Cipher.
*/
-CIPHER_0ARG_INT(iv_length)
+static VALUE
+ossl_cipher_iv_length(VALUE self)
+{
+ EVP_CIPHER_CTX *ctx;
+ int len = 0;
+
+ GetCipher(self, ctx);
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
+ if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
+#endif
+ if (!len)
+ len = EVP_CIPHER_CTX_iv_length(ctx);
+
+ return INT2NUM(len);
+}
+
/*
* call-seq:
* cipher.block_size -> integer
*
* Returns the size in bytes of the blocks on which this Cipher operates on.
*/
-CIPHER_0ARG_INT(block_size)
+static VALUE
+ossl_cipher_block_size(VALUE self)
+{
+ EVP_CIPHER_CTX *ctx;
+
+ GetCipher(self, ctx);
+
+ return INT2NUM(EVP_CIPHER_CTX_block_size(ctx));
+}
/*
* INIT
@@ -730,7 +839,8 @@ void
Init_ossl_cipher(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-class: OpenSSL::Cipher
@@ -843,16 +953,16 @@ Init_ossl_cipher(void)
* of the IV as a nonce (number used once) - it's public but random and
* unpredictable. A secure random IV can be created as follows
*
- * cipher = ...
- * cipher.encrypt
- * key = cipher.random_key
- * iv = cipher.random_iv # also sets the generated IV on the Cipher
+ * cipher = ...
+ * cipher.encrypt
+ * key = cipher.random_key
+ * iv = cipher.random_iv # also sets the generated IV on the Cipher
*
- * Although the key is generally a random value, too, it is a bad choice
- * as an IV. There are elaborate ways how an attacker can take advantage
- * of such an IV. As a general rule of thumb, exposing the key directly
- * or indirectly should be avoided at all cost and exceptions only be
- * made with good reason.
+ * Although the key is generally a random value, too, it is a bad choice
+ * as an IV. There are elaborate ways how an attacker can take advantage
+ * of such an IV. As a general rule of thumb, exposing the key directly
+ * or indirectly should be avoided at all cost and exceptions only be
+ * made with good reason.
*
* === Calling Cipher#final
*
@@ -906,29 +1016,42 @@ Init_ossl_cipher(void)
* could otherwise be exploited to modify ciphertexts in ways beneficial to
* potential attackers.
*
- * If no associated data is needed for encryption and later decryption,
- * the OpenSSL library still requires a value to be set - "" may be used in
- * case none is available. An example using the GCM (Galois Counter Mode):
+ * An associated data is used where there is additional information, such as
+ * headers or some metadata, that must be also authenticated but not
+ * necessarily need to be encrypted. If no associated data is needed for
+ * encryption and later decryption, the OpenSSL library still requires a
+ * value to be set - "" may be used in case none is available.
*
- * cipher = OpenSSL::Cipher.new("aes-128-gcm")
- * cipher.encrypt
- * key = cipher.random_key
- * iv = cipher.random_iv
- * cipher.auth_data = ""
+ * An example using the GCM (Galois/Counter Mode). You have 16 bytes +key+,
+ * 12 bytes (96 bits) +nonce+ and the associated data +auth_data+. Be sure
+ * not to reuse the +key+ and +nonce+ pair. Reusing an nonce ruins the
+ * security gurantees of GCM mode.
+ *
+ * cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
+ * cipher.key = key
+ * cipher.iv = nonce
+ * cipher.auth_data = auth_data
*
* encrypted = cipher.update(data) + cipher.final
- * tag = cipher.auth_tag
+ * tag = cipher.auth_tag # produces 16 bytes tag by default
*
- * decipher = OpenSSL::Cipher.new("aes-128-gcm")
- * decipher.decrypt
+ * Now you are the receiver. You know the +key+ and have received +nonce+,
+ * +auth_data+, +encrypted+ and +tag+ through an untrusted network. Note
+ * that GCM accepts an arbitrary length tag between 1 and 16 bytes. You may
+ * additionally need to check that the received tag has the correct length,
+ * or you allow attackers to forge a valid single byte tag for the tampered
+ * ciphertext with a probability of 1/256.
+ *
+ * raise "tag is truncated!" unless tag.bytesize == 16
+ * decipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
* decipher.key = key
- * decipher.iv = iv
+ * decipher.iv = nonce
* decipher.auth_tag = tag
- * decipher.auth_data = ""
+ * decipher.auth_data = auth_data
*
- * plain = decipher.update(encrypted) + decipher.final
+ * decrypted = decipher.update(encrypted) + decipher.final
*
- * puts data == plain #=> true
+ * puts data == decrypted #=> true
*/
cCipher = rb_define_class_under(mOSSL, "Cipher", rb_cObject);
eCipherError = rb_define_class_under(cCipher, "CipherError", eOSSLError);
@@ -948,11 +1071,15 @@ Init_ossl_cipher(void)
rb_define_method(cCipher, "auth_data=", ossl_cipher_set_auth_data, 1);
rb_define_method(cCipher, "auth_tag=", ossl_cipher_set_auth_tag, 1);
rb_define_method(cCipher, "auth_tag", ossl_cipher_get_auth_tag, -1);
+ rb_define_method(cCipher, "auth_tag_len=", ossl_cipher_set_auth_tag_len, 1);
rb_define_method(cCipher, "authenticated?", ossl_cipher_is_authenticated, 0);
rb_define_method(cCipher, "key_len=", ossl_cipher_set_key_length, 1);
rb_define_method(cCipher, "key_len", ossl_cipher_key_length, 0);
rb_define_method(cCipher, "iv=", ossl_cipher_set_iv, 1);
+ rb_define_method(cCipher, "iv_len=", ossl_cipher_set_iv_length, 1);
rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
+
+ id_auth_tag_len = rb_intern_const("auth_tag_len");
}
diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
index 4e00fbe..ebf6ae2 100644
--- a/ext/openssl/ossl_config.c
+++ b/ext/openssl/ossl_config.c
@@ -26,13 +26,13 @@ VALUE eConfigError;
*/
/*
- * GetConfigPtr is a public C-level function for getting OpenSSL CONF struct
+ * DupConfigPtr is a public C-level function for getting OpenSSL CONF struct
* from an OpenSSL::Config(eConfig) instance. We decided to implement
* OpenSSL::Config in Ruby level but we need to pass native CONF struct for
* some OpenSSL features such as X509V3_EXT_*.
*/
CONF *
-GetConfigPtr(VALUE obj)
+DupConfigPtr(VALUE obj)
{
CONF *conf;
VALUE str;
@@ -50,9 +50,10 @@ GetConfigPtr(VALUE obj)
if(!NCONF_load_bio(conf, bio, &eline)){
BIO_free(bio);
NCONF_free(conf);
- if (eline <= 0) ossl_raise(eConfigError, "wrong config format");
- else ossl_raise(eConfigError, "error in line %d", eline);
- ossl_raise(eConfigError, NULL);
+ if (eline <= 0)
+ ossl_raise(eConfigError, "wrong config format");
+ else
+ ossl_raise(eConfigError, "error in line %d", eline);
}
BIO_free(bio);
@@ -71,6 +72,12 @@ void
Init_ossl_config(void)
{
char *default_config_file;
+
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject);
diff --git a/ext/openssl/ossl_config.h b/ext/openssl/ossl_config.h
index 077e2f7..627d297 100644
--- a/ext/openssl/ossl_config.h
+++ b/ext/openssl/ossl_config.h
@@ -13,7 +13,6 @@
extern VALUE cConfig;
extern VALUE eConfigError;
-CONF* GetConfigPtr(VALUE obj);
CONF* DupConfigPtr(VALUE obj);
void Init_ossl_config(void);
diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c
index d137dc5..44d9618 100644
--- a/ext/openssl/ossl_digest.c
+++ b/ext/openssl/ossl_digest.c
@@ -111,17 +111,16 @@ VALUE ossl_digest_update(VALUE, VALUE);
*
* Creates a Digest instance based on +string+, which is either the ln
* (long name) or sn (short name) of a supported digest algorithm.
+ *
* If +data+ (a +String+) is given, it is used as the initial input to the
* Digest instance, i.e.
+ *
* digest = OpenSSL::Digest.new('sha256', 'digestdata')
+ *
* is equal to
+ *
* digest = OpenSSL::Digest.new('sha256')
* digest.update('digestdata')
- *
- * === Example
- * digest = OpenSSL::Digest.new('sha1')
- *
- *
*/
static VALUE
ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
@@ -203,7 +202,9 @@ ossl_digest_update(VALUE self, VALUE data)
StringValue(data);
GetDigest(self, ctx);
- EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data));
+
+ if (!EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)))
+ ossl_raise(eDigestError, "EVP_DigestUpdate");
return self;
}
@@ -218,19 +219,21 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
{
EVP_MD_CTX *ctx;
VALUE str;
-
- rb_scan_args(argc, argv, "01", &str);
+ int out_len;
GetDigest(self, ctx);
+ rb_scan_args(argc, argv, "01", &str);
+ out_len = EVP_MD_CTX_size(ctx);
if (NIL_P(str)) {
- str = rb_str_new(NULL, EVP_MD_CTX_size(ctx));
+ str = rb_str_new(NULL, out_len);
} else {
StringValue(str);
- rb_str_resize(str, EVP_MD_CTX_size(ctx));
+ rb_str_resize(str, out_len);
}
- EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL);
+ if (!EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL))
+ ossl_raise(eDigestError, "EVP_DigestFinal_ex");
return str;
}
@@ -239,7 +242,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
* call-seq:
* digest.name -> string
*
- * Returns the sn of this Digest instance.
+ * Returns the sn of this Digest algorithm.
*
* === Example
* digest = OpenSSL::Digest::SHA512.new
@@ -310,7 +313,8 @@ Init_ossl_digest(void)
rb_require("digest");
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-class: OpenSSL::Digest
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index 3abc44b..f4863b3 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -161,8 +161,6 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
* OpenSSL::Engine.load. However, running cleanup before exit is recommended.
*
* Note that this is needed and works only in OpenSSL < 1.1.0.
- *
- * See also, https://www.openssl.org/docs/crypto/engine.html
*/
static VALUE
ossl_engine_s_cleanup(VALUE self)
@@ -531,6 +529,11 @@ ossl_engine_inspect(VALUE self)
void
Init_ossl_engine(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
cEngine = rb_define_class_under(mOSSL, "Engine", rb_cObject);
eEngineError = rb_define_class_under(cEngine, "EngineError", eOSSLError);
@@ -540,6 +543,7 @@ Init_ossl_engine(void)
rb_define_singleton_method(cEngine, "engines", ossl_engine_s_engines, 0);
rb_define_singleton_method(cEngine, "by_id", ossl_engine_s_by_id, 1);
rb_undef_method(CLASS_OF(cEngine), "new");
+ rb_undef_method(cEngine, "initialize_copy");
rb_define_method(cEngine, "id", ossl_engine_get_id, 0);
rb_define_method(cEngine, "name", ossl_engine_get_name, 0);
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
index bb4b578..270979e 100644
--- a/ext/openssl/ossl_hmac.c
+++ b/ext/openssl/ossl_hmac.c
@@ -162,7 +162,7 @@ ossl_hmac_update(VALUE self, VALUE data)
}
static void
-hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
+hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
{
HMAC_CTX *final;
@@ -175,12 +175,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
ossl_raise(eHMACError, "HMAC_CTX_copy");
}
- if (!(*buf = OPENSSL_malloc(HMAC_size(final)))) {
- HMAC_CTX_free(final);
- OSSL_Debug("Allocating %d mem", (int)HMAC_size(final));
- ossl_raise(eHMACError, "Cannot allocate memory for hmac");
- }
- HMAC_Final(final, *buf, buf_len);
+ HMAC_Final(final, buf, buf_len);
HMAC_CTX_free(final);
}
@@ -191,26 +186,25 @@ hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
* Returns the authentication code an instance represents as a binary string.
*
* === Example
- *
- * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
- * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
- * instance.digest
- * #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
- *
+ * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ * instance.digest
+ * #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
*/
static VALUE
ossl_hmac_digest(VALUE self)
{
HMAC_CTX *ctx;
- unsigned char *buf;
unsigned int buf_len;
- VALUE digest;
+ VALUE ret;
GetHMAC(self, ctx);
- hmac_final(ctx, &buf, &buf_len);
- digest = ossl_buf2str((char *)buf, buf_len);
+ ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
+ hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
+ assert(buf_len <= EVP_MAX_MD_SIZE);
+ rb_str_set_len(ret, buf_len);
- return digest;
+ return ret;
}
/*
@@ -219,27 +213,21 @@ ossl_hmac_digest(VALUE self)
*
* Returns the authentication code an instance represents as a hex-encoded
* string.
- *
*/
static VALUE
ossl_hmac_hexdigest(VALUE self)
{
HMAC_CTX *ctx;
- unsigned char *buf;
- char *hexbuf;
+ unsigned char buf[EVP_MAX_MD_SIZE];
unsigned int buf_len;
- VALUE hexdigest;
+ VALUE ret;
GetHMAC(self, ctx);
- hmac_final(ctx, &buf, &buf_len);
- if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
- OPENSSL_free(buf);
- ossl_raise(eHMACError, "Memory alloc error");
- }
- OPENSSL_free(buf);
- hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
+ hmac_final(ctx, buf, &buf_len);
+ ret = rb_str_new(NULL, buf_len * 2);
+ ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
- return hexdigest;
+ return ret;
}
/*
@@ -323,22 +311,22 @@ ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
static VALUE
ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
{
- unsigned char *buf;
- char *hexbuf;
+ unsigned char buf[EVP_MAX_MD_SIZE];
unsigned int buf_len;
- VALUE hexdigest;
+ VALUE ret;
StringValue(key);
StringValue(data);
- buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
- (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
- if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
- ossl_raise(eHMACError, "Cannot convert buf to hexbuf");
- }
- hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
+ if (!HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
+ (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data),
+ buf, &buf_len))
+ ossl_raise(eHMACError, "HMAC");
+
+ ret = rb_str_new(NULL, buf_len * 2);
+ ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
- return hexdigest;
+ return ret;
}
/*
@@ -348,10 +336,38 @@ void
Init_ossl_hmac(void)
{
#if 0
- /* :nodoc: */
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
+ /*
+ * Document-class: OpenSSL::HMAC
+ *
+ * OpenSSL::HMAC allows computing Hash-based Message Authentication Code
+ * (HMAC). It is a type of message authentication code (MAC) involving a
+ * hash function in combination with a key. HMAC can be used to verify the
+ * integrity of a message as well as the authenticity.
+ *
+ * OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
+ *
+ * === HMAC-SHA256 using one-shot interface
+ *
+ * key = "key"
+ * data = "message-to-be-authenticated"
+ * mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
+ * #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
+ *
+ * === HMAC-SHA256 using incremental interface
+ *
+ * data1 = File.read("file1")
+ * data2 = File.read("file2")
+ * key = "key"
+ * digest = OpenSSL::Digest::SHA256.new
+ * hmac = OpenSSL::HMAC.new(key, digest)
+ * hmac << data1
+ * hmac << data2
+ * mac = hmac.digest
+ */
eHMACError = rb_define_class_under(mOSSL, "HMACError", eOSSLError);
cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);
diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c
index e93b1b0..2f7845b 100644
--- a/ext/openssl/ossl_ns_spki.c
+++ b/ext/openssl/ossl_ns_spki.c
@@ -380,7 +380,8 @@ void
Init_ossl_ns_spki(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
mNetscape = rb_define_module_under(mOSSL, "Netscape");
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index c0f2dfe..a8b3503 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -321,12 +321,17 @@ static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
OCSP_REQUEST *req;
- OCSP_CERTID *id;
+ OCSP_CERTID *id, *id_new;
GetOCSPReq(self, req);
GetOCSPCertId(certid, id);
- if(!OCSP_request_add0_id(req, OCSP_CERTID_dup(id)))
- ossl_raise(eOCSPError, NULL);
+
+ if (!(id_new = OCSP_CERTID_dup(id)))
+ ossl_raise(eOCSPError, "OCSP_CERTID_dup");
+ if (!OCSP_request_add0_id(req, id_new)) {
+ OCSP_CERTID_free(id_new);
+ ossl_raise(eOCSPError, "OCSP_request_add0_id");
+ }
return self;
}
@@ -368,14 +373,16 @@ ossl_ocspreq_get_certid(VALUE self)
*
* Signs this OCSP request using +cert+, +key+ and optional +digest+. If
* +digest+ is not specified, SHA-1 is used. +certs+ is an optional Array of
- * additional certificates that will be included in the request. If +certs+ is
- * not specified, flag OpenSSL::OCSP::NOCERTS is set. Pass an empty array to
- * include only the signer certificate.
+ * additional certificates which are included in the request in addition to
+ * the signer certificate. Note that if +certs+ is nil or not given, flag
+ * OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the
+ * signer certificate.
*
- * +flags+ can include:
- * OpenSSL::OCSP::NOCERTS:: don't include certificates
+ * +flags+ can be a bitwise OR of the following constants:
+ *
+ * OpenSSL::OCSP::NOCERTS::
+ * Don't include any certificates in the request. +certs+ will be ignored.
*/
-
static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
@@ -399,7 +406,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
else
md = GetDigestPtr(digest);
if (NIL_P(certs))
- flags |= OCSP_NOCERTS;
+ flg |= OCSP_NOCERTS;
else
x509s = ossl_x509_ary2sk(certs);
@@ -435,7 +442,7 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
x509s = ossl_x509_ary2sk(certs);
result = OCSP_request_verify(req, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
- if (!result)
+ if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
@@ -856,13 +863,11 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
X509_EXTENSION *x509ext;
for(i = 0; i < RARRAY_LEN(ext); i++){
- x509ext = DupX509ExtPtr(RARRAY_AREF(ext, i));
+ x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
- X509_EXTENSION_free(x509ext);
error = 1;
goto err;
}
- X509_EXTENSION_free(x509ext);
}
}
@@ -911,7 +916,7 @@ ossl_ocspbres_get_status(VALUE self)
status = OCSP_single_get0_status(single, &reason, &revtime,
&thisupd, &nextupd);
if(status < 0) continue;
- if(!(cid = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(single))))
+ if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
ossl_raise(eOCSPError, NULL);
ary = rb_ary_new();
rb_ary_push(ary, ossl_ocspcertid_new(cid));
@@ -1065,9 +1070,57 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
+#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * OpenSSL had a bug that it doesn't use the certificates in x509s for
+ * verifying the chain. This can be a problem when the response is signed by
+ * a certificate issued by an intermediate CA.
+ *
+ * root_ca
+ * |
+ * intermediate_ca
+ * |-------------|
+ * end_entity ocsp_signer
+ *
+ * When the certificate hierarchy is like this, and the response contains
+ * only ocsp_signer certificate, the following code wrongly fails.
+ *
+ * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
+ * basic_response.verify([intermediate_ca], store)
+ *
+ * So add the certificates in x509s to the embedded certificates list first.
+ *
+ * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
+ * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
+ */
+ if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
+ sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
+ int i;
+
+ bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
+ if (!bs) {
+ sk_X509_pop_free(x509s, X509_free);
+ ossl_raise(eOCSPError, "ASN1_item_dup");
+ }
+
+ for (i = 0; i < sk_X509_num(x509s); i++) {
+ if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
+ sk_X509_pop_free(x509s, X509_free);
+ OCSP_BASICRESP_free(bs);
+ ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
+ }
+ }
+ result = OCSP_basic_verify(bs, x509s, x509st, flg);
+ OCSP_BASICRESP_free(bs);
+ }
+ else {
+ result = OCSP_basic_verify(bs, x509s, x509st, flg);
+ }
+#else
result = OCSP_basic_verify(bs, x509s, x509st, flg);
+#endif
sk_X509_pop_free(x509s, X509_free);
- if (!result)
+ if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
@@ -1228,7 +1281,7 @@ ossl_ocspsres_get_certid(VALUE self)
OCSP_CERTID *id;
GetOCSPSingleRes(self, sres);
- id = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(sres));
+ id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
return ossl_ocspcertid_new(id);
}
@@ -1549,15 +1602,15 @@ ossl_ocspcid_get_issuer_name_hash(VALUE self)
{
OCSP_CERTID *id;
ASN1_OCTET_STRING *name_hash;
- char *hexbuf;
+ VALUE ret;
GetOCSPCertId(self, id);
OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
- if (string2hex(name_hash->data, name_hash->length, &hexbuf, NULL) < 0)
- ossl_raise(eOCSPError, "string2hex");
+ ret = rb_str_new(NULL, name_hash->length * 2);
+ ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
- return ossl_buf2str(hexbuf, name_hash->length * 2);
+ return ret;
}
/*
@@ -1572,15 +1625,15 @@ ossl_ocspcid_get_issuer_key_hash(VALUE self)
{
OCSP_CERTID *id;
ASN1_OCTET_STRING *key_hash;
- char *hexbuf;
+ VALUE ret;
GetOCSPCertId(self, id);
OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
- if (string2hex(key_hash->data, key_hash->length, &hexbuf, NULL) < 0)
- ossl_raise(eOCSPError, "string2hex");
+ ret = rb_str_new(NULL, key_hash->length * 2);
+ ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
- return ossl_buf2str(hexbuf, key_hash->length * 2);
+ return ret;
}
/*
@@ -1639,6 +1692,11 @@ ossl_ocspcid_to_der(VALUE self)
void
Init_ossl_ocsp(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
/*
* OpenSSL::OCSP implements Online Certificate Status Protocol requests
* and responses.
diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c
index 5f84972..a7daad2 100644
--- a/ext/openssl/ossl_pkcs12.c
+++ b/ext/openssl/ossl_pkcs12.c
@@ -65,6 +65,25 @@ ossl_pkcs12_s_allocate(VALUE klass)
return obj;
}
+static VALUE
+ossl_pkcs12_initialize_copy(VALUE self, VALUE other)
+{
+ PKCS12 *p12, *p12_old, *p12_new;
+
+ rb_check_frozen(self);
+ GetPKCS12(self, p12_old);
+ SafeGetPKCS12(other, p12);
+
+ p12_new = ASN1_dup((i2d_of_void *)i2d_PKCS12, (d2i_of_void *)d2i_PKCS12, (char *)p12);
+ if (!p12_new)
+ ossl_raise(ePKCS12Error, "ASN1_dup");
+
+ SetPKCS12(self, p12_new);
+ PKCS12_free(p12_old);
+
+ return self;
+}
+
/*
* call-seq:
* PKCS12.create(pass, name, key, cert [, ca, [, key_pbe [, cert_pbe [, key_iter [, mac_iter [, keytype]]]]]])
@@ -74,8 +93,8 @@ ossl_pkcs12_s_allocate(VALUE klass)
* * +name+ - A string describing the key.
* * +key+ - Any PKey.
* * +cert+ - A X509::Certificate.
- * * * The public_key portion of the certificate must contain a valid public key.
- * * * The not_before and not_after fields must be filled in.
+ * * The public_key portion of the certificate must contain a valid public key.
+ * * The not_before and not_after fields must be filled in.
* * +ca+ - An optional array of X509::Certificate's.
* * +key_pbe+ - string
* * +cert_pbe+ - string
@@ -104,7 +123,6 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
friendlyname = NIL_P(name) ? NULL : StringValueCStr(name);
key = GetPKeyPtr(pkey);
x509 = GetX509CertPtr(cert);
- x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
/* TODO: make a VALUE to nid function */
if (!NIL_P(key_nid)) {
if ((nkey = OBJ_txt2nid(StringValueCStr(key_nid))) == NID_undef)
@@ -122,6 +140,7 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
ktype = NUM2INT(keytype);
obj = NewPKCS12(cPKCS12);
+ x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s,
nkey, ncert, kiter, miter, ktype);
sk_X509_pop_free(x509s, X509_free);
@@ -171,14 +190,14 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
ossl_raise(ePKCS12Error, "PKCS12_parse");
ERR_pop_to_mark();
- pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key,
+ pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key,
&st); /* NO DUP */
if(st) goto err;
- cert = rb_protect((VALUE(*)_((VALUE)))ossl_x509_new, (VALUE)x509, &st);
+ cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
if(st) goto err;
if(x509s){
ca =
- rb_protect((VALUE(*)_((VALUE)))ossl_x509_sk2ary, (VALUE)x509s, &st);
+ rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
if(st) goto err;
}
@@ -216,6 +235,11 @@ ossl_pkcs12_to_der(VALUE self)
void
Init_ossl_pkcs12(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
/*
* Defines a file format commonly used to store private keys with
* accompanying public key certificates, protected with a password-based
@@ -226,6 +250,7 @@ Init_ossl_pkcs12(void)
rb_define_singleton_method(cPKCS12, "create", ossl_pkcs12_s_create, -1);
rb_define_alloc_func(cPKCS12, ossl_pkcs12_s_allocate);
+ rb_define_copy_func(cPKCS12, ossl_pkcs12_initialize_copy);
rb_attr(cPKCS12, rb_intern("key"), 1, 0, Qfalse);
rb_attr(cPKCS12, rb_intern("certificate"), 1, 0, Qfalse);
rb_attr(cPKCS12, rb_intern("ca_certs"), 1, 0, Qfalse);
diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c
index 56ed65f..47c5bfa 100644
--- a/ext/openssl/ossl_pkcs5.c
+++ b/ext/openssl/ossl_pkcs5.c
@@ -18,7 +18,7 @@ VALUE ePKCS5;
* * +keylen+ - integer
* * +digest+ - a string or OpenSSL::Digest object.
*
- * Available in OpenSSL 0.9.4.
+ * Available in OpenSSL >= 1.0.0.
*
* Digests other than SHA1 may not be supported by other cryptography libraries.
*/
@@ -60,7 +60,7 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
*
* This method is available in almost any version of OpenSSL.
*
- * Conforms to rfc2898.
+ * Conforms to RFC 2898.
*/
static VALUE
ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen)
@@ -84,14 +84,10 @@ ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALU
void
Init_ossl_pkcs5(void)
{
- /*
- * Password-based Encryption
- *
- */
-
- #if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
- #endif
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
/* Document-class: OpenSSL::PKCS5
*
@@ -104,7 +100,7 @@ Init_ossl_pkcs5(void)
*
* PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based
* HMAC, or an arbitrary Digest if the underlying version of OpenSSL
- * already supports it (>= 0.9.4).
+ * already supports it (>= 1.0.0).
*
* === Parameters
* ==== Password
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 5b7c07d..fd58b48 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -772,7 +772,9 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
VALUE data;
const char *msg;
+ GetPKCS7(self, p7);
rb_scan_args(argc, argv, "22", &certs, &store, &indata, &flags);
+ x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
@@ -784,8 +786,6 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
rb_jump_tag(status);
}
}
- x509st = GetX509StorePtr(store);
- GetPKCS7(self, p7);
if(!(out = BIO_new(BIO_s_mem()))){
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
@@ -793,13 +793,13 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
}
ok = PKCS7_verify(p7, x509s, x509st, in, out, flg);
BIO_free(in);
- if (ok < 0) ossl_raise(ePKCS7Error, NULL);
+ sk_X509_pop_free(x509s, X509_free);
+ if (ok < 0) ossl_raise(ePKCS7Error, "PKCS7_verify");
msg = ERR_reason_error_string(ERR_get_error());
ossl_pkcs7_set_err_string(self, msg ? rb_str_new2(msg) : Qnil);
ossl_clear_error();
data = ossl_membio2str(out);
ossl_pkcs7_set_data(self, data);
- sk_X509_pop_free(x509s, X509_free);
return (ok == 1) ? Qtrue : Qfalse;
}
@@ -839,12 +839,12 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
char buf[4096];
int len;
- in = ossl_obj2bio(data);
GetPKCS7(self, pkcs7);
if(PKCS7_type_is_signed(pkcs7)){
if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
ossl_raise(ePKCS7Error, NULL);
}
+ in = ossl_obj2bio(data);
if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
for(;;){
if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
@@ -856,7 +856,7 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
ossl_pkcs7_set_data(self, Qnil);
err:
- BIO_free(out);
+ BIO_free_all(out);
BIO_free(in);
if(ERR_peek_error()){
ossl_raise(ePKCS7Error, NULL);
@@ -1054,6 +1054,11 @@ ossl_pkcs7ri_get_enc_key(VALUE self)
void
Init_ossl_pkcs7(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
cPKCS7 = rb_define_class_under(mOSSL, "PKCS7", rb_cObject);
ePKCS7Error = rb_define_class_under(cPKCS7, "PKCS7Error", eOSSLError);
rb_define_singleton_method(cPKCS7, "read_smime", ossl_pkcs7_s_read_smime, 1);
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 4ae8e14..3c7c5e1 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -15,7 +15,7 @@
VALUE mPKey;
VALUE cPKey;
VALUE ePKeyError;
-ID id_private_q;
+static ID id_private_q;
/*
* callback for generating keys
@@ -123,16 +123,19 @@ ossl_pkey_new_from_file(VALUE filename)
/*
* call-seq:
- * OpenSSL::PKey.read(string [, pwd ] ) -> PKey
- * OpenSSL::PKey.read(file [, pwd ]) -> PKey
+ * OpenSSL::PKey.read(string [, pwd ]) -> PKey
+ * OpenSSL::PKey.read(io [, pwd ]) -> PKey
+ *
+ * Reads a DER or PEM encoded string from +string+ or +io+ and returns an
+ * instance of the appropriate PKey class.
*
* === Parameters
* * +string+ is a DER- or PEM-encoded string containing an arbitrary private
- * or public key.
- * * +file+ is an instance of +File+ containing a DER- or PEM-encoded
- * arbitrary private or public key.
+ * or public key.
+ * * +io+ is an instance of +IO+ containing a DER- or PEM-encoded
+ * arbitrary private or public key.
* * +pwd+ is an optional password in case +string+ or +file+ is an encrypted
- * PEM resource.
+ * PEM resource.
*/
static VALUE
ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
@@ -158,7 +161,8 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
BIO_free(bio);
if (!pkey)
- ossl_raise(rb_eArgError, "Could not parse PKey");
+ ossl_raise(ePKeyError, "Could not parse PKey");
+
return ossl_pkey_new(pkey);
}
@@ -196,20 +200,6 @@ DupPKeyPtr(VALUE obj)
return pkey;
}
-EVP_PKEY *
-DupPrivPKeyPtr(VALUE obj)
-{
- EVP_PKEY *pkey;
-
- if (rb_funcallv(obj, id_private_q, 0, NULL) != Qtrue) {
- ossl_raise(rb_eArgError, "Private key is needed.");
- }
- SafeGetPKey(obj, pkey);
- EVP_PKEY_up_ref(pkey);
-
- return pkey;
-}
-
/*
* Private
*/
@@ -271,9 +261,7 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
VALUE str;
int result;
- if (rb_funcallv(self, id_private_q, 0, NULL) != Qtrue)
- ossl_raise(rb_eArgError, "Private key is needed.");
- GetPKey(self, pkey);
+ pkey = GetPrivPKeyPtr(self);
md = GetDigestPtr(digest);
StringValue(data);
str = rb_str_new(0, EVP_PKEY_size(pkey)+16);
@@ -336,6 +324,7 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
EVP_MD_CTX_free(ctx);
switch (result) {
case 0:
+ ossl_clear_error();
return Qfalse;
case 1:
return Qtrue;
@@ -352,7 +341,8 @@ void
Init_ossl_pkey(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-module: OpenSSL::PKey
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
index 1f68352..218f2eb 100644
--- a/ext/openssl/ossl_pkey.h
+++ b/ext/openssl/ossl_pkey.h
@@ -13,7 +13,6 @@
extern VALUE mPKey;
extern VALUE cPKey;
extern VALUE ePKeyError;
-extern ID id_private_q;
extern const rb_data_type_t ossl_evp_pkey_type;
#define OSSL_PKEY_SET_PRIVATE(obj) rb_iv_set((obj), "private", Qtrue)
@@ -53,7 +52,6 @@ VALUE ossl_pkey_new_from_file(VALUE);
EVP_PKEY *GetPKeyPtr(VALUE);
EVP_PKEY *DupPKeyPtr(VALUE);
EVP_PKEY *GetPrivPKeyPtr(VALUE);
-EVP_PKEY *DupPrivPKeyPtr(VALUE);
void Init_ossl_pkey(void);
/*
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
index 139af15..938efe1 100644
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@@ -175,8 +175,10 @@ ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass)
}
/*
- * call-seq:
- * DH.new([size [, generator] | string]) -> dh
+ * call-seq:
+ * DH.new -> dh
+ * DH.new(string) -> dh
+ * DH.new(size [, generator]) -> dh
*
* Either generates a DH instance from scratch or by reading already existing
* DH parameters from +string+. Note that when reading a DH instance from
@@ -210,11 +212,11 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &gen) == 0) {
dh = DH_new();
}
- else if (FIXNUM_P(arg)) {
+ else if (RB_INTEGER_TYPE_P(arg)) {
if (!NIL_P(gen)) {
g = NUM2INT(gen);
}
- if (!(dh = dh_generate(FIX2INT(arg), g))) {
+ if (!(dh = dh_generate(NUM2INT(arg), g))) {
ossl_raise(eDHError, NULL);
}
}
@@ -525,7 +527,7 @@ ossl_dh_generate_key(VALUE self)
*
* === Parameters
* * +pub_bn+ is a OpenSSL::BN, *not* the DH instance returned by
- * DH#public_key as that contains the DH parameters only.
+ * DH#public_key as that contains the DH parameters only.
*/
static VALUE
ossl_dh_compute_key(VALUE self, VALUE pub)
@@ -550,7 +552,21 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
return str;
}
+/*
+ * Document-method: OpenSSL::PKey::DH#set_pqg
+ * call-seq:
+ * dh.set_pqg(p, q, g) -> self
+ *
+ * Sets +p+, +q+, +g+ for the DH instance.
+ */
OSSL_PKEY_BN_DEF3(dh, DH, pqg, p, q, g)
+/*
+ * Document-method: OpenSSL::PKey::DH#set_key
+ * call-seq:
+ * dh.set_key(pub_key, priv_key) -> self
+ *
+ * Sets +pub_key+ and +priv_key+ for the DH instance. +priv_key+ may be nil.
+ */
OSSL_PKEY_BN_DEF2(dh, DH, key, pub_key, priv_key)
/*
@@ -560,8 +576,9 @@ void
Init_ossl_dh(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
+ cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
+ ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::DHError
@@ -578,15 +595,15 @@ Init_ossl_dh(void)
* on.
*
* === Accessor methods for the Diffie-Hellman parameters
- * * DH#p
- * The prime (an OpenSSL::BN) of the Diffie-Hellman parameters.
- * * DH#g
- * The generator (an OpenSSL::BN) g of the Diffie-Hellman parameters.
- * * DH#pub_key
- * The per-session public key (an OpenSSL::BN) matching the private key.
- * This needs to be passed to DH#compute_key.
- * * DH#priv_key
- * The per-session private key, an OpenSSL::BN.
+ * DH#p::
+ * The prime (an OpenSSL::BN) of the Diffie-Hellman parameters.
+ * DH#g::
+ * The generator (an OpenSSL::BN) g of the Diffie-Hellman parameters.
+ * DH#pub_key::
+ * The per-session public key (an OpenSSL::BN) matching the private key.
+ * This needs to be passed to DH#compute_key.
+ * DH#priv_key::
+ * The per-session private key, an OpenSSL::BN.
*
* === Example of a key exchange
* dh1 = OpenSSL::PKey::DH.new(2048)
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 1ddc0d4..3821cd8 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -95,8 +95,6 @@ ossl_dsa_new(EVP_PKEY *pkey)
struct dsa_blocking_gen_arg {
DSA *dsa;
int size;
- unsigned char* seed;
- int seed_len;
int *counter;
unsigned long *h;
BN_GENCB *cb;
@@ -107,7 +105,8 @@ static void *
dsa_blocking_gen(void *arg)
{
struct dsa_blocking_gen_arg *gen = (struct dsa_blocking_gen_arg *)arg;
- gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, gen->seed, gen->seed_len, gen->counter, gen->h, gen->cb);
+ gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, NULL, 0,
+ gen->counter, gen->h, gen->cb);
return 0;
}
@@ -118,13 +117,9 @@ dsa_generate(int size)
struct dsa_blocking_gen_arg gen_arg;
DSA *dsa = DSA_new();
BN_GENCB *cb = BN_GENCB_new();
- unsigned char seed[20];
- int seed_len = 20, counter;
+ int counter;
unsigned long h;
- if (RAND_bytes(seed, seed_len) <= 0)
- return NULL;
-
if (!dsa || !cb) {
DSA_free(dsa);
BN_GENCB_free(cb);
@@ -136,8 +131,6 @@ dsa_generate(int size)
BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
gen_arg.dsa = dsa;
gen_arg.size = size;
- gen_arg.seed = seed;
- gen_arg.seed_len = seed_len;
gen_arg.counter = &counter;
gen_arg.h = &h;
gen_arg.cb = cb;
@@ -198,7 +191,9 @@ ossl_dsa_s_generate(VALUE klass, VALUE size)
/*
* call-seq:
- * DSA.new([size | string [, pass]) -> dsa
+ * DSA.new -> dsa
+ * DSA.new(size) -> dsa
+ * DSA.new(string [, pass]) -> dsa
*
* Creates a new DSA instance by reading an existing key from +string+.
*
@@ -226,8 +221,8 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {
dsa = DSA_new();
}
- else if (FIXNUM_P(arg)) {
- if (!(dsa = dsa_generate(FIX2INT(arg)))) {
+ else if (RB_INTEGER_TYPE_P(arg)) {
+ if (!(dsa = dsa_generate(NUM2INT(arg)))) {
ossl_raise(eDSAError, NULL);
}
}
@@ -387,14 +382,14 @@ static VALUE
ossl_dsa_to_der(VALUE self)
{
DSA *dsa;
- int (*i2d_func)_((DSA*, unsigned char**));
+ int (*i2d_func)(DSA *, unsigned char **);
unsigned char *p;
long len;
VALUE str;
GetDSA(self, dsa);
if(DSA_HAS_PRIVATE(dsa))
- i2d_func = (int(*)_((DSA*,unsigned char**)))i2d_DSAPrivateKey;
+ i2d_func = (int (*)(DSA *,unsigned char **))i2d_DSAPrivateKey;
else
i2d_func = i2d_DSA_PUBKEY;
if((len = i2d_func(dsa, NULL)) <= 0)
@@ -592,7 +587,21 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
return Qfalse;
}
+/*
+ * Document-method: OpenSSL::PKey::DSA#set_pqg
+ * call-seq:
+ * dsa.set_pqg(p, q, g) -> self
+ *
+ * Sets +p+, +q+, +g+ for the DSA instance.
+ */
OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g)
+/*
+ * Document-method: OpenSSL::PKey::DSA#set_key
+ * call-seq:
+ * dsa.set_key(pub_key, priv_key) -> self
+ *
+ * Sets +pub_key+ and +priv_key+ for the DSA instance. +priv_key+ may be nil.
+ */
OSSL_PKEY_BN_DEF2(dsa, DSA, key, pub_key, priv_key)
/*
@@ -602,8 +611,9 @@ void
Init_ossl_dsa(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
+ cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
+ ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::DSAError
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 43eebd2..1b7705f 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -108,6 +108,8 @@ static ID ID_uncompressed;
static ID ID_compressed;
static ID ID_hybrid;
+static ID id_i_group, id_i_key;
+
static VALUE ec_instance(VALUE klass, EC_KEY *ec)
{
EVP_PKEY *pkey;
@@ -213,17 +215,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
return obj;
}
-/* call-seq:
- * OpenSSL::PKey::EC.new()
- * OpenSSL::PKey::EC.new(ec_key)
- * OpenSSL::PKey::EC.new(ec_group)
- * OpenSSL::PKey::EC.new("secp112r1")
- * OpenSSL::PKey::EC.new(pem_string)
- * OpenSSL::PKey::EC.new(pem_string [, pwd])
- * OpenSSL::PKey::EC.new(der_string)
+/*
+ * call-seq:
+ * OpenSSL::PKey::EC.new
+ * OpenSSL::PKey::EC.new(ec_key)
+ * OpenSSL::PKey::EC.new(ec_group)
+ * OpenSSL::PKey::EC.new("secp112r1")
+ * OpenSSL::PKey::EC.new(pem_string [, pwd])
+ * OpenSSL::PKey::EC.new(der_string)
*
- * See the OpenSSL documentation for:
- * EC_KEY_*
+ * Creates a new EC object from given arguments.
*/
static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -280,7 +281,7 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
- rb_iv_set(self, "@group", Qnil);
+ rb_ivar_set(self, id_i_group, Qnil);
return self;
}
@@ -303,7 +304,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
EC_KEY_free(ec_new);
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
- rb_iv_set(self, "@group", Qnil); /* EC_KEY_dup() also copies the EC_GROUP */
+ rb_ivar_set(self, id_i_group, Qnil); /* EC_KEY_dup() also copies the EC_GROUP */
return self;
}
@@ -324,7 +325,7 @@ static VALUE ossl_ec_key_get_group(VALUE self)
Require_EC_KEY(self, ec);
- group_v = rb_iv_get(self, "@group");
+ group_v = rb_attr_get(self, id_i_group);
if (!NIL_P(group_v))
return group_v;
@@ -333,8 +334,8 @@ static VALUE ossl_ec_key_get_group(VALUE self)
SafeGet_ec_group(group_v, ec_group);
ec_group->group = group;
ec_group->dont_free = 1;
- rb_iv_set(group_v, "@key", self);
- rb_iv_set(self, "@group", group_v);
+ rb_ivar_set(group_v, id_i_key, self);
+ rb_ivar_set(self, id_i_group, group_v);
return group_v;
}
@@ -366,17 +367,17 @@ static VALUE ossl_ec_key_set_group(VALUE self, VALUE group_v)
Require_EC_KEY(self, ec);
SafeRequire_EC_GROUP(group_v, group);
- old_group_v = rb_iv_get(self, "@group");
+ old_group_v = rb_attr_get(self, id_i_group);
if (!NIL_P(old_group_v)) {
ossl_ec_group *old_ec_group;
SafeGet_ec_group(old_group_v, old_ec_group);
old_ec_group->group = NULL;
old_ec_group->dont_free = 0;
- rb_iv_set(old_group_v, "@key", Qnil);
+ rb_ivar_set(old_group_v, id_i_key, Qnil);
}
- rb_iv_set(self, "@group", Qnil);
+ rb_ivar_set(self, id_i_group, Qnil);
if (EC_KEY_set_group(ec, group) != 1)
ossl_raise(eECError, "EC_KEY_set_group");
@@ -446,7 +447,7 @@ static VALUE ossl_ec_point_dup(const EC_POINT *point, VALUE group_v)
new_point->point = EC_POINT_dup(point, group);
if (new_point->point == NULL)
ossl_raise(eEC_POINT, "EC_POINT_dup");
- rb_iv_set(obj, "@group", group_v);
+ rb_ivar_set(obj, id_i_group, group_v);
return obj;
}
@@ -542,6 +543,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
int i = -1;
int private = 0;
VALUE str;
+ const EVP_CIPHER *cipher = NULL;
Require_EC_KEY(self, ec);
@@ -554,17 +556,17 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
if (EC_KEY_get0_private_key(ec))
private = 1;
+ if (!NIL_P(ciph)) {
+ cipher = GetCipherPtr(ciph);
+ pass = ossl_pem_passwd_value(pass);
+ }
+
if (!(out = BIO_new(BIO_s_mem())))
ossl_raise(eECError, "BIO_new(BIO_s_mem())");
switch(format) {
case EXPORT_PEM:
if (private) {
- const EVP_CIPHER *cipher = NULL;
- if (!NIL_P(ciph)) {
- cipher = GetCipherPtr(ciph);
- pass = ossl_pem_passwd_value(pass);
- }
i = PEM_write_bio_ECPrivateKey(out, ec, cipher, NULL, 0, ossl_pem_passwd_cb, (void *)pass);
} else {
i = PEM_write_bio_EC_PUBKEY(out, ec);
@@ -599,12 +601,10 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
* key.export([cipher, pass_phrase]) => String
* key.to_pem([cipher, pass_phrase]) => String
*
- * Outputs the EC key in PEM encoding. If +cipher+ and +pass_phrase+ are
- * given they will be used to encrypt the key. +cipher+ must be an
- * OpenSSL::Cipher::Cipher instance. Note that encryption will only be
- * effective for a private key, public keys will always be encoded in plain
- * text.
- *
+ * Outputs the EC key in PEM encoding. If +cipher+ and +pass_phrase+ are given
+ * they will be used to encrypt the key. +cipher+ must be an OpenSSL::Cipher
+ * instance. Note that encryption will only be effective for a private key,
+ * public keys will always be encoded in plain text.
*/
static VALUE ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
{
@@ -804,21 +804,26 @@ static VALUE ossl_ec_group_alloc(VALUE klass)
return obj;
}
-/* call-seq:
- * OpenSSL::PKey::EC::Group.new("secp112r1")
- * OpenSSL::PKey::EC::Group.new(ec_group)
- * OpenSSL::PKey::EC::Group.new(pem_string)
- * OpenSSL::PKey::EC::Group.new(der_string)
- * OpenSSL::PKey::EC::Group.new(pem_file)
- * OpenSSL::PKey::EC::Group.new(der_file)
- * OpenSSL::PKey::EC::Group.new(:GFp_simple)
- * OpenSSL::PKey::EC::Group.new(:GFp_mult)
- * OpenSSL::PKey::EC::Group.new(:GFp_nist)
- * OpenSSL::PKey::EC::Group.new(:GF2m_simple)
- * OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b)
- * OpenSSL::PKey::EC::Group.new(:GF2m, bignum_p, bignum_a, bignum_b)
+/*
+ * call-seq:
+ * OpenSSL::PKey::EC::Group.new(ec_group)
+ * OpenSSL::PKey::EC::Group.new(pem_or_der_encoded)
+ * OpenSSL::PKey::EC::Group.new(ec_method)
+ * OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b)
+ * OpenSSL::PKey::EC::Group.new(:GF2m, bignum_p, bignum_a, bignum_b)
+ *
+ * Creates a new EC::Group object.
*
- * See the OpenSSL documentation for EC_GROUP_*
+ * +ec_method+ is a symbol that represents an EC_METHOD. Currently the following
+ * are supported:
+ *
+ * * :GFp_simple
+ * * :GFp_mont
+ * * :GFp_nist
+ * * :GF2m_simple
+ *
+ * If the first argument is :GFp or :GF2m, creates a new curve with given
+ * parameters.
*/
static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -941,15 +946,18 @@ ossl_ec_group_initialize_copy(VALUE self, VALUE other)
if (!ec_group->group)
ossl_raise(eEC_GROUP, "EC_GROUP_dup");
- rb_iv_set(self, "@key", Qnil);
+ rb_ivar_set(self, id_i_key, Qnil);
return self;
}
-/* call-seq:
- * group1.eql?(group2) => true | false
- * group1 == group2 => true | false
+/*
+ * call-seq:
+ * group1.eql?(group2) => true | false
+ * group1 == group2 => true | false
*
+ * Returns true if the two groups use the same curve and have the same
+ * parameters, false otherwise.
*/
static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
{
@@ -964,10 +972,13 @@ static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
return Qtrue;
}
-/* call-seq:
- * group.generator => ec_point
+/*
+ * call-seq:
+ * group.generator => ec_point
*
- * See the OpenSSL documentation for EC_GROUP_get0_generator()
+ * Returns the generator of the group.
+ *
+ * See the OpenSSL documentation for EC_GROUP_get0_generator()
*/
static VALUE ossl_ec_group_get_generator(VALUE self)
{
@@ -981,10 +992,14 @@ static VALUE ossl_ec_group_get_generator(VALUE self)
return point_obj;
}
-/* call-seq:
- * group.set_generator(generator, order, cofactor) => self
+/*
+ * call-seq:
+ * group.set_generator(generator, order, cofactor) => self
*
- * See the OpenSSL documentation for EC_GROUP_set_generator()
+ * Sets the curve parameters. +generator+ must be an instance of EC::Point that
+ * is on the curve. +order+ and +cofactor+ are integers.
+ *
+ * See the OpenSSL documentation for EC_GROUP_set_generator()
*/
static VALUE ossl_ec_group_set_generator(VALUE self, VALUE generator, VALUE order, VALUE cofactor)
{
@@ -1003,10 +1018,13 @@ static VALUE ossl_ec_group_set_generator(VALUE self, VALUE generator, VALUE orde
return self;
}
-/* call-seq:
- * group.get_order => order_bn
+/*
+ * call-seq:
+ * group.get_order => order_bn
+ *
+ * Returns the order of the group.
*
- * See the OpenSSL documentation for EC_GROUP_get_order()
+ * See the OpenSSL documentation for EC_GROUP_get_order()
*/
static VALUE ossl_ec_group_get_order(VALUE self)
{
@@ -1025,10 +1043,13 @@ static VALUE ossl_ec_group_get_order(VALUE self)
return bn_obj;
}
-/* call-seq:
- * group.get_cofactor => cofactor_bn
+/*
+ * call-seq:
+ * group.get_cofactor => cofactor_bn
+ *
+ * Returns the cofactor of the group.
*
- * See the OpenSSL documentation for EC_GROUP_get_cofactor()
+ * See the OpenSSL documentation for EC_GROUP_get_cofactor()
*/
static VALUE ossl_ec_group_get_cofactor(VALUE self)
{
@@ -1047,10 +1068,13 @@ static VALUE ossl_ec_group_get_cofactor(VALUE self)
return bn_obj;
}
-/* call-seq:
- * group.curve_name => String
+/*
+ * call-seq:
+ * group.curve_name => String
+ *
+ * Returns the curve name (sn).
*
- * See the OpenSSL documentation for EC_GROUP_get_curve_name()
+ * See the OpenSSL documentation for EC_GROUP_get_curve_name()
*/
static VALUE ossl_ec_group_get_curve_name(VALUE self)
{
@@ -1067,10 +1091,14 @@ static VALUE ossl_ec_group_get_curve_name(VALUE self)
return rb_str_new2(OBJ_nid2sn(nid));
}
-/* call-seq:
- * EC.builtin_curves => [[name, comment], ...]
+/*
+ * call-seq:
+ * EC.builtin_curves => [[sn, comment], ...]
+ *
+ * Obtains a list of all predefined curves by the OpenSSL. Curve names are
+ * returned as sn.
*
- * See the OpenSSL documentation for EC_builtin_curves()
+ * See the OpenSSL documentation for EC_get_builtin_curves().
*/
static VALUE ossl_s_builtin_curves(VALUE self)
{
@@ -1100,10 +1128,13 @@ static VALUE ossl_s_builtin_curves(VALUE self)
return ret;
}
-/* call-seq:
- * group.asn1_flag => Fixnum
+/*
+ * call-seq:
+ * group.asn1_flag -> Integer
+ *
+ * Returns the flags set on the group.
*
- * See the OpenSSL documentation for EC_GROUP_get_asn1_flag()
+ * See also #asn1_flag=.
*/
static VALUE ossl_ec_group_get_asn1_flag(VALUE self)
{
@@ -1114,13 +1145,22 @@ static VALUE ossl_ec_group_get_asn1_flag(VALUE self)
flag = EC_GROUP_get_asn1_flag(group);
- return INT2FIX(flag);
+ return INT2NUM(flag);
}
-/* call-seq:
- * group.asn1_flag = Fixnum => Fixnum
+/*
+ * call-seq:
+ * group.asn1_flag = flags
+ *
+ * Sets flags on the group. The flag value is used to determine how to encode
+ * the group: encode explicit parameters or named curve using an OID.
+ *
+ * The flag value can be either of:
+ *
+ * * EC::NAMED_CURVE
+ * * EC::EXPLICIT_CURVE
*
- * See the OpenSSL documentation for EC_GROUP_set_asn1_flag()
+ * See the OpenSSL documentation for EC_GROUP_set_asn1_flag().
*/
static VALUE ossl_ec_group_set_asn1_flag(VALUE self, VALUE flag_v)
{
@@ -1133,10 +1173,13 @@ static VALUE ossl_ec_group_set_asn1_flag(VALUE self, VALUE flag_v)
return flag_v;
}
-/* call-seq:
- * group.point_conversion_form => :uncompressed | :compressed | :hybrid
+/*
+ * call-seq:
+ * group.point_conversion_form -> Symbol
+ *
+ * Returns the form how EC::Point data is encoded as ASN.1.
*
- * See the OpenSSL documentation for EC_GROUP_get_point_conversion_form()
+ * See also #point_conversion_form=.
*/
static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
{
@@ -1158,10 +1201,24 @@ static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
return ID2SYM(ret);
}
-/* call-seq:
- * group.point_conversion_form = form => form
+/*
+ * call-seq:
+ * group.point_conversion_form = form
*
- * See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
+ * Sets the form how EC::Point data is encoded as ASN.1 as defined in X9.62.
+ *
+ * +format+ can be one of these:
+ *
+ * :compressed::
+ * Encoded as z||x, where z is an octet indicating which solution of the
+ * equation y is. z will be 0x02 or 0x03.
+ * :uncompressed::
+ * Encoded as z||x||y, where z is an octet 0x04.
+ * :hybrid::
+ * Encodes as z||x||y, where z is an octet indicating which solution of the
+ * equation y is. z will be 0x06 or 0x07.
+ *
+ * See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
*/
static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
{
@@ -1186,10 +1243,11 @@ static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
return form_v;
}
-/* call-seq:
- * group.seed => String or nil
+/*
+ * call-seq:
+ * group.seed => String or nil
*
- * See the OpenSSL documentation for EC_GROUP_get0_seed()
+ * See the OpenSSL documentation for EC_GROUP_get0_seed()
*/
static VALUE ossl_ec_group_get_seed(VALUE self)
{
@@ -1206,10 +1264,11 @@ static VALUE ossl_ec_group_get_seed(VALUE self)
return rb_str_new((const char *)EC_GROUP_get0_seed(group), seed_len);
}
-/* call-seq:
- * group.seed = seed => seed
+/*
+ * call-seq:
+ * group.seed = seed => seed
*
- * See the OpenSSL documentation for EC_GROUP_set_seed()
+ * See the OpenSSL documentation for EC_GROUP_set_seed()
*/
static VALUE ossl_ec_group_set_seed(VALUE self, VALUE seed)
{
@@ -1226,10 +1285,11 @@ static VALUE ossl_ec_group_set_seed(VALUE self, VALUE seed)
/* get/set curve GFp, GF2m */
-/* call-seq:
- * group.degree => Fixnum
+/*
+ * call-seq:
+ * group.degree => Fixnum
*
- * See the OpenSSL documentation for EC_GROUP_get_degree()
+ * See the OpenSSL documentation for EC_GROUP_get_degree()
*/
static VALUE ossl_ec_group_get_degree(VALUE self)
{
@@ -1274,8 +1334,9 @@ static VALUE ossl_ec_group_to_string(VALUE self, int format)
return str;
}
-/* call-seq:
- * group.to_pem => String
+/*
+ * call-seq:
+ * group.to_pem => String
*
* See the OpenSSL documentation for PEM_write_bio_ECPKParameters()
*/
@@ -1284,20 +1345,22 @@ static VALUE ossl_ec_group_to_pem(VALUE self)
return ossl_ec_group_to_string(self, EXPORT_PEM);
}
-/* call-seq:
- * group.to_der => String
+/*
+ * call-seq:
+ * group.to_der => String
*
- * See the OpenSSL documentation for i2d_ECPKParameters_bio()
+ * See the OpenSSL documentation for i2d_ECPKParameters_bio()
*/
static VALUE ossl_ec_group_to_der(VALUE self)
{
return ossl_ec_group_to_string(self, EXPORT_DER);
}
-/* call-seq:
- * group.to_text => String
+/*
+ * call-seq:
+ * group.to_text => String
*
- * See the OpenSSL documentation for ECPKParameters_print()
+ * See the OpenSSL documentation for ECPKParameters_print()
*/
static VALUE ossl_ec_group_to_text(VALUE self)
{
@@ -1346,12 +1409,12 @@ static VALUE ossl_ec_point_alloc(VALUE klass)
}
/*
- * call-seq:
- * OpenSSL::PKey::EC::Point.new(point)
- * OpenSSL::PKey::EC::Point.new(group)
- * OpenSSL::PKey::EC::Point.new(group, bn)
+ * call-seq:
+ * OpenSSL::PKey::EC::Point.new(point)
+ * OpenSSL::PKey::EC::Point.new(group)
+ * OpenSSL::PKey::EC::Point.new(group, bn)
*
- * See the OpenSSL documentation for EC_POINT_*
+ * See the OpenSSL documentation for EC_POINT_*
*/
static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -1370,7 +1433,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
if (rb_obj_is_kind_of(arg1, cEC_POINT)) {
const EC_POINT *arg_point;
- group_v = rb_iv_get(arg1, "@group");
+ group_v = rb_attr_get(arg1, id_i_group);
SafeRequire_EC_GROUP(group_v, group);
SafeRequire_EC_POINT(arg1, arg_point);
@@ -1419,7 +1482,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
ec_point->point = point;
- rb_iv_set(self, "@group", group_v);
+ rb_ivar_set(self, id_i_group, group_v);
return self;
}
@@ -1437,29 +1500,28 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other)
ossl_raise(eEC_POINT, "EC::Point already initialized");
SafeRequire_EC_POINT(other, orig);
- group_v = rb_obj_dup(rb_iv_get(other, "@group"));
+ group_v = rb_obj_dup(rb_attr_get(other, id_i_group));
SafeRequire_EC_GROUP(group_v, group);
ec_point->point = EC_POINT_dup(orig, group);
if (!ec_point->point)
ossl_raise(eEC_POINT, "EC_POINT_dup");
- rb_iv_set(self, "@key", Qnil);
- rb_iv_set(self, "@group", group_v);
+ rb_ivar_set(self, id_i_key, Qnil);
+ rb_ivar_set(self, id_i_group, group_v);
return self;
}
/*
- * call-seq:
- * point1.eql?(point2) => true | false
- * point1 == point2 => true | false
- *
+ * call-seq:
+ * point1.eql?(point2) => true | false
+ * point1 == point2 => true | false
*/
static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
{
EC_POINT *point1, *point2;
- VALUE group_v1 = rb_iv_get(a, "@group");
- VALUE group_v2 = rb_iv_get(b, "@group");
+ VALUE group_v1 = rb_attr_get(a, id_i_group);
+ VALUE group_v2 = rb_attr_get(b, id_i_group);
const EC_GROUP *group;
if (ossl_ec_group_eql(group_v1, group_v2) == Qfalse)
@@ -1476,14 +1538,13 @@ static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
}
/*
- * call-seq:
- * point.infinity? => true | false
- *
+ * call-seq:
+ * point.infinity? => true | false
*/
static VALUE ossl_ec_point_is_at_infinity(VALUE self)
{
EC_POINT *point;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@@ -1499,14 +1560,13 @@ static VALUE ossl_ec_point_is_at_infinity(VALUE self)
}
/*
- * call-seq:
- * point.on_curve? => true | false
- *
+ * call-seq:
+ * point.on_curve? => true | false
*/
static VALUE ossl_ec_point_is_on_curve(VALUE self)
{
EC_POINT *point;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@@ -1522,14 +1582,13 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
}
/*
- * call-seq:
- * point.make_affine! => self
- *
+ * call-seq:
+ * point.make_affine! => self
*/
static VALUE ossl_ec_point_make_affine(VALUE self)
{
EC_POINT *point;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@@ -1542,14 +1601,13 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
}
/*
- * call-seq:
- * point.invert! => self
- *
+ * call-seq:
+ * point.invert! => self
*/
static VALUE ossl_ec_point_invert(VALUE self)
{
EC_POINT *point;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@@ -1562,14 +1620,13 @@ static VALUE ossl_ec_point_invert(VALUE self)
}
/*
- * call-seq:
- * point.set_to_infinity! => self
- *
+ * call-seq:
+ * point.set_to_infinity! => self
*/
static VALUE ossl_ec_point_set_to_infinity(VALUE self)
{
EC_POINT *point;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@@ -1582,8 +1639,8 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
}
/*
- * call-seq:
- * point.to_bn => OpenSSL::BN
+ * call-seq:
+ * point.to_bn => OpenSSL::BN
*
* See the OpenSSL documentation for EC_POINT_point2bn()
*/
@@ -1591,7 +1648,7 @@ static VALUE ossl_ec_point_to_bn(VALUE self)
{
EC_POINT *point;
VALUE bn_obj;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
point_conversion_form_t form;
BIGNUM *bn;
@@ -1611,9 +1668,9 @@ static VALUE ossl_ec_point_to_bn(VALUE self)
}
/*
- * call-seq:
- * point.mul(bn1 [, bn2]) => point
- * point.mul(bns, points [, bn2]) => point
+ * call-seq:
+ * point.mul(bn1 [, bn2]) => point
+ * point.mul(bns, points [, bn2]) => point
*
* Performs elliptic curve point multiplication.
*
@@ -1631,7 +1688,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
{
EC_POINT *point_self, *point_result;
const EC_GROUP *group;
- VALUE group_v = rb_iv_get(self, "@group");
+ VALUE group_v = rb_attr_get(self, id_i_group);
VALUE arg1, arg2, arg3, result;
const BIGNUM *bn_g = NULL;
@@ -1643,11 +1700,11 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
Require_EC_POINT(result, point_result);
rb_scan_args(argc, argv, "12", &arg1, &arg2, &arg3);
- if (rb_obj_is_kind_of(arg1, cBN)) {
+ if (!RB_TYPE_P(arg1, T_ARRAY)) {
BIGNUM *bn = GetBNPtr(arg1);
- if (argc >= 2)
- bn_g = GetBNPtr(arg2);
+ if (!NIL_P(arg2))
+ bn_g = GetBNPtr(arg2);
if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1)
ossl_raise(eEC_POINT, NULL);
} else {
@@ -1660,9 +1717,8 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
const EC_POINT **points;
const BIGNUM **bignums;
- if (!rb_obj_is_kind_of(arg1, rb_cArray) ||
- !rb_obj_is_kind_of(arg2, rb_cArray))
- ossl_raise(rb_eTypeError, "points must be array");
+ Check_Type(arg1, T_ARRAY);
+ Check_Type(arg2, T_ARRAY);
if (RARRAY_LEN(arg1) != RARRAY_LEN(arg2) + 1) /* arg2 must be 1 larger */
ossl_raise(rb_eArgError, "bns must be 1 longer than points; see the documentation");
@@ -1676,7 +1732,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
for (i = 0; i < num - 1; i++)
SafeRequire_EC_POINT(RARRAY_AREF(arg2, i), points[i + 1]);
- if (argc >= 3)
+ if (!NIL_P(arg3))
bn_g = GetBNPtr(arg3);
if (EC_POINTs_mul(group, point_result, bn_g, num, points, bignums, ossl_bn_ctx) != 1) {
@@ -1694,13 +1750,30 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
void Init_ossl_ec(void)
{
-#ifdef DONT_NEED_RDOC_WORKAROUND
- mOSSL = rb_define_module("OpenSSL");
+#if 0
mPKey = rb_define_module_under(mOSSL, "PKey");
+ cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
eECError = rb_define_class_under(mPKey, "ECError", ePKeyError);
+ /*
+ * Document-class: OpenSSL::PKey::EC
+ *
+ * OpenSSL::PKey::EC provides access to Elliptic Curve Digital Signature
+ * Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH).
+ *
+ * === Key exchange
+ * ec1 = OpenSSL::PKey::EC.generate("prime256v1")
+ * ec2 = OpenSSL::PKey::EC.generate("prime256v1")
+ * # ec1 and ec2 have own private key respectively
+ * shared_key1 = ec1.dh_compute_key(ec2.public_key)
+ * shared_key2 = ec2.dh_compute_key(ec1.public_key)
+ *
+ * p shared_key1 == shared_key2 #=> true
+ */
cEC = rb_define_class_under(mPKey, "EC", cPKey);
cEC_GROUP = rb_define_class_under(cEC, "Group", rb_cObject);
cEC_POINT = rb_define_class_under(cEC, "Point", rb_cObject);
@@ -1718,7 +1791,10 @@ void Init_ossl_ec(void)
ID_compressed = rb_intern("compressed");
ID_hybrid = rb_intern("hybrid");
- rb_define_const(cEC, "NAMED_CURVE", ULONG2NUM(OPENSSL_EC_NAMED_CURVE));
+ rb_define_const(cEC, "NAMED_CURVE", INT2NUM(OPENSSL_EC_NAMED_CURVE));
+#if defined(OPENSSL_EC_EXPLICIT_CURVE)
+ rb_define_const(cEC, "EXPLICIT_CURVE", INT2NUM(OPENSSL_EC_EXPLICIT_CURVE));
+#endif
rb_define_singleton_method(cEC, "builtin_curves", ossl_s_builtin_curves, 0);
@@ -1811,6 +1887,9 @@ void Init_ossl_ec(void)
rb_define_method(cEC_POINT, "to_bn", ossl_ec_point_to_bn, 0);
rb_define_method(cEC_POINT, "mul", ossl_ec_point_mul, -1);
+
+ id_i_group = rb_intern("@group");
+ id_i_key = rb_intern("@key");
}
#else /* defined NO_EC */
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index f1b4f04..17a7494 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -229,8 +229,8 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {
rsa = RSA_new();
}
- else if (FIXNUM_P(arg)) {
- rsa = rsa_generate(FIX2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass));
+ else if (RB_INTEGER_TYPE_P(arg)) {
+ rsa = rsa_generate(NUM2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass));
if (!rsa) ossl_raise(eRSAError, NULL);
}
else {
@@ -335,7 +335,7 @@ ossl_rsa_is_private(VALUE self)
*
* Outputs this keypair in PEM encoding. If +cipher+ and +pass_phrase+ are
* given they will be used to encrypt the key. +cipher+ must be an
- * OpenSSL::Cipher::Cipher instance.
+ * OpenSSL::Cipher instance.
*/
static VALUE
ossl_rsa_export(int argc, VALUE *argv, VALUE self)
@@ -383,7 +383,7 @@ static VALUE
ossl_rsa_to_der(VALUE self)
{
RSA *rsa;
- int (*i2d_func)_((const RSA*, unsigned char**));
+ int (*i2d_func)(const RSA *, unsigned char **);
unsigned char *p;
long len;
VALUE str;
@@ -392,7 +392,7 @@ ossl_rsa_to_der(VALUE self)
if (RSA_HAS_PRIVATE(rsa))
i2d_func = i2d_RSAPrivateKey;
else
- i2d_func = (int (*)(const RSA*, unsigned char**))i2d_RSA_PUBKEY;
+ i2d_func = (int (*)(const RSA *, unsigned char **))i2d_RSA_PUBKEY;
if((len = i2d_func(rsa, NULL)) <= 0)
ossl_raise(eRSAError, NULL);
str = rb_str_new(0, len);
@@ -656,21 +656,45 @@ ossl_rsa_blinding_off(VALUE self)
}
*/
+/*
+ * Document-method: OpenSSL::PKey::RSA#set_key
+ * call-seq:
+ * rsa.set_key(n, e, d) -> self
+ *
+ * Sets +n+, +e+, +d+ for the RSA instance.
+ */
OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d)
+/*
+ * Document-method: OpenSSL::PKey::RSA#set_factors
+ * call-seq:
+ * rsa.set_factors(p, q) -> self
+ *
+ * Sets +p+, +q+ for the RSA instance.
+ */
OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q)
+/*
+ * Document-method: OpenSSL::PKey::RSA#set_crt_params
+ * call-seq:
+ * rsa.set_crt_params(dmp1, dmq1, iqmp) -> self
+ *
+ * Sets +dmp1+, +dmq1+, +iqmp+ for the RSA instance. They are calculated by
+ * <tt>d mod (p - 1)</tt>, <tt>d mod (q - 1)</tt> and <tt>q^(-1) mod p</tt>
+ * respectively.
+ */
OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp)
/*
* INIT
*/
-#define DefRSAConst(x) rb_define_const(cRSA, #x,INT2FIX(RSA_##x))
+#define DefRSAConst(x) rb_define_const(cRSA, #x, INT2NUM(RSA_##x))
void
Init_ossl_rsa(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
+ cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
+ ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::RSAError
diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
index ff07a41..688c525 100644
--- a/ext/openssl/ossl_rand.c
+++ b/ext/openssl/ossl_rand.c
@@ -41,13 +41,13 @@ ossl_rand_seed(VALUE self, VALUE str)
* The +entropy+ argument is (the lower bound of) an estimate of how much
* randomness is contained in +str+, measured in bytes.
*
- * Example:
+ * === Example
*
* pid = $$
* now = Time.now
* ary = [now.to_i, now.nsec, 1000, pid]
- * OpenSSL::Random.add(ary.join("").to_s, 0.0)
- * OpenSSL::Random.seed(ary.join("").to_s)
+ * OpenSSL::Random.add(ary.join, 0.0)
+ * OpenSSL::Random.seed(ary.join)
*/
static VALUE
ossl_rand_add(VALUE self, VALUE str, VALUE entropy)
@@ -101,10 +101,10 @@ ossl_rand_write_file(VALUE self, VALUE filename)
* Generates +string+ with +length+ number of cryptographically strong
* pseudo-random bytes.
*
- * Example:
+ * === Example
*
* OpenSSL::Random.random_bytes(12)
- * => "..."
+ * #=> "..."
*/
static VALUE
ossl_rand_bytes(VALUE self, VALUE len)
@@ -134,10 +134,10 @@ ossl_rand_bytes(VALUE self, VALUE len)
* Pseudo-random byte sequences generated by ::pseudo_bytes will be unique if
* they are of sufficient length, but are not necessarily unpredictable.
*
- * Example:
+ * === Example
*
* OpenSSL::Random.pseudo_bytes(12)
- * => "..."
+ * #=> "..."
*/
static VALUE
ossl_rand_pseudo_bytes(VALUE self, VALUE len)
@@ -214,7 +214,8 @@ void
Init_ossl_rand(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
mRandom = rb_define_module_under(mOSSL, "Random");
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index a180ff2..9a499a7 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -64,18 +64,15 @@ static VALUE eSSLErrorWaitWritable;
#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
#define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback")
#define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
+#define ossl_sslctx_get_verify_hostname(o) rb_iv_get((o),"@verify_hostname")
#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
-#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
-#define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
#define ossl_ssl_set_hostname_v(o,v) rb_iv_set((o),"@hostname",(v))
-#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
-#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
#define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v))
@@ -183,6 +180,9 @@ ossl_sslctx_s_alloc(VALUE klass)
* ctx.ssl_version = :TLSv1
* ctx.ssl_version = "SSLv23_client"
*
+ * Sets the SSL/TLS protocol version for the context. This forces connections to
+ * use only the specified protocol version.
+ *
* You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
*/
static VALUE
@@ -225,28 +225,30 @@ ossl_call_client_cert_cb(VALUE obj)
{
VALUE cb, ary, cert, key;
- cb = rb_funcall(obj, rb_intern("client_cert_cb"), 0);
- if (NIL_P(cb)) return Qfalse;
+ cb = ossl_sslctx_get_client_cert_cb(ossl_ssl_get_ctx(obj));
+ if (NIL_P(cb))
+ return Qnil;
+
ary = rb_funcall(cb, rb_intern("call"), 1, obj);
Check_Type(ary, T_ARRAY);
GetX509CertPtr(cert = rb_ary_entry(ary, 0));
- GetPKeyPtr(key = rb_ary_entry(ary, 1));
- ossl_ssl_set_x509(obj, cert);
- ossl_ssl_set_key(obj, key);
+ GetPrivPKeyPtr(key = rb_ary_entry(ary, 1));
- return Qtrue;
+ return rb_ary_new3(2, cert, key);
}
static int
ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
- VALUE obj, success;
+ VALUE obj, ret;
obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
- success = rb_protect(ossl_call_client_cert_cb, obj, NULL);
- if (!RTEST(success)) return 0;
- *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
- *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
+ ret = rb_protect(ossl_call_client_cert_cb, obj, NULL);
+ if (NIL_P(ret))
+ return 0;
+
+ *x509 = DupX509CertPtr(RARRAY_AREF(ret, 0));
+ *pkey = DupPKeyPtr(RARRAY_AREF(ret, 1));
return 1;
}
@@ -275,7 +277,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
- args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength));
+ args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
dh = rb_protect(ossl_call_tmp_dh_callback, args, NULL);
if (!RTEST(dh)) return NULL;
@@ -309,7 +311,7 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
- args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength));
+ args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
ecdh = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL);
if (!RTEST(ecdh)) return NULL;
@@ -319,16 +321,50 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
}
#endif
+static VALUE
+call_verify_certificate_identity(VALUE ctx_v)
+{
+ X509_STORE_CTX *ctx = (X509_STORE_CTX *)ctx_v;
+ SSL *ssl;
+ VALUE ssl_obj, hostname, cert_obj;
+
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+ hostname = rb_attr_get(ssl_obj, rb_intern("@hostname"));
+
+ if (!RTEST(hostname)) {
+ rb_warning("verify_hostname requires hostname to be set");
+ return Qtrue;
+ }
+
+ cert_obj = ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
+ return rb_funcall(mSSL, rb_intern("verify_certificate_identity"), 2,
+ cert_obj, hostname);
+}
+
static int
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
- VALUE cb;
+ VALUE cb, ssl_obj, verify_hostname, ret;
SSL *ssl;
+ int status;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
- X509_STORE_CTX_set_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx, (void *)cb);
- return ossl_verify_cb(preverify_ok, ctx);
+ ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+ verify_hostname = ossl_sslctx_get_verify_hostname(ossl_ssl_get_ctx(ssl_obj));
+
+ if (preverify_ok && RTEST(verify_hostname) && !SSL_is_server(ssl) &&
+ !X509_STORE_CTX_get_error_depth(ctx)) {
+ ret = rb_protect(call_verify_certificate_identity, (VALUE)ctx, &status);
+ if (status) {
+ rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
+ return 0;
+ }
+ preverify_ok = ret == Qtrue;
+ }
+
+ return ossl_verify_cb_call(cb, preverify_ok, ctx);
}
static VALUE
@@ -464,7 +500,7 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
rb_ary_push(ary, sslctx_obj);
rb_ary_push(ary, sess_obj);
- rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
+ rb_protect(ossl_call_session_remove_cb, ary, &state);
if (state) {
/*
the SSL_CTX is frozen, nowhere to save state.
@@ -540,7 +576,7 @@ ssl_servername_cb(SSL *ssl, int *ad, void *arg)
rb_ary_push(ary, ssl_obj);
rb_ary_push(ary, rb_str_new2(servername));
- rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
+ rb_protect(ossl_call_servername_cb, ary, &state);
if (state) {
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
return SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -624,8 +660,7 @@ ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *out
static int
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
{
- VALUE sslctx_obj = (VALUE) arg;
- VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
+ VALUE protocols = (VALUE)arg;
*out = (const unsigned char *) RSTRING_PTR(protocols);
*outlen = RSTRING_LENINT(protocols);
@@ -776,7 +811,7 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_cert(self);
cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
val = ossl_sslctx_get_key(self);
- key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
+ key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
if (cert && key) {
if (!SSL_CTX_use_certificate(ctx, cert)) {
/* Adds a ref => Safe to FREE */
@@ -835,8 +870,8 @@ ossl_sslctx_setup(VALUE self)
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
val = rb_iv_get(self, "@npn_protocols");
if (!NIL_P(val)) {
- rb_iv_set(self, "@_protocols", ssl_encode_npn_protocols(val));
- SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *) self);
+ VALUE encoded = ssl_encode_npn_protocols(val);
+ SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
OSSL_Debug("SSL NPN advertise callback added");
}
if (RTEST(rb_iv_get(self, "@npn_select_cb"))) {
@@ -903,8 +938,8 @@ ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
- rb_ary_push(ary, INT2FIX(bits));
- rb_ary_push(ary, INT2FIX(alg_bits));
+ rb_ary_push(ary, INT2NUM(bits));
+ rb_ary_push(ary, INT2NUM(alg_bits));
return ary;
}
@@ -913,7 +948,7 @@ ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
* call-seq:
* ctx.ciphers => [[name, version, bits, alg_bits], ...]
*
- * The list of ciphers configured for this context.
+ * The list of cipher suites configured for this context.
*/
static VALUE
ossl_sslctx_get_ciphers(VALUE self)
@@ -949,11 +984,9 @@ ossl_sslctx_get_ciphers(VALUE self)
* ctx.ciphers = [name, ...]
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
*
- * Sets the list of available ciphers for this context. Note in a server
+ * Sets the list of available cipher suites for this context. Note in a server
* context some ciphers require the appropriate certificates. For example, an
- * RSA cipher can only be chosen when an RSA certificate is available.
- *
- * See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
+ * RSA cipher suite can only be chosen when an RSA certificate is available.
*/
static VALUE
ossl_sslctx_set_ciphers(VALUE self, VALUE v)
@@ -1056,7 +1089,11 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
if (!ec)
ossl_raise(eSSLError, NULL);
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
- SSL_CTX_set_tmp_ecdh(ctx, ec);
+ if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
+ EC_KEY_free(ec);
+ ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
+ }
+ EC_KEY_free(ec);
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
/* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
* is enabled. So disable ecdh_auto. */
@@ -1088,7 +1125,7 @@ ossl_sslctx_get_security_level(VALUE self)
GetSSLCTX(self, ctx);
#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
- return INT2FIX(SSL_CTX_get_security_level(ctx));
+ return INT2NUM(SSL_CTX_get_security_level(ctx));
#else
(void)ctx;
return INT2FIX(0);
@@ -1097,7 +1134,7 @@ ossl_sslctx_get_security_level(VALUE self)
/*
* call-seq:
- * ctx.security_level=(integer) -> Integer
+ * ctx.security_level = integer
*
* Sets the security level for the context. OpenSSL limits parameters according
* to the level. The "parameters" include: ciphersuites, curves, key sizes,
@@ -1138,7 +1175,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value)
* call-seq:
* ctx.session_add(session) -> true | false
*
- * Adds +session+ to the session cache
+ * Adds +session+ to the session cache.
*/
static VALUE
ossl_sslctx_session_add(VALUE self, VALUE arg)
@@ -1156,7 +1193,7 @@ ossl_sslctx_session_add(VALUE self, VALUE arg)
* call-seq:
* ctx.session_remove(session) -> true | false
*
- * Removes +session+ from the session cache
+ * Removes +session+ from the session cache.
*/
static VALUE
ossl_sslctx_session_remove(VALUE self, VALUE arg)
@@ -1374,7 +1411,7 @@ ossl_ssl_s_alloc(VALUE klass)
* SSLSocket.new(io) => aSSLSocket
* SSLSocket.new(io, ctx) => aSSLSocket
*
- * Creates a new SSL socket from +io+ which must be a real ruby object (not an
+ * Creates a new SSL socket from +io+ which must be a real IO object (not an
* IO-like object that responds to read/write).
*
* If +ctx+ is provided the SSL Sockets initial params will be taken from
@@ -1950,7 +1987,8 @@ ossl_ssl_get_cipher(VALUE self)
* call-seq:
* ssl.state => string
*
- * A description of the current connection state.
+ * A description of the current connection state. This is for diagnostic
+ * purposes only.
*/
static VALUE
ossl_ssl_get_state(VALUE self)
@@ -1972,7 +2010,7 @@ ossl_ssl_get_state(VALUE self)
* call-seq:
* ssl.pending => Integer
*
- * The number of bytes that are immediately available for reading
+ * The number of bytes that are immediately available for reading.
*/
static VALUE
ossl_ssl_pending(VALUE self)
@@ -2021,6 +2059,7 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
return arg1;
}
+#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
/*
* call-seq:
* ssl.hostname = hostname -> hostname
@@ -2028,7 +2067,6 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
* Sets the server hostname used for SNI. This needs to be set before
* SSLSocket#connect.
*/
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
static VALUE
ossl_ssl_set_hostname(VALUE self, VALUE arg)
{
@@ -2066,7 +2104,7 @@ ossl_ssl_get_verify_result(VALUE self)
GetSSL(self, ssl);
- return INT2FIX(SSL_get_verify_result(ssl));
+ return INT2NUM(SSL_get_verify_result(ssl));
}
/*
@@ -2095,7 +2133,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
# ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
/*
* call-seq:
- * ssl.npn_protocol => String
+ * ssl.npn_protocol => String | nil
*
* Returns the protocol string that was finally selected by the client
* during the handshake.
@@ -2120,9 +2158,9 @@ ossl_ssl_npn_protocol(VALUE self)
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* call-seq:
- * ssl.alpn_protocol => String
+ * ssl.alpn_protocol => String | nil
*
- * Returns the ALPN protocol string that was finally selected by the client
+ * Returns the ALPN protocol string that was finally selected by the server
* during the handshake.
*/
static VALUE
@@ -2147,7 +2185,7 @@ ossl_ssl_alpn_protocol(VALUE self)
* call-seq:
* ssl.tmp_key => PKey or nil
*
- * Returns the ephemeral key used in case of forward secrecy cipher
+ * Returns the ephemeral key used in case of forward secrecy cipher.
*/
static VALUE
ossl_ssl_tmp_key(VALUE self)
@@ -2170,7 +2208,10 @@ Init_ossl_ssl(void)
VALUE ary;
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ rb_mWaitReadable = rb_define_module_under(rb_cIO, "WaitReadable");
+ rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
#endif
ID_callback_state = rb_intern("@callback_state");
@@ -2218,14 +2259,10 @@ Init_ossl_ssl(void)
*
* All attributes must be set before creating an SSLSocket as the
* SSLContext will be frozen afterward.
- *
- * The following attributes are available but don't show up in rdoc:
- * * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
- * * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
- * * session_id_context, session_add_cb, session_new_cb, session_remove_cb
*/
cSSLContext = rb_define_class_under(mSSL, "SSLContext", rb_cObject);
rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);
+ rb_undef_method(cSSLContext, "initialize_copy");
/*
* Context certificate
@@ -2255,7 +2292,7 @@ Init_ossl_ssl(void)
rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
/*
- * Maximum session lifetime.
+ * Maximum session lifetime in seconds.
*/
rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
@@ -2264,6 +2301,11 @@ Init_ossl_ssl(void)
*
* Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
* VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
+ *
+ * The default mode is VERIFY_NONE, which does not perform any verification
+ * at all.
+ *
+ * See SSL_CTX_set_verify(3) for details.
*/
rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
@@ -2281,12 +2323,21 @@ Init_ossl_ssl(void)
* +store_context+ is an OpenSSL::X509::StoreContext containing the
* context used for certificate verification.
*
- * If the callback returns false verification is stopped.
+ * If the callback returns false, the chain verification is immediately
+ * stopped and a bad_certificate alert is then sent.
*/
rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
/*
- * An OpenSSL::X509::Store used for certificate verification
+ * Whether to check the server certificate is valid for the hostname.
+ *
+ * In order to make this work, verify_mode must be set to VERIFY_PEER and
+ * the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
+ */
+ rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
+
+ /*
+ * An OpenSSL::X509::Store used for certificate verification.
*/
rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
@@ -2410,7 +2461,7 @@ Init_ossl_ssl(void)
* === Example
*
* ctx.npn_select_cb = lambda do |protocols|
- * #inspect the protocols and select one
+ * # inspect the protocols and select one
* protocols.first
* end
*/
@@ -2420,10 +2471,10 @@ Init_ossl_ssl(void)
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* An Enumerable of Strings. Each String represents a protocol to be
- * advertised as the list of supported protocols for Application-Layer Protocol
- * Negotiation. Supported in OpenSSL 1.0.1 and higher. Has no effect
- * on the client side. If not set explicitly, the NPN extension will
- * not be sent by the server in the handshake.
+ * advertised as the list of supported protocols for Application-Layer
+ * Protocol Negotiation. Supported in OpenSSL 1.0.2 and higher. Has no
+ * effect on the server side. If not set explicitly, the ALPN extension will
+ * not be included in the handshake.
*
* === Example
*
@@ -2433,16 +2484,16 @@ Init_ossl_ssl(void)
/*
* A callback invoked on the server side when the server needs to select
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
- * and higher. The server MUST select a protocol of those advertised by
+ * and higher. The callback must return a protocol of those advertised by
* the client. If none is acceptable, raising an error in the callback
* will cause the handshake to fail. Not setting this callback explicitly
- * means not supporting the ALPN extension on the client - any protocols
- * advertised by the server will be ignored.
+ * means not supporting the ALPN extension on the server - any protocols
+ * advertised by the client will be ignored.
*
* === Example
*
* ctx.alpn_select_cb = lambda do |protocols|
- * #inspect the protocols and select one
+ * # inspect the protocols and select one
* protocols.first
* end
*/
@@ -2463,22 +2514,22 @@ Init_ossl_ssl(void)
/*
* No session caching for client or server
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
+ rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2NUM(SSL_SESS_CACHE_OFF));
/*
* Client sessions are added to the session cache
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
+ rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2NUM(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
/*
* Server sessions are added to the session cache
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
+ rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2NUM(SSL_SESS_CACHE_SERVER));
/*
* Both client and server sessions are added to the session cache
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
+ rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2NUM(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
/*
* Normally the session cache is checked for expired sessions every 255
@@ -2486,7 +2537,7 @@ Init_ossl_ssl(void)
* the automatic flushing may be disabled and #flush_sessions can be
* called explicitly.
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
+ rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2NUM(SSL_SESS_CACHE_NO_AUTO_CLEAR));
/*
* Always perform external lookups of sessions even if they are in the
@@ -2494,18 +2545,18 @@ Init_ossl_ssl(void)
*
* This flag has no effect on clients
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
+ rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
/*
* Never automatically store sessions in the internal store.
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
+ rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_STORE));
/*
* Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
* SESSION_CACHE_NO_INTERNAL_STORE.
*/
- rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
+ rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL));
rb_define_method(cSSLContext, "session_add", ossl_sslctx_session_add, 1);
rb_define_method(cSSLContext, "session_remove", ossl_sslctx_session_remove, 1);
@@ -2528,10 +2579,6 @@ Init_ossl_ssl(void)
/*
* Document-class: OpenSSL::SSL::SSLSocket
- *
- * The following attributes are available but don't show up in rdoc.
- * * io, context, sync_close
- *
*/
cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
#ifdef OPENSSL_NO_SOCK
@@ -2541,6 +2588,7 @@ Init_ossl_ssl(void)
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
+ rb_undef_method(cSSLSocket, "initialize_copy");
rb_define_method(cSSLSocket, "connect", ossl_ssl_connect, 0);
rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, -1);
rb_define_method(cSSLSocket, "accept", ossl_ssl_accept, 0);
diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
index 4836891..fb7c0fb 100644
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@@ -28,12 +28,12 @@ static VALUE ossl_ssl_session_alloc(VALUE klass)
/*
* call-seq:
- * Session.new(SSLSocket | string) => session
+ * Session.new(ssl_socket) -> Session
+ * Session.new(string) -> Session
*
- * === Parameters
- * +SSLSocket+ is an OpenSSL::SSL::SSLSocket
- * +string+ must be a DER or PEM encoded Session.
-*/
+ * Creates a new Session object from an instance of SSLSocket or DER/PEM encoded
+ * String.
+ */
static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
{
SSL_SESSION *ctx = NULL;
@@ -73,6 +73,26 @@ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
return self;
}
+static VALUE
+ossl_ssl_session_initialize_copy(VALUE self, VALUE other)
+{
+ SSL_SESSION *sess, *sess_other, *sess_new;
+
+ rb_check_frozen(self);
+ sess = RTYPEDDATA_DATA(self); /* XXX */
+ SafeGetSSLSession(other, sess_other);
+
+ sess_new = ASN1_dup((i2d_of_void *)i2d_SSL_SESSION, (d2i_of_void *)d2i_SSL_SESSION,
+ (char *)sess_other);
+ if (!sess_new)
+ ossl_raise(eSSLSession, "ASN1_dup");
+
+ RTYPEDDATA_DATA(self) = sess_new;
+ SSL_SESSION_free(sess);
+
+ return self;
+}
+
#if HAVE_SSL_SESSION_CMP == 0
int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
{
@@ -98,9 +118,10 @@ int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
/*
* call-seq:
- * session1 == session2 -> boolean
+ * session1 == session2 -> boolean
*
-*/
+ * Returns true if the two Session is the same, false if not.
+ */
static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
{
SSL_SESSION *ctx1, *ctx2;
@@ -118,9 +139,8 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
* call-seq:
* session.time -> Time
*
- * Gets start time of the session.
- *
-*/
+ * Returns the time at which the session was established.
+ */
static VALUE ossl_ssl_session_get_time(VALUE self)
{
SSL_SESSION *ctx;
@@ -138,11 +158,12 @@ static VALUE ossl_ssl_session_get_time(VALUE self)
/*
* call-seq:
- * session.timeout -> integer
+ * session.timeout -> Integer
*
- * Gets how long until the session expires in seconds.
+ * Returns the timeout value set for the session, in seconds from the
+ * established time.
*
-*/
+ */
static VALUE ossl_ssl_session_get_timeout(VALUE self)
{
SSL_SESSION *ctx;
@@ -157,12 +178,12 @@ static VALUE ossl_ssl_session_get_timeout(VALUE self)
/*
* call-seq:
- * session.time=(Time) -> Time
- * session.time=(integer) -> Time
+ * session.time = time
+ * session.time = integer
*
* Sets start time of the session. Time resolution is in seconds.
*
-*/
+ */
static VALUE ossl_ssl_session_set_time(VALUE self, VALUE time_v)
{
SSL_SESSION *ctx;
@@ -179,11 +200,10 @@ static VALUE ossl_ssl_session_set_time(VALUE self, VALUE time_v)
/*
* call-seq:
- * session.timeout=(integer) -> integer
+ * session.timeout = integer
*
* Sets how long until the session expires in seconds.
- *
-*/
+ */
static VALUE ossl_ssl_session_set_timeout(VALUE self, VALUE time_v)
{
SSL_SESSION *ctx;
@@ -197,7 +217,7 @@ static VALUE ossl_ssl_session_set_timeout(VALUE self, VALUE time_v)
/*
* call-seq:
- * session.id -> aString
+ * session.id -> String
*
* Returns the Session ID.
*/
@@ -216,10 +236,10 @@ static VALUE ossl_ssl_session_get_id(VALUE self)
/*
* call-seq:
- * session.to_der -> aString
+ * session.to_der -> String
*
* Returns an ASN1 encoded String that contains the Session object.
-*/
+ */
static VALUE ossl_ssl_session_to_der(VALUE self)
{
SSL_SESSION *ctx;
@@ -245,7 +265,7 @@ static VALUE ossl_ssl_session_to_der(VALUE self)
* session.to_pem -> String
*
* Returns a PEM encoded String that contains the Session object.
-*/
+ */
static VALUE ossl_ssl_session_to_pem(VALUE self)
{
SSL_SESSION *ctx;
@@ -277,8 +297,8 @@ static VALUE ossl_ssl_session_to_pem(VALUE self)
* call-seq:
* session.to_text -> String
*
- * Shows everything in the Session object.
-*/
+ * Shows everything in the Session object. This is for diagnostic purposes.
+ */
static VALUE ossl_ssl_session_to_text(VALUE self)
{
SSL_SESSION *ctx;
@@ -308,14 +328,16 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
void Init_ossl_ssl_session(void)
{
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
- mSSL = rb_define_module_under(mOSSL, "SSL");
+ mOSSL = rb_define_module("OpenSSL");
+ mSSL = rb_define_module_under(mOSSL, "SSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
rb_define_alloc_func(cSSLSession, ossl_ssl_session_alloc);
rb_define_method(cSSLSession, "initialize", ossl_ssl_session_initialize, 1);
+ rb_define_copy_func(cSSLSession, ossl_ssl_session_initialize_copy);
rb_define_method(cSSLSession, "==", ossl_ssl_session_eq, 1);
diff --git a/ext/openssl/ossl_version.h b/ext/openssl/ossl_version.h
index dcd026a..1744c1c 100644
--- a/ext/openssl/ossl_version.h
+++ b/ext/openssl/ossl_version.h
@@ -10,6 +10,6 @@
#if !defined(_OSSL_VERSION_H_)
#define _OSSL_VERSION_H_
-#define OSSL_VERSION "1.1.0"
+#define OSSL_VERSION "2.0.0"
#endif /* _OSSL_VERSION_H_ */
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index 14f794e..19ec274 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -11,7 +11,7 @@
VALUE mX509;
-#define DefX509Const(x) rb_define_const(mX509, #x,INT2FIX(X509_##x))
+#define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
#define DefX509Default(x,i) \
rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
@@ -34,6 +34,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
void
Init_ossl_x509(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+#endif
+
mX509 = rb_define_module_under(mOSSL, "X509");
Init_ossl_x509attr();
@@ -79,17 +83,88 @@ Init_ossl_x509(void)
DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
DefX509Const(V_ERR_APPLICATION_VERIFICATION);
+ /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
+ * certificate chain leaf. */
DefX509Const(V_FLAG_CRL_CHECK);
+ /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for all
+ * certificates in the certificate chain */
DefX509Const(V_FLAG_CRL_CHECK_ALL);
+ /* Set by Store#flags= and StoreContext#flags=. Disables critical extension
+ * checking. */
+ DefX509Const(V_FLAG_IGNORE_CRITICAL);
+ /* Set by Store#flags= and StoreContext#flags=. Disables workarounds for
+ * broken certificates. */
+ DefX509Const(V_FLAG_X509_STRICT);
+ /* Set by Store#flags= and StoreContext#flags=. Enables proxy certificate
+ * verification. */
+ DefX509Const(V_FLAG_ALLOW_PROXY_CERTS);
+ /* Set by Store#flags= and StoreContext#flags=. Enables certificate policy
+ * constraints checking. */
+ DefX509Const(V_FLAG_POLICY_CHECK);
+ /* Set by Store#flags= and StoreContext#flags=.
+ * Implies V_FLAG_POLICY_CHECK */
+ DefX509Const(V_FLAG_EXPLICIT_POLICY);
+ /* Set by Store#flags= and StoreContext#flags=.
+ * Implies V_FLAG_POLICY_CHECK */
+ DefX509Const(V_FLAG_INHIBIT_ANY);
+ /* Set by Store#flags= and StoreContext#flags=.
+ * Implies V_FLAG_POLICY_CHECK */
+ DefX509Const(V_FLAG_INHIBIT_MAP);
+ /* Set by Store#flags= and StoreContext#flags=. */
+ DefX509Const(V_FLAG_NOTIFY_POLICY);
+#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT)
+ /* Set by Store#flags= and StoreContext#flags=. Enables some additional
+ * features including support for indirect signed CRLs. */
+ DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
+#endif
+#if defined(X509_V_FLAG_USE_DELTAS)
+ /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
+ * specified, deltas are ignored. */
+ DefX509Const(V_FLAG_USE_DELTAS);
+#endif
+#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE)
+ /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
+ * signature of the root self-signed CA. */
+ DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
+#endif
+#if defined(X509_V_FLAG_TRUSTED_FIRST)
+ /* Set by Store#flags= and StoreContext#flags=. When constructing a
+ * certificate chain, search the Store first for the issuer certificate.
+ * Enabled by default in OpenSSL >= 1.1.0. */
+ DefX509Const(V_FLAG_TRUSTED_FIRST);
+#endif
+#if defined(X509_V_FLAG_NO_ALT_CHAINS)
+ /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
+ * a alternative chain. No effect in OpenSSL >= 1.1.0. */
+ DefX509Const(V_FLAG_NO_ALT_CHAINS);
+#endif
+#if defined(X509_V_FLAG_NO_CHECK_TIME)
+ /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
+ * validity period of certificates and CRLs. No effect when the current
+ * time is explicitly set by Store#time= or StoreContext#time=. */
+ DefX509Const(V_FLAG_NO_CHECK_TIME);
+#endif
+ /* Set by Store#purpose=. SSL/TLS client. */
DefX509Const(PURPOSE_SSL_CLIENT);
+ /* Set by Store#purpose=. SSL/TLS server. */
DefX509Const(PURPOSE_SSL_SERVER);
+ /* Set by Store#purpose=. Netscape SSL server. */
DefX509Const(PURPOSE_NS_SSL_SERVER);
+ /* Set by Store#purpose=. S/MIME signing. */
DefX509Const(PURPOSE_SMIME_SIGN);
+ /* Set by Store#purpose=. S/MIME encryption. */
DefX509Const(PURPOSE_SMIME_ENCRYPT);
+ /* Set by Store#purpose=. CRL signing */
DefX509Const(PURPOSE_CRL_SIGN);
+ /* Set by Store#purpose=. No checks. */
DefX509Const(PURPOSE_ANY);
+ /* Set by Store#purpose=. OCSP helper. */
DefX509Const(PURPOSE_OCSP_HELPER);
+#if defined(X509_PURPOSE_TIMESTAMP_SIGN)
+ /* Set by Store#purpose=. Time stamps signer. */
+ DefX509Const(PURPOSE_TIMESTAMP_SIGN);
+#endif
DefX509Const(TRUST_COMPAT);
DefX509Const(TRUST_SSL_CLIENT);
@@ -98,6 +173,9 @@ Init_ossl_x509(void)
DefX509Const(TRUST_OBJECT_SIGN);
DefX509Const(TRUST_OCSP_SIGN);
DefX509Const(TRUST_OCSP_REQUEST);
+#if defined(X509_TRUST_TSA)
+ DefX509Const(TRUST_TSA);
+#endif
DefX509Default(CERT_AREA, cert_area);
DefX509Default(CERT_DIR, cert_dir);
diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h
index 5768048..c26da73 100644
--- a/ext/openssl/ossl_x509.h
+++ b/ext/openssl/ossl_x509.h
@@ -31,7 +31,7 @@ extern VALUE cX509Attr;
extern VALUE eX509AttrError;
VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
-X509_ATTRIBUTE *DupX509AttrPtr(VALUE);
+X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
void Init_ossl_x509attr(void);
/*
@@ -66,7 +66,6 @@ extern VALUE eX509ExtError;
VALUE ossl_x509ext_new(X509_EXTENSION *);
X509_EXTENSION *GetX509ExtPtr(VALUE);
-X509_EXTENSION *DupX509ExtPtr(VALUE);
void Init_ossl_x509ext(void);
/*
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index 78ce236..ae0b347 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -72,16 +72,13 @@ ossl_x509attr_new(X509_ATTRIBUTE *attr)
}
X509_ATTRIBUTE *
-DupX509AttrPtr(VALUE obj)
+GetX509AttrPtr(VALUE obj)
{
- X509_ATTRIBUTE *attr, *new;
+ X509_ATTRIBUTE *attr;
SafeGetX509Attr(obj, attr);
- if (!(new = X509_ATTRIBUTE_dup(attr))) {
- ossl_raise(eX509AttrError, NULL);
- }
- return new;
+ return attr;
}
/*
@@ -130,6 +127,25 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+static VALUE
+ossl_x509attr_initialize_copy(VALUE self, VALUE other)
+{
+ X509_ATTRIBUTE *attr, *attr_other, *attr_new;
+
+ rb_check_frozen(self);
+ GetX509Attr(self, attr);
+ SafeGetX509Attr(other, attr_other);
+
+ attr_new = X509_ATTRIBUTE_dup(attr_other);
+ if (!attr_new)
+ ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
+
+ SetX509Attr(self, attr_new);
+ X509_ATTRIBUTE_free(attr);
+
+ return self;
+}
+
/*
* call-seq:
* attr.oid = string => string
@@ -141,12 +157,15 @@ ossl_x509attr_set_oid(VALUE self, VALUE oid)
ASN1_OBJECT *obj;
char *s;
+ GetX509Attr(self, attr);
s = StringValueCStr(oid);
obj = OBJ_txt2obj(s, 0);
- if(!obj) obj = OBJ_txt2obj(s, 1);
if(!obj) ossl_raise(eX509AttrError, NULL);
- GetX509Attr(self, attr);
- X509_ATTRIBUTE_set1_object(attr, obj);
+ if (!X509_ATTRIBUTE_set1_object(attr, obj)) {
+ ASN1_OBJECT_free(obj);
+ ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
+ }
+ ASN1_OBJECT_free(obj);
return oid;
}
@@ -289,11 +308,18 @@ ossl_x509attr_to_der(VALUE self)
void
Init_ossl_x509attr(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
eX509AttrError = rb_define_class_under(mX509, "AttributeError", eOSSLError);
cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject);
rb_define_alloc_func(cX509Attr, ossl_x509attr_alloc);
rb_define_method(cX509Attr, "initialize", ossl_x509attr_initialize, -1);
+ rb_define_copy_func(cX509Attr, ossl_x509attr_initialize_copy);
rb_define_method(cX509Attr, "oid=", ossl_x509attr_set_oid, 1);
rb_define_method(cX509Attr, "oid", ossl_x509attr_get_oid, 0);
rb_define_method(cX509Attr, "value=", ossl_x509attr_set_value, 1);
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index a7e3796..ad1126d 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -456,10 +456,10 @@ static VALUE
ossl_x509_get_not_before(VALUE self)
{
X509 *x509;
- ASN1_UTCTIME *asn1time;
+ const ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!(asn1time = X509_get_notBefore(x509))) { /* NO DUP - don't free! */
+ if (!(asn1time = X509_get0_notBefore(x509))) {
ossl_raise(eX509CertError, NULL);
}
@@ -474,10 +474,15 @@ static VALUE
ossl_x509_set_not_before(VALUE self, VALUE time)
{
X509 *x509;
+ ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
- ossl_raise(eX509CertError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_set_notBefore(x509, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CertError, "X509_set_notBefore");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -490,10 +495,10 @@ static VALUE
ossl_x509_get_not_after(VALUE self)
{
X509 *x509;
- ASN1_TIME *asn1time;
+ const ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!(asn1time = X509_get_notAfter(x509))) { /* NO DUP - don't free! */
+ if (!(asn1time = X509_get0_notAfter(x509))) {
ossl_raise(eX509CertError, NULL);
}
@@ -508,10 +513,15 @@ static VALUE
ossl_x509_set_not_after(VALUE self, VALUE time)
{
X509 *x509;
+ ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
- ossl_raise(eX509CertError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_set_notAfter(x509, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CertError, "X509_set_notAfter");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -667,13 +677,10 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
while ((ext = X509_delete_ext(x509, 0)))
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
- ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
-
- if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
- X509_EXTENSION_free(ext);
+ ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
+ if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
ossl_raise(eX509CertError, NULL);
}
- X509_EXTENSION_free(ext);
}
return ary;
@@ -690,12 +697,10 @@ ossl_x509_add_extension(VALUE self, VALUE extension)
X509_EXTENSION *ext;
GetX509(self, x509);
- ext = DupX509ExtPtr(extension);
+ ext = GetX509ExtPtr(extension);
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
- X509_EXTENSION_free(ext);
ossl_raise(eX509CertError, NULL);
}
- X509_EXTENSION_free(ext);
return extension;
}
@@ -720,9 +725,9 @@ ossl_x509_inspect(VALUE self)
void
Init_ossl_x509cert(void)
{
-
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index 2cbe4f9..0ff5d2f 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -180,7 +180,7 @@ static VALUE
ossl_x509crl_get_signature_algorithm(VALUE self)
{
X509_CRL *crl;
- X509_ALGOR *alg;
+ const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@@ -189,7 +189,7 @@ ossl_x509crl_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509CRLError, NULL);
}
- X509_CRL_get0_signature(NULL, &alg, crl);
+ X509_CRL_get0_signature(crl, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509CRLError, NULL);
@@ -230,17 +230,22 @@ ossl_x509crl_get_last_update(VALUE self)
GetX509CRL(self, crl);
- return asn1time_to_time(X509_CRL_get_lastUpdate(crl));
+ return asn1time_to_time(X509_CRL_get0_lastUpdate(crl));
}
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
X509_CRL *crl;
+ ASN1_TIME *asn1time;
GetX509CRL(self, crl);
- if (!ossl_x509_time_adjust(X509_CRL_get_lastUpdate(crl), time))
- ossl_raise(eX509CRLError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_CRL_set_lastUpdate(crl, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -252,28 +257,22 @@ ossl_x509crl_get_next_update(VALUE self)
GetX509CRL(self, crl);
- return asn1time_to_time(X509_CRL_get_nextUpdate(crl));
+ return asn1time_to_time(X509_CRL_get0_nextUpdate(crl));
}
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
- ASN1_TIME *orig, *new;
+ ASN1_TIME *asn1time;
GetX509CRL(self, crl);
- /* orig may be NULL at this time; in this case a new ASN1_TIME is created */
- orig = X509_CRL_get_nextUpdate(crl);
- new = ossl_x509_time_adjust(orig, time);
-
- if (!X509_CRL_set_nextUpdate(crl, new)) {
- if (!orig)
- ASN1_TIME_free(new);
- ossl_raise(eX509CRLError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
}
- /* X509_CRL_set_nextUpdate() dups when orig != new */
- if (!orig)
- ASN1_TIME_free(new);
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -308,6 +307,7 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_REVOKED *rev;
+ STACK_OF(X509_REVOKED) *sk;
long i;
Check_Type(ary, T_ARRAY);
@@ -316,11 +316,15 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
}
GetX509CRL(self, crl);
- sk_X509_REVOKED_pop_free(X509_CRL_get_REVOKED(crl), X509_REVOKED_free);
+ if ((sk = X509_CRL_get_REVOKED(crl))) {
+ while ((rev = sk_X509_REVOKED_pop(sk)))
+ X509_REVOKED_free(rev);
+ }
for (i=0; i<RARRAY_LEN(ary); i++) {
rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
- ossl_raise(eX509CRLError, NULL);
+ X509_REVOKED_free(rev);
+ ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
}
X509_CRL_sort(crl);
@@ -337,7 +341,8 @@ ossl_x509crl_add_revoked(VALUE self, VALUE revoked)
GetX509CRL(self, crl);
rev = DupX509RevokedPtr(revoked);
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
- ossl_raise(eX509CRLError, NULL);
+ X509_REVOKED_free(rev);
+ ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
X509_CRL_sort(crl);
@@ -492,12 +497,10 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
while ((ext = X509_CRL_delete_ext(crl, 0)))
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
- ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
- if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
- X509_EXTENSION_free(ext);
+ ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
ossl_raise(eX509CRLError, NULL);
}
- X509_EXTENSION_free(ext);
}
return ary;
@@ -510,12 +513,10 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
X509_EXTENSION *ext;
GetX509CRL(self, crl);
- ext = DupX509ExtPtr(extension);
- if (!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
- X509_EXTENSION_free(ext);
+ ext = GetX509ExtPtr(extension);
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
ossl_raise(eX509CRLError, NULL);
}
- X509_EXTENSION_free(ext);
return extension;
}
@@ -526,6 +527,12 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
void
Init_ossl_x509crl(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
eX509CRLError = rb_define_class_under(mX509, "CRLError", eOSSLError);
cX509CRL = rb_define_class_under(mX509, "CRL", rb_cObject);
diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
index e581754..b92b078 100644
--- a/ext/openssl/ossl_x509ext.c
+++ b/ext/openssl/ossl_x509ext.c
@@ -95,19 +95,6 @@ GetX509ExtPtr(VALUE obj)
return ext;
}
-X509_EXTENSION *
-DupX509ExtPtr(VALUE obj)
-{
- X509_EXTENSION *ext, *new;
-
- SafeGetX509Ext(obj, ext);
- if (!(new = X509_EXTENSION_dup(ext))) {
- ossl_raise(eX509ExtError, NULL);
- }
-
- return new;
-}
-
/*
* Private
*/
@@ -189,20 +176,6 @@ ossl_x509extfactory_set_crl(VALUE self, VALUE crl)
}
static VALUE
-ossl_x509extfactory_set_config(VALUE self, VALUE config)
-{
- X509V3_CTX *ctx;
- CONF *conf;
-
- GetX509ExtFactory(self, ctx);
- rb_iv_set(self, "@config", config);
- conf = GetConfigPtr(config); /* NO DUP NEEDED */
- X509V3_set_nconf(ctx, conf);
-
- return config;
-}
-
-static VALUE
ossl_x509extfactory_initialize(int argc, VALUE *argv, VALUE self)
{
/*X509V3_CTX *ctx;*/
@@ -225,12 +198,11 @@ ossl_x509extfactory_initialize(int argc, VALUE *argv, VALUE self)
}
/*
- * Array to X509_EXTENSION
- * Structure:
- * ["ln", "value", bool_critical] or
- * ["sn", "value", bool_critical] or
- * ["ln", "critical,value"] or the same for sn
- * ["ln", "value"] => not critical
+ * call-seq:
+ * ef.create_ext(ln_or_sn, "value", critical = false) -> X509::Extension
+ * ef.create_ext(ln_or_sn, "critical,value") -> X509::Extension
+ *
+ * Creates a new X509::Extension with passed values. See also x509v3_config(5).
*/
static VALUE
ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
@@ -258,8 +230,11 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
GetX509ExtFactory(self, ctx);
obj = NewX509Ext(cX509Ext);
rconf = rb_iv_get(self, "@config");
- conf = NIL_P(rconf) ? NULL : GetConfigPtr(rconf);
+ conf = NIL_P(rconf) ? NULL : DupConfigPtr(rconf);
+ X509V3_set_nconf(ctx, conf);
ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
+ X509V3_set_ctx_nodb(ctx);
+ NCONF_free(conf);
if (!ext){
ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);
}
@@ -324,18 +299,39 @@ ossl_x509ext_initialize(int argc, VALUE *argv, VALUE self)
}
static VALUE
+ossl_x509ext_initialize_copy(VALUE self, VALUE other)
+{
+ X509_EXTENSION *ext, *ext_other, *ext_new;
+
+ rb_check_frozen(self);
+ GetX509Ext(self, ext);
+ SafeGetX509Ext(other, ext_other);
+
+ ext_new = X509_EXTENSION_dup(ext_other);
+ if (!ext_new)
+ ossl_raise(eX509ExtError, "X509_EXTENSION_dup");
+
+ SetX509Ext(self, ext_new);
+ X509_EXTENSION_free(ext);
+
+ return self;
+}
+
+static VALUE
ossl_x509ext_set_oid(VALUE self, VALUE oid)
{
X509_EXTENSION *ext;
ASN1_OBJECT *obj;
- char *s;
- s = StringValueCStr(oid);
- obj = OBJ_txt2obj(s, 0);
- if(!obj) obj = OBJ_txt2obj(s, 1);
- if(!obj) ossl_raise(eX509ExtError, NULL);
GetX509Ext(self, ext);
- X509_EXTENSION_set_object(ext, obj);
+ obj = OBJ_txt2obj(StringValueCStr(oid), 0);
+ if (!obj)
+ ossl_raise(eX509ExtError, "OBJ_txt2obj");
+ if (!X509_EXTENSION_set_object(ext, obj)) {
+ ASN1_OBJECT_free(obj);
+ ossl_raise(eX509ExtError, "X509_EXTENSION_set_object");
+ }
+ ASN1_OBJECT_free(obj);
return oid;
}
@@ -346,17 +342,15 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
X509_EXTENSION *ext;
ASN1_OCTET_STRING *asn1s;
+ GetX509Ext(self, ext);
data = ossl_to_der_if_possible(data);
StringValue(data);
- if(!(asn1s = ASN1_OCTET_STRING_new())){
- ossl_raise(eX509ExtError, NULL);
- }
- if(!ASN1_STRING_set((ASN1_STRING *)asn1s, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data))){
- ASN1_OCTET_STRING_free(asn1s);
- ossl_raise(eX509ExtError, NULL);
+ asn1s = X509_EXTENSION_get_data(ext);
+
+ if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LENINT(data))) {
+ ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
}
- GetX509Ext(self, ext);
- X509_EXTENSION_set_data(ext, asn1s);
return data;
}
@@ -447,6 +441,12 @@ ossl_x509ext_to_der(VALUE obj)
void
Init_ossl_x509ext(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
eX509ExtError = rb_define_class_under(mX509, "ExtensionError", eOSSLError);
cX509ExtFactory = rb_define_class_under(mX509, "ExtensionFactory", rb_cObject);
@@ -458,18 +458,18 @@ Init_ossl_x509ext(void)
rb_attr(cX509ExtFactory, rb_intern("subject_certificate"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("subject_request"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("crl"), 1, 0, Qfalse);
- rb_attr(cX509ExtFactory, rb_intern("config"), 1, 0, Qfalse);
+ rb_attr(cX509ExtFactory, rb_intern("config"), 1, 1, Qfalse);
rb_define_method(cX509ExtFactory, "issuer_certificate=", ossl_x509extfactory_set_issuer_cert, 1);
rb_define_method(cX509ExtFactory, "subject_certificate=", ossl_x509extfactory_set_subject_cert, 1);
rb_define_method(cX509ExtFactory, "subject_request=", ossl_x509extfactory_set_subject_req, 1);
rb_define_method(cX509ExtFactory, "crl=", ossl_x509extfactory_set_crl, 1);
- rb_define_method(cX509ExtFactory, "config=", ossl_x509extfactory_set_config, 1);
rb_define_method(cX509ExtFactory, "create_ext", ossl_x509extfactory_create_ext, -1);
cX509Ext = rb_define_class_under(mX509, "Extension", rb_cObject);
rb_define_alloc_func(cX509Ext, ossl_x509ext_alloc);
rb_define_method(cX509Ext, "initialize", ossl_x509ext_initialize, -1);
+ rb_define_copy_func(cX509Ext, ossl_x509ext_initialize_copy);
rb_define_method(cX509Ext, "oid=", ossl_x509ext_set_oid, 1);
rb_define_method(cX509Ext, "value=", ossl_x509ext_set_value, 1);
rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index ff307c0..abbdc3b 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -181,6 +181,25 @@ ossl_x509name_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+static VALUE
+ossl_x509name_initialize_copy(VALUE self, VALUE other)
+{
+ X509_NAME *name, *name_other, *name_new;
+
+ rb_check_frozen(self);
+ GetX509Name(self, name);
+ SafeGetX509Name(other, name_other);
+
+ name_new = X509_NAME_dup(name_other);
+ if (!name_new)
+ ossl_raise(eX509NameError, "X509_NAME_dup");
+
+ SetX509Name(self, name_new);
+ X509_NAME_free(name);
+
+ return self;
+}
+
/*
* call-seq:
* name.add_entry(oid, value [, type]) => self
@@ -307,10 +326,7 @@ ossl_x509name_to_a(VALUE self)
vname = rb_str_new2(short_name); /*do not free*/
}
value = X509_NAME_ENTRY_get_data(entry);
- ary = rb_ary_new3(3,
- vname,
- rb_str_new((const char *)value->data, value->length),
- INT2FIX(value->type));
+ ary = rb_ary_new3(3, vname, asn1str_to_str(value), INT2NUM(value->type));
rb_ary_push(ret, ary);
}
return ret;
@@ -450,6 +466,12 @@ Init_ossl_x509name(void)
{
VALUE utf8str, ptrstr, ia5str, hash;
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
id_aref = rb_intern("[]");
eX509NameError = rb_define_class_under(mX509, "NameError", eOSSLError);
cX509Name = rb_define_class_under(mX509, "Name", rb_cObject);
@@ -458,6 +480,7 @@ Init_ossl_x509name(void)
rb_define_alloc_func(cX509Name, ossl_x509name_alloc);
rb_define_method(cX509Name, "initialize", ossl_x509name_initialize, -1);
+ rb_define_copy_func(cX509Name, ossl_x509name_initialize_copy);
rb_define_method(cX509Name, "add_entry", ossl_x509name_add_entry, -1);
rb_define_method(cX509Name, "to_s", ossl_x509name_to_s, -1);
rb_define_method(cX509Name, "to_a", ossl_x509name_to_a, 0);
@@ -474,8 +497,7 @@ Init_ossl_x509name(void)
ptrstr = INT2NUM(V_ASN1_PRINTABLESTRING);
ia5str = INT2NUM(V_ASN1_IA5STRING);
- /* Document-const: DEFAULT_OBJECT_TYPE
- *
+ /*
* The default object type for name entries.
*/
rb_define_const(cX509Name, "DEFAULT_OBJECT_TYPE", utf8str);
@@ -489,14 +511,12 @@ Init_ossl_x509name(void)
rb_hash_aset(hash, rb_str_new2("domainComponent"), ia5str);
rb_hash_aset(hash, rb_str_new2("emailAddress"), ia5str);
- /* Document-const: OBJECT_TYPE_TEMPLATE
- *
+ /*
* The default object type template for name entries.
*/
rb_define_const(cX509Name, "OBJECT_TYPE_TEMPLATE", hash);
- /* Document-const: COMPAT
- *
+ /*
* A flag for #to_s.
*
* Breaks the name returned into multiple lines if longer than 80
@@ -504,24 +524,21 @@ Init_ossl_x509name(void)
*/
rb_define_const(cX509Name, "COMPAT", ULONG2NUM(XN_FLAG_COMPAT));
- /* Document-const: RFC2253
- *
+ /*
* A flag for #to_s.
*
* Returns an RFC2253 format name.
*/
rb_define_const(cX509Name, "RFC2253", ULONG2NUM(XN_FLAG_RFC2253));
- /* Document-const: ONELINE
- *
+ /*
* A flag for #to_s.
*
* Returns a more readable format than RFC2253.
*/
rb_define_const(cX509Name, "ONELINE", ULONG2NUM(XN_FLAG_ONELINE));
- /* Document-const: MULTILINE
- *
+ /*
* A flag for #to_s.
*
* Returns a multiline format.
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
index 9025d4f..d261997 100644
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@@ -250,7 +250,7 @@ ossl_x509req_get_version(VALUE self)
GetX509Req(self, req);
version = X509_REQ_get_version(req);
- return LONG2FIX(version);
+ return LONG2NUM(version);
}
static VALUE
@@ -259,12 +259,12 @@ ossl_x509req_set_version(VALUE self, VALUE version)
X509_REQ *req;
long ver;
- if ((ver = FIX2LONG(version)) < 0) {
+ if ((ver = NUM2LONG(version)) < 0) {
ossl_raise(eX509ReqError, "version must be >= 0!");
}
GetX509Req(self, req);
if (!X509_REQ_set_version(req, ver)) {
- ossl_raise(eX509ReqError, NULL);
+ ossl_raise(eX509ReqError, "X509_REQ_set_version");
}
return version;
@@ -302,7 +302,7 @@ static VALUE
ossl_x509req_get_signature_algorithm(VALUE self)
{
X509_REQ *req;
- X509_ALGOR *alg;
+ const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@@ -312,7 +312,7 @@ ossl_x509req_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509ReqError, NULL);
}
- X509_REQ_get0_signature(NULL, &alg, req);
+ X509_REQ_get0_signature(req, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509ReqError, NULL);
@@ -432,7 +432,7 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
X509_ATTRIBUTE_free(attr);
for (i=0;i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
- attr = DupX509AttrPtr(item);
+ attr = GetX509AttrPtr(item);
if (!X509_REQ_add1_attr(req, attr)) {
ossl_raise(eX509ReqError, NULL);
}
@@ -446,7 +446,7 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
X509_REQ *req;
GetX509Req(self, req);
- if (!X509_REQ_add1_attr(req, DupX509AttrPtr(attr))) {
+ if (!X509_REQ_add1_attr(req, GetX509AttrPtr(attr))) {
ossl_raise(eX509ReqError, NULL);
}
@@ -459,6 +459,12 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
void
Init_ossl_x509req(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
eX509ReqError = rb_define_class_under(mX509, "RequestError", eOSSLError);
cX509Req = rb_define_class_under(mX509, "Request", rb_cObject);
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index 067bec8..7960ea3 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -110,6 +110,25 @@ ossl_x509revoked_initialize(int argc, VALUE *argv, VALUE self)
}
static VALUE
+ossl_x509revoked_initialize_copy(VALUE self, VALUE other)
+{
+ X509_REVOKED *rev, *rev_other, *rev_new;
+
+ rb_check_frozen(self);
+ GetX509Rev(self, rev);
+ SafeGetX509Rev(other, rev_other);
+
+ rev_new = X509_REVOKED_dup(rev_other);
+ if (!rev_new)
+ ossl_raise(eX509RevError, "X509_REVOKED_dup");
+
+ SetX509Rev(self, rev_new);
+ X509_REVOKED_free(rev);
+
+ return self;
+}
+
+static VALUE
ossl_x509revoked_get_serial(VALUE self)
{
X509_REVOKED *rev;
@@ -123,11 +142,15 @@ static VALUE
ossl_x509revoked_set_serial(VALUE self, VALUE num)
{
X509_REVOKED *rev;
- ASN1_INTEGER *ai;
+ ASN1_INTEGER *asn1int;
GetX509Rev(self, rev);
- ai = X509_REVOKED_get0_serialNumber(rev);
- X509_REVOKED_set_serialNumber(rev, num_to_asn1integer(num, ai));
+ asn1int = num_to_asn1integer(num, NULL);
+ if (!X509_REVOKED_set_serialNumber(rev, asn1int)) {
+ ASN1_INTEGER_free(asn1int);
+ ossl_raise(eX509RevError, "X509_REVOKED_set_serialNumber");
+ }
+ ASN1_INTEGER_free(asn1int);
return num;
}
@@ -146,10 +169,15 @@ static VALUE
ossl_x509revoked_set_time(VALUE self, VALUE time)
{
X509_REVOKED *rev;
+ ASN1_TIME *asn1time;
GetX509Rev(self, rev);
- if (!ossl_x509_time_adjust(X509_REVOKED_get0_revocationDate(rev), time))
- ossl_raise(eX509RevError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_REVOKED_set_revocationDate(rev, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509RevError, "X509_REVOKED_set_revocationDate");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -199,7 +227,7 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
- ext = DupX509ExtPtr(item);
+ ext = GetX509ExtPtr(item);
if(!X509_REVOKED_add_ext(rev, ext, -1)) {
ossl_raise(eX509RevError, NULL);
}
@@ -214,7 +242,7 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
X509_REVOKED *rev;
GetX509Rev(self, rev);
- if(!X509_REVOKED_add_ext(rev, DupX509ExtPtr(ext), -1)) {
+ if (!X509_REVOKED_add_ext(rev, GetX509ExtPtr(ext), -1)) {
ossl_raise(eX509RevError, NULL);
}
@@ -227,12 +255,19 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
void
Init_ossl_x509revoked(void)
{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+ mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
eX509RevError = rb_define_class_under(mX509, "RevokedError", eOSSLError);
cX509Rev = rb_define_class_under(mX509, "Revoked", rb_cObject);
rb_define_alloc_func(cX509Rev, ossl_x509revoked_alloc);
rb_define_method(cX509Rev, "initialize", ossl_x509revoked_initialize, -1);
+ rb_define_copy_func(cX509Rev, ossl_x509revoked_initialize_copy);
rb_define_method(cX509Rev, "serial", ossl_x509revoked_get_serial, 0);
rb_define_method(cX509Rev, "serial=", ossl_x509revoked_set_serial, 1);
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 26426d1..75f8238 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -106,6 +106,20 @@ DupX509StorePtr(VALUE obj)
/*
* Private functions
*/
+static int
+x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+ VALUE proc;
+
+ proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx);
+ if (!proc)
+ proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx);
+ if (!proc)
+ return ok;
+
+ return ossl_verify_cb_call(proc, ok, ctx);
+}
+
static VALUE
ossl_x509store_alloc(VALUE klass)
{
@@ -141,6 +155,7 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
* call-seq:
* X509::Store.new => store
*
+ * Creates a new X509::Store.
*/
static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
@@ -153,7 +168,7 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
store->ex_data.sk = NULL;
#endif
- X509_STORE_set_verify_cb(store, ossl_verify_cb);
+ X509_STORE_set_verify_cb(store, x509store_verify_cb);
ossl_x509store_set_vfy_cb(self, Qnil);
/* last verification status */
@@ -165,6 +180,13 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+/*
+ * call-seq:
+ * store.flags = flag
+ *
+ * Sets +flag+ to the Store. +flag+ consists of zero or more of the constants
+ * defined in with name V_FLAG_* or'ed together.
+ */
static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
@@ -177,6 +199,24 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
return flags;
}
+/*
+ * call-seq:
+ * store.purpose = purpose
+ *
+ * Sets the store's purpose to +purpose+. If specified, the verifications on
+ * the store will check every untrusted certificate's extensions are consistent
+ * with the purpose. The purpose is specified by constants:
+ *
+ * * X509::PURPOSE_SSL_CLIENT
+ * * X509::PURPOSE_SSL_SERVER
+ * * X509::PURPOSE_NS_SSL_SERVER
+ * * X509::PURPOSE_SMIME_SIGN
+ * * X509::PURPOSE_SMIME_ENCRYPT
+ * * X509::PURPOSE_CRL_SIGN
+ * * X509::PURPOSE_ANY
+ * * X509::PURPOSE_OCSP_HELPER
+ * * X509::PURPOSE_TIMESTAMP_SIGN
+ */
static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
@@ -189,6 +229,10 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
return purpose;
}
+/*
+ * call-seq:
+ * store.trust = trust
+ */
static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
@@ -201,6 +245,12 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
return trust;
}
+/*
+ * call-seq:
+ * store.time = time
+ *
+ * Sets the time to be used in verifications.
+ */
static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
@@ -210,13 +260,11 @@ ossl_x509store_set_time(VALUE self, VALUE time)
/*
* call-seq:
- * store.add_file(file) -> store
- *
+ * store.add_file(file) -> self
*
* Adds the certificates in +file+ to the certificate store. The +file+ can
* contain multiple PEM-encoded certificates.
*/
-
static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
@@ -238,6 +286,12 @@ ossl_x509store_add_file(VALUE self, VALUE file)
return self;
}
+/*
+ * call-seq:
+ * store.add_path(path) -> self
+ *
+ * Adds +path+ as the hash dir to be looked up by the store.
+ */
static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
@@ -263,11 +317,12 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
* call-seq:
* store.set_default_paths
*
- * Adds the default certificates to the certificate store. These certificates
- * are loaded from the default configuration directory which can usually be
+ * Configures +store+ to look up CA certificates from the system default
+ * certificate store as needed basis. The location of the store can usually be
* determined by:
*
- * File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
+ * * OpenSSL::X509::DEFAULT_CERT_FILE
+ * * OpenSSL::X509::DEFAULT_CERT_DIR
*/
static VALUE
ossl_x509store_set_default_paths(VALUE self)
@@ -288,7 +343,6 @@ ossl_x509store_set_default_paths(VALUE self)
*
* Adds the OpenSSL::X509::Certificate +cert+ to the certificate store.
*/
-
static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
@@ -304,6 +358,12 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
return self;
}
+/*
+ * call-seq:
+ * store.add_crl(crl) -> self
+ *
+ * Adds the OpenSSL::X509::CRL +crl+ to the store.
+ */
static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
@@ -323,6 +383,21 @@ static VALUE ossl_x509stctx_get_err(VALUE);
static VALUE ossl_x509stctx_get_err_string(VALUE);
static VALUE ossl_x509stctx_get_chain(VALUE);
+/*
+ * call-seq:
+ * store.verify(cert, chain = nil) -> true | false
+ *
+ * Performs a certificate verification on the OpenSSL::X509::Certificate +cert+.
+ *
+ * +chain+ can be an array of OpenSSL::X509::Certificate that is used to
+ * construct the certificate chain.
+ *
+ * If a block is given, it overrides the callback set by #verify_callback=.
+ *
+ * After finishing the verification, the error information can be retrieved by
+ * #error, #error_string, and the resuting complete certificate chain can be
+ * retrieved by #chain.
+ */
static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
@@ -412,6 +487,10 @@ static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
+/*
+ * call-seq:
+ * StoreContext.new(store, cert = nil, chain = nil)
+ */
static VALUE
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -438,6 +517,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+/*
+ * call-seq:
+ * stctx.verify -> true | false
+ */
static VALUE
ossl_x509stctx_verify(VALUE self)
{
@@ -458,6 +541,10 @@ ossl_x509stctx_verify(VALUE self)
}
}
+/*
+ * call-seq:
+ * stctx.chain -> Array of X509::Certificate
+ */
static VALUE
ossl_x509stctx_get_chain(VALUE self)
{
@@ -484,6 +571,10 @@ ossl_x509stctx_get_chain(VALUE self)
return ary;
}
+/*
+ * call-seq:
+ * stctx.error -> Integer
+ */
static VALUE
ossl_x509stctx_get_err(VALUE self)
{
@@ -491,9 +582,13 @@ ossl_x509stctx_get_err(VALUE self)
GetX509StCtx(self, ctx);
- return INT2FIX(X509_STORE_CTX_get_error(ctx));
+ return INT2NUM(X509_STORE_CTX_get_error(ctx));
}
+/*
+ * call-seq:
+ * stctx.error = error_code
+ */
static VALUE
ossl_x509stctx_set_error(VALUE self, VALUE err)
{
@@ -505,6 +600,12 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
return err;
}
+/*
+ * call-seq:
+ * stctx.error_string -> String
+ *
+ * Returns the error string corresponding to the error code retrieved by #error.
+ */
static VALUE
ossl_x509stctx_get_err_string(VALUE self)
{
@@ -517,6 +618,10 @@ ossl_x509stctx_get_err_string(VALUE self)
return rb_str_new2(X509_verify_cert_error_string(err));
}
+/*
+ * call-seq:
+ * stctx.error_depth -> Integer
+ */
static VALUE
ossl_x509stctx_get_err_depth(VALUE self)
{
@@ -524,9 +629,13 @@ ossl_x509stctx_get_err_depth(VALUE self)
GetX509StCtx(self, ctx);
- return INT2FIX(X509_STORE_CTX_get_error_depth(ctx));
+ return INT2NUM(X509_STORE_CTX_get_error_depth(ctx));
}
+/*
+ * call-seq:
+ * stctx.current_cert -> X509::Certificate
+ */
static VALUE
ossl_x509stctx_get_curr_cert(VALUE self)
{
@@ -537,6 +646,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
return ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
}
+/*
+ * call-seq:
+ * stctx.current_crl -> X509::CRL
+ */
static VALUE
ossl_x509stctx_get_curr_crl(VALUE self)
{
@@ -551,6 +664,12 @@ ossl_x509stctx_get_curr_crl(VALUE self)
return ossl_x509crl_new(crl);
}
+/*
+ * call-seq:
+ * stctx.flags = flags
+ *
+ * Sets the verification flags to the context. See Store#flags=.
+ */
static VALUE
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
{
@@ -563,6 +682,12 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
return flags;
}
+/*
+ * call-seq:
+ * stctx.purpose = purpose
+ *
+ * Sets the purpose of the context. See Store#purpose=.
+ */
static VALUE
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
{
@@ -575,6 +700,10 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
return purpose;
}
+/*
+ * call-seq:
+ * stctx.trust = trust
+ */
static VALUE
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
{
@@ -589,7 +718,9 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
/*
* call-seq:
- * storectx.time = time => time
+ * stctx.time = time
+ *
+ * Sets the time used in the verification. If not set, the current time is used.
*/
static VALUE
ossl_x509stctx_set_time(VALUE self, VALUE time)
@@ -610,10 +741,9 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
void
Init_ossl_x509store(void)
{
- VALUE x509stctx;
-
#if 0
- mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
@@ -631,11 +761,11 @@ Init_ossl_x509store(void)
*
* This will use your system's built-in certificates.
*
- * If your system does not have a default set of certificates you can
- * obtain a set from Mozilla here: http://curl.haxx.se/docs/caextract.html
- * (Note that this set does not have an HTTPS download option so you may
- * wish to use the firefox-db2pem.sh script to extract the certificates
- * from a local install to avoid man-in-the-middle attacks.)
+ * If your system does not have a default set of certificates you can obtain
+ * a set extracted from Mozilla CA certificate store by cURL maintainers
+ * here: https://curl.haxx.se/docs/caextract.html (You may wish to use the
+ * firefox-db2pem.sh script to extract the certificates from a local install
+ * to avoid man-in-the-middle attacks.)
*
* After downloading or generating a cacert.pem from the above link you
* can create a certificate store from the pem file like this:
@@ -646,6 +776,7 @@ Init_ossl_x509store(void)
* The certificate store can be used with an SSLSocket like this:
*
* ssl_context = OpenSSL::SSL::SSLContext.new
+ * ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
* ssl_context.cert_store = cert_store
*
* tcp_socket = TCPSocket.open 'example.com', 443
@@ -654,12 +785,30 @@ Init_ossl_x509store(void)
*/
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
+ /*
+ * The callback for additional certificate verification. It is invoked for
+ * each untrusted certificate in the chain.
+ *
+ * The callback is invoked with two values, a boolean that indicates if the
+ * pre-verification by OpenSSL has succeeded or not, and the StoreContext in
+ * use. The callback must return either true or false.
+ */
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
+ /*
+ * The error code set by the last call of #verify.
+ */
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
+ /*
+ * The description for the error code set by the last call of #verify.
+ */
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
+ /*
+ * The certificate chain constructed by the last call of #verify.
+ */
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
rb_define_method(cX509Store, "initialize", ossl_x509store_initialize, -1);
+ rb_undef_method(cX509Store, "initialize_copy");
rb_define_method(cX509Store, "verify_callback=", ossl_x509store_set_vfy_cb, 1);
rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1);
rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1);
@@ -672,21 +821,26 @@ Init_ossl_x509store(void)
rb_define_method(cX509Store, "add_crl", ossl_x509store_add_crl, 1);
rb_define_method(cX509Store, "verify", ossl_x509store_verify, -1);
- cX509StoreContext = rb_define_class_under(mX509,"StoreContext",rb_cObject);
- x509stctx = cX509StoreContext;
+ /*
+ * Document-class: OpenSSL::X509::StoreContext
+ *
+ * A StoreContext is used while validating a single certificate and holds
+ * the status involved.
+ */
+ cX509StoreContext = rb_define_class_under(mX509,"StoreContext", rb_cObject);
rb_define_alloc_func(cX509StoreContext, ossl_x509stctx_alloc);
- rb_define_method(x509stctx,"initialize", ossl_x509stctx_initialize, -1);
- rb_define_method(x509stctx,"verify", ossl_x509stctx_verify, 0);
- rb_define_method(x509stctx,"chain", ossl_x509stctx_get_chain,0);
- rb_define_method(x509stctx,"error", ossl_x509stctx_get_err, 0);
- rb_define_method(x509stctx,"error=", ossl_x509stctx_set_error, 1);
- rb_define_method(x509stctx,"error_string",ossl_x509stctx_get_err_string,0);
- rb_define_method(x509stctx,"error_depth", ossl_x509stctx_get_err_depth, 0);
- rb_define_method(x509stctx,"current_cert",ossl_x509stctx_get_curr_cert, 0);
- rb_define_method(x509stctx,"current_crl", ossl_x509stctx_get_curr_crl, 0);
- rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1);
- rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1);
- rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1);
- rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1);
-
+ rb_define_method(cX509StoreContext, "initialize", ossl_x509stctx_initialize, -1);
+ rb_undef_method(cX509StoreContext, "initialize_copy");
+ rb_define_method(cX509StoreContext, "verify", ossl_x509stctx_verify, 0);
+ rb_define_method(cX509StoreContext, "chain", ossl_x509stctx_get_chain,0);
+ rb_define_method(cX509StoreContext, "error", ossl_x509stctx_get_err, 0);
+ rb_define_method(cX509StoreContext, "error=", ossl_x509stctx_set_error, 1);
+ rb_define_method(cX509StoreContext, "error_string", ossl_x509stctx_get_err_string,0);
+ rb_define_method(cX509StoreContext, "error_depth", ossl_x509stctx_get_err_depth, 0);
+ rb_define_method(cX509StoreContext, "current_cert", ossl_x509stctx_get_curr_cert, 0);
+ rb_define_method(cX509StoreContext, "current_crl", ossl_x509stctx_get_curr_crl, 0);
+ rb_define_method(cX509StoreContext, "flags=", ossl_x509stctx_set_flags, 1);
+ rb_define_method(cX509StoreContext, "purpose=", ossl_x509stctx_set_purpose, 1);
+ rb_define_method(cX509StoreContext, "trust=", ossl_x509stctx_set_trust, 1);
+ rb_define_method(cX509StoreContext, "time=", ossl_x509stctx_set_time, 1);
}
diff --git a/lib/openssl/cipher.rb b/lib/openssl/cipher.rb
index a69d5ac..af721b3 100644
--- a/lib/openssl/cipher.rb
+++ b/lib/openssl/cipher.rb
@@ -18,7 +18,7 @@ module OpenSSL
klass = Class.new(Cipher){
define_method(:initialize){|*args|
cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
- super(cipher_name)
+ super(cipher_name.downcase)
}
}
const_set(name, klass)
@@ -26,34 +26,42 @@ module OpenSSL
%w(128 192 256).each{|keylen|
klass = Class.new(Cipher){
- define_method(:initialize){|mode|
- mode ||= "CBC"
- cipher_name = "AES-#{keylen}-#{mode}"
- super(cipher_name)
+ define_method(:initialize){|mode = "CBC"|
+ super("aes-#{keylen}-#{mode}".downcase)
}
}
const_set("AES#{keylen}", klass)
}
- # Generate, set, and return a random key.
- # You must call cipher.encrypt or cipher.decrypt before calling this method.
+ # call-seq:
+ # cipher.random_key -> key
+ #
+ # Generate a random key with OpenSSL::Random.random_bytes and sets it to
+ # the cipher, and returns it.
+ #
+ # You must call #encrypt or #decrypt before calling this method.
def random_key
str = OpenSSL::Random.random_bytes(self.key_len)
self.key = str
- return str
end
- # Generate, set, and return a random iv.
- # You must call cipher.encrypt or cipher.decrypt before calling this method.
+ # call-seq:
+ # cipher.random_iv -> iv
+ #
+ # Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
+ # cipher, and returns it.
+ #
+ # You must call #encrypt or #decrypt before calling this method.
def random_iv
str = OpenSSL::Random.random_bytes(self.iv_len)
self.iv = str
- return str
end
- # This class is only provided for backwards compatibility. Use OpenSSL::Cipher in the future.
- class Cipher < Cipher
- # add warning
- end
+ # Deprecated.
+ #
+ # This class is only provided for backwards compatibility.
+ # Use OpenSSL::Cipher.
+ class Cipher < Cipher; end
+ deprecate_constant :Cipher
end # Cipher
end # OpenSSL
diff --git a/lib/openssl/digest.rb b/lib/openssl/digest.rb
index 1a236cc..97ccbc9 100644
--- a/lib/openssl/digest.rb
+++ b/lib/openssl/digest.rb
@@ -53,15 +53,9 @@ module OpenSSL
# Deprecated.
#
# This class is only provided for backwards compatibility.
- class Digest < Digest # :nodoc:
- # Deprecated.
- #
- # See OpenSSL::Digest.new
- def initialize(*args)
- warn('Digest::Digest is deprecated; use Digest')
- super(*args)
- end
- end
+ # Use OpenSSL::Digest instead.
+ class Digest < Digest; end # :nodoc:
+ deprecate_constant :Digest
end # Digest
diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb
index df126fd..9af5f78 100644
--- a/lib/openssl/pkey.rb
+++ b/lib/openssl/pkey.rb
@@ -4,6 +4,7 @@ module OpenSSL
if defined?(OpenSSL::PKey::DH)
class DH
+ # :nodoc:
DEFAULT_1024 = new <<-_end_of_pem_
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
@@ -12,6 +13,7 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
-----END DH PARAMETERS-----
_end_of_pem_
+ # :nodoc:
DEFAULT_2048 = new <<-_end_of_pem_
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
@@ -24,6 +26,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
_end_of_pem_
end
+ # :nodoc:
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
warn "using default DH parameters." if $VERBOSE
case keylen
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index 00c3275..519ea11 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -16,44 +16,11 @@ require "io/nonblock"
module OpenSSL
module SSL
class SSLContext
+ # :nodoc:
DEFAULT_PARAMS = {
:ssl_version => "SSLv23",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
- :ciphers => %w{
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-DSS-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- DHE-RSA-AES128-SHA
- DHE-RSA-AES256-SHA
- DHE-DSS-AES128-SHA256
- DHE-DSS-AES256-SHA256
- DHE-DSS-AES128-SHA
- DHE-DSS-AES256-SHA
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- ECDHE-ECDSA-RC4-SHA
- ECDHE-RSA-RC4-SHA
- RC4-SHA
- }.join(":"),
+ :verify_hostname => true,
:options => -> {
opts = OpenSSL::SSL::OP_ALL
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
@@ -63,10 +30,50 @@ module OpenSSL
}.call
}
+ if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+ OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+ DEFAULT_PARAMS.merge!(
+ ciphers: %w{
+ ECDHE-ECDSA-AES128-GCM-SHA256
+ ECDHE-RSA-AES128-GCM-SHA256
+ ECDHE-ECDSA-AES256-GCM-SHA384
+ ECDHE-RSA-AES256-GCM-SHA384
+ DHE-RSA-AES128-GCM-SHA256
+ DHE-DSS-AES128-GCM-SHA256
+ DHE-RSA-AES256-GCM-SHA384
+ DHE-DSS-AES256-GCM-SHA384
+ ECDHE-ECDSA-AES128-SHA256
+ ECDHE-RSA-AES128-SHA256
+ ECDHE-ECDSA-AES128-SHA
+ ECDHE-RSA-AES128-SHA
+ ECDHE-ECDSA-AES256-SHA384
+ ECDHE-RSA-AES256-SHA384
+ ECDHE-ECDSA-AES256-SHA
+ ECDHE-RSA-AES256-SHA
+ DHE-RSA-AES128-SHA256
+ DHE-RSA-AES256-SHA256
+ DHE-RSA-AES128-SHA
+ DHE-RSA-AES256-SHA
+ DHE-DSS-AES128-SHA256
+ DHE-DSS-AES256-SHA256
+ DHE-DSS-AES128-SHA
+ DHE-DSS-AES256-SHA
+ AES128-GCM-SHA256
+ AES256-GCM-SHA384
+ AES128-SHA256
+ AES256-SHA256
+ AES128-SHA
+ AES256-SHA
+ }.join(":"),
+ )
+ end
+
+ # :nodoc:
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
DEFAULT_CERT_STORE.set_default_paths
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+ # :nodoc:
INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
"timeout", "verify_mode", "verify_depth", "renegotiation_cb",
"verify_callback", "cert_store", "extra_chain_cert",
@@ -74,7 +81,7 @@ module OpenSSL
"session_get_cb", "session_new_cb", "session_remove_cb",
"tmp_ecdh_callback", "servername_cb", "npn_protocols",
"alpn_protocols", "alpn_select_cb",
- "npn_select_cb"].map { |x| "@#{x}" }
+ "npn_select_cb", "verify_hostname"].map { |x| "@#{x}" }
# A callback invoked when DH parameters are required.
#
@@ -110,13 +117,17 @@ module OpenSSL
end
##
- # Sets the parameters for this SSL context to the values in +params+.
+ # call-seq:
+ # ctx.set_params(params = {}) -> params
+ #
+ # Sets saner defaults optimized for the use with HTTP-like protocols.
+ #
+ # If a Hash +params+ is given, the parameters are overridden with it.
# The keys in +params+ must be assignment methods on SSLContext.
#
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
# cert_store are not set then the system default certificate store is
# used.
-
def set_params(params={})
params = DEFAULT_PARAMS.merge(params)
params.each{|name, value| self.__send__("#{name}=", value) }
@@ -251,10 +262,17 @@ module OpenSSL
attr_reader :hostname
end
- attr_reader :io, :context
- attr_accessor :sync_close
+ # The underlying IO object.
+ attr_reader :io
alias :to_io :io
+ # The SSLContext object used in this connection.
+ attr_reader :context
+
+ # Whether to close the underlying socket as well, when the SSL/TLS
+ # connection is shut down. This defaults to +false+.
+ attr_accessor :sync_close
+
# call-seq:
# ssl.sysclose => nil
#
@@ -268,8 +286,10 @@ module OpenSSL
io.close if sync_close
end
- ##
- # Perform hostname verification after an SSL connection is established
+ # call-seq:
+ # ssl.post_connection_check(hostname) -> true
+ #
+ # Perform hostname verification following RFC 6125.
#
# This method MUST be called after calling #connect to ensure that the
# hostname of a remote peer has been verified.
@@ -277,7 +297,8 @@ module OpenSSL
if peer_cert.nil?
msg = "Peer verification enabled, but no certificate received."
if using_anon_cipher?
- msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+ msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
+ "Anonymous suites must be disabled to use peer verification."
end
raise SSLError, msg
end
@@ -288,6 +309,11 @@ module OpenSSL
return true
end
+ # call-seq:
+ # ssl.session -> aSession
+ #
+ # Returns the SSLSession object currently used, or nil if the session is
+ # not established.
def session
SSL::Session.new(self)
rescue SSL::Session::SessionError
diff --git a/sample/cipher.rb b/sample/cipher.rb
index 58b10d6..a33dc3e 100644
--- a/sample/cipher.rb
+++ b/sample/cipher.rb
@@ -10,7 +10,7 @@ def crypt_by_password(alg, pass, salt, text)
puts
puts "--Encrypting--"
- enc = OpenSSL::Cipher::Cipher.new(alg)
+ enc = OpenSSL::Cipher.new(alg)
enc.encrypt
enc.pkcs5_keyivgen(pass, salt)
cipher = enc.update(text)
@@ -19,7 +19,7 @@ def crypt_by_password(alg, pass, salt, text)
puts
puts "--Decrypting--"
- dec = OpenSSL::Cipher::Cipher.new(alg)
+ dec = OpenSSL::Cipher.new(alg)
dec.decrypt
dec.pkcs5_keyivgen(pass, salt)
plain = dec.update(cipher)
diff --git a/test/test_cipher.rb b/test/test_cipher.rb
index ec14f46..74c5394 100644
--- a/test/test_cipher.rb
+++ b/test/test_cipher.rb
@@ -5,16 +5,12 @@ if defined?(OpenSSL::TestUtils)
class OpenSSL::TestCipher < OpenSSL::TestCase
+ @ciphers = OpenSSL::Cipher.ciphers
+
class << self
def has_cipher?(name)
- ciphers = OpenSSL::Cipher.ciphers
- # redefine method so we can use the cached ciphers value from the closure
- # and need not recompute the list each time
- define_singleton_method :has_cipher? do |name|
- ciphers.include?(name)
- end
- has_cipher?(name)
+ @ciphers.include?(name)
end
def has_ciphers?(list)
@@ -24,7 +20,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
end
def setup
- @c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC")
+ @c1 = OpenSSL::Cipher.new("DES-EDE3-CBC")
@c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC")
@key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
@iv = "\0\0\0\0\0\0\0\0"
@@ -118,10 +114,9 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
OpenSSL::Cipher.ciphers.each{|name|
next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name
begin
- assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name))
+ assert_kind_of(OpenSSL::Cipher, OpenSSL::Cipher.new(name))
rescue OpenSSL::Cipher::CipherError => e
- next if /wrap/ =~ name and e.message == 'wrap mode not allowed'
- raise
+ raise unless /wrap/ =~ name and /wrap mode not allowed/ =~ e.message
end
}
end
@@ -247,8 +242,81 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
end
end
+ def test_aes_gcm_variable_iv_len
+ pt = "You should all use Authenticated Encryption!"
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.key = "x" * 16
+ assert_equal(12, cipher.iv_len)
+ cipher.iv = "a" * 12
+ ct1 = cipher.update(pt) << cipher.final
+ tag1 = cipher.auth_tag
+
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.key = "x" * 16
+ cipher.iv_len = 10
+ assert_equal(10, cipher.iv_len)
+ cipher.iv = "a" * 10
+ ct2 = cipher.update(pt) << cipher.final
+ tag2 = cipher.auth_tag
+
+ assert_not_equal ct1, ct2
+ assert_not_equal tag1, tag2
+
+ decipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
+ decipher.auth_tag = tag1
+ decipher.key = "x" * 16
+ decipher.iv_len = 12
+ decipher.iv = "a" * 12
+ assert_equal(pt, decipher.update(ct1) << decipher.final)
+
+ decipher.reset
+ decipher.auth_tag = tag2
+ assert_raise(OpenSSL::Cipher::CipherError) {
+ decipher.update(ct2) << decipher.final
+ }
+
+ decipher.reset
+ decipher.auth_tag = tag2
+ decipher.iv_len = 10
+ decipher.iv = "a" * 10
+ assert_equal(pt, decipher.update(ct2) << decipher.final)
+ end
+
end
+ def test_aes_ocb_tag_len
+ pt = "You should all use Authenticated Encryption!"
+ cipher = OpenSSL::Cipher.new("aes-128-ocb").encrypt
+ cipher.auth_tag_len = 14
+ cipher.iv_len = 8
+ key = cipher.random_key
+ iv = cipher.random_iv
+ cipher.auth_data = "aad"
+ ct = cipher.update(pt) + cipher.final
+ tag = cipher.auth_tag
+ assert_equal(14, tag.size)
+
+ decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt
+ decipher.auth_tag_len = 14
+ decipher.auth_tag = tag
+ decipher.iv_len = 8
+ decipher.key = key
+ decipher.iv = iv
+ decipher.auth_data = "aad"
+ assert_equal(pt, decipher.update(ct) + decipher.final)
+
+ decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt
+ decipher.auth_tag_len = 9
+ decipher.auth_tag = tag[0, 9]
+ decipher.iv_len = 8
+ decipher.key = key
+ decipher.iv = iv
+ decipher.auth_data = "aad"
+ assert_raise(OpenSSL::Cipher::CipherError) {
+ decipher.update(ct) + decipher.final
+ }
+ end if has_cipher?("aes-128-ocb")
+
private
def new_encryptor(algo)
diff --git a/test/test_config.rb b/test/test_config.rb
index bedd1d0..3e2e127 100644
--- a/test/test_config.rb
+++ b/test/test_config.rb
@@ -25,7 +25,7 @@ __EOD__
def test_constants
assert(defined?(OpenSSL::Config::DEFAULT_CONFIG_FILE))
config_file = OpenSSL::Config::DEFAULT_CONFIG_FILE
- skip "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file)
+ pend "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file)
assert_nothing_raised do
OpenSSL::Config.load(config_file)
end
diff --git a/test/test_engine.rb b/test/test_engine.rb
index bbf56a1..2d394cf 100644
--- a/test/test_engine.rb
+++ b/test/test_engine.rb
@@ -14,7 +14,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
def test_openssl_engine_builtin
with_openssl <<-'end;'
orig = OpenSSL::Engine.engines
- skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
+ pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
engine = OpenSSL::Engine.load("openssl")
assert_equal(true, engine)
assert_equal(1, OpenSSL::Engine.engines.size - orig.size)
@@ -24,7 +24,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
def test_openssl_engine_by_id_string
with_openssl <<-'end;'
orig = OpenSSL::Engine.engines
- skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
+ pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
engine = get_engine
assert_not_nil(engine)
assert_equal(1, OpenSSL::Engine.engines.size - orig.size)
@@ -72,11 +72,18 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
end;
end
+ def test_dup
+ with_openssl <<-'end;'
+ engine = get_engine
+ assert_raise(NoMethodError) { engine.dup }
+ end;
+ end
+
private
# this is required because OpenSSL::Engine methods change global state
def with_openssl(code)
- assert_separately(["-ropenssl"], <<~"end;")
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
require #{__FILE__.dump}
include OpenSSL::TestEngine::Utils
#{code}
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
index f3e7c65..a69fd60 100644
--- a/test/test_ocsp.rb
+++ b/test/test_ocsp.rb
@@ -5,33 +5,47 @@ if defined?(OpenSSL::TestUtils)
class OpenSSL::TestOCSP < OpenSSL::TestCase
def setup
+ now = Time.at(Time.now.to_i) # suppress usec
+ dgst = OpenSSL::Digest::SHA1.new
+
+ # @ca_cert
+ # |
+ # @cert
+ # |----------|
+ # @cert2 @ocsp_cert
+
ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
- ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- ca_serial = 0xabcabcabcabc
+ @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
ca_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign,keyCertSign", true],
]
-
- subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
- @key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- serial = 0xabcabcabcabd
-
- now = Time.at(Time.now.to_i) # suppress usec
- dgst = OpenSSL::Digest::SHA1.new
-
@ca_cert = OpenSSL::TestUtils.issue_cert(
- ca_subj, ca_key, ca_serial, now, now+3600, ca_exts, nil, nil, dgst)
+ ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst)
+
+ cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2")
+ @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ cert_exts = [
+ ["basicConstraints", "CA:TRUE", true],
+ ["keyUsage", "cRLSign,keyCertSign", true],
+ ]
@cert = OpenSSL::TestUtils.issue_cert(
- subj, @key, serial, now, now+3600, [], @ca_cert, ca_key, dgst)
+ cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst)
- @key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048
+ cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
+ @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
cert2_exts = [
- ["extendedKeyUsage", "OCSPSigning", true],
]
@cert2 = OpenSSL::TestUtils.issue_cert(
- OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert2"),
- @key2, serial+1, now, now+3600, cert2_exts, @ca_cert, ca_key, "SHA256")
+ cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst)
+
+ ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP")
+ @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
+ ocsp_exts = [
+ ["extendedKeyUsage", "OCSPSigning", true],
+ ]
+ @ocsp_cert = OpenSSL::TestUtils.issue_cert(
+ ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256")
end
def test_new_certificate_id
@@ -63,12 +77,13 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
end
def test_certificate_id_der
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) # hash algorithm defaults to SHA-1
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
der = cid.to_der
asn1 = OpenSSL::ASN1.decode(der)
+ # hash algorithm defaults to SHA-1
assert_equal OpenSSL::ASN1.ObjectId("SHA1").to_der, asn1.value[0].value[0].to_der
- assert_equal OpenSSL::Digest::SHA1.digest(@cert.issuer.to_der), asn1.value[1].value
- assert_equal OpenSSL::Digest::SHA1.digest(OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), asn1.value[2].value
+ assert_equal [cid.issuer_name_hash].pack("H*"), asn1.value[1].value
+ assert_equal [cid.issuer_key_hash].pack("H*"), asn1.value[2].value
assert_equal @cert.serial, asn1.value[3].value
assert_equal der, OpenSSL::OCSP::CertificateId.new(der).to_der
end
@@ -82,7 +97,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
request = OpenSSL::OCSP::Request.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
request.add_certid(cid)
- request.sign(@cert, @key, [@ca_cert], 0)
+ request.sign(@cert, @cert_key, [@ca_cert], 0)
asn1 = OpenSSL::ASN1.decode(request.to_der)
assert_equal cid.to_der, asn1.value[0].value.find { |a| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der
assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
@@ -92,40 +107,51 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
end
def test_request_sign_verify
- request = OpenSSL::OCSP::Request.new
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- request.add_certid(cid)
- request.sign(@cert, @key, nil, 0, "SHA1")
- assert_equal cid.to_der, request.certid.first.to_der
- store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert)
- assert_equal true, request.verify([@cert], store1)
- assert_equal true, request.verify([], store1)
- store2 = OpenSSL::X509::Store.new; store1.add_cert(@cert2)
- assert_equal false, request.verify([], store2)
- assert_equal true, request.verify([], store2, OpenSSL::OCSP::NOVERIFY)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
+ store = OpenSSL::X509::Store.new.add_cert(@ca_cert)
+
+ # with signer cert
+ req = OpenSSL::OCSP::Request.new.add_certid(cid)
+ req.sign(@cert, @cert_key, [])
+ assert_equal true, req.verify([], store)
+
+ # without signer cert
+ req = OpenSSL::OCSP::Request.new.add_certid(cid)
+ req.sign(@cert, @cert_key, nil)
+ assert_equal false, req.verify([@cert2], store)
+ assert_equal false, req.verify([], store) # no signer
+ assert_equal false, req.verify([], store, OpenSSL::OCSP::NOVERIFY)
+
+ assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN)
+ ret = req.verify([@cert], store)
+ if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
+ assert_equal true, ret
+ else
+ # RT2560; OCSP_request_verify() does not find signer cert from 'certs' when
+ # OCSP_NOINTERN is not specified.
+ # fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2
+ pend "RT2560: ocsp_req_find_signer"
+ end
end
def test_request_nonce
req0 = OpenSSL::OCSP::Request.new
- req1 = OpenSSL::OCSP::Request.new
- req1.add_nonce("NONCE")
- req2 = OpenSSL::OCSP::Request.new
- req2.add_nonce("NONCF")
+ req1 = OpenSSL::OCSP::Request.new.add_nonce("NONCE")
+ req2 = OpenSSL::OCSP::Request.new.add_nonce("ABCDE")
bres = OpenSSL::OCSP::BasicResponse.new
assert_equal 2, req0.check_nonce(bres)
bres.copy_nonce(req1)
+ assert_equal 3, req0.check_nonce(bres)
assert_equal 1, req1.check_nonce(bres)
bres.add_nonce("NONCE")
assert_equal 1, req1.check_nonce(bres)
assert_equal 0, req2.check_nonce(bres)
- assert_equal 3, req0.check_nonce(bres)
end
def test_request_dup
request = OpenSSL::OCSP::Request.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
request.add_certid(cid)
- request.sign(@cert, @key, nil, 0, "SHA1")
assert_equal request.to_der, request.dup.to_der
end
@@ -134,37 +160,49 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.add_nonce("NONCE")
- bres.sign(@cert2, @key2, [@ca_cert], 0)
+ bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
der = bres.to_der
asn1 = OpenSSL::ASN1.decode(der)
- assert_equal cid.to_der, asn1.value[0].value.find { |a| a.class == OpenSSL::ASN1::Sequence }.value[0].value[0].to_der
- assert_equal OpenSSL::ASN1.Sequence([@cert2, @ca_cert]).to_der, asn1.value[3].value[0].to_der
+ assert_equal OpenSSL::ASN1.Sequence([@ocsp_cert, @ca_cert]).to_der, asn1.value[3].value[0].to_der
assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der
rescue TypeError
if /GENERALIZEDTIME/ =~ $!.message
- skip "OCSP_basic_sign() is broken"
+ pend "OCSP_basic_sign() is broken"
else
raise
end
end
def test_basic_response_sign_verify
- cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new)
+ store = OpenSSL::X509::Store.new.add_cert(@ca_cert)
+
+ # signed by CA
+ bres = OpenSSL::OCSP::BasicResponse.new
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, "SHA256")
+ bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, [])
+ bres.sign(@ca_cert, @ca_key, nil, 0, "SHA256")
+ assert_equal false, bres.verify([], store) # signer not found
+ assert_equal true, bres.verify([@ca_cert], store)
+ bres.sign(@ca_cert, @ca_key, [], 0, "SHA256")
+ assert_equal true, bres.verify([], store)
+
+ # signed by OCSP signer
bres = OpenSSL::OCSP::BasicResponse.new
- bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, 500, [])
- bres.sign(@cert2, @key2, [], 0, "SHA256") # how can I check the algorithm?
- store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert)
- assert_equal true, bres.verify([], store1)
- store2 = OpenSSL::X509::Store.new; store2.add_cert(@cert)
- assert_equal false, bres.verify([], store2)
- assert_equal true, bres.verify([], store2, OpenSSL::OCSP::NOVERIFY)
+ cid = OpenSSL::OCSP::CertificateId.new(@cert2, @cert)
+ bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, [])
+ bres.sign(@ocsp_cert, @ocsp_key, [@cert])
+ assert_equal true, bres.verify([], store)
+ assert_equal false, bres.verify([], store, OpenSSL::OCSP::NOCHAIN)
+ # OpenSSL had a bug on this; test that our workaround works
+ bres.sign(@ocsp_cert, @ocsp_key, [])
+ assert_equal true, bres.verify([@cert], store)
end
def test_basic_response_dup
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
- bres.sign(@cert2, @key2, [@ca_cert], 0)
+ bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
assert_equal bres.to_der, bres.dup.to_der
end
@@ -172,7 +210,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
bres = OpenSSL::OCSP::BasicResponse.new
now = Time.at(Time.now.to_i)
cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
cid3 = OpenSSL::OCSP::CertificateId.new(@ca_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, now - 400, -300, nil, nil)
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, -300, 500, [])
@@ -206,14 +244,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_single_response_check_validity
bres = OpenSSL::OCSP::BasicResponse.new
cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
- cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
+ cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil)
if bres.responses[2].check_validity # thisUpdate is in future; must fail
# LibreSSL bug; skip for now
- skip "OCSP_check_validity() is broken"
+ pend "OCSP_check_validity() is broken"
end
single1 = bres.responses[0]
@@ -226,11 +264,22 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal false, single2.check_validity(0, 200)
end
+ def test_response
+ bres = OpenSSL::OCSP::BasicResponse.new
+ cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
+ bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
+ bres.sign(@ocsp_cert, @ocsp_key, [])
+ res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
+
+ assert_equal bres.to_der, res.basic.to_der
+ assert_equal OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, res.status
+ end
+
def test_response_der
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
- bres.sign(@cert2, @key2, [@ca_cert], 0)
+ bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
der = res.to_der
asn1 = OpenSSL::ASN1.decode(der)
@@ -242,7 +291,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_response_dup
bres = OpenSSL::OCSP::BasicResponse.new
- bres.sign(@cert2, @key2, [@ca_cert], 0)
+ bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
assert_equal res.to_der, res.dup.to_der
end
diff --git a/test/test_pair.rb b/test/test_pair.rb
index d611d0f..9250222 100644
--- a/test/test_pair.rb
+++ b/test/test_pair.rb
@@ -4,7 +4,7 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils)
require 'socket'
-require_relative '../ruby/ut_eof'
+require_relative 'ut_eof'
module OpenSSL::SSLPairM
def server
@@ -322,6 +322,16 @@ module OpenSSL::TestPairM
}
end
+ def test_partial_tls_record_read_nonblock
+ ssl_pair { |s1, s2|
+ # the beginning of a TLS record
+ s1.io.write("\x17")
+ # should raise a IO::WaitReadable since a full TLS record is not available
+ # for reading
+ assert_raise(IO::WaitReadable) { s2.read_nonblock(1) }
+ }
+ end
+
def tcp_pair
host = "127.0.0.1"
serv = TCPServer.new(host, 0)
@@ -341,7 +351,7 @@ module OpenSSL::TestPairM
ctx2.tmp_dh_callback = nil
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- accepted = s2.accept_nonblock(exception: false)
+ s2.accept_nonblock(exception: false)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
@@ -350,16 +360,16 @@ module OpenSSL::TestPairM
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
- accept = s2.accept
+ EnvUtil.suppress_warning { # uses default callback
+ assert_nothing_raised { s2.accept }
+ }
assert_equal s1, t.value
- assert accept
ensure
t.join if t
s1.close if s1
s2.close if s2
sock1.close if sock1
sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
end
def test_connect_without_setting_dh_callback
@@ -368,7 +378,7 @@ module OpenSSL::TestPairM
ctx2.security_level = 0
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- accepted = s2.accept_nonblock(exception: false)
+ s2.accept_nonblock(exception: false)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
@@ -376,16 +386,16 @@ module OpenSSL::TestPairM
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
- accept = s2.accept
+ EnvUtil.suppress_warning { # default DH
+ assert_nothing_raised { s2.accept }
+ }
assert_equal s1, t.value
- assert accept
ensure
t.join if t
s1.close if s1
s2.close if s2
sock1.close if sock1
sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
end
def test_ecdh_callback
@@ -422,11 +432,11 @@ module OpenSSL::TestPairM
end until rv == s1
end
- accepted = s2.accept
+ s2.accept
assert called, 'ecdh callback should be called'
rescue OpenSSL::SSL::SSLError => e
if e.message =~ /no cipher match/
- skip "ECDH cipher not supported."
+ pend "ECDH cipher not supported."
else
raise e
end
@@ -447,7 +457,7 @@ module OpenSSL::TestPairM
begin
ctx1.ciphers = "ECDH"
rescue OpenSSL::SSL::SSLError
- skip "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
+ pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
raise
end
ctx1.ecdh_curves = "P-384:P-521"
diff --git a/test/test_partial_record_read.rb b/test/test_partial_record_read.rb
deleted file mode 100644
index 71e644a..0000000
--- a/test/test_partial_record_read.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-# frozen_string_literal: false
-require_relative "utils"
-
-if defined?(OpenSSL::TestUtils)
-
- class OpenSSL::TestPartialRecordRead < OpenSSL::SSLTestCase
- def test_partial_tls_record_read_nonblock
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :server_proc =>
- Proc.new do |server_ctx, server_ssl|
- begin
- server_ssl.io.write("\x01") # the beginning of a TLS record
- sleep 6 # do not finish prematurely before the read by the client is attempted
- ensure
- server_ssl.close
- end
- end
- ) do |server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ssl.sync_close = true
- begin
- ssl.connect
- sleep 3 # wait is required for the (incomplete) TLS record to arrive at the client socket
-
- # Should raise a IO::WaitReadable since a full TLS record is not available for reading.
- assert_raise(IO::WaitReadable) { ssl.read_nonblock(1) }
- ensure
- ssl.close
- end
- end
- end
-
- end
-
-end
diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb
index 61fb447..7ab501c 100644
--- a/test/test_pkcs12.rb
+++ b/test/test_pkcs12.rb
@@ -180,6 +180,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
end
end
+ def test_dup
+ p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert)
+ assert_equal p12.to_der, p12.dup.to_der
+ end
+
private
def assert_cert expected, actual
[
diff --git a/test/test_pkey.rb b/test/test_pkey.rb
new file mode 100644
index 0000000..79647c8
--- /dev/null
+++ b/test/test_pkey.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: false
+require_relative "utils"
+
+if defined?(OpenSSL::TestUtils)
+
+class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
+ PKEYS = {
+ OpenSSL::PKey::RSA => {
+ key: OpenSSL::TestUtils::TEST_KEY_RSA1024,
+ digest: OpenSSL::Digest::SHA1,
+ },
+ OpenSSL::PKey::DSA => {
+ key: OpenSSL::TestUtils::TEST_KEY_DSA512,
+ digest: OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST,
+ },
+ }
+ if defined?(OpenSSL::PKey::EC)
+ PKEYS[OpenSSL::PKey::EC] = {
+ key: OpenSSL::TestUtils::TEST_KEY_EC_P256V1,
+ digest: OpenSSL::Digest::SHA1,
+ }
+ end
+
+ def test_sign_verify
+ data = "Sign me!"
+ invalid_data = "Sign me?"
+ PKEYS.each do |klass, prop|
+ key = prop[:key]
+ pub_key = dup_public(prop[:key])
+ digest = prop[:digest].new
+ signature = key.sign(digest, data)
+ assert_equal(true, pub_key.verify(digest, signature, data))
+ assert_equal(false, pub_key.verify(digest, signature, invalid_data))
+ # digest state is irrelevant
+ digest << "unya"
+ assert_equal(true, pub_key.verify(digest, signature, data))
+ assert_equal(false, pub_key.verify(digest, signature, invalid_data))
+
+ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000
+ digest = OpenSSL::Digest::SHA256.new
+ signature = key.sign(digest, data)
+ assert_equal(true, pub_key.verify(digest, signature, data))
+ assert_equal(false, pub_key.verify(digest, signature, invalid_data))
+ end
+ end
+ end
+end
+
+end
diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb
index 4d84f7a..470c952 100644
--- a/test/test_pkey_dh.rb
+++ b/test/test_pkey_dh.rb
@@ -3,33 +3,25 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils)
-class OpenSSL::TestPKeyDH < OpenSSL::TestCase
+class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
+ DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024
NEW_KEYLEN = 256
- def test_DEFAULT_1024
- params = <<-eop
------BEGIN DH PARAMETERS-----
-MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
-AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
-T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
------END DH PARAMETERS-----
- eop
- assert_equal params, OpenSSL::PKey::DH::DEFAULT_1024.to_s
- end
-
- def test_DEFAULT_2048
- params = <<-eop
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
------END DH PARAMETERS-----
- eop
- assert_equal params, OpenSSL::PKey::DH::DEFAULT_2048.to_s
+ def test_DEFAULT_parameters
+ list = {
+ 1024 => OpenSSL::PKey::DH::DEFAULT_1024,
+ 2048 => OpenSSL::PKey::DH::DEFAULT_2048,
+ }
+
+ list.each do |expected_size, dh|
+ assert_equal expected_size, dh.p.num_bits
+ assert_predicate dh.p, :prime?
+ result, remainder = (dh.p - 1) / 2
+ assert_predicate result, :prime?
+ assert_equal 0, remainder
+ assert_no_key dh
+ end
end
def test_new
@@ -44,20 +36,26 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
end
end
- def test_to_der
- dh = OpenSSL::TestUtils::TEST_KEY_DH1024
- der = dh.to_der
- dh2 = OpenSSL::PKey::DH.new(der)
- assert_equal_params(dh, dh2)
- assert_no_key(dh2)
- end
-
- def test_to_pem
- dh = OpenSSL::TestUtils::TEST_KEY_DH1024
- pem = dh.to_pem
- dh2 = OpenSSL::PKey::DH.new(pem)
- assert_equal_params(dh, dh2)
- assert_no_key(dh2)
+ def test_DHparams
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(DH1024.p),
+ OpenSSL::ASN1::Integer(DH1024.g)
+ ])
+ key = OpenSSL::PKey::DH.new(asn1.to_der)
+ assert_same_dh dup_public(DH1024), key
+
+ pem = <<~EOF
+ -----BEGIN DH PARAMETERS-----
+ MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0
+ pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG
+ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
+ -----END DH PARAMETERS-----
+ EOF
+ key = OpenSSL::PKey::DH.new(pem)
+ assert_same_dh dup_public(DH1024), key
+
+ assert_equal asn1.to_der, DH1024.to_der
+ assert_equal pem, DH1024.export
end
def test_public_key
@@ -113,6 +111,10 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
assert(dh.pub_key)
assert(dh.priv_key)
end
+
+ def assert_same_dh(expected, key)
+ check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
+ end
end
end
diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb
index 9c29c03..d0ba8ec 100644
--- a/test/test_pkey_dsa.rb
+++ b/test/test_pkey_dsa.rb
@@ -4,7 +4,9 @@ require 'base64'
if defined?(OpenSSL::TestUtils)
-class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
+class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
+ DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512
+
def test_private
key = OpenSSL::PKey::DSA.new(256)
assert(key.private?)
@@ -20,6 +22,11 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
key = OpenSSL::PKey::DSA.new 256
pem = key.public_key.to_pem
OpenSSL::PKey::DSA.new pem
+ if $0 == __FILE__
+ assert_nothing_raised {
+ key = OpenSSL::PKey::DSA.new 2048
+ }
+ end
end
def test_new_break
@@ -37,55 +44,102 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
assert(key.sysverify(digest, sig))
end
- def test_sign_verify
- check_sign_verify(OpenSSL::Digest::DSS1.new)
- end if defined?(OpenSSL::Digest::DSS1)
-
-if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
- def test_sign_verify_sha1
- check_sign_verify(OpenSSL::Digest::SHA1.new)
- end
-
- def test_sign_verify_sha256
- check_sign_verify(OpenSSL::Digest::SHA256.new)
- end
-end
-
- def test_digest_state_irrelevant_verify
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- digest1 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
- digest2 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
- data = 'Sign me!'
- sig = key.sign(digest1, data)
- digest1.reset
- digest1 << 'Change state of digest1'
- assert(key.verify(digest1, sig, data))
- assert(key.verify(digest2, sig, data))
- end
+ def test_DSAPrivateKey
+ # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(0),
+ OpenSSL::ASN1::Integer(DSA512.p),
+ OpenSSL::ASN1::Integer(DSA512.q),
+ OpenSSL::ASN1::Integer(DSA512.g),
+ OpenSSL::ASN1::Integer(DSA512.pub_key),
+ OpenSSL::ASN1::Integer(DSA512.priv_key)
+ ])
+ key = OpenSSL::PKey::DSA.new(asn1.to_der)
+ assert_predicate key, :private?
+ assert_same_dsa DSA512, key
+
+ pem = <<~EOF
+ -----BEGIN DSA PRIVATE KEY-----
+ MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
+ RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
+ AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
+ S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
+ Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
+ 55jreJD3Se3slps=
+ -----END DSA PRIVATE KEY-----
+ EOF
+ key = OpenSSL::PKey::DSA.new(pem)
+ assert_same_dsa DSA512, key
+
+ assert_equal asn1.to_der, DSA512.to_der
+ assert_equal pem, DSA512.export
+ end
+
+ def test_DSAPrivateKey_encrypted
+ # key = abcdef
+ pem = <<~EOF
+ -----BEGIN DSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9
+
+ D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB
+ 74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw
+ QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt
+ OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7
+ XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta
+ Wgx6c8K+qBAIVrilw3EWxw==
+ -----END DSA PRIVATE KEY-----
+ EOF
+ key = OpenSSL::PKey::DSA.new(pem, "abcdef")
+ assert_same_dsa DSA512, key
+ key = OpenSSL::PKey::DSA.new(pem) { "abcdef" }
+ assert_same_dsa DSA512, key
+
+ cipher = OpenSSL::Cipher.new("aes-128-cbc")
+ exported = DSA512.to_pem(cipher, "abcdef\0\1")
+ assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1")
+ assert_raise(OpenSSL::PKey::DSAError) {
+ OpenSSL::PKey::DSA.new(exported, "abcdef")
+ }
+ end
+
+ def test_PUBKEY
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::ObjectId("DSA"),
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(DSA512.p),
+ OpenSSL::ASN1::Integer(DSA512.q),
+ OpenSSL::ASN1::Integer(DSA512.g)
+ ])
+ ]),
+ OpenSSL::ASN1::BitString(
+ OpenSSL::ASN1::Integer(DSA512.pub_key).to_der
+ )
+ ])
+ key = OpenSSL::PKey::DSA.new(asn1.to_der)
+ assert_not_predicate key, :private?
+ assert_same_dsa dup_public(DSA512), key
+
+ pem = <<~EOF
+ -----BEGIN PUBLIC KEY-----
+ MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT
+ YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB
+ 4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo
+ ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg
+ sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX
+ oXi9OA==
+ -----END PUBLIC KEY-----
+ EOF
+ key = OpenSSL::PKey::DSA.new(pem)
+ assert_same_dsa dup_public(DSA512), key
- def test_read_DSA_PUBKEY
- p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699
- q = 957032439192465935099784319494405376402293318491
- g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285
- y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271
- algo = OpenSSL::ASN1::ObjectId.new('DSA')
- params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
- OpenSSL::ASN1::Integer.new(q),
- OpenSSL::ASN1::Integer.new(g)])
- algo_id = OpenSSL::ASN1::Sequence.new ([algo, params])
- pub_key = OpenSSL::ASN1::Integer.new(y)
- seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
- key = OpenSSL::PKey::DSA.new(seq.to_der)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(p, key.p)
- assert_equal(q, key.q)
- assert_equal(g, key.g)
- assert_equal(y, key.pub_key)
- assert_equal(nil, key.priv_key)
+ assert_equal asn1.to_der, dup_public(DSA512).to_der
+ assert_equal pem, dup_public(DSA512).export
end
def test_read_DSAPublicKey_pem
+ # TODO: where is the standard? PKey::DSA.new can read only PEM
p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
q = 979494906553787301107832405790107343409973851677
g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
@@ -109,127 +163,6 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
assert_equal(nil, key.priv_key)
end
- def test_read_DSA_PUBKEY_pem
- p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
- q = 979494906553787301107832405790107343409973851677
- g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
- y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
- pem = <<-EOF
------BEGIN PUBLIC KEY-----
-MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV
-2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz
-fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q
-qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw
-wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA
-YNMbNw==
------END PUBLIC KEY-----
- EOF
- key = OpenSSL::PKey::DSA.new(pem)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(p, key.p)
- assert_equal(q, key.q)
- assert_equal(g, key.g)
- assert_equal(y, key.pub_key)
- assert_equal(nil, key.priv_key)
- end
-
- def test_export_format_is_DSA_PUBKEY_pem
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- pem = key.public_key.to_pem
- pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
- asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
- assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
- assert_equal(2, asn1.value.size)
- seq = asn1.value
- assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
- assert_equal(2, seq[0].value.size)
- algo_id = seq[0].value
- assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
- assert_equal('DSA', algo_id[0].value)
- assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag)
- assert_equal(3, algo_id[1].value.size)
- params = algo_id[1].value
- assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag)
- assert_equal(key.p, params[0].value)
- assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag)
- assert_equal(key.q, params[1].value)
- assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag)
- assert_equal(key.g, params[2].value)
- assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
- assert_equal(0, seq[1].unused_bits)
- pub_key = OpenSSL::ASN1.decode(seq[1].value)
- assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
- assert_equal(key.pub_key, pub_key.value)
- end
-
- def test_read_private_key_der
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- der = key.to_der
- key2 = OpenSSL::PKey.read(der)
- assert(key2.private?)
- assert_equal(der, key2.to_der)
- end
-
- def test_read_private_key_pem
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- pem = key.to_pem
- key2 = OpenSSL::PKey.read(pem)
- assert(key2.private?)
- assert_equal(pem, key2.to_pem)
- end
-
- def test_read_public_key_der
- key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
- der = key.to_der
- key2 = OpenSSL::PKey.read(der)
- assert(!key2.private?)
- assert_equal(der, key2.to_der)
- end
-
- def test_read_public_key_pem
- key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
- pem = key.to_pem
- key2 = OpenSSL::PKey.read(pem)
- assert(!key2.private?)
- assert_equal(pem, key2.to_pem)
- end
-
- def test_read_private_key_pem_pw
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
- #callback form for password
- key2 = OpenSSL::PKey.read(pem) do
- 'secret'
- end
- assert(key2.private?)
- # pass password directly
- key2 = OpenSSL::PKey.read(pem, 'secret')
- assert(key2.private?)
- #omit pem equality check, will be different due to cipher iv
- end
-
- def test_export_password_length
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- assert_raise(OpenSSL::OpenSSLError) do
- key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
- end
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
- assert(pem)
- end
-
- def test_export_password_funny
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
- assert_raise(ArgumentError) do
- OpenSSL::PKey.read(pem, "pass")
- end
- key2 = OpenSSL::PKey.read(pem, "pass\0wd")
- assert(key2.private?)
- key3 = OpenSSL::PKey::DSA.new(pem, "pass\0wd")
- assert(key3.private?)
- end
-
def test_dup
key = OpenSSL::PKey::DSA.new(256)
key2 = key.dup
@@ -239,12 +172,8 @@ YNMbNw==
end
private
-
- def check_sign_verify(digest)
- key = OpenSSL::TestUtils::TEST_KEY_DSA256
- data = 'Sign me!'
- sig = key.sign(digest, data)
- assert(key.verify(digest, sig, data))
+ def assert_same_dsa(expected, key)
+ check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
end
end
diff --git a/test/test_pkey_ec.rb b/test/test_pkey_ec.rb
index 4498b2b..53aa5a1 100644
--- a/test/test_pkey_ec.rb
+++ b/test/test_pkey_ec.rb
@@ -3,64 +3,46 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC)
-class OpenSSL::TestEC < OpenSSL::TestCase
- def setup
- @data1 = 'foo'
- @data2 = 'bar' * 1000 # data too long for DSA sig
+class OpenSSL::TestEC < OpenSSL::PKeyTestCase
+ P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- @groups = []
- @keys = []
+ def test_ec_key
+ builtin_curves = OpenSSL::PKey::EC.builtin_curves
+ assert_not_empty builtin_curves
- OpenSSL::PKey::EC.builtin_curves.each do |curve, comment|
- group = OpenSSL::PKey::EC::Group.new(curve)
+ builtin_curves.each do |curve_name, comment|
+ # Oakley curves and X25519 are not suitable for signing and causes
+ # FIPS-selftest failure on some environment, so skip for now.
+ next if ["Oakley", "X25519"].any? { |n| curve_name.start_with?(n) }
- # Oakley curves and X25519 are not suitable for signing
- next if ["Oakley", "X25519"].any? { |n| curve.start_with?(n) }
-
- key = OpenSSL::PKey::EC.new(group)
+ key = OpenSSL::PKey::EC.new(curve_name)
key.generate_key!
- @groups << group
- @keys << key
+ assert_predicate key, :private?
+ assert_predicate key, :public?
+ assert_nothing_raised { key.check_key }
end
- end
-
- def test_dup
- key = OpenSSL::PKey::EC.new("prime256v1")
- key.generate_key!
- key2 = key.dup
- assert_equal key.to_der, key2.to_der
- key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key!
- key2.private_key = key_tmp.private_key
- key2.public_key = key_tmp.public_key
- assert_not_equal key.to_der, key2.to_der
- group = key.group
- group2 = group.dup
- assert_equal group.to_der, group2.to_der
- group2.asn1_flag ^= OpenSSL::PKey::EC::NAMED_CURVE
- assert_not_equal group.to_der, group2.to_der
+ key1 = OpenSSL::PKey::EC.new("prime256v1").generate_key!
- point = key.public_key
- point2 = point.dup
- assert_equal point.to_bn, point2.to_bn
- point2.invert!
- assert_not_equal point.to_bn, point2.to_bn
- end
+ key2 = OpenSSL::PKey::EC.new
+ key2.group = key1.group
+ key2.private_key = key1.private_key
+ key2.public_key = key1.public_key
+ assert_equal key1.to_der, key2.to_der
- def compare_keys(k1, k2)
- assert_equal(k1.to_pem, k2.to_pem)
- end
+ key3 = OpenSSL::PKey::EC.new(key1)
+ assert_equal key1.to_der, key3.to_der
- def test_builtin_curves
- assert(!OpenSSL::PKey::EC.builtin_curves.empty?)
- end
+ key4 = OpenSSL::PKey::EC.new(key1.to_der)
+ assert_equal key1.to_der, key4.to_der
- def test_curve_names
- @groups.each_with_index do |group, idx|
- key = @keys[idx]
- assert_equal(group.curve_name, key.group.curve_name)
- end
+ key5 = key1.dup
+ assert_equal key1.to_der, key5.to_der
+ key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key!
+ key5.private_key = key_tmp.private_key
+ key5.public_key = key_tmp.public_key
+ assert_not_equal key1.to_der, key5.to_der
end
def test_generate
@@ -73,173 +55,206 @@ class OpenSSL::TestEC < OpenSSL::TestCase
end
def test_check_key
- for key in @keys
- assert_equal(true, key.check_key)
- assert_equal(true, key.private?)
- assert_equal(true, key.public?)
- key2 = OpenSSL::PKey::EC.new(key.group)
- assert_equal(false, key2.private?)
- assert_equal(false, key2.public?)
- key2.public_key = key.public_key
- assert_equal(false, key2.private?)
- assert_equal(true, key2.public?)
- key2.private_key = key.private_key
- assert_equal(true, key2.private?)
- assert_equal(true, key2.public?)
- assert_equal(true, key2.check_key)
- key2.private_key += 1
- assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
- end
- end
-
- def test_group_encoding
- for group in @groups
- for meth in [:to_der, :to_pem]
- txt = group.send(meth)
- gr = OpenSSL::PKey::EC::Group.new(txt)
-
- assert_equal(txt, gr.send(meth))
-
- assert_equal(group.generator.to_bn, gr.generator.to_bn)
- assert_equal(group.cofactor, gr.cofactor)
- assert_equal(group.order, gr.order)
- assert_equal(group.seed, gr.seed)
- assert_equal(group.degree, gr.degree)
- end
- end
- end
-
- def test_key_encoding
- for key in @keys
- group = key.group
-
- for meth in [:to_der, :to_pem]
- txt = key.send(meth)
- assert_equal(txt, OpenSSL::PKey::EC.new(txt).send(meth))
- end
-
- bn = key.public_key.to_bn
- assert_equal(bn, OpenSSL::PKey::EC::Point.new(group, bn).to_bn)
- end
- end
-
- def test_set_keys
- for key in @keys
- k = OpenSSL::PKey::EC.new
- k.group = key.group
- k.private_key = key.private_key
- k.public_key = key.public_key
-
- compare_keys(key, k)
- end
+ key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
+ assert_equal(true, key.check_key)
+ assert_equal(true, key.private?)
+ assert_equal(true, key.public?)
+ key2 = OpenSSL::PKey::EC.new(key.group)
+ assert_equal(false, key2.private?)
+ assert_equal(false, key2.public?)
+ key2.public_key = key.public_key
+ assert_equal(false, key2.private?)
+ assert_equal(true, key2.public?)
+ key2.private_key = key.private_key
+ assert_equal(true, key2.private?)
+ assert_equal(true, key2.public?)
+ assert_equal(true, key2.check_key)
+ key2.private_key += 1
+ assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
end
def test_dsa_sign_verify
- for key in @keys
- sig = key.dsa_sign_asn1(@data1)
- assert(key.dsa_verify_asn1(@data1, sig))
- end
+ data1 = "foo"
+ data2 = "bar"
+ key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
+ sig = key.dsa_sign_asn1(data1)
+ assert_equal true, key.dsa_verify_asn1(data1, sig)
+ assert_equal false, key.dsa_verify_asn1(data2, sig)
end
def test_dsa_sign_asn1_FIPS186_3
- for key in @keys
- size = key.group.order.num_bits / 8 + 1
- dgst = (1..size).to_a.pack('C*')
- begin
- sig = key.dsa_sign_asn1(dgst)
- # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
- assert(key.dsa_verify_asn1(dgst + "garbage", sig))
- rescue OpenSSL::PKey::ECError => e
- # just an exception for longer dgst before openssl-0.9.8m
- assert_equal('ECDSA_sign: data too large for key size', e.message)
- # no need to do following tests
- return
- end
+ key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
+ size = key.group.order.num_bits / 8 + 1
+ dgst = (1..size).to_a.pack('C*')
+ begin
+ sig = key.dsa_sign_asn1(dgst)
+ # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
+ assert(key.dsa_verify_asn1(dgst + "garbage", sig))
+ rescue OpenSSL::PKey::ECError => e
+ # just an exception for longer dgst before openssl-0.9.8m
+ assert_equal('ECDSA_sign: data too large for key size', e.message)
+ # no need to do following tests
+ return
end
end
def test_dh_compute_key
- for key in @keys
- k = OpenSSL::PKey::EC.new(key.group)
- k.generate_key!
-
- puba = key.public_key
- pubb = k.public_key
- a = key.dh_compute_key(pubb)
- b = k.dh_compute_key(puba)
- assert_equal(a, b)
- end
+ key_a = OpenSSL::PKey::EC.new("prime256v1").generate_key!
+ key_b = OpenSSL::PKey::EC.new(key_a.group).generate_key!
+
+ pub_a = key_a.public_key
+ pub_b = key_b.public_key
+ a = key_a.dh_compute_key(pub_b)
+ b = key_b.dh_compute_key(pub_a)
+ assert_equal a, b
end
- def test_read_private_key_der
- ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- der = ec.to_der
- ec2 = OpenSSL::PKey.read(der)
- assert(ec2.private_key?)
- assert_equal(der, ec2.to_der)
+ def test_ECPrivateKey
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(1),
+ OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)),
+ OpenSSL::ASN1::ASN1Data.new(
+ [OpenSSL::ASN1::ObjectId("prime256v1")],
+ 0, :CONTEXT_SPECIFIC
+ ),
+ OpenSSL::ASN1::ASN1Data.new(
+ [OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))],
+ 1, :CONTEXT_SPECIFIC
+ )
+ ])
+ key = OpenSSL::PKey::EC.new(asn1.to_der)
+ assert_predicate key, :private?
+ assert_same_ec P256, key
+
+ pem = <<~EOF
+ -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49
+ AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt
+ CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
+ -----END EC PRIVATE KEY-----
+ EOF
+ key = OpenSSL::PKey::EC.new(pem)
+ assert_same_ec P256, key
+
+ assert_equal asn1.to_der, P256.to_der
+ assert_equal pem, P256.export
end
- def test_read_private_key_pem
- ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- pem = ec.to_pem
- ec2 = OpenSSL::PKey.read(pem)
- assert(ec2.private_key?)
- assert_equal(pem, ec2.to_pem)
+ def test_ECPrivateKey_encrypted
+ # key = abcdef
+ pem = <<~EOF
+ -----BEGIN EC PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,85743EB6FAC9EA76BF99D9328AFD1A66
+
+ nhsP1NHxb53aeZdzUe9umKKyr+OIwQq67eP0ONM6E1vFTIcjkDcFLR6PhPFufF4m
+ y7E2HF+9uT1KPQhlE+D63i1m1Mvez6PWfNM34iOQp2vEhaoHHKlR3c43lLyzaZDI
+ 0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM=
+ -----END EC PRIVATE KEY-----
+ EOF
+ key = OpenSSL::PKey::EC.new(pem, "abcdef")
+ assert_same_ec P256, key
+ key = OpenSSL::PKey::EC.new(pem) { "abcdef" }
+ assert_same_ec P256, key
+
+ cipher = OpenSSL::Cipher.new("aes-128-cbc")
+ exported = P256.to_pem(cipher, "abcdef\0\1")
+ assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1")
+ assert_raise(OpenSSL::PKey::ECError) {
+ OpenSSL::PKey::EC.new(exported, "abcdef")
+ }
end
- def test_read_public_key_der
- ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- ec2 = OpenSSL::PKey::EC.new(ec.group)
- ec2.public_key = ec.public_key
- der = ec2.to_der
- ec3 = OpenSSL::PKey.read(der)
- assert(!ec3.private_key?)
- assert_equal(der, ec3.to_der)
+ def test_PUBKEY
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+ OpenSSL::ASN1::ObjectId("prime256v1")
+ ]),
+ OpenSSL::ASN1::BitString(
+ P256.public_key.to_bn.to_s(2)
+ )
+ ])
+ key = OpenSSL::PKey::EC.new(asn1.to_der)
+ assert_not_predicate key, :private?
+ assert_same_ec dup_public(P256), key
+
+ pem = <<~EOF
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7l
+ SZ/ArK41eGy5wAzU/0G51XttCeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
+ -----END PUBLIC KEY-----
+ EOF
+ key = OpenSSL::PKey::EC.new(pem)
+ assert_same_ec dup_public(P256), key
+
+ assert_equal asn1.to_der, dup_public(P256).to_der
+ assert_equal pem, dup_public(P256).export
end
- def test_read_public_key_pem
- ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- ec2 = OpenSSL::PKey::EC.new(ec.group)
- ec2.public_key = ec.public_key
- pem = ec2.to_pem
- ec3 = OpenSSL::PKey.read(pem)
- assert(!ec3.private_key?)
- assert_equal(pem, ec3.to_pem)
+ def test_ec_group
+ group1 = OpenSSL::PKey::EC::Group.new("prime256v1")
+ key1 = OpenSSL::PKey::EC.new(group1)
+ assert_equal group1, key1.group
+
+ group2 = OpenSSL::PKey::EC::Group.new(group1)
+ assert_equal group1.to_der, group2.to_der
+ assert_equal group1, group2
+ group2.asn1_flag ^=OpenSSL::PKey::EC::NAMED_CURVE
+ assert_not_equal group1.to_der, group2.to_der
+ assert_equal group1, group2
+
+ group3 = group1.dup
+ assert_equal group1.to_der, group3.to_der
+
+ assert group1.asn1_flag & OpenSSL::PKey::EC::NAMED_CURVE # our default
+ der = group1.to_der
+ group4 = OpenSSL::PKey::EC::Group.new(der)
+ group1.point_conversion_form = group4.point_conversion_form = :uncompressed
+ assert_equal :uncompressed, group1.point_conversion_form
+ assert_equal :uncompressed, group4.point_conversion_form
+ assert_equal group1, group4
+ assert_equal group1.curve_name, group4.curve_name
+ assert_equal group1.generator.to_bn, group4.generator.to_bn
+ assert_equal group1.order, group4.order
+ assert_equal group1.cofactor, group4.cofactor
+ assert_equal group1.seed, group4.seed
+ assert_equal group1.degree, group4.degree
end
- def test_read_private_key_pem_pw
- ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- pem = ec.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
- #callback form for password
- ec2 = OpenSSL::PKey.read(pem) do
- 'secret'
- end
- assert(ec2.private_key?)
- # pass password directly
- ec2 = OpenSSL::PKey.read(pem, 'secret')
- assert(ec2.private_key?)
- #omit pem equality check, will be different due to cipher iv
- end
+ def test_ec_point
+ group = OpenSSL::PKey::EC::Group.new("prime256v1")
+ key = OpenSSL::PKey::EC.new(group).generate_key!
+ point = key.public_key
- def test_export_password_length
- key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- assert_raise(OpenSSL::OpenSSLError) do
- key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
- end
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
- assert(pem)
- end
+ point2 = OpenSSL::PKey::EC::Point.new(group, point.to_bn)
+ assert_equal point, point2
+ assert_equal point.to_bn, point2.to_bn
+ point2.invert!
+ assert_not_equal point.to_bn, point2.to_bn
- def test_export_password_funny
- key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
- assert_raise(ArgumentError) do
- OpenSSL::PKey.read(pem, "pass")
+ begin
+ group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
+ group.point_conversion_form = :uncompressed
+ generator = OpenSSL::PKey::EC::Point.new(group, 0x040501.to_bn)
+ group.set_generator(generator, 19, 1)
+ point = OpenSSL::PKey::EC::Point.new(group, 0x040603.to_bn)
+ rescue OpenSSL::PKey::EC::Group::Error
+ pend "Patched OpenSSL rejected curve" if /unsupported field/ =~ $!.message
+ raise
end
- key2 = OpenSSL::PKey.read(pem, "pass\0wd")
- assert(key2.private_key?)
- key3 = OpenSSL::PKey::EC.new(pem, "pass\0wd")
- assert(key3.private_key?)
+
+ assert_equal 0x040603.to_bn, point.to_bn
+ assert_equal true, point.on_curve?
+ point.invert! # 8.5
+ assert_equal 0x04060E.to_bn, point.to_bn
+ assert_equal true, point.on_curve?
+
+ assert_equal false, point.infinity?
+ point.set_to_infinity!
+ assert_equal true, point.infinity?
+ assert_equal 0.to_bn, point.to_bn
+ assert_equal true, point.on_curve?
end
def test_ec_point_mul
@@ -247,44 +262,50 @@ class OpenSSL::TestEC < OpenSSL::TestCase
# y^2 = x^3 + 2x + 2 over F_17
# generator is (5, 1)
group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
+ group.point_conversion_form = :uncompressed
gen = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040501", 16))
group.set_generator(gen, 0, 0)
# 3 * (6, 3) = (16, 13)
point_a = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040603", 16))
- result_a1 = point_a.mul(3.to_bn)
+ result_a1 = point_a.mul(3)
assert_equal("04100D", result_a1.to_bn.to_s(16))
# 3 * (6, 3) + 3 * (5, 1) = (7, 6)
- result_a2 = point_a.mul(3.to_bn, 3.to_bn)
+ result_a2 = point_a.mul(3, 3)
assert_equal("040706", result_a2.to_bn.to_s(16))
# 3 * point_a = 3 * (6, 3) = (16, 13)
- result_b1 = point_a.mul([3.to_bn], [])
+ result_b1 = point_a.mul([3], [])
assert_equal("04100D", result_b1.to_bn.to_s(16))
# 3 * point_a + 2 * point_a = 3 * (6, 3) + 2 * (6, 3) = (7, 11)
- result_b1 = point_a.mul([3.to_bn, 2.to_bn], [point_a])
+ result_b1 = point_a.mul([3, 2], [point_a])
assert_equal("04070B", result_b1.to_bn.to_s(16))
# 3 * point_a + 5 * point_a.group.generator = 3 * (6, 3) + 5 * (5, 1) = (13, 10)
- result_b1 = point_a.mul([3.to_bn], [], 5)
+ result_b1 = point_a.mul([3], [], 5)
assert_equal("040D0A", result_b1.to_bn.to_s(16))
rescue OpenSSL::PKey::EC::Group::Error
# CentOS patches OpenSSL to reject curves defined over Fp where p < 256 bits
raise if $!.message !~ /unsupported field/
end
- p256_key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
+ p256_key = P256
p256_g = p256_key.group
assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key))
# invalid argument
point = p256_key.public_key
assert_raise(TypeError) { point.mul(nil) }
- assert_raise(ArgumentError) { point.mul([1.to_bn], [point]) }
- assert_raise(TypeError) { point.mul([1.to_bn], nil) }
+ assert_raise(ArgumentError) { point.mul([1], [point]) }
+ assert_raise(TypeError) { point.mul([1], nil) }
assert_raise(TypeError) { point.mul([nil], []) }
end
# test Group: asn1_flag, point_conversion
+ private
+
+ def assert_same_ec(expected, key)
+ check_component(expected, key, [:group, :public_key, :private_key])
+ end
end
end
diff --git a/test/test_pkey_rsa.rb b/test/test_pkey_rsa.rb
index 49e8cea..e211faa 100644
--- a/test/test_pkey_rsa.rb
+++ b/test/test_pkey_rsa.rb
@@ -4,7 +4,9 @@ require 'base64'
if defined?(OpenSSL::TestUtils)
-class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
+class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
+ RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
+
def test_padding
key = OpenSSL::PKey::RSA.new(512, 3)
@@ -68,46 +70,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
end
end
- def test_sign_verify
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- digest = OpenSSL::Digest::SHA1.new
- data = 'Sign me!'
- sig = key.sign(digest, data)
- assert(key.verify(digest, sig, data))
- end
-
- def test_sign_verify_memory_leak
- bug9743 = '[ruby-core:62038] [Bug #9743]'
- assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30)
- data = 'Sign me!'
- digest = OpenSSL::Digest::SHA512.new
- pkey = OpenSSL::PKey::RSA.new(2048)
- signature = pkey.sign(digest, data)
- pub_key = pkey.public_key
- PREP
- 20_000.times {
- pub_key.verify(digest, signature, data)
- }
- CODE
-
- assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30)
- data = 'Sign me!'
- digest = OpenSSL::Digest::SHA512.new
- pkey = OpenSSL::PKey::RSA.new(2048)
- signature = pkey.sign(digest, data)
- pub_key = pkey.public_key
- PREP
- 20_000.times {
- begin
- pub_key.verify(digest, signature, 1)
- rescue TypeError
- end
- }
- CODE
- end
-
def test_digest_state_irrelevant_sign
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ key = RSA1024
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@@ -118,7 +82,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
end
def test_digest_state_irrelevant_verify
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ key = RSA1024
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@@ -129,169 +93,131 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
assert(key.verify(digest2, sig, data))
end
- def test_read_RSAPublicKey
- modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351
- exponent = 65537
- seq = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)])
- key = OpenSSL::PKey::RSA.new(seq.to_der)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(modulus, key.n)
- assert_equal(exponent, key.e)
- assert_equal(nil, key.d)
- assert_equal(nil, key.p)
- assert_equal(nil, key.q)
- assert_equal([], OpenSSL.errors)
- end
-
- def test_read_RSA_PUBKEY
- modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351
- exponent = 65537
- algo = OpenSSL::ASN1::ObjectId.new('rsaEncryption')
- null_params = OpenSSL::ASN1::Null.new(nil)
- algo_id = OpenSSL::ASN1::Sequence.new ([algo, null_params])
- pub_key = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)])
- seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
- key = OpenSSL::PKey::RSA.new(seq.to_der)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(modulus, key.n)
- assert_equal(exponent, key.e)
- assert_equal(nil, key.d)
- assert_equal(nil, key.p)
- assert_equal(nil, key.q)
- assert_equal([], OpenSSL.errors)
- end
-
- def test_read_RSAPublicKey_pem
- modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061
- exponent = 65537
- pem = <<-EOF
------BEGIN RSA PUBLIC KEY-----
-MEgCQQCzyh2RIZK62E2PbTWqUljD+K23XR9AGBKNtXjal6WD2yRGcLqzPJLNCa60
-AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE=
------END RSA PUBLIC KEY-----
+ def test_RSAPrivateKey
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(0),
+ OpenSSL::ASN1::Integer(RSA1024.n),
+ OpenSSL::ASN1::Integer(RSA1024.e),
+ OpenSSL::ASN1::Integer(RSA1024.d),
+ OpenSSL::ASN1::Integer(RSA1024.p),
+ OpenSSL::ASN1::Integer(RSA1024.q),
+ OpenSSL::ASN1::Integer(RSA1024.dmp1),
+ OpenSSL::ASN1::Integer(RSA1024.dmq1),
+ OpenSSL::ASN1::Integer(RSA1024.iqmp)
+ ])
+ key = OpenSSL::PKey::RSA.new(asn1.to_der)
+ assert_predicate key, :private?
+ assert_same_rsa RSA1024, key
+
+ pem = <<~EOF
+ -----BEGIN RSA PRIVATE KEY-----
+ MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
+ aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
+ Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
+ AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
+ maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
+ gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
+ 74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
+ JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
+ sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
+ 8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
+ wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
+ qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
+ dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
+ -----END RSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(modulus, key.n)
- assert_equal(exponent, key.e)
- assert_equal(nil, key.d)
- assert_equal(nil, key.p)
- assert_equal(nil, key.q)
+ assert_same_rsa RSA1024, key
+
+ assert_equal asn1.to_der, RSA1024.to_der
+ assert_equal pem, RSA1024.export
+ end
+
+ def test_RSAPrivateKey_encrypted
+ # key = abcdef
+ pem = <<~EOF
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+
+ zgJniZZQfvv8TFx3LzV6zhAQVayvQVZlAYqFq2yWbbxzF7C+IBhKQle9IhUQ9j/y
+ /jkvol550LS8vZ7TX5WxyDLe12cdqzEvpR6jf3NbxiNysOCxwG4ErhaZGP+krcoB
+ ObuL0nvls/+3myy5reKEyy22+0GvTDjaChfr+FwJjXMG+IBCLscYdgZC1LQL6oAn
+ 9xY5DH3W7BW4wR5ttxvtN32TkfVQh8xi3jrLrduUh+hV8DTiAiLIhv0Vykwhep2p
+ WZA+7qbrYaYM8GLLgLrb6LfBoxeNxAEKiTpl1quFkm+Hk1dKq0EhVnxHf92x0zVF
+ jRGZxAMNcrlCoE4f5XK45epVZSZvihdo1k73GPbp84aZ5P/xlO4OwZ3i4uCQXynl
+ jE9c+I+4rRWKyPz9gkkqo0+teJL8ifeKt/3ab6FcdA0aArynqmsKJMktxmNu83We
+ YVGEHZPeOlyOQqPvZqWsLnXQUfg54OkbuV4/4mWSIzxFXdFy/AekSeJugpswMXqn
+ oNck4qySNyfnlyelppXyWWwDfVus9CVAGZmJQaJExHMT/rQFRVchlmY0Ddr5O264
+ gcjv90o1NBOc2fNcqjivuoX7ROqys4K/YdNQ1HhQ7usJghADNOtuLI8ZqMh9akXD
+ Eqp6Ne97wq1NiJj0nt3SJlzTnOyTjzrTe0Y+atPkVKp7SsjkATMI9JdhXwGhWd7a
+ qFVl0owZiDasgEhyG2K5L6r+yaJLYkPVXZYC/wtWC3NEchnDWZGQcXzB4xROCQkD
+ OlWNYDkPiZioeFkA3/fTMvG4moB2Pp9Q4GU5fJ6k43Ccu1up8dX/LumZb4ecg5/x
+ -----END RSA PRIVATE KEY-----
+ EOF
+ key = OpenSSL::PKey::RSA.new(pem, "abcdef")
+ assert_same_rsa RSA1024, key
+ key = OpenSSL::PKey::RSA.new(pem) { "abcdef" }
+ assert_same_rsa RSA1024, key
+
+ cipher = OpenSSL::Cipher.new("aes-128-cbc")
+ exported = RSA1024.to_pem(cipher, "abcdef\0\1")
+ assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1")
+ assert_raise(OpenSSL::PKey::RSAError) {
+ OpenSSL::PKey::RSA.new(exported, "abcdef")
+ }
end
- def test_read_RSA_PUBKEY_pem
- modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061
- exponent = 65537
- pem = <<-EOF
------BEGIN PUBLIC KEY-----
-MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALPKHZEhkrrYTY9tNapSWMP4rbdd
-H0AYEo21eNqXpYPbJEZwurM8ks0JrrQC50lHUmhtshsMmtC7oBedaHmT9i0C
-AwEAAQ==
------END PUBLIC KEY-----
+ def test_RSAPublicKey
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(RSA1024.n),
+ OpenSSL::ASN1::Integer(RSA1024.e)
+ ])
+ key = OpenSSL::PKey::RSA.new(asn1.to_der)
+ assert_not_predicate key, :private?
+ assert_same_rsa dup_public(RSA1024), key
+
+ pem = <<~EOF
+ -----BEGIN RSA PUBLIC KEY-----
+ MIGJAoGBAMvCxLDUQKc+1P4+Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RF
+ geyTgE8KQTduu1OE9Zz2SMcRBDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u
+ /xkP2mKGjAokPIwOI3oCthSZlzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAE=
+ -----END RSA PUBLIC KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
- assert(key.public?)
- assert(!key.private?)
- assert_equal(modulus, key.n)
- assert_equal(exponent, key.e)
- assert_equal(nil, key.d)
- assert_equal(nil, key.p)
- assert_equal(nil, key.q)
- end
-
- def test_export_format_is_RSA_PUBKEY
- key = OpenSSL::PKey::RSA.new(512)
- asn1 = OpenSSL::ASN1.decode(key.public_key.to_der)
- check_PUBKEY(asn1, key)
- end
-
- def test_export_format_is_RSA_PUBKEY_pem
- key = OpenSSL::PKey::RSA.new(512)
- pem = key.public_key.to_pem
- pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
- asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
- check_PUBKEY(asn1, key)
- end
-
- def test_read_private_key_der
- der = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_der
- key = OpenSSL::PKey.read(der)
- assert(key.private?)
- assert_equal(der, key.to_der)
- end
-
- def test_read_private_key_pem
- pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem
- key = OpenSSL::PKey.read(pem)
- assert(key.private?)
- assert_equal(pem, key.to_pem)
- end
-
- def test_read_public_key_der
- der = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_der
- key = OpenSSL::PKey.read(der)
- assert(!key.private?)
- assert_equal(der, key.to_der)
- end
-
- def test_read_public_key_pem
- pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_pem
- key = OpenSSL::PKey.read(pem)
- assert(!key.private?)
- assert_equal(pem, key.to_pem)
- end
-
- def test_read_private_key_pem_pw
- pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
- #callback form for password
- key = OpenSSL::PKey.read(pem) do
- 'secret'
- end
- assert(key.private?)
- # pass password directly
- key = OpenSSL::PKey.read(pem, 'secret')
- assert(key.private?)
- #omit pem equality check, will be different due to cipher iv
- end
-
- def test_read_private_key_pem_pw_exception
- pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
- # it raises an ArgumentError from PEM reading. The exception raised inside are ignored for now.
- assert_raise(ArgumentError) do
- OpenSSL::PKey.read(pem) do
- raise RuntimeError
- end
- end
- end
-
- def test_export_password_length
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- assert_raise(OpenSSL::OpenSSLError) do
- key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
- end
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
- assert(pem)
- end
+ assert_same_rsa dup_public(RSA1024), key
+ end
+
+ def test_PUBKEY
+ asn1 = OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::ObjectId("rsaEncryption"),
+ OpenSSL::ASN1::Null(nil)
+ ]),
+ OpenSSL::ASN1::BitString(
+ OpenSSL::ASN1::Sequence([
+ OpenSSL::ASN1::Integer(RSA1024.n),
+ OpenSSL::ASN1::Integer(RSA1024.e)
+ ]).to_der
+ )
+ ])
+ key = OpenSSL::PKey::RSA.new(asn1.to_der)
+ assert_not_predicate key, :private?
+ assert_same_rsa dup_public(RSA1024), key
+
+ pem = <<~EOF
+ -----BEGIN PUBLIC KEY-----
+ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLwsSw1ECnPtT+PkOgHhcGA71n
+ wC2/nL85VBGnRqDxOqjVh7CxaKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbC
+ z0layNqHyywQEVLFmp1cpIt/Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU
+ 3+l54E6lF/JfFEU5hwIDAQAB
+ -----END PUBLIC KEY-----
+ EOF
+ key = OpenSSL::PKey::RSA.new(pem)
+ assert_same_rsa dup_public(RSA1024), key
- def test_export_password_funny
- key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- # this assertion may fail in the future because of OpenSSL change.
- # the current upper limit is 1024
- assert_raise(OpenSSL::OpenSSLError) do
- key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr' * 1024)
- end
- # password containing NUL byte
- pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
- assert_raise(ArgumentError) do
- OpenSSL::PKey.read(pem, "pass")
- end
- key2 = OpenSSL::PKey.read(pem, "pass\0wd")
- assert(key2.private?)
- key3 = OpenSSL::PKey::RSA.new(pem, "pass\0wd")
- assert(key3.private?)
+ assert_equal asn1.to_der, dup_public(RSA1024).to_der
+ assert_equal pem, dup_public(RSA1024).export
end
def test_dup
@@ -303,29 +229,9 @@ AwEAAQ==
end
private
-
- def check_PUBKEY(asn1, key)
- assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
- assert_equal(2, asn1.value.size)
- seq = asn1.value
- assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
- assert_equal(2, seq[0].value.size)
- algo_id = seq[0].value
- assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
- assert_equal('rsaEncryption', algo_id[0].value)
- assert_equal(OpenSSL::ASN1::NULL, algo_id[1].tag)
- assert_equal(nil, algo_id[1].value)
- assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
- assert_equal(0, seq[1].unused_bits)
- pub_key = OpenSSL::ASN1.decode(seq[1].value)
- assert_equal(OpenSSL::ASN1::SEQUENCE, pub_key.tag)
- assert_equal(2, pub_key.value.size)
- assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[0].tag)
- assert_equal(key.n, pub_key.value[0].value)
- assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag)
- assert_equal(key.e, pub_key.value[1].value)
+ def assert_same_rsa(expected, key)
+ check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp])
end
-
end
end
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index b1dc223..1b9548a 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -66,9 +66,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_not_started_session
- skip "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM
+ pend "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM
open(__FILE__) do |f|
- assert_nil OpenSSL::SSL::SSLSocket.new(f).cert
+ assert_nil EnvUtil.suppress_warning { OpenSSL::SSL::SSLSocket.new(f).cert }
end
end
@@ -196,16 +196,14 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_failure
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
start_server(vflag, true, :ignore_listener_error => true){|server, port|
- assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET){
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ssl.sync_close = true
- begin
- ssl.connect
- ensure
- ssl.close
- end
- }
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
+ ssl.sync_close = true
+ begin
+ assert_handshake_error { ssl.connect }
+ ensure
+ ssl.close
+ end
}
end
@@ -236,6 +234,24 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
+ def test_client_auth_public_key
+ vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+ start_server(vflag, true, ignore_listener_error: true) do |server, port|
+ assert_raise(ArgumentError) {
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.key = @cli_key.public_key
+ ctx.cert = @cli_cert
+ server_connect(port, ctx) { }
+ }
+
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.client_cert_cb = Proc.new{ |ssl|
+ [@cli_cert, @cli_key.public_key]
+ }
+ assert_handshake_error { server_connect(port, ctx) }
+ end
+ end
+
def test_client_ca
ctx_proc = Proc.new do |ctx|
ctx.client_ca = [@ca_cert]
@@ -321,7 +337,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@@ -335,12 +351,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params(
- :verify_callback => Proc.new do |preverify_ok, store_ctx|
- store_ctx.error = OpenSSL::X509::V_OK
- true
- end
- )
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+ store_ctx.error = OpenSSL::X509::V_OK
+ true
+ end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@@ -354,12 +369,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params(
- :verify_callback => Proc.new do |preverify_ok, store_ctx|
- store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
- false
- end
- )
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+ store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
+ false
+ end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@@ -375,12 +389,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params(
- :verify_callback => Proc.new do |preverify_ok, store_ctx|
- store_ctx.error = OpenSSL::X509::V_OK
- raise RuntimeError
- end
- )
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+ store_ctx.error = OpenSSL::X509::V_OK
+ raise RuntimeError
+ end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@@ -396,26 +409,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_sslctx_set_params
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params
- assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
- assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options)
- ciphers = ctx.ciphers
- ciphers_versions = ciphers.collect{|_, v, _, _| v }
- ciphers_names = ciphers.collect{|v, _, _, _| v }
- assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
- assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
- ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- ssl.sync_close = true
- begin
- assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
- assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
- ensure
- ssl.close
- end
- }
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.set_params
+ assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
+ ciphers = ctx.ciphers
+ ciphers_versions = ciphers.collect{|_, v, _, _| v }
+ ciphers_names = ciphers.collect{|v, _, _, _| v }
+ assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
+ assert(ciphers_names.all?{|v| /(RC4|MD5|EXP)/ !~ v })
+ assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
end
def test_post_connect_check_with_anon_ciphers
@@ -426,9 +428,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx.ciphers = "aNULL"
ctx.security_level = 0
server_connect(port, ctx) { |ssl|
- msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
- "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
- assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+ assert_raise_with_message(sslerr, /anonymous cipher suite/i){
+ ssl.post_connection_check("localhost.localdomain")
+ }
}
}
end if OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
@@ -687,11 +689,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx3 = OpenSSL::SSL::SSLContext.new
- ctx3.ciphers = "DH"
+ ctx3.ciphers = "aNULL"
+ ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx3.security_level = 0
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
ctx2.servername_cb = lambda { |args| ctx3 }
sock1, sock2 = socketpair
@@ -699,7 +701,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
+ ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -722,7 +724,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
+ ctx2.ciphers = "aNULL"
+ ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| Object.new }
@@ -731,7 +734,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
+ ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -756,12 +759,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx3 = OpenSSL::SSL::SSLContext.new
- ctx3.ciphers = "DH"
+ ctx3.ciphers = "aNULL"
+ ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx3.security_level = 0
assert_not_predicate ctx3, :frozen?
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
ctx2.servername_cb = lambda { |args| ctx3 }
sock1, sock2 = socketpair
@@ -769,7 +772,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
+ ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -791,7 +794,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
+ ctx2.ciphers = "aNULL"
+ ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| nil }
@@ -800,7 +804,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
+ ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -823,7 +827,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
+ ctx2.ciphers = "aNULL"
+ ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda do |args|
cb_socket = args[0]
@@ -836,7 +841,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
+ ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@@ -859,7 +864,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname)
ctx_proc = Proc.new do |ctx, ssl|
- foo_ctx = ctx.dup
+ foo_ctx = OpenSSL::SSL::SSLContext.new
ctx.servername_cb = Proc.new do |ssl2, hostname|
case hostname
@@ -892,6 +897,53 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
end
+ def test_verify_hostname_on_connect
+ ctx_proc = proc { |ctx|
+ now = Time.now
+ exts = [
+ ["keyUsage", "keyEncipherment,digitalSignature", true],
+ ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
+ "DNS:c*.example.com,DNS:d.*.example.com"],
+ ]
+ ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
+ @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+ ctx.key = @svr_key
+ }
+
+ start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc,
+ ignore_listener_error: true) do |svr, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_hostname = true
+ ctx.cert_store = OpenSSL::X509::Store.new
+ ctx.cert_store.add_cert(@ca_cert)
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+ [
+ ["a.example.com", true],
+ ["A.Example.Com", true],
+ ["x.example.com", false],
+ ["b.example.com", false],
+ ["x.b.example.com", true],
+ ["cx.example.com", true],
+ ["d.x.example.com", false],
+ ].each do |name, expected_ok|
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.hostname = name
+ if expected_ok
+ assert_nothing_raised { ssl.connect }
+ else
+ assert_handshake_error { ssl.connect }
+ end
+ ensure
+ ssl.close if ssl
+ sock.close if sock
+ end
+ end
+ end
+ end
+
def test_multibyte_read_write
#German a umlaut
auml = [%w{ C3 A4 }.join('')].pack('H*')
@@ -932,10 +984,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
- # different OpenSSL versions react differently when facing a SSL/TLS version
- # that has been marked as forbidden, therefore either of these may be raised
- HANDSHAKE_ERRORS = [OpenSSL::SSL::SSLError, Errno::ECONNRESET]
-
if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContext::METHODS.include?(:SSLv3)
def test_forbid_ssl_v3_for_client
@@ -943,7 +991,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :SSLv3
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -951,7 +999,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex
start_server_version(:SSLv3) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -970,7 +1018,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -978,7 +1026,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
start_server_version(:TLSv1) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -999,7 +1047,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_1
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
@@ -1007,7 +1055,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:TLSv1_1) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
@@ -1016,7 +1064,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_2
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
@@ -1024,7 +1072,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:TLSv1_2) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
@@ -1060,16 +1108,31 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
end
def test_alpn_protocol_selection_cancel
- ctx_proc = Proc.new { |ctx|
- ctx.alpn_select_cb = -> (protocols) { nil }
+ sock1, sock2 = socketpair
+
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.ciphers = "aNULL"
+ ctx1.security_level = 0
+ ctx1.alpn_select_cb = -> (protocols) { nil }
+ ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
+
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.ciphers = "aNULL"
+ ctx2.security_level = 0
+ ctx2.alpn_protocols = ["http/1.1"]
+ ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
+
+ t = Thread.new {
+ assert_handshake_error { ssl2.connect }
}
- assert_raise(MiniTest::Assertion) do # minitest/assertion comes from `assert_join_threads`
- start_server_version(:SSLv23, ctx_proc) { |server, port|
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.alpn_protocols = ["http/1.1"]
- assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx) }
- }
- end
+ assert_raise(TypeError) { ssl1.accept }
+ ensure
+ sock1&.close
+ sock2&.close
+ ssl1&.close
+ ssl2&.close
+ t&.kill
+ t&.join
end
end
@@ -1127,7 +1190,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { protocols.first }
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -1136,7 +1199,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { "a" * 256 }
- assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
+ assert_handshake_error { server_connect(port, ctx) }
}
end
@@ -1182,6 +1245,7 @@ end
# test it doesn't cause a segmentation fault
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
+ ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx.security_level = 0
sock1, sock2 = socketpair
@@ -1243,7 +1307,20 @@ end
# ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024
# ctx.security_level = 2
# assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 }
- skip "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
+ pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
+ end
+
+ def test_dup
+ ctx = OpenSSL::SSL::SSLContext.new
+ sock1, sock2 = socketpair
+ ssl = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
+
+ assert_raise(NoMethodError) { ctx.dup }
+ assert_raise(NoMethodError) { ssl.dup }
+ ensure
+ ssl.close if ssl
+ sock1.close
+ sock2.close
end
private
@@ -1276,6 +1353,14 @@ end
sock.close
end
end
+
+ def assert_handshake_error
+ # different OpenSSL versions react differently when facing a SSL/TLS version
+ # that has been marked as forbidden, therefore either of these may be raised
+ assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) {
+ yield
+ }
+ end
end
end
diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb
index 84686f6..9bcec10 100644
--- a/test/test_ssl_session.rb
+++ b/test/test_ssl_session.rb
@@ -369,6 +369,12 @@ __EOS__
assert(called[:get1])
assert(called[:get2])
end
+
+ def test_dup
+ sess_orig = OpenSSL::SSL::Session.new(DUMMY_SESSION)
+ sess_dup = sess_orig.dup
+ assert_equal(sess_orig.to_der, sess_dup.to_der)
+ end
end
end
diff --git a/test/test_x509attr.rb b/test/test_x509attr.rb
index 1ba8a87..d7473f1 100644
--- a/test/test_x509attr.rb
+++ b/test/test_x509attr.rb
@@ -12,6 +12,9 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase
attr = OpenSSL::X509::Attribute.new("extReq", val)
assert_equal("extReq", attr.oid)
assert_equal(val.to_der, attr.value.to_der)
+
+ attr = OpenSSL::X509::Attribute.new("1.2.840.113549.1.9.14", val)
+ assert_equal("extReq", attr.oid)
end
def test_from_der
@@ -51,6 +54,14 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase
}
assert_equal(test_der, attr.to_der)
end
+
+ def test_dup
+ val = OpenSSL::ASN1::Set([
+ OpenSSL::ASN1::UTF8String("abc123")
+ ])
+ attr = OpenSSL::X509::Attribute.new("challengePassword", val)
+ assert_equal(attr.to_der, attr.dup.to_der)
+ end
end
end
diff --git a/test/test_x509crl.rb b/test/test_x509crl.rb
index fd66c97..cd1ccc9 100644
--- a/test/test_x509crl.rb
+++ b/test/test_x509crl.rb
@@ -112,6 +112,10 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
assert_equal(1000, revoked.size)
assert_equal(1, revoked[0].serial)
assert_equal(1000, revoked[999].serial)
+
+ crl.revoked = revoked
+ revoked2 = crl.revoked
+ assert_equal(revoked.map(&:serial), revoked2.map(&:serial))
end
def test_extension
diff --git a/test/test_x509ext.rb b/test/test_x509ext.rb
index 99e2eda..79713c0 100644
--- a/test/test_x509ext.rb
+++ b/test/test_x509ext.rb
@@ -36,15 +36,15 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase
bc = ef.create_extension("basicConstraints", "CA:TRUE, pathlen:2", true)
assert_equal(@basic_constraints.to_der, bc.to_der)
- begin
- ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
- [crlDistPts]
- URI.1 = http://www.example.com/crl
- URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
- _end_of_cnf_
- rescue NotImplementedError
- return
- end
+ ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
+ [crlDistPts]
+ URI.1 = http://www.example.com/crl
+ URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
+
+ [certPolicies]
+ policyIdentifier = 2.23.140.1.2.1
+ CPS.1 = http://cps.example.com
+ _end_of_cnf_
cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
assert_equal(false, cdp.critical?)
@@ -61,6 +61,18 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase
assert_match(
%r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
cdp.value)
+
+ cp = ef.create_extension("certificatePolicies", "@certPolicies")
+ assert_equal(false, cp.critical?)
+ assert_equal("certificatePolicies", cp.oid)
+ assert_match(%r{2.23.140.1.2.1}, cp.value)
+ assert_match(%r{http://cps.example.com}, cp.value)
+ end
+
+ def test_dup
+ ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
+ assert_equal(@basic_constraints.to_der, ext.to_der)
+ assert_equal(ext.to_der, ext.dup.to_der)
end
end
diff --git a/test/test_x509name.rb b/test/test_x509name.rb
index b87d415..250f1d0 100644
--- a/test/test_x509name.rb
+++ b/test/test_x509name.rb
@@ -355,6 +355,11 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
assert_equal(expected, name_hash(name))
end
+
+ def test_dup
+ name = OpenSSL::X509::Name.parse("/CN=ruby-lang.org")
+ assert_equal(name.to_der, name.dup.to_der)
+ end
end
end
diff --git a/test/test_x509req.rb b/test/test_x509req.rb
index 53e5a43..086ccfb 100644
--- a/test/test_x509req.rb
+++ b/test/test_x509req.rb
@@ -139,7 +139,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
req.version = 1
assert_equal(false, req.verify(@rsa1024))
rescue OpenSSL::X509::RequestError
- skip
+ pend
end if defined?(OpenSSL::Digest::DSS1)
def test_sign_and_verify_dsa_md5
@@ -147,6 +147,11 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
end
+ def test_dup
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ assert_equal(req.to_der, req.dup.to_der)
+ end
+
private
def request_error_returns_false
diff --git a/test/test_x509store.rb b/test/test_x509store.rb
index 8dee167..e0fa07a 100644
--- a/test/test_x509store.rb
+++ b/test/test_x509store.rb
@@ -222,6 +222,13 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
}
end
end
+
+ def test_dup
+ store = OpenSSL::X509::Store.new
+ assert_raise(NoMethodError) { store.dup }
+ ctx = OpenSSL::X509::StoreContext.new(store)
+ assert_raise(NoMethodError) { ctx.dup }
+ end
end
end
diff --git a/test/ut_eof.rb b/test/ut_eof.rb
new file mode 100644
index 0000000..fcd7a63
--- /dev/null
+++ b/test/ut_eof.rb
@@ -0,0 +1,129 @@
+# frozen_string_literal: false
+require 'test/unit'
+
+module TestEOF
+ def test_eof_0
+ open_file("") {|f|
+ assert_equal("", f.read(0))
+ assert_equal("", f.read(0))
+ assert_equal("", f.read)
+ assert_equal("", f.read(0))
+ assert_equal("", f.read(0))
+ }
+ open_file("") {|f|
+ assert_nil(f.read(1))
+ assert_equal("", f.read)
+ assert_nil(f.read(1))
+ }
+ open_file("") {|f|
+ s = "x"
+ assert_equal("", f.read(nil, s))
+ assert_equal("", s)
+ }
+ open_file("") {|f|
+ s = "x"
+ assert_nil(f.read(10, s))
+ assert_equal("", s)
+ }
+ end
+
+ def test_eof_0_rw
+ return unless respond_to? :open_file_rw
+ open_file_rw("") {|f|
+ assert_equal("", f.read)
+ assert_equal("", f.read)
+ assert_equal(0, f.syswrite(""))
+ assert_equal("", f.read)
+ }
+ end
+
+ def test_eof_1
+ open_file("a") {|f|
+ assert_equal("", f.read(0))
+ assert_equal("a", f.read(1))
+ assert_equal("" , f.read(0))
+ assert_equal("" , f.read(0))
+ assert_equal("", f.read)
+ assert_equal("", f.read(0))
+ assert_equal("", f.read(0))
+ }
+ open_file("a") {|f|
+ assert_equal("a", f.read(1))
+ assert_nil(f.read(1))
+ }
+ open_file("a") {|f|
+ assert_equal("a", f.read(2))
+ assert_nil(f.read(1))
+ assert_equal("", f.read)
+ assert_nil(f.read(1))
+ }
+ open_file("a") {|f|
+ assert_equal("a", f.read)
+ assert_nil(f.read(1))
+ assert_equal("", f.read)
+ assert_nil(f.read(1))
+ }
+ open_file("a") {|f|
+ assert_equal("a", f.read(2))
+ assert_equal("", f.read)
+ assert_equal("", f.read)
+ }
+ open_file("a") {|f|
+ assert_equal("a", f.read)
+ assert_equal("", f.read(0))
+ }
+ open_file("a") {|f|
+ s = "x"
+ assert_equal("a", f.read(nil, s))
+ assert_equal("a", s)
+ }
+ open_file("a") {|f|
+ s = "x"
+ assert_equal("a", f.read(10, s))
+ assert_equal("a", s)
+ }
+ end
+
+ def test_eof_2
+ open_file("") {|f|
+ assert_equal("", f.read)
+ assert_predicate(f, :eof?)
+ }
+ end
+
+ def test_eof_3
+ open_file("") {|f|
+ assert_predicate(f, :eof?)
+ }
+ end
+
+ module Seek
+ def open_file_seek(content, pos)
+ open_file(content) do |f|
+ f.seek(pos)
+ yield f
+ end
+ end
+
+ def test_eof_0_seek
+ open_file_seek("", 10) {|f|
+ assert_equal(10, f.pos)
+ assert_equal("", f.read(0))
+ assert_equal("", f.read)
+ assert_equal("", f.read(0))
+ assert_equal("", f.read)
+ }
+ end
+
+ def test_eof_1_seek
+ open_file_seek("a", 10) {|f|
+ assert_equal("", f.read)
+ assert_equal("", f.read)
+ }
+ open_file_seek("a", 1) {|f|
+ assert_equal("", f.read)
+ assert_equal("", f.read)
+ }
+ end
+ end
+end
diff --git a/test/utils.rb b/test/utils.rb
index f306b5d..2288a26 100644
--- a/test/utils.rb
+++ b/test/utils.rb
@@ -8,11 +8,13 @@ begin
OpenSSL.fips_mode=false
rescue LoadError
end
+
require "test/unit"
require "digest/md5"
require 'tempfile'
require "rbconfig"
require "socket"
+require "envutil"
module OpenSSL::TestUtils
TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
@@ -260,7 +262,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
return
end
ssl = ssls.accept
- rescue OpenSSL::SSL::SSLError
+ rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
if ignore_listener_error
retry
else
@@ -348,5 +350,39 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
end
end
+ class OpenSSL::PKeyTestCase < OpenSSL::TestCase
+ def check_component(base, test, keys)
+ keys.each { |comp|
+ assert_equal base.send(comp), test.send(comp)
+ }
+ end
+
+ def dup_public(key)
+ case key
+ when OpenSSL::PKey::RSA
+ rsa = OpenSSL::PKey::RSA.new
+ rsa.set_key(key.n, key.e, nil)
+ rsa
+ when OpenSSL::PKey::DSA
+ dsa = OpenSSL::PKey::DSA.new
+ dsa.set_pqg(key.p, key.q, key.g)
+ dsa.set_key(key.pub_key, nil)
+ dsa
+ when OpenSSL::PKey::DH
+ dh = OpenSSL::PKey::DH.new
+ dh.set_pqg(key.p, nil, key.g)
+ dh
+ else
+ if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
+ ec = OpenSSL::PKey::EC.new(key.group)
+ ec.public_key = key.public_key
+ ec
+ else
+ raise "unknown key type"
+ end
+ end
+ end
+ end
+
end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and
/\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION