author | Kazuki Yamaguchi <k@rhe.jp> | 2016-06-29 22:23:58 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-06-29 22:25:32 +0900 |
commit | 08e1881f5663ceb3527c8953f353dfaef42062fb (patch) | |
tree | 8a463451deb2f751e9e15623800d4fbc17a8b4bd | |
parent | dfed7a990d1f812a8d3efb84e644059c753187cc (diff) | |
parent | 32841963a3828cc40cd17462eae4d7fad96d418b (diff) | |
download | ruby-openssl-08e1881f5663ceb3527c8953f353dfaef42062fb.tar.gz |
Merge changes from Ruby trunk r55457..r55538
* ruby-trunk r55457..r55538: (4 commits)
(r55538) openssl: fix for OpenSSL 1.0.0t
(r55523) * ext/digest/md5/md5ossl.h: Remove excess semicolons. Sup..
(r55503) Refine assertion
(r55502) openssl: ignore test failure caused by LibreSSL bug
Sync-with-trunk: r55538
-rw-r--r-- | ext/openssl/ossl_ocsp.c | 58 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey_rsa.c | 6 | ||||
-rw-r--r-- | test/test_ocsp.rb | 14 |
3 files changed, 50 insertions, 28 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index bb5eb5a8..c0f2dfef 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -225,17 +225,20 @@ static VALUE
 ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
 {
 VALUE arg;
+ OCSP_REQUEST *req, *req_new;
 const unsigned char *p;
 rb_scan_args(argc, argv, "01", &arg);
 if(!NIL_P(arg)){
- OCSP_REQUEST *req;
 GetOCSPReq(self, req);
 arg = ossl_to_der_if_possible(arg);
 StringValue(arg);
 p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg)))
- ossl_raise(eOCSPError, "cannot load DER encoded request");
+ req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
+ if (!req_new) ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
+ SetOCSPReq(self, req_new);
+ OCSP_REQUEST_free(req);
 }
 return self;
@@ -536,17 +539,20 @@ static VALUE
 ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
 {
 VALUE arg;
+ OCSP_RESPONSE *res, *res_new;
 const unsigned char *p;
 rb_scan_args(argc, argv, "01", &arg);
 if(!NIL_P(arg)){
- OCSP_RESPONSE *res;
 GetOCSPRes(self, res);
 arg = ossl_to_der_if_possible(arg);
 StringValue(arg);
 p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_RESPONSE(&res, &p, RSTRING_LEN(arg)))
- ossl_raise(eOCSPError, "cannot load DER encoded response");
+ res_new = d2i_OCSP_RESPONSE(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new) ossl_raise(eOCSPError, "d2i_OCSP_RESPONSE");
+ SetOCSPRes(self, res_new);
+ OCSP_RESPONSE_free(res);
 }
 return self;
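Review bot: Trailing bytes after the DER object are still accepted silently on the `req_new = d2i_OCSP_REQUEST(...)` line: `d2i_*` advances `p` only past the structure it decoded and nothing afterwards compares `p` with the end of `arg`, so a request followed by junk decodes successfully. If strict DER is wanted the check below closes the gap; note that the freshly decoded `req_new` must be freed before `ossl_raise`, because at that point it is not yet owned by `self`. Passing `NULL` instead of `&req` is the real fix here and deserves a comment so it is not "simplified" back later: with the OpenSSL release the commit message targets, `d2i_*` apparently frees a non-NULL `*a` on failure, which with the old code left the Ruby object holding a freed pointer until GC; suggest `/* decode into a new object: d2i_*() may free a non-NULL *a on error */` above the `req_new =` line. The same two remarks apply to the response initializer in the next hunk.
```c
if (!req_new)
    ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
if (p != (const unsigned char *)RSTRING_PTR(arg) + RSTRING_LEN(arg)) {
    OCSP_REQUEST_free(req_new);
    ossl_raise(eOCSPError, "trailing data after OCSP request");
}
/* … unchanged: SetOCSPReq(self, req_new); OCSP_REQUEST_free(req); … */
```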
@@ -688,17 +694,20 @@ static VALUE
 ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
 {
 VALUE arg;
+ OCSP_BASICRESP *res, *res_new;
 const unsigned char *p;
 rb_scan_args(argc, argv, "01", &arg);
 if (!NIL_P(arg)) {
- OCSP_BASICRESP *res;
 GetOCSPBasicRes(self, res);
 arg = ossl_to_der_if_possible(arg);
 StringValue(arg);
 p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_BASICRESP(&res, &p, RSTRING_LEN(arg)))
+ res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new) ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
+ SetOCSPBasicRes(self, res_new);
+ OCSP_BASICRESP_free(res);
 }
 return self;
@@ -1127,7 +1136,7 @@ ossl_ocspsres_alloc(VALUE klass)
 static VALUE
 ossl_ocspsres_initialize(VALUE self, VALUE arg)
 {
- OCSP_SINGLERESP *res;
+ OCSP_SINGLERESP *res, *res_new;
 const unsigned char *p;
 arg = ossl_to_der_if_possible(arg);
@@ -1135,8 +1144,11 @@ ossl_ocspsres_initialize(VALUE self, VALUE arg)
 GetOCSPSingleRes(self, res);
 p = (unsigned char*)RSTRING_PTR(arg);
- if (!d2i_OCSP_SINGLERESP(&res, &p, RSTRING_LEN(arg)))
+ res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new) ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
+ SetOCSPSingleRes(self, res_new);
+ OCSP_SINGLERESP_free(res);
 return self;
 }
@@ -1432,9 +1444,7 @@ static VALUE
 ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
 {
 OCSP_CERTID *id, *newid;
- X509 *x509s, *x509i;
 VALUE subject, issuer, digest;
- const EVP_MD *md;
 GetOCSPCertId(self, id);
 if (rb_scan_args(argc, argv, "12", &subject, &issuer, &digest) == 1) {
@@ -1444,25 +1454,25 @@ ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
 arg = ossl_to_der_if_possible(subject);
 StringValue(arg);
 p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_CERTID(&id, &p, RSTRING_LEN(arg)))
+ newid = d2i_OCSP_CERTID(NULL, &p, RSTRING_LEN(arg));
+ if (!newid) ossl_raise(eOCSPError, "d2i_OCSP_CERTID");
-
- return self;
 }
+ else {
+ X509 *x509s, *x509i;
+ const EVP_MD *md;
- x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
- x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
+ x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
+ x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
+ md = !NIL_P(digest) ? GetDigestPtr(digest) : NULL;
- if (!NIL_P(digest)) {
- md = GetDigestPtr(digest);
 newid = OCSP_cert_to_id(md, x509s, x509i);
- } else {
- newid = OCSP_cert_to_id(NULL, x509s, x509i);
+ if (!newid)
+ ossl_raise(eOCSPError, "OCSP_cert_to_id");
 }
- if(!newid)
- ossl_raise(eOCSPError, NULL);
- OCSP_CERTID_free(id);
+ SetOCSPCertId(self, newid);
+ OCSP_CERTID_free(id);
 return self;
 }
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index 2326a70f..f1b4f04c 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -656,9 +656,9 @@ ossl_rsa_blinding_off(VALUE self)
 }
 */
-OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d);
-OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q);
-OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp);
+OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d)
+OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q)
+OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp)
 /*
 * INIT
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
index f1e34982..10f7c92d 100644
--- a/test/test_ocsp.rb
+++ b/test/test_ocsp.rb
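Review bot: `md = !NIL_P(digest) ? GetDigestPtr(digest) : NULL;` hands a NULL digest to `OCSP_cert_to_id`, which then picks OpenSSL's own default hash for issuerNameHash/issuerKeyHash (SHA-1, according to the OpenSSL documentation for that function); that default is interoperable but is invisible both here and to a user of the Ruby API, so record it, e.g. `/* NULL md: OCSP_cert_to_id() defaults to SHA-1 */` on that line. In the DER branch `subject` goes through `ossl_to_der_if_possible`, so a caller who passes an `X509::Certificate` and forgets `issuer` gets the opaque `d2i_OCSP_CERTID` error instead of an argument error; a comment stating that the one-argument form is DER-only would make that failure easier to diagnose. The function's opening and the `if (rb_scan_args(...) == 1)` that selects the branch lie outside this hunk.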
@@ -140,6 +140,12 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
 assert_equal cid.to_der, asn1.value[0].value.find { |a| a.class == OpenSSL::ASN1::Sequence }.value[0].value[0].to_der
 assert_equal OpenSSL::ASN1.Sequence([@cert2, @ca_cert]).to_der, asn1.value[3].value[0].to_der
 assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der
+ rescue TypeError
+ if /GENERALIZEDTIME/ =~ $!.message
+ pend "OCSP_basic_sign() is broken"
+ else
+ raise
+ end
 end
 def test_basic_response_sign_verify
@@ -177,7 +183,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
 assert_equal OpenSSL::OCSP::V_CERTSTATUS_REVOKED, single.cert_status
 assert_equal OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, single.revocation_reason
 assert_equal now - 400, single.revocation_time
- assert_equal now - 300, single.this_update
+ assert_in_delta (now - 301), single.this_update, 1
 assert_equal nil, single.next_update
 assert_equal [], single.extensions
@@ -203,6 +209,12 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
 cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
 bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, [])
 bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, [])
+ bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil)
+
+ if bres.responses[2].check_validity # thisUpdate is in future; must fail
+ # LibreSSL bug; skip for now
+ pend "OCSP_check_validity() is broken"
+ end
 single1 = bres.responses[0]
 assert_equal false, single1.check_validity |
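Review bot: The new `rescue TypeError` attaches to the whole method (its `def` is outside the hunk) and skips on nothing more specific than the exception text matching `/GENERALIZEDTIME/`, so a TypeError raised by any statement in the body for an unrelated reason that happens to mention that type is also pended, on every library build. Scoping the rescue to the single call that misbehaves — presumably the `sign` earlier in the method, which is not shown here — and, where the project can detect the affected library version, gating the `pend` on it keeps the workaround from hiding a regression in ruby-openssl's own code. A one-line comment naming the library and version being worked around would also help whoever later decides whether it can be removed; the commit message mentions both an OpenSSL 1.0.0t fix and a LibreSSL bug, but this hunk does not say which one applies.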
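Review bot: The `if bres.responses[2].check_validity` guard pends the test on every library whenever the future-dated response is wrongly accepted, so a regression in ruby-openssl's own `check_validity` binding — the check that decides whether a not-yet-valid or stale OCSP response is trusted — would surface as a skip rather than a failure. Since the comment attributes the bug to LibreSSL, condition the skip on that build using whatever library detection the test helpers provide (something like `pend "OCSP_check_validity() is broken" if libressl?`, if such a helper exists), and let other builds fail outright. It is also worth adding an explicit `assert_equal false, bres.responses[2].check_validity` after the guard so the future-`thisUpdate` case is a positive assertion rather than only a skip condition.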