aboutsummaryrefslogtreecommitdiffstats
path: root/ext
diff options
context:
space:
mode:
Diffstat (limited to 'ext')
-rw-r--r--ext/openssl/ossl.c11
-rw-r--r--ext/openssl/ossl_bn.c104
-rw-r--r--ext/openssl/ossl_bn.h3
-rw-r--r--ext/openssl/ossl_ssl.c83
-rw-r--r--ext/openssl/ossl_ts.c32
-rw-r--r--ext/openssl/ossl_x509store.c19
6 files changed, 175 insertions, 77 deletions
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 523d72e2..7bdf3a2e 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -497,8 +497,11 @@ print_mem_leaks(VALUE self)
int ret;
#endif
- BN_CTX_free(ossl_bn_ctx);
- ossl_bn_ctx = NULL;
+#ifndef HAVE_RB_EXT_RACTOR_SAFE
+ // for Ruby 2.x
+ void ossl_bn_ctx_free(void); // ossl_bn.c
+ ossl_bn_ctx_free();
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000
ret = CRYPTO_mem_leaks_fp(stderr);
@@ -1126,6 +1129,10 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
void
Init_openssl(void)
{
+#if HAVE_RB_EXT_RACTOR_SAFE
+ rb_ext_ractor_safe(true);
+#endif
+
#undef rb_intern
/*
* Init timezone info
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index 6493e051..bec37299 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -10,6 +10,10 @@
/* modified by Michal Rokos <m.rokos@sh.cvut.cz> */
#include "ossl.h"
+#if HAVE_RB_EXT_RACTOR_SAFE
+#include <ruby/ractor.h>
+#endif
+
#define NewBN(klass) \
TypedData_Wrap_Struct((klass), &ossl_bn_type, 0)
#define SetBN(obj, bn) do { \
@@ -150,12 +154,58 @@ ossl_bn_value_ptr(volatile VALUE *ptr)
/*
* Private
*/
-/*
- * BN_CTX - is used in more difficult math. ops
- * (Why just 1? Because Ruby itself isn't thread safe,
- * we don't need to care about threads)
- */
-BN_CTX *ossl_bn_ctx;
+
+#if HAVE_RB_EXT_RACTOR_SAFE
+void
+ossl_bn_ctx_free(void *ptr)
+{
+ BN_CTX *ctx = (BN_CTX *)ptr;
+ BN_CTX_free(ctx);
+}
+
+struct rb_ractor_local_storage_type ossl_bn_ctx_key_type = {
+ NULL, // mark
+ ossl_bn_ctx_free,
+};
+
+rb_ractor_local_key_t ossl_bn_ctx_key;
+
+BN_CTX *
+ossl_bn_ctx_get(void)
+{
+ // stored in ractor local storage
+
+ BN_CTX *ctx = rb_ractor_local_storage_ptr(ossl_bn_ctx_key);
+ if (!ctx) {
+ if (!(ctx = BN_CTX_new())) {
+ ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
+ }
+ rb_ractor_local_storage_ptr_set(ossl_bn_ctx_key, ctx);
+ }
+ return ctx;
+}
+#else
+// for ruby 2.x
+static BN_CTX *gv_ossl_bn_ctx;
+
+BN_CTX *
+ossl_bn_ctx_get(void)
+{
+ if (gv_ossl_bn_ctx == NULL) {
+ if (!(gv_ossl_bn_ctx = BN_CTX_new())) {
+ ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
+ }
+ }
+ return gv_ossl_bn_ctx;
+}
+
+void
+ossl_bn_ctx_free(void)
+{
+ BN_CTX_free(gv_ossl_bn_ctx);
+ gv_ossl_bn_ctx = NULL;
+}
+#endif
static VALUE
ossl_bn_alloc(VALUE klass)
@@ -403,7 +453,7 @@ ossl_bn_is_negative(VALUE self)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, bn, ossl_bn_ctx)) { \
+ if (BN_##func(result, bn, ossl_bn_ctx) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -429,7 +479,7 @@ BIGNUM_1c(sqr)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, bn1, bn2)) { \
+ if (BN_##func(result, bn1, bn2) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -462,7 +512,7 @@ BIGNUM_2(sub)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, bn1, bn2, ossl_bn_ctx)) { \
+ if (BN_##func(result, bn1, bn2, ossl_bn_ctx) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -506,11 +556,21 @@ BIGNUM_2c(gcd)
BIGNUM_2c(mod_sqr)
/*
- * Document-method: OpenSSL::BN#mod_inverse
* call-seq:
- * bn.mod_inverse(bn2) => aBN
+ * bn.mod_inverse(bn2) => aBN
*/
-BIGNUM_2c(mod_inverse)
+static VALUE
+ossl_bn_mod_inverse(VALUE self, VALUE other)
+{
+ BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
+ VALUE obj;
+ GetBN(self, bn1);
+ obj = NewBN(rb_obj_class(self));
+ if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
+ ossl_raise(eBNError, "BN_mod_inverse");
+ SetBN(obj, result);
+ return obj;
+}
/*
* call-seq:
@@ -559,7 +619,7 @@ ossl_bn_div(VALUE self, VALUE other)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, bn1, bn2, bn3, ossl_bn_ctx)) { \
+ if (BN_##func(result, bn1, bn2, bn3, ossl_bn_ctx) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -601,7 +661,7 @@ BIGNUM_3c(mod_exp)
{ \
BIGNUM *bn; \
GetBN(self, bn); \
- if (!BN_##func(bn, NUM2INT(bit))) { \
+ if (BN_##func(bn, NUM2INT(bit)) <= 0) { \
ossl_raise(eBNError, NULL); \
} \
return self; \
@@ -661,7 +721,7 @@ ossl_bn_is_bit_set(VALUE self, VALUE bit)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, bn, b)) { \
+ if (BN_##func(result, bn, b) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -691,7 +751,7 @@ BIGNUM_SHIFT(rshift)
int b; \
b = NUM2INT(bits); \
GetBN(self, bn); \
- if (!BN_##func(bn, bn, b)) \
+ if (BN_##func(bn, bn, b) <= 0) \
ossl_raise(eBNError, NULL); \
return self; \
}
@@ -730,7 +790,7 @@ BIGNUM_SELF_SHIFT(rshift)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func(result, b, top, bottom)) { \
+ if (BN_##func(result, b, top, bottom) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -759,7 +819,7 @@ BIGNUM_RAND(pseudo_rand)
if (!(result = BN_new())) { \
ossl_raise(eBNError, NULL); \
} \
- if (!BN_##func##_range(result, bn)) { \
+ if (BN_##func##_range(result, bn) <= 0) { \
BN_free(result); \
ossl_raise(eBNError, NULL); \
} \
@@ -1092,9 +1152,11 @@ Init_ossl_bn(void)
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
- if (!(ossl_bn_ctx = BN_CTX_new())) {
- ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");
- }
+#ifdef HAVE_RB_EXT_RACTOR_SAFE
+ ossl_bn_ctx_key = rb_ractor_local_storage_ptr_newkey(&ossl_bn_ctx_key_type);
+#else
+ ossl_bn_ctx_get();
+#endif
eBNError = rb_define_class_under(mOSSL, "BNError", eOSSLError);
diff --git a/ext/openssl/ossl_bn.h b/ext/openssl/ossl_bn.h
index a19ba194..1cc041fc 100644
--- a/ext/openssl/ossl_bn.h
+++ b/ext/openssl/ossl_bn.h
@@ -13,7 +13,8 @@
extern VALUE cBN;
extern VALUE eBNError;
-extern BN_CTX *ossl_bn_ctx;
+BN_CTX *ossl_bn_ctx_get(void);
+#define ossl_bn_ctx ossl_bn_ctx_get()
#define GetBNPtr(obj) ossl_bn_value_ptr(&(obj))
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 35cf305f..c38142bf 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -13,6 +13,12 @@
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
+#if !defined(TLS1_3_VERSION) && \
+ defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER >= 0x3020000fL
+# define TLS1_3_VERSION 0x0304
+#endif
+
#ifdef _WIN32
# define TO_SOCKET(s) _get_osfhandle(s)
#else
@@ -1641,6 +1647,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
rb_io_wait_readable(fptr->fd);
continue;
case SSL_ERROR_SYSCALL:
+#ifdef __APPLE__
+ /* See ossl_ssl_write_internal() */
+ if (errno == EPROTOTYPE)
+ continue;
+#endif
if (errno) rb_sys_fail(funcname);
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
@@ -1932,6 +1943,16 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
rb_io_wait_readable(fptr->fd);
continue;
case SSL_ERROR_SYSCALL:
+#ifdef __APPLE__
+ /*
+ * It appears that send syscall can return EPROTOTYPE if the
+ * socket is being torn down. Retry to get a proper errno to
+ * make the error handling in line with the socket library.
+ * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
+ */
+ if (errno == EPROTOTYPE)
+ continue;
+#endif
if (errno) rb_sys_fail(0);
default:
ossl_raise(eSSLError, "SSL_write");
@@ -2406,8 +2427,6 @@ ossl_ssl_tmp_key(VALUE self)
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
-#undef rb_intern
-#define rb_intern(s) rb_intern_const(s)
void
Init_ossl_ssl(void)
{
@@ -2418,8 +2437,8 @@ Init_ossl_ssl(void)
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
#endif
- id_call = rb_intern("call");
- ID_callback_state = rb_intern("callback_state");
+ id_call = rb_intern_const("call");
+ ID_callback_state = rb_intern_const("callback_state");
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
if (ossl_ssl_ex_vcb_idx < 0)
@@ -2486,7 +2505,7 @@ Init_ossl_ssl(void)
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
* It is recommended to use #add_certificate instead.
*/
- rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
/*
* Context private key
@@ -2494,29 +2513,29 @@ Init_ossl_ssl(void)
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
* It is recommended to use #add_certificate instead.
*/
- rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
/*
* A certificate or Array of certificates that will be sent to the client.
*/
- rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
/*
* The path to a file containing a PEM-format CA certificate
*/
- rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
/*
* The path to a directory containing CA certificates in PEM format.
*
* Files are looked up by subject's X509 name's hash value.
*/
- rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
/*
* Maximum session lifetime in seconds.
*/
- rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
/*
* Session verification mode.
@@ -2529,12 +2548,12 @@ Init_ossl_ssl(void)
*
* See SSL_CTX_set_verify(3) for details.
*/
- rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
/*
* Number of CA certificates to walk when verifying a certificate chain.
*/
- rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
/*
* A callback for additional certificate verification. The callback is
@@ -2548,7 +2567,7 @@ Init_ossl_ssl(void)
* If the callback returns +false+, the chain verification is immediately
* stopped and a bad_certificate alert is then sent.
*/
- rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
/*
* Whether to check the server certificate is valid for the hostname.
@@ -2556,12 +2575,12 @@ Init_ossl_ssl(void)
* In order to make this work, verify_mode must be set to VERIFY_PEER and
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
*/
- rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
/*
* An OpenSSL::X509::Store used for certificate verification.
*/
- rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
/*
* An Array of extra X509 certificates to be added to the certificate
@@ -2570,7 +2589,7 @@ Init_ossl_ssl(void)
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
* It is recommended to use #add_certificate instead.
*/
- rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
/*
* A callback invoked when a client certificate is requested by a server
@@ -2580,14 +2599,14 @@ Init_ossl_ssl(void)
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
* other value is returned the handshake is suspended.
*/
- rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
/*
* Sets the context in which a session can be reused. This allows
* sessions for multiple applications to be distinguished, for example, by
* name.
*/
- rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
/*
* A callback invoked on a server when a session is proposed by the client
@@ -2596,7 +2615,7 @@ Init_ossl_ssl(void)
* The callback is invoked with the SSLSocket and session id. The
* callback may return a Session from an external cache.
*/
- rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
/*
* A callback invoked when a new session was negotiated.
@@ -2604,7 +2623,7 @@ Init_ossl_ssl(void)
* The callback is invoked with an SSLSocket. If +false+ is returned the
* session will be removed from the internal cache.
*/
- rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
/*
* A callback invoked when a session is removed from the internal cache.
@@ -2615,7 +2634,7 @@ Init_ossl_ssl(void)
* multi-threaded application. The callback is called inside a global lock
* and it can randomly cause deadlock on Ruby thread switching.
*/
- rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
@@ -2638,7 +2657,7 @@ Init_ossl_ssl(void)
* raise RuntimeError, "Client renegotiation disabled"
* end
*/
- rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
#ifndef OPENSSL_NO_NEXTPROTONEG
/*
* An Enumerable of Strings. Each String represents a protocol to be
@@ -2651,7 +2670,7 @@ Init_ossl_ssl(void)
*
* ctx.npn_protocols = ["http/1.1", "spdy/2"]
*/
- rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
/*
* A callback invoked on the client side when the client needs to select
* a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
@@ -2668,7 +2687,7 @@ Init_ossl_ssl(void)
* protocols.first
* end
*/
- rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
#endif
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@@ -2683,7 +2702,7 @@ Init_ossl_ssl(void)
*
* ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
*/
- rb_attr(cSSLContext, rb_intern("alpn_protocols"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
/*
* A callback invoked on the server side when the server needs to select
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
@@ -2700,7 +2719,7 @@ Init_ossl_ssl(void)
* protocols.first
* end
*/
- rb_attr(cSSLContext, rb_intern("alpn_select_cb"), 1, 1, Qfalse);
+ rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
#endif
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
@@ -2928,15 +2947,15 @@ Init_ossl_ssl(void)
#endif
- sym_exception = ID2SYM(rb_intern("exception"));
- sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
- sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
+ sym_exception = ID2SYM(rb_intern_const("exception"));
+ sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
+ sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
- id_tmp_dh_callback = rb_intern("tmp_dh_callback");
- id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
+ id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
+ id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
#define DefIVarID(name) do \
- id_i_##name = rb_intern("@"#name); while (0)
+ id_i_##name = rb_intern_const("@"#name); while (0)
DefIVarID(cert_store);
DefIVarID(ca_file);
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
index d59c9348..9450e435 100644
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@@ -68,9 +68,9 @@ static VALUE cTimestampRequest;
static VALUE cTimestampResponse;
static VALUE cTimestampTokenInfo;
static VALUE cTimestampFactory;
-static ID sBAD_ALG, sBAD_REQUEST, sBAD_DATA_FORMAT, sTIME_NOT_AVAILABLE;
-static ID sUNACCEPTED_POLICY, sUNACCEPTED_EXTENSION, sADD_INFO_NOT_AVAILABLE;
-static ID sSYSTEM_FAILURE;
+static VALUE sBAD_ALG, sBAD_REQUEST, sBAD_DATA_FORMAT, sTIME_NOT_AVAILABLE;
+static VALUE sUNACCEPTED_POLICY, sUNACCEPTED_EXTENSION, sADD_INFO_NOT_AVAILABLE;
+static VALUE sSYSTEM_FAILURE;
static void
ossl_ts_req_free(void *ptr)
@@ -1247,24 +1247,24 @@ Init_ossl_ts(void)
* timestamp server rejects the message imprint algorithm used in the
* +Request+
*/
- sBAD_ALG = rb_intern("BAD_ALG");
+ sBAD_ALG = ID2SYM(rb_intern_const("BAD_ALG"));
/*
* Possible return value for +Response#failure_info+. Indicates that the
* timestamp server was not able to process the +Request+ properly.
*/
- sBAD_REQUEST = rb_intern("BAD_REQUEST");
+ sBAD_REQUEST = ID2SYM(rb_intern_const("BAD_REQUEST"));
/*
* Possible return value for +Response#failure_info+. Indicates that the
* timestamp server was not able to parse certain data in the +Request+.
*/
- sBAD_DATA_FORMAT = rb_intern("BAD_DATA_FORMAT");
+ sBAD_DATA_FORMAT = ID2SYM(rb_intern_const("BAD_DATA_FORMAT"));
- sTIME_NOT_AVAILABLE = rb_intern("TIME_NOT_AVAILABLE");
- sUNACCEPTED_POLICY = rb_intern("UNACCEPTED_POLICY");
- sUNACCEPTED_EXTENSION = rb_intern("UNACCEPTED_EXTENSION");
- sADD_INFO_NOT_AVAILABLE = rb_intern("ADD_INFO_NOT_AVAILABLE");
- sSYSTEM_FAILURE = rb_intern("SYSTEM_FAILURE");
+ sTIME_NOT_AVAILABLE = ID2SYM(rb_intern_const("TIME_NOT_AVAILABLE"));
+ sUNACCEPTED_POLICY = ID2SYM(rb_intern_const("UNACCEPTED_POLICY"));
+ sUNACCEPTED_EXTENSION = ID2SYM(rb_intern_const("UNACCEPTED_EXTENSION"));
+ sADD_INFO_NOT_AVAILABLE = ID2SYM(rb_intern_const("ADD_INFO_NOT_AVAILABLE"));
+ sSYSTEM_FAILURE = ID2SYM(rb_intern_const("SYSTEM_FAILURE"));
/* Document-class: OpenSSL::Timestamp
* Provides classes and methods to request, create and validate
@@ -1503,11 +1503,11 @@ Init_ossl_ts(void)
*
*/
cTimestampFactory = rb_define_class_under(mTimestamp, "Factory", rb_cObject);
- rb_attr(cTimestampFactory, rb_intern("allowed_digests"), 1, 1, 0);
- rb_attr(cTimestampFactory, rb_intern("default_policy_id"), 1, 1, 0);
- rb_attr(cTimestampFactory, rb_intern("serial_number"), 1, 1, 0);
- rb_attr(cTimestampFactory, rb_intern("gen_time"), 1, 1, 0);
- rb_attr(cTimestampFactory, rb_intern("additional_certs"), 1, 1, 0);
+ rb_attr(cTimestampFactory, rb_intern_const("allowed_digests"), 1, 1, 0);
+ rb_attr(cTimestampFactory, rb_intern_const("default_policy_id"), 1, 1, 0);
+ rb_attr(cTimestampFactory, rb_intern_const("serial_number"), 1, 1, 0);
+ rb_attr(cTimestampFactory, rb_intern_const("gen_time"), 1, 1, 0);
+ rb_attr(cTimestampFactory, rb_intern_const("additional_certs"), 1, 1, 0);
rb_define_method(cTimestampFactory, "create_timestamp", ossl_tsfac_create_ts, 3);
}
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 1eaaf4b3..5e0ab8d8 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -546,7 +546,7 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
/*
* call-seq:
- * StoreContext.new(store, cert = nil, chain = nil)
+ * StoreContext.new(store, cert = nil, untrusted = nil)
*
* Sets up a StoreContext for a verification of the X.509 certificate _cert_.
*/
@@ -558,15 +558,24 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
X509_STORE *x509st;
X509 *x509 = NULL;
STACK_OF(X509) *x509s = NULL;
+ int state;
rb_scan_args(argc, argv, "12", &store, &cert, &chain);
GetX509StCtx(self, ctx);
GetX509Store(store, x509st);
- if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
- if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
- if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
+ if (!NIL_P(cert))
+ x509 = DupX509CertPtr(cert); /* NEED TO DUP */
+ if (!NIL_P(chain)) {
+ x509s = ossl_protect_x509_ary2sk(chain, &state);
+ if (state) {
+ X509_free(x509);
+ rb_jump_tag(state);
+ }
+ }
+ if (X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
+ X509_free(x509);
sk_X509_pop_free(x509s, X509_free);
- ossl_raise(eX509StoreError, NULL);
+ ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
}
if (!NIL_P(t = rb_iv_get(store, "@time")))
ossl_x509stctx_set_time(self, t);
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-10 04:49:50 +0000