openssl: import v2.0.1

Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1

This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

25 files changed, 81 insertions, 78 deletions

diff --git a/ext/openssl/openssl.gemspec b/ext/openssl/openssl.gemspec
index 2390da4e22..e8fd20f94e 100644
--- a/ext/openssl/openssl.gemspec
+++ b/ext/openssl/openssl.gemspec
@@ -1,15 +1,15 @@
 # -*- encoding: utf-8 -*-
-# stub: openssl 2.0.0 ruby lib
+# stub: openssl 2.0.1 ruby lib
 # stub: ext/openssl/extconf.rb
 
 Gem::Specification.new do |s|
   s.name = "openssl".freeze
-  s.version = "2.0.0"
+  s.version = "2.0.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Martin Bosslet".freeze, "SHIBATA Hiroshi".freeze, "Zachary Scott".freeze, "Kazuki Yamaguchi".freeze]
-  s.date = "2016-11-30"
+  s.date = "2016-12-10"
   s.description = "It wraps the OpenSSL library.".freeze
   s.email = ["ruby-core@ruby-lang.org".freeze]
   s.extensions = ["ext/openssl/extconf.rb".freeze]
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index af8ae2a68d..534796f52a 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -47,9 +47,15 @@ asn1time_to_time(const ASN1_TIME *time)
 	}
 	break;
     case V_ASN1_GENERALIZEDTIME:
-	if (sscanf((const char *)time->data, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
-    		&tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
-	    ossl_raise(rb_eTypeError, "bad GENERALIZEDTIME format" );
+	count = sscanf((const char *)time->data, "%4d%2d%2d%2d%2d%2dZ",
+		&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min,
+		&tm.tm_sec);
+	if (count == 5) {
+		tm.tm_sec = 0;
+	}
+	else if (count != 6) {
+		ossl_raise(rb_eTypeError, "bad GENERALIZEDTIME format: \"%s\"",
+			time->data);
 	}
 	break;
     default:
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index eaf62543a1..4e371cb201 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -120,30 +120,34 @@ integer_to_bnptr(VALUE obj, BIGNUM *orig)
     return bn;
 }
 
-static BIGNUM *
-try_convert_to_bnptr(VALUE obj)
+static VALUE
+try_convert_to_bn(VALUE obj)
 {
-    BIGNUM *bn = NULL;
-    VALUE newobj;
+    BIGNUM *bn;
+    VALUE newobj = Qnil;
 
-    if (rb_obj_is_kind_of(obj, cBN)) {
-	GetBN(obj, bn);
-    }
-    else if (RB_INTEGER_TYPE_P(obj)) {
+    if (rb_obj_is_kind_of(obj, cBN))
+	return obj;
+    if (RB_INTEGER_TYPE_P(obj)) {
 	newobj = NewBN(cBN); /* Handle potencial mem leaks */
 	bn = integer_to_bnptr(obj, NULL);
 	SetBN(newobj, bn);
     }
 
-    return bn;
+    return newobj;
 }
 
 BIGNUM *
-GetBNPtr(VALUE obj)
+ossl_bn_value_ptr(volatile VALUE *ptr)
 {
-    BIGNUM *bn = try_convert_to_bnptr(obj);
-    if (!bn)
+    VALUE tmp;
+    BIGNUM *bn;
+
+    tmp = try_convert_to_bn(*ptr);
+    if (NIL_P(tmp))
 	ossl_raise(rb_eTypeError, "Cannot convert into OpenSSL::BN");
+    GetBN(tmp, bn);
+    *ptr = tmp;
 
     return bn;
 }
@@ -893,10 +897,12 @@ ossl_bn_eq(VALUE self, VALUE other)
     BIGNUM *bn1, *bn2;
 
     GetBN(self, bn1);
-    /* BNPtr may raise, so we can't use here */
-    bn2 = try_convert_to_bnptr(other);
+    other = try_convert_to_bn(other);
+    if (NIL_P(other))
+	return Qfalse;
+    GetBN(other, bn2);
 
-    if (bn2 && !BN_cmp(bn1, bn2)) {
+    if (!BN_cmp(bn1, bn2)) {
 	return Qtrue;
     }
     return Qfalse;
diff --git a/ext/openssl/ossl_bn.h b/ext/openssl/ossl_bn.h
index 4cd9d0600a..a19ba19487 100644
--- a/ext/openssl/ossl_bn.h
+++ b/ext/openssl/ossl_bn.h
@@ -15,8 +15,10 @@ extern VALUE eBNError;
 
 extern BN_CTX *ossl_bn_ctx;
 
+#define GetBNPtr(obj) ossl_bn_value_ptr(&(obj))
+
 VALUE ossl_bn_new(const BIGNUM *);
-BIGNUM *GetBNPtr(VALUE);
+BIGNUM *ossl_bn_value_ptr(volatile VALUE *);
 void Init_ossl_bn(void);
 
 
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index e73bfb30f5..e840bfd92c 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -287,7 +287,7 @@ ossl_engine_finish(VALUE self)
  * This returns an OpenSSL::Cipher by +name+, if it is available in this
  * engine.
  *
- * A EngineError will be raised if the cipher is unavailable.
+ * An EngineError will be raised if the cipher is unavailable.
  *
  *    e = OpenSSL::Engine.by_id("openssl")
  *     => #<OpenSSL::Engine id="openssl" name="Software engine support">
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 5191c0f457..fc3f034a39 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -1635,7 +1635,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
 	 * points  | self    | arg2[0] | arg2[1] | ...
 	 */
 	long i, num;
-	VALUE tmp_p, tmp_b;
+	VALUE bns_tmp, tmp_p, tmp_b;
 	const EC_POINT **points;
 	const BIGNUM **bignums;
 
@@ -1645,9 +1645,13 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
 	    ossl_raise(rb_eArgError, "bns must be 1 longer than points; see the documentation");
 
 	num = RARRAY_LEN(arg1);
+	bns_tmp = rb_ary_tmp_new(num);
 	bignums = ALLOCV_N(const BIGNUM *, tmp_b, num);
-	for (i = 0; i < num; i++)
-	    bignums[i] = GetBNPtr(RARRAY_AREF(arg1, i));
+	for (i = 0; i < num; i++) {
+	    VALUE item = RARRAY_AREF(arg1, i);
+	    bignums[i] = GetBNPtr(item);
+	    rb_ary_push(bns_tmp, item);
+	}
 
 	points = ALLOCV_N(const EC_POINT *, tmp_p, num);
 	points[0] = point_self; /* self */
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 609ffdc643..eef7dbece6 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -32,7 +32,8 @@ VALUE cSSLSocket;
 static VALUE eSSLErrorWaitReadable;
 static VALUE eSSLErrorWaitWritable;
 
-static ID ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback;
+static ID ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
+	  id_npn_protocols_encoded;
 static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
 
 static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -892,6 +893,7 @@ ossl_sslctx_setup(VALUE self)
     val = rb_attr_get(self, id_i_npn_protocols);
     if (!NIL_P(val)) {
 	VALUE encoded = ssl_encode_npn_protocols(val);
+	rb_ivar_set(self, id_npn_protocols_encoded, encoded);
 	SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
 	OSSL_Debug("SSL NPN advertise callback added");
     }
@@ -2712,6 +2714,7 @@ Init_ossl_ssl(void)
 
     id_tmp_dh_callback = rb_intern("tmp_dh_callback");
     id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
+    id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
 
 #define DefIVarID(name) do \
     id_i_##name = rb_intern("@"#name); while (0)
diff --git a/ext/openssl/ossl_version.h b/ext/openssl/ossl_version.h
index 1744c1cac4..2566b67a50 100644
--- a/ext/openssl/ossl_version.h
+++ b/ext/openssl/ossl_version.h
@@ -10,6 +10,6 @@
 #if !defined(_OSSL_VERSION_H_)
 #define _OSSL_VERSION_H_
 
-#define OSSL_VERSION "2.0.0"
+#define OSSL_VERSION "2.0.1"
 
 #endif /* _OSSL_VERSION_H_ */
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
index 3a43541447..a0ac1ddbf5 100644
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -275,6 +275,14 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
     assert_equal 2 ** 31, OpenSSL::ASN1.decode(encoded).value.to_i
   end
 
+  def test_decode_generalisedtime
+    expected = Time.at 1481225640
+    assert_equal expected, OpenSSL::ASN1.decode("\x18\x0D201612081934Z").value
+
+    expected += 29
+    assert_equal expected, OpenSSL::ASN1.decode("\x18\x0F20161208193429Z").value
+  end
+
   def test_decode_enumerated
     encoded = OpenSSL::ASN1.Enumerated(0).to_der
     assert_equal "\x0a\x01\x00".b, encoded
diff --git a/test/openssl/test_buffering.rb b/test/openssl/test_buffering.rb
index 1f42cd3c31..f85353fc67 100644
--- a/test/openssl/test_buffering.rb
+++ b/test/openssl/test_buffering.rb
@@ -37,6 +37,7 @@ class OpenSSL::TestBuffering < OpenSSL::TestCase
   end
 
   def setup
+    super
     @io = IO.new
   end
 
diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb
index 3e2e1273fb..786bce9d2f 100644
--- a/test/openssl/test_config.rb
+++ b/test/openssl/test_config.rb
@@ -3,6 +3,7 @@ require_relative 'utils'
 
 class OpenSSL::TestConfig < OpenSSL::TestCase
   def setup
+    super
     file = Tempfile.open("openssl.cnf")
     file << <<__EOD__
 HOME = .
diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
index 028889c173..9891d99ae3 100644
--- a/test/openssl/test_digest.rb
+++ b/test/openssl/test_digest.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestDigest < OpenSSL::TestCase
   def setup
+    super
     @d1 = OpenSSL::Digest.new("MD5")
     @d2 = OpenSSL::Digest::MD5.new
   end
diff --git a/test/openssl/test_ns_spki.rb b/test/openssl/test_ns_spki.rb
index 4740c0b29e..ac34613fc2 100644
--- a/test/openssl/test_ns_spki.rb
+++ b/test/openssl/test_ns_spki.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestNSSPI < OpenSSL::TestCase
   def setup
+    super
     # This request data is adopt from the specification of
     # "Netscape Extensions for User Key Generation".
     # -- http://wp.netscape.com/eng/security/comm4-keygen.html
diff --git a/test/openssl/test_ocsp.rb b/test/openssl/test_ocsp.rb
index 82d83d56f4..8881f25dd9 100644
--- a/test/openssl/test_ocsp.rb
+++ b/test/openssl/test_ocsp.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestOCSP < OpenSSL::TestCase
   def setup
+    super
     # @ca_cert
     #   |
     # @cert
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index ad65327da0..9a5205f81c 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -295,7 +295,7 @@ module OpenSSL::TestPairM
       # fill up a socket so we hit EAGAIN
       written = String.new
       n = 0
-      buf = 'a' * 11
+      buf = 'a' * 4099
       case ret = s1.write_nonblock(buf, exception: false)
       when :wait_readable then break
       when :wait_writable then break
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
index 8c9147a91e..403718b94f 100644
--- a/test/openssl/test_pkcs12.rb
+++ b/test/openssl/test_pkcs12.rb
@@ -8,6 +8,7 @@ module OpenSSL
     include OpenSSL::TestUtils
 
     def setup
+      super
       ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
       ca_exts = [
         ["basicConstraints","CA:TRUE",true],
diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
index b7b7520220..48d5999752 100644
--- a/test/openssl/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestPKCS7 < OpenSSL::TestCase
   def setup
+    super
     @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
     @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
     ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
deleted file mode 100644
index 79647c8f1d..0000000000
--- a/test/openssl/test_pkey.rb
+++ /dev/null
@@ -1,49 +0,0 @@
-# frozen_string_literal: false
-require_relative "utils"
-
-if defined?(OpenSSL::TestUtils)
-
-class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
-  PKEYS = {
-    OpenSSL::PKey::RSA => {
-      key: OpenSSL::TestUtils::TEST_KEY_RSA1024,
-      digest: OpenSSL::Digest::SHA1,
-    },
-    OpenSSL::PKey::DSA => {
-      key: OpenSSL::TestUtils::TEST_KEY_DSA512,
-      digest: OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST,
-    },
-  }
-  if defined?(OpenSSL::PKey::EC)
-    PKEYS[OpenSSL::PKey::EC] = {
-      key: OpenSSL::TestUtils::TEST_KEY_EC_P256V1,
-      digest: OpenSSL::Digest::SHA1,
-    }
-  end
-
-  def test_sign_verify
-    data = "Sign me!"
-    invalid_data = "Sign me?"
-    PKEYS.each do |klass, prop|
-      key = prop[:key]
-      pub_key = dup_public(prop[:key])
-      digest = prop[:digest].new
-      signature = key.sign(digest, data)
-      assert_equal(true, pub_key.verify(digest, signature, data))
-      assert_equal(false, pub_key.verify(digest, signature, invalid_data))
-      # digest state is irrelevant
-      digest << "unya"
-      assert_equal(true, pub_key.verify(digest, signature, data))
-      assert_equal(false, pub_key.verify(digest, signature, invalid_data))
-
-      if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000
-        digest = OpenSSL::Digest::SHA256.new
-        signature = key.sign(digest, data)
-        assert_equal(true, pub_key.verify(digest, signature, data))
-        assert_equal(false, pub_key.verify(digest, signature, invalid_data))
-      end
-    end
-  end
-end
-
-end
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index fb757c44ec..0cfe4402ec 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   def setup
+    super
     @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
     @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
     @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index f61de97163..44dfffc952 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509CRL < OpenSSL::TestCase
   def setup
+    super
     @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
     @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
     @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
diff --git a/test/openssl/test_x509ext.rb b/test/openssl/test_x509ext.rb
index 79713c0fad..58f03168bc 100644
--- a/test/openssl/test_x509ext.rb
+++ b/test/openssl/test_x509ext.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509Extension < OpenSSL::TestCase
   def setup
+    super
     @basic_constraints_value = OpenSSL::ASN1::Sequence([
       OpenSSL::ASN1::Boolean(true),   # CA
       OpenSSL::ASN1::Integer(2)       # pathlen
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index 78da4df140..b30a02e64a 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -6,6 +6,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509Name < OpenSSL::TestCase
   def setup
+    super
     @obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING)
     @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
   end
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 086ccfbdb1..585dda1bc6 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509Request < OpenSSL::TestCase
   def setup
+    super
     @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
     @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
     @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 6ca80c86bb..af0d8b2836 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -5,6 +5,7 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestX509Store < OpenSSL::TestCase
   def setup
+    super
     @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
     @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048
     @dsa256  = OpenSSL::TestUtils::TEST_KEY_DSA256
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 43ecd79eca..bbc9c7efc2 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -201,7 +201,16 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
   end
 
   class OpenSSL::TestCase < Test::Unit::TestCase
+    def setup
+      if ENV["OSSL_GC_STRESS"] == "1"
+        GC.stress = true
+      end
+    end
+
     def teardown
+      if ENV["OSSL_GC_STRESS"] == "1"
+        GC.stress = false
+      end
       # OpenSSL error stack must be empty
       assert_equal([], OpenSSL.errors)
     end
@@ -212,6 +221,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
     ITERATIONS = ($0 == __FILE__) ? 100 : 10
 
     def setup
+      super
       @ca_key  = OpenSSL::TestUtils::TEST_KEY_RSA2048
       @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
       @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024