kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

import Ruby/OpenSSL 2.0.0.beta.1

Browse source 
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
rhe 2016-08-29 05:47:09 +00:00
parent 28bf4d545f
commit c9dc0164b8
69 changed files with 2970 additions and 1813 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
NEWS
View file

@ -123,6 +123,12 @@ with all sufficient information, see the ChangeLog file or Redmine
* Add an into option. [Feature #11191]
* OpenSSL
* OpenSSL is extracted as a gem and the upstream has been migrated to
https://github.com/ruby/openssl. OpenSSL still remains as a default gem.
Refer to its History.md for the full release note. [Feature #9612]
=== Compatibility issues (excluding feature bug fixes)
* Array#sum and Enumerable#sum are implemented. [Feature #12217]

1
ext/openssl/extconf.rb
View file

@ -147,6 +147,7 @@ have_func("EVP_PKEY_up_ref")
OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
have_func("SSL_CTX_get_security_level")
have_func("X509_get0_notBefore")
Logging::message "=== Checking done. ===\n"

38
ext/openssl/lib/openssl/cipher.rb
View file

@ -18,7 +18,7 @@ module OpenSSL
klass = Class.new(Cipher){
define_method(:initialize){|*args|
cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
super(cipher_name)
super(cipher_name.downcase)
}
}
const_set(name, klass)
@ -26,34 +26,42 @@ module OpenSSL
%w(128 192 256).each{|keylen|
klass = Class.new(Cipher){
define_method(:initialize){|mode|
mode ||= "CBC"
cipher_name = "AES-#{keylen}-#{mode}"
super(cipher_name)
define_method(:initialize){|mode = "CBC"|
super("aes-#{keylen}-#{mode}".downcase)
}
}
const_set("AES#{keylen}", klass)
}
# Generate, set, and return a random key.
# You must call cipher.encrypt or cipher.decrypt before calling this method.
# call-seq:
# cipher.random_key -> key
#
# Generate a random key with OpenSSL::Random.random_bytes and sets it to
# the cipher, and returns it.
#
# You must call #encrypt or #decrypt before calling this method.
def random_key
str = OpenSSL::Random.random_bytes(self.key_len)
self.key = str
return str
end
# Generate, set, and return a random iv.
# You must call cipher.encrypt or cipher.decrypt before calling this method.
# call-seq:
# cipher.random_iv -> iv
#
# Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
# cipher, and returns it.
#
# You must call #encrypt or #decrypt before calling this method.
def random_iv
str = OpenSSL::Random.random_bytes(self.iv_len)
self.iv = str
return str
end
# This class is only provided for backwards compatibility. Use OpenSSL::Cipher in the future.
class Cipher < Cipher
# add warning
end
# Deprecated.
#
# This class is only provided for backwards compatibility.
# Use OpenSSL::Cipher.
class Cipher < Cipher; end
deprecate_constant :Cipher
end # Cipher
end # OpenSSL

12
ext/openssl/lib/openssl/digest.rb
View file

@ -53,15 +53,9 @@ module OpenSSL
# Deprecated.
#
# This class is only provided for backwards compatibility.
class Digest < Digest # :nodoc:
# Deprecated.
#
# See OpenSSL::Digest.new
def initialize(*args)
warn('Digest::Digest is deprecated; use Digest')
super(*args)
end
end
# Use OpenSSL::Digest instead.
class Digest < Digest; end # :nodoc:
deprecate_constant :Digest
end # Digest

3
ext/openssl/lib/openssl/pkey.rb
View file

@ -4,6 +4,7 @@ module OpenSSL
if defined?(OpenSSL::PKey::DH)
class DH
# :nodoc:
DEFAULT_1024 = new <<-_end_of_pem_
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
@ -12,6 +13,7 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
-----END DH PARAMETERS-----
_end_of_pem_
# :nodoc:
DEFAULT_2048 = new <<-_end_of_pem_
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
@ -24,6 +26,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
_end_of_pem_
end
# :nodoc:
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
warn "using default DH parameters." if $VERBOSE
case keylen

112
ext/openssl/lib/openssl/ssl.rb
View file

@ -16,44 +16,11 @@ require "io/nonblock"
module OpenSSL
module SSL
class SSLContext
# :nodoc:
DEFAULT_PARAMS = {
:ssl_version => "SSLv23",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:ciphers => %w{
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-RC4-SHA
RC4-SHA
}.join(":"),
:verify_hostname => true,
:options => -> {
opts = OpenSSL::SSL::OP_ALL
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
@ -63,10 +30,50 @@ module OpenSSL
}.call
}
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
DEFAULT_PARAMS.merge!(
ciphers: %w{
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
}.join(":"),
)
end
# :nodoc:
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
DEFAULT_CERT_STORE.set_default_paths
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
# :nodoc:
INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
"timeout", "verify_mode", "verify_depth", "renegotiation_cb",
"verify_callback", "cert_store", "extra_chain_cert",
@ -74,7 +81,7 @@ module OpenSSL
"session_get_cb", "session_new_cb", "session_remove_cb",
"tmp_ecdh_callback", "servername_cb", "npn_protocols",
"alpn_protocols", "alpn_select_cb",
"npn_select_cb"].map { |x| "@#{x}" }
"npn_select_cb", "verify_hostname"].map { |x| "@#{x}" }
# A callback invoked when DH parameters are required.
#
@ -110,13 +117,17 @@ module OpenSSL
end
##
# Sets the parameters for this SSL context to the values in +params+.
# call-seq:
# ctx.set_params(params = {}) -> params
#
# Sets saner defaults optimized for the use with HTTP-like protocols.
#
# If a Hash +params+ is given, the parameters are overridden with it.
# The keys in +params+ must be assignment methods on SSLContext.
#
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
# cert_store are not set then the system default certificate store is
# used.
def set_params(params={})
params = DEFAULT_PARAMS.merge(params)
params.each{|name, value| self.__send__("#{name}=", value) }
@ -251,10 +262,17 @@ module OpenSSL
attr_reader :hostname
end
attr_reader :io, :context
attr_accessor :sync_close
# The underlying IO object.
attr_reader :io
alias :to_io :io
# The SSLContext object used in this connection.
attr_reader :context
# Whether to close the underlying socket as well, when the SSL/TLS
# connection is shut down. This defaults to +false+.
attr_accessor :sync_close
# call-seq:
# ssl.sysclose => nil
#
@ -268,8 +286,10 @@ module OpenSSL
io.close if sync_close
end
##
# Perform hostname verification after an SSL connection is established
# call-seq:
# ssl.post_connection_check(hostname) -> true
#
# Perform hostname verification following RFC 6125.
#
# This method MUST be called after calling #connect to ensure that the
# hostname of a remote peer has been verified.
@ -277,7 +297,8 @@ module OpenSSL
if peer_cert.nil?
msg = "Peer verification enabled, but no certificate received."
if using_anon_cipher?
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
"Anonymous suites must be disabled to use peer verification."
end
raise SSLError, msg
end
@ -288,6 +309,11 @@ module OpenSSL
return true
end
# call-seq:
# ssl.session -> aSession
#
# Returns the SSLSession object currently used, or nil if the session is
# not established.
def session
SSL::Session.new(self)
rescue SSL::Session::SessionError

45
ext/openssl/openssl.gemspec Normal file
View file

@ -0,0 +1,45 @@
# -*- encoding: utf-8 -*-
# stub: openssl 2.0.0.beta.1 ruby lib
# stub: ext/openssl/extconf.rb
Gem::Specification.new do |s|
s.name = "openssl".freeze
s.version = "2.0.0.beta.1"
s.required_rubygems_version = Gem::Requirement.new("> 1.3.1".freeze) if s.respond_to? :required_rubygems_version=
s.require_paths = ["lib".freeze]
s.authors = ["Martin Bosslet".freeze, "SHIBATA Hiroshi".freeze, "Zachary Scott".freeze, "Kazuki Yamaguchi".freeze]
s.date = "2016-08-29"
s.description = "It wraps the OpenSSL library.".freeze
s.email = ["ruby-core@ruby-lang.org".freeze]
s.extensions = ["ext/openssl/extconf.rb".freeze]
s.extra_rdoc_files = ["CONTRIBUTING.md".freeze, "History.md".freeze, "README.md".freeze]
s.files = ["BSDL".freeze, "CONTRIBUTING.md".freeze, "History.md".freeze, "LICENSE.txt".freeze, "README.md".freeze, "ext/openssl/deprecation.rb".freeze, "ext/openssl/extconf.rb".freeze, "ext/openssl/openssl_missing.c".freeze, "ext/openssl/openssl_missing.h".freeze, "ext/openssl/ossl.c".freeze, "ext/openssl/ossl.h".freeze, "ext/openssl/ossl_asn1.c".freeze, "ext/openssl/ossl_asn1.h".freeze, "ext/openssl/ossl_bio.c".freeze, "ext/openssl/ossl_bio.h".freeze, "ext/openssl/ossl_bn.c".freeze, "ext/openssl/ossl_bn.h".freeze, "ext/openssl/ossl_cipher.c".freeze, "ext/openssl/ossl_cipher.h".freeze, "ext/openssl/ossl_config.c".freeze, "ext/openssl/ossl_config.h".freeze, "ext/openssl/ossl_digest.c".freeze, "ext/openssl/ossl_digest.h".freeze, "ext/openssl/ossl_engine.c".freeze, "ext/openssl/ossl_engine.h".freeze, "ext/openssl/ossl_hmac.c".freeze, "ext/openssl/ossl_hmac.h".freeze, "ext/openssl/ossl_ns_spki.c".freeze, "ext/openssl/ossl_ns_spki.h".freeze, "ext/openssl/ossl_ocsp.c".freeze, "ext/openssl/ossl_ocsp.h".freeze, "ext/openssl/ossl_pkcs12.c".freeze, "ext/openssl/ossl_pkcs12.h".freeze, "ext/openssl/ossl_pkcs5.c".freeze, "ext/openssl/ossl_pkcs5.h".freeze, "ext/openssl/ossl_pkcs7.c".freeze, "ext/openssl/ossl_pkcs7.h".freeze, "ext/openssl/ossl_pkey.c".freeze, "ext/openssl/ossl_pkey.h".freeze, "ext/openssl/ossl_pkey_dh.c".freeze, "ext/openssl/ossl_pkey_dsa.c".freeze, "ext/openssl/ossl_pkey_ec.c".freeze, "ext/openssl/ossl_pkey_rsa.c".freeze, "ext/openssl/ossl_rand.c".freeze, "ext/openssl/ossl_rand.h".freeze, "ext/openssl/ossl_ssl.c".freeze, "ext/openssl/ossl_ssl.h".freeze, "ext/openssl/ossl_ssl_session.c".freeze, "ext/openssl/ossl_version.h".freeze, "ext/openssl/ossl_x509.c".freeze, "ext/openssl/ossl_x509.h".freeze, "ext/openssl/ossl_x509attr.c".freeze, "ext/openssl/ossl_x509cert.c".freeze, "ext/openssl/ossl_x509crl.c".freeze, "ext/openssl/ossl_x509ext.c".freeze, "ext/openssl/ossl_x509name.c".freeze, "ext/openssl/ossl_x509req.c".freeze, "ext/openssl/ossl_x509revoked.c".freeze, "ext/openssl/ossl_x509store.c".freeze, "ext/openssl/ruby_missing.h".freeze, "lib/openssl.rb".freeze, "lib/openssl/bn.rb".freeze, "lib/openssl/buffering.rb".freeze, "lib/openssl/cipher.rb".freeze, "lib/openssl/config.rb".freeze, "lib/openssl/digest.rb".freeze, "lib/openssl/pkey.rb".freeze, "lib/openssl/ssl.rb".freeze, "lib/openssl/x509.rb".freeze]
s.homepage = "https://www.ruby-lang.org/".freeze
s.licenses = ["Ruby".freeze]
s.rdoc_options = ["--main".freeze, "README.md".freeze]
s.required_ruby_version = Gem::Requirement.new(">= 2.3.0".freeze)
s.rubygems_version = "2.6.6".freeze
s.summary = "OpenSSL provides SSL, TLS and general purpose cryptography.".freeze
if s.respond_to? :specification_version then
s.specification_version = 4
if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
s.add_development_dependency(%q<rake>.freeze, ["~> 10.3"])
s.add_development_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
s.add_development_dependency(%q<test-unit>.freeze, ["~> 3.0"])
s.add_development_dependency(%q<rdoc>.freeze, ["~> 4.2"])
else
s.add_dependency(%q<rake>.freeze, ["~> 10.3"])
s.add_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
s.add_dependency(%q<test-unit>.freeze, ["~> 3.0"])
s.add_dependency(%q<rdoc>.freeze, ["~> 4.2"])
end
else
s.add_dependency(%q<rake>.freeze, ["~> 10.3"])
s.add_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
s.add_dependency(%q<test-unit>.freeze, ["~> 3.0"])
s.add_dependency(%q<rdoc>.freeze, ["~> 4.2"])
end
end

6
ext/openssl/openssl_missing.c
View file

@ -150,7 +150,8 @@ HMAC_CTX_free(HMAC_CTX *ctx)
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void
X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl)
X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = crl->signature;
@ -161,7 +162,8 @@ X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
void
X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req)
X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = req->signature;

12
ext/openssl/openssl_missing.h
View file

@ -110,11 +110,11 @@ void HMAC_CTX_free(HMAC_CTX *ctx);
#endif
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl);
void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req);
void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
@ -231,6 +231,14 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
#endif
#if !defined(HAVE_X509_GET0_NOTBEFORE)
# define X509_get0_notBefore(x) X509_get_notBefore(x)
# define X509_get0_notAfter(x) X509_get_notAfter(x)
# define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
# define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
#endif
#endif /* _OSSL_OPENSSL_MISSING_H_ */

179
ext/openssl/ossl.c
View file

@ -9,40 +9,7 @@
*/
#include "ossl.h"
#include <stdarg.h> /* for ossl_raise */
/*
* String to HEXString conversion
*/
int
string2hex(const unsigned char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
{
static const char hex[]="0123456789abcdef";
int i, len;
if (buf_len < 0 || buf_len > INT_MAX / 2) { /* PARANOIA? */
return -1;
}
len = 2 * buf_len;
if (!hexbuf) { /* if no buf, return calculated len */
if (hexbuf_len) {
*hexbuf_len = len;
}
return len;
}
if (!(*hexbuf = OPENSSL_malloc(len + 1))) {
return -1;
}
for (i = 0; i < buf_len; i++) {
(*hexbuf)[2 * i] = hex[((unsigned char)buf[i]) >> 4];
(*hexbuf)[2 * i + 1] = hex[buf[i] & 0x0f];
}
(*hexbuf)[2 * i] = '\0';
if (hexbuf_len) {
*hexbuf_len = len;
}
return len;
}
#include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
/*
* Data Conversion
@ -77,7 +44,7 @@ STACK_OF(type) * \
ossl_protect_##name##_ary2sk(VALUE ary, int *status) \
{ \
return (STACK_OF(type)*)rb_protect( \
(VALUE(*)_((VALUE)))ossl_##name##_ary2sk0, \
(VALUE (*)(VALUE))ossl_##name##_ary2sk0, \
ary, \
status); \
} \
@ -97,7 +64,7 @@ OSSL_IMPL_ARY2SK(x509, X509, cX509Cert, DupX509CertPtr)
#define OSSL_IMPL_SK2ARY(name, type) \
VALUE \
ossl_##name##_sk2ary(STACK_OF(type) *sk) \
ossl_##name##_sk2ary(const STACK_OF(type) *sk) \
{ \
type *t; \
int i, num; \
@ -136,7 +103,7 @@ ossl_buf2str(char *buf, int len)
VALUE str;
int status = 0;
str = rb_protect((VALUE(*)_((VALUE)))ossl_str_new, len, &status);
str = rb_protect((VALUE (*)(VALUE))ossl_str_new, len, &status);
if(!NIL_P(str)) memcpy(RSTRING_PTR(str), buf, len);
OPENSSL_free(buf);
if(status) rb_jump_tag(status);
@ -144,6 +111,21 @@ ossl_buf2str(char *buf, int len)
return str;
}
void
ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
{
const char *hex = "0123456789abcdef";
size_t i;
assert(inlen <= LONG_MAX / 2);
for (i = 0; i < inlen; i++) {
unsigned char p = in[i];
out[i * 2 + 0] = hex[p >> 4];
out[i * 2 + 1] = hex[p & 0x0f];
}
}
/*
* our default PEM callback
*/
@ -242,54 +224,54 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
int ossl_store_ctx_ex_verify_cb_idx;
int ossl_store_ex_verify_cb_idx;
VALUE
struct ossl_verify_cb_args {
VALUE proc;
VALUE preverify_ok;
VALUE store_ctx;
};
static VALUE
ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args)
{
return rb_funcall(args->proc, rb_intern("call"), 2,
args->preverify_ok, args->store_ctx);
args->preverify_ok, args->store_ctx);
}
int
ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
{
VALUE proc, rctx, ret;
VALUE rctx, ret;
struct ossl_verify_cb_args args;
int state = 0;
int state;
proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx);
if (!proc)
proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx);
if (!proc)
if (NIL_P(proc))
return ok;
if (!NIL_P(proc)) {
ret = Qfalse;
rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new,
(VALUE)ctx, &state);
ret = Qfalse;
rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new, (VALUE)ctx, &state);
if (state) {
rb_set_errinfo(Qnil);
rb_warn("StoreContext initialization failure");
}
else {
args.proc = proc;
args.preverify_ok = ok ? Qtrue : Qfalse;
args.store_ctx = rctx;
ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
if (state) {
rb_set_errinfo(Qnil);
rb_warn("StoreContext initialization failure");
}
else {
args.proc = proc;
args.preverify_ok = ok ? Qtrue : Qfalse;
args.store_ctx = rctx;
ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
if (state) {
rb_set_errinfo(Qnil);
rb_warn("exception in verify_callback is ignored");
}
ossl_x509stctx_clear_ptr(rctx);
}
if (ret == Qtrue) {
X509_STORE_CTX_set_error(ctx, X509_V_OK);
ok = 1;
}
else{
if (X509_STORE_CTX_get_error(ctx) == X509_V_OK) {
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
}
ok = 0;
rb_warn("exception in verify_callback is ignored");
}
ossl_x509stctx_clear_ptr(rctx);
}
if (ret == Qtrue) {
X509_STORE_CTX_set_error(ctx, X509_V_OK);
ok = 1;
}
else {
if (X509_STORE_CTX_get_error(ctx) == X509_V_OK)
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
ok = 0;
}
return ok;
@ -453,24 +435,14 @@ ossl_debug_get(VALUE self)
* call-seq:
* OpenSSL.debug = boolean -> boolean
*
* Turns on or off CRYPTO_MEM_CHECK.
* Also shows some debugging message on stderr.
* Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
* error queue will be printed to stderr.
*/
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
VALUE old = dOSSL;
dOSSL = val;
dOSSL = RTEST(val) ? Qtrue : Qfalse;
if (old != dOSSL) {
if (dOSSL == Qtrue) {
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
fprintf(stderr, "OSSL_DEBUG: IS NOW ON!\n");
} else if (old == Qtrue) {
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
fprintf(stderr, "OSSL_DEBUG: IS NOW OFF!\n");
}
}
return val;
}
@ -483,9 +455,8 @@ ossl_debug_set(VALUE self, VALUE val)
* so otherwise will result in an error.
*
* === Examples
*
* OpenSSL.fips_mode = true # turn FIPS mode on
* OpenSSL.fips_mode = false # and off again
* OpenSSL.fips_mode = true # turn FIPS mode on
* OpenSSL.fips_mode = false # and off again
*/
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
@ -512,7 +483,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
/**
* Stores locks needed for OpenSSL thread safety
*/
#include "ruby/thread_native.h"
static rb_nativethread_lock_t *ossl_locks;
static void
@ -602,20 +572,6 @@ static void Init_ossl_locks(void)
* OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
* OpenSSL[http://www.openssl.org/] library.
*
* = Install
*
* OpenSSL comes bundled with the Standard Library of Ruby.
*
* This means the OpenSSL extension is compiled with Ruby and packaged on
* build. During compile time, Ruby will need to link against the OpenSSL
* library on your system. However, you cannot use openssl provided by Apple to
* build standard library openssl.
*
* If you use OSX, you should install another openssl and run ```./configure
* --with-openssl-dir=/path/to/another-openssl```. For Homebrew user, run `brew
* install openssl` and then ```./configure --with-openssl-dir=`brew --prefix
* openssl` ```.
*
* = Examples
*
* All examples assume you have loaded OpenSSL with:
@ -660,10 +616,12 @@ static void Init_ossl_locks(void)
*
* key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
* key2.public? # => true
* key2.private? # => true
*
* or
*
* key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
* key3.public? # => true
* key3.private? # => false
*
* === Loading an Encrypted Key
@ -910,7 +868,7 @@ static void Init_ossl_locks(void)
* ca_key = OpenSSL::PKey::RSA.new 2048
* pass_phrase = 'my secure pass phrase goes here'
*
* cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
* cipher = OpenSSL::Cipher.new 'AES-128-CBC'
*
* open 'ca_key.pem', 'w', 0400 do |io|
* io.write ca_key.export(cipher, pass_phrase)
@ -1063,15 +1021,21 @@ static void Init_ossl_locks(void)
* SSLSocket#connect must be called to initiate the SSL handshake and start
* encryption. A key and certificate are not required for the client socket.
*
* Note that SSLSocket#close doesn't close the underlying socket by default. Set
* SSLSocket#sync_close to true if you want.
*
* require 'socket'
*
* tcp_socket = TCPSocket.new 'localhost', 5000
* ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
* ssl_client.sync_close = true
* ssl_client.connect
*
* ssl_client.puts "hello server!"
* puts ssl_client.gets
*
* ssl_client.close # shutdown the TLS connection and close tcp_socket
*
* === Peer Verification
*
* An unverified SSL connection does not provide much security. For enhanced
@ -1160,11 +1124,14 @@ Init_openssl(void)
/*
* Boolean indicating whether OpenSSL is FIPS-enabled or not
*/
rb_define_const(mOSSL, "OPENSSL_FIPS",
#ifdef OPENSSL_FIPS
rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
Qtrue
#else
rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
Qfalse
#endif
);
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
/*

25
ext/openssl/ossl.h
View file

@ -96,20 +96,15 @@ extern VALUE eOSSLError;
}\
} while (0)
/*
* String to HEXString conversion
*/
int string2hex(const unsigned char *, int, char **, int *);
/*
* Data Conversion
*/
STACK_OF(X509) *ossl_x509_ary2sk0(VALUE);
STACK_OF(X509) *ossl_x509_ary2sk(VALUE);
STACK_OF(X509) *ossl_protect_x509_ary2sk(VALUE,int*);
VALUE ossl_x509_sk2ary(STACK_OF(X509) *certs);
VALUE ossl_x509crl_sk2ary(STACK_OF(X509_CRL) *crl);
VALUE ossl_x509name_sk2ary(STACK_OF(X509_NAME) *names);
VALUE ossl_x509_sk2ary(const STACK_OF(X509) *certs);
VALUE ossl_x509crl_sk2ary(const STACK_OF(X509_CRL) *crl);
VALUE ossl_x509name_sk2ary(const STACK_OF(X509_NAME) *names);
VALUE ossl_buf2str(char *buf, int len);
#define ossl_str_adjust(str, p) \
do{\
@ -118,6 +113,11 @@ do{\
assert(newlen <= len);\
rb_str_set_len((str), newlen);\
}while(0)
/*
* Convert binary string to hex string. The caller is responsible for
* ensuring out has (2 * len) bytes of capacity.
*/
void ossl_bin2hex(unsigned char *in, char *out, size_t len);
/*
* Our default PEM callback
@ -154,14 +154,7 @@ void ossl_clear_error(void);
extern int ossl_store_ctx_ex_verify_cb_idx;
extern int ossl_store_ex_verify_cb_idx;
struct ossl_verify_cb_args {
VALUE proc;
VALUE preverify_ok;
VALUE store_ctx;
};
VALUE ossl_call_verify_cb_proc(struct ossl_verify_cb_args *);
int ossl_verify_cb(int, X509_STORE_CTX *);
int ossl_verify_cb_call(VALUE, int, X509_STORE_CTX *);
/*
* String to DER String

22
ext/openssl/ossl_asn1.c
View file

@ -28,7 +28,7 @@ static VALUE ossl_asn1eoc_initialize(VALUE self);
* DATE conversion
*/
VALUE
asn1time_to_time(ASN1_TIME *time)
asn1time_to_time(const ASN1_TIME *time)
{
struct tm tm;
VALUE argv[6];
@ -103,7 +103,7 @@ time_to_time_t(VALUE time)
* STRING conversion
*/
VALUE
asn1str_to_str(ASN1_STRING *str)
asn1str_to_str(const ASN1_STRING *str)
{
return rb_str_new((const char *)str->data, str->length);
}
@ -114,7 +114,7 @@ asn1str_to_str(ASN1_STRING *str)
*/
#define DO_IT_VIA_RUBY 0
VALUE
asn1integer_to_num(ASN1_INTEGER *ai)
asn1integer_to_num(const ASN1_INTEGER *ai)
{
BIGNUM *bn;
#if DO_IT_VIA_RUBY
@ -126,7 +126,8 @@ asn1integer_to_num(ASN1_INTEGER *ai)
ossl_raise(rb_eTypeError, "ASN1_INTEGER is NULL!");
}
if (ai->type == V_ASN1_ENUMERATED)
bn = ASN1_ENUMERATED_to_BN(ai, NULL);
/* const_cast: workaround for old OpenSSL */
bn = ASN1_ENUMERATED_to_BN((ASN1_ENUMERATED *)ai, NULL);
else
bn = ASN1_INTEGER_to_BN(ai, NULL);
@ -383,7 +384,7 @@ decode_int(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_INTEGER(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
ret = rb_protect((VALUE(*)_((VALUE)))asn1integer_to_num,
ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
(VALUE)ai, &status);
ASN1_INTEGER_free(ai);
if(status) rb_jump_tag(status);
@ -423,7 +424,7 @@ decode_enum(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_ENUMERATED(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
ret = rb_protect((VALUE(*)_((VALUE)))asn1integer_to_num,
ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
(VALUE)ai, &status);
ASN1_ENUMERATED_free(ai);
if(status) rb_jump_tag(status);
@ -485,7 +486,7 @@ decode_time(unsigned char* der, long length)
p = der;
if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
ret = rb_protect((VALUE(*)_((VALUE)))asn1time_to_time,
ret = rb_protect((VALUE (*)(VALUE))asn1time_to_time,
(VALUE)time, &status);
ASN1_TIME_free(time);
if(status) rb_jump_tag(status);
@ -1471,7 +1472,8 @@ Init_ossl_asn1(void)
int i;
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
sUNIVERSAL = rb_intern("UNIVERSAL");
@ -1806,10 +1808,6 @@ Init_ossl_asn1(void)
* it is not typically allocated this way, but rather that are received from
* parsed ASN1 encodings.
*
* While OpenSSL::ASN1::ObjectId.new will allocate a new ObjectId, it is
* not typically allocated this way, but rather that are received from
* parsed ASN1 encodings.
*
* === Additional attributes
* * +sn+: the short name as defined in <openssl/objects.h>.
* * +ln+: the long name as defined in <openssl/objects.h>.

6
ext/openssl/ossl_asn1.h
View file

@ -13,7 +13,7 @@
/*
* ASN1_DATE conversions
*/
VALUE asn1time_to_time(ASN1_TIME *);
VALUE asn1time_to_time(const ASN1_TIME *);
#if defined(HAVE_ASN1_TIME_ADJ)
/* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
* Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
@ -27,12 +27,12 @@ time_t time_to_time_t(VALUE);
/*
* ASN1_STRING conversions
*/
VALUE asn1str_to_str(ASN1_STRING *);
VALUE asn1str_to_str(const ASN1_STRING *);
/*
* ASN1_INTEGER conversions
*/
VALUE asn1integer_to_num(ASN1_INTEGER *);
VALUE asn1integer_to_num(const ASN1_INTEGER *);
ASN1_INTEGER *num_to_asn1integer(VALUE, ASN1_INTEGER *);
/*

4
ext/openssl/ossl_bio.c
View file

@ -51,7 +51,7 @@ BIO *
ossl_protect_obj2bio(VALUE obj, int *status)
{
BIO *ret = NULL;
ret = (BIO*)rb_protect((VALUE(*)_((VALUE)))ossl_obj2bio, obj, status);
ret = (BIO*)rb_protect((VALUE (*)(VALUE))ossl_obj2bio, obj, status);
return ret;
}
@ -70,7 +70,7 @@ ossl_membio2str0(BIO *bio)
VALUE
ossl_protect_membio2str(BIO *bio, int *status)
{
return rb_protect((VALUE(*)_((VALUE)))ossl_membio2str0, (VALUE)bio, status);
return rb_protect((VALUE (*)(VALUE))ossl_membio2str0, (VALUE)bio, status);
}
VALUE

165
ext/openssl/ossl_bn.c
View file

@ -51,8 +51,6 @@ static const rb_data_type_t ossl_bn_type = {
VALUE cBN;
/* Document-class: OpenSSL::BNError
*
* BNError < OpenSSLError
*
* Generic Error for all of OpenSSL::BN (big num)
*/
@ -77,25 +75,66 @@ ossl_bn_new(const BIGNUM *bn)
return obj;
}
static BIGNUM *
integer_to_bnptr(VALUE obj, BIGNUM *orig)
{
BIGNUM *bn;
if (FIXNUM_P(obj)) {
long i;
unsigned char bin[sizeof(long)];
long n = FIX2LONG(obj);
unsigned long un = labs(n);
for (i = sizeof(long) - 1; 0 <= i; i--) {
bin[i] = un & 0xff;
un >>= 8;
}
bn = BN_bin2bn(bin, sizeof(bin), orig);
if (!bn)
ossl_raise(eBNError, "BN_bin2bn");
if (n < 0)
BN_set_negative(bn, 1);
}
else { /* assuming Bignum */
size_t len = rb_absint_size(obj, NULL);
unsigned char *bin;
VALUE buf;
int sign;
if (INT_MAX < len) {
rb_raise(eBNError, "bignum too long");
}
bin = (unsigned char*)ALLOCV_N(unsigned char, buf, len);
sign = rb_integer_pack(obj, bin, len, 1, 0, INTEGER_PACK_BIG_ENDIAN);
bn = BN_bin2bn(bin, (int)len, orig);
ALLOCV_END(buf);
if (!bn)
ossl_raise(eBNError, "BN_bin2bn");
if (sign < 0)
BN_set_negative(bn, 1);
}
return bn;
}
static BIGNUM *
try_convert_to_bnptr(VALUE obj)
{
BIGNUM *bn = NULL;
VALUE newobj;
if (RTEST(rb_obj_is_kind_of(obj, cBN))) {
if (rb_obj_is_kind_of(obj, cBN)) {
GetBN(obj, bn);
} else switch (TYPE(obj)) {
case T_FIXNUM:
case T_BIGNUM:
obj = rb_String(obj);
newobj = NewBN(cBN); /* GC bug */
if (!BN_dec2bn(&bn, StringValueCStr(obj))) {
ossl_raise(eBNError, NULL);
}
SetBN(newobj, bn); /* Handle potencial mem leaks */
break;
}
else if (RB_INTEGER_TYPE_P(obj)) {
newobj = NewBN(cBN); /* Handle potencial mem leaks */
bn = integer_to_bnptr(obj, NULL);
SetBN(newobj, bn);
}
return bn;
}
@ -135,6 +174,7 @@ ossl_bn_alloc(VALUE klass)
/* Document-method: OpenSSL::BN.new
*
* call-seq:
* OpenSSL::BN.new => aBN
* OpenSSL::BN.new(bn) => aBN
* OpenSSL::BN.new(integer) => aBN
@ -154,45 +194,13 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
base = NUM2INT(bs);
}
if (RB_TYPE_P(str, T_FIXNUM)) {
long i;
unsigned char bin[sizeof(long)];
long n = FIX2LONG(str);
unsigned long un = labs(n);
for (i = sizeof(long) - 1; 0 <= i; i--) {
bin[i] = un&0xff;
un >>= 8;
}
if (RB_INTEGER_TYPE_P(str)) {
GetBN(self, bn);
if (!BN_bin2bn(bin, sizeof(bin), bn)) {
ossl_raise(eBNError, NULL);
}
if (n < 0) BN_set_negative(bn, 1);
integer_to_bnptr(str, bn);
return self;
}
else if (RB_TYPE_P(str, T_BIGNUM)) {
size_t len = rb_absint_size(str, NULL);
unsigned char *bin;
VALUE buf;
int sign;
if (INT_MAX < len) {
rb_raise(eBNError, "bignum too long");
}
bin = (unsigned char*)ALLOCV_N(unsigned char, buf, len);
sign = rb_integer_pack(str, bin, len, 1, 0, INTEGER_PACK_BIG_ENDIAN);
GetBN(self, bn);
if (!BN_bin2bn(bin, (int)len, bn)) {
ALLOCV_END(buf);
ossl_raise(eBNError, NULL);
}
ALLOCV_END(buf);
if (sign < 0) BN_set_negative(bn, 1);
return self;
}
if (RTEST(rb_obj_is_kind_of(str, cBN))) {
BIGNUM *other;
@ -239,11 +247,11 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
*
* === Parameters
* * +base+ - integer
* * * Valid values:
* * * * 0 - MPI
* * * * 2 - binary
* * * * 10 - the default
* * * * 16 - hex
* Valid values:
* * 0 - MPI
* * 2 - binary
* * 10 - the default
* * 16 - hex
*/
static VALUE
ossl_bn_to_s(int argc, VALUE *argv, VALUE self)
@ -346,18 +354,21 @@ ossl_bn_coerce(VALUE self, VALUE other)
/*
* Document-method: OpenSSL::BN#zero?
* call-seq:
* bn.zero? => true | false
*/
BIGNUM_BOOL1(is_zero)
/*
* Document-method: OpenSSL::BN#one?
* call-seq:
* bn.one? => true | false
*/
BIGNUM_BOOL1(is_one)
/*
* Document-method: OpenSSL::BN#odd?
* call-seq:
* bn.odd? => true | false
*/
BIGNUM_BOOL1(is_odd)
@ -383,6 +394,7 @@ BIGNUM_BOOL1(is_odd)
/*
* Document-method: OpenSSL::BN#sqr
* call-seq:
* bn.sqr => aBN
*/
BIGNUM_1c(sqr)
@ -408,12 +420,14 @@ BIGNUM_1c(sqr)
/*
* Document-method: OpenSSL::BN#+
* call-seq:
* bn + bn2 => aBN
*/
BIGNUM_2(add)
/*
* Document-method: OpenSSL::BN#-
* call-seq:
* bn - bn2 => aBN
*/
BIGNUM_2(sub)
@ -439,42 +453,49 @@ BIGNUM_2(sub)
/*
* Document-method: OpenSSL::BN#*
* call-seq:
* bn * bn2 => aBN
*/
BIGNUM_2c(mul)
/*
* Document-method: OpenSSL::BN#%
* call-seq:
* bn % bn2 => aBN
*/
BIGNUM_2c(mod)
/*
* Document-method: OpenSSL::BN#**
* call-seq:
* bn ** bn2 => aBN
*/
BIGNUM_2c(exp)
/*
* Document-method: OpenSSL::BN#gcd
* call-seq:
* bn.gcd(bn2) => aBN
*/
BIGNUM_2c(gcd)
/*
* Document-method: OpenSSL::BN#mod_sqr
* call-seq:
* bn.mod_sqr(bn2) => aBN
*/
BIGNUM_2c(mod_sqr)
/*
* Document-method: OpenSSL::BN#mod_inverse
* call-seq:
* bn.mod_inverse(bn2) => aBN
*/
BIGNUM_2c(mod_inverse)
/*
* Document-method: OpenSSL::BN#/
* call-seq:
* bn1 / bn2 => [result, remainder]
*
* Division of OpenSSL::BN instances
@ -529,24 +550,28 @@ ossl_bn_div(VALUE self, VALUE other)
/*
* Document-method: OpenSSL::BN#mod_add
* call-seq:
* bn.mod_add(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_add)
/*
* Document-method: OpenSSL::BN#mod_sub
* call-seq:
* bn.mod_sub(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_sub)
/*
* Document-method: OpenSSL::BN#mod_mul
* call-seq:
* bn.mod_mul(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_mul)
/*
* Document-method: OpenSSL::BN#mod_exp
* call-seq:
* bn.mod_exp(bn1, bn2) -> aBN
*/
BIGNUM_3c(mod_exp)
@ -565,29 +590,31 @@ BIGNUM_3c(mod_exp)
/*
* Document-method: OpenSSL::BN#set_bit!
* call-seq:
* bn.set_bit!(bit) -> self
*/
BIGNUM_BIT(set_bit)
/*
* Document-method: OpenSSL::BN#clear_bit!
* call-seq:
* bn.clear_bit!(bit) -> self
*/
BIGNUM_BIT(clear_bit)
/*
* Document-method: OpenSSL::BN#mask_bit!
* call-seq:
* bn.mask_bit!(bit) -> self
*/
BIGNUM_BIT(mask_bits)
/* Document-method: OpenSSL::BN#bit_set?
* call-seq:
* bn.bit_set?(bit) => true | false
*
* Returns boolean of whether +bit+ is set.
* Bitwise operations for openssl BIGNUMs.
*
* bn.bit_set?(bit) => true | false
*
*/
static VALUE
ossl_bn_is_bit_set(VALUE self, VALUE bit)
@ -653,12 +680,14 @@ BIGNUM_SHIFT(rshift)
/*
* Document-method: OpenSSL::BN#lshift!
* call-seq:
* bn.lshift!(bits) -> self
*/
BIGNUM_SELF_SHIFT(lshift)
/*
* Document-method: OpenSSL::BN#rshift!
* call-seq:
* bn.rshift!(bits) -> self
*/
BIGNUM_SELF_SHIFT(rshift)
@ -722,6 +751,7 @@ BIGNUM_RAND(pseudo_rand)
/*
* Document-method: OpenSSL::BN.rand_range
* call-seq:
* BN.rand_range(range) -> aBN
*
*/
@ -729,6 +759,7 @@ BIGNUM_RAND_RANGE(rand)
/*
* Document-method: OpenSSL::BN.pseudo_rand_range
* call-seq:
* BN.pseudo_rand_range(range) -> aBN
*
*/
@ -785,17 +816,19 @@ ossl_bn_s_generate_prime(int argc, VALUE *argv, VALUE klass)
{ \
BIGNUM *bn; \
GetBN(self, bn); \
return INT2FIX(BN_##func(bn)); \
return INT2NUM(BN_##func(bn)); \
}
/*
* Document-method: OpenSSL::BN#num_bytes
* call-seq:
* bn.num_bytes => integer
*/
BIGNUM_NUM(num_bytes)
/*
* Document-method: OpenSSL::BN#num_bits
* call-seq:
* bn.num_bits => integer
*/
BIGNUM_NUM(num_bits)
@ -824,21 +857,24 @@ ossl_bn_copy(VALUE self, VALUE other)
{ \
BIGNUM *bn1, *bn2 = GetBNPtr(other); \
GetBN(self, bn1); \
return INT2FIX(BN_##func(bn1, bn2)); \
return INT2NUM(BN_##func(bn1, bn2)); \
}
/*
* Document-method: OpenSSL::BN#cmp
* call-seq:
* bn.cmp(bn2) => integer
*/
/*
* Document-method: OpenSSL::BN#<=>
* call-seq:
* bn <=> bn2 => integer
*/
BIGNUM_CMP(cmp)
/*
* Document-method: OpenSSL::BN#ucmp
* call-seq:
* bn.ucmp(bn2) => integer
*/
BIGNUM_CMP(ucmp)
@ -921,9 +957,9 @@ ossl_bn_hash(VALUE self)
* bn.prime? => true | false
* bn.prime?(checks) => true | false
*
* Performs a Miller-Rabin probabilistic primality test with +checks+
* iterations. If +nchecks+ is not specified, a number of iterations is used
* that yields a false positive rate of at most 2^-80 for random input.
* Performs a Miller-Rabin probabilistic primality test with +checks+
* iterations. If +nchecks+ is not specified, a number of iterations is used
* that yields a false positive rate of at most 2^-80 for random input.
*
* === Parameters
* * +checks+ - integer
@ -957,8 +993,8 @@ ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)
* bn.prime_fasttest?(checks) => true | false
* bn.prime_fasttest?(checks, trial_div) => true | false
*
* Performs a Miller-Rabin primality test. This is same as #prime? except this
* first attempts trial divisions with some small primes.
* Performs a Miller-Rabin primality test. This is same as #prime? except this
* first attempts trial divisions with some small primes.
*
* === Parameters
* * +checks+ - integer
@ -1001,7 +1037,8 @@ void
Init_ossl_bn(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
if (!(ossl_bn_ctx = BN_CTX_new())) {

271
ext/openssl/ossl_cipher.c
View file

@ -36,6 +36,7 @@
*/
VALUE cCipher;
VALUE eCipherError;
static ID id_auth_tag_len;
static VALUE ossl_cipher_alloc(VALUE klass);
static void ossl_cipher_free(void *ptr);
@ -54,11 +55,24 @@ static const rb_data_type_t ossl_cipher_type = {
const EVP_CIPHER *
GetCipherPtr(VALUE obj)
{
EVP_CIPHER_CTX *ctx;
if (rb_obj_is_kind_of(obj, cCipher)) {
EVP_CIPHER_CTX *ctx;
SafeGetCipher(obj, ctx);
GetCipher(obj, ctx);
return EVP_CIPHER_CTX_cipher(ctx);
return EVP_CIPHER_CTX_cipher(ctx);
}
else {
const EVP_CIPHER *cipher;
StringValueCStr(obj);
cipher = EVP_get_cipherbyname(RSTRING_PTR(obj));
if (!cipher)
ossl_raise(rb_eArgError,
"unsupported cipher algorithm: %"PRIsVALUE, obj);
return cipher;
}
}
VALUE
@ -248,7 +262,7 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
*
* Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
* following methods:
* * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
* * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
*
* Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 1).
*/
@ -266,7 +280,7 @@ ossl_cipher_encrypt(int argc, VALUE *argv, VALUE self)
*
* Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
* following methods:
* * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
* * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
*
* Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 0).
*/
@ -278,20 +292,20 @@ ossl_cipher_decrypt(int argc, VALUE *argv, VALUE self)
/*
* call-seq:
* cipher.pkcs5_keyivgen(pass [, salt [, iterations [, digest]]] ) -> nil
* cipher.pkcs5_keyivgen(pass, salt = nil, iterations = 2048, digest = "MD5") -> nil
*
* Generates and sets the key/IV based on a password.
*
* WARNING: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
* *WARNING*: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
* or DES with MD5 or SHA1. Using anything else (like AES) will generate the
* key/iv using an OpenSSL specific method. This method is deprecated and
* should no longer be used. Use a PKCS5 v2 key generation method from
* OpenSSL::PKCS5 instead.
*
* === Parameters
* +salt+ must be an 8 byte string if provided.
* +iterations+ is a integer with a default of 2048.
* +digest+ is a Digest object that defaults to 'MD5'
* * +salt+ must be an 8 byte string if provided.
* * +iterations+ is a integer with a default of 2048.
* * +digest+ is a Digest object that defaults to 'MD5'
*
* A minimum of 1000 iterations is recommended.
*
@ -331,25 +345,23 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
const unsigned char *in, long in_len)
{
int out_part_len;
int limit = INT_MAX / 2 + 1;
long out_len = 0;
#define UPDATE_LENGTH_LIMIT INT_MAX
#if SIZEOF_LONG > UPDATE_LENGTH_LIMIT
if (in_len > UPDATE_LENGTH_LIMIT) {
const int in_part_len = (UPDATE_LENGTH_LIMIT / 2 + 1) & ~1;
do {
if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
&out_part_len, in, in_part_len))
return 0;
out_len += out_part_len;
in += in_part_len;
} while ((in_len -= in_part_len) > UPDATE_LENGTH_LIMIT);
}
#endif
if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
&out_part_len, in, (int)in_len))
return 0;
if (out_len_ptr) *out_len_ptr = out_len += out_part_len;
do {
int in_part_len = in_len > limit ? limit : (int)in_len;
if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
&out_part_len, in, in_part_len))
return 0;
out_len += out_part_len;
in += in_part_len;
} while ((in_len -= limit) > 0);
if (out_len_ptr)
*out_len_ptr = out_len;
return 1;
}
@ -362,9 +374,8 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
* data chunk. When done, the output of Cipher#final should be additionally
* added to the result.
*
* === Parameters
* +data+ is a nonempty string.
* +buffer+ is an optional string to store the result.
* If +buffer+ is given, the encryption/decryption result will be written to
* it. +buffer+ will be resized automatically.
*/
static VALUE
ossl_cipher_update(int argc, VALUE *argv, VALUE self)
@ -499,12 +510,17 @@ static VALUE
ossl_cipher_set_iv(VALUE self, VALUE iv)
{
EVP_CIPHER_CTX *ctx;
int iv_len;
int iv_len = 0;
StringValue(iv);
GetCipher(self, ctx);
iv_len = EVP_CIPHER_CTX_iv_length(ctx);
#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
#endif
if (!iv_len)
iv_len = EVP_CIPHER_CTX_iv_length(ctx);
if (RSTRING_LEN(iv) != iv_len)
ossl_raise(rb_eArgError, "iv must be %d bytes", iv_len);
@ -562,8 +578,9 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
* then set on the decryption cipher to authenticate the contents of the
* ciphertext against changes. If the optional integer parameter +tag_len+ is
* given, the returned tag will be +tag_len+ bytes long. If the parameter is
* omitted, the maximum length of 16 bytes will be returned. For maximum
* security, the default of 16 bytes should be chosen.
* omitted, the default length of 16 bytes or the length previously set by
* #auth_tag_len= will be used. For maximum security, the longest possible
* should be chosen.
*
* The tag may only be retrieved after calling Cipher#final.
*/
@ -574,7 +591,10 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
EVP_CIPHER_CTX *ctx;
int tag_len = 16;
if (rb_scan_args(argc, argv, "01", &vtag_len) == 1)
rb_scan_args(argc, argv, "01", &vtag_len);
if (NIL_P(vtag_len))
vtag_len = rb_attr_get(self, id_auth_tag_len);
if (!NIL_P(vtag_len))
tag_len = NUM2INT(vtag_len);
GetCipher(self, ctx);
@ -600,6 +620,9 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
* decrypting any of the ciphertext. After all decryption is
* performed, the tag is verified automatically in the call to
* Cipher#final.
*
* For OCB mode, the tag length must be supplied with #auth_tag_len=
* beforehand.
*/
static VALUE
ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
@ -622,6 +645,36 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
return vtag;
}
/*
* call-seq:
* cipher.auth_tag_len = Integer -> Integer
*
* Sets the length of the authentication tag to be generated or to be given for
* AEAD ciphers that requires it as in input parameter. Note that not all AEAD
* ciphers support this method.
*
* In OCB mode, the length must be supplied both when encrypting and when
* decrypting, and must be before specifying an IV.
*/
static VALUE
ossl_cipher_set_auth_tag_len(VALUE self, VALUE vlen)
{
int tag_len = NUM2INT(vlen);
EVP_CIPHER_CTX *ctx;
GetCipher(self, ctx);
if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
ossl_raise(eCipherError, "AEAD not supported by this cipher");
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, NULL))
ossl_raise(eCipherError, "unable to set authentication tag length");
/* for #auth_tag */
rb_ivar_set(self, id_auth_tag_len, INT2NUM(tag_len));
return vlen;
}
/*
* call-seq:
* cipher.authenticated? -> boolean
@ -638,11 +691,43 @@ ossl_cipher_is_authenticated(VALUE self)
return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
}
/*
* call-seq:
* cipher.iv_len = integer -> integer
*
* Sets the IV/nonce length of the Cipher. Normally block ciphers don't allow
* changing the IV length, but some make use of IV for 'nonce'. You may need
* this for interoperability with other applications.
*/
static VALUE
ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
{
int len = NUM2INT(iv_length);
EVP_CIPHER_CTX *ctx;
GetCipher(self, ctx);
if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
ossl_raise(eCipherError, "cipher does not support AEAD");
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL))
ossl_raise(eCipherError, "unable to set IV length");
/*
* EVP_CIPHER_CTX_iv_length() returns the default length. So we need to save
* the length somewhere. Luckily currently we aren't using app_data.
*/
EVP_CIPHER_CTX_set_app_data(ctx, (void *)(VALUE)len);
return iv_length;
}
#else
#define ossl_cipher_set_auth_data rb_f_notimplement
#define ossl_cipher_get_auth_tag rb_f_notimplement
#define ossl_cipher_set_auth_tag rb_f_notimplement
#define ossl_cipher_set_auth_tag_len rb_f_notimplement
#define ossl_cipher_is_authenticated rb_f_notimplement
#define ossl_cipher_set_iv_length rb_f_notimplement
#endif
/*
@ -692,36 +777,60 @@ ossl_cipher_set_padding(VALUE self, VALUE padding)
return padding;
}
#define CIPHER_0ARG_INT(func) \
static VALUE \
ossl_cipher_##func(VALUE self) \
{ \
EVP_CIPHER_CTX *ctx; \
GetCipher(self, ctx); \
return INT2NUM(EVP_CIPHER_##func(EVP_CIPHER_CTX_cipher(ctx))); \
}
/*
* call-seq:
* cipher.key_len -> integer
*
* Returns the key length in bytes of the Cipher.
*/
CIPHER_0ARG_INT(key_length)
static VALUE
ossl_cipher_key_length(VALUE self)
{
EVP_CIPHER_CTX *ctx;
GetCipher(self, ctx);
return INT2NUM(EVP_CIPHER_CTX_key_length(ctx));
}
/*
* call-seq:
* cipher.iv_len -> integer
*
* Returns the expected length in bytes for an IV for this Cipher.
*/
CIPHER_0ARG_INT(iv_length)
static VALUE
ossl_cipher_iv_length(VALUE self)
{
EVP_CIPHER_CTX *ctx;
int len = 0;
GetCipher(self, ctx);
#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
#endif
if (!len)
len = EVP_CIPHER_CTX_iv_length(ctx);
return INT2NUM(len);
}
/*
* call-seq:
* cipher.block_size -> integer
*
* Returns the size in bytes of the blocks on which this Cipher operates on.
*/
CIPHER_0ARG_INT(block_size)
static VALUE
ossl_cipher_block_size(VALUE self)
{
EVP_CIPHER_CTX *ctx;
GetCipher(self, ctx);
return INT2NUM(EVP_CIPHER_CTX_block_size(ctx));
}
/*
* INIT
@ -730,7 +839,8 @@ void
Init_ossl_cipher(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-class: OpenSSL::Cipher
@ -843,16 +953,16 @@ Init_ossl_cipher(void)
* of the IV as a nonce (number used once) - it's public but random and
* unpredictable. A secure random IV can be created as follows
*
* cipher = ...
* cipher.encrypt
* key = cipher.random_key
* iv = cipher.random_iv # also sets the generated IV on the Cipher
* cipher = ...
* cipher.encrypt
* key = cipher.random_key
* iv = cipher.random_iv # also sets the generated IV on the Cipher
*
* Although the key is generally a random value, too, it is a bad choice
* as an IV. There are elaborate ways how an attacker can take advantage
* of such an IV. As a general rule of thumb, exposing the key directly
* or indirectly should be avoided at all cost and exceptions only be
* made with good reason.
* Although the key is generally a random value, too, it is a bad choice
* as an IV. There are elaborate ways how an attacker can take advantage
* of such an IV. As a general rule of thumb, exposing the key directly
* or indirectly should be avoided at all cost and exceptions only be
* made with good reason.
*
* === Calling Cipher#final
*
@ -906,29 +1016,42 @@ Init_ossl_cipher(void)
* could otherwise be exploited to modify ciphertexts in ways beneficial to
* potential attackers.
*
* If no associated data is needed for encryption and later decryption,
* the OpenSSL library still requires a value to be set - "" may be used in
* case none is available. An example using the GCM (Galois Counter Mode):
* An associated data is used where there is additional information, such as
* headers or some metadata, that must be also authenticated but not
* necessarily need to be encrypted. If no associated data is needed for
* encryption and later decryption, the OpenSSL library still requires a
* value to be set - "" may be used in case none is available.
*
* cipher = OpenSSL::Cipher.new("aes-128-gcm")
* cipher.encrypt
* key = cipher.random_key
* iv = cipher.random_iv
* cipher.auth_data = ""
* An example using the GCM (Galois/Counter Mode). You have 16 bytes +key+,
* 12 bytes (96 bits) +nonce+ and the associated data +auth_data+. Be sure
* not to reuse the +key+ and +nonce+ pair. Reusing an nonce ruins the
* security gurantees of GCM mode.
*
* cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
* cipher.key = key
* cipher.iv = nonce
* cipher.auth_data = auth_data
*
* encrypted = cipher.update(data) + cipher.final
* tag = cipher.auth_tag
* tag = cipher.auth_tag # produces 16 bytes tag by default
*
* decipher = OpenSSL::Cipher.new("aes-128-gcm")
* decipher.decrypt
* Now you are the receiver. You know the +key+ and have received +nonce+,
* +auth_data+, +encrypted+ and +tag+ through an untrusted network. Note
* that GCM accepts an arbitrary length tag between 1 and 16 bytes. You may
* additionally need to check that the received tag has the correct length,
* or you allow attackers to forge a valid single byte tag for the tampered
* ciphertext with a probability of 1/256.
*
* raise "tag is truncated!" unless tag.bytesize == 16
* decipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
* decipher.key = key
* decipher.iv = iv
* decipher.iv = nonce
* decipher.auth_tag = tag
* decipher.auth_data = ""
* decipher.auth_data = auth_data
*
* plain = decipher.update(encrypted) + decipher.final
* decrypted = decipher.update(encrypted) + decipher.final
*
* puts data == plain #=> true
* puts data == decrypted #=> true
*/
cCipher = rb_define_class_under(mOSSL, "Cipher", rb_cObject);
eCipherError = rb_define_class_under(cCipher, "CipherError", eOSSLError);
@ -948,11 +1071,15 @@ Init_ossl_cipher(void)
rb_define_method(cCipher, "auth_data=", ossl_cipher_set_auth_data, 1);
rb_define_method(cCipher, "auth_tag=", ossl_cipher_set_auth_tag, 1);
rb_define_method(cCipher, "auth_tag", ossl_cipher_get_auth_tag, -1);
rb_define_method(cCipher, "auth_tag_len=", ossl_cipher_set_auth_tag_len, 1);
rb_define_method(cCipher, "authenticated?", ossl_cipher_is_authenticated, 0);
rb_define_method(cCipher, "key_len=", ossl_cipher_set_key_length, 1);
rb_define_method(cCipher, "key_len", ossl_cipher_key_length, 0);
rb_define_method(cCipher, "iv=", ossl_cipher_set_iv, 1);
rb_define_method(cCipher, "iv_len=", ossl_cipher_set_iv_length, 1);
rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
id_auth_tag_len = rb_intern_const("auth_tag_len");
}

17
ext/openssl/ossl_config.c
View file

@ -26,13 +26,13 @@ VALUE eConfigError;
*/
/*
* GetConfigPtr is a public C-level function for getting OpenSSL CONF struct
* DupConfigPtr is a public C-level function for getting OpenSSL CONF struct
* from an OpenSSL::Config(eConfig) instance. We decided to implement
* OpenSSL::Config in Ruby level but we need to pass native CONF struct for
* some OpenSSL features such as X509V3_EXT_*.
*/
CONF *
GetConfigPtr(VALUE obj)
DupConfigPtr(VALUE obj)
{
CONF *conf;
VALUE str;
@ -50,9 +50,10 @@ GetConfigPtr(VALUE obj)
if(!NCONF_load_bio(conf, bio, &eline)){
BIO_free(bio);
NCONF_free(conf);
if (eline <= 0) ossl_raise(eConfigError, "wrong config format");
else ossl_raise(eConfigError, "error in line %d", eline);
ossl_raise(eConfigError, NULL);
if (eline <= 0)
ossl_raise(eConfigError, "wrong config format");
else
ossl_raise(eConfigError, "error in line %d", eline);
}
BIO_free(bio);
@ -71,6 +72,12 @@ void
Init_ossl_config(void)
{
char *default_config_file;
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject);

1
ext/openssl/ossl_config.h
View file

@ -13,7 +13,6 @@
extern VALUE cConfig;
extern VALUE eConfigError;
CONF* GetConfigPtr(VALUE obj);
CONF* DupConfigPtr(VALUE obj);
void Init_ossl_config(void);

30
ext/openssl/ossl_digest.c
View file

@ -111,17 +111,16 @@ VALUE ossl_digest_update(VALUE, VALUE);
*
* Creates a Digest instance based on +string+, which is either the ln
* (long name) or sn (short name) of a supported digest algorithm.
*
* If +data+ (a +String+) is given, it is used as the initial input to the
* Digest instance, i.e.
*
* digest = OpenSSL::Digest.new('sha256', 'digestdata')
*
* is equal to
*
* digest = OpenSSL::Digest.new('sha256')
* digest.update('digestdata')
*
* === Example
* digest = OpenSSL::Digest.new('sha1')
*
*
*/
static VALUE
ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
@ -203,7 +202,9 @@ ossl_digest_update(VALUE self, VALUE data)
StringValue(data);
GetDigest(self, ctx);
EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data));
if (!EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)))
ossl_raise(eDigestError, "EVP_DigestUpdate");
return self;
}
@ -218,19 +219,21 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
{
EVP_MD_CTX *ctx;
VALUE str;
rb_scan_args(argc, argv, "01", &str);
int out_len;
GetDigest(self, ctx);
rb_scan_args(argc, argv, "01", &str);
out_len = EVP_MD_CTX_size(ctx);
if (NIL_P(str)) {
str = rb_str_new(NULL, EVP_MD_CTX_size(ctx));
str = rb_str_new(NULL, out_len);
} else {
StringValue(str);
rb_str_resize(str, EVP_MD_CTX_size(ctx));
rb_str_resize(str, out_len);
}
EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL);
if (!EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL))
ossl_raise(eDigestError, "EVP_DigestFinal_ex");
return str;
}
@ -239,7 +242,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
* call-seq:
* digest.name -> string
*
* Returns the sn of this Digest instance.
* Returns the sn of this Digest algorithm.
*
* === Example
* digest = OpenSSL::Digest::SHA512.new
@ -310,7 +313,8 @@ Init_ossl_digest(void)
rb_require("digest");
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-class: OpenSSL::Digest

8
ext/openssl/ossl_engine.c
View file

@ -161,8 +161,6 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
* OpenSSL::Engine.load. However, running cleanup before exit is recommended.
*
* Note that this is needed and works only in OpenSSL < 1.1.0.
*
* See also, https://www.openssl.org/docs/crypto/engine.html
*/
static VALUE
ossl_engine_s_cleanup(VALUE self)
@ -531,6 +529,11 @@ ossl_engine_inspect(VALUE self)
void
Init_ossl_engine(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
cEngine = rb_define_class_under(mOSSL, "Engine", rb_cObject);
eEngineError = rb_define_class_under(cEngine, "EngineError", eOSSLError);
@ -540,6 +543,7 @@ Init_ossl_engine(void)
rb_define_singleton_method(cEngine, "engines", ossl_engine_s_engines, 0);
rb_define_singleton_method(cEngine, "by_id", ossl_engine_s_by_id, 1);
rb_undef_method(CLASS_OF(cEngine), "new");
rb_undef_method(cEngine, "initialize_copy");
rb_define_method(cEngine, "id", ossl_engine_get_id, 0);
rb_define_method(cEngine, "name", ossl_engine_get_name, 0);

100
ext/openssl/ossl_hmac.c
View file

@ -162,7 +162,7 @@ ossl_hmac_update(VALUE self, VALUE data)
}
static void
hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
{
HMAC_CTX *final;
@ -175,12 +175,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
ossl_raise(eHMACError, "HMAC_CTX_copy");
}
if (!(*buf = OPENSSL_malloc(HMAC_size(final)))) {
HMAC_CTX_free(final);
OSSL_Debug("Allocating %d mem", (int)HMAC_size(final));
ossl_raise(eHMACError, "Cannot allocate memory for hmac");
}
HMAC_Final(final, *buf, buf_len);
HMAC_Final(final, buf, buf_len);
HMAC_CTX_free(final);
}
@ -191,26 +186,25 @@ hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
* Returns the authentication code an instance represents as a binary string.
*
* === Example
*
* instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
* instance.digest
* #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
*
* instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
* instance.digest
* #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
*/
static VALUE
ossl_hmac_digest(VALUE self)
{
HMAC_CTX *ctx;
unsigned char *buf;
unsigned int buf_len;
VALUE digest;
VALUE ret;
GetHMAC(self, ctx);
hmac_final(ctx, &buf, &buf_len);
digest = ossl_buf2str((char *)buf, buf_len);
ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
assert(buf_len <= EVP_MAX_MD_SIZE);
rb_str_set_len(ret, buf_len);
return digest;
return ret;
}
/*
@ -219,27 +213,21 @@ ossl_hmac_digest(VALUE self)
*
* Returns the authentication code an instance represents as a hex-encoded
* string.
*
*/
static VALUE
ossl_hmac_hexdigest(VALUE self)
{
HMAC_CTX *ctx;
unsigned char *buf;
char *hexbuf;
unsigned char buf[EVP_MAX_MD_SIZE];
unsigned int buf_len;
VALUE hexdigest;
VALUE ret;
GetHMAC(self, ctx);
hmac_final(ctx, &buf, &buf_len);
if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
OPENSSL_free(buf);
ossl_raise(eHMACError, "Memory alloc error");
}
OPENSSL_free(buf);
hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
hmac_final(ctx, buf, &buf_len);
ret = rb_str_new(NULL, buf_len * 2);
ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
return hexdigest;
return ret;
}
/*
@ -323,22 +311,22 @@ ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
static VALUE
ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
{
unsigned char *buf;
char *hexbuf;
unsigned char buf[EVP_MAX_MD_SIZE];
unsigned int buf_len;
VALUE hexdigest;
VALUE ret;
StringValue(key);
StringValue(data);
buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
(unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
ossl_raise(eHMACError, "Cannot convert buf to hexbuf");
}
hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
if (!HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
(unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data),
buf, &buf_len))
ossl_raise(eHMACError, "HMAC");
return hexdigest;
ret = rb_str_new(NULL, buf_len * 2);
ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
return ret;
}
/*
@ -348,10 +336,38 @@ void
Init_ossl_hmac(void)
{
#if 0
/* :nodoc: */
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/*
* Document-class: OpenSSL::HMAC
*
* OpenSSL::HMAC allows computing Hash-based Message Authentication Code
* (HMAC). It is a type of message authentication code (MAC) involving a
* hash function in combination with a key. HMAC can be used to verify the
* integrity of a message as well as the authenticity.
*
* OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
*
* === HMAC-SHA256 using one-shot interface
*
* key = "key"
* data = "message-to-be-authenticated"
* mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
* #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
*
* === HMAC-SHA256 using incremental interface
*
* data1 = File.read("file1")
* data2 = File.read("file2")
* key = "key"
* digest = OpenSSL::Digest::SHA256.new
* hmac = OpenSSL::HMAC.new(key, digest)
* hmac << data1
* hmac << data2
* mac = hmac.digest
*/
eHMACError = rb_define_class_under(mOSSL, "HMACError", eOSSLError);
cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);

3
ext/openssl/ossl_ns_spki.c
View file

@ -380,7 +380,8 @@ void
Init_ossl_ns_spki(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
mNetscape = rb_define_module_under(mOSSL, "Netscape");

108
ext/openssl/ossl_ocsp.c
View file

@ -321,12 +321,17 @@ static VALUE
ossl_ocspreq_add_certid(VALUE self, VALUE certid)
{
OCSP_REQUEST *req;
OCSP_CERTID *id;
OCSP_CERTID *id, *id_new;
GetOCSPReq(self, req);
GetOCSPCertId(certid, id);
if(!OCSP_request_add0_id(req, OCSP_CERTID_dup(id)))
ossl_raise(eOCSPError, NULL);
if (!(id_new = OCSP_CERTID_dup(id)))
ossl_raise(eOCSPError, "OCSP_CERTID_dup");
if (!OCSP_request_add0_id(req, id_new)) {
OCSP_CERTID_free(id_new);
ossl_raise(eOCSPError, "OCSP_request_add0_id");
}
return self;
}
@ -368,14 +373,16 @@ ossl_ocspreq_get_certid(VALUE self)
*
* Signs this OCSP request using +cert+, +key+ and optional +digest+. If
* +digest+ is not specified, SHA-1 is used. +certs+ is an optional Array of
* additional certificates that will be included in the request. If +certs+ is
* not specified, flag OpenSSL::OCSP::NOCERTS is set. Pass an empty array to
* include only the signer certificate.
* additional certificates which are included in the request in addition to
* the signer certificate. Note that if +certs+ is nil or not given, flag
* OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the
* signer certificate.
*
* +flags+ can include:
* OpenSSL::OCSP::NOCERTS:: don't include certificates
* +flags+ can be a bitwise OR of the following constants:
*
* OpenSSL::OCSP::NOCERTS::
* Don't include any certificates in the request. +certs+ will be ignored.
*/
static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
@ -399,7 +406,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
else
md = GetDigestPtr(digest);
if (NIL_P(certs))
flags |= OCSP_NOCERTS;
flg |= OCSP_NOCERTS;
else
x509s = ossl_x509_ary2sk(certs);
@ -435,7 +442,7 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
x509s = ossl_x509_ary2sk(certs);
result = OCSP_request_verify(req, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if (!result)
if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
@ -856,13 +863,11 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
X509_EXTENSION *x509ext;
for(i = 0; i < RARRAY_LEN(ext); i++){
x509ext = DupX509ExtPtr(RARRAY_AREF(ext, i));
x509ext = GetX509ExtPtr(RARRAY_AREF(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
X509_EXTENSION_free(x509ext);
error = 1;
goto err;
}
X509_EXTENSION_free(x509ext);
}
}
@ -911,7 +916,7 @@ ossl_ocspbres_get_status(VALUE self)
status = OCSP_single_get0_status(single, &reason, &revtime,
&thisupd, &nextupd);
if(status < 0) continue;
if(!(cid = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(single))))
if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
ossl_raise(eOCSPError, NULL);
ary = rb_ary_new();
rb_ary_push(ary, ossl_ocspcertid_new(cid));
@ -1065,9 +1070,57 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
/*
* OpenSSL had a bug that it doesn't use the certificates in x509s for
* verifying the chain. This can be a problem when the response is signed by
* a certificate issued by an intermediate CA.
*
* root_ca
* |
* intermediate_ca
* |-------------|
* end_entity ocsp_signer
*
* When the certificate hierarchy is like this, and the response contains
* only ocsp_signer certificate, the following code wrongly fails.
*
* store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
* basic_response.verify([intermediate_ca], store)
*
* So add the certificates in x509s to the embedded certificates list first.
*
* This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
* exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
*/
if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
int i;
bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
if (!bs) {
sk_X509_pop_free(x509s, X509_free);
ossl_raise(eOCSPError, "ASN1_item_dup");
}
for (i = 0; i < sk_X509_num(x509s); i++) {
if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
sk_X509_pop_free(x509s, X509_free);
OCSP_BASICRESP_free(bs);
ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
}
}
result = OCSP_basic_verify(bs, x509s, x509st, flg);
OCSP_BASICRESP_free(bs);
}
else {
result = OCSP_basic_verify(bs, x509s, x509st, flg);
}
#else
result = OCSP_basic_verify(bs, x509s, x509st, flg);
#endif
sk_X509_pop_free(x509s, X509_free);
if (!result)
if (result <= 0)
ossl_clear_error();
return result > 0 ? Qtrue : Qfalse;
@ -1228,7 +1281,7 @@ ossl_ocspsres_get_certid(VALUE self)
OCSP_CERTID *id;
GetOCSPSingleRes(self, sres);
id = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(sres));
id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
return ossl_ocspcertid_new(id);
}
@ -1549,15 +1602,15 @@ ossl_ocspcid_get_issuer_name_hash(VALUE self)
{
OCSP_CERTID *id;
ASN1_OCTET_STRING *name_hash;
char *hexbuf;
VALUE ret;
GetOCSPCertId(self, id);
OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
if (string2hex(name_hash->data, name_hash->length, &hexbuf, NULL) < 0)
ossl_raise(eOCSPError, "string2hex");
ret = rb_str_new(NULL, name_hash->length * 2);
ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
return ossl_buf2str(hexbuf, name_hash->length * 2);
return ret;
}
/*
@ -1572,15 +1625,15 @@ ossl_ocspcid_get_issuer_key_hash(VALUE self)
{
OCSP_CERTID *id;
ASN1_OCTET_STRING *key_hash;
char *hexbuf;
VALUE ret;
GetOCSPCertId(self, id);
OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
if (string2hex(key_hash->data, key_hash->length, &hexbuf, NULL) < 0)
ossl_raise(eOCSPError, "string2hex");
ret = rb_str_new(NULL, key_hash->length * 2);
ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
return ossl_buf2str(hexbuf, key_hash->length * 2);
return ret;
}
/*
@ -1639,6 +1692,11 @@ ossl_ocspcid_to_der(VALUE self)
void
Init_ossl_ocsp(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/*
* OpenSSL::OCSP implements Online Certificate Status Protocol requests
* and responses.

37
ext/openssl/ossl_pkcs12.c
View file

@ -65,6 +65,25 @@ ossl_pkcs12_s_allocate(VALUE klass)
return obj;
}
static VALUE
ossl_pkcs12_initialize_copy(VALUE self, VALUE other)
{
PKCS12 *p12, *p12_old, *p12_new;
rb_check_frozen(self);
GetPKCS12(self, p12_old);
SafeGetPKCS12(other, p12);
p12_new = ASN1_dup((i2d_of_void *)i2d_PKCS12, (d2i_of_void *)d2i_PKCS12, (char *)p12);
if (!p12_new)
ossl_raise(ePKCS12Error, "ASN1_dup");
SetPKCS12(self, p12_new);
PKCS12_free(p12_old);
return self;
}
/*
* call-seq:
* PKCS12.create(pass, name, key, cert [, ca, [, key_pbe [, cert_pbe [, key_iter [, mac_iter [, keytype]]]]]])
@ -74,8 +93,8 @@ ossl_pkcs12_s_allocate(VALUE klass)
* * +name+ - A string describing the key.
* * +key+ - Any PKey.
* * +cert+ - A X509::Certificate.
* * * The public_key portion of the certificate must contain a valid public key.
* * * The not_before and not_after fields must be filled in.
* * The public_key portion of the certificate must contain a valid public key.
* * The not_before and not_after fields must be filled in.
* * +ca+ - An optional array of X509::Certificate's.
* * +key_pbe+ - string
* * +cert_pbe+ - string
@ -104,7 +123,6 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
friendlyname = NIL_P(name) ? NULL : StringValueCStr(name);
key = GetPKeyPtr(pkey);
x509 = GetX509CertPtr(cert);
x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
/* TODO: make a VALUE to nid function */
if (!NIL_P(key_nid)) {
if ((nkey = OBJ_txt2nid(StringValueCStr(key_nid))) == NID_undef)
@ -122,6 +140,7 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
ktype = NUM2INT(keytype);
obj = NewPKCS12(cPKCS12);
x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s,
nkey, ncert, kiter, miter, ktype);
sk_X509_pop_free(x509s, X509_free);
@ -171,14 +190,14 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
ossl_raise(ePKCS12Error, "PKCS12_parse");
ERR_pop_to_mark();
pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key,
pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key,
&st); /* NO DUP */
if(st) goto err;
cert = rb_protect((VALUE(*)_((VALUE)))ossl_x509_new, (VALUE)x509, &st);
cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
if(st) goto err;
if(x509s){
ca =
rb_protect((VALUE(*)_((VALUE)))ossl_x509_sk2ary, (VALUE)x509s, &st);
rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
if(st) goto err;
}
@ -216,6 +235,11 @@ ossl_pkcs12_to_der(VALUE self)
void
Init_ossl_pkcs12(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/*
* Defines a file format commonly used to store private keys with
* accompanying public key certificates, protected with a password-based
@ -226,6 +250,7 @@ Init_ossl_pkcs12(void)
rb_define_singleton_method(cPKCS12, "create", ossl_pkcs12_s_create, -1);
rb_define_alloc_func(cPKCS12, ossl_pkcs12_s_allocate);
rb_define_copy_func(cPKCS12, ossl_pkcs12_initialize_copy);
rb_attr(cPKCS12, rb_intern("key"), 1, 0, Qfalse);
rb_attr(cPKCS12, rb_intern("certificate"), 1, 0, Qfalse);
rb_attr(cPKCS12, rb_intern("ca_certs"), 1, 0, Qfalse);

18
ext/openssl/ossl_pkcs5.c
View file

@ -18,7 +18,7 @@ VALUE ePKCS5;
* * +keylen+ - integer
* * +digest+ - a string or OpenSSL::Digest object.
*
* Available in OpenSSL 0.9.4.
* Available in OpenSSL >= 1.0.0.
*
* Digests other than SHA1 may not be supported by other cryptography libraries.
*/
@ -60,7 +60,7 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
*
* This method is available in almost any version of OpenSSL.
*
* Conforms to rfc2898.
* Conforms to RFC 2898.
*/
static VALUE
ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen)
@ -84,14 +84,10 @@ ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALU
void
Init_ossl_pkcs5(void)
{
/*
* Password-based Encryption
*
*/
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
#endif
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-class: OpenSSL::PKCS5
*
@ -104,7 +100,7 @@ Init_ossl_pkcs5(void)
*
* PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based
* HMAC, or an arbitrary Digest if the underlying version of OpenSSL
* already supports it (>= 0.9.4).
* already supports it (>= 1.0.0).
*
* === Parameters
* ==== Password

17
ext/openssl/ossl_pkcs7.c
View file

@ -772,7 +772,9 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
VALUE data;
const char *msg;
GetPKCS7(self, p7);
rb_scan_args(argc, argv, "22", &certs, &store, &indata, &flags);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
@ -784,8 +786,6 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
rb_jump_tag(status);
}
}
x509st = GetX509StorePtr(store);
GetPKCS7(self, p7);
if(!(out = BIO_new(BIO_s_mem()))){
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
@ -793,13 +793,13 @@ ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
}
ok = PKCS7_verify(p7, x509s, x509st, in, out, flg);
BIO_free(in);
if (ok < 0) ossl_raise(ePKCS7Error, NULL);
sk_X509_pop_free(x509s, X509_free);
if (ok < 0) ossl_raise(ePKCS7Error, "PKCS7_verify");
msg = ERR_reason_error_string(ERR_get_error());
ossl_pkcs7_set_err_string(self, msg ? rb_str_new2(msg) : Qnil);
ossl_clear_error();
data = ossl_membio2str(out);
ossl_pkcs7_set_data(self, data);
sk_X509_pop_free(x509s, X509_free);
return (ok == 1) ? Qtrue : Qfalse;
}
@ -839,12 +839,12 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
char buf[4096];
int len;
in = ossl_obj2bio(data);
GetPKCS7(self, pkcs7);
if(PKCS7_type_is_signed(pkcs7)){
if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
ossl_raise(ePKCS7Error, NULL);
}
in = ossl_obj2bio(data);
if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
for(;;){
if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
@ -856,7 +856,7 @@ ossl_pkcs7_add_data(VALUE self, VALUE data)
ossl_pkcs7_set_data(self, Qnil);
err:
BIO_free(out);
BIO_free_all(out);
BIO_free(in);
if(ERR_peek_error()){
ossl_raise(ePKCS7Error, NULL);
@ -1054,6 +1054,11 @@ ossl_pkcs7ri_get_enc_key(VALUE self)
void
Init_ossl_pkcs7(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
cPKCS7 = rb_define_class_under(mOSSL, "PKCS7", rb_cObject);
ePKCS7Error = rb_define_class_under(cPKCS7, "PKCS7Error", eOSSLError);
rb_define_singleton_method(cPKCS7, "read_smime", ossl_pkcs7_s_read_smime, 1);

42
ext/openssl/ossl_pkey.c
View file

@ -15,7 +15,7 @@
VALUE mPKey;
VALUE cPKey;
VALUE ePKeyError;
ID id_private_q;
static ID id_private_q;
/*
* callback for generating keys
@ -123,16 +123,19 @@ ossl_pkey_new_from_file(VALUE filename)
/*
* call-seq:
* OpenSSL::PKey.read(string [, pwd ] ) -> PKey
* OpenSSL::PKey.read(file [, pwd ]) -> PKey
* OpenSSL::PKey.read(string [, pwd ]) -> PKey
* OpenSSL::PKey.read(io [, pwd ]) -> PKey
*
* Reads a DER or PEM encoded string from +string+ or +io+ and returns an
* instance of the appropriate PKey class.
*
* === Parameters
* * +string+ is a DER- or PEM-encoded string containing an arbitrary private
* or public key.
* * +file+ is an instance of +File+ containing a DER- or PEM-encoded
* arbitrary private or public key.
* or public key.
* * +io+ is an instance of +IO+ containing a DER- or PEM-encoded
* arbitrary private or public key.
* * +pwd+ is an optional password in case +string+ or +file+ is an encrypted
* PEM resource.
* PEM resource.
*/
static VALUE
ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
@ -158,7 +161,8 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
BIO_free(bio);
if (!pkey)
ossl_raise(rb_eArgError, "Could not parse PKey");
ossl_raise(ePKeyError, "Could not parse PKey");
return ossl_pkey_new(pkey);
}
@ -196,20 +200,6 @@ DupPKeyPtr(VALUE obj)
return pkey;
}
EVP_PKEY *
DupPrivPKeyPtr(VALUE obj)
{
EVP_PKEY *pkey;
if (rb_funcallv(obj, id_private_q, 0, NULL) != Qtrue) {
ossl_raise(rb_eArgError, "Private key is needed.");
}
SafeGetPKey(obj, pkey);
EVP_PKEY_up_ref(pkey);
return pkey;
}
/*
* Private
*/
@ -271,9 +261,7 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
VALUE str;
int result;
if (rb_funcallv(self, id_private_q, 0, NULL) != Qtrue)
ossl_raise(rb_eArgError, "Private key is needed.");
GetPKey(self, pkey);
pkey = GetPrivPKeyPtr(self);
md = GetDigestPtr(digest);
StringValue(data);
str = rb_str_new(0, EVP_PKEY_size(pkey)+16);
@ -336,6 +324,7 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
EVP_MD_CTX_free(ctx);
switch (result) {
case 0:
ossl_clear_error();
return Qfalse;
case 1:
return Qtrue;
@ -352,7 +341,8 @@ void
Init_ossl_pkey(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
/* Document-module: OpenSSL::PKey

2
ext/openssl/ossl_pkey.h
View file

@ -13,7 +13,6 @@
extern VALUE mPKey;
extern VALUE cPKey;
extern VALUE ePKeyError;
extern ID id_private_q;
extern const rb_data_type_t ossl_evp_pkey_type;
#define OSSL_PKEY_SET_PRIVATE(obj) rb_iv_set((obj), "private", Qtrue)
@ -53,7 +52,6 @@ VALUE ossl_pkey_new_from_file(VALUE);
EVP_PKEY *GetPKeyPtr(VALUE);
EVP_PKEY *DupPKeyPtr(VALUE);
EVP_PKEY *GetPrivPKeyPtr(VALUE);
EVP_PKEY *DupPrivPKeyPtr(VALUE);
void Init_ossl_pkey(void);
/*

47
ext/openssl/ossl_pkey_dh.c
View file

@ -175,8 +175,10 @@ ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass)
}
/*
* call-seq:
* DH.new([size [, generator] | string]) -> dh
* call-seq:
* DH.new -> dh
* DH.new(string) -> dh
* DH.new(size [, generator]) -> dh
*
* Either generates a DH instance from scratch or by reading already existing
* DH parameters from +string+. Note that when reading a DH instance from
@ -210,11 +212,11 @@ ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &gen) == 0) {
dh = DH_new();
}
else if (FIXNUM_P(arg)) {
else if (RB_INTEGER_TYPE_P(arg)) {
if (!NIL_P(gen)) {
g = NUM2INT(gen);
}
if (!(dh = dh_generate(FIX2INT(arg), g))) {
if (!(dh = dh_generate(NUM2INT(arg), g))) {
ossl_raise(eDHError, NULL);
}
}
@ -525,7 +527,7 @@ ossl_dh_generate_key(VALUE self)
*
* === Parameters
* * +pub_bn+ is a OpenSSL::BN, *not* the DH instance returned by
* DH#public_key as that contains the DH parameters only.
* DH#public_key as that contains the DH parameters only.
*/
static VALUE
ossl_dh_compute_key(VALUE self, VALUE pub)
@ -550,7 +552,21 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
return str;
}
/*
* Document-method: OpenSSL::PKey::DH#set_pqg
* call-seq:
* dh.set_pqg(p, q, g) -> self
*
* Sets +p+, +q+, +g+ for the DH instance.
*/
OSSL_PKEY_BN_DEF3(dh, DH, pqg, p, q, g)
/*
* Document-method: OpenSSL::PKey::DH#set_key
* call-seq:
* dh.set_key(pub_key, priv_key) -> self
*
* Sets +pub_key+ and +priv_key+ for the DH instance. +priv_key+ may be nil.
*/
OSSL_PKEY_BN_DEF2(dh, DH, key, pub_key, priv_key)
/*
@ -560,8 +576,9 @@ void
Init_ossl_dh(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::DHError
@ -578,15 +595,15 @@ Init_ossl_dh(void)
* on.
*
* === Accessor methods for the Diffie-Hellman parameters
* * DH#p
* The prime (an OpenSSL::BN) of the Diffie-Hellman parameters.
* * DH#g
* The generator (an OpenSSL::BN) g of the Diffie-Hellman parameters.
* * DH#pub_key
* The per-session public key (an OpenSSL::BN) matching the private key.
* This needs to be passed to DH#compute_key.
* * DH#priv_key
* The per-session private key, an OpenSSL::BN.
* DH#p::
* The prime (an OpenSSL::BN) of the Diffie-Hellman parameters.
* DH#g::
* The generator (an OpenSSL::BN) g of the Diffie-Hellman parameters.
* DH#pub_key::
* The per-session public key (an OpenSSL::BN) matching the private key.
* This needs to be passed to DH#compute_key.
* DH#priv_key::
* The per-session private key, an OpenSSL::BN.
*
* === Example of a key exchange
* dh1 = OpenSSL::PKey::DH.new(2048)

42
ext/openssl/ossl_pkey_dsa.c
View file

@ -95,8 +95,6 @@ ossl_dsa_new(EVP_PKEY *pkey)
struct dsa_blocking_gen_arg {
DSA *dsa;
int size;
unsigned char* seed;
int seed_len;
int *counter;
unsigned long *h;
BN_GENCB *cb;
@ -107,7 +105,8 @@ static void *
dsa_blocking_gen(void *arg)
{
struct dsa_blocking_gen_arg *gen = (struct dsa_blocking_gen_arg *)arg;
gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, gen->seed, gen->seed_len, gen->counter, gen->h, gen->cb);
gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, NULL, 0,
gen->counter, gen->h, gen->cb);
return 0;
}
@ -118,13 +117,9 @@ dsa_generate(int size)
struct dsa_blocking_gen_arg gen_arg;
DSA *dsa = DSA_new();
BN_GENCB *cb = BN_GENCB_new();
unsigned char seed[20];
int seed_len = 20, counter;
int counter;
unsigned long h;
if (RAND_bytes(seed, seed_len) <= 0)
return NULL;
if (!dsa || !cb) {
DSA_free(dsa);
BN_GENCB_free(cb);
@ -136,8 +131,6 @@ dsa_generate(int size)
BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
gen_arg.dsa = dsa;
gen_arg.size = size;
gen_arg.seed = seed;
gen_arg.seed_len = seed_len;
gen_arg.counter = &counter;
gen_arg.h = &h;
gen_arg.cb = cb;
@ -198,7 +191,9 @@ ossl_dsa_s_generate(VALUE klass, VALUE size)
/*
* call-seq:
* DSA.new([size | string [, pass]) -> dsa
* DSA.new -> dsa
* DSA.new(size) -> dsa
* DSA.new(string [, pass]) -> dsa
*
* Creates a new DSA instance by reading an existing key from +string+.
*
@ -226,8 +221,8 @@ ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {
dsa = DSA_new();
}
else if (FIXNUM_P(arg)) {
if (!(dsa = dsa_generate(FIX2INT(arg)))) {
else if (RB_INTEGER_TYPE_P(arg)) {
if (!(dsa = dsa_generate(NUM2INT(arg)))) {
ossl_raise(eDSAError, NULL);
}
}
@ -387,14 +382,14 @@ static VALUE
ossl_dsa_to_der(VALUE self)
{
DSA *dsa;
int (*i2d_func)_((DSA*, unsigned char**));
int (*i2d_func)(DSA *, unsigned char **);
unsigned char *p;
long len;
VALUE str;
GetDSA(self, dsa);
if(DSA_HAS_PRIVATE(dsa))
i2d_func = (int(*)_((DSA*,unsigned char**)))i2d_DSAPrivateKey;
i2d_func = (int (*)(DSA *,unsigned char **))i2d_DSAPrivateKey;
else
i2d_func = i2d_DSA_PUBKEY;
if((len = i2d_func(dsa, NULL)) <= 0)
@ -592,7 +587,21 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
return Qfalse;
}
/*
* Document-method: OpenSSL::PKey::DSA#set_pqg
* call-seq:
* dsa.set_pqg(p, q, g) -> self
*
* Sets +p+, +q+, +g+ for the DSA instance.
*/
OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g)
/*
* Document-method: OpenSSL::PKey::DSA#set_key
* call-seq:
* dsa.set_key(pub_key, priv_key) -> self
*
* Sets +pub_key+ and +priv_key+ for the DSA instance. +priv_key+ may be nil.
*/
OSSL_PKEY_BN_DEF2(dsa, DSA, key, pub_key, priv_key)
/*
@ -602,8 +611,9 @@ void
Init_ossl_dsa(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::DSAError

377
ext/openssl/ossl_pkey_ec.c
View file

@ -108,6 +108,8 @@ static ID ID_uncompressed;
static ID ID_compressed;
static ID ID_hybrid;
static ID id_i_group, id_i_key;
static VALUE ec_instance(VALUE klass, EC_KEY *ec)
{
EVP_PKEY *pkey;
@ -213,17 +215,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
return obj;
}
/* call-seq:
* OpenSSL::PKey::EC.new()
* OpenSSL::PKey::EC.new(ec_key)
* OpenSSL::PKey::EC.new(ec_group)
* OpenSSL::PKey::EC.new("secp112r1")
* OpenSSL::PKey::EC.new(pem_string)
* OpenSSL::PKey::EC.new(pem_string [, pwd])
* OpenSSL::PKey::EC.new(der_string)
/*
* call-seq:
* OpenSSL::PKey::EC.new
* OpenSSL::PKey::EC.new(ec_key)
* OpenSSL::PKey::EC.new(ec_group)
* OpenSSL::PKey::EC.new("secp112r1")
* OpenSSL::PKey::EC.new(pem_string [, pwd])
* OpenSSL::PKey::EC.new(der_string)
*
* See the OpenSSL documentation for:
* EC_KEY_*
* Creates a new EC object from given arguments.
*/
static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
{
@ -280,7 +281,7 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
rb_iv_set(self, "@group", Qnil);
rb_ivar_set(self, id_i_group, Qnil);
return self;
}
@ -303,7 +304,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
EC_KEY_free(ec_new);
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
rb_iv_set(self, "@group", Qnil); /* EC_KEY_dup() also copies the EC_GROUP */
rb_ivar_set(self, id_i_group, Qnil); /* EC_KEY_dup() also copies the EC_GROUP */
return self;
}
@ -324,7 +325,7 @@ static VALUE ossl_ec_key_get_group(VALUE self)
Require_EC_KEY(self, ec);
group_v = rb_iv_get(self, "@group");
group_v = rb_attr_get(self, id_i_group);
if (!NIL_P(group_v))
return group_v;
@ -333,8 +334,8 @@ static VALUE ossl_ec_key_get_group(VALUE self)
SafeGet_ec_group(group_v, ec_group);
ec_group->group = group;
ec_group->dont_free = 1;
rb_iv_set(group_v, "@key", self);
rb_iv_set(self, "@group", group_v);
rb_ivar_set(group_v, id_i_key, self);
rb_ivar_set(self, id_i_group, group_v);
return group_v;
}
@ -366,17 +367,17 @@ static VALUE ossl_ec_key_set_group(VALUE self, VALUE group_v)
Require_EC_KEY(self, ec);
SafeRequire_EC_GROUP(group_v, group);
old_group_v = rb_iv_get(self, "@group");
old_group_v = rb_attr_get(self, id_i_group);
if (!NIL_P(old_group_v)) {
ossl_ec_group *old_ec_group;
SafeGet_ec_group(old_group_v, old_ec_group);
old_ec_group->group = NULL;
old_ec_group->dont_free = 0;
rb_iv_set(old_group_v, "@key", Qnil);
rb_ivar_set(old_group_v, id_i_key, Qnil);
}
rb_iv_set(self, "@group", Qnil);
rb_ivar_set(self, id_i_group, Qnil);
if (EC_KEY_set_group(ec, group) != 1)
ossl_raise(eECError, "EC_KEY_set_group");
@ -446,7 +447,7 @@ static VALUE ossl_ec_point_dup(const EC_POINT *point, VALUE group_v)
new_point->point = EC_POINT_dup(point, group);
if (new_point->point == NULL)
ossl_raise(eEC_POINT, "EC_POINT_dup");
rb_iv_set(obj, "@group", group_v);
rb_ivar_set(obj, id_i_group, group_v);
return obj;
}
@ -542,6 +543,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
int i = -1;
int private = 0;
VALUE str;
const EVP_CIPHER *cipher = NULL;
Require_EC_KEY(self, ec);
@ -554,17 +556,17 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
if (EC_KEY_get0_private_key(ec))
private = 1;
if (!NIL_P(ciph)) {
cipher = GetCipherPtr(ciph);
pass = ossl_pem_passwd_value(pass);
}
if (!(out = BIO_new(BIO_s_mem())))
ossl_raise(eECError, "BIO_new(BIO_s_mem())");
switch(format) {
case EXPORT_PEM:
if (private) {
const EVP_CIPHER *cipher = NULL;
if (!NIL_P(ciph)) {
cipher = GetCipherPtr(ciph);
pass = ossl_pem_passwd_value(pass);
}
i = PEM_write_bio_ECPrivateKey(out, ec, cipher, NULL, 0, ossl_pem_passwd_cb, (void *)pass);
} else {
i = PEM_write_bio_EC_PUBKEY(out, ec);
@ -599,12 +601,10 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
* key.export([cipher, pass_phrase]) => String
* key.to_pem([cipher, pass_phrase]) => String
*
* Outputs the EC key in PEM encoding. If +cipher+ and +pass_phrase+ are
* given they will be used to encrypt the key. +cipher+ must be an
* OpenSSL::Cipher::Cipher instance. Note that encryption will only be
* effective for a private key, public keys will always be encoded in plain
* text.
*
* Outputs the EC key in PEM encoding. If +cipher+ and +pass_phrase+ are given
* they will be used to encrypt the key. +cipher+ must be an OpenSSL::Cipher
* instance. Note that encryption will only be effective for a private key,
* public keys will always be encoded in plain text.
*/
static VALUE ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
{
@ -804,21 +804,26 @@ static VALUE ossl_ec_group_alloc(VALUE klass)
return obj;
}
/* call-seq:
* OpenSSL::PKey::EC::Group.new("secp112r1")
* OpenSSL::PKey::EC::Group.new(ec_group)
* OpenSSL::PKey::EC::Group.new(pem_string)
* OpenSSL::PKey::EC::Group.new(der_string)
* OpenSSL::PKey::EC::Group.new(pem_file)
* OpenSSL::PKey::EC::Group.new(der_file)
* OpenSSL::PKey::EC::Group.new(:GFp_simple)
* OpenSSL::PKey::EC::Group.new(:GFp_mult)
* OpenSSL::PKey::EC::Group.new(:GFp_nist)
* OpenSSL::PKey::EC::Group.new(:GF2m_simple)
* OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b)
* OpenSSL::PKey::EC::Group.new(:GF2m, bignum_p, bignum_a, bignum_b)
/*
* call-seq:
* OpenSSL::PKey::EC::Group.new(ec_group)
* OpenSSL::PKey::EC::Group.new(pem_or_der_encoded)
* OpenSSL::PKey::EC::Group.new(ec_method)
* OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b)
* OpenSSL::PKey::EC::Group.new(:GF2m, bignum_p, bignum_a, bignum_b)
*
* See the OpenSSL documentation for EC_GROUP_*
* Creates a new EC::Group object.
*
* +ec_method+ is a symbol that represents an EC_METHOD. Currently the following
* are supported:
*
* * :GFp_simple
* * :GFp_mont
* * :GFp_nist
* * :GF2m_simple
*
* If the first argument is :GFp or :GF2m, creates a new curve with given
* parameters.
*/
static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
{
@ -941,15 +946,18 @@ ossl_ec_group_initialize_copy(VALUE self, VALUE other)
if (!ec_group->group)
ossl_raise(eEC_GROUP, "EC_GROUP_dup");
rb_iv_set(self, "@key", Qnil);
rb_ivar_set(self, id_i_key, Qnil);
return self;
}
/* call-seq:
* group1.eql?(group2) => true | false
* group1 == group2 => true | false
/*
* call-seq:
* group1.eql?(group2) => true | false
* group1 == group2 => true | false
*
* Returns true if the two groups use the same curve and have the same
* parameters, false otherwise.
*/
static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
{
@ -964,10 +972,13 @@ static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
return Qtrue;
}
/* call-seq:
* group.generator => ec_point
/*
* call-seq:
* group.generator => ec_point
*
* See the OpenSSL documentation for EC_GROUP_get0_generator()
* Returns the generator of the group.
*
* See the OpenSSL documentation for EC_GROUP_get0_generator()
*/
static VALUE ossl_ec_group_get_generator(VALUE self)
{
@ -981,10 +992,14 @@ static VALUE ossl_ec_group_get_generator(VALUE self)
return point_obj;
}
/* call-seq:
* group.set_generator(generator, order, cofactor) => self
/*
* call-seq:
* group.set_generator(generator, order, cofactor) => self
*
* See the OpenSSL documentation for EC_GROUP_set_generator()
* Sets the curve parameters. +generator+ must be an instance of EC::Point that
* is on the curve. +order+ and +cofactor+ are integers.
*
* See the OpenSSL documentation for EC_GROUP_set_generator()
*/
static VALUE ossl_ec_group_set_generator(VALUE self, VALUE generator, VALUE order, VALUE cofactor)
{
@ -1003,10 +1018,13 @@ static VALUE ossl_ec_group_set_generator(VALUE self, VALUE generator, VALUE orde
return self;
}
/* call-seq:
* group.get_order => order_bn
/*
* call-seq:
* group.get_order => order_bn
*
* See the OpenSSL documentation for EC_GROUP_get_order()
* Returns the order of the group.
*
* See the OpenSSL documentation for EC_GROUP_get_order()
*/
static VALUE ossl_ec_group_get_order(VALUE self)
{
@ -1025,10 +1043,13 @@ static VALUE ossl_ec_group_get_order(VALUE self)
return bn_obj;
}
/* call-seq:
* group.get_cofactor => cofactor_bn
/*
* call-seq:
* group.get_cofactor => cofactor_bn
*
* See the OpenSSL documentation for EC_GROUP_get_cofactor()
* Returns the cofactor of the group.
*
* See the OpenSSL documentation for EC_GROUP_get_cofactor()
*/
static VALUE ossl_ec_group_get_cofactor(VALUE self)
{
@ -1047,10 +1068,13 @@ static VALUE ossl_ec_group_get_cofactor(VALUE self)
return bn_obj;
}
/* call-seq:
* group.curve_name => String
/*
* call-seq:
* group.curve_name => String
*
* See the OpenSSL documentation for EC_GROUP_get_curve_name()
* Returns the curve name (sn).
*
* See the OpenSSL documentation for EC_GROUP_get_curve_name()
*/
static VALUE ossl_ec_group_get_curve_name(VALUE self)
{
@ -1067,10 +1091,14 @@ static VALUE ossl_ec_group_get_curve_name(VALUE self)
return rb_str_new2(OBJ_nid2sn(nid));
}
/* call-seq:
* EC.builtin_curves => [[name, comment], ...]
/*
* call-seq:
* EC.builtin_curves => [[sn, comment], ...]
*
* See the OpenSSL documentation for EC_builtin_curves()
* Obtains a list of all predefined curves by the OpenSSL. Curve names are
* returned as sn.
*
* See the OpenSSL documentation for EC_get_builtin_curves().
*/
static VALUE ossl_s_builtin_curves(VALUE self)
{
@ -1100,10 +1128,13 @@ static VALUE ossl_s_builtin_curves(VALUE self)
return ret;
}
/* call-seq:
* group.asn1_flag => Fixnum
/*
* call-seq:
* group.asn1_flag -> Integer
*
* See the OpenSSL documentation for EC_GROUP_get_asn1_flag()
* Returns the flags set on the group.
*
* See also #asn1_flag=.
*/
static VALUE ossl_ec_group_get_asn1_flag(VALUE self)
{
@ -1114,13 +1145,22 @@ static VALUE ossl_ec_group_get_asn1_flag(VALUE self)
flag = EC_GROUP_get_asn1_flag(group);
return INT2FIX(flag);
return INT2NUM(flag);
}
/* call-seq:
* group.asn1_flag = Fixnum => Fixnum
/*
* call-seq:
* group.asn1_flag = flags
*
* See the OpenSSL documentation for EC_GROUP_set_asn1_flag()
* Sets flags on the group. The flag value is used to determine how to encode
* the group: encode explicit parameters or named curve using an OID.
*
* The flag value can be either of:
*
* * EC::NAMED_CURVE
* * EC::EXPLICIT_CURVE
*
* See the OpenSSL documentation for EC_GROUP_set_asn1_flag().
*/
static VALUE ossl_ec_group_set_asn1_flag(VALUE self, VALUE flag_v)
{
@ -1133,10 +1173,13 @@ static VALUE ossl_ec_group_set_asn1_flag(VALUE self, VALUE flag_v)
return flag_v;
}
/* call-seq:
* group.point_conversion_form => :uncompressed | :compressed | :hybrid
/*
* call-seq:
* group.point_conversion_form -> Symbol
*
* See the OpenSSL documentation for EC_GROUP_get_point_conversion_form()
* Returns the form how EC::Point data is encoded as ASN.1.
*
* See also #point_conversion_form=.
*/
static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
{
@ -1158,10 +1201,24 @@ static VALUE ossl_ec_group_get_point_conversion_form(VALUE self)
return ID2SYM(ret);
}
/* call-seq:
* group.point_conversion_form = form => form
/*
* call-seq:
* group.point_conversion_form = form
*
* See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
* Sets the form how EC::Point data is encoded as ASN.1 as defined in X9.62.
*
* +format+ can be one of these:
*
* :compressed::
* Encoded as z||x, where z is an octet indicating which solution of the
* equation y is. z will be 0x02 or 0x03.
* :uncompressed::
* Encoded as z||x||y, where z is an octet 0x04.
* :hybrid::
* Encodes as z||x||y, where z is an octet indicating which solution of the
* equation y is. z will be 0x06 or 0x07.
*
* See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
*/
static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
{
@ -1186,10 +1243,11 @@ static VALUE ossl_ec_group_set_point_conversion_form(VALUE self, VALUE form_v)
return form_v;
}
/* call-seq:
* group.seed => String or nil
/*
* call-seq:
* group.seed => String or nil
*
* See the OpenSSL documentation for EC_GROUP_get0_seed()
* See the OpenSSL documentation for EC_GROUP_get0_seed()
*/
static VALUE ossl_ec_group_get_seed(VALUE self)
{
@ -1206,10 +1264,11 @@ static VALUE ossl_ec_group_get_seed(VALUE self)
return rb_str_new((const char *)EC_GROUP_get0_seed(group), seed_len);
}
/* call-seq:
* group.seed = seed => seed
/*
* call-seq:
* group.seed = seed => seed
*
* See the OpenSSL documentation for EC_GROUP_set_seed()
* See the OpenSSL documentation for EC_GROUP_set_seed()
*/
static VALUE ossl_ec_group_set_seed(VALUE self, VALUE seed)
{
@ -1226,10 +1285,11 @@ static VALUE ossl_ec_group_set_seed(VALUE self, VALUE seed)
/* get/set curve GFp, GF2m */
/* call-seq:
* group.degree => Fixnum
/*
* call-seq:
* group.degree => Fixnum
*
* See the OpenSSL documentation for EC_GROUP_get_degree()
* See the OpenSSL documentation for EC_GROUP_get_degree()
*/
static VALUE ossl_ec_group_get_degree(VALUE self)
{
@ -1274,8 +1334,9 @@ static VALUE ossl_ec_group_to_string(VALUE self, int format)
return str;
}
/* call-seq:
* group.to_pem => String
/*
* call-seq:
* group.to_pem => String
*
* See the OpenSSL documentation for PEM_write_bio_ECPKParameters()
*/
@ -1284,20 +1345,22 @@ static VALUE ossl_ec_group_to_pem(VALUE self)
return ossl_ec_group_to_string(self, EXPORT_PEM);
}
/* call-seq:
* group.to_der => String
/*
* call-seq:
* group.to_der => String
*
* See the OpenSSL documentation for i2d_ECPKParameters_bio()
* See the OpenSSL documentation for i2d_ECPKParameters_bio()
*/
static VALUE ossl_ec_group_to_der(VALUE self)
{
return ossl_ec_group_to_string(self, EXPORT_DER);
}
/* call-seq:
* group.to_text => String
/*
* call-seq:
* group.to_text => String
*
* See the OpenSSL documentation for ECPKParameters_print()
* See the OpenSSL documentation for ECPKParameters_print()
*/
static VALUE ossl_ec_group_to_text(VALUE self)
{
@ -1346,12 +1409,12 @@ static VALUE ossl_ec_point_alloc(VALUE klass)
}
/*
* call-seq:
* OpenSSL::PKey::EC::Point.new(point)
* OpenSSL::PKey::EC::Point.new(group)
* OpenSSL::PKey::EC::Point.new(group, bn)
* call-seq:
* OpenSSL::PKey::EC::Point.new(point)
* OpenSSL::PKey::EC::Point.new(group)
* OpenSSL::PKey::EC::Point.new(group, bn)
*
* See the OpenSSL documentation for EC_POINT_*
* See the OpenSSL documentation for EC_POINT_*
*/
static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
{
@ -1370,7 +1433,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
if (rb_obj_is_kind_of(arg1, cEC_POINT)) {
const EC_POINT *arg_point;
group_v = rb_iv_get(arg1, "@group");
group_v = rb_attr_get(arg1, id_i_group);
SafeRequire_EC_GROUP(group_v, group);
SafeRequire_EC_POINT(arg1, arg_point);
@ -1419,7 +1482,7 @@ static VALUE ossl_ec_point_initialize(int argc, VALUE *argv, VALUE self)
ec_point->point = point;
rb_iv_set(self, "@group", group_v);
rb_ivar_set(self, id_i_group, group_v);
return self;
}
@ -1437,29 +1500,28 @@ ossl_ec_point_initialize_copy(VALUE self, VALUE other)
ossl_raise(eEC_POINT, "EC::Point already initialized");
SafeRequire_EC_POINT(other, orig);
group_v = rb_obj_dup(rb_iv_get(other, "@group"));
group_v = rb_obj_dup(rb_attr_get(other, id_i_group));
SafeRequire_EC_GROUP(group_v, group);
ec_point->point = EC_POINT_dup(orig, group);
if (!ec_point->point)
ossl_raise(eEC_POINT, "EC_POINT_dup");
rb_iv_set(self, "@key", Qnil);
rb_iv_set(self, "@group", group_v);
rb_ivar_set(self, id_i_key, Qnil);
rb_ivar_set(self, id_i_group, group_v);
return self;
}
/*
* call-seq:
* point1.eql?(point2) => true | false
* point1 == point2 => true | false
*
* call-seq:
* point1.eql?(point2) => true | false
* point1 == point2 => true | false
*/
static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
{
EC_POINT *point1, *point2;
VALUE group_v1 = rb_iv_get(a, "@group");
VALUE group_v2 = rb_iv_get(b, "@group");
VALUE group_v1 = rb_attr_get(a, id_i_group);
VALUE group_v2 = rb_attr_get(b, id_i_group);
const EC_GROUP *group;
if (ossl_ec_group_eql(group_v1, group_v2) == Qfalse)
@ -1476,14 +1538,13 @@ static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
}
/*
* call-seq:
* point.infinity? => true | false
*
* call-seq:
* point.infinity? => true | false
*/
static VALUE ossl_ec_point_is_at_infinity(VALUE self)
{
EC_POINT *point;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@ -1499,14 +1560,13 @@ static VALUE ossl_ec_point_is_at_infinity(VALUE self)
}
/*
* call-seq:
* point.on_curve? => true | false
*
* call-seq:
* point.on_curve? => true | false
*/
static VALUE ossl_ec_point_is_on_curve(VALUE self)
{
EC_POINT *point;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@ -1522,14 +1582,13 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
}
/*
* call-seq:
* point.make_affine! => self
*
* call-seq:
* point.make_affine! => self
*/
static VALUE ossl_ec_point_make_affine(VALUE self)
{
EC_POINT *point;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@ -1542,14 +1601,13 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
}
/*
* call-seq:
* point.invert! => self
*
* call-seq:
* point.invert! => self
*/
static VALUE ossl_ec_point_invert(VALUE self)
{
EC_POINT *point;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@ -1562,14 +1620,13 @@ static VALUE ossl_ec_point_invert(VALUE self)
}
/*
* call-seq:
* point.set_to_infinity! => self
*
* call-seq:
* point.set_to_infinity! => self
*/
static VALUE ossl_ec_point_set_to_infinity(VALUE self)
{
EC_POINT *point;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
Require_EC_POINT(self, point);
@ -1582,8 +1639,8 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
}
/*
* call-seq:
* point.to_bn => OpenSSL::BN
* call-seq:
* point.to_bn => OpenSSL::BN
*
* See the OpenSSL documentation for EC_POINT_point2bn()
*/
@ -1591,7 +1648,7 @@ static VALUE ossl_ec_point_to_bn(VALUE self)
{
EC_POINT *point;
VALUE bn_obj;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
const EC_GROUP *group;
point_conversion_form_t form;
BIGNUM *bn;
@ -1611,9 +1668,9 @@ static VALUE ossl_ec_point_to_bn(VALUE self)
}
/*
* call-seq:
* point.mul(bn1 [, bn2]) => point
* point.mul(bns, points [, bn2]) => point
* call-seq:
* point.mul(bn1 [, bn2]) => point
* point.mul(bns, points [, bn2]) => point
*
* Performs elliptic curve point multiplication.
*
@ -1631,7 +1688,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
{
EC_POINT *point_self, *point_result;
const EC_GROUP *group;
VALUE group_v = rb_iv_get(self, "@group");
VALUE group_v = rb_attr_get(self, id_i_group);
VALUE arg1, arg2, arg3, result;
const BIGNUM *bn_g = NULL;
@ -1643,11 +1700,11 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
Require_EC_POINT(result, point_result);
rb_scan_args(argc, argv, "12", &arg1, &arg2, &arg3);
if (rb_obj_is_kind_of(arg1, cBN)) {
if (!RB_TYPE_P(arg1, T_ARRAY)) {
BIGNUM *bn = GetBNPtr(arg1);
if (argc >= 2)
bn_g = GetBNPtr(arg2);
if (!NIL_P(arg2))
bn_g = GetBNPtr(arg2);
if (EC_POINT_mul(group, point_result, bn_g, point_self, bn, ossl_bn_ctx) != 1)
ossl_raise(eEC_POINT, NULL);
} else {
@ -1660,9 +1717,8 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
const EC_POINT **points;
const BIGNUM **bignums;
if (!rb_obj_is_kind_of(arg1, rb_cArray) ||
!rb_obj_is_kind_of(arg2, rb_cArray))
ossl_raise(rb_eTypeError, "points must be array");
Check_Type(arg1, T_ARRAY);
Check_Type(arg2, T_ARRAY);
if (RARRAY_LEN(arg1) != RARRAY_LEN(arg2) + 1) /* arg2 must be 1 larger */
ossl_raise(rb_eArgError, "bns must be 1 longer than points; see the documentation");
@ -1676,7 +1732,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
for (i = 0; i < num - 1; i++)
SafeRequire_EC_POINT(RARRAY_AREF(arg2, i), points[i + 1]);
if (argc >= 3)
if (!NIL_P(arg3))
bn_g = GetBNPtr(arg3);
if (EC_POINTs_mul(group, point_result, bn_g, num, points, bignums, ossl_bn_ctx) != 1) {
@ -1694,13 +1750,30 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
void Init_ossl_ec(void)
{
#ifdef DONT_NEED_RDOC_WORKAROUND
mOSSL = rb_define_module("OpenSSL");
#if 0
mPKey = rb_define_module_under(mOSSL, "PKey");
cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
eECError = rb_define_class_under(mPKey, "ECError", ePKeyError);
/*
* Document-class: OpenSSL::PKey::EC
*
* OpenSSL::PKey::EC provides access to Elliptic Curve Digital Signature
* Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH).
*
* === Key exchange
* ec1 = OpenSSL::PKey::EC.generate("prime256v1")
* ec2 = OpenSSL::PKey::EC.generate("prime256v1")
* # ec1 and ec2 have own private key respectively
* shared_key1 = ec1.dh_compute_key(ec2.public_key)
* shared_key2 = ec2.dh_compute_key(ec1.public_key)
*
* p shared_key1 == shared_key2 #=> true
*/
cEC = rb_define_class_under(mPKey, "EC", cPKey);
cEC_GROUP = rb_define_class_under(cEC, "Group", rb_cObject);
cEC_POINT = rb_define_class_under(cEC, "Point", rb_cObject);
@ -1718,7 +1791,10 @@ void Init_ossl_ec(void)
ID_compressed = rb_intern("compressed");
ID_hybrid = rb_intern("hybrid");
rb_define_const(cEC, "NAMED_CURVE", ULONG2NUM(OPENSSL_EC_NAMED_CURVE));
rb_define_const(cEC, "NAMED_CURVE", INT2NUM(OPENSSL_EC_NAMED_CURVE));
#if defined(OPENSSL_EC_EXPLICIT_CURVE)
rb_define_const(cEC, "EXPLICIT_CURVE", INT2NUM(OPENSSL_EC_EXPLICIT_CURVE));
#endif
rb_define_singleton_method(cEC, "builtin_curves", ossl_s_builtin_curves, 0);
@ -1811,6 +1887,9 @@ void Init_ossl_ec(void)
rb_define_method(cEC_POINT, "to_bn", ossl_ec_point_to_bn, 0);
rb_define_method(cEC_POINT, "mul", ossl_ec_point_mul, -1);
id_i_group = rb_intern("@group");
id_i_key = rb_intern("@key");
}
#else /* defined NO_EC */

38
ext/openssl/ossl_pkey_rsa.c
View file

@ -229,8 +229,8 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) {
rsa = RSA_new();
}
else if (FIXNUM_P(arg)) {
rsa = rsa_generate(FIX2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass));
else if (RB_INTEGER_TYPE_P(arg)) {
rsa = rsa_generate(NUM2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass));
if (!rsa) ossl_raise(eRSAError, NULL);
}
else {
@ -335,7 +335,7 @@ ossl_rsa_is_private(VALUE self)
*
* Outputs this keypair in PEM encoding. If +cipher+ and +pass_phrase+ are
* given they will be used to encrypt the key. +cipher+ must be an
* OpenSSL::Cipher::Cipher instance.
* OpenSSL::Cipher instance.
*/
static VALUE
ossl_rsa_export(int argc, VALUE *argv, VALUE self)
@ -383,7 +383,7 @@ static VALUE
ossl_rsa_to_der(VALUE self)
{
RSA *rsa;
int (*i2d_func)_((const RSA*, unsigned char**));
int (*i2d_func)(const RSA *, unsigned char **);
unsigned char *p;
long len;
VALUE str;
@ -392,7 +392,7 @@ ossl_rsa_to_der(VALUE self)
if (RSA_HAS_PRIVATE(rsa))
i2d_func = i2d_RSAPrivateKey;
else
i2d_func = (int (*)(const RSA*, unsigned char**))i2d_RSA_PUBKEY;
i2d_func = (int (*)(const RSA *, unsigned char **))i2d_RSA_PUBKEY;
if((len = i2d_func(rsa, NULL)) <= 0)
ossl_raise(eRSAError, NULL);
str = rb_str_new(0, len);
@ -656,21 +656,45 @@ ossl_rsa_blinding_off(VALUE self)
}
*/
/*
* Document-method: OpenSSL::PKey::RSA#set_key
* call-seq:
* rsa.set_key(n, e, d) -> self
*
* Sets +n+, +e+, +d+ for the RSA instance.
*/
OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d)
/*
* Document-method: OpenSSL::PKey::RSA#set_factors
* call-seq:
* rsa.set_factors(p, q) -> self
*
* Sets +p+, +q+ for the RSA instance.
*/
OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q)
/*
* Document-method: OpenSSL::PKey::RSA#set_crt_params
* call-seq:
* rsa.set_crt_params(dmp1, dmq1, iqmp) -> self
*
* Sets +dmp1+, +dmq1+, +iqmp+ for the RSA instance. They are calculated by
* <tt>d mod (p - 1)</tt>, <tt>d mod (q - 1)</tt> and <tt>q^(-1) mod p</tt>
* respectively.
*/
OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp)
/*
* INIT
*/
#define DefRSAConst(x) rb_define_const(cRSA, #x,INT2FIX(RSA_##x))
#define DefRSAConst(x) rb_define_const(cRSA, #x, INT2NUM(RSA_##x))
void
Init_ossl_rsa(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
mPKey = rb_define_module_under(mOSSL, "PKey");
cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
#endif
/* Document-class: OpenSSL::PKey::RSAError

17
ext/openssl/ossl_rand.c
View file

@ -41,13 +41,13 @@ ossl_rand_seed(VALUE self, VALUE str)
* The +entropy+ argument is (the lower bound of) an estimate of how much
* randomness is contained in +str+, measured in bytes.
*
* Example:
* === Example
*
* pid = $$
* now = Time.now
* ary = [now.to_i, now.nsec, 1000, pid]
* OpenSSL::Random.add(ary.join("").to_s, 0.0)
* OpenSSL::Random.seed(ary.join("").to_s)
* OpenSSL::Random.add(ary.join, 0.0)
* OpenSSL::Random.seed(ary.join)
*/
static VALUE
ossl_rand_add(VALUE self, VALUE str, VALUE entropy)
@ -101,10 +101,10 @@ ossl_rand_write_file(VALUE self, VALUE filename)
* Generates +string+ with +length+ number of cryptographically strong
* pseudo-random bytes.
*
* Example:
* === Example
*
* OpenSSL::Random.random_bytes(12)
* => "..."
* #=> "..."
*/
static VALUE
ossl_rand_bytes(VALUE self, VALUE len)
@ -134,10 +134,10 @@ ossl_rand_bytes(VALUE self, VALUE len)
* Pseudo-random byte sequences generated by ::pseudo_bytes will be unique if
* they are of sufficient length, but are not necessarily unpredictable.
*
* Example:
* === Example
*
* OpenSSL::Random.pseudo_bytes(12)
* => "..."
* #=> "..."
*/
static VALUE
ossl_rand_pseudo_bytes(VALUE self, VALUE len)
@ -214,7 +214,8 @@ void
Init_ossl_rand(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
mRandom = rb_define_module_under(mOSSL, "Random");

204
ext/openssl/ossl_ssl.c
View file

@ -64,18 +64,15 @@ static VALUE eSSLErrorWaitWritable;
#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
#define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback")
#define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
#define ossl_sslctx_get_verify_hostname(o) rb_iv_get((o),"@verify_hostname")
#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
#define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
#define ossl_ssl_set_hostname_v(o,v) rb_iv_set((o),"@hostname",(v))
#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
#define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v))
@ -183,6 +180,9 @@ ossl_sslctx_s_alloc(VALUE klass)
* ctx.ssl_version = :TLSv1
* ctx.ssl_version = "SSLv23_client"
*
* Sets the SSL/TLS protocol version for the context. This forces connections to
* use only the specified protocol version.
*
* You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
*/
static VALUE
@ -225,28 +225,30 @@ ossl_call_client_cert_cb(VALUE obj)
{
VALUE cb, ary, cert, key;
cb = rb_funcall(obj, rb_intern("client_cert_cb"), 0);
if (NIL_P(cb)) return Qfalse;
cb = ossl_sslctx_get_client_cert_cb(ossl_ssl_get_ctx(obj));
if (NIL_P(cb))
return Qnil;
ary = rb_funcall(cb, rb_intern("call"), 1, obj);
Check_Type(ary, T_ARRAY);
GetX509CertPtr(cert = rb_ary_entry(ary, 0));
GetPKeyPtr(key = rb_ary_entry(ary, 1));
ossl_ssl_set_x509(obj, cert);
ossl_ssl_set_key(obj, key);
GetPrivPKeyPtr(key = rb_ary_entry(ary, 1));
return Qtrue;
return rb_ary_new3(2, cert, key);
}
static int
ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
VALUE obj, success;
VALUE obj, ret;
obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
success = rb_protect(ossl_call_client_cert_cb, obj, NULL);
if (!RTEST(success)) return 0;
*x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
*pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
ret = rb_protect(ossl_call_client_cert_cb, obj, NULL);
if (NIL_P(ret))
return 0;
*x509 = DupX509CertPtr(RARRAY_AREF(ret, 0));
*pkey = DupPKeyPtr(RARRAY_AREF(ret, 1));
return 1;
}
@ -275,7 +277,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength));
args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
dh = rb_protect(ossl_call_tmp_dh_callback, args, NULL);
if (!RTEST(dh)) return NULL;
@ -309,7 +311,7 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength));
args = rb_ary_new_from_args(3, rb_ssl, INT2NUM(is_export), INT2NUM(keylength));
ecdh = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL);
if (!RTEST(ecdh)) return NULL;
@ -319,16 +321,50 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
}
#endif
static VALUE
call_verify_certificate_identity(VALUE ctx_v)
{
X509_STORE_CTX *ctx = (X509_STORE_CTX *)ctx_v;
SSL *ssl;
VALUE ssl_obj, hostname, cert_obj;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
hostname = rb_attr_get(ssl_obj, rb_intern("@hostname"));
if (!RTEST(hostname)) {
rb_warning("verify_hostname requires hostname to be set");
return Qtrue;
}
cert_obj = ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
return rb_funcall(mSSL, rb_intern("verify_certificate_identity"), 2,
cert_obj, hostname);
}
static int
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
VALUE cb;
VALUE cb, ssl_obj, verify_hostname, ret;
SSL *ssl;
int status;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
X509_STORE_CTX_set_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx, (void *)cb);
return ossl_verify_cb(preverify_ok, ctx);
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
verify_hostname = ossl_sslctx_get_verify_hostname(ossl_ssl_get_ctx(ssl_obj));
if (preverify_ok && RTEST(verify_hostname) && !SSL_is_server(ssl) &&
!X509_STORE_CTX_get_error_depth(ctx)) {
ret = rb_protect(call_verify_certificate_identity, (VALUE)ctx, &status);
if (status) {
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
return 0;
}
preverify_ok = ret == Qtrue;
}
return ossl_verify_cb_call(cb, preverify_ok, ctx);
}
static VALUE
@ -464,7 +500,7 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
rb_ary_push(ary, sslctx_obj);
rb_ary_push(ary, sess_obj);
rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
rb_protect(ossl_call_session_remove_cb, ary, &state);
if (state) {
/*
the SSL_CTX is frozen, nowhere to save state.
@ -540,7 +576,7 @@ ssl_servername_cb(SSL *ssl, int *ad, void *arg)
rb_ary_push(ary, ssl_obj);
rb_ary_push(ary, rb_str_new2(servername));
rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
rb_protect(ossl_call_servername_cb, ary, &state);
if (state) {
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
return SSL_TLSEXT_ERR_ALERT_FATAL;
@ -624,8 +660,7 @@ ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *out
static int
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
{
VALUE sslctx_obj = (VALUE) arg;
VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
VALUE protocols = (VALUE)arg;
*out = (const unsigned char *) RSTRING_PTR(protocols);
*outlen = RSTRING_LENINT(protocols);
@ -776,7 +811,7 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_cert(self);
cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
val = ossl_sslctx_get_key(self);
key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
if (cert && key) {
if (!SSL_CTX_use_certificate(ctx, cert)) {
/* Adds a ref => Safe to FREE */
@ -835,8 +870,8 @@ ossl_sslctx_setup(VALUE self)
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
val = rb_iv_get(self, "@npn_protocols");
if (!NIL_P(val)) {
rb_iv_set(self, "@_protocols", ssl_encode_npn_protocols(val));
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *) self);
VALUE encoded = ssl_encode_npn_protocols(val);
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
OSSL_Debug("SSL NPN advertise callback added");
}
if (RTEST(rb_iv_get(self, "@npn_select_cb"))) {
@ -903,8 +938,8 @@ ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
rb_ary_push(ary, INT2FIX(bits));
rb_ary_push(ary, INT2FIX(alg_bits));
rb_ary_push(ary, INT2NUM(bits));
rb_ary_push(ary, INT2NUM(alg_bits));
return ary;
}
@ -913,7 +948,7 @@ ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
* call-seq:
* ctx.ciphers => [[name, version, bits, alg_bits], ...]
*
* The list of ciphers configured for this context.
* The list of cipher suites configured for this context.
*/
static VALUE
ossl_sslctx_get_ciphers(VALUE self)
@ -949,11 +984,9 @@ ossl_sslctx_get_ciphers(VALUE self)
* ctx.ciphers = [name, ...]
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
*
* Sets the list of available ciphers for this context. Note in a server
* Sets the list of available cipher suites for this context. Note in a server
* context some ciphers require the appropriate certificates. For example, an
* RSA cipher can only be chosen when an RSA certificate is available.
*
* See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
* RSA cipher suite can only be chosen when an RSA certificate is available.
*/
static VALUE
ossl_sslctx_set_ciphers(VALUE self, VALUE v)
@ -1056,7 +1089,11 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
if (!ec)
ossl_raise(eSSLError, NULL);
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
SSL_CTX_set_tmp_ecdh(ctx, ec);
if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
EC_KEY_free(ec);
ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
}
EC_KEY_free(ec);
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
/* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
* is enabled. So disable ecdh_auto. */
@ -1088,7 +1125,7 @@ ossl_sslctx_get_security_level(VALUE self)
GetSSLCTX(self, ctx);
#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
return INT2FIX(SSL_CTX_get_security_level(ctx));
return INT2NUM(SSL_CTX_get_security_level(ctx));
#else
(void)ctx;
return INT2FIX(0);
@ -1097,7 +1134,7 @@ ossl_sslctx_get_security_level(VALUE self)
/*
* call-seq:
* ctx.security_level=(integer) -> Integer
* ctx.security_level = integer
*
* Sets the security level for the context. OpenSSL limits parameters according
* to the level. The "parameters" include: ciphersuites, curves, key sizes,
@ -1138,7 +1175,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value)
* call-seq:
* ctx.session_add(session) -> true | false
*
* Adds +session+ to the session cache
* Adds +session+ to the session cache.
*/
static VALUE
ossl_sslctx_session_add(VALUE self, VALUE arg)
@ -1156,7 +1193,7 @@ ossl_sslctx_session_add(VALUE self, VALUE arg)
* call-seq:
* ctx.session_remove(session) -> true | false
*
* Removes +session+ from the session cache
* Removes +session+ from the session cache.
*/
static VALUE
ossl_sslctx_session_remove(VALUE self, VALUE arg)
@ -1374,7 +1411,7 @@ ossl_ssl_s_alloc(VALUE klass)
* SSLSocket.new(io) => aSSLSocket
* SSLSocket.new(io, ctx) => aSSLSocket
*
* Creates a new SSL socket from +io+ which must be a real ruby object (not an
* Creates a new SSL socket from +io+ which must be a real IO object (not an
* IO-like object that responds to read/write).
*
* If +ctx+ is provided the SSL Sockets initial params will be taken from
@ -1950,7 +1987,8 @@ ossl_ssl_get_cipher(VALUE self)
* call-seq:
* ssl.state => string
*
* A description of the current connection state.
* A description of the current connection state. This is for diagnostic
* purposes only.
*/
static VALUE
ossl_ssl_get_state(VALUE self)
@ -1972,7 +2010,7 @@ ossl_ssl_get_state(VALUE self)
* call-seq:
* ssl.pending => Integer
*
* The number of bytes that are immediately available for reading
* The number of bytes that are immediately available for reading.
*/
static VALUE
ossl_ssl_pending(VALUE self)
@ -2021,6 +2059,7 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
return arg1;
}
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
/*
* call-seq:
* ssl.hostname = hostname -> hostname
@ -2028,7 +2067,6 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
* Sets the server hostname used for SNI. This needs to be set before
* SSLSocket#connect.
*/
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
static VALUE
ossl_ssl_set_hostname(VALUE self, VALUE arg)
{
@ -2066,7 +2104,7 @@ ossl_ssl_get_verify_result(VALUE self)
GetSSL(self, ssl);
return INT2FIX(SSL_get_verify_result(ssl));
return INT2NUM(SSL_get_verify_result(ssl));
}
/*
@ -2095,7 +2133,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
# ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
/*
* call-seq:
* ssl.npn_protocol => String
* ssl.npn_protocol => String | nil
*
* Returns the protocol string that was finally selected by the client
* during the handshake.
@ -2120,9 +2158,9 @@ ossl_ssl_npn_protocol(VALUE self)
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* call-seq:
* ssl.alpn_protocol => String
* ssl.alpn_protocol => String | nil
*
* Returns the ALPN protocol string that was finally selected by the client
* Returns the ALPN protocol string that was finally selected by the server
* during the handshake.
*/
static VALUE
@ -2147,7 +2185,7 @@ ossl_ssl_alpn_protocol(VALUE self)
* call-seq:
* ssl.tmp_key => PKey or nil
*
* Returns the ephemeral key used in case of forward secrecy cipher
* Returns the ephemeral key used in case of forward secrecy cipher.
*/
static VALUE
ossl_ssl_tmp_key(VALUE self)
@ -2170,7 +2208,10 @@ Init_ossl_ssl(void)
VALUE ary;
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
rb_mWaitReadable = rb_define_module_under(rb_cIO, "WaitReadable");
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
#endif
ID_callback_state = rb_intern("@callback_state");
@ -2218,14 +2259,10 @@ Init_ossl_ssl(void)
*
* All attributes must be set before creating an SSLSocket as the
* SSLContext will be frozen afterward.
*
* The following attributes are available but don't show up in rdoc:
* * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
* * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
* * session_id_context, session_add_cb, session_new_cb, session_remove_cb
*/
cSSLContext = rb_define_class_under(mSSL, "SSLContext", rb_cObject);
rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);
rb_undef_method(cSSLContext, "initialize_copy");
/*
* Context certificate
@ -2255,7 +2292,7 @@ Init_ossl_ssl(void)
rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
/*
* Maximum session lifetime.
* Maximum session lifetime in seconds.
*/
rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
@ -2264,6 +2301,11 @@ Init_ossl_ssl(void)
*
* Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
* VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
*
* The default mode is VERIFY_NONE, which does not perform any verification
* at all.
*
* See SSL_CTX_set_verify(3) for details.
*/
rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
@ -2281,12 +2323,21 @@ Init_ossl_ssl(void)
* +store_context+ is an OpenSSL::X509::StoreContext containing the
* context used for certificate verification.
*
* If the callback returns false verification is stopped.
* If the callback returns false, the chain verification is immediately
* stopped and a bad_certificate alert is then sent.
*/
rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
/*
* An OpenSSL::X509::Store used for certificate verification
* Whether to check the server certificate is valid for the hostname.
*
* In order to make this work, verify_mode must be set to VERIFY_PEER and
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
*/
rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
/*
* An OpenSSL::X509::Store used for certificate verification.
*/
rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
@ -2410,7 +2461,7 @@ Init_ossl_ssl(void)
* === Example
*
* ctx.npn_select_cb = lambda do |protocols|
* #inspect the protocols and select one
* # inspect the protocols and select one
* protocols.first
* end
*/
@ -2420,10 +2471,10 @@ Init_ossl_ssl(void)
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* An Enumerable of Strings. Each String represents a protocol to be
* advertised as the list of supported protocols for Application-Layer Protocol
* Negotiation. Supported in OpenSSL 1.0.1 and higher. Has no effect
* on the client side. If not set explicitly, the NPN extension will
* not be sent by the server in the handshake.
* advertised as the list of supported protocols for Application-Layer
* Protocol Negotiation. Supported in OpenSSL 1.0.2 and higher. Has no
* effect on the server side. If not set explicitly, the ALPN extension will
* not be included in the handshake.
*
* === Example
*
@ -2433,16 +2484,16 @@ Init_ossl_ssl(void)
/*
* A callback invoked on the server side when the server needs to select
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
* and higher. The server MUST select a protocol of those advertised by
* and higher. The callback must return a protocol of those advertised by
* the client. If none is acceptable, raising an error in the callback
* will cause the handshake to fail. Not setting this callback explicitly
* means not supporting the ALPN extension on the client - any protocols
* advertised by the server will be ignored.
* means not supporting the ALPN extension on the server - any protocols
* advertised by the client will be ignored.
*
* === Example
*
* ctx.alpn_select_cb = lambda do |protocols|
* #inspect the protocols and select one
* # inspect the protocols and select one
* protocols.first
* end
*/
@ -2463,22 +2514,22 @@ Init_ossl_ssl(void)
/*
* No session caching for client or server
*/
rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2NUM(SSL_SESS_CACHE_OFF));
/*
* Client sessions are added to the session cache
*/
rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2NUM(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
/*
* Server sessions are added to the session cache
*/
rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2NUM(SSL_SESS_CACHE_SERVER));
/*
* Both client and server sessions are added to the session cache
*/
rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2NUM(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
/*
* Normally the session cache is checked for expired sessions every 255
@ -2486,7 +2537,7 @@ Init_ossl_ssl(void)
* the automatic flushing may be disabled and #flush_sessions can be
* called explicitly.
*/
rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2NUM(SSL_SESS_CACHE_NO_AUTO_CLEAR));
/*
* Always perform external lookups of sessions even if they are in the
@ -2494,18 +2545,18 @@ Init_ossl_ssl(void)
*
* This flag has no effect on clients
*/
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
/*
* Never automatically store sessions in the internal store.
*/
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_STORE));
/*
* Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
* SESSION_CACHE_NO_INTERNAL_STORE.
*/
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL));
rb_define_method(cSSLContext, "session_add", ossl_sslctx_session_add, 1);
rb_define_method(cSSLContext, "session_remove", ossl_sslctx_session_remove, 1);
@ -2528,10 +2579,6 @@ Init_ossl_ssl(void)
/*
* Document-class: OpenSSL::SSL::SSLSocket
*
* The following attributes are available but don't show up in rdoc.
* * io, context, sync_close
*
*/
cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
#ifdef OPENSSL_NO_SOCK
@ -2541,6 +2588,7 @@ Init_ossl_ssl(void)
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
rb_undef_method(cSSLSocket, "initialize_copy");
rb_define_method(cSSLSocket, "connect", ossl_ssl_connect, 0);
rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, -1);
rb_define_method(cSSLSocket, "accept", ossl_ssl_accept, 0);

76
ext/openssl/ossl_ssl_session.c
View file

@ -28,12 +28,12 @@ static VALUE ossl_ssl_session_alloc(VALUE klass)
/*
* call-seq:
* Session.new(SSLSocket | string) => session
* Session.new(ssl_socket) -> Session
* Session.new(string) -> Session
*
* === Parameters
* +SSLSocket+ is an OpenSSL::SSL::SSLSocket
* +string+ must be a DER or PEM encoded Session.
*/
* Creates a new Session object from an instance of SSLSocket or DER/PEM encoded
* String.
*/
static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
{
SSL_SESSION *ctx = NULL;
@ -73,6 +73,26 @@ static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
return self;
}
static VALUE
ossl_ssl_session_initialize_copy(VALUE self, VALUE other)
{
SSL_SESSION *sess, *sess_other, *sess_new;
rb_check_frozen(self);
sess = RTYPEDDATA_DATA(self); /* XXX */
SafeGetSSLSession(other, sess_other);
sess_new = ASN1_dup((i2d_of_void *)i2d_SSL_SESSION, (d2i_of_void *)d2i_SSL_SESSION,
(char *)sess_other);
if (!sess_new)
ossl_raise(eSSLSession, "ASN1_dup");
RTYPEDDATA_DATA(self) = sess_new;
SSL_SESSION_free(sess);
return self;
}
#if HAVE_SSL_SESSION_CMP == 0
int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
{
@ -98,9 +118,10 @@ int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
/*
* call-seq:
* session1 == session2 -> boolean
* session1 == session2 -> boolean
*
*/
* Returns true if the two Session is the same, false if not.
*/
static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
{
SSL_SESSION *ctx1, *ctx2;
@ -118,9 +139,8 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
* call-seq:
* session.time -> Time
*
* Gets start time of the session.
*
*/
* Returns the time at which the session was established.
*/
static VALUE ossl_ssl_session_get_time(VALUE self)
{
SSL_SESSION *ctx;
@ -138,11 +158,12 @@ static VALUE ossl_ssl_session_get_time(VALUE self)
/*
* call-seq:
* session.timeout -> integer
* session.timeout -> Integer
*
* Gets how long until the session expires in seconds.
* Returns the timeout value set for the session, in seconds from the
* established time.
*
*/
*/
static VALUE ossl_ssl_session_get_timeout(VALUE self)
{
SSL_SESSION *ctx;
@ -157,12 +178,12 @@ static VALUE ossl_ssl_session_get_timeout(VALUE self)
/*
* call-seq:
* session.time=(Time) -> Time
* session.time=(integer) -> Time
* session.time = time
* session.time = integer
*
* Sets start time of the session. Time resolution is in seconds.
*
*/
*/
static VALUE ossl_ssl_session_set_time(VALUE self, VALUE time_v)
{
SSL_SESSION *ctx;
@ -179,11 +200,10 @@ static VALUE ossl_ssl_session_set_time(VALUE self, VALUE time_v)
/*
* call-seq:
* session.timeout=(integer) -> integer
* session.timeout = integer
*
* Sets how long until the session expires in seconds.
*
*/
*/
static VALUE ossl_ssl_session_set_timeout(VALUE self, VALUE time_v)
{
SSL_SESSION *ctx;
@ -197,7 +217,7 @@ static VALUE ossl_ssl_session_set_timeout(VALUE self, VALUE time_v)
/*
* call-seq:
* session.id -> aString
* session.id -> String
*
* Returns the Session ID.
*/
@ -216,10 +236,10 @@ static VALUE ossl_ssl_session_get_id(VALUE self)
/*
* call-seq:
* session.to_der -> aString
* session.to_der -> String
*
* Returns an ASN1 encoded String that contains the Session object.
*/
*/
static VALUE ossl_ssl_session_to_der(VALUE self)
{
SSL_SESSION *ctx;
@ -245,7 +265,7 @@ static VALUE ossl_ssl_session_to_der(VALUE self)
* session.to_pem -> String
*
* Returns a PEM encoded String that contains the Session object.
*/
*/
static VALUE ossl_ssl_session_to_pem(VALUE self)
{
SSL_SESSION *ctx;
@ -277,8 +297,8 @@ static VALUE ossl_ssl_session_to_pem(VALUE self)
* call-seq:
* session.to_text -> String
*
* Shows everything in the Session object.
*/
* Shows everything in the Session object. This is for diagnostic purposes.
*/
static VALUE ossl_ssl_session_to_text(VALUE self)
{
SSL_SESSION *ctx;
@ -308,14 +328,16 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
void Init_ossl_ssl_session(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mSSL = rb_define_module_under(mOSSL, "SSL");
mOSSL = rb_define_module("OpenSSL");
mSSL = rb_define_module_under(mOSSL, "SSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
rb_define_alloc_func(cSSLSession, ossl_ssl_session_alloc);
rb_define_method(cSSLSession, "initialize", ossl_ssl_session_initialize, 1);
rb_define_copy_func(cSSLSession, ossl_ssl_session_initialize_copy);
rb_define_method(cSSLSession, "==", ossl_ssl_session_eq, 1);

2
ext/openssl/ossl_version.h
View file

@ -10,6 +10,6 @@
#if !defined(_OSSL_VERSION_H_)
#define _OSSL_VERSION_H_
#define OSSL_VERSION "1.1.0"
#define OSSL_VERSION "2.0.0"
#endif /* _OSSL_VERSION_H_ */

80
ext/openssl/ossl_x509.c
View file

@ -11,7 +11,7 @@
VALUE mX509;
#define DefX509Const(x) rb_define_const(mX509, #x,INT2FIX(X509_##x))
#define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
#define DefX509Default(x,i) \
rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
@ -34,6 +34,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
void
Init_ossl_x509(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
#endif
mX509 = rb_define_module_under(mOSSL, "X509");
Init_ossl_x509attr();
@ -79,17 +83,88 @@ Init_ossl_x509(void)
DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
DefX509Const(V_ERR_APPLICATION_VERIFICATION);
/* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
* certificate chain leaf. */
DefX509Const(V_FLAG_CRL_CHECK);
/* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for all
* certificates in the certificate chain */
DefX509Const(V_FLAG_CRL_CHECK_ALL);
/* Set by Store#flags= and StoreContext#flags=. Disables critical extension
* checking. */
DefX509Const(V_FLAG_IGNORE_CRITICAL);
/* Set by Store#flags= and StoreContext#flags=. Disables workarounds for
* broken certificates. */
DefX509Const(V_FLAG_X509_STRICT);
/* Set by Store#flags= and StoreContext#flags=. Enables proxy certificate
* verification. */
DefX509Const(V_FLAG_ALLOW_PROXY_CERTS);
/* Set by Store#flags= and StoreContext#flags=. Enables certificate policy
* constraints checking. */
DefX509Const(V_FLAG_POLICY_CHECK);
/* Set by Store#flags= and StoreContext#flags=.
* Implies V_FLAG_POLICY_CHECK */
DefX509Const(V_FLAG_EXPLICIT_POLICY);
/* Set by Store#flags= and StoreContext#flags=.
* Implies V_FLAG_POLICY_CHECK */
DefX509Const(V_FLAG_INHIBIT_ANY);
/* Set by Store#flags= and StoreContext#flags=.
* Implies V_FLAG_POLICY_CHECK */
DefX509Const(V_FLAG_INHIBIT_MAP);
/* Set by Store#flags= and StoreContext#flags=. */
DefX509Const(V_FLAG_NOTIFY_POLICY);
#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT)
/* Set by Store#flags= and StoreContext#flags=. Enables some additional
* features including support for indirect signed CRLs. */
DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
#endif
#if defined(X509_V_FLAG_USE_DELTAS)
/* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
* specified, deltas are ignored. */
DefX509Const(V_FLAG_USE_DELTAS);
#endif
#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE)
/* Set by Store#flags= and StoreContext#flags=. Enables checking of the
* signature of the root self-signed CA. */
DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
#endif
#if defined(X509_V_FLAG_TRUSTED_FIRST)
/* Set by Store#flags= and StoreContext#flags=. When constructing a
* certificate chain, search the Store first for the issuer certificate.
* Enabled by default in OpenSSL >= 1.1.0. */
DefX509Const(V_FLAG_TRUSTED_FIRST);
#endif
#if defined(X509_V_FLAG_NO_ALT_CHAINS)
/* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
* a alternative chain. No effect in OpenSSL >= 1.1.0. */
DefX509Const(V_FLAG_NO_ALT_CHAINS);
#endif
#if defined(X509_V_FLAG_NO_CHECK_TIME)
/* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
* validity period of certificates and CRLs. No effect when the current
* time is explicitly set by Store#time= or StoreContext#time=. */
DefX509Const(V_FLAG_NO_CHECK_TIME);
#endif
/* Set by Store#purpose=. SSL/TLS client. */
DefX509Const(PURPOSE_SSL_CLIENT);
/* Set by Store#purpose=. SSL/TLS server. */
DefX509Const(PURPOSE_SSL_SERVER);
/* Set by Store#purpose=. Netscape SSL server. */
DefX509Const(PURPOSE_NS_SSL_SERVER);
/* Set by Store#purpose=. S/MIME signing. */
DefX509Const(PURPOSE_SMIME_SIGN);
/* Set by Store#purpose=. S/MIME encryption. */
DefX509Const(PURPOSE_SMIME_ENCRYPT);
/* Set by Store#purpose=. CRL signing */
DefX509Const(PURPOSE_CRL_SIGN);
/* Set by Store#purpose=. No checks. */
DefX509Const(PURPOSE_ANY);
/* Set by Store#purpose=. OCSP helper. */
DefX509Const(PURPOSE_OCSP_HELPER);
#if defined(X509_PURPOSE_TIMESTAMP_SIGN)
/* Set by Store#purpose=. Time stamps signer. */
DefX509Const(PURPOSE_TIMESTAMP_SIGN);
#endif
DefX509Const(TRUST_COMPAT);
DefX509Const(TRUST_SSL_CLIENT);
@ -98,6 +173,9 @@ Init_ossl_x509(void)
DefX509Const(TRUST_OBJECT_SIGN);
DefX509Const(TRUST_OCSP_SIGN);
DefX509Const(TRUST_OCSP_REQUEST);
#if defined(X509_TRUST_TSA)
DefX509Const(TRUST_TSA);
#endif
DefX509Default(CERT_AREA, cert_area);
DefX509Default(CERT_DIR, cert_dir);

3
ext/openssl/ossl_x509.h
View file

@ -31,7 +31,7 @@ extern VALUE cX509Attr;
extern VALUE eX509AttrError;
VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
X509_ATTRIBUTE *DupX509AttrPtr(VALUE);
X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
void Init_ossl_x509attr(void);
/*
@ -66,7 +66,6 @@ extern VALUE eX509ExtError;
VALUE ossl_x509ext_new(X509_EXTENSION *);
X509_EXTENSION *GetX509ExtPtr(VALUE);
X509_EXTENSION *DupX509ExtPtr(VALUE);
void Init_ossl_x509ext(void);
/*

44
ext/openssl/ossl_x509attr.c
View file

@ -72,16 +72,13 @@ ossl_x509attr_new(X509_ATTRIBUTE *attr)
}
X509_ATTRIBUTE *
DupX509AttrPtr(VALUE obj)
GetX509AttrPtr(VALUE obj)
{
X509_ATTRIBUTE *attr, *new;
X509_ATTRIBUTE *attr;
SafeGetX509Attr(obj, attr);
if (!(new = X509_ATTRIBUTE_dup(attr))) {
ossl_raise(eX509AttrError, NULL);
}
return new;
return attr;
}
/*
@ -130,6 +127,25 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
static VALUE
ossl_x509attr_initialize_copy(VALUE self, VALUE other)
{
X509_ATTRIBUTE *attr, *attr_other, *attr_new;
rb_check_frozen(self);
GetX509Attr(self, attr);
SafeGetX509Attr(other, attr_other);
attr_new = X509_ATTRIBUTE_dup(attr_other);
if (!attr_new)
ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
SetX509Attr(self, attr_new);
X509_ATTRIBUTE_free(attr);
return self;
}
/*
* call-seq:
* attr.oid = string => string
@ -141,12 +157,15 @@ ossl_x509attr_set_oid(VALUE self, VALUE oid)
ASN1_OBJECT *obj;
char *s;
GetX509Attr(self, attr);
s = StringValueCStr(oid);
obj = OBJ_txt2obj(s, 0);
if(!obj) obj = OBJ_txt2obj(s, 1);
if(!obj) ossl_raise(eX509AttrError, NULL);
GetX509Attr(self, attr);
X509_ATTRIBUTE_set1_object(attr, obj);
if (!X509_ATTRIBUTE_set1_object(attr, obj)) {
ASN1_OBJECT_free(obj);
ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
}
ASN1_OBJECT_free(obj);
return oid;
}
@ -289,11 +308,18 @@ ossl_x509attr_to_der(VALUE self)
void
Init_ossl_x509attr(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
eX509AttrError = rb_define_class_under(mX509, "AttributeError", eOSSLError);
cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject);
rb_define_alloc_func(cX509Attr, ossl_x509attr_alloc);
rb_define_method(cX509Attr, "initialize", ossl_x509attr_initialize, -1);
rb_define_copy_func(cX509Attr, ossl_x509attr_initialize_copy);
rb_define_method(cX509Attr, "oid=", ossl_x509attr_set_oid, 1);
rb_define_method(cX509Attr, "oid", ossl_x509attr_get_oid, 0);
rb_define_method(cX509Attr, "value=", ossl_x509attr_set_value, 1);

41
ext/openssl/ossl_x509cert.c
View file

@ -456,10 +456,10 @@ static VALUE
ossl_x509_get_not_before(VALUE self)
{
X509 *x509;
ASN1_UTCTIME *asn1time;
const ASN1_TIME *asn1time;
GetX509(self, x509);
if (!(asn1time = X509_get_notBefore(x509))) { /* NO DUP - don't free! */
if (!(asn1time = X509_get0_notBefore(x509))) {
ossl_raise(eX509CertError, NULL);
}
@ -474,10 +474,15 @@ static VALUE
ossl_x509_set_not_before(VALUE self, VALUE time)
{
X509 *x509;
ASN1_TIME *asn1time;
GetX509(self, x509);
if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
ossl_raise(eX509CertError, NULL);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_set_notBefore(x509, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509CertError, "X509_set_notBefore");
}
ASN1_TIME_free(asn1time);
return time;
}
@ -490,10 +495,10 @@ static VALUE
ossl_x509_get_not_after(VALUE self)
{
X509 *x509;
ASN1_TIME *asn1time;
const ASN1_TIME *asn1time;
GetX509(self, x509);
if (!(asn1time = X509_get_notAfter(x509))) { /* NO DUP - don't free! */
if (!(asn1time = X509_get0_notAfter(x509))) {
ossl_raise(eX509CertError, NULL);
}
@ -508,10 +513,15 @@ static VALUE
ossl_x509_set_not_after(VALUE self, VALUE time)
{
X509 *x509;
ASN1_TIME *asn1time;
GetX509(self, x509);
if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
ossl_raise(eX509CertError, NULL);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_set_notAfter(x509, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509CertError, "X509_set_notAfter");
}
ASN1_TIME_free(asn1time);
return time;
}
@ -667,13 +677,10 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
while ((ext = X509_delete_ext(x509, 0)))
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
ossl_raise(eX509CertError, NULL);
}
X509_EXTENSION_free(ext);
}
return ary;
@ -690,12 +697,10 @@ ossl_x509_add_extension(VALUE self, VALUE extension)
X509_EXTENSION *ext;
GetX509(self, x509);
ext = DupX509ExtPtr(extension);
ext = GetX509ExtPtr(extension);
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ossl_raise(eX509CertError, NULL);
}
X509_EXTENSION_free(ext);
return extension;
}
@ -720,9 +725,9 @@ ossl_x509_inspect(VALUE self)
void
Init_ossl_x509cert(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif

65
ext/openssl/ossl_x509crl.c
View file

@ -180,7 +180,7 @@ static VALUE
ossl_x509crl_get_signature_algorithm(VALUE self)
{
X509_CRL *crl;
X509_ALGOR *alg;
const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@ -189,7 +189,7 @@ ossl_x509crl_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509CRLError, NULL);
}
X509_CRL_get0_signature(NULL, &alg, crl);
X509_CRL_get0_signature(crl, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509CRLError, NULL);
@ -230,17 +230,22 @@ ossl_x509crl_get_last_update(VALUE self)
GetX509CRL(self, crl);
return asn1time_to_time(X509_CRL_get_lastUpdate(crl));
return asn1time_to_time(X509_CRL_get0_lastUpdate(crl));
}
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
X509_CRL *crl;
ASN1_TIME *asn1time;
GetX509CRL(self, crl);
if (!ossl_x509_time_adjust(X509_CRL_get_lastUpdate(crl), time))
ossl_raise(eX509CRLError, NULL);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_CRL_set_lastUpdate(crl, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate");
}
ASN1_TIME_free(asn1time);
return time;
}
@ -252,28 +257,22 @@ ossl_x509crl_get_next_update(VALUE self)
GetX509CRL(self, crl);
return asn1time_to_time(X509_CRL_get_nextUpdate(crl));
return asn1time_to_time(X509_CRL_get0_nextUpdate(crl));
}
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
ASN1_TIME *orig, *new;
ASN1_TIME *asn1time;
GetX509CRL(self, crl);
/* orig may be NULL at this time; in this case a new ASN1_TIME is created */
orig = X509_CRL_get_nextUpdate(crl);
new = ossl_x509_time_adjust(orig, time);
if (!X509_CRL_set_nextUpdate(crl, new)) {
if (!orig)
ASN1_TIME_free(new);
ossl_raise(eX509CRLError, NULL);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
}
/* X509_CRL_set_nextUpdate() dups when orig != new */
if (!orig)
ASN1_TIME_free(new);
ASN1_TIME_free(asn1time);
return time;
}
@ -308,6 +307,7 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_REVOKED *rev;
STACK_OF(X509_REVOKED) *sk;
long i;
Check_Type(ary, T_ARRAY);
@ -316,11 +316,15 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
}
GetX509CRL(self, crl);
sk_X509_REVOKED_pop_free(X509_CRL_get_REVOKED(crl), X509_REVOKED_free);
if ((sk = X509_CRL_get_REVOKED(crl))) {
while ((rev = sk_X509_REVOKED_pop(sk)))
X509_REVOKED_free(rev);
}
for (i=0; i<RARRAY_LEN(ary); i++) {
rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
ossl_raise(eX509CRLError, NULL);
X509_REVOKED_free(rev);
ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
}
X509_CRL_sort(crl);
@ -337,7 +341,8 @@ ossl_x509crl_add_revoked(VALUE self, VALUE revoked)
GetX509CRL(self, crl);
rev = DupX509RevokedPtr(revoked);
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
ossl_raise(eX509CRLError, NULL);
X509_REVOKED_free(rev);
ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
X509_CRL_sort(crl);
@ -492,12 +497,10 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
while ((ext = X509_CRL_delete_ext(crl, 0)))
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
if (!X509_CRL_add_ext(crl, ext, -1)) {
ossl_raise(eX509CRLError, NULL);
}
X509_EXTENSION_free(ext);
}
return ary;
@ -510,12 +513,10 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
X509_EXTENSION *ext;
GetX509CRL(self, crl);
ext = DupX509ExtPtr(extension);
if (!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
X509_EXTENSION_free(ext);
ext = GetX509ExtPtr(extension);
if (!X509_CRL_add_ext(crl, ext, -1)) {
ossl_raise(eX509CRLError, NULL);
}
X509_EXTENSION_free(ext);
return extension;
}
@ -526,6 +527,12 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
void
Init_ossl_x509crl(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
eX509CRLError = rb_define_class_under(mX509, "CRLError", eOSSLError);
cX509CRL = rb_define_class_under(mX509, "CRL", rb_cObject);

100
ext/openssl/ossl_x509ext.c
View file

@ -95,19 +95,6 @@ GetX509ExtPtr(VALUE obj)
return ext;
}
X509_EXTENSION *
DupX509ExtPtr(VALUE obj)
{
X509_EXTENSION *ext, *new;
SafeGetX509Ext(obj, ext);
if (!(new = X509_EXTENSION_dup(ext))) {
ossl_raise(eX509ExtError, NULL);
}
return new;
}
/*
* Private
*/
@ -188,20 +175,6 @@ ossl_x509extfactory_set_crl(VALUE self, VALUE crl)
return crl;
}
static VALUE
ossl_x509extfactory_set_config(VALUE self, VALUE config)
{
X509V3_CTX *ctx;
CONF *conf;
GetX509ExtFactory(self, ctx);
rb_iv_set(self, "@config", config);
conf = GetConfigPtr(config); /* NO DUP NEEDED */
X509V3_set_nconf(ctx, conf);
return config;
}
static VALUE
ossl_x509extfactory_initialize(int argc, VALUE *argv, VALUE self)
{
@ -225,12 +198,11 @@ ossl_x509extfactory_initialize(int argc, VALUE *argv, VALUE self)
}
/*
* Array to X509_EXTENSION
* Structure:
* ["ln", "value", bool_critical] or
* ["sn", "value", bool_critical] or
* ["ln", "critical,value"] or the same for sn
* ["ln", "value"] => not critical
* call-seq:
* ef.create_ext(ln_or_sn, "value", critical = false) -> X509::Extension
* ef.create_ext(ln_or_sn, "critical,value") -> X509::Extension
*
* Creates a new X509::Extension with passed values. See also x509v3_config(5).
*/
static VALUE
ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
@ -258,8 +230,11 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
GetX509ExtFactory(self, ctx);
obj = NewX509Ext(cX509Ext);
rconf = rb_iv_get(self, "@config");
conf = NIL_P(rconf) ? NULL : GetConfigPtr(rconf);
conf = NIL_P(rconf) ? NULL : DupConfigPtr(rconf);
X509V3_set_nconf(ctx, conf);
ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
X509V3_set_ctx_nodb(ctx);
NCONF_free(conf);
if (!ext){
ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);
}
@ -323,19 +298,40 @@ ossl_x509ext_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
static VALUE
ossl_x509ext_initialize_copy(VALUE self, VALUE other)
{
X509_EXTENSION *ext, *ext_other, *ext_new;
rb_check_frozen(self);
GetX509Ext(self, ext);
SafeGetX509Ext(other, ext_other);
ext_new = X509_EXTENSION_dup(ext_other);
if (!ext_new)
ossl_raise(eX509ExtError, "X509_EXTENSION_dup");
SetX509Ext(self, ext_new);
X509_EXTENSION_free(ext);
return self;
}
static VALUE
ossl_x509ext_set_oid(VALUE self, VALUE oid)
{
X509_EXTENSION *ext;
ASN1_OBJECT *obj;
char *s;
s = StringValueCStr(oid);
obj = OBJ_txt2obj(s, 0);
if(!obj) obj = OBJ_txt2obj(s, 1);
if(!obj) ossl_raise(eX509ExtError, NULL);
GetX509Ext(self, ext);
X509_EXTENSION_set_object(ext, obj);
obj = OBJ_txt2obj(StringValueCStr(oid), 0);
if (!obj)
ossl_raise(eX509ExtError, "OBJ_txt2obj");
if (!X509_EXTENSION_set_object(ext, obj)) {
ASN1_OBJECT_free(obj);
ossl_raise(eX509ExtError, "X509_EXTENSION_set_object");
}
ASN1_OBJECT_free(obj);
return oid;
}
@ -346,17 +342,15 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
X509_EXTENSION *ext;
ASN1_OCTET_STRING *asn1s;
GetX509Ext(self, ext);
data = ossl_to_der_if_possible(data);
StringValue(data);
if(!(asn1s = ASN1_OCTET_STRING_new())){
ossl_raise(eX509ExtError, NULL);
asn1s = X509_EXTENSION_get_data(ext);
if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
RSTRING_LENINT(data))) {
ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
}
if(!ASN1_STRING_set((ASN1_STRING *)asn1s, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data))){
ASN1_OCTET_STRING_free(asn1s);
ossl_raise(eX509ExtError, NULL);
}
GetX509Ext(self, ext);
X509_EXTENSION_set_data(ext, asn1s);
return data;
}
@ -447,6 +441,12 @@ ossl_x509ext_to_der(VALUE obj)
void
Init_ossl_x509ext(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
eX509ExtError = rb_define_class_under(mX509, "ExtensionError", eOSSLError);
cX509ExtFactory = rb_define_class_under(mX509, "ExtensionFactory", rb_cObject);
@ -458,18 +458,18 @@ Init_ossl_x509ext(void)
rb_attr(cX509ExtFactory, rb_intern("subject_certificate"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("subject_request"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("crl"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("config"), 1, 0, Qfalse);
rb_attr(cX509ExtFactory, rb_intern("config"), 1, 1, Qfalse);
rb_define_method(cX509ExtFactory, "issuer_certificate=", ossl_x509extfactory_set_issuer_cert, 1);
rb_define_method(cX509ExtFactory, "subject_certificate=", ossl_x509extfactory_set_subject_cert, 1);
rb_define_method(cX509ExtFactory, "subject_request=", ossl_x509extfactory_set_subject_req, 1);
rb_define_method(cX509ExtFactory, "crl=", ossl_x509extfactory_set_crl, 1);
rb_define_method(cX509ExtFactory, "config=", ossl_x509extfactory_set_config, 1);
rb_define_method(cX509ExtFactory, "create_ext", ossl_x509extfactory_create_ext, -1);
cX509Ext = rb_define_class_under(mX509, "Extension", rb_cObject);
rb_define_alloc_func(cX509Ext, ossl_x509ext_alloc);
rb_define_method(cX509Ext, "initialize", ossl_x509ext_initialize, -1);
rb_define_copy_func(cX509Ext, ossl_x509ext_initialize_copy);
rb_define_method(cX509Ext, "oid=", ossl_x509ext_set_oid, 1);
rb_define_method(cX509Ext, "value=", ossl_x509ext_set_value, 1);
rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);

49
ext/openssl/ossl_x509name.c
View file

@ -181,6 +181,25 @@ ossl_x509name_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
static VALUE
ossl_x509name_initialize_copy(VALUE self, VALUE other)
{
X509_NAME *name, *name_other, *name_new;
rb_check_frozen(self);
GetX509Name(self, name);
SafeGetX509Name(other, name_other);
name_new = X509_NAME_dup(name_other);
if (!name_new)
ossl_raise(eX509NameError, "X509_NAME_dup");
SetX509Name(self, name_new);
X509_NAME_free(name);
return self;
}
/*
* call-seq:
* name.add_entry(oid, value [, type]) => self
@ -307,10 +326,7 @@ ossl_x509name_to_a(VALUE self)
vname = rb_str_new2(short_name); /*do not free*/
}
value = X509_NAME_ENTRY_get_data(entry);
ary = rb_ary_new3(3,
vname,
rb_str_new((const char *)value->data, value->length),
INT2FIX(value->type));
ary = rb_ary_new3(3, vname, asn1str_to_str(value), INT2NUM(value->type));
rb_ary_push(ret, ary);
}
return ret;
@ -450,6 +466,12 @@ Init_ossl_x509name(void)
{
VALUE utf8str, ptrstr, ia5str, hash;
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
id_aref = rb_intern("[]");
eX509NameError = rb_define_class_under(mX509, "NameError", eOSSLError);
cX509Name = rb_define_class_under(mX509, "Name", rb_cObject);
@ -458,6 +480,7 @@ Init_ossl_x509name(void)
rb_define_alloc_func(cX509Name, ossl_x509name_alloc);
rb_define_method(cX509Name, "initialize", ossl_x509name_initialize, -1);
rb_define_copy_func(cX509Name, ossl_x509name_initialize_copy);
rb_define_method(cX509Name, "add_entry", ossl_x509name_add_entry, -1);
rb_define_method(cX509Name, "to_s", ossl_x509name_to_s, -1);
rb_define_method(cX509Name, "to_a", ossl_x509name_to_a, 0);
@ -474,8 +497,7 @@ Init_ossl_x509name(void)
ptrstr = INT2NUM(V_ASN1_PRINTABLESTRING);
ia5str = INT2NUM(V_ASN1_IA5STRING);
/* Document-const: DEFAULT_OBJECT_TYPE
*
/*
* The default object type for name entries.
*/
rb_define_const(cX509Name, "DEFAULT_OBJECT_TYPE", utf8str);
@ -489,14 +511,12 @@ Init_ossl_x509name(void)
rb_hash_aset(hash, rb_str_new2("domainComponent"), ia5str);
rb_hash_aset(hash, rb_str_new2("emailAddress"), ia5str);
/* Document-const: OBJECT_TYPE_TEMPLATE
*
/*
* The default object type template for name entries.
*/
rb_define_const(cX509Name, "OBJECT_TYPE_TEMPLATE", hash);
/* Document-const: COMPAT
*
/*
* A flag for #to_s.
*
* Breaks the name returned into multiple lines if longer than 80
@ -504,24 +524,21 @@ Init_ossl_x509name(void)
*/
rb_define_const(cX509Name, "COMPAT", ULONG2NUM(XN_FLAG_COMPAT));
/* Document-const: RFC2253
*
/*
* A flag for #to_s.
*
* Returns an RFC2253 format name.
*/
rb_define_const(cX509Name, "RFC2253", ULONG2NUM(XN_FLAG_RFC2253));
/* Document-const: ONELINE
*
/*
* A flag for #to_s.
*
* Returns a more readable format than RFC2253.
*/
rb_define_const(cX509Name, "ONELINE", ULONG2NUM(XN_FLAG_ONELINE));
/* Document-const: MULTILINE
*
/*
* A flag for #to_s.
*
* Returns a multiline format.

20
ext/openssl/ossl_x509req.c
View file

@ -250,7 +250,7 @@ ossl_x509req_get_version(VALUE self)
GetX509Req(self, req);
version = X509_REQ_get_version(req);
return LONG2FIX(version);
return LONG2NUM(version);
}
static VALUE
@ -259,12 +259,12 @@ ossl_x509req_set_version(VALUE self, VALUE version)
X509_REQ *req;
long ver;
if ((ver = FIX2LONG(version)) < 0) {
if ((ver = NUM2LONG(version)) < 0) {
ossl_raise(eX509ReqError, "version must be >= 0!");
}
GetX509Req(self, req);
if (!X509_REQ_set_version(req, ver)) {
ossl_raise(eX509ReqError, NULL);
ossl_raise(eX509ReqError, "X509_REQ_set_version");
}
return version;
@ -302,7 +302,7 @@ static VALUE
ossl_x509req_get_signature_algorithm(VALUE self)
{
X509_REQ *req;
X509_ALGOR *alg;
const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@ -312,7 +312,7 @@ ossl_x509req_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509ReqError, NULL);
}
X509_REQ_get0_signature(NULL, &alg, req);
X509_REQ_get0_signature(req, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509ReqError, NULL);
@ -432,7 +432,7 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
X509_ATTRIBUTE_free(attr);
for (i=0;i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
attr = DupX509AttrPtr(item);
attr = GetX509AttrPtr(item);
if (!X509_REQ_add1_attr(req, attr)) {
ossl_raise(eX509ReqError, NULL);
}
@ -446,7 +446,7 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
X509_REQ *req;
GetX509Req(self, req);
if (!X509_REQ_add1_attr(req, DupX509AttrPtr(attr))) {
if (!X509_REQ_add1_attr(req, GetX509AttrPtr(attr))) {
ossl_raise(eX509ReqError, NULL);
}
@ -459,6 +459,12 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
void
Init_ossl_x509req(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
eX509ReqError = rb_define_class_under(mX509, "RequestError", eOSSLError);
cX509Req = rb_define_class_under(mX509, "Request", rb_cObject);

49
ext/openssl/ossl_x509revoked.c
View file

@ -109,6 +109,25 @@ ossl_x509revoked_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
static VALUE
ossl_x509revoked_initialize_copy(VALUE self, VALUE other)
{
X509_REVOKED *rev, *rev_other, *rev_new;
rb_check_frozen(self);
GetX509Rev(self, rev);
SafeGetX509Rev(other, rev_other);
rev_new = X509_REVOKED_dup(rev_other);
if (!rev_new)
ossl_raise(eX509RevError, "X509_REVOKED_dup");
SetX509Rev(self, rev_new);
X509_REVOKED_free(rev);
return self;
}
static VALUE
ossl_x509revoked_get_serial(VALUE self)
{
@ -123,11 +142,15 @@ static VALUE
ossl_x509revoked_set_serial(VALUE self, VALUE num)
{
X509_REVOKED *rev;
ASN1_INTEGER *ai;
ASN1_INTEGER *asn1int;
GetX509Rev(self, rev);
ai = X509_REVOKED_get0_serialNumber(rev);
X509_REVOKED_set_serialNumber(rev, num_to_asn1integer(num, ai));
asn1int = num_to_asn1integer(num, NULL);
if (!X509_REVOKED_set_serialNumber(rev, asn1int)) {
ASN1_INTEGER_free(asn1int);
ossl_raise(eX509RevError, "X509_REVOKED_set_serialNumber");
}
ASN1_INTEGER_free(asn1int);
return num;
}
@ -146,10 +169,15 @@ static VALUE
ossl_x509revoked_set_time(VALUE self, VALUE time)
{
X509_REVOKED *rev;
ASN1_TIME *asn1time;
GetX509Rev(self, rev);
if (!ossl_x509_time_adjust(X509_REVOKED_get0_revocationDate(rev), time))
ossl_raise(eX509RevError, NULL);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_REVOKED_set_revocationDate(rev, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509RevError, "X509_REVOKED_set_revocationDate");
}
ASN1_TIME_free(asn1time);
return time;
}
@ -199,7 +227,7 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
X509_EXTENSION_free(ext);
for (i=0; i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
ext = DupX509ExtPtr(item);
ext = GetX509ExtPtr(item);
if(!X509_REVOKED_add_ext(rev, ext, -1)) {
ossl_raise(eX509RevError, NULL);
}
@ -214,7 +242,7 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
X509_REVOKED *rev;
GetX509Rev(self, rev);
if(!X509_REVOKED_add_ext(rev, DupX509ExtPtr(ext), -1)) {
if (!X509_REVOKED_add_ext(rev, GetX509ExtPtr(ext), -1)) {
ossl_raise(eX509RevError, NULL);
}
@ -227,12 +255,19 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
void
Init_ossl_x509revoked(void)
{
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
eX509RevError = rb_define_class_under(mX509, "RevokedError", eOSSLError);
cX509Rev = rb_define_class_under(mX509, "Revoked", rb_cObject);
rb_define_alloc_func(cX509Rev, ossl_x509revoked_alloc);
rb_define_method(cX509Rev, "initialize", ossl_x509revoked_initialize, -1);
rb_define_copy_func(cX509Rev, ossl_x509revoked_initialize_copy);
rb_define_method(cX509Rev, "serial", ossl_x509revoked_get_serial, 0);
rb_define_method(cX509Rev, "serial=", ossl_x509revoked_set_serial, 1);

224
ext/openssl/ossl_x509store.c
View file

@ -106,6 +106,20 @@ DupX509StorePtr(VALUE obj)
/*
* Private functions
*/
static int
x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
{
VALUE proc;
proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx);
if (!proc)
proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx);
if (!proc)
return ok;
return ossl_verify_cb_call(proc, ok, ctx);
}
static VALUE
ossl_x509store_alloc(VALUE klass)
{
@ -141,6 +155,7 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
* call-seq:
* X509::Store.new => store
*
* Creates a new X509::Store.
*/
static VALUE
ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
@ -153,7 +168,7 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
/* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
store->ex_data.sk = NULL;
#endif
X509_STORE_set_verify_cb(store, ossl_verify_cb);
X509_STORE_set_verify_cb(store, x509store_verify_cb);
ossl_x509store_set_vfy_cb(self, Qnil);
/* last verification status */
@ -165,6 +180,13 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
/*
* call-seq:
* store.flags = flag
*
* Sets +flag+ to the Store. +flag+ consists of zero or more of the constants
* defined in with name V_FLAG_* or'ed together.
*/
static VALUE
ossl_x509store_set_flags(VALUE self, VALUE flags)
{
@ -177,6 +199,24 @@ ossl_x509store_set_flags(VALUE self, VALUE flags)
return flags;
}
/*
* call-seq:
* store.purpose = purpose
*
* Sets the store's purpose to +purpose+. If specified, the verifications on
* the store will check every untrusted certificate's extensions are consistent
* with the purpose. The purpose is specified by constants:
*
* * X509::PURPOSE_SSL_CLIENT
* * X509::PURPOSE_SSL_SERVER
* * X509::PURPOSE_NS_SSL_SERVER
* * X509::PURPOSE_SMIME_SIGN
* * X509::PURPOSE_SMIME_ENCRYPT
* * X509::PURPOSE_CRL_SIGN
* * X509::PURPOSE_ANY
* * X509::PURPOSE_OCSP_HELPER
* * X509::PURPOSE_TIMESTAMP_SIGN
*/
static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
@ -189,6 +229,10 @@ ossl_x509store_set_purpose(VALUE self, VALUE purpose)
return purpose;
}
/*
* call-seq:
* store.trust = trust
*/
static VALUE
ossl_x509store_set_trust(VALUE self, VALUE trust)
{
@ -201,6 +245,12 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
return trust;
}
/*
* call-seq:
* store.time = time
*
* Sets the time to be used in verifications.
*/
static VALUE
ossl_x509store_set_time(VALUE self, VALUE time)
{
@ -210,13 +260,11 @@ ossl_x509store_set_time(VALUE self, VALUE time)
/*
* call-seq:
* store.add_file(file) -> store
*
* store.add_file(file) -> self
*
* Adds the certificates in +file+ to the certificate store. The +file+ can
* contain multiple PEM-encoded certificates.
*/
static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
@ -238,6 +286,12 @@ ossl_x509store_add_file(VALUE self, VALUE file)
return self;
}
/*
* call-seq:
* store.add_path(path) -> self
*
* Adds +path+ as the hash dir to be looked up by the store.
*/
static VALUE
ossl_x509store_add_path(VALUE self, VALUE dir)
{
@ -263,11 +317,12 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
* call-seq:
* store.set_default_paths
*
* Adds the default certificates to the certificate store. These certificates
* are loaded from the default configuration directory which can usually be
* Configures +store+ to look up CA certificates from the system default
* certificate store as needed basis. The location of the store can usually be
* determined by:
*
* File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
* * OpenSSL::X509::DEFAULT_CERT_FILE
* * OpenSSL::X509::DEFAULT_CERT_DIR
*/
static VALUE
ossl_x509store_set_default_paths(VALUE self)
@ -288,7 +343,6 @@ ossl_x509store_set_default_paths(VALUE self)
*
* Adds the OpenSSL::X509::Certificate +cert+ to the certificate store.
*/
static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
@ -304,6 +358,12 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
return self;
}
/*
* call-seq:
* store.add_crl(crl) -> self
*
* Adds the OpenSSL::X509::CRL +crl+ to the store.
*/
static VALUE
ossl_x509store_add_crl(VALUE self, VALUE arg)
{
@ -323,6 +383,21 @@ static VALUE ossl_x509stctx_get_err(VALUE);
static VALUE ossl_x509stctx_get_err_string(VALUE);
static VALUE ossl_x509stctx_get_chain(VALUE);
/*
* call-seq:
* store.verify(cert, chain = nil) -> true | false
*
* Performs a certificate verification on the OpenSSL::X509::Certificate +cert+.
*
* +chain+ can be an array of OpenSSL::X509::Certificate that is used to
* construct the certificate chain.
*
* If a block is given, it overrides the callback set by #verify_callback=.
*
* After finishing the verification, the error information can be retrieved by
* #error, #error_string, and the resuting complete certificate chain can be
* retrieved by #chain.
*/
static VALUE
ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
{
@ -412,6 +487,10 @@ static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
/*
* call-seq:
* StoreContext.new(store, cert = nil, chain = nil)
*/
static VALUE
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
{
@ -438,6 +517,10 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
/*
* call-seq:
* stctx.verify -> true | false
*/
static VALUE
ossl_x509stctx_verify(VALUE self)
{
@ -458,6 +541,10 @@ ossl_x509stctx_verify(VALUE self)
}
}
/*
* call-seq:
* stctx.chain -> Array of X509::Certificate
*/
static VALUE
ossl_x509stctx_get_chain(VALUE self)
{
@ -484,6 +571,10 @@ ossl_x509stctx_get_chain(VALUE self)
return ary;
}
/*
* call-seq:
* stctx.error -> Integer
*/
static VALUE
ossl_x509stctx_get_err(VALUE self)
{
@ -491,9 +582,13 @@ ossl_x509stctx_get_err(VALUE self)
GetX509StCtx(self, ctx);
return INT2FIX(X509_STORE_CTX_get_error(ctx));
return INT2NUM(X509_STORE_CTX_get_error(ctx));
}
/*
* call-seq:
* stctx.error = error_code
*/
static VALUE
ossl_x509stctx_set_error(VALUE self, VALUE err)
{
@ -505,6 +600,12 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
return err;
}
/*
* call-seq:
* stctx.error_string -> String
*
* Returns the error string corresponding to the error code retrieved by #error.
*/
static VALUE
ossl_x509stctx_get_err_string(VALUE self)
{
@ -517,6 +618,10 @@ ossl_x509stctx_get_err_string(VALUE self)
return rb_str_new2(X509_verify_cert_error_string(err));
}
/*
* call-seq:
* stctx.error_depth -> Integer
*/
static VALUE
ossl_x509stctx_get_err_depth(VALUE self)
{
@ -524,9 +629,13 @@ ossl_x509stctx_get_err_depth(VALUE self)
GetX509StCtx(self, ctx);
return INT2FIX(X509_STORE_CTX_get_error_depth(ctx));
return INT2NUM(X509_STORE_CTX_get_error_depth(ctx));
}
/*
* call-seq:
* stctx.current_cert -> X509::Certificate
*/
static VALUE
ossl_x509stctx_get_curr_cert(VALUE self)
{
@ -537,6 +646,10 @@ ossl_x509stctx_get_curr_cert(VALUE self)
return ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
}
/*
* call-seq:
* stctx.current_crl -> X509::CRL
*/
static VALUE
ossl_x509stctx_get_curr_crl(VALUE self)
{
@ -551,6 +664,12 @@ ossl_x509stctx_get_curr_crl(VALUE self)
return ossl_x509crl_new(crl);
}
/*
* call-seq:
* stctx.flags = flags
*
* Sets the verification flags to the context. See Store#flags=.
*/
static VALUE
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
{
@ -563,6 +682,12 @@ ossl_x509stctx_set_flags(VALUE self, VALUE flags)
return flags;
}
/*
* call-seq:
* stctx.purpose = purpose
*
* Sets the purpose of the context. See Store#purpose=.
*/
static VALUE
ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
{
@ -575,6 +700,10 @@ ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
return purpose;
}
/*
* call-seq:
* stctx.trust = trust
*/
static VALUE
ossl_x509stctx_set_trust(VALUE self, VALUE trust)
{
@ -589,7 +718,9 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
/*
* call-seq:
* storectx.time = time => time
* stctx.time = time
*
* Sets the time used in the verification. If not set, the current time is used.
*/
static VALUE
ossl_x509stctx_set_time(VALUE self, VALUE time)
@ -610,10 +741,9 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
void
Init_ossl_x509store(void)
{
VALUE x509stctx;
#if 0
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
mX509 = rb_define_module_under(mOSSL, "X509");
#endif
@ -631,11 +761,11 @@ Init_ossl_x509store(void)
*
* This will use your system's built-in certificates.
*
* If your system does not have a default set of certificates you can
* obtain a set from Mozilla here: http://curl.haxx.se/docs/caextract.html
* (Note that this set does not have an HTTPS download option so you may
* wish to use the firefox-db2pem.sh script to extract the certificates
* from a local install to avoid man-in-the-middle attacks.)
* If your system does not have a default set of certificates you can obtain
* a set extracted from Mozilla CA certificate store by cURL maintainers
* here: https://curl.haxx.se/docs/caextract.html (You may wish to use the
* firefox-db2pem.sh script to extract the certificates from a local install
* to avoid man-in-the-middle attacks.)
*
* After downloading or generating a cacert.pem from the above link you
* can create a certificate store from the pem file like this:
@ -646,6 +776,7 @@ Init_ossl_x509store(void)
* The certificate store can be used with an SSLSocket like this:
*
* ssl_context = OpenSSL::SSL::SSLContext.new
* ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
* ssl_context.cert_store = cert_store
*
* tcp_socket = TCPSocket.open 'example.com', 443
@ -654,12 +785,30 @@ Init_ossl_x509store(void)
*/
cX509Store = rb_define_class_under(mX509, "Store", rb_cObject);
/*
* The callback for additional certificate verification. It is invoked for
* each untrusted certificate in the chain.
*
* The callback is invoked with two values, a boolean that indicates if the
* pre-verification by OpenSSL has succeeded or not, and the StoreContext in
* use. The callback must return either true or false.
*/
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
/*
* The error code set by the last call of #verify.
*/
rb_attr(cX509Store, rb_intern("error"), 1, 0, Qfalse);
/*
* The description for the error code set by the last call of #verify.
*/
rb_attr(cX509Store, rb_intern("error_string"), 1, 0, Qfalse);
/*
* The certificate chain constructed by the last call of #verify.
*/
rb_attr(cX509Store, rb_intern("chain"), 1, 0, Qfalse);
rb_define_alloc_func(cX509Store, ossl_x509store_alloc);
rb_define_method(cX509Store, "initialize", ossl_x509store_initialize, -1);
rb_undef_method(cX509Store, "initialize_copy");
rb_define_method(cX509Store, "verify_callback=", ossl_x509store_set_vfy_cb, 1);
rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1);
rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1);
@ -672,21 +821,26 @@ Init_ossl_x509store(void)
rb_define_method(cX509Store, "add_crl", ossl_x509store_add_crl, 1);
rb_define_method(cX509Store, "verify", ossl_x509store_verify, -1);
cX509StoreContext = rb_define_class_under(mX509,"StoreContext",rb_cObject);
x509stctx = cX509StoreContext;
/*
* Document-class: OpenSSL::X509::StoreContext
*
* A StoreContext is used while validating a single certificate and holds
* the status involved.
*/
cX509StoreContext = rb_define_class_under(mX509,"StoreContext", rb_cObject);
rb_define_alloc_func(cX509StoreContext, ossl_x509stctx_alloc);
rb_define_method(x509stctx,"initialize", ossl_x509stctx_initialize, -1);
rb_define_method(x509stctx,"verify", ossl_x509stctx_verify, 0);
rb_define_method(x509stctx,"chain", ossl_x509stctx_get_chain,0);
rb_define_method(x509stctx,"error", ossl_x509stctx_get_err, 0);
rb_define_method(x509stctx,"error=", ossl_x509stctx_set_error, 1);
rb_define_method(x509stctx,"error_string",ossl_x509stctx_get_err_string,0);
rb_define_method(x509stctx,"error_depth", ossl_x509stctx_get_err_depth, 0);
rb_define_method(x509stctx,"current_cert",ossl_x509stctx_get_curr_cert, 0);
rb_define_method(x509stctx,"current_crl", ossl_x509stctx_get_curr_crl, 0);
rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1);
rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1);
rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1);
rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1);
rb_define_method(cX509StoreContext, "initialize", ossl_x509stctx_initialize, -1);
rb_undef_method(cX509StoreContext, "initialize_copy");
rb_define_method(cX509StoreContext, "verify", ossl_x509stctx_verify, 0);
rb_define_method(cX509StoreContext, "chain", ossl_x509stctx_get_chain,0);
rb_define_method(cX509StoreContext, "error", ossl_x509stctx_get_err, 0);
rb_define_method(cX509StoreContext, "error=", ossl_x509stctx_set_error, 1);
rb_define_method(cX509StoreContext, "error_string", ossl_x509stctx_get_err_string,0);
rb_define_method(cX509StoreContext, "error_depth", ossl_x509stctx_get_err_depth, 0);
rb_define_method(cX509StoreContext, "current_cert", ossl_x509stctx_get_curr_cert, 0);
rb_define_method(cX509StoreContext, "current_crl", ossl_x509stctx_get_curr_crl, 0);
rb_define_method(cX509StoreContext, "flags=", ossl_x509stctx_set_flags, 1);
rb_define_method(cX509StoreContext, "purpose=", ossl_x509stctx_set_purpose, 1);
rb_define_method(cX509StoreContext, "trust=", ossl_x509stctx_set_trust, 1);
rb_define_method(cX509StoreContext, "time=", ossl_x509stctx_set_time, 1);
}

4
sample/openssl/cipher.rb
View file

@ -10,7 +10,7 @@ def crypt_by_password(alg, pass, salt, text)
puts
puts "--Encrypting--"
enc = OpenSSL::Cipher::Cipher.new(alg)
enc = OpenSSL::Cipher.new(alg)
enc.encrypt
enc.pkcs5_keyivgen(pass, salt)
cipher = enc.update(text)
@ -19,7 +19,7 @@ def crypt_by_password(alg, pass, salt, text)
puts
puts "--Decrypting--"
dec = OpenSSL::Cipher::Cipher.new(alg)
dec = OpenSSL::Cipher.new(alg)
dec.decrypt
dec.pkcs5_keyivgen(pass, salt)
plain = dec.update(cipher)

90
test/openssl/test_cipher.rb
View file

@ -5,16 +5,12 @@ if defined?(OpenSSL::TestUtils)
class OpenSSL::TestCipher < OpenSSL::TestCase
@ciphers = OpenSSL::Cipher.ciphers
class << self
def has_cipher?(name)
ciphers = OpenSSL::Cipher.ciphers
# redefine method so we can use the cached ciphers value from the closure
# and need not recompute the list each time
define_singleton_method :has_cipher? do |name|
ciphers.include?(name)
end
has_cipher?(name)
@ciphers.include?(name)
end
def has_ciphers?(list)
@ -24,7 +20,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
end
def setup
@c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC")
@c1 = OpenSSL::Cipher.new("DES-EDE3-CBC")
@c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC")
@key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
@iv = "\0\0\0\0\0\0\0\0"
@ -118,10 +114,9 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
OpenSSL::Cipher.ciphers.each{|name|
next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name
begin
assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name))
assert_kind_of(OpenSSL::Cipher, OpenSSL::Cipher.new(name))
rescue OpenSSL::Cipher::CipherError => e
next if /wrap/ =~ name and e.message == 'wrap mode not allowed'
raise
raise unless /wrap/ =~ name and /wrap mode not allowed/ =~ e.message
end
}
end
@ -247,8 +242,81 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
end
end
def test_aes_gcm_variable_iv_len
pt = "You should all use Authenticated Encryption!"
cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
cipher.key = "x" * 16
assert_equal(12, cipher.iv_len)
cipher.iv = "a" * 12
ct1 = cipher.update(pt) << cipher.final
tag1 = cipher.auth_tag
cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
cipher.key = "x" * 16
cipher.iv_len = 10
assert_equal(10, cipher.iv_len)
cipher.iv = "a" * 10
ct2 = cipher.update(pt) << cipher.final
tag2 = cipher.auth_tag
assert_not_equal ct1, ct2
assert_not_equal tag1, tag2
decipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
decipher.auth_tag = tag1
decipher.key = "x" * 16
decipher.iv_len = 12
decipher.iv = "a" * 12
assert_equal(pt, decipher.update(ct1) << decipher.final)
decipher.reset
decipher.auth_tag = tag2
assert_raise(OpenSSL::Cipher::CipherError) {
decipher.update(ct2) << decipher.final
}
decipher.reset
decipher.auth_tag = tag2
decipher.iv_len = 10
decipher.iv = "a" * 10
assert_equal(pt, decipher.update(ct2) << decipher.final)
end
end
def test_aes_ocb_tag_len
pt = "You should all use Authenticated Encryption!"
cipher = OpenSSL::Cipher.new("aes-128-ocb").encrypt
cipher.auth_tag_len = 14
cipher.iv_len = 8
key = cipher.random_key
iv = cipher.random_iv
cipher.auth_data = "aad"
ct = cipher.update(pt) + cipher.final
tag = cipher.auth_tag
assert_equal(14, tag.size)
decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt
decipher.auth_tag_len = 14
decipher.auth_tag = tag
decipher.iv_len = 8
decipher.key = key
decipher.iv = iv
decipher.auth_data = "aad"
assert_equal(pt, decipher.update(ct) + decipher.final)
decipher = OpenSSL::Cipher.new("aes-128-ocb").decrypt
decipher.auth_tag_len = 9
decipher.auth_tag = tag[0, 9]
decipher.iv_len = 8
decipher.key = key
decipher.iv = iv
decipher.auth_data = "aad"
assert_raise(OpenSSL::Cipher::CipherError) {
decipher.update(ct) + decipher.final
}
end if has_cipher?("aes-128-ocb")
private
def new_encryptor(algo)

2
test/openssl/test_config.rb
View file

@ -25,7 +25,7 @@ __EOD__
def test_constants
assert(defined?(OpenSSL::Config::DEFAULT_CONFIG_FILE))
config_file = OpenSSL::Config::DEFAULT_CONFIG_FILE
skip "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file)
pend "DEFAULT_CONFIG_FILE may return a wrong path on your platforms. [Bug #6830]" unless File.readable?(config_file)
assert_nothing_raised do
OpenSSL::Config.load(config_file)
end

13
test/openssl/test_engine.rb
View file

@ -14,7 +14,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
def test_openssl_engine_builtin
with_openssl <<-'end;'
orig = OpenSSL::Engine.engines
skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
engine = OpenSSL::Engine.load("openssl")
assert_equal(true, engine)
assert_equal(1, OpenSSL::Engine.engines.size - orig.size)
@ -24,7 +24,7 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
def test_openssl_engine_by_id_string
with_openssl <<-'end;'
orig = OpenSSL::Engine.engines
skip "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
pend "'openssl' is already loaded" if orig.any? { |e| e.id == "openssl" }
engine = get_engine
assert_not_nil(engine)
assert_equal(1, OpenSSL::Engine.engines.size - orig.size)
@ -72,11 +72,18 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
end;
end
def test_dup
with_openssl <<-'end;'
engine = get_engine
assert_raise(NoMethodError) { engine.dup }
end;
end
private
# this is required because OpenSSL::Engine methods change global state
def with_openssl(code)
assert_separately(["-ropenssl"], <<~"end;")
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
require #{__FILE__.dump}
include OpenSSL::TestEngine::Utils
#{code}

161
test/openssl/test_ocsp.rb
View file

@ -5,33 +5,47 @@ if defined?(OpenSSL::TestUtils)
class OpenSSL::TestOCSP < OpenSSL::TestCase
def setup
now = Time.at(Time.now.to_i) # suppress usec
dgst = OpenSSL::Digest::SHA1.new
# @ca_cert
# |
# @cert
# |----------|
# @cert2 @ocsp_cert
ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
ca_serial = 0xabcabcabcabc
@ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
ca_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign,keyCertSign", true],
]
subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
@key = OpenSSL::TestUtils::TEST_KEY_RSA1024
serial = 0xabcabcabcabd
now = Time.at(Time.now.to_i) # suppress usec
dgst = OpenSSL::Digest::SHA1.new
@ca_cert = OpenSSL::TestUtils.issue_cert(
ca_subj, ca_key, ca_serial, now, now+3600, ca_exts, nil, nil, dgst)
@cert = OpenSSL::TestUtils.issue_cert(
subj, @key, serial, now, now+3600, [], @ca_cert, ca_key, dgst)
ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst)
@key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048
cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2")
@cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
cert_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign,keyCertSign", true],
]
@cert = OpenSSL::TestUtils.issue_cert(
cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst)
cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
@cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
cert2_exts = [
["extendedKeyUsage", "OCSPSigning", true],
]
@cert2 = OpenSSL::TestUtils.issue_cert(
OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert2"),
@key2, serial+1, now, now+3600, cert2_exts, @ca_cert, ca_key, "SHA256")
cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst)
ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP")
@ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
ocsp_exts = [
["extendedKeyUsage", "OCSPSigning", true],
]
@ocsp_cert = OpenSSL::TestUtils.issue_cert(
ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256")
end
def test_new_certificate_id
@ -63,12 +77,13 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
end
def test_certificate_id_der
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) # hash algorithm defaults to SHA-1
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
der = cid.to_der
asn1 = OpenSSL::ASN1.decode(der)
# hash algorithm defaults to SHA-1
assert_equal OpenSSL::ASN1.ObjectId("SHA1").to_der, asn1.value[0].value[0].to_der
assert_equal OpenSSL::Digest::SHA1.digest(@cert.issuer.to_der), asn1.value[1].value
assert_equal OpenSSL::Digest::SHA1.digest(OpenSSL::ASN1.decode(@ca_cert.to_der).value[0].value[6].value[1].value), asn1.value[2].value
assert_equal [cid.issuer_name_hash].pack("H*"), asn1.value[1].value
assert_equal [cid.issuer_key_hash].pack("H*"), asn1.value[2].value
assert_equal @cert.serial, asn1.value[3].value
assert_equal der, OpenSSL::OCSP::CertificateId.new(der).to_der
end
@ -82,7 +97,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
request = OpenSSL::OCSP::Request.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
request.add_certid(cid)
request.sign(@cert, @key, [@ca_cert], 0)
request.sign(@cert, @cert_key, [@ca_cert], 0)
asn1 = OpenSSL::ASN1.decode(request.to_der)
assert_equal cid.to_der, asn1.value[0].value.find { |a| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der
assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
@ -92,40 +107,51 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
end
def test_request_sign_verify
request = OpenSSL::OCSP::Request.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
request.add_certid(cid)
request.sign(@cert, @key, nil, 0, "SHA1")
assert_equal cid.to_der, request.certid.first.to_der
store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert)
assert_equal true, request.verify([@cert], store1)
assert_equal true, request.verify([], store1)
store2 = OpenSSL::X509::Store.new; store1.add_cert(@cert2)
assert_equal false, request.verify([], store2)
assert_equal true, request.verify([], store2, OpenSSL::OCSP::NOVERIFY)
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert)
store = OpenSSL::X509::Store.new.add_cert(@ca_cert)
# with signer cert
req = OpenSSL::OCSP::Request.new.add_certid(cid)
req.sign(@cert, @cert_key, [])
assert_equal true, req.verify([], store)
# without signer cert
req = OpenSSL::OCSP::Request.new.add_certid(cid)
req.sign(@cert, @cert_key, nil)
assert_equal false, req.verify([@cert2], store)
assert_equal false, req.verify([], store) # no signer
assert_equal false, req.verify([], store, OpenSSL::OCSP::NOVERIFY)
assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN)
ret = req.verify([@cert], store)
if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
assert_equal true, ret
else
# RT2560; OCSP_request_verify() does not find signer cert from 'certs' when
# OCSP_NOINTERN is not specified.
# fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2
pend "RT2560: ocsp_req_find_signer"
end
end
def test_request_nonce
req0 = OpenSSL::OCSP::Request.new
req1 = OpenSSL::OCSP::Request.new
req1.add_nonce("NONCE")
req2 = OpenSSL::OCSP::Request.new
req2.add_nonce("NONCF")
req1 = OpenSSL::OCSP::Request.new.add_nonce("NONCE")
req2 = OpenSSL::OCSP::Request.new.add_nonce("ABCDE")
bres = OpenSSL::OCSP::BasicResponse.new
assert_equal 2, req0.check_nonce(bres)
bres.copy_nonce(req1)
assert_equal 3, req0.check_nonce(bres)
assert_equal 1, req1.check_nonce(bres)
bres.add_nonce("NONCE")
assert_equal 1, req1.check_nonce(bres)
assert_equal 0, req2.check_nonce(bres)
assert_equal 3, req0.check_nonce(bres)
end
def test_request_dup
request = OpenSSL::OCSP::Request.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
request.add_certid(cid)
request.sign(@cert, @key, nil, 0, "SHA1")
assert_equal request.to_der, request.dup.to_der
end
@ -134,37 +160,49 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.add_nonce("NONCE")
bres.sign(@cert2, @key2, [@ca_cert], 0)
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
der = bres.to_der
asn1 = OpenSSL::ASN1.decode(der)
assert_equal cid.to_der, asn1.value[0].value.find { |a| a.class == OpenSSL::ASN1::Sequence }.value[0].value[0].to_der
assert_equal OpenSSL::ASN1.Sequence([@cert2, @ca_cert]).to_der, asn1.value[3].value[0].to_der
assert_equal OpenSSL::ASN1.Sequence([@ocsp_cert, @ca_cert]).to_der, asn1.value[3].value[0].to_der
assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der
rescue TypeError
if /GENERALIZEDTIME/ =~ $!.message
skip "OCSP_basic_sign() is broken"
pend "OCSP_basic_sign() is broken"
else
raise
end
end
def test_basic_response_sign_verify
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA256.new)
store = OpenSSL::X509::Store.new.add_cert(@ca_cert)
# signed by CA
bres = OpenSSL::OCSP::BasicResponse.new
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, 500, [])
bres.sign(@cert2, @key2, [], 0, "SHA256") # how can I check the algorithm?
store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert)
assert_equal true, bres.verify([], store1)
store2 = OpenSSL::X509::Store.new; store2.add_cert(@cert)
assert_equal false, bres.verify([], store2)
assert_equal true, bres.verify([], store2, OpenSSL::OCSP::NOVERIFY)
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, "SHA256")
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, [])
bres.sign(@ca_cert, @ca_key, nil, 0, "SHA256")
assert_equal false, bres.verify([], store) # signer not found
assert_equal true, bres.verify([@ca_cert], store)
bres.sign(@ca_cert, @ca_key, [], 0, "SHA256")
assert_equal true, bres.verify([], store)
# signed by OCSP signer
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert2, @cert)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, [])
bres.sign(@ocsp_cert, @ocsp_key, [@cert])
assert_equal true, bres.verify([], store)
assert_equal false, bres.verify([], store, OpenSSL::OCSP::NOCHAIN)
# OpenSSL had a bug on this; test that our workaround works
bres.sign(@ocsp_cert, @ocsp_key, [])
assert_equal true, bres.verify([@cert], store)
end
def test_basic_response_dup
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@cert2, @key2, [@ca_cert], 0)
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
assert_equal bres.to_der, bres.dup.to_der
end
@ -172,7 +210,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
bres = OpenSSL::OCSP::BasicResponse.new
now = Time.at(Time.now.to_i)
cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
cid3 = OpenSSL::OCSP::CertificateId.new(@ca_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, now - 400, -300, nil, nil)
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, -300, 500, [])
@ -206,14 +244,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_single_response_check_validity
bres = OpenSSL::OCSP::BasicResponse.new
cid1 = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
cid2 = OpenSSL::OCSP::CertificateId.new(@ocsp_cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil)
if bres.responses[2].check_validity # thisUpdate is in future; must fail
# LibreSSL bug; skip for now
skip "OCSP_check_validity() is broken"
pend "OCSP_check_validity() is broken"
end
single1 = bres.responses[0]
@ -226,11 +264,22 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal false, single2.check_validity(0, 200)
end
def test_response
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@ocsp_cert, @ocsp_key, [])
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
assert_equal bres.to_der, res.basic.to_der
assert_equal OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, res.status
end
def test_response_der
bres = OpenSSL::OCSP::BasicResponse.new
cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 500, [])
bres.sign(@cert2, @key2, [@ca_cert], 0)
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
der = res.to_der
asn1 = OpenSSL::ASN1.decode(der)
@ -242,7 +291,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
def test_response_dup
bres = OpenSSL::OCSP::BasicResponse.new
bres.sign(@cert2, @key2, [@ca_cert], 0)
bres.sign(@ocsp_cert, @ocsp_key, [@ca_cert], 0)
res = OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres)
assert_equal res.to_der, res.dup.to_der
end

34
test/openssl/test_pair.rb
View file

@ -4,7 +4,7 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils)
require 'socket'
require_relative '../ruby/ut_eof'
require_relative 'ut_eof'
module OpenSSL::SSLPairM
def server
@ -322,6 +322,16 @@ module OpenSSL::TestPairM
}
end
def test_partial_tls_record_read_nonblock
ssl_pair { |s1, s2|
# the beginning of a TLS record
s1.io.write("\x17")
# should raise a IO::WaitReadable since a full TLS record is not available
# for reading
assert_raise(IO::WaitReadable) { s2.read_nonblock(1) }
}
end
def tcp_pair
host = "127.0.0.1"
serv = TCPServer.new(host, 0)
@ -341,7 +351,7 @@ module OpenSSL::TestPairM
ctx2.tmp_dh_callback = nil
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
accepted = s2.accept_nonblock(exception: false)
s2.accept_nonblock(exception: false)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
@ -350,16 +360,16 @@ module OpenSSL::TestPairM
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
accept = s2.accept
EnvUtil.suppress_warning { # uses default callback
assert_nothing_raised { s2.accept }
}
assert_equal s1, t.value
assert accept
ensure
t.join if t
s1.close if s1
s2.close if s2
sock1.close if sock1
sock2.close if sock2
accepted.close if accepted.respond_to?(:close)
end
def test_connect_without_setting_dh_callback
@ -368,7 +378,7 @@ module OpenSSL::TestPairM
ctx2.security_level = 0
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
accepted = s2.accept_nonblock(exception: false)
s2.accept_nonblock(exception: false)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
@ -376,16 +386,16 @@ module OpenSSL::TestPairM
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
accept = s2.accept
EnvUtil.suppress_warning { # default DH
assert_nothing_raised { s2.accept }
}
assert_equal s1, t.value
assert accept
ensure
t.join if t
s1.close if s1
s2.close if s2
sock1.close if sock1
sock2.close if sock2
accepted.close if accepted.respond_to?(:close)
end
def test_ecdh_callback
@ -422,11 +432,11 @@ module OpenSSL::TestPairM
end until rv == s1
end
accepted = s2.accept
s2.accept
assert called, 'ecdh callback should be called'
rescue OpenSSL::SSL::SSLError => e
if e.message =~ /no cipher match/
skip "ECDH cipher not supported."
pend "ECDH cipher not supported."
else
raise e
end
@ -447,7 +457,7 @@ module OpenSSL::TestPairM
begin
ctx1.ciphers = "ECDH"
rescue OpenSSL::SSL::SSLError
skip "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
raise
end
ctx1.ecdh_curves = "P-384:P-521"

35
test/openssl/test_partial_record_read.rb
View file

@ -1,35 +0,0 @@
# frozen_string_literal: false
require_relative "utils"
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestPartialRecordRead < OpenSSL::SSLTestCase
def test_partial_tls_record_read_nonblock
start_server(OpenSSL::SSL::VERIFY_NONE, true, :server_proc =>
Proc.new do |server_ctx, server_ssl|
begin
server_ssl.io.write("\x01") # the beginning of a TLS record
sleep 6 # do not finish prematurely before the read by the client is attempted
ensure
server_ssl.close
end
end
) do |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
begin
ssl.connect
sleep 3 # wait is required for the (incomplete) TLS record to arrive at the client socket
# Should raise a IO::WaitReadable since a full TLS record is not available for reading.
assert_raise(IO::WaitReadable) { ssl.read_nonblock(1) }
ensure
ssl.close
end
end
end
end
end

5
test/openssl/test_pkcs12.rb
View file

@ -180,6 +180,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
end
end
def test_dup
p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert)
assert_equal p12.to_der, p12.dup.to_der
end
private
def assert_cert expected, actual
[

49
test/openssl/test_pkey.rb Normal file
View file

@ -0,0 +1,49 @@
# frozen_string_literal: false
require_relative "utils"
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
PKEYS = {
OpenSSL::PKey::RSA => {
key: OpenSSL::TestUtils::TEST_KEY_RSA1024,
digest: OpenSSL::Digest::SHA1,
},
OpenSSL::PKey::DSA => {
key: OpenSSL::TestUtils::TEST_KEY_DSA512,
digest: OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST,
},
}
if defined?(OpenSSL::PKey::EC)
PKEYS[OpenSSL::PKey::EC] = {
key: OpenSSL::TestUtils::TEST_KEY_EC_P256V1,
digest: OpenSSL::Digest::SHA1,
}
end
def test_sign_verify
data = "Sign me!"
invalid_data = "Sign me?"
PKEYS.each do |klass, prop|
key = prop[:key]
pub_key = dup_public(prop[:key])
digest = prop[:digest].new
signature = key.sign(digest, data)
assert_equal(true, pub_key.verify(digest, signature, data))
assert_equal(false, pub_key.verify(digest, signature, invalid_data))
# digest state is irrelevant
digest << "unya"
assert_equal(true, pub_key.verify(digest, signature, data))
assert_equal(false, pub_key.verify(digest, signature, invalid_data))
if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000
digest = OpenSSL::Digest::SHA256.new
signature = key.sign(digest, data)
assert_equal(true, pub_key.verify(digest, signature, data))
assert_equal(false, pub_key.verify(digest, signature, invalid_data))
end
end
end
end
end

74
test/openssl/test_pkey_dh.rb
View file

@ -3,33 +3,25 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestPKeyDH < OpenSSL::TestCase
class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024
NEW_KEYLEN = 256
def test_DEFAULT_1024
params = <<-eop
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
-----END DH PARAMETERS-----
eop
assert_equal params, OpenSSL::PKey::DH::DEFAULT_1024.to_s
end
def test_DEFAULT_parameters
list = {
1024 => OpenSSL::PKey::DH::DEFAULT_1024,
2048 => OpenSSL::PKey::DH::DEFAULT_2048,
}
def test_DEFAULT_2048
params = <<-eop
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
-----END DH PARAMETERS-----
eop
assert_equal params, OpenSSL::PKey::DH::DEFAULT_2048.to_s
list.each do |expected_size, dh|
assert_equal expected_size, dh.p.num_bits
assert_predicate dh.p, :prime?
result, remainder = (dh.p - 1) / 2
assert_predicate result, :prime?
assert_equal 0, remainder
assert_no_key dh
end
end
def test_new
@ -44,20 +36,26 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
end
end
def test_to_der
dh = OpenSSL::TestUtils::TEST_KEY_DH1024
der = dh.to_der
dh2 = OpenSSL::PKey::DH.new(der)
assert_equal_params(dh, dh2)
assert_no_key(dh2)
end
def test_DHparams
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(DH1024.p),
OpenSSL::ASN1::Integer(DH1024.g)
])
key = OpenSSL::PKey::DH.new(asn1.to_der)
assert_same_dh dup_public(DH1024), key
def test_to_pem
dh = OpenSSL::TestUtils::TEST_KEY_DH1024
pem = dh.to_pem
dh2 = OpenSSL::PKey::DH.new(pem)
assert_equal_params(dh, dh2)
assert_no_key(dh2)
pem = <<~EOF
-----BEGIN DH PARAMETERS-----
MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0
pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG
AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
-----END DH PARAMETERS-----
EOF
key = OpenSSL::PKey::DH.new(pem)
assert_same_dh dup_public(DH1024), key
assert_equal asn1.to_der, DH1024.to_der
assert_equal pem, DH1024.export
end
def test_public_key
@ -113,6 +111,10 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
assert(dh.pub_key)
assert(dh.priv_key)
end
def assert_same_dh(expected, key)
check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
end
end
end

265
test/openssl/test_pkey_dsa.rb
View file

@ -4,7 +4,9 @@ require 'base64'
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512
def test_private
key = OpenSSL::PKey::DSA.new(256)
assert(key.private?)
@ -20,6 +22,11 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
key = OpenSSL::PKey::DSA.new 256
pem = key.public_key.to_pem
OpenSSL::PKey::DSA.new pem
if $0 == __FILE__
assert_nothing_raised {
key = OpenSSL::PKey::DSA.new 2048
}
end
end
def test_new_break
@ -37,55 +44,102 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
assert(key.sysverify(digest, sig))
end
def test_sign_verify
check_sign_verify(OpenSSL::Digest::DSS1.new)
end if defined?(OpenSSL::Digest::DSS1)
def test_DSAPrivateKey
# OpenSSL DSAPrivateKey format; similar to RSAPrivateKey
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(0),
OpenSSL::ASN1::Integer(DSA512.p),
OpenSSL::ASN1::Integer(DSA512.q),
OpenSSL::ASN1::Integer(DSA512.g),
OpenSSL::ASN1::Integer(DSA512.pub_key),
OpenSSL::ASN1::Integer(DSA512.priv_key)
])
key = OpenSSL::PKey::DSA.new(asn1.to_der)
assert_predicate key, :private?
assert_same_dsa DSA512, key
if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
def test_sign_verify_sha1
check_sign_verify(OpenSSL::Digest::SHA1.new)
pem = <<~EOF
-----BEGIN DSA PRIVATE KEY-----
MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
55jreJD3Se3slps=
-----END DSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem)
assert_same_dsa DSA512, key
assert_equal asn1.to_der, DSA512.to_der
assert_equal pem, DSA512.export
end
def test_sign_verify_sha256
check_sign_verify(OpenSSL::Digest::SHA256.new)
end
end
def test_DSAPrivateKey_encrypted
# key = abcdef
pem = <<~EOF
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9
def test_digest_state_irrelevant_verify
key = OpenSSL::TestUtils::TEST_KEY_DSA256
digest1 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
digest2 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
data = 'Sign me!'
sig = key.sign(digest1, data)
digest1.reset
digest1 << 'Change state of digest1'
assert(key.verify(digest1, sig, data))
assert(key.verify(digest2, sig, data))
D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB
74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw
QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt
OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7
XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta
Wgx6c8K+qBAIVrilw3EWxw==
-----END DSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem, "abcdef")
assert_same_dsa DSA512, key
key = OpenSSL::PKey::DSA.new(pem) { "abcdef" }
assert_same_dsa DSA512, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
exported = DSA512.to_pem(cipher, "abcdef\0\1")
assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::DSAError) {
OpenSSL::PKey::DSA.new(exported, "abcdef")
}
end
def test_read_DSA_PUBKEY
p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699
q = 957032439192465935099784319494405376402293318491
g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285
y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271
algo = OpenSSL::ASN1::ObjectId.new('DSA')
params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
OpenSSL::ASN1::Integer.new(q),
OpenSSL::ASN1::Integer.new(g)])
algo_id = OpenSSL::ASN1::Sequence.new ([algo, params])
pub_key = OpenSSL::ASN1::Integer.new(y)
seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
key = OpenSSL::PKey::DSA.new(seq.to_der)
assert(key.public?)
assert(!key.private?)
assert_equal(p, key.p)
assert_equal(q, key.q)
assert_equal(g, key.g)
assert_equal(y, key.pub_key)
assert_equal(nil, key.priv_key)
def test_PUBKEY
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("DSA"),
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(DSA512.p),
OpenSSL::ASN1::Integer(DSA512.q),
OpenSSL::ASN1::Integer(DSA512.g)
])
]),
OpenSSL::ASN1::BitString(
OpenSSL::ASN1::Integer(DSA512.pub_key).to_der
)
])
key = OpenSSL::PKey::DSA.new(asn1.to_der)
assert_not_predicate key, :private?
assert_same_dsa dup_public(DSA512), key
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT
YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB
4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo
ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg
sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX
oXi9OA==
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem)
assert_same_dsa dup_public(DSA512), key
assert_equal asn1.to_der, dup_public(DSA512).to_der
assert_equal pem, dup_public(DSA512).export
end
def test_read_DSAPublicKey_pem
# TODO: where is the standard? PKey::DSA.new can read only PEM
p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
q = 979494906553787301107832405790107343409973851677
g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
@ -109,127 +163,6 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
assert_equal(nil, key.priv_key)
end
def test_read_DSA_PUBKEY_pem
p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
q = 979494906553787301107832405790107343409973851677
g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
pem = <<-EOF
-----BEGIN PUBLIC KEY-----
MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV
2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz
fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q
qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw
wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA
YNMbNw==
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::DSA.new(pem)
assert(key.public?)
assert(!key.private?)
assert_equal(p, key.p)
assert_equal(q, key.q)
assert_equal(g, key.g)
assert_equal(y, key.pub_key)
assert_equal(nil, key.priv_key)
end
def test_export_format_is_DSA_PUBKEY_pem
key = OpenSSL::TestUtils::TEST_KEY_DSA256
pem = key.public_key.to_pem
pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
assert_equal(2, asn1.value.size)
seq = asn1.value
assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
assert_equal(2, seq[0].value.size)
algo_id = seq[0].value
assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
assert_equal('DSA', algo_id[0].value)
assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag)
assert_equal(3, algo_id[1].value.size)
params = algo_id[1].value
assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag)
assert_equal(key.p, params[0].value)
assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag)
assert_equal(key.q, params[1].value)
assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag)
assert_equal(key.g, params[2].value)
assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
assert_equal(0, seq[1].unused_bits)
pub_key = OpenSSL::ASN1.decode(seq[1].value)
assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag)
assert_equal(key.pub_key, pub_key.value)
end
def test_read_private_key_der
key = OpenSSL::TestUtils::TEST_KEY_DSA256
der = key.to_der
key2 = OpenSSL::PKey.read(der)
assert(key2.private?)
assert_equal(der, key2.to_der)
end
def test_read_private_key_pem
key = OpenSSL::TestUtils::TEST_KEY_DSA256
pem = key.to_pem
key2 = OpenSSL::PKey.read(pem)
assert(key2.private?)
assert_equal(pem, key2.to_pem)
end
def test_read_public_key_der
key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
der = key.to_der
key2 = OpenSSL::PKey.read(der)
assert(!key2.private?)
assert_equal(der, key2.to_der)
end
def test_read_public_key_pem
key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key
pem = key.to_pem
key2 = OpenSSL::PKey.read(pem)
assert(!key2.private?)
assert_equal(pem, key2.to_pem)
end
def test_read_private_key_pem_pw
key = OpenSSL::TestUtils::TEST_KEY_DSA256
pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
#callback form for password
key2 = OpenSSL::PKey.read(pem) do
'secret'
end
assert(key2.private?)
# pass password directly
key2 = OpenSSL::PKey.read(pem, 'secret')
assert(key2.private?)
#omit pem equality check, will be different due to cipher iv
end
def test_export_password_length
key = OpenSSL::TestUtils::TEST_KEY_DSA256
assert_raise(OpenSSL::OpenSSLError) do
key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
end
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
assert(pem)
end
def test_export_password_funny
key = OpenSSL::TestUtils::TEST_KEY_DSA256
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
assert_raise(ArgumentError) do
OpenSSL::PKey.read(pem, "pass")
end
key2 = OpenSSL::PKey.read(pem, "pass\0wd")
assert(key2.private?)
key3 = OpenSSL::PKey::DSA.new(pem, "pass\0wd")
assert(key3.private?)
end
def test_dup
key = OpenSSL::PKey::DSA.new(256)
key2 = key.dup
@ -239,12 +172,8 @@ YNMbNw==
end
private
def check_sign_verify(digest)
key = OpenSSL::TestUtils::TEST_KEY_DSA256
data = 'Sign me!'
sig = key.sign(digest, data)
assert(key.verify(digest, sig, data))
def assert_same_dsa(expected, key)
check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
end
end

443
test/openssl/test_pkey_ec.rb
View file

@ -3,64 +3,46 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC)
class OpenSSL::TestEC < OpenSSL::TestCase
def setup
@data1 = 'foo'
@data2 = 'bar' * 1000 # data too long for DSA sig
class OpenSSL::TestEC < OpenSSL::PKeyTestCase
P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
@groups = []
@keys = []
def test_ec_key
builtin_curves = OpenSSL::PKey::EC.builtin_curves
assert_not_empty builtin_curves
OpenSSL::PKey::EC.builtin_curves.each do |curve, comment|
group = OpenSSL::PKey::EC::Group.new(curve)
builtin_curves.each do |curve_name, comment|
# Oakley curves and X25519 are not suitable for signing and causes
# FIPS-selftest failure on some environment, so skip for now.
next if ["Oakley", "X25519"].any? { |n| curve_name.start_with?(n) }
# Oakley curves and X25519 are not suitable for signing
next if ["Oakley", "X25519"].any? { |n| curve.start_with?(n) }
key = OpenSSL::PKey::EC.new(group)
key = OpenSSL::PKey::EC.new(curve_name)
key.generate_key!
@groups << group
@keys << key
assert_predicate key, :private?
assert_predicate key, :public?
assert_nothing_raised { key.check_key }
end
end
def test_dup
key = OpenSSL::PKey::EC.new("prime256v1")
key.generate_key!
key2 = key.dup
assert_equal key.to_der, key2.to_der
key1 = OpenSSL::PKey::EC.new("prime256v1").generate_key!
key2 = OpenSSL::PKey::EC.new
key2.group = key1.group
key2.private_key = key1.private_key
key2.public_key = key1.public_key
assert_equal key1.to_der, key2.to_der
key3 = OpenSSL::PKey::EC.new(key1)
assert_equal key1.to_der, key3.to_der
key4 = OpenSSL::PKey::EC.new(key1.to_der)
assert_equal key1.to_der, key4.to_der
key5 = key1.dup
assert_equal key1.to_der, key5.to_der
key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key!
key2.private_key = key_tmp.private_key
key2.public_key = key_tmp.public_key
assert_not_equal key.to_der, key2.to_der
group = key.group
group2 = group.dup
assert_equal group.to_der, group2.to_der
group2.asn1_flag ^= OpenSSL::PKey::EC::NAMED_CURVE
assert_not_equal group.to_der, group2.to_der
point = key.public_key
point2 = point.dup
assert_equal point.to_bn, point2.to_bn
point2.invert!
assert_not_equal point.to_bn, point2.to_bn
end
def compare_keys(k1, k2)
assert_equal(k1.to_pem, k2.to_pem)
end
def test_builtin_curves
assert(!OpenSSL::PKey::EC.builtin_curves.empty?)
end
def test_curve_names
@groups.each_with_index do |group, idx|
key = @keys[idx]
assert_equal(group.curve_name, key.group.curve_name)
end
key5.private_key = key_tmp.private_key
key5.public_key = key_tmp.public_key
assert_not_equal key1.to_der, key5.to_der
end
def test_generate
@ -73,173 +55,206 @@ class OpenSSL::TestEC < OpenSSL::TestCase
end
def test_check_key
for key in @keys
assert_equal(true, key.check_key)
assert_equal(true, key.private?)
assert_equal(true, key.public?)
key2 = OpenSSL::PKey::EC.new(key.group)
assert_equal(false, key2.private?)
assert_equal(false, key2.public?)
key2.public_key = key.public_key
assert_equal(false, key2.private?)
assert_equal(true, key2.public?)
key2.private_key = key.private_key
assert_equal(true, key2.private?)
assert_equal(true, key2.public?)
assert_equal(true, key2.check_key)
key2.private_key += 1
assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
end
end
def test_group_encoding
for group in @groups
for meth in [:to_der, :to_pem]
txt = group.send(meth)
gr = OpenSSL::PKey::EC::Group.new(txt)
assert_equal(txt, gr.send(meth))
assert_equal(group.generator.to_bn, gr.generator.to_bn)
assert_equal(group.cofactor, gr.cofactor)
assert_equal(group.order, gr.order)
assert_equal(group.seed, gr.seed)
assert_equal(group.degree, gr.degree)
end
end
end
def test_key_encoding
for key in @keys
group = key.group
for meth in [:to_der, :to_pem]
txt = key.send(meth)
assert_equal(txt, OpenSSL::PKey::EC.new(txt).send(meth))
end
bn = key.public_key.to_bn
assert_equal(bn, OpenSSL::PKey::EC::Point.new(group, bn).to_bn)
end
end
def test_set_keys
for key in @keys
k = OpenSSL::PKey::EC.new
k.group = key.group
k.private_key = key.private_key
k.public_key = key.public_key
compare_keys(key, k)
end
key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
assert_equal(true, key.check_key)
assert_equal(true, key.private?)
assert_equal(true, key.public?)
key2 = OpenSSL::PKey::EC.new(key.group)
assert_equal(false, key2.private?)
assert_equal(false, key2.public?)
key2.public_key = key.public_key
assert_equal(false, key2.private?)
assert_equal(true, key2.public?)
key2.private_key = key.private_key
assert_equal(true, key2.private?)
assert_equal(true, key2.public?)
assert_equal(true, key2.check_key)
key2.private_key += 1
assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
end
def test_dsa_sign_verify
for key in @keys
sig = key.dsa_sign_asn1(@data1)
assert(key.dsa_verify_asn1(@data1, sig))
end
data1 = "foo"
data2 = "bar"
key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
sig = key.dsa_sign_asn1(data1)
assert_equal true, key.dsa_verify_asn1(data1, sig)
assert_equal false, key.dsa_verify_asn1(data2, sig)
end
def test_dsa_sign_asn1_FIPS186_3
for key in @keys
size = key.group.order.num_bits / 8 + 1
dgst = (1..size).to_a.pack('C*')
begin
sig = key.dsa_sign_asn1(dgst)
# dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
assert(key.dsa_verify_asn1(dgst + "garbage", sig))
rescue OpenSSL::PKey::ECError => e
# just an exception for longer dgst before openssl-0.9.8m
assert_equal('ECDSA_sign: data too large for key size', e.message)
# no need to do following tests
return
end
key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
size = key.group.order.num_bits / 8 + 1
dgst = (1..size).to_a.pack('C*')
begin
sig = key.dsa_sign_asn1(dgst)
# dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
assert(key.dsa_verify_asn1(dgst + "garbage", sig))
rescue OpenSSL::PKey::ECError => e
# just an exception for longer dgst before openssl-0.9.8m
assert_equal('ECDSA_sign: data too large for key size', e.message)
# no need to do following tests
return
end
end
def test_dh_compute_key
for key in @keys
k = OpenSSL::PKey::EC.new(key.group)
k.generate_key!
key_a = OpenSSL::PKey::EC.new("prime256v1").generate_key!
key_b = OpenSSL::PKey::EC.new(key_a.group).generate_key!
puba = key.public_key
pubb = k.public_key
a = key.dh_compute_key(pubb)
b = k.dh_compute_key(puba)
assert_equal(a, b)
pub_a = key_a.public_key
pub_b = key_b.public_key
a = key_a.dh_compute_key(pub_b)
b = key_b.dh_compute_key(pub_a)
assert_equal a, b
end
def test_ECPrivateKey
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(1),
OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)),
OpenSSL::ASN1::ASN1Data.new(
[OpenSSL::ASN1::ObjectId("prime256v1")],
0, :CONTEXT_SPECIFIC
),
OpenSSL::ASN1::ASN1Data.new(
[OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))],
1, :CONTEXT_SPECIFIC
)
])
key = OpenSSL::PKey::EC.new(asn1.to_der)
assert_predicate key, :private?
assert_same_ec P256, key
pem = <<~EOF
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49
AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt
CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
-----END EC PRIVATE KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem)
assert_same_ec P256, key
assert_equal asn1.to_der, P256.to_der
assert_equal pem, P256.export
end
def test_ECPrivateKey_encrypted
# key = abcdef
pem = <<~EOF
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,85743EB6FAC9EA76BF99D9328AFD1A66
nhsP1NHxb53aeZdzUe9umKKyr+OIwQq67eP0ONM6E1vFTIcjkDcFLR6PhPFufF4m
y7E2HF+9uT1KPQhlE+D63i1m1Mvez6PWfNM34iOQp2vEhaoHHKlR3c43lLyzaZDI
0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM=
-----END EC PRIVATE KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem, "abcdef")
assert_same_ec P256, key
key = OpenSSL::PKey::EC.new(pem) { "abcdef" }
assert_same_ec P256, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
exported = P256.to_pem(cipher, "abcdef\0\1")
assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::ECError) {
OpenSSL::PKey::EC.new(exported, "abcdef")
}
end
def test_PUBKEY
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
OpenSSL::ASN1::ObjectId("prime256v1")
]),
OpenSSL::ASN1::BitString(
P256.public_key.to_bn.to_s(2)
)
])
key = OpenSSL::PKey::EC.new(asn1.to_der)
assert_not_predicate key, :private?
assert_same_ec dup_public(P256), key
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7l
SZ/ArK41eGy5wAzU/0G51XttCeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::EC.new(pem)
assert_same_ec dup_public(P256), key
assert_equal asn1.to_der, dup_public(P256).to_der
assert_equal pem, dup_public(P256).export
end
def test_ec_group
group1 = OpenSSL::PKey::EC::Group.new("prime256v1")
key1 = OpenSSL::PKey::EC.new(group1)
assert_equal group1, key1.group
group2 = OpenSSL::PKey::EC::Group.new(group1)
assert_equal group1.to_der, group2.to_der
assert_equal group1, group2
group2.asn1_flag ^=OpenSSL::PKey::EC::NAMED_CURVE
assert_not_equal group1.to_der, group2.to_der
assert_equal group1, group2
group3 = group1.dup
assert_equal group1.to_der, group3.to_der
assert group1.asn1_flag & OpenSSL::PKey::EC::NAMED_CURVE # our default
der = group1.to_der
group4 = OpenSSL::PKey::EC::Group.new(der)
group1.point_conversion_form = group4.point_conversion_form = :uncompressed
assert_equal :uncompressed, group1.point_conversion_form
assert_equal :uncompressed, group4.point_conversion_form
assert_equal group1, group4
assert_equal group1.curve_name, group4.curve_name
assert_equal group1.generator.to_bn, group4.generator.to_bn
assert_equal group1.order, group4.order
assert_equal group1.cofactor, group4.cofactor
assert_equal group1.seed, group4.seed
assert_equal group1.degree, group4.degree
end
def test_ec_point
group = OpenSSL::PKey::EC::Group.new("prime256v1")
key = OpenSSL::PKey::EC.new(group).generate_key!
point = key.public_key
point2 = OpenSSL::PKey::EC::Point.new(group, point.to_bn)
assert_equal point, point2
assert_equal point.to_bn, point2.to_bn
point2.invert!
assert_not_equal point.to_bn, point2.to_bn
begin
group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
group.point_conversion_form = :uncompressed
generator = OpenSSL::PKey::EC::Point.new(group, 0x040501.to_bn)
group.set_generator(generator, 19, 1)
point = OpenSSL::PKey::EC::Point.new(group, 0x040603.to_bn)
rescue OpenSSL::PKey::EC::Group::Error
pend "Patched OpenSSL rejected curve" if /unsupported field/ =~ $!.message
raise
end
end
def test_read_private_key_der
ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
der = ec.to_der
ec2 = OpenSSL::PKey.read(der)
assert(ec2.private_key?)
assert_equal(der, ec2.to_der)
end
assert_equal 0x040603.to_bn, point.to_bn
assert_equal true, point.on_curve?
point.invert! # 8.5
assert_equal 0x04060E.to_bn, point.to_bn
assert_equal true, point.on_curve?
def test_read_private_key_pem
ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
pem = ec.to_pem
ec2 = OpenSSL::PKey.read(pem)
assert(ec2.private_key?)
assert_equal(pem, ec2.to_pem)
end
def test_read_public_key_der
ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
ec2 = OpenSSL::PKey::EC.new(ec.group)
ec2.public_key = ec.public_key
der = ec2.to_der
ec3 = OpenSSL::PKey.read(der)
assert(!ec3.private_key?)
assert_equal(der, ec3.to_der)
end
def test_read_public_key_pem
ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
ec2 = OpenSSL::PKey::EC.new(ec.group)
ec2.public_key = ec.public_key
pem = ec2.to_pem
ec3 = OpenSSL::PKey.read(pem)
assert(!ec3.private_key?)
assert_equal(pem, ec3.to_pem)
end
def test_read_private_key_pem_pw
ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
pem = ec.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
#callback form for password
ec2 = OpenSSL::PKey.read(pem) do
'secret'
end
assert(ec2.private_key?)
# pass password directly
ec2 = OpenSSL::PKey.read(pem, 'secret')
assert(ec2.private_key?)
#omit pem equality check, will be different due to cipher iv
end
def test_export_password_length
key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
assert_raise(OpenSSL::OpenSSLError) do
key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
end
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
assert(pem)
end
def test_export_password_funny
key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
assert_raise(ArgumentError) do
OpenSSL::PKey.read(pem, "pass")
end
key2 = OpenSSL::PKey.read(pem, "pass\0wd")
assert(key2.private_key?)
key3 = OpenSSL::PKey::EC.new(pem, "pass\0wd")
assert(key3.private_key?)
assert_equal false, point.infinity?
point.set_to_infinity!
assert_equal true, point.infinity?
assert_equal 0.to_bn, point.to_bn
assert_equal true, point.on_curve?
end
def test_ec_point_mul
@ -247,44 +262,50 @@ class OpenSSL::TestEC < OpenSSL::TestCase
# y^2 = x^3 + 2x + 2 over F_17
# generator is (5, 1)
group = OpenSSL::PKey::EC::Group.new(:GFp, 17, 2, 2)
group.point_conversion_form = :uncompressed
gen = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040501", 16))
group.set_generator(gen, 0, 0)
# 3 * (6, 3) = (16, 13)
point_a = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new("040603", 16))
result_a1 = point_a.mul(3.to_bn)
result_a1 = point_a.mul(3)
assert_equal("04100D", result_a1.to_bn.to_s(16))
# 3 * (6, 3) + 3 * (5, 1) = (7, 6)
result_a2 = point_a.mul(3.to_bn, 3.to_bn)
result_a2 = point_a.mul(3, 3)
assert_equal("040706", result_a2.to_bn.to_s(16))
# 3 * point_a = 3 * (6, 3) = (16, 13)
result_b1 = point_a.mul([3.to_bn], [])
result_b1 = point_a.mul([3], [])
assert_equal("04100D", result_b1.to_bn.to_s(16))
# 3 * point_a + 2 * point_a = 3 * (6, 3) + 2 * (6, 3) = (7, 11)
result_b1 = point_a.mul([3.to_bn, 2.to_bn], [point_a])
result_b1 = point_a.mul([3, 2], [point_a])
assert_equal("04070B", result_b1.to_bn.to_s(16))
# 3 * point_a + 5 * point_a.group.generator = 3 * (6, 3) + 5 * (5, 1) = (13, 10)
result_b1 = point_a.mul([3.to_bn], [], 5)
result_b1 = point_a.mul([3], [], 5)
assert_equal("040D0A", result_b1.to_bn.to_s(16))
rescue OpenSSL::PKey::EC::Group::Error
# CentOS patches OpenSSL to reject curves defined over Fp where p < 256 bits
raise if $!.message !~ /unsupported field/
end
p256_key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
p256_key = P256
p256_g = p256_key.group
assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key))
# invalid argument
point = p256_key.public_key
assert_raise(TypeError) { point.mul(nil) }
assert_raise(ArgumentError) { point.mul([1.to_bn], [point]) }
assert_raise(TypeError) { point.mul([1.to_bn], nil) }
assert_raise(ArgumentError) { point.mul([1], [point]) }
assert_raise(TypeError) { point.mul([1], nil) }
assert_raise(TypeError) { point.mul([nil], []) }
end
# test Group: asn1_flag, point_conversion
private
def assert_same_ec(expected, key)
check_component(expected, key, [:group, :public_key, :private_key])
end
end
end

336
test/openssl/test_pkey_rsa.rb
View file

@ -4,7 +4,9 @@ require 'base64'
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024
def test_padding
key = OpenSSL::PKey::RSA.new(512, 3)
@ -68,46 +70,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
end
end
def test_sign_verify
key = OpenSSL::TestUtils::TEST_KEY_RSA1024
digest = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
sig = key.sign(digest, data)
assert(key.verify(digest, sig, data))
end
def test_sign_verify_memory_leak
bug9743 = '[ruby-core:62038] [Bug #9743]'
assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30)
data = 'Sign me!'
digest = OpenSSL::Digest::SHA512.new
pkey = OpenSSL::PKey::RSA.new(2048)
signature = pkey.sign(digest, data)
pub_key = pkey.public_key
PREP
20_000.times {
pub_key.verify(digest, signature, data)
}
CODE
assert_no_memory_leak(%w[-ropenssl], <<-PREP, <<-CODE, bug9743, rss: true, timeout: 30)
data = 'Sign me!'
digest = OpenSSL::Digest::SHA512.new
pkey = OpenSSL::PKey::RSA.new(2048)
signature = pkey.sign(digest, data)
pub_key = pkey.public_key
PREP
20_000.times {
begin
pub_key.verify(digest, signature, 1)
rescue TypeError
end
}
CODE
end
def test_digest_state_irrelevant_sign
key = OpenSSL::TestUtils::TEST_KEY_RSA1024
key = RSA1024
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@ -118,7 +82,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
end
def test_digest_state_irrelevant_verify
key = OpenSSL::TestUtils::TEST_KEY_RSA1024
key = RSA1024
digest1 = OpenSSL::Digest::SHA1.new
digest2 = OpenSSL::Digest::SHA1.new
data = 'Sign me!'
@ -129,169 +93,131 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase
assert(key.verify(digest2, sig, data))
end
def test_read_RSAPublicKey
modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351
exponent = 65537
seq = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)])
key = OpenSSL::PKey::RSA.new(seq.to_der)
assert(key.public?)
assert(!key.private?)
assert_equal(modulus, key.n)
assert_equal(exponent, key.e)
assert_equal(nil, key.d)
assert_equal(nil, key.p)
assert_equal(nil, key.q)
assert_equal([], OpenSSL.errors)
end
def test_RSAPrivateKey
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(0),
OpenSSL::ASN1::Integer(RSA1024.n),
OpenSSL::ASN1::Integer(RSA1024.e),
OpenSSL::ASN1::Integer(RSA1024.d),
OpenSSL::ASN1::Integer(RSA1024.p),
OpenSSL::ASN1::Integer(RSA1024.q),
OpenSSL::ASN1::Integer(RSA1024.dmp1),
OpenSSL::ASN1::Integer(RSA1024.dmq1),
OpenSSL::ASN1::Integer(RSA1024.iqmp)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_predicate key, :private?
assert_same_rsa RSA1024, key
def test_read_RSA_PUBKEY
modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351
exponent = 65537
algo = OpenSSL::ASN1::ObjectId.new('rsaEncryption')
null_params = OpenSSL::ASN1::Null.new(nil)
algo_id = OpenSSL::ASN1::Sequence.new ([algo, null_params])
pub_key = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)])
seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)])
key = OpenSSL::PKey::RSA.new(seq.to_der)
assert(key.public?)
assert(!key.private?)
assert_equal(modulus, key.n)
assert_equal(exponent, key.e)
assert_equal(nil, key.d)
assert_equal(nil, key.p)
assert_equal(nil, key.q)
assert_equal([], OpenSSL.errors)
end
def test_read_RSAPublicKey_pem
modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061
exponent = 65537
pem = <<-EOF
-----BEGIN RSA PUBLIC KEY-----
MEgCQQCzyh2RIZK62E2PbTWqUljD+K23XR9AGBKNtXjal6WD2yRGcLqzPJLNCa60
AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE=
-----END RSA PUBLIC KEY-----
pem = <<~EOF
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572
74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE
JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX
sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII
8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA
wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi
qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD
dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA==
-----END RSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
assert(key.public?)
assert(!key.private?)
assert_equal(modulus, key.n)
assert_equal(exponent, key.e)
assert_equal(nil, key.d)
assert_equal(nil, key.p)
assert_equal(nil, key.q)
assert_same_rsa RSA1024, key
assert_equal asn1.to_der, RSA1024.to_der
assert_equal pem, RSA1024.export
end
def test_read_RSA_PUBKEY_pem
modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061
exponent = 65537
pem = <<-EOF
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALPKHZEhkrrYTY9tNapSWMP4rbdd
H0AYEo21eNqXpYPbJEZwurM8ks0JrrQC50lHUmhtshsMmtC7oBedaHmT9i0C
AwEAAQ==
-----END PUBLIC KEY-----
def test_RSAPrivateKey_encrypted
# key = abcdef
pem = <<~EOF
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
zgJniZZQfvv8TFx3LzV6zhAQVayvQVZlAYqFq2yWbbxzF7C+IBhKQle9IhUQ9j/y
/jkvol550LS8vZ7TX5WxyDLe12cdqzEvpR6jf3NbxiNysOCxwG4ErhaZGP+krcoB
ObuL0nvls/+3myy5reKEyy22+0GvTDjaChfr+FwJjXMG+IBCLscYdgZC1LQL6oAn
9xY5DH3W7BW4wR5ttxvtN32TkfVQh8xi3jrLrduUh+hV8DTiAiLIhv0Vykwhep2p
WZA+7qbrYaYM8GLLgLrb6LfBoxeNxAEKiTpl1quFkm+Hk1dKq0EhVnxHf92x0zVF
jRGZxAMNcrlCoE4f5XK45epVZSZvihdo1k73GPbp84aZ5P/xlO4OwZ3i4uCQXynl
jE9c+I+4rRWKyPz9gkkqo0+teJL8ifeKt/3ab6FcdA0aArynqmsKJMktxmNu83We
YVGEHZPeOlyOQqPvZqWsLnXQUfg54OkbuV4/4mWSIzxFXdFy/AekSeJugpswMXqn
oNck4qySNyfnlyelppXyWWwDfVus9CVAGZmJQaJExHMT/rQFRVchlmY0Ddr5O264
gcjv90o1NBOc2fNcqjivuoX7ROqys4K/YdNQ1HhQ7usJghADNOtuLI8ZqMh9akXD
Eqp6Ne97wq1NiJj0nt3SJlzTnOyTjzrTe0Y+atPkVKp7SsjkATMI9JdhXwGhWd7a
qFVl0owZiDasgEhyG2K5L6r+yaJLYkPVXZYC/wtWC3NEchnDWZGQcXzB4xROCQkD
OlWNYDkPiZioeFkA3/fTMvG4moB2Pp9Q4GU5fJ6k43Ccu1up8dX/LumZb4ecg5/x
-----END RSA PRIVATE KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem, "abcdef")
assert_same_rsa RSA1024, key
key = OpenSSL::PKey::RSA.new(pem) { "abcdef" }
assert_same_rsa RSA1024, key
cipher = OpenSSL::Cipher.new("aes-128-cbc")
exported = RSA1024.to_pem(cipher, "abcdef\0\1")
assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1")
assert_raise(OpenSSL::PKey::RSAError) {
OpenSSL::PKey::RSA.new(exported, "abcdef")
}
end
def test_RSAPublicKey
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(RSA1024.n),
OpenSSL::ASN1::Integer(RSA1024.e)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_not_predicate key, :private?
assert_same_rsa dup_public(RSA1024), key
pem = <<~EOF
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMvCxLDUQKc+1P4+Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RF
geyTgE8KQTduu1OE9Zz2SMcRBDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u
/xkP2mKGjAokPIwOI3oCthSZlzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAE=
-----END RSA PUBLIC KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
assert(key.public?)
assert(!key.private?)
assert_equal(modulus, key.n)
assert_equal(exponent, key.e)
assert_equal(nil, key.d)
assert_equal(nil, key.p)
assert_equal(nil, key.q)
assert_same_rsa dup_public(RSA1024), key
end
def test_export_format_is_RSA_PUBKEY
key = OpenSSL::PKey::RSA.new(512)
asn1 = OpenSSL::ASN1.decode(key.public_key.to_der)
check_PUBKEY(asn1, key)
end
def test_PUBKEY
asn1 = OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::ObjectId("rsaEncryption"),
OpenSSL::ASN1::Null(nil)
]),
OpenSSL::ASN1::BitString(
OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(RSA1024.n),
OpenSSL::ASN1::Integer(RSA1024.e)
]).to_der
)
])
key = OpenSSL::PKey::RSA.new(asn1.to_der)
assert_not_predicate key, :private?
assert_same_rsa dup_public(RSA1024), key
def test_export_format_is_RSA_PUBKEY_pem
key = OpenSSL::PKey::RSA.new(512)
pem = key.public_key.to_pem
pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...-------
asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem))
check_PUBKEY(asn1, key)
end
pem = <<~EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLwsSw1ECnPtT+PkOgHhcGA71n
wC2/nL85VBGnRqDxOqjVh7CxaKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbC
z0layNqHyywQEVLFmp1cpIt/Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU
3+l54E6lF/JfFEU5hwIDAQAB
-----END PUBLIC KEY-----
EOF
key = OpenSSL::PKey::RSA.new(pem)
assert_same_rsa dup_public(RSA1024), key
def test_read_private_key_der
der = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_der
key = OpenSSL::PKey.read(der)
assert(key.private?)
assert_equal(der, key.to_der)
end
def test_read_private_key_pem
pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem
key = OpenSSL::PKey.read(pem)
assert(key.private?)
assert_equal(pem, key.to_pem)
end
def test_read_public_key_der
der = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_der
key = OpenSSL::PKey.read(der)
assert(!key.private?)
assert_equal(der, key.to_der)
end
def test_read_public_key_pem
pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_pem
key = OpenSSL::PKey.read(pem)
assert(!key.private?)
assert_equal(pem, key.to_pem)
end
def test_read_private_key_pem_pw
pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
#callback form for password
key = OpenSSL::PKey.read(pem) do
'secret'
end
assert(key.private?)
# pass password directly
key = OpenSSL::PKey.read(pem, 'secret')
assert(key.private?)
#omit pem equality check, will be different due to cipher iv
end
def test_read_private_key_pem_pw_exception
pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret')
# it raises an ArgumentError from PEM reading. The exception raised inside are ignored for now.
assert_raise(ArgumentError) do
OpenSSL::PKey.read(pem) do
raise RuntimeError
end
end
end
def test_export_password_length
key = OpenSSL::TestUtils::TEST_KEY_RSA1024
assert_raise(OpenSSL::OpenSSLError) do
key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
end
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
assert(pem)
end
def test_export_password_funny
key = OpenSSL::TestUtils::TEST_KEY_RSA1024
# this assertion may fail in the future because of OpenSSL change.
# the current upper limit is 1024
assert_raise(OpenSSL::OpenSSLError) do
key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr' * 1024)
end
# password containing NUL byte
pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd")
assert_raise(ArgumentError) do
OpenSSL::PKey.read(pem, "pass")
end
key2 = OpenSSL::PKey.read(pem, "pass\0wd")
assert(key2.private?)
key3 = OpenSSL::PKey::RSA.new(pem, "pass\0wd")
assert(key3.private?)
assert_equal asn1.to_der, dup_public(RSA1024).to_der
assert_equal pem, dup_public(RSA1024).export
end
def test_dup
@ -303,29 +229,9 @@ AwEAAQ==
end
private
def check_PUBKEY(asn1, key)
assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag)
assert_equal(2, asn1.value.size)
seq = asn1.value
assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag)
assert_equal(2, seq[0].value.size)
algo_id = seq[0].value
assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag)
assert_equal('rsaEncryption', algo_id[0].value)
assert_equal(OpenSSL::ASN1::NULL, algo_id[1].tag)
assert_equal(nil, algo_id[1].value)
assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag)
assert_equal(0, seq[1].unused_bits)
pub_key = OpenSSL::ASN1.decode(seq[1].value)
assert_equal(OpenSSL::ASN1::SEQUENCE, pub_key.tag)
assert_equal(2, pub_key.value.size)
assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[0].tag)
assert_equal(key.n, pub_key.value[0].value)
assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag)
assert_equal(key.e, pub_key.value[1].value)
def assert_same_rsa(expected, key)
check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp])
end
end
end

267
test/openssl/test_ssl.rb
View file

@ -66,9 +66,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_not_started_session
skip "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM
pend "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM
open(__FILE__) do |f|
assert_nil OpenSSL::SSL::SSLSocket.new(f).cert
assert_nil EnvUtil.suppress_warning { OpenSSL::SSL::SSLSocket.new(f).cert }
end
end
@ -196,16 +196,14 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_failure
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
start_server(vflag, true, :ignore_listener_error => true){|server, port|
assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET){
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
begin
ssl.connect
ensure
ssl.close
end
}
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
begin
assert_handshake_error { ssl.connect }
ensure
ssl.close
end
}
end
@ -236,6 +234,24 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
def test_client_auth_public_key
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
start_server(vflag, true, ignore_listener_error: true) do |server, port|
assert_raise(ArgumentError) {
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key.public_key
ctx.cert = @cli_cert
server_connect(port, ctx) { }
}
ctx = OpenSSL::SSL::SSLContext.new
ctx.client_cert_cb = Proc.new{ |ssl|
[@cli_cert, @cli_key.public_key]
}
assert_handshake_error { server_connect(port, ctx) }
end
end
def test_client_ca
ctx_proc = Proc.new do |ctx|
ctx.client_ca = [@ca_cert]
@ -321,7 +337,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@ -335,12 +351,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(
:verify_callback => Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_OK
true
end
)
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_OK
true
end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@ -354,12 +369,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(
:verify_callback => Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
false
end
)
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
false
end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@ -375,12 +389,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(
:verify_callback => Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_OK
raise RuntimeError
end
)
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
store_ctx.error = OpenSSL::X509::V_OK
raise RuntimeError
end
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
@ -396,26 +409,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_sslctx_set_params
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options)
ciphers = ctx.ciphers
ciphers_versions = ciphers.collect{|_, v, _, _| v }
ciphers_names = ciphers.collect{|v, _, _, _| v }
assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
begin
assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
ensure
ssl.close
end
}
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
ciphers = ctx.ciphers
ciphers_versions = ciphers.collect{|_, v, _, _| v }
ciphers_names = ciphers.collect{|v, _, _, _| v }
assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
assert(ciphers_names.all?{|v| /(RC4|MD5|EXP)/ !~ v })
assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
end
def test_post_connect_check_with_anon_ciphers
@ -426,9 +428,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx.ciphers = "aNULL"
ctx.security_level = 0
server_connect(port, ctx) { |ssl|
msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
"ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
assert_raise_with_message(sslerr, /anonymous cipher suite/i){
ssl.post_connection_check("localhost.localdomain")
}
}
}
end if OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
@ -687,11 +689,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx3 = OpenSSL::SSL::SSLContext.new
ctx3.ciphers = "DH"
ctx3.ciphers = "aNULL"
ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx3.security_level = 0
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
ctx2.servername_cb = lambda { |args| ctx3 }
sock1, sock2 = socketpair
@ -699,7 +701,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@ -722,7 +724,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
ctx2.ciphers = "aNULL"
ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| Object.new }
@ -731,7 +734,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@ -756,12 +759,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx3 = OpenSSL::SSL::SSLContext.new
ctx3.ciphers = "DH"
ctx3.ciphers = "aNULL"
ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx3.security_level = 0
assert_not_predicate ctx3, :frozen?
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
ctx2.servername_cb = lambda { |args| ctx3 }
sock1, sock2 = socketpair
@ -769,7 +772,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@ -791,7 +794,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
ctx2.ciphers = "aNULL"
ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| nil }
@ -800,7 +804,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@ -823,7 +827,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
hostname = 'example.org'
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
ctx2.ciphers = "aNULL"
ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx2.security_level = 0
ctx2.servername_cb = lambda do |args|
cb_socket = args[0]
@ -836,7 +841,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
@ -859,7 +864,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname)
ctx_proc = Proc.new do |ctx, ssl|
foo_ctx = ctx.dup
foo_ctx = OpenSSL::SSL::SSLContext.new
ctx.servername_cb = Proc.new do |ssl2, hostname|
case hostname
@ -892,6 +897,53 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
end
def test_verify_hostname_on_connect
ctx_proc = proc { |ctx|
now = Time.now
exts = [
["keyUsage", "keyEncipherment,digitalSignature", true],
["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
"DNS:c*.example.com,DNS:d.*.example.com"],
]
ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
@ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
ctx.key = @svr_key
}
start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc,
ignore_listener_error: true) do |svr, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_hostname = true
ctx.cert_store = OpenSSL::X509::Store.new
ctx.cert_store.add_cert(@ca_cert)
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
[
["a.example.com", true],
["A.Example.Com", true],
["x.example.com", false],
["b.example.com", false],
["x.b.example.com", true],
["cx.example.com", true],
["d.x.example.com", false],
].each do |name, expected_ok|
begin
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.hostname = name
if expected_ok
assert_nothing_raised { ssl.connect }
else
assert_handshake_error { ssl.connect }
end
ensure
ssl.close if ssl
sock.close if sock
end
end
end
end
def test_multibyte_read_write
#German a umlaut
auml = [%w{ C3 A4 }.join('')].pack('H*')
@ -932,10 +984,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
# different OpenSSL versions react differently when facing a SSL/TLS version
# that has been marked as forbidden, therefore either of these may be raised
HANDSHAKE_ERRORS = [OpenSSL::SSL::SSLError, Errno::ECONNRESET]
if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContext::METHODS.include?(:SSLv3)
def test_forbid_ssl_v3_for_client
@ -943,7 +991,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :SSLv3
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -951,7 +999,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContex
start_server_version(:SSLv3) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -970,7 +1018,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -978,7 +1026,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
start_server_version(:TLSv1) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -999,7 +1047,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_1
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
@ -1007,7 +1055,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:TLSv1_1) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
@ -1016,7 +1064,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ssl_version = :TLSv1_2
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
@ -1024,7 +1072,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
start_server_version(:TLSv1_2) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2)
@ -1060,16 +1108,31 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
end
def test_alpn_protocol_selection_cancel
ctx_proc = Proc.new { |ctx|
ctx.alpn_select_cb = -> (protocols) { nil }
sock1, sock2 = socketpair
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "aNULL"
ctx1.security_level = 0
ctx1.alpn_select_cb = -> (protocols) { nil }
ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "aNULL"
ctx2.security_level = 0
ctx2.alpn_protocols = ["http/1.1"]
ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
t = Thread.new {
assert_handshake_error { ssl2.connect }
}
assert_raise(MiniTest::Assertion) do # minitest/assertion comes from `assert_join_threads`
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.alpn_protocols = ["http/1.1"]
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx) }
}
end
assert_raise(TypeError) { ssl1.accept }
ensure
sock1&.close
sock2&.close
ssl1&.close
ssl2&.close
t&.kill
t&.join
end
end
@ -1127,7 +1190,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { protocols.first }
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -1136,7 +1199,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 &&
start_server_version(:SSLv23, ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.npn_select_cb = -> (protocols) { "a" * 256 }
assert_raise(*HANDSHAKE_ERRORS) { server_connect(port, ctx) }
assert_handshake_error { server_connect(port, ctx) }
}
end
@ -1182,6 +1245,7 @@ end
# test it doesn't cause a segmentation fault
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx.security_level = 0
sock1, sock2 = socketpair
@ -1243,7 +1307,20 @@ end
# ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024
# ctx.security_level = 2
# assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 }
skip "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed"
end
def test_dup
ctx = OpenSSL::SSL::SSLContext.new
sock1, sock2 = socketpair
ssl = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
assert_raise(NoMethodError) { ctx.dup }
assert_raise(NoMethodError) { ssl.dup }
ensure
ssl.close if ssl
sock1.close
sock2.close
end
private
@ -1276,6 +1353,14 @@ end
sock.close
end
end
def assert_handshake_error
# different OpenSSL versions react differently when facing a SSL/TLS version
# that has been marked as forbidden, therefore either of these may be raised
assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) {
yield
}
end
end
end

6
test/openssl/test_ssl_session.rb
View file

@ -369,6 +369,12 @@ __EOS__
assert(called[:get1])
assert(called[:get2])
end
def test_dup
sess_orig = OpenSSL::SSL::Session.new(DUMMY_SESSION)
sess_dup = sess_orig.dup
assert_equal(sess_orig.to_der, sess_dup.to_der)
end
end
end

11
test/openssl/test_x509attr.rb
View file

@ -12,6 +12,9 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase
attr = OpenSSL::X509::Attribute.new("extReq", val)
assert_equal("extReq", attr.oid)
assert_equal(val.to_der, attr.value.to_der)
attr = OpenSSL::X509::Attribute.new("1.2.840.113549.1.9.14", val)
assert_equal("extReq", attr.oid)
end
def test_from_der
@ -51,6 +54,14 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase
}
assert_equal(test_der, attr.to_der)
end
def test_dup
val = OpenSSL::ASN1::Set([
OpenSSL::ASN1::UTF8String("abc123")
])
attr = OpenSSL::X509::Attribute.new("challengePassword", val)
assert_equal(attr.to_der, attr.dup.to_der)
end
end
end

4
test/openssl/test_x509crl.rb
View file

@ -112,6 +112,10 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
assert_equal(1000, revoked.size)
assert_equal(1, revoked[0].serial)
assert_equal(1000, revoked[999].serial)
crl.revoked = revoked
revoked2 = crl.revoked
assert_equal(revoked.map(&:serial), revoked2.map(&:serial))
end
def test_extension

30
test/openssl/test_x509ext.rb
View file

@ -36,15 +36,15 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase
bc = ef.create_extension("basicConstraints", "CA:TRUE, pathlen:2", true)
assert_equal(@basic_constraints.to_der, bc.to_der)
begin
ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
_end_of_cnf_
rescue NotImplementedError
return
end
ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
[certPolicies]
policyIdentifier = 2.23.140.1.2.1
CPS.1 = http://cps.example.com
_end_of_cnf_
cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
assert_equal(false, cdp.critical?)
@ -61,6 +61,18 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase
assert_match(
%r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
cdp.value)
cp = ef.create_extension("certificatePolicies", "@certPolicies")
assert_equal(false, cp.critical?)
assert_equal("certificatePolicies", cp.oid)
assert_match(%r{2.23.140.1.2.1}, cp.value)
assert_match(%r{http://cps.example.com}, cp.value)
end
def test_dup
ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
assert_equal(@basic_constraints.to_der, ext.to_der)
assert_equal(ext.to_der, ext.dup.to_der)
end
end

5
test/openssl/test_x509name.rb
View file

@ -355,6 +355,11 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
expected = (d[0].ord & 0xff) | (d[1].ord & 0xff) << 8 | (d[2].ord & 0xff) << 16 | (d[3].ord & 0xff) << 24
assert_equal(expected, name_hash(name))
end
def test_dup
name = OpenSSL::X509::Name.parse("/CN=ruby-lang.org")
assert_equal(name.to_der, name.dup.to_der)
end
end
end

7
test/openssl/test_x509req.rb
View file

@ -139,7 +139,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
req.version = 1
assert_equal(false, req.verify(@rsa1024))
rescue OpenSSL::X509::RequestError
skip
pend
end if defined?(OpenSSL::Digest::DSS1)
def test_sign_and_verify_dsa_md5
@ -147,6 +147,11 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
end
def test_dup
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
assert_equal(req.to_der, req.dup.to_der)
end
private
def request_error_returns_false

7
test/openssl/test_x509store.rb
View file

@ -222,6 +222,13 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
}
end
end
def test_dup
store = OpenSSL::X509::Store.new
assert_raise(NoMethodError) { store.dup }
ctx = OpenSSL::X509::StoreContext.new(store)
assert_raise(NoMethodError) { ctx.dup }
end
end
end

129
test/openssl/ut_eof.rb Normal file
View file

@ -0,0 +1,129 @@
# frozen_string_literal: false
require 'test/unit'
module TestEOF
def test_eof_0
open_file("") {|f|
assert_equal("", f.read(0))
assert_equal("", f.read(0))
assert_equal("", f.read)
assert_equal("", f.read(0))
assert_equal("", f.read(0))
}
open_file("") {|f|
assert_nil(f.read(1))
assert_equal("", f.read)
assert_nil(f.read(1))
}
open_file("") {|f|
s = "x"
assert_equal("", f.read(nil, s))
assert_equal("", s)
}
open_file("") {|f|
s = "x"
assert_nil(f.read(10, s))
assert_equal("", s)
}
end
def test_eof_0_rw
return unless respond_to? :open_file_rw
open_file_rw("") {|f|
assert_equal("", f.read)
assert_equal("", f.read)
assert_equal(0, f.syswrite(""))
assert_equal("", f.read)
}
end
def test_eof_1
open_file("a") {|f|
assert_equal("", f.read(0))
assert_equal("a", f.read(1))
assert_equal("" , f.read(0))
assert_equal("" , f.read(0))
assert_equal("", f.read)
assert_equal("", f.read(0))
assert_equal("", f.read(0))
}
open_file("a") {|f|
assert_equal("a", f.read(1))
assert_nil(f.read(1))
}
open_file("a") {|f|
assert_equal("a", f.read(2))
assert_nil(f.read(1))
assert_equal("", f.read)
assert_nil(f.read(1))
}
open_file("a") {|f|
assert_equal("a", f.read)
assert_nil(f.read(1))
assert_equal("", f.read)
assert_nil(f.read(1))
}
open_file("a") {|f|
assert_equal("a", f.read(2))
assert_equal("", f.read)
assert_equal("", f.read)
}
open_file("a") {|f|
assert_equal("a", f.read)
assert_equal("", f.read(0))
}
open_file("a") {|f|
s = "x"
assert_equal("a", f.read(nil, s))
assert_equal("a", s)
}
open_file("a") {|f|
s = "x"
assert_equal("a", f.read(10, s))
assert_equal("a", s)
}
end
def test_eof_2
open_file("") {|f|
assert_equal("", f.read)
assert_predicate(f, :eof?)
}
end
def test_eof_3
open_file("") {|f|
assert_predicate(f, :eof?)
}
end
module Seek
def open_file_seek(content, pos)
open_file(content) do |f|
f.seek(pos)
yield f
end
end
def test_eof_0_seek
open_file_seek("", 10) {|f|
assert_equal(10, f.pos)
assert_equal("", f.read(0))
assert_equal("", f.read)
assert_equal("", f.read(0))
assert_equal("", f.read)
}
end
def test_eof_1_seek
open_file_seek("a", 10) {|f|
assert_equal("", f.read)
assert_equal("", f.read)
}
open_file_seek("a", 1) {|f|
assert_equal("", f.read)
assert_equal("", f.read)
}
end
end
end

38
test/openssl/utils.rb
View file

@ -8,11 +8,13 @@ begin
OpenSSL.fips_mode=false
rescue LoadError
end
require "test/unit"
require "digest/md5"
require 'tempfile'
require "rbconfig"
require "socket"
require "envutil"
module OpenSSL::TestUtils
TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_
@ -260,7 +262,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
return
end
ssl = ssls.accept
rescue OpenSSL::SSL::SSLError
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
if ignore_listener_error
retry
else
@ -348,5 +350,39 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
end
end
class OpenSSL::PKeyTestCase < OpenSSL::TestCase
def check_component(base, test, keys)
keys.each { |comp|
assert_equal base.send(comp), test.send(comp)
}
end
def dup_public(key)
case key
when OpenSSL::PKey::RSA
rsa = OpenSSL::PKey::RSA.new
rsa.set_key(key.n, key.e, nil)
rsa
when OpenSSL::PKey::DSA
dsa = OpenSSL::PKey::DSA.new
dsa.set_pqg(key.p, key.q, key.g)
dsa.set_key(key.pub_key, nil)
dsa
when OpenSSL::PKey::DH
dh = OpenSSL::PKey::DH.new
dh.set_pqg(key.p, nil, key.g)
dh
else
if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
ec = OpenSSL::PKey::EC.new(key.group)
ec.public_key = key.public_key
ec
else
raise "unknown key type"
end
end
end
end
end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and
/\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION