summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorshyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2010-06-21 09:18:59 (GMT)
committershyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2010-06-21 09:18:59 (GMT)
commit1ae16961956c2459c0f29b676c5da9cb9cc875bf (patch)
tree37800b37cb336e24813ae4d74b26df81a361947b
parentc9915e5b08bbb58618b2bbc2dcbc9dafd5c1ba84 (diff)
merge revision(s) 26836:26859,26861,27921:
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by backporting. (see [ruby-dev:40573]) use long in according to OpenSSL API. (SSL_SESSION_{get,set}_time{,out}) * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper for X509_NAME_hash_old in OpenSSL 1.0.0. * test/openssl/test_x509name.rb (test_hash): make test pass with OpenSSL 1.0.0. * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5. * PKey::PKey#verify raises an exception when a given PKey does not match with signature. * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1. * backport the commit from trunk: Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org> * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0. patched by Jeroen van Meeuwen at [ruby-core:25210] fixed by Nobuyoshi Nakada [ruby-core:25238], Hongli Lai [ruby-core:27417], and Motohiro KOSAKI [ruby-core:28063] * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab), (ossl_ssl_cipher_to_ary): constified. * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls): split pkcs7_get_certs_or_crls. * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is truncated with ec_key.group.order.size after openssl 0.9.8m for FIPS 186-3 compliance. WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns false when you pass dgst longer than expected (no truncation performed). * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed. * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098 macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m. OpenSSL 1.0.0beta5 has a slightly different definiton so it could be a temporal workaround for 0.9.8 and 1.0.0 dual support. * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0 (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1) * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use SSL_SESSION_cmp and implement equality func by ousrself. See the comment. * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0. * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which exists. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@28367 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog75
-rw-r--r--ext/openssl/extconf.rb9
-rw-r--r--ext/openssl/ossl.c6
-rw-r--r--ext/openssl/ossl.h7
-rw-r--r--ext/openssl/ossl_config.c12
-rw-r--r--ext/openssl/ossl_engine.c18
-rw-r--r--ext/openssl/ossl_pkcs5.c7
-rw-r--r--ext/openssl/ossl_pkcs7.c40
-rw-r--r--ext/openssl/ossl_pkey_ec.c2
-rw-r--r--ext/openssl/ossl_ssl.c4
-rw-r--r--ext/openssl/ossl_ssl_session.c15
-rw-r--r--ext/openssl/ossl_x509attr.c5
-rw-r--r--ext/openssl/ossl_x509crl.c4
-rw-r--r--ext/openssl/ossl_x509name.c24
-rw-r--r--test/openssl/test_ec.rb4
-rw-r--r--test/openssl/test_x509cert.rb39
-rw-r--r--test/openssl/test_x509crl.rb28
-rw-r--r--test/openssl/test_x509req.rb38
-rw-r--r--version.h8
19 files changed, 278 insertions, 67 deletions
diff --git a/ChangeLog b/ChangeLog
index 2ee35d4..83b7176 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,78 @@
+Mon Jun 21 18:12:15 2010 NAKAMURA Usaku <usa@ruby-lang.org>
+
+ * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
+
+ * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
+ exists.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
+ macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
+ OpenSSL 1.0.0beta5 has a slightly different definiton so it could
+ be a temporal workaround for 0.9.8 and 1.0.0 dual support.
+
+ * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
+ definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
+ (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
+
+ * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
+ SSL_SESSION_cmp and implement equality func by ousrself. See the
+ comment.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_ssl_session.c
+ (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
+ backporting. (see [ruby-dev:40573]) use long in according to
+ OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
+ for X509_NAME_hash_old in OpenSSL 1.0.0.
+
+ * test/openssl/test_x509name.rb (test_hash): make test pass with
+ OpenSSL 1.0.0.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+ * PKey::PKey#verify raises an exception when a given PKey does not
+ match with signature.
+ * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * backport the commit from trunk:
+ Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org>
+
+ * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
+ patched by Jeroen van Meeuwen at [ruby-core:25210]
+ fixed by Nobuyoshi Nakada [ruby-core:25238],
+ Hongli Lai [ruby-core:27417],
+ and Motohiro KOSAKI [ruby-core:28063]
+
+ * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
+ (ossl_ssl_cipher_to_ary): constified.
+
+ * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
+ split pkcs7_get_certs_or_crls.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
+ truncated with ec_key.group.order.size after openssl 0.9.8m for
+ FIPS 186-3 compliance.
+
+ WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
+ openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
+ OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
+ false when you pass dgst longer than expected (no truncation
+ performed).
+
+ * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
+
Wed Jun 16 16:01:42 2010 Tanaka Akira <akr@fsij.org>
* lib/pathname.rb (Pathname#sub): suppress a warning.
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 63ec7f2..6554eba 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -91,6 +91,7 @@ have_func("X509_CRL_add0_revoked")
have_func("X509_CRL_set_issuer_name")
have_func("X509_CRL_set_version")
have_func("X509_CRL_sort")
+have_func("X509_NAME_hash_old")
have_func("X509_STORE_get_ex_data")
have_func("X509_STORE_set_ex_data")
have_func("OBJ_NAME_do_all_sorted")
@@ -106,6 +107,14 @@ if have_header("openssl/engine.h")
have_func("ENGINE_get_digest")
have_func("ENGINE_get_cipher")
have_func("ENGINE_cleanup")
+ have_func("ENGINE_load_4758cca")
+ have_func("ENGINE_load_aep")
+ have_func("ENGINE_load_atalla")
+ have_func("ENGINE_load_chil")
+ have_func("ENGINE_load_cswift")
+ have_func("ENGINE_load_nuron")
+ have_func("ENGINE_load_sureware")
+ have_func("ENGINE_load_ubsec")
end
if try_compile(<<SRC)
#include <openssl/opensslv.h>
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index fd9429b..7aa2c0d 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary)
#define OSSL_IMPL_SK2ARY(name, type) \
VALUE \
-ossl_##name##_sk2ary(STACK *sk) \
+ossl_##name##_sk2ary(STACK_OF(type) *sk) \
{ \
type *t; \
int i, num; \
@@ -102,7 +102,7 @@ ossl_##name##_sk2ary(STACK *sk) \
OSSL_Debug("empty sk!"); \
return Qnil; \
} \
- num = sk_num(sk); \
+ num = sk_##type##_num(sk); \
if (num < 0) { \
OSSL_Debug("items in sk < -1???"); \
return rb_ary_new(); \
@@ -110,7 +110,7 @@ ossl_##name##_sk2ary(STACK *sk) \
ary = rb_ary_new2(num); \
\
for (i=0; i<num; i++) { \
- t = (type *)sk_value(sk, i); \
+ t = sk_##type##_value(sk, i); \
rb_ary_push(ary, ossl_##name##_new(t)); \
} \
return ary; \
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 31fd7d7..9944a86 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -108,6 +108,13 @@ extern VALUE eOSSLError;
} while (0)
/*
+ * Compatibility
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#define STACK _STACK
+#endif
+
+/*
* String to HEXString conversion
*/
int string2hex(char *, int, char **, int *);
diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
index 606edfc..f5e57ba 100644
--- a/ext/openssl/ossl_config.c
+++ b/ext/openssl/ossl_config.c
@@ -313,6 +313,12 @@ ossl_config_get_section_old(VALUE self, VALUE section)
}
#ifdef IMPLEMENT_LHASH_DOALL_ARG_FN
+#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \
+ void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
+ o_type a = (o_type)arg1; \
+ a_type b = (a_type)arg2; \
+ f_name(a,b); }
+
static void
get_conf_section(CONF_VALUE *cv, VALUE ary)
{
@@ -320,7 +326,7 @@ get_conf_section(CONF_VALUE *cv, VALUE ary)
rb_ary_push(ary, rb_str_new2(cv->section));
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE)
static VALUE
ossl_config_get_sections(VALUE self)
@@ -358,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE str)
rb_str_cat2(str, "\n");
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE)
static VALUE
dump_conf(CONF *conf)
@@ -402,7 +408,7 @@ each_conf_value(CONF_VALUE *cv, void* dummy)
}
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*)
static VALUE
ossl_config_each(VALUE self)
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index c0eb180..c6fc603 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -61,16 +61,34 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
}
StringValue(name);
#ifndef OPENSSL_NO_STATIC_ENGINE
+#if HAVE_ENGINE_LOAD_DYNAMIC
OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+#endif
+#if HAVE_ENGINE_LOAD_CSWIFT
OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#endif
+#if HAVE_ENGINE_LOAD_CHIL
OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#endif
+#if HAVE_ENGINE_LOAD_ATALLA
OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+#endif
+#if HAVE_ENGINE_LOAD_NURON
OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+#endif
+#if HAVE_ENGINE_LOAD_UBSEC
OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+#endif
+#if HAVE_ENGINE_LOAD_AEP
OSSL_ENGINE_LOAD_IF_MATCH(aep);
+#endif
+#if HAVE_ENGINE_LOAD_SUREWARE
OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#endif
+#if HAVE_ENGINE_LOAD_4758CCA
OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
#endif
+#endif
#ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
#endif
diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c
index 007889f..39ba013 100644
--- a/ext/openssl/ossl_pkcs5.c
+++ b/ext/openssl/ossl_pkcs5.c
@@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
VALUE str;
const EVP_MD *md;
int len = NUM2INT(keylen);
+ unsigned char* salt_p;
+ unsigned char* str_p;
StringValue(pass);
StringValue(salt);
md = GetDigestPtr(digest);
-
str = rb_str_new(0, len);
+ salt_p = (unsigned char*)RSTRING_PTR(salt);
+ str_p = (unsigned char*)RSTRING_PTR(str);
- if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
+ if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1)
ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
return str;
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 6918844..5177f5c 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -570,12 +570,11 @@ ossl_pkcs7_add_certificate(VALUE self, VALUE cert)
return self;
}
-static STACK *
-pkcs7_get_certs_or_crls(VALUE self, int want_certs)
+static STACK_OF(X509) *
+pkcs7_get_certs(VALUE self)
{
PKCS7 *pkcs7;
STACK_OF(X509) *certs;
- STACK_OF(X509_CRL) *crls;
int i;
GetPKCS7(self, pkcs7);
@@ -583,17 +582,38 @@ pkcs7_get_certs_or_crls(VALUE self, int want_certs)
switch(i){
case NID_pkcs7_signed:
certs = pkcs7->d.sign->cert;
- crls = pkcs7->d.sign->crl;
break;
case NID_pkcs7_signedAndEnveloped:
certs = pkcs7->d.signed_and_enveloped->cert;
+ break;
+ default:
+ certs = NULL;
+ }
+
+ return certs;
+}
+
+static STACK_OF(X509_CRL) *
+pkcs7_get_crls(VALUE self)
+{
+ PKCS7 *pkcs7;
+ STACK_OF(X509_CRL) *crls;
+ int i;
+
+ GetPKCS7(self, pkcs7);
+ i = OBJ_obj2nid(pkcs7->type);
+ switch(i){
+ case NID_pkcs7_signed:
+ crls = pkcs7->d.sign->crl;
+ break;
+ case NID_pkcs7_signedAndEnveloped:
crls = pkcs7->d.signed_and_enveloped->crl;
break;
default:
- certs = crls = NULL;
+ crls = NULL;
}
- return want_certs ? certs : crls;
+ return crls;
}
static VALUE
@@ -608,7 +628,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
STACK_OF(X509) *certs;
X509 *cert;
- certs = pkcs7_get_certs_or_crls(self, 1);
+ certs = pkcs7_get_certs(self);
while((cert = sk_X509_pop(certs))) X509_free(cert);
rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self);
@@ -618,7 +638,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
static VALUE
ossl_pkcs7_get_certificates(VALUE self)
{
- return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1));
+ return ossl_x509_sk2ary(pkcs7_get_certs(self));
}
static VALUE
@@ -648,7 +668,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
STACK_OF(X509_CRL) *crls;
X509_CRL *crl;
- crls = pkcs7_get_certs_or_crls(self, 0);
+ crls = pkcs7_get_crls(self);
while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl);
rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self);
@@ -658,7 +678,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
static VALUE
ossl_pkcs7_get_crls(VALUE self)
{
- return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0));
+ return ossl_x509crl_sk2ary(pkcs7_get_crls(self));
}
static VALUE
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index f02fcd8..cbdad3f 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -681,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
/*
* call-seq:
- * key.dsa_verify(data, sig) => true or false
+ * key.dsa_verify_asn1(data, sig) => true or false
*
* See the OpenSSL documentation for ECDSA_verify()
*/
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index fb3cf5c..1ee391c 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1196,10 +1196,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
}
chain = SSL_get_peer_cert_chain(ssl);
if(!chain) return Qnil;
- num = sk_num(chain);
+ num = sk_X509_num(chain);
ary = rb_ary_new2(num);
for (i = 0; i < num; i++){
- cert = (X509*)sk_value(chain, i);
+ cert = sk_X509_value(chain, i);
rb_ary_push(ary, ossl_x509_new(cert));
}
diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
index 86f9d80..b416e76 100644
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@@ -86,9 +86,18 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
GetSSLSession(val1, ctx1);
SafeGetSSLSession(val2, ctx2);
- switch (SSL_SESSION_cmp(ctx1, ctx2)) {
- case 0: return Qtrue;
- default: return Qfalse;
+ /*
+ * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp.
+ * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash
+ * comparing so we should not depend on it. Just compare sessions
+ * by version and id.
+ */
+ if ((ctx1->ssl_version == ctx2->ssl_version) &&
+ (ctx1->session_id_length == ctx2->session_id_length) &&
+ (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) {
+ return Qtrue;
+ } else {
+ return Qfalse;
}
}
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index ca1c59a..949785a 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -217,8 +217,9 @@ ossl_x509attr_get_value(VALUE self)
ossl_str_adjust(str, p);
}
else{
- length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL,
- i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+ length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
+ (unsigned char **) NULL, i2d_ASN1_TYPE,
+ V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
str = rb_str_new(0, length);
p = RSTRING_PTR(str);
i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index be9ddac..e6d0c2e 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -262,7 +262,7 @@ ossl_x509crl_get_revoked(VALUE self)
VALUE ary, revoked;
GetX509CRL(self, crl);
- num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl));
+ num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
if (num < 0) {
OSSL_Debug("num < 0???");
return rb_ary_new();
@@ -270,7 +270,7 @@ ossl_x509crl_get_revoked(VALUE self)
ary = rb_ary_new2(num);
for(i=0; i<num; i++) {
/* NO DUP - don't free! */
- rev = (X509_REVOKED *)sk_X509_CRL_value(X509_CRL_get_REVOKED(crl), i);
+ rev = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
revoked = ossl_x509revoked_new(rev);
rb_ary_push(ary, revoked);
}
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 220dc06..55f5b58 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -306,6 +306,27 @@ ossl_x509name_hash(VALUE self)
return ULONG2NUM(hash);
}
+#ifdef HAVE_X509_NAME_HASH_OLD
+/*
+ * call-seq:
+ * name.hash_old => integer
+ *
+ * hash_old returns MD5 based hash used in OpenSSL 0.9.X.
+ */
+static VALUE
+ossl_x509name_hash_old(VALUE self)
+{
+ X509_NAME *name;
+ unsigned long hash;
+
+ GetX509Name(self, name);
+
+ hash = X509_NAME_hash_old(name);
+
+ return ULONG2NUM(hash);
+}
+#endif
+
/*
* call-seq:
* name.to_der => string
@@ -351,6 +372,9 @@ Init_ossl_x509name()
rb_define_alias(cX509Name, "<=>", "cmp");
rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1);
rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0);
+#ifdef HAVE_X509_NAME_HASH_OLD
+ rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0);
+#endif
rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0);
utf8str = INT2NUM(V_ASN1_UTF8STRING);
diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb
index 671901c..eb1c61e 100644
--- a/test/openssl/test_ec.rb
+++ b/test/openssl/test_ec.rb
@@ -87,9 +87,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
def test_dsa_sign_verify
for key in @keys
sig = key.dsa_sign_asn1(@data1)
- assert_equal(key.dsa_verify_asn1(@data1, sig), true)
-
- assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+ assert(key.dsa_verify_asn1(@data1, sig))
end
end
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index a5a75ff..cf5e6f7 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -129,13 +129,31 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
end
+ def test_sign_and_verify_wrong_key_type
+ cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::SHA1.new)
+ cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, cert_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::CertificateError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, cert_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::CertificateError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::SHA1.new)
assert_equal(false, cert.verify(@rsa1024))
assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, cert.verify(@dsa256))
- assert_equal(false, cert.verify(@dsa512))
cert.serial = 2
assert_equal(false, cert.verify(@rsa2048))
@@ -143,33 +161,22 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
nil, nil, OpenSSL::Digest::MD5.new)
assert_equal(false, cert.verify(@rsa1024))
assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, cert.verify(@dsa256))
- assert_equal(false, cert.verify(@dsa512))
cert.subject = @ee1
assert_equal(false, cert.verify(@rsa2048))
cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::DSS1.new)
- assert_equal(false, cert.verify(@rsa1024))
- assert_equal(false, cert.verify(@rsa2048))
assert_equal(false, cert.verify(@dsa256))
assert_equal(true, cert.verify(@dsa512))
cert.not_after = Time.now
assert_equal(false, cert.verify(@dsa512))
+ end
+ def test_dsig_algorithm_mismatch
assert_raises(OpenSSL::X509::CertificateError){
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::DSS1.new)
}
- assert_raises(OpenSSL::X509::CertificateError){
- cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::MD5.new)
- }
- assert_raises(OpenSSL::X509::CertificateError){
- cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::SHA1.new)
- }
+ end
end
end
-
-end
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 444a00a..c59ff52 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
assert_match((2**100).to_s, crl.extensions[0].value)
end
+ def test_sign_and_verify_wrong_key_type
+ cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::SHA1.new)
+ crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::DSS1.new)
+ crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, crl_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::CRLError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, crl_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::CRLError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
assert_equal(false, crl.verify(@rsa1024))
assert_equal(true, crl.verify(@rsa2048))
- assert_equal(false, crl.verify(@dsa256))
- assert_equal(false, crl.verify(@dsa512))
crl.version = 0
assert_equal(false, crl.verify(@rsa2048))
@@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
nil, nil, OpenSSL::Digest::DSS1.new)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @dsa512, OpenSSL::Digest::DSS1.new)
- assert_equal(false, crl.verify(@rsa1024))
- assert_equal(false, crl.verify(@rsa2048))
assert_equal(false, crl.verify(@dsa256))
assert_equal(true, crl.verify(@dsa512))
crl.version = 0
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index a37ed5c..6186bce 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -103,37 +103,51 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase
assert_equal(exts, get_ext_req(attrs[1].value))
end
+ def test_sign_and_verify_wrong_key_type
+ req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, req_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::RequestError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, req_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::RequestError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
assert_equal(true, req.verify(@rsa1024))
assert_equal(false, req.verify(@rsa2048))
- assert_equal(false, req.verify(@dsa256))
- assert_equal(false, req.verify(@dsa512))
req.version = 1
assert_equal(false, req.verify(@rsa1024))
req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
assert_equal(false, req.verify(@rsa1024))
assert_equal(true, req.verify(@rsa2048))
- assert_equal(false, req.verify(@dsa256))
- assert_equal(false, req.verify(@dsa512))
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
assert_equal(false, req.verify(@rsa2048))
req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
- assert_equal(false, req.verify(@rsa1024))
- assert_equal(false, req.verify(@rsa2048))
assert_equal(false, req.verify(@dsa256))
assert_equal(true, req.verify(@dsa512))
req.public_key = @rsa1024.public_key
assert_equal(false, req.verify(@dsa512))
+ end
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+ def test_dsig_algorithm_mismatch
+ assert_raise(OpenSSL::X509::RequestError) do
+ issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
+ end
+ assert_raise(OpenSSL::X509::RequestError) do
+ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
+ end
end
end
diff --git a/version.h b/version.h
index e85620a..607d9cb 100644
--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-06-16"
+#define RUBY_RELEASE_DATE "2010-06-21"
#define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20100616
-#define RUBY_PATCHLEVEL 296
+#define RUBY_RELEASE_CODE 20100621
+#define RUBY_PATCHLEVEL 297
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 7
#define RUBY_RELEASE_YEAR 2010
#define RUBY_RELEASE_MONTH 6
-#define RUBY_RELEASE_DAY 16
+#define RUBY_RELEASE_DAY 21
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];