authorKazuki Yamaguchi <k@rhe.jp>2026-05-14 00:42:14 +0900
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2026-05-14 13:59:53 +0900
commit1fbf9abe85e36c442d43fae6be8b5573a959b971 (patch)
tree578bbb8624e18ad2da92338d860ee4f08340608f /ext/openssl
parent0c2dcf4815800551b60bfcd3106855defceb6df0 (diff)
Merge openssl-3.2.4ruby_3_3
The changes can be found at: https://github.com/ruby/openssl/compare/v3.2.3...v3.2.4
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/History.md10
-rw-r--r--ext/openssl/depend156
-rw-r--r--ext/openssl/extconf.rb13
-rw-r--r--ext/openssl/lib/openssl/version.rb2
-rw-r--r--ext/openssl/openssl.gemspec2
-rw-r--r--ext/openssl/openssl_missing.c1
-rw-r--r--ext/openssl/openssl_missing.h27
-rw-r--r--ext/openssl/ossl.c2
-rw-r--r--ext/openssl/ossl.h3
-rw-r--r--ext/openssl/ossl_asn1.c81
-rw-r--r--ext/openssl/ossl_ns_spki.c9
-rw-r--r--ext/openssl/ossl_ocsp.c16
-rw-r--r--ext/openssl/ossl_pkcs7.c2
-rw-r--r--ext/openssl/ossl_pkey.c82
-rw-r--r--ext/openssl/ossl_provider.c2
-rw-r--r--ext/openssl/ossl_ts.c8
-rw-r--r--ext/openssl/ossl_x509.h12
-rw-r--r--ext/openssl/ossl_x509attr.c13
-rw-r--r--ext/openssl/ossl_x509cert.c12
-rw-r--r--ext/openssl/ossl_x509crl.c10
-rw-r--r--ext/openssl/ossl_x509ext.c27
-rw-r--r--ext/openssl/ossl_x509name.c12
-rw-r--r--ext/openssl/ossl_x509req.c4
-rw-r--r--ext/openssl/ossl_x509revoked.c7
-rw-r--r--ext/openssl/ossl_x509store.c8
25 files changed, 383 insertions, 138 deletions
diff --git a/ext/openssl/History.md b/ext/openssl/History.md
index f7ef59aa85..daadc41866 100644
--- a/ext/openssl/History.md
+++ b/ext/openssl/History.md
@@ -1,3 +1,13 @@
+Version 3.2.4
+=============
+
+Notable changes
+---------------
+
+* Add support for OpenSSL 4.0.
+ [[GitHub #1051]](https://github.com/ruby/openssl/pull/1051)
+
+
Version 3.2.3
=============
diff --git a/ext/openssl/depend b/ext/openssl/depend
index 0d03c85b80..a9668f48c4 100644
--- a/ext/openssl/depend
+++ b/ext/openssl/depend
@@ -1,6 +1,162 @@
# AUTOGENERATED DEPENDENCIES START
openssl_missing.o: $(RUBY_EXTCONF_H)
openssl_missing.o: $(arch_hdrdir)/ruby/config.h
+openssl_missing.o: $(hdrdir)/ruby.h
+openssl_missing.o: $(hdrdir)/ruby/assert.h
+openssl_missing.o: $(hdrdir)/ruby/backward.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/assume.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/attributes.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/bool.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/inttypes.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/limits.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/long_long.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/stdalign.h
+openssl_missing.o: $(hdrdir)/ruby/backward/2/stdarg.h
+openssl_missing.o: $(hdrdir)/ruby/defines.h
+openssl_missing.o: $(hdrdir)/ruby/intern.h
+openssl_missing.o: $(hdrdir)/ruby/internal/abi.h
+openssl_missing.o: $(hdrdir)/ruby/internal/anyargs.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/char.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/double.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/fixnum.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/gid_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/int.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/intptr_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/long.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/long_long.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/mode_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/off_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/pid_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/short.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/size_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/st_data_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/arithmetic/uid_t.h
+openssl_missing.o: $(hdrdir)/ruby/internal/assume.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/alloc_size.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/artificial.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/cold.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/const.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/constexpr.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/deprecated.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/diagnose_if.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/enum_extensibility.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/error.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/flag_enum.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/forceinline.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/format.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/maybe_unused.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/noalias.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/nodiscard.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/noexcept.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/noinline.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/nonnull.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/pure.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/restrict.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/warning.h
+openssl_missing.o: $(hdrdir)/ruby/internal/attr/weakref.h
+openssl_missing.o: $(hdrdir)/ruby/internal/cast.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/apple.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/clang.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/gcc.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/intel.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/msvc.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_is/sunpro.h
+openssl_missing.o: $(hdrdir)/ruby/internal/compiler_since.h
+openssl_missing.o: $(hdrdir)/ruby/internal/config.h
+openssl_missing.o: $(hdrdir)/ruby/internal/constant_p.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rarray.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rbasic.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rbignum.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rclass.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rdata.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rfile.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rhash.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/robject.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rregexp.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rstring.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rstruct.h
+openssl_missing.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
+openssl_missing.o: $(hdrdir)/ruby/internal/ctype.h
+openssl_missing.o: $(hdrdir)/ruby/internal/dllexport.h
+openssl_missing.o: $(hdrdir)/ruby/internal/dosish.h
+openssl_missing.o: $(hdrdir)/ruby/internal/error.h
+openssl_missing.o: $(hdrdir)/ruby/internal/eval.h
+openssl_missing.o: $(hdrdir)/ruby/internal/event.h
+openssl_missing.o: $(hdrdir)/ruby/internal/fl_type.h
+openssl_missing.o: $(hdrdir)/ruby/internal/gc.h
+openssl_missing.o: $(hdrdir)/ruby/internal/glob.h
+openssl_missing.o: $(hdrdir)/ruby/internal/globals.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/attribute.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/builtin.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/c_attribute.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/cpp_attribute.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/declspec_attribute.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/extension.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/feature.h
+openssl_missing.o: $(hdrdir)/ruby/internal/has/warning.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/array.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/bignum.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/class.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/compar.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/complex.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/cont.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/dir.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/enum.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/enumerator.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/error.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/eval.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/file.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/hash.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/io.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/load.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/marshal.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/numeric.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/object.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/parse.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/proc.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/process.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/random.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/range.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/rational.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/re.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/ruby.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/select.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/select/largesize.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/signal.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/sprintf.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/string.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/struct.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/thread.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/time.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/variable.h
+openssl_missing.o: $(hdrdir)/ruby/internal/intern/vm.h
+openssl_missing.o: $(hdrdir)/ruby/internal/interpreter.h
+openssl_missing.o: $(hdrdir)/ruby/internal/iterator.h
+openssl_missing.o: $(hdrdir)/ruby/internal/memory.h
+openssl_missing.o: $(hdrdir)/ruby/internal/method.h
+openssl_missing.o: $(hdrdir)/ruby/internal/module.h
+openssl_missing.o: $(hdrdir)/ruby/internal/newobj.h
+openssl_missing.o: $(hdrdir)/ruby/internal/scan_args.h
+openssl_missing.o: $(hdrdir)/ruby/internal/special_consts.h
+openssl_missing.o: $(hdrdir)/ruby/internal/static_assert.h
+openssl_missing.o: $(hdrdir)/ruby/internal/stdalign.h
+openssl_missing.o: $(hdrdir)/ruby/internal/stdbool.h
+openssl_missing.o: $(hdrdir)/ruby/internal/symbol.h
+openssl_missing.o: $(hdrdir)/ruby/internal/value.h
+openssl_missing.o: $(hdrdir)/ruby/internal/value_type.h
+openssl_missing.o: $(hdrdir)/ruby/internal/variable.h
+openssl_missing.o: $(hdrdir)/ruby/internal/warning_push.h
+openssl_missing.o: $(hdrdir)/ruby/internal/xmalloc.h
+openssl_missing.o: $(hdrdir)/ruby/missing.h
+openssl_missing.o: $(hdrdir)/ruby/ruby.h
+openssl_missing.o: $(hdrdir)/ruby/st.h
+openssl_missing.o: $(hdrdir)/ruby/subst.h
openssl_missing.o: openssl_missing.c
openssl_missing.o: openssl_missing.h
ossl.o: $(RUBY_EXTCONF_H)
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 56f4a1c3ab..0de00b62a0 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -13,14 +13,7 @@
require "mkmf"
-ssl_dirs = nil
-if defined?(::TruffleRuby)
- # Always respect the openssl prefix chosen by truffle/openssl-prefix
- require 'truffle/openssl-prefix'
- ssl_dirs = dir_config("openssl", ENV["OPENSSL_PREFIX"])
-else
- ssl_dirs = dir_config("openssl")
-end
+ssl_dirs = dir_config("openssl")
dir_config_given = ssl_dirs.any?
_, ssl_ldir = ssl_dirs
@@ -193,6 +186,7 @@ have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
+have_func("ASN1_STRING_get0_data(NULL)", "openssl/asn1.h")
# added in 1.1.1
have_func("EVP_PKEY_check(NULL)", evp_h)
@@ -210,6 +204,9 @@ have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
have_func("EVP_PKEY_dup(NULL)", evp_h)
+# added in 4.0.0
+have_func("ASN1_BIT_STRING_set1(NULL, NULL, 0, 0)", "openssl/asn1.h")
+
Logging::message "=== Checking done. ===\n"
# Append flags from environment variables.
diff --git a/ext/openssl/lib/openssl/version.rb b/ext/openssl/lib/openssl/version.rb
index 63a404af9e..ca073a20ae 100644
--- a/ext/openssl/lib/openssl/version.rb
+++ b/ext/openssl/lib/openssl/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
module OpenSSL
- VERSION = "3.2.3"
+ VERSION = "3.2.4"
end
diff --git a/ext/openssl/openssl.gemspec b/ext/openssl/openssl.gemspec
index cf42192384..1311fedc42 100644
--- a/ext/openssl/openssl.gemspec
+++ b/ext/openssl/openssl.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |spec|
spec.name = "openssl"
- spec.version = "3.2.3"
+ spec.version = "3.2.4"
spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"]
spec.email = ["ruby-core@ruby-lang.org"]
spec.summary = %q{SSL/TLS and general-purpose cryptography for Ruby}
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 4415703db4..59dbec6fc3 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -8,6 +8,7 @@
* (See the file 'LICENCE'.)
*/
#include RUBY_EXTCONF_H
+#include <ruby.h>
#include <string.h> /* memcpy() */
#include <openssl/x509_vfy.h>
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 8629bfe505..9ddb5c8f04 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -210,6 +210,10 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
} while (0)
#endif
+#if !defined(HAVE_ASN1_STRING_GET0_DATA)
+# define ASN1_STRING_get0_data(x) ((x)->data)
+#endif
+
/* added in 3.0.0 */
#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
@@ -235,4 +239,27 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
# define EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)
#endif
+/* added in 4.0.0 */
+#ifndef HAVE_ASN1_BIT_STRING_SET1
+static inline int
+ASN1_BIT_STRING_set1(ASN1_BIT_STRING *bitstr, const uint8_t *data,
+ size_t length, int unused_bits)
+{
+ if (length > INT_MAX || !ASN1_STRING_set(bitstr, data, (int)length))
+ return 0;
+ bitstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
+ bitstr->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits;
+ return 1;
+}
+
+static inline int
+ASN1_BIT_STRING_get_length(const ASN1_BIT_STRING *bitstr, size_t *length,
+ int *unused_bits)
+{
+ *length = bitstr->length;
+ *unused_bits = bitstr->flags & 0x07;
+ return 1;
+}
+#endif
+
#endif /* _OSSL_OPENSSL_MISSING_H_ */
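Review bot: The fallback `ASN1_BIT_STRING_set1()` ORs `unused_bits` into `bitstr->flags` without a range check, so any caller that passes a value outside 0..7 would set unrelated flag bits. The caller in ossl_asn1.c appears to validate the range, but the shim would be safer with its own guard, e.g. `if (unused_bits < 0 || unused_bits > 7) return 0;`. The fallback `ASN1_BIT_STRING_get_length()` also reads `flags & 0x07` unconditionally, whereas the code it replaces in `decode_bstr()` reported 0 unless `ASN1_STRING_FLAG_BITS_LEFT` was set. Keeping that check would preserve the old behaviour: `*unused_bits = (bitstr->flags & ASN1_STRING_FLAG_BITS_LEFT) ? (bitstr->flags & 0x07) : 0;`. A negative `bitstr->length` would also become a huge `size_t`, so returning 0 in that case is worth considering.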
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 00eded55cb..ce74c0e0af 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -136,7 +136,7 @@ ossl_buf2str(char *buf, int len)
}
void
-ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
+ossl_bin2hex(const unsigned char *in, char *out, size_t inlen)
{
const char *hex = "0123456789abcdef";
size_t i;
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 68d42b71e2..4d364c1f30 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -64,6 +64,7 @@
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
# define OSSL_USE_PROVIDER
+# include <openssl/provider.h>
#endif
/*
@@ -119,7 +120,7 @@ do{\
* Convert binary string to hex string. The caller is responsible for
* ensuring out has (2 * len) bytes of capacity.
*/
-void ossl_bin2hex(unsigned char *in, char *out, size_t len);
+void ossl_bin2hex(const unsigned char *in, char *out, size_t len);
/*
* Our default PEM callback
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index f26a4759cf..3579321383 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -17,17 +17,18 @@ static VALUE ossl_asn1_initialize(int argc, VALUE *argv, VALUE self);
* DATE conversion
*/
VALUE
-asn1time_to_time(const ASN1_TIME *time)
+asn1time_to_time(const ASN1_TIME *time_)
{
+ ASN1_TIME *time = (ASN1_TIME *)time_; // const cast for OpenSSL 1.0.2
struct tm tm;
VALUE argv[6];
int count;
memset(&tm, 0, sizeof(struct tm));
- switch (time->type) {
+ switch (ASN1_STRING_type(time)) {
case V_ASN1_UTCTIME:
- count = sscanf((const char *)time->data, "%2d%2d%2d%2d%2d%2dZ",
+ count = sscanf((const char *)ASN1_STRING_get0_data(time), "%2d%2d%2d%2d%2d%2dZ",
&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min,
&tm.tm_sec);
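Review bot: The `sscanf()` calls and the `"%s"` arguments to `ossl_raise()` still treat the buffer from `ASN1_STRING_get0_data(time)` as a NUL-terminated C string, and `ASN1_STRING_length(time)` is never consulted. OpenSSL's documentation says the data cannot be assumed to be NUL-terminated or free of embedded NULs. Since these values come from parsed certificates and CRLs, it would be worth checking the length before parsing and bounding the error output. For example, `"bad UTCTIME format: \"%.*s\""` with `ASN1_STRING_length(time), ASN1_STRING_get0_data(time)` would work if `ossl_raise()`'s formatter accepts a precision argument. The same applies to the GENERALIZEDTIME branch and the two `ossl_raise()` hunks that follow; the function body continues outside this hunk.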
@@ -35,7 +36,7 @@ asn1time_to_time(const ASN1_TIME *time)
tm.tm_sec = 0;
} else if (count != 6) {
ossl_raise(rb_eTypeError, "bad UTCTIME format: \"%s\"",
- time->data);
+ ASN1_STRING_get0_data(time));
}
if (tm.tm_year < 69) {
tm.tm_year += 2000;
@@ -44,7 +45,7 @@ asn1time_to_time(const ASN1_TIME *time)
}
break;
case V_ASN1_GENERALIZEDTIME:
- count = sscanf((const char *)time->data, "%4d%2d%2d%2d%2d%2dZ",
+ count = sscanf((const char *)ASN1_STRING_get0_data(time), "%4d%2d%2d%2d%2d%2dZ",
&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min,
&tm.tm_sec);
if (count == 5) {
@@ -52,7 +53,7 @@ asn1time_to_time(const ASN1_TIME *time)
}
else if (count != 6) {
ossl_raise(rb_eTypeError, "bad GENERALIZEDTIME format: \"%s\"",
- time->data);
+ ASN1_STRING_get0_data(time));
}
break;
default:
@@ -97,7 +98,8 @@ ossl_time_split(VALUE time, time_t *sec, int *days)
VALUE
asn1str_to_str(const ASN1_STRING *str)
{
- return rb_str_new((const char *)str->data, str->length);
+ return rb_str_new((const char *)ASN1_STRING_get0_data(str),
+ ASN1_STRING_length(str));
}
/*
@@ -112,9 +114,9 @@ asn1integer_to_num(const ASN1_INTEGER *ai)
if (!ai) {
ossl_raise(rb_eTypeError, "ASN1_INTEGER is NULL!");
}
- if (ai->type == V_ASN1_ENUMERATED)
- /* const_cast: workaround for old OpenSSL */
- bn = ASN1_ENUMERATED_to_BN((ASN1_ENUMERATED *)ai, NULL);
+ if (ASN1_STRING_type((ASN1_STRING *)ai) == V_ASN1_ENUMERATED)
+ /* const_cast: workaround for old OpenSSL */
+ bn = ASN1_ENUMERATED_to_BN((ASN1_ENUMERATED *)ai, NULL);
else
bn = ASN1_INTEGER_to_BN(ai, NULL);
@@ -210,7 +212,7 @@ obj_to_asn1int(VALUE obj)
}
static ASN1_BIT_STRING*
-obj_to_asn1bstr(VALUE obj, long unused_bits)
+obj_to_asn1bstr(VALUE obj, int unused_bits)
{
ASN1_BIT_STRING *bstr;
@@ -218,11 +220,11 @@ obj_to_asn1bstr(VALUE obj, long unused_bits)
ossl_raise(eASN1Error, "unused_bits for a bitstring value must be in "\
"the range 0 to 7");
StringValue(obj);
- if(!(bstr = ASN1_BIT_STRING_new()))
- ossl_raise(eASN1Error, NULL);
- ASN1_BIT_STRING_set(bstr, (unsigned char *)RSTRING_PTR(obj), RSTRING_LENINT(obj));
- bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
- bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits;
+ if (!(bstr = ASN1_BIT_STRING_new()))
+ ossl_raise(eASN1Error, "ASN1_BIT_STRING_new");
+ if (!ASN1_BIT_STRING_set1(bstr, (uint8_t *)RSTRING_PTR(obj),
+ RSTRING_LEN(obj), unused_bits))
+ ossl_raise(eASN1Error, "ASN1_BIT_STRING_set1");
return bstr;
}
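Review bot: When `ASN1_BIT_STRING_set1()` fails, `ossl_raise()` unwinds without releasing `bstr`, so the freshly allocated ASN1_BIT_STRING is leaked on that path. `decode_bstr()` in this same commit frees its object before raising, and this function should do the same: `if (!ASN1_BIT_STRING_set1(...)) { ASN1_BIT_STRING_free(bstr); ossl_raise(eASN1Error, "ASN1_BIT_STRING_set1"); }`. The start of the function, including the `unused_bits` range check, lies in the previous hunk.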
@@ -346,22 +348,25 @@ decode_int(unsigned char* der, long length)
}
static VALUE
-decode_bstr(unsigned char* der, long length, long *unused_bits)
+decode_bstr(unsigned char* der, long length, int *unused_bits)
{
ASN1_BIT_STRING *bstr;
const unsigned char *p;
- long len;
+ size_t len;
VALUE ret;
+ int state;
p = der;
- if(!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length)))
- ossl_raise(eASN1Error, NULL);
- len = bstr->length;
- *unused_bits = 0;
- if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT)
- *unused_bits = bstr->flags & 0x07;
- ret = rb_str_new((const char *)bstr->data, len);
+ if (!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length)))
+ ossl_raise(eASN1Error, "d2i_ASN1_BIT_STRING");
+ if (!ASN1_BIT_STRING_get_length(bstr, &len, unused_bits)) {
+ ASN1_BIT_STRING_free(bstr);
+ ossl_raise(eASN1Error, "ASN1_BIT_STRING_get_length");
+ }
+ ret = ossl_str_new((const char *)ASN1_STRING_get0_data(bstr), len, &state);
ASN1_BIT_STRING_free(bstr);
+ if (state)
+ rb_jump_tag(state);
return ret;
}
@@ -746,7 +751,7 @@ int_ossl_asn1_decode0_prim(unsigned char **pp, long length, long hlen, int tag,
{
VALUE value, asn1data;
unsigned char *p;
- long flag = 0;
+ int flag = 0;
p = *pp;
@@ -793,18 +798,18 @@ int_ossl_asn1_decode0_prim(unsigned char **pp, long length, long hlen, int tag,
*num_read = hlen + length;
if (tc == sym_UNIVERSAL &&
- tag < ossl_asn1_info_size && ossl_asn1_info[tag].klass) {
- VALUE klass = *ossl_asn1_info[tag].klass;
- VALUE args[4];
- args[0] = value;
- args[1] = INT2NUM(tag);
- args[2] = Qnil;
- args[3] = tc;
- asn1data = rb_obj_alloc(klass);
- ossl_asn1_initialize(4, args, asn1data);
- if(tag == V_ASN1_BIT_STRING){
- rb_ivar_set(asn1data, sivUNUSED_BITS, LONG2NUM(flag));
- }
+ tag < ossl_asn1_info_size && ossl_asn1_info[tag].klass) {
+ VALUE klass = *ossl_asn1_info[tag].klass;
+ VALUE args[4];
+ args[0] = value;
+ args[1] = INT2NUM(tag);
+ args[2] = Qnil;
+ args[3] = tc;
+ asn1data = rb_obj_alloc(klass);
+ ossl_asn1_initialize(4, args, asn1data);
+ if(tag == V_ASN1_BIT_STRING){
+ rb_ivar_set(asn1data, sivUNUSED_BITS, INT2NUM(flag));
+ }
}
else {
asn1data = rb_obj_alloc(cASN1Data);
diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c
index 9bed1f330e..ac9937eaa8 100644
--- a/ext/openssl/ossl_ns_spki.c
+++ b/ext/openssl/ossl_ns_spki.c
@@ -230,13 +230,12 @@ ossl_spki_get_challenge(VALUE self)
NETSCAPE_SPKI *spki;
GetSPKI(self, spki);
- if (spki->spkac->challenge->length <= 0) {
- OSSL_Debug("Challenge.length <= 0?");
- return rb_str_new(0, 0);
+ if (ASN1_STRING_length(spki->spkac->challenge) <= 0) {
+ OSSL_Debug("Challenge.length <= 0?");
+ return rb_str_new(0, 0);
}
- return rb_str_new((const char *)spki->spkac->challenge->data,
- spki->spkac->challenge->length);
+ return asn1str_to_str(spki->spkac->challenge);
}
/*
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index df986bb3ee..b4b326fbd1 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -900,7 +900,6 @@ ossl_ocspbres_get_status(VALUE self)
OCSP_CERTID *cid;
ASN1_TIME *revtime, *thisupd, *nextupd;
int status, reason;
- X509_EXTENSION *x509ext;
VALUE ret, ary, ext;
int count, ext_count, i, j;
@@ -927,7 +926,7 @@ ossl_ocspbres_get_status(VALUE self)
ext = rb_ary_new();
ext_count = OCSP_SINGLERESP_get_ext_count(single);
for(j = 0; j < ext_count; j++){
- x509ext = OCSP_SINGLERESP_get_ext(single, j);
+ const X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
rb_ary_push(ext, ossl_x509ext_new(x509ext));
}
rb_ary_push(ary, ext);
@@ -1358,7 +1357,6 @@ static VALUE
ossl_ocspsres_get_extensions(VALUE self)
{
OCSP_SINGLERESP *sres;
- X509_EXTENSION *ext;
int count, i;
VALUE ary;
@@ -1367,7 +1365,7 @@ ossl_ocspsres_get_extensions(VALUE self)
count = OCSP_SINGLERESP_get_ext_count(sres);
ary = rb_ary_new2(count);
for (i = 0; i < count; i++) {
- ext = OCSP_SINGLERESP_get_ext(sres, i);
+ const X509_EXTENSION *ext = OCSP_SINGLERESP_get_ext(sres, i);
rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
}
@@ -1565,8 +1563,9 @@ ossl_ocspcid_get_issuer_name_hash(VALUE self)
GetOCSPCertId(self, id);
OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
- ret = rb_str_new(NULL, name_hash->length * 2);
- ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
+ ret = rb_str_new(NULL, ASN1_STRING_length(name_hash) * 2);
+ ossl_bin2hex(ASN1_STRING_get0_data(name_hash), RSTRING_PTR(ret),
+ ASN1_STRING_length(name_hash));
return ret;
}
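Review bot: The length of `name_hash` is fetched twice, and the product `ASN1_STRING_length(name_hash) * 2` is computed in `int` before being widened for `rb_str_new()`. Reading it once into a local (`long len = ASN1_STRING_length(name_hash);`) and using `len * 2` and `len` for both the allocation and the `ossl_bin2hex()` call makes it obvious that the buffer size and the number of bytes written come from the same value. That matters because `ossl_bin2hex()` relies on the caller for capacity. The same pattern appears in `ossl_ocspcid_get_issuer_key_hash()` in the next hunk.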
@@ -1588,8 +1587,9 @@ ossl_ocspcid_get_issuer_key_hash(VALUE self)
GetOCSPCertId(self, id);
OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
- ret = rb_str_new(NULL, key_hash->length * 2);
- ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
+ ret = rb_str_new(NULL, ASN1_STRING_length(key_hash) * 2);
+ ossl_bin2hex(ASN1_STRING_get0_data(key_hash), RSTRING_PTR(ret),
+ ASN1_STRING_length(key_hash));
return ret;
}
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 7e5fb9c1b2..41ace21d27 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -932,7 +932,7 @@ static VALUE
ossl_pkcs7si_get_signed_time(VALUE self)
{
PKCS7_SIGNER_INFO *p7si;
- ASN1_TYPE *asn1obj;
+ const ASN1_TYPE *asn1obj;
GetPKCS7si(self, p7si);
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 9e0835d38c..c579135bde 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -636,6 +636,30 @@ ossl_pkey_initialize_copy(VALUE self, VALUE other)
#endif
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+
+#ifndef OSSL_USE_PROVIDER
+static int
+lookup_pkey_type(VALUE type)
+{
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ int pkey_id;
+
+ StringValue(type);
+ /*
+ * XXX: EVP_PKEY_asn1_find_str() looks up a PEM type string. Should we use
+ * OBJ_txt2nid() instead (and then somehow check if the NID is an acceptable
+ * EVP_PKEY type)?
+ * It is probably fine, though, since it can handle all algorithms that
+ * support raw keys in 1.1.1: { X25519, X448, ED25519, ED448, HMAC }.
+ */
+ ameth = EVP_PKEY_asn1_find_str(NULL, RSTRING_PTR(type), RSTRING_LENINT(type));
+ if (!ameth)
+ ossl_raise(ePKeyError, "algorithm %"PRIsVALUE" not found", type);
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+ return pkey_id;
+}
+#endif
+
/*
* call-seq:
* OpenSSL::PKey.new_raw_private_key(algo, string) -> PKey
@@ -647,22 +671,23 @@ static VALUE
ossl_pkey_new_raw_private_key(VALUE self, VALUE type, VALUE key)
{
EVP_PKEY *pkey;
- const EVP_PKEY_ASN1_METHOD *ameth;
- int pkey_id;
size_t keylen;
- StringValue(type);
StringValue(key);
- ameth = EVP_PKEY_asn1_find_str(NULL, RSTRING_PTR(type), RSTRING_LENINT(type));
- if (!ameth)
- ossl_raise(ePKeyError, "algorithm %"PRIsVALUE" not found", type);
- EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-
keylen = RSTRING_LEN(key);
+#ifdef OSSL_USE_PROVIDER
+ pkey = EVP_PKEY_new_raw_private_key_ex(NULL, StringValueCStr(type), NULL,
+ (unsigned char *)RSTRING_PTR(key),
+ keylen);
+ if (!pkey)
+ ossl_raise(ePKeyError, "EVP_PKEY_new_raw_private_key_ex");
+#else
+ int pkey_id = lookup_pkey_type(type);
pkey = EVP_PKEY_new_raw_private_key(pkey_id, NULL, (unsigned char *)RSTRING_PTR(key), keylen);
if (!pkey)
ossl_raise(ePKeyError, "EVP_PKEY_new_raw_private_key");
+#endif
return ossl_pkey_new(pkey);
}
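Review bot: `type` is now converted after `StringValue(key)` and `keylen = RSTRING_LEN(key)`, which reverses the old order. `StringValueCStr(type)` in the provider branch and `lookup_pkey_type(type)` in the legacy branch can both invoke a user-defined `to_str` on a non-String `type`. That Ruby code can modify or shrink `key` after its length was captured, and in the provider call the evaluation order of `StringValueCStr(type)` versus `RSTRING_PTR(key)` is unspecified, so the key pointer and length passed to OpenSSL can go stale. Converting both arguments up front with `StringValue(type); StringValue(key);`, resolving the algorithm into a local next, and only then reading `RSTRING_PTR(key)` and `RSTRING_LEN(key)` avoids this. `ossl_pkey_new_raw_public_key()` in the next hunk has the same ordering.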
@@ -680,22 +705,23 @@ static VALUE
ossl_pkey_new_raw_public_key(VALUE self, VALUE type, VALUE key)
{
EVP_PKEY *pkey;
- const EVP_PKEY_ASN1_METHOD *ameth;
- int pkey_id;
size_t keylen;
- StringValue(type);
StringValue(key);
- ameth = EVP_PKEY_asn1_find_str(NULL, RSTRING_PTR(type), RSTRING_LENINT(type));
- if (!ameth)
- ossl_raise(ePKeyError, "algorithm %"PRIsVALUE" not found", type);
- EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-
keylen = RSTRING_LEN(key);
+#ifdef OSSL_USE_PROVIDER
+ pkey = EVP_PKEY_new_raw_public_key_ex(NULL, StringValueCStr(type), NULL,
+ (unsigned char *)RSTRING_PTR(key),
+ keylen);
+ if (!pkey)
+ ossl_raise(ePKeyError, "EVP_PKEY_new_raw_public_key_ex");
+#else
+ int pkey_id = lookup_pkey_type(type);
pkey = EVP_PKEY_new_raw_public_key(pkey_id, NULL, (unsigned char *)RSTRING_PTR(key), keylen);
if (!pkey)
ossl_raise(ePKeyError, "EVP_PKEY_new_raw_public_key");
+#endif
return ossl_pkey_new(pkey);
}
@@ -715,6 +741,10 @@ ossl_pkey_oid(VALUE self)
GetPKey(self, pkey);
nid = EVP_PKEY_id(pkey);
+#ifdef OSSL_USE_PROVIDER
+ if (nid == EVP_PKEY_KEYMGMT)
+ ossl_raise(ePKeyError, "EVP_PKEY_id");
+#endif
return rb_str_new_cstr(OBJ_nid2sn(nid));
}
@@ -728,13 +758,23 @@ static VALUE
ossl_pkey_inspect(VALUE self)
{
EVP_PKEY *pkey;
- int nid;
GetPKey(self, pkey);
- nid = EVP_PKEY_id(pkey);
- return rb_sprintf("#<%"PRIsVALUE":%p oid=%s>",
- rb_class_name(CLASS_OF(self)), (void *)self,
- OBJ_nid2sn(nid));
+ VALUE str = rb_sprintf("#<%"PRIsVALUE":%p",
+ rb_obj_class(self), (void *)self);
+ int nid = EVP_PKEY_id(pkey);
+#ifdef OSSL_USE_PROVIDER
+ if (nid != EVP_PKEY_KEYMGMT)
+#endif
+ rb_str_catf(str, " oid=%s", OBJ_nid2sn(nid));
+#ifdef OSSL_USE_PROVIDER
+ rb_str_catf(str, " type_name=%s", EVP_PKEY_get0_type_name(pkey));
+ const OSSL_PROVIDER *prov = EVP_PKEY_get0_provider(pkey);
+ if (prov)
+ rb_str_catf(str, " provider=%s", OSSL_PROVIDER_get0_name(prov));
+#endif
+ rb_str_catf(str, ">");
+ return str;
}
/*
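Review bot: The unbraced `if (nid != EVP_PKEY_KEYMGMT)` sits inside `#ifdef OSSL_USE_PROVIDER` while the statement it guards sits outside, so whether `rb_str_catf(str, " oid=%s", ...)` is conditional depends on the preprocessor. A later edit that inserts a line between the two would silently change which statement is guarded. A small flag reads more safely: `int show_oid = 1;`, set to `nid != EVP_PKEY_KEYMGMT` under the `#ifdef`, followed by `if (show_oid) { rb_str_catf(str, " oid=%s", OBJ_nid2sn(nid)); }`. It would also help to add a one-line comment saying that provider-only keys have no NID, which is why `type_name` and `provider` are printed instead.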
diff --git a/ext/openssl/ossl_provider.c b/ext/openssl/ossl_provider.c
index 981c6ccdc7..6ec8187990 100644
--- a/ext/openssl/ossl_provider.c
+++ b/ext/openssl/ossl_provider.c
@@ -5,8 +5,6 @@
#include "ossl.h"
#ifdef OSSL_USE_PROVIDER
-# include <openssl/provider.h>
-
#define NewProvider(klass) \
TypedData_Wrap_Struct((klass), &ossl_provider_type, 0)
#define SetProvider(obj, provider) do { \
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
index f698bdc7ff..7d01b0b8ba 100644
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@@ -288,7 +288,7 @@ ossl_ts_req_get_msg_imprint(VALUE self)
mi = TS_REQ_get_msg_imprint(req);
hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
- ret = rb_str_new((const char *)hashed_msg->data, hashed_msg->length);
+ ret = asn1str_to_str(hashed_msg);
return ret;
}
@@ -497,7 +497,7 @@ ossl_ts_req_to_der(VALUE self)
ossl_raise(eTimestampError, "Message imprint missing algorithm");
hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
- if (!hashed_msg->length)
+ if (!ASN1_STRING_length(hashed_msg))
ossl_raise(eTimestampError, "Message imprint missing hashed message");
return asn1_to_der((void *)req, (int (*)(void *, unsigned char **))i2d_TS_REQ);
@@ -730,7 +730,7 @@ ossl_ts_resp_get_tsa_certificate(VALUE self)
TS_RESP *resp;
PKCS7 *p7;
PKCS7_SIGNER_INFO *ts_info;
- X509 *cert;
+ const X509 *cert;
GetTSResponse(self, resp);
if (!(p7 = TS_RESP_get_token(resp)))
@@ -974,7 +974,7 @@ ossl_ts_token_info_get_msg_imprint(VALUE self)
GetTSTokenInfo(self, info);
mi = TS_TST_INFO_get_msg_imprint(info);
hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
- ret = rb_str_new((const char *)hashed_msg->data, hashed_msg->length);
+ ret = asn1str_to_str(hashed_msg);
return ret;
}
diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h
index 4fadfa6b82..7448ca2e7d 100644
--- a/ext/openssl/ossl_x509.h
+++ b/ext/openssl/ossl_x509.h
@@ -30,7 +30,7 @@ void Init_ossl_x509(void);
extern VALUE cX509Attr;
extern VALUE eX509AttrError;
-VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
+VALUE ossl_x509attr_new(const X509_ATTRIBUTE *);
X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
void Init_ossl_x509attr(void);
@@ -40,7 +40,7 @@ void Init_ossl_x509attr(void);
extern VALUE cX509Cert;
extern VALUE eX509CertError;
-VALUE ossl_x509_new(X509 *);
+VALUE ossl_x509_new(const X509 *);
X509 *GetX509CertPtr(VALUE);
X509 *DupX509CertPtr(VALUE);
void Init_ossl_x509cert(void);
@@ -51,7 +51,7 @@ void Init_ossl_x509cert(void);
extern VALUE cX509CRL;
extern VALUE eX509CRLError;
-VALUE ossl_x509crl_new(X509_CRL *);
+VALUE ossl_x509crl_new(const X509_CRL *);
X509_CRL *GetX509CRLPtr(VALUE);
void Init_ossl_x509crl(void);
@@ -62,7 +62,7 @@ extern VALUE cX509Ext;
extern VALUE cX509ExtFactory;
extern VALUE eX509ExtError;
-VALUE ossl_x509ext_new(X509_EXTENSION *);
+VALUE ossl_x509ext_new(const X509_EXTENSION *);
X509_EXTENSION *GetX509ExtPtr(VALUE);
void Init_ossl_x509ext(void);
@@ -72,7 +72,7 @@ void Init_ossl_x509ext(void);
extern VALUE cX509Name;
extern VALUE eX509NameError;
-VALUE ossl_x509name_new(X509_NAME *);
+VALUE ossl_x509name_new(const X509_NAME *);
X509_NAME *GetX509NamePtr(VALUE);
void Init_ossl_x509name(void);
@@ -91,7 +91,7 @@ void Init_ossl_x509req(void);
extern VALUE cX509Rev;
extern VALUE eX509RevError;
-VALUE ossl_x509revoked_new(X509_REVOKED *);
+VALUE ossl_x509revoked_new(const X509_REVOKED *);
X509_REVOKED *DupX509RevokedPtr(VALUE);
void Init_ossl_x509revoked(void);
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index d1d8bb5e95..0057148436 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509attr_type = {
* Public
*/
VALUE
-ossl_x509attr_new(X509_ATTRIBUTE *attr)
+ossl_x509attr_new(const X509_ATTRIBUTE *attr)
{
X509_ATTRIBUTE *new;
VALUE obj;
@@ -57,7 +57,8 @@ ossl_x509attr_new(X509_ATTRIBUTE *attr)
if (!attr) {
new = X509_ATTRIBUTE_new();
} else {
- new = X509_ATTRIBUTE_dup(attr);
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ new = X509_ATTRIBUTE_dup((X509_ATTRIBUTE *)attr);
}
if (!new) {
ossl_raise(eX509AttrError, NULL);
@@ -174,7 +175,7 @@ static VALUE
ossl_x509attr_get_oid(VALUE self)
{
X509_ATTRIBUTE *attr;
- ASN1_OBJECT *oid;
+ const ASN1_OBJECT *oid;
BIO *out;
VALUE ret;
int nid;
@@ -186,7 +187,7 @@ ossl_x509attr_get_oid(VALUE self)
else{
if (!(out = BIO_new(BIO_s_mem())))
ossl_raise(eX509AttrError, NULL);
- i2a_ASN1_OBJECT(out, oid);
+ i2a_ASN1_OBJECT(out, (ASN1_OBJECT *)oid);
ret = ossl_membio2str(out);
}
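Review bot: The result of `i2a_ASN1_OBJECT` is still ignored in this `else` branch, so if the write fails the method presumably returns whatever partial text `ossl_membio2str` finds in the BIO as the attribute's OID. A caller comparing OID strings would then see an empty or truncated value instead of an exception. I would check it, e.g. `if (i2a_ASN1_OBJECT(out, (ASN1_OBJECT *)oid) <= 0) { BIO_free(out); ossl_raise(eX509AttrError, "i2a_ASN1_OBJECT"); }`, and add a short comment saying which library version needs the non-const cast, as the `*_dup` call sites in this commit do. The same applies to the matching hunk in `ossl_x509ext_get_oid`; both functions start and end outside their hunks.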
@@ -214,7 +215,7 @@ ossl_x509attr_set_value(VALUE self, VALUE value)
GetX509Attr(self, attr);
if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
- ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+ const ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
if (!new_attr)
ossl_raise(eX509AttrError, NULL);
@@ -256,7 +257,7 @@ ossl_x509attr_get_value(VALUE self)
count = X509_ATTRIBUTE_count(attr);
for (i = 0; i < count; i++)
- sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+ sk_ASN1_TYPE_push(sk, (ASN1_TYPE *)X509_ATTRIBUTE_get0_type(attr, i));
if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
sk_ASN1_TYPE_free(sk);
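Review bot: `sk_ASN1_TYPE_push` can fail on allocation and its result is not checked in the loop, so a failed push silently drops that value and the DER produced by `i2d_ASN1_SET_ANY` describes a shorter set than the attribute really holds. I would raise instead: `if (!sk_ASN1_TYPE_push(sk, (ASN1_TYPE *)X509_ATTRIBUTE_get0_type(attr, i))) { sk_ASN1_TYPE_free(sk); ossl_raise(eX509AttrError, "sk_ASN1_TYPE_push"); }`. The new cast is safe only because the stack is released with `sk_ASN1_TYPE_free` rather than a pop-free, which is worth a one-line comment such as `/* borrowed from attr; the stack must not free its elements */`. The function starts and ends outside the hunk.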
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index aa6b9bb7ce..2727278ed0 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509_type = {
* Public
*/
VALUE
-ossl_x509_new(X509 *x509)
+ossl_x509_new(const X509 *x509)
{
X509 *new;
VALUE obj;
@@ -57,7 +57,8 @@ ossl_x509_new(X509 *x509)
if (!x509) {
new = X509_new();
} else {
- new = X509_dup(x509);
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ new = X509_dup((X509 *)x509);
}
if (!new) {
ossl_raise(eX509CertError, NULL);
@@ -351,7 +352,7 @@ static VALUE
ossl_x509_get_subject(VALUE self)
{
X509 *x509;
- X509_NAME *name;
+ const X509_NAME *name;
GetX509(self, x509);
if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
@@ -386,7 +387,7 @@ static VALUE
ossl_x509_get_issuer(VALUE self)
{
X509 *x509;
- X509_NAME *name;
+ const X509_NAME *name;
GetX509(self, x509);
if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
@@ -608,7 +609,6 @@ ossl_x509_get_extensions(VALUE self)
{
X509 *x509;
int count, i;
- X509_EXTENSION *ext;
VALUE ary;
GetX509(self, x509);
@@ -618,7 +618,7 @@ ossl_x509_get_extensions(VALUE self)
}
ary = rb_ary_new2(count);
for (i=0; i<count; i++) {
- ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
+ const X509_EXTENSION *ext = X509_get_ext(x509, i);
rb_ary_push(ary, ossl_x509ext_new(ext));
}
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index 80e29f9df2..5244a666d0 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -58,13 +58,14 @@ GetX509CRLPtr(VALUE obj)
}
VALUE
-ossl_x509crl_new(X509_CRL *crl)
+ossl_x509crl_new(const X509_CRL *crl)
{
X509_CRL *tmp;
VALUE obj;
obj = NewX509CRL(cX509CRL);
- tmp = crl ? X509_CRL_dup(crl) : X509_CRL_new();
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ tmp = crl ? X509_CRL_dup((X509_CRL *)crl) : X509_CRL_new();
if(!tmp) ossl_raise(eX509CRLError, NULL);
SetX509CRL(obj, tmp);
@@ -274,7 +275,7 @@ ossl_x509crl_get_revoked(VALUE self)
{
X509_CRL *crl;
int i, num;
- X509_REVOKED *rev;
+ const X509_REVOKED *rev;
VALUE ary, revoked;
GetX509CRL(self, crl);
@@ -440,7 +441,6 @@ ossl_x509crl_get_extensions(VALUE self)
{
X509_CRL *crl;
int count, i;
- X509_EXTENSION *ext;
VALUE ary;
GetX509CRL(self, crl);
@@ -451,7 +451,7 @@ ossl_x509crl_get_extensions(VALUE self)
}
ary = rb_ary_new2(count);
for (i=0; i<count; i++) {
- ext = X509_CRL_get_ext(crl, i); /* NO DUP - don't free! */
+ const X509_EXTENSION *ext = X509_CRL_get_ext(crl, i);
rb_ary_push(ary, ossl_x509ext_new(ext));
}
diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
index 192d09bd3f..b63b0c73d3 100644
--- a/ext/openssl/ossl_x509ext.c
+++ b/ext/openssl/ossl_x509ext.c
@@ -62,7 +62,7 @@ static const rb_data_type_t ossl_x509ext_type = {
* Public
*/
VALUE
-ossl_x509ext_new(X509_EXTENSION *ext)
+ossl_x509ext_new(const X509_EXTENSION *ext)
{
X509_EXTENSION *new;
VALUE obj;
@@ -71,7 +71,8 @@ ossl_x509ext_new(X509_EXTENSION *ext)
if (!ext) {
new = X509_EXTENSION_new();
} else {
- new = X509_EXTENSION_dup(ext);
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ new = X509_EXTENSION_dup((X509_EXTENSION *)ext);
}
if (!new) {
ossl_raise(eX509ExtError, NULL);
@@ -346,12 +347,20 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
GetX509Ext(self, ext);
data = ossl_to_der_if_possible(data);
StringValue(data);
- asn1s = X509_EXTENSION_get_data(ext);
+ asn1s = ASN1_OCTET_STRING_new();
+ if (!asn1s)
+ ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_new");
if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
- RSTRING_LENINT(data))) {
- ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
+ RSTRING_LENINT(data))) {
+ ASN1_OCTET_STRING_free(asn1s);
+ ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
}
+ if (!X509_EXTENSION_set_data(ext, asn1s)) {
+ ASN1_OCTET_STRING_free(asn1s);
+ ossl_raise(eX509ExtError, "X509_EXTENSION_set_data");
+ }
+ ASN1_OCTET_STRING_free(asn1s);
return data;
}
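Review bot: `RSTRING_LENINT(data)` is evaluated after `asn1s` has been allocated, and it raises when the string length does not fit in an `int`, so that path unwinds past all three `ASN1_OCTET_STRING_free` calls and leaks the new octet string. Converting the length before the allocation avoids this: `len = RSTRING_LENINT(data);` placed ahead of `asn1s = ASN1_OCTET_STRING_new();`, with `len` then passed to `ASN1_OCTET_STRING_set`. The declarations for this function are outside the hunk, so `int len;` would have to be added there. A short comment that `X509_EXTENSION_set_data` stores its own copy would also explain why `asn1s` is freed on the success path.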
@@ -371,7 +380,7 @@ static VALUE
ossl_x509ext_get_oid(VALUE obj)
{
X509_EXTENSION *ext;
- ASN1_OBJECT *extobj;
+ const ASN1_OBJECT *extobj;
BIO *out;
VALUE ret;
int nid;
@@ -383,7 +392,7 @@ ossl_x509ext_get_oid(VALUE obj)
else{
if (!(out = BIO_new(BIO_s_mem())))
ossl_raise(eX509ExtError, NULL);
- i2a_ASN1_OBJECT(out, extobj);
+ i2a_ASN1_OBJECT(out, (ASN1_OBJECT *)extobj);
ret = ossl_membio2str(out);
}
@@ -411,13 +420,13 @@ static VALUE
ossl_x509ext_get_value_der(VALUE obj)
{
X509_EXTENSION *ext;
- ASN1_OCTET_STRING *value;
+ const ASN1_OCTET_STRING *value;
GetX509Ext(obj, ext);
if ((value = X509_EXTENSION_get_data(ext)) == NULL)
ossl_raise(eX509ExtError, NULL);
- return rb_str_new((const char *)value->data, value->length);
+ return asn1str_to_str(value);
}
static VALUE
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 9591912f70..90ec2d96a2 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -53,7 +53,7 @@ static const rb_data_type_t ossl_x509name_type = {
* Public
*/
VALUE
-ossl_x509name_new(X509_NAME *name)
+ossl_x509name_new(const X509_NAME *name)
{
X509_NAME *new;
VALUE obj;
@@ -62,7 +62,8 @@ ossl_x509name_new(X509_NAME *name)
if (!name) {
new = X509_NAME_new();
} else {
- new = X509_NAME_dup(name);
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ new = X509_NAME_dup((X509_NAME *)name);
}
if (!new) {
ossl_raise(eX509NameError, NULL);
@@ -360,7 +361,7 @@ ossl_x509name_to_a(VALUE self)
}
ret = rb_ary_new2(entries);
for (i=0; i<entries; i++) {
- if (!(entry = X509_NAME_get_entry(name, i))) {
+ if (!(entry = (X509_NAME_ENTRY *)X509_NAME_get_entry(name, i))) {
ossl_raise(eX509NameError, NULL);
}
if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name),
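Review bot: Here and in the next hunk of `ossl_x509name_to_a` the const is cast away from the results of `X509_NAME_get_entry` and `X509_NAME_ENTRY_get_data`, whereas the rest of this commit makes the receiving local `const` instead. Both pointers appear to be only read in the visible lines (`asn1str_to_str` is given a const pointer in `ossl_x509ext_get_value_der`), so declaring them as `const X509_NAME_ENTRY *entry;` and `const ASN1_STRING *value;` would probably let both casts go and keep the compiler checking that the borrowed entry is not modified. The declarations are outside these hunks, so whether another use in the function needs the non-const type should be confirmed. If the casts have to stay, each should carry a comment naming the library version that requires it, like the `*_dup` call sites.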
@@ -374,8 +375,9 @@ ossl_x509name_to_a(VALUE self)
short_name = OBJ_nid2sn(nid);
vname = rb_str_new2(short_name); /*do not free*/
}
- value = X509_NAME_ENTRY_get_data(entry);
- ary = rb_ary_new3(3, vname, asn1str_to_str(value), INT2NUM(value->type));
+ value = (ASN1_STRING *)X509_NAME_ENTRY_get_data(entry);
+ ary = rb_ary_new3(3, vname, asn1str_to_str(value),
+ INT2NUM(ASN1_STRING_type(value)));
rb_ary_push(ret, ary);
}
return ret;
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
index f058185151..ef8e0bccfa 100644
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@@ -230,7 +230,7 @@ static VALUE
ossl_x509req_get_subject(VALUE self)
{
X509_REQ *req;
- X509_NAME *name;
+ const X509_NAME *name;
GetX509Req(self, req);
if (!(name = X509_REQ_get_subject_name(req))) { /* NO DUP - don't free */
@@ -348,7 +348,7 @@ ossl_x509req_get_attributes(VALUE self)
{
X509_REQ *req;
int count, i;
- X509_ATTRIBUTE *attr;
+ const X509_ATTRIBUTE *attr;
VALUE ary;
GetX509Req(self, req);
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index 108447c868..b4916d34b3 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509rev_type = {
* PUBLIC
*/
VALUE
-ossl_x509revoked_new(X509_REVOKED *rev)
+ossl_x509revoked_new(const X509_REVOKED *rev)
{
X509_REVOKED *new;
VALUE obj;
@@ -57,7 +57,8 @@ ossl_x509revoked_new(X509_REVOKED *rev)
if (!rev) {
new = X509_REVOKED_new();
} else {
- new = X509_REVOKED_dup(rev);
+ /* OpenSSL 1.1.1 takes a non-const pointer */
+ new = X509_REVOKED_dup((X509_REVOKED *)rev);
}
if (!new) {
ossl_raise(eX509RevError, NULL);
@@ -189,7 +190,7 @@ ossl_x509revoked_get_extensions(VALUE self)
{
X509_REVOKED *rev;
int count, i;
- X509_EXTENSION *ext;
+ const X509_EXTENSION *ext;
VALUE ary;
GetX509Rev(self, rev);
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index f27381ca90..110b5934d7 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -521,10 +521,8 @@ static void
ossl_x509stctx_free(void *ptr)
{
X509_STORE_CTX *ctx = ptr;
- if (X509_STORE_CTX_get0_untrusted(ctx))
- sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
- if (X509_STORE_CTX_get0_cert(ctx))
- X509_free(X509_STORE_CTX_get0_cert(ctx));
+ sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
+ X509_free((X509 *)X509_STORE_CTX_get0_cert(ctx));
X509_STORE_CTX_free(ctx);
}
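Review bot: `ossl_x509stctx_free` frees the results of two `get0` accessors, which by OpenSSL convention return borrowed pointers, and the new `(X509 *)` cast also removes the const that would flag this. That is correct only if every path that stores a certificate or untrusted chain in the context gives it a private copy or an extra reference; a path that stored a borrowed pointer would turn this into a double free. I would state that invariant in a comment above the two calls, for example `/* ctx holds its own copies of the untrusted chain and the cert (set by this extension), so they are released here */`, with the wording confirmed against the code that populates the context, which is not in this hunk. Dropping the NULL guards is fine, since both free functions accept NULL.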
@@ -765,7 +763,7 @@ static VALUE
ossl_x509stctx_get_curr_crl(VALUE self)
{
X509_STORE_CTX *ctx;
- X509_CRL *crl;
+ const X509_CRL *crl;
GetX509StCtx(self, ctx);
crl = X509_STORE_CTX_get0_current_crl(ctx);