Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/History.md302
-rw-r--r--ext/openssl/depend740
-rw-r--r--ext/openssl/extconf.rb190
-rw-r--r--ext/openssl/lib/openssl/buffering.rb20
-rw-r--r--ext/openssl/lib/openssl/digest.rb6
-rw-r--r--ext/openssl/lib/openssl/pkey.rb408
-rw-r--r--ext/openssl/lib/openssl/ssl.rb103
-rw-r--r--ext/openssl/lib/openssl/version.rb2
-rw-r--r--ext/openssl/lib/openssl/x509.rb22
-rw-r--r--ext/openssl/openssl.gemspec25
-rw-r--r--ext/openssl/openssl_missing.c40
-rw-r--r--ext/openssl/openssl_missing.h65
-rw-r--r--ext/openssl/ossl.c347
-rw-r--r--ext/openssl/ossl.h42
-rw-r--r--ext/openssl/ossl_asn1.c39
-rw-r--r--ext/openssl/ossl_bn.c348
-rw-r--r--ext/openssl/ossl_cipher.c17
-rw-r--r--ext/openssl/ossl_config.c4
-rw-r--r--ext/openssl/ossl_digest.c49
-rw-r--r--ext/openssl/ossl_engine.c5
-rw-r--r--ext/openssl/ossl_hmac.c18
-rw-r--r--ext/openssl/ossl_kdf.c24
-rw-r--r--ext/openssl/ossl_ns_spki.c6
-rw-r--r--ext/openssl/ossl_ocsp.c68
-rw-r--r--ext/openssl/ossl_pkcs12.c26
-rw-r--r--ext/openssl/ossl_pkcs7.c26
-rw-r--r--ext/openssl/ossl_pkey.c986
-rw-r--r--ext/openssl/ossl_pkey.h91
-rw-r--r--ext/openssl/ossl_pkey_dh.c424
-rw-r--r--ext/openssl/ossl_pkey_dsa.c475
-rw-r--r--ext/openssl/ossl_pkey_ec.c361
-rw-r--r--ext/openssl/ossl_pkey_rsa.c545
-rw-r--r--ext/openssl/ossl_provider.c211
-rw-r--r--ext/openssl/ossl_provider.h5
-rw-r--r--ext/openssl/ossl_ssl.c938
-rw-r--r--ext/openssl/ossl_ssl_session.c59
-rw-r--r--ext/openssl/ossl_ts.c59
-rw-r--r--ext/openssl/ossl_x509.c6
-rw-r--r--ext/openssl/ossl_x509attr.c2
-rw-r--r--ext/openssl/ossl_x509cert.c178
-rw-r--r--ext/openssl/ossl_x509crl.c25
-rw-r--r--ext/openssl/ossl_x509ext.c20
-rw-r--r--ext/openssl/ossl_x509name.c13
-rw-r--r--ext/openssl/ossl_x509req.c25
-rw-r--r--ext/openssl/ossl_x509revoked.c8
-rw-r--r--ext/openssl/ossl_x509store.c66
-rw-r--r--ext/openssl/ruby_missing.h24
47 files changed, 4741 insertions, 2722 deletions
diff --git a/ext/openssl/History.md b/ext/openssl/History.md
index a4a82a146c..3249f6617a 100644
--- a/ext/openssl/History.md
+++ b/ext/openssl/History.md
@@ -1,3 +1,257 @@
+Version 3.2.0
+=============
+
+Compatibility
+-------------
+
+* Ruby >= 2.7
+ - Support for Ruby 2.6 has been removed. Note that Ruby 2.6 reached the
+ end-of-life in 2022-04.
+ [[GitHub #639]](https://github.com/ruby/openssl/pull/639)
+* OpenSSL >= 1.0.2 or LibreSSL >= 3.1
+
+Notable changes
+---------------
+
+* Add a stub gemspec for JRuby, which depends on the `jruby-openssl` gem.
+ [[GitHub #598]](https://github.com/ruby/openssl/pull/598)
+* Add support for the FIPS module in OpenSSL 3.0/3.1.
+ [[GitHub #608]](https://github.com/ruby/openssl/pull/608)
+* Rework `OpenSSL::PKey` routines for loading DER or PEM encoded keys for better
+ compatibility with OpenSSL 3.0/3.1 with the FIPS module.
+ [[GitHub #615]](https://github.com/ruby/openssl/pull/615)
+ [[GitHub #669]](https://github.com/ruby/openssl/pull/669)
+* Add `OpenSSL::Provider` module for loading and unloading OpenSSL 3 providers.
+ [[GitHub #635]](https://github.com/ruby/openssl/pull/635)
+* Add `OpenSSL::PKey.new_raw_private_key`, `.new_raw_public_key`,
+ `OpenSSL::PKey::PKey#raw_private_key`, and `#raw_public_key` for public key
+ algorithms that use "raw private/public key", such as X25519 and Ed25519.
+ [[GitHub #646]](https://github.com/ruby/openssl/pull/646)
+* Improve OpenSSL error messages to include additional information when
+ it is available in OpenSSL's error queue.
+ [[GitHub #648]](https://github.com/ruby/openssl/pull/648)
+* Change `OpenSSL::SSL::SSLContext#ca_file=` and `#ca_path=` to raise
+ `OpenSSL::SSL::SSLError` instead of printing a warning message.
+ [[GitHub #659]](https://github.com/ruby/openssl/pull/659)
+* Allow `OpenSSL::X509::ExtensionFactory#create_extension` to take OIDs in the
+ dotted-decimal notation.
+ [[GitHub #141]](https://github.com/ruby/openssl/pull/141)
+
+
+Version 3.1.0
+=============
+
+Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
+
+Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
+
+Notable changes
+---------------
+
+* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
+ suites.
+ [[GitHub #493]](https://github.com/ruby/openssl/pull/493)
+* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
+ material of the session, as defined in RFC 5705.
+ [[GitHub #530]](https://github.com/ruby/openssl/pull/530)
+* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
+ callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
+ [[GitHub #536]](https://github.com/ruby/openssl/pull/536)
+* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
+ and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
+ methods used to be equivalent of specifying SHA-1. This default value is now
+ removed and we will let the underlying OpenSSL library decide instead.
+ [[GitHub #507]](https://github.com/ruby/openssl/pull/507)
+* Add `OpenSSL::BN#mod_sqrt`.
+ [[GitHub #553]](https://github.com/ruby/openssl/pull/553)
+* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
+ prohibited to workaround an ancient bug in OpenSSL.
+ [[GitHub #568]](https://github.com/ruby/openssl/pull/568)
+* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
+ will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
+ [[GitHub #558]](https://github.com/ruby/openssl/pull/558)
+* Improve support for recent LibreSSL versions. This includes HKDF support in
+ LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
+
+
+Version 3.0.2
+=============
+
+Merged changes in 2.2.3. Additionally, the following issues are fixed by this
+release.
+
+Bug fixes
+---------
+
+* Fix OpenSSL::PKey::EC#check_key not working correctly on OpenSSL 3.0.
+ [[GitHub #563]](https://github.com/ruby/openssl/issues/563)
+ [[GitHub #580]](https://github.com/ruby/openssl/pull/580)
+
+
+Version 3.0.1
+=============
+
+Merged changes in 2.1.4 and 2.2.2. Additionally, the following issues are fixed
+by this release.
+
+Bug fixes
+---------
+
+* Add missing type check in OpenSSL::PKey::PKey#sign's optional parameters.
+ [[GitHub #531]](https://github.com/ruby/openssl/pull/531)
+* Work around OpenSSL 3.0's HMAC issues with a zero-length key.
+ [[GitHub #538]](https://github.com/ruby/openssl/pull/538)
+* Fix a regression in OpenSSL::PKey::DSA.generate's default of 'q' size.
+ [[GitHub #483]](https://github.com/ruby/openssl/issues/483)
+ [[GitHub #539]](https://github.com/ruby/openssl/pull/539)
+* Restore OpenSSL::PKey.read's ability to decode "openssl ecparam -genkey"
+ output when linked against OpenSSL 3.0.
+ [[GitHub #535]](https://github.com/ruby/openssl/pull/535)
+ [[GitHub #540]](https://github.com/ruby/openssl/pull/540)
+* Restore error checks in OpenSSL::PKey::EC#{to_der,to_pem}.
+ [[GitHub #541]](https://github.com/ruby/openssl/pull/541)
+
+
+Version 3.0.0
+=============
+
+Compatibility notes
+-------------------
+
+* OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
+ [[GitHub #396]](https://github.com/ruby/openssl/pull/396)
+ [[GitHub #466]](https://github.com/ruby/openssl/pull/466)
+
+* OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
+ 1.1 and contains incompatible changes that affect Ruby/OpenSSL.
+ Note that OpenSSL 3.0 support is preliminary and not all features are
+ currently available:
+ [[GitHub #369]](https://github.com/ruby/openssl/issues/369)
+
+ - Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
+ made EVP_PKEY structure immutable, and hence the following methods are not
+ available when Ruby/OpenSSL is linked against OpenSSL 3.0.
+ [[GitHub #480]](https://github.com/ruby/openssl/pull/480)
+
+ - `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
+ - `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
+ - `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
+ - `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
+
+ - Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
+ in favor of the new "provider" concept and will be removed in a future
+ version.
+ [[GitHub #481]](https://github.com/ruby/openssl/pull/481)
+
+* `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
+ deprecated since v2.0.0 because it is incompatible with modern OpenSSL
+ versions.
+ [[GitHub #394]](https://github.com/ruby/openssl/pull/394)
+
+* `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
+ if called before a TLS connection is established. Historically, they
+ read/wrote unencrypted data to the underlying socket directly in that case.
+ [[GitHub #9]](https://github.com/ruby/openssl/issues/9)
+ [[GitHub #469]](https://github.com/ruby/openssl/pull/469)
+
+
+Notable changes
+---------------
+
+* Enhance OpenSSL::PKey's common interface.
+ [[GitHub #370]](https://github.com/ruby/openssl/issues/370)
+
+ - Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
+ DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
+ [[GitHub #328]](https://github.com/ruby/openssl/issues/328)
+ - Key generation: Add `OpenSSL::PKey.generate_parameters` and
+ `OpenSSL::PKey.generate_key`.
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+ - Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
+ the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
+ or later. They also now take optional algorithm-specific parameters for more
+ control.
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+ - Low-level public key signing and verification: Add
+ `OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
+ [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+ - Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
+ [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+ - Key agreement: Add `OpenSSL::PKey::PKey#derive`.
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+ - Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
+ that two keys have common parameters and a public key.
+ [[GitHub #383]](https://github.com/ruby/openssl/issues/383)
+
+* Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
+ with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
+ [[GitHub #417]](https://github.com/ruby/openssl/issues/417)
+
+* Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
+ [[GitHub #430]](https://github.com/ruby/openssl/issues/430)
+
+* Add `OpenSSL::SSL::SSLSocket#getbyte`.
+ [[GitHub #438]](https://github.com/ruby/openssl/issues/438)
+
+* Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
+ [[GitHub #459]](https://github.com/ruby/openssl/pull/459)
+
+* Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
+ list of X.509 certificates at once.
+ [[GitHub #441]](https://github.com/ruby/openssl/pull/441)
+
+* Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
+ string first as DER encoding first and then as PEM encoding to ensure the
+ round-trip consistency.
+ [[GitHub #442]](https://github.com/ruby/openssl/pull/442)
+
+* Update various part of the code base to use the modern API. No breaking
+ changes are intended with this. This includes:
+
+ - `OpenSSL::HMAC` uses the EVP API.
+ [[GitHub #371]](https://github.com/ruby/openssl/issues/371)
+ - `OpenSSL::Config` uses native OpenSSL API to parse config files.
+ [[GitHub #342]](https://github.com/ruby/openssl/issues/342)
+
+
+Version 2.2.3
+=============
+
+Bug fixes
+---------
+
+* Fix serveral methods in OpenSSL::PKey::EC::Point attempting to raise an error
+ with an incorrect class, which would end up with a TypeError.
+ [[GitHub #570]](https://github.com/ruby/openssl/pull/570)
+* Fix OpenSSL::PKey::EC::Point#eql? and OpenSSL::PKey::EC::Group#eql?
+ incorrectly treated OpenSSL's internal errors as "not equal".
+ [[GitHub #564]](https://github.com/ruby/openssl/pull/564)
+* Fix build with LibreSSL 3.5 or later.
+
+
+Version 2.2.2
+=============
+
+Merged changes in 2.1.4.
+
+
+Version 2.2.1
+=============
+
+Merged changes in 2.1.3. Additionally, the following issues are fixed by this
+release.
+
+Bug fixes
+---------
+
+* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
+ invalid arguments are given.
+ [[GitHub #407]](https://github.com/ruby/openssl/pull/407)
+* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
+ where `time_t` has a different size from `long`.
+ [[GitHub #454]](https://github.com/ruby/openssl/pull/454)
+
+
Version 2.2.0
=============
@@ -75,6 +329,52 @@ Notable changes
[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
+Version 2.1.4
+=============
+
+Bug fixes
+---------
+
+* Do not use pkg-config if --with-openssl-dir option is specified.
+ [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
+
+
+Version 2.1.3
+=============
+
+Bug fixes
+---------
+
+* Fix deprecation warnings on Ruby 3.0.
+* Add ".include" directive support in `OpenSSL::Config`.
+ [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
+* Fix handling of IPv6 address SANs.
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
+* Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
+ sets a proper error code.
+ [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
+* Fix crash with `OpenSSL::BN.new(nil, 2)`.
+ [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
+* `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
+ being modified by another thread.
+ [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
+* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
+ for output.
+* Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
+ [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
+* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
+ newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
+ OpenSSL 3.0 API.
+ [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
+* Activate `digest` gem correctly. `digest` library could go into an
+ inconsistent state if there are multiple versions of `digest` is installed
+ and `openssl` is `require`d before `digest`.
+ [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
+* Fix GC.compact compatibility.
+ [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
+ [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
+
+
Version 2.1.2
=============
@@ -157,7 +457,7 @@ Security fixes
Bug fixes
---------
-* Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
+* Fixed OpenSSL::PKey::\*.{new,generate} immediately aborting if the thread is
interrupted.
[[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
[[GitHub #205]](https://github.com/ruby/openssl/pull/205)
diff --git a/ext/openssl/depend b/ext/openssl/depend
index df84de4d71..12c6793939 100644
--- a/ext/openssl/depend
+++ b/ext/openssl/depend
@@ -11,7 +11,6 @@ ossl.o: $(hdrdir)/ruby/backward.h
ossl.o: $(hdrdir)/ruby/backward/2/assume.h
ossl.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl.o: $(hdrdir)/ruby/backward/2/limits.h
ossl.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -20,6 +19,7 @@ ossl.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl.o: $(hdrdir)/ruby/defines.h
ossl.o: $(hdrdir)/ruby/encoding.h
ossl.o: $(hdrdir)/ruby/intern.h
+ossl.o: $(hdrdir)/ruby/internal/abi.h
ossl.o: $(hdrdir)/ruby/internal/anyargs.h
ossl.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -57,6 +57,7 @@ ossl.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -89,6 +90,15 @@ ossl.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl.o: $(hdrdir)/ruby/internal/ctype.h
ossl.o: $(hdrdir)/ruby/internal/dllexport.h
ossl.o: $(hdrdir)/ruby/internal/dosish.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl.o: $(hdrdir)/ruby/internal/error.h
ossl.o: $(hdrdir)/ruby/internal/eval.h
ossl.o: $(hdrdir)/ruby/internal/event.h
@@ -116,7 +126,6 @@ ossl.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl.o: $(hdrdir)/ruby/internal/intern/error.h
ossl.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl.o: $(hdrdir)/ruby/internal/intern/io.h
ossl.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -147,12 +156,12 @@ ossl.o: $(hdrdir)/ruby/internal/memory.h
ossl.o: $(hdrdir)/ruby/internal/method.h
ossl.o: $(hdrdir)/ruby/internal/module.h
ossl.o: $(hdrdir)/ruby/internal/newobj.h
-ossl.o: $(hdrdir)/ruby/internal/rgengc.h
ossl.o: $(hdrdir)/ruby/internal/scan_args.h
ossl.o: $(hdrdir)/ruby/internal/special_consts.h
ossl.o: $(hdrdir)/ruby/internal/static_assert.h
ossl.o: $(hdrdir)/ruby/internal/stdalign.h
ossl.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl.o: $(hdrdir)/ruby/internal/symbol.h
ossl.o: $(hdrdir)/ruby/internal/value.h
ossl.o: $(hdrdir)/ruby/internal/value_type.h
@@ -167,7 +176,6 @@ ossl.o: $(hdrdir)/ruby/ruby.h
ossl.o: $(hdrdir)/ruby/st.h
ossl.o: $(hdrdir)/ruby/subst.h
ossl.o: $(hdrdir)/ruby/thread.h
-ossl.o: $(hdrdir)/ruby/thread_native.h
ossl.o: openssl_missing.h
ossl.o: ossl.c
ossl.o: ossl.h
@@ -185,11 +193,11 @@ ossl.o: ossl_ocsp.h
ossl.o: ossl_pkcs12.h
ossl.o: ossl_pkcs7.h
ossl.o: ossl_pkey.h
+ossl.o: ossl_provider.h
ossl.o: ossl_rand.h
ossl.o: ossl_ssl.h
ossl.o: ossl_ts.h
ossl.o: ossl_x509.h
-ossl.o: ruby_missing.h
ossl_asn1.o: $(RUBY_EXTCONF_H)
ossl_asn1.o: $(arch_hdrdir)/ruby/config.h
ossl_asn1.o: $(hdrdir)/ruby.h
@@ -198,7 +206,6 @@ ossl_asn1.o: $(hdrdir)/ruby/backward.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_asn1.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_asn1.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -207,6 +214,7 @@ ossl_asn1.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_asn1.o: $(hdrdir)/ruby/defines.h
ossl_asn1.o: $(hdrdir)/ruby/encoding.h
ossl_asn1.o: $(hdrdir)/ruby/intern.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/abi.h
ossl_asn1.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_asn1.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_asn1.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -244,6 +252,7 @@ ossl_asn1.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_asn1.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -276,6 +285,15 @@ ossl_asn1.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_asn1.o: $(hdrdir)/ruby/internal/ctype.h
ossl_asn1.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_asn1.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_asn1.o: $(hdrdir)/ruby/internal/error.h
ossl_asn1.o: $(hdrdir)/ruby/internal/eval.h
ossl_asn1.o: $(hdrdir)/ruby/internal/event.h
@@ -303,7 +321,6 @@ ossl_asn1.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_asn1.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_asn1.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -334,12 +351,12 @@ ossl_asn1.o: $(hdrdir)/ruby/internal/memory.h
ossl_asn1.o: $(hdrdir)/ruby/internal/method.h
ossl_asn1.o: $(hdrdir)/ruby/internal/module.h
ossl_asn1.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_asn1.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_asn1.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_asn1.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_asn1.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_asn1.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_asn1.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_asn1.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_asn1.o: $(hdrdir)/ruby/internal/symbol.h
ossl_asn1.o: $(hdrdir)/ruby/internal/value.h
ossl_asn1.o: $(hdrdir)/ruby/internal/value_type.h
@@ -371,11 +388,11 @@ ossl_asn1.o: ossl_ocsp.h
ossl_asn1.o: ossl_pkcs12.h
ossl_asn1.o: ossl_pkcs7.h
ossl_asn1.o: ossl_pkey.h
+ossl_asn1.o: ossl_provider.h
ossl_asn1.o: ossl_rand.h
ossl_asn1.o: ossl_ssl.h
ossl_asn1.o: ossl_ts.h
ossl_asn1.o: ossl_x509.h
-ossl_asn1.o: ruby_missing.h
ossl_bio.o: $(RUBY_EXTCONF_H)
ossl_bio.o: $(arch_hdrdir)/ruby/config.h
ossl_bio.o: $(hdrdir)/ruby.h
@@ -384,7 +401,6 @@ ossl_bio.o: $(hdrdir)/ruby/backward.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_bio.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_bio.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -393,6 +409,7 @@ ossl_bio.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_bio.o: $(hdrdir)/ruby/defines.h
ossl_bio.o: $(hdrdir)/ruby/encoding.h
ossl_bio.o: $(hdrdir)/ruby/intern.h
+ossl_bio.o: $(hdrdir)/ruby/internal/abi.h
ossl_bio.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_bio.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_bio.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -430,6 +447,7 @@ ossl_bio.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_bio.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_bio.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -462,6 +480,15 @@ ossl_bio.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_bio.o: $(hdrdir)/ruby/internal/ctype.h
ossl_bio.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_bio.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_bio.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_bio.o: $(hdrdir)/ruby/internal/error.h
ossl_bio.o: $(hdrdir)/ruby/internal/eval.h
ossl_bio.o: $(hdrdir)/ruby/internal/event.h
@@ -489,7 +516,6 @@ ossl_bio.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_bio.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_bio.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -520,12 +546,12 @@ ossl_bio.o: $(hdrdir)/ruby/internal/memory.h
ossl_bio.o: $(hdrdir)/ruby/internal/method.h
ossl_bio.o: $(hdrdir)/ruby/internal/module.h
ossl_bio.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_bio.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_bio.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_bio.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_bio.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_bio.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_bio.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_bio.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_bio.o: $(hdrdir)/ruby/internal/symbol.h
ossl_bio.o: $(hdrdir)/ruby/internal/value.h
ossl_bio.o: $(hdrdir)/ruby/internal/value_type.h
@@ -557,11 +583,11 @@ ossl_bio.o: ossl_ocsp.h
ossl_bio.o: ossl_pkcs12.h
ossl_bio.o: ossl_pkcs7.h
ossl_bio.o: ossl_pkey.h
+ossl_bio.o: ossl_provider.h
ossl_bio.o: ossl_rand.h
ossl_bio.o: ossl_ssl.h
ossl_bio.o: ossl_ts.h
ossl_bio.o: ossl_x509.h
-ossl_bio.o: ruby_missing.h
ossl_bn.o: $(RUBY_EXTCONF_H)
ossl_bn.o: $(arch_hdrdir)/ruby/config.h
ossl_bn.o: $(hdrdir)/ruby.h
@@ -570,7 +596,6 @@ ossl_bn.o: $(hdrdir)/ruby/backward.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_bn.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_bn.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -579,6 +604,7 @@ ossl_bn.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_bn.o: $(hdrdir)/ruby/defines.h
ossl_bn.o: $(hdrdir)/ruby/encoding.h
ossl_bn.o: $(hdrdir)/ruby/intern.h
+ossl_bn.o: $(hdrdir)/ruby/internal/abi.h
ossl_bn.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_bn.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_bn.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -616,6 +642,7 @@ ossl_bn.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_bn.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_bn.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -648,6 +675,15 @@ ossl_bn.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_bn.o: $(hdrdir)/ruby/internal/ctype.h
ossl_bn.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_bn.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_bn.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_bn.o: $(hdrdir)/ruby/internal/error.h
ossl_bn.o: $(hdrdir)/ruby/internal/eval.h
ossl_bn.o: $(hdrdir)/ruby/internal/event.h
@@ -675,7 +711,6 @@ ossl_bn.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_bn.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_bn.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -706,12 +741,12 @@ ossl_bn.o: $(hdrdir)/ruby/internal/memory.h
ossl_bn.o: $(hdrdir)/ruby/internal/method.h
ossl_bn.o: $(hdrdir)/ruby/internal/module.h
ossl_bn.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_bn.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_bn.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_bn.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_bn.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_bn.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_bn.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_bn.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_bn.o: $(hdrdir)/ruby/internal/symbol.h
ossl_bn.o: $(hdrdir)/ruby/internal/value.h
ossl_bn.o: $(hdrdir)/ruby/internal/value_type.h
@@ -744,11 +779,11 @@ ossl_bn.o: ossl_ocsp.h
ossl_bn.o: ossl_pkcs12.h
ossl_bn.o: ossl_pkcs7.h
ossl_bn.o: ossl_pkey.h
+ossl_bn.o: ossl_provider.h
ossl_bn.o: ossl_rand.h
ossl_bn.o: ossl_ssl.h
ossl_bn.o: ossl_ts.h
ossl_bn.o: ossl_x509.h
-ossl_bn.o: ruby_missing.h
ossl_cipher.o: $(RUBY_EXTCONF_H)
ossl_cipher.o: $(arch_hdrdir)/ruby/config.h
ossl_cipher.o: $(hdrdir)/ruby.h
@@ -757,7 +792,6 @@ ossl_cipher.o: $(hdrdir)/ruby/backward.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_cipher.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_cipher.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -766,6 +800,7 @@ ossl_cipher.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_cipher.o: $(hdrdir)/ruby/defines.h
ossl_cipher.o: $(hdrdir)/ruby/encoding.h
ossl_cipher.o: $(hdrdir)/ruby/intern.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/abi.h
ossl_cipher.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_cipher.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_cipher.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -803,6 +838,7 @@ ossl_cipher.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_cipher.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -835,6 +871,15 @@ ossl_cipher.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_cipher.o: $(hdrdir)/ruby/internal/ctype.h
ossl_cipher.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_cipher.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_cipher.o: $(hdrdir)/ruby/internal/error.h
ossl_cipher.o: $(hdrdir)/ruby/internal/eval.h
ossl_cipher.o: $(hdrdir)/ruby/internal/event.h
@@ -862,7 +907,6 @@ ossl_cipher.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_cipher.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_cipher.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -893,12 +937,12 @@ ossl_cipher.o: $(hdrdir)/ruby/internal/memory.h
ossl_cipher.o: $(hdrdir)/ruby/internal/method.h
ossl_cipher.o: $(hdrdir)/ruby/internal/module.h
ossl_cipher.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_cipher.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_cipher.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_cipher.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_cipher.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_cipher.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_cipher.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_cipher.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_cipher.o: $(hdrdir)/ruby/internal/symbol.h
ossl_cipher.o: $(hdrdir)/ruby/internal/value.h
ossl_cipher.o: $(hdrdir)/ruby/internal/value_type.h
@@ -930,11 +974,11 @@ ossl_cipher.o: ossl_ocsp.h
ossl_cipher.o: ossl_pkcs12.h
ossl_cipher.o: ossl_pkcs7.h
ossl_cipher.o: ossl_pkey.h
+ossl_cipher.o: ossl_provider.h
ossl_cipher.o: ossl_rand.h
ossl_cipher.o: ossl_ssl.h
ossl_cipher.o: ossl_ts.h
ossl_cipher.o: ossl_x509.h
-ossl_cipher.o: ruby_missing.h
ossl_config.o: $(RUBY_EXTCONF_H)
ossl_config.o: $(arch_hdrdir)/ruby/config.h
ossl_config.o: $(hdrdir)/ruby.h
@@ -943,7 +987,6 @@ ossl_config.o: $(hdrdir)/ruby/backward.h
ossl_config.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_config.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_config.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_config.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_config.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_config.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_config.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -952,6 +995,7 @@ ossl_config.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_config.o: $(hdrdir)/ruby/defines.h
ossl_config.o: $(hdrdir)/ruby/encoding.h
ossl_config.o: $(hdrdir)/ruby/intern.h
+ossl_config.o: $(hdrdir)/ruby/internal/abi.h
ossl_config.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_config.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_config.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -989,6 +1033,7 @@ ossl_config.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_config.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_config.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1021,6 +1066,15 @@ ossl_config.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_config.o: $(hdrdir)/ruby/internal/ctype.h
ossl_config.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_config.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_config.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_config.o: $(hdrdir)/ruby/internal/error.h
ossl_config.o: $(hdrdir)/ruby/internal/eval.h
ossl_config.o: $(hdrdir)/ruby/internal/event.h
@@ -1048,7 +1102,6 @@ ossl_config.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_config.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_config.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -1079,12 +1132,12 @@ ossl_config.o: $(hdrdir)/ruby/internal/memory.h
ossl_config.o: $(hdrdir)/ruby/internal/method.h
ossl_config.o: $(hdrdir)/ruby/internal/module.h
ossl_config.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_config.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_config.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_config.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_config.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_config.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_config.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_config.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_config.o: $(hdrdir)/ruby/internal/symbol.h
ossl_config.o: $(hdrdir)/ruby/internal/value.h
ossl_config.o: $(hdrdir)/ruby/internal/value_type.h
@@ -1116,11 +1169,11 @@ ossl_config.o: ossl_ocsp.h
ossl_config.o: ossl_pkcs12.h
ossl_config.o: ossl_pkcs7.h
ossl_config.o: ossl_pkey.h
+ossl_config.o: ossl_provider.h
ossl_config.o: ossl_rand.h
ossl_config.o: ossl_ssl.h
ossl_config.o: ossl_ts.h
ossl_config.o: ossl_x509.h
-ossl_config.o: ruby_missing.h
ossl_digest.o: $(RUBY_EXTCONF_H)
ossl_digest.o: $(arch_hdrdir)/ruby/config.h
ossl_digest.o: $(hdrdir)/ruby.h
@@ -1129,7 +1182,6 @@ ossl_digest.o: $(hdrdir)/ruby/backward.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_digest.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_digest.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -1138,6 +1190,7 @@ ossl_digest.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_digest.o: $(hdrdir)/ruby/defines.h
ossl_digest.o: $(hdrdir)/ruby/encoding.h
ossl_digest.o: $(hdrdir)/ruby/intern.h
+ossl_digest.o: $(hdrdir)/ruby/internal/abi.h
ossl_digest.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_digest.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_digest.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -1175,6 +1228,7 @@ ossl_digest.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_digest.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_digest.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1207,6 +1261,15 @@ ossl_digest.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_digest.o: $(hdrdir)/ruby/internal/ctype.h
ossl_digest.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_digest.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_digest.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_digest.o: $(hdrdir)/ruby/internal/error.h
ossl_digest.o: $(hdrdir)/ruby/internal/eval.h
ossl_digest.o: $(hdrdir)/ruby/internal/event.h
@@ -1234,7 +1297,6 @@ ossl_digest.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_digest.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_digest.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -1265,12 +1327,12 @@ ossl_digest.o: $(hdrdir)/ruby/internal/memory.h
ossl_digest.o: $(hdrdir)/ruby/internal/method.h
ossl_digest.o: $(hdrdir)/ruby/internal/module.h
ossl_digest.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_digest.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_digest.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_digest.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_digest.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_digest.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_digest.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_digest.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_digest.o: $(hdrdir)/ruby/internal/symbol.h
ossl_digest.o: $(hdrdir)/ruby/internal/value.h
ossl_digest.o: $(hdrdir)/ruby/internal/value_type.h
@@ -1302,11 +1364,11 @@ ossl_digest.o: ossl_ocsp.h
ossl_digest.o: ossl_pkcs12.h
ossl_digest.o: ossl_pkcs7.h
ossl_digest.o: ossl_pkey.h
+ossl_digest.o: ossl_provider.h
ossl_digest.o: ossl_rand.h
ossl_digest.o: ossl_ssl.h
ossl_digest.o: ossl_ts.h
ossl_digest.o: ossl_x509.h
-ossl_digest.o: ruby_missing.h
ossl_engine.o: $(RUBY_EXTCONF_H)
ossl_engine.o: $(arch_hdrdir)/ruby/config.h
ossl_engine.o: $(hdrdir)/ruby.h
@@ -1315,7 +1377,6 @@ ossl_engine.o: $(hdrdir)/ruby/backward.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_engine.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_engine.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -1324,6 +1385,7 @@ ossl_engine.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_engine.o: $(hdrdir)/ruby/defines.h
ossl_engine.o: $(hdrdir)/ruby/encoding.h
ossl_engine.o: $(hdrdir)/ruby/intern.h
+ossl_engine.o: $(hdrdir)/ruby/internal/abi.h
ossl_engine.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_engine.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_engine.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -1361,6 +1423,7 @@ ossl_engine.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_engine.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_engine.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1393,6 +1456,15 @@ ossl_engine.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_engine.o: $(hdrdir)/ruby/internal/ctype.h
ossl_engine.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_engine.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_engine.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_engine.o: $(hdrdir)/ruby/internal/error.h
ossl_engine.o: $(hdrdir)/ruby/internal/eval.h
ossl_engine.o: $(hdrdir)/ruby/internal/event.h
@@ -1420,7 +1492,6 @@ ossl_engine.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_engine.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_engine.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -1451,12 +1522,12 @@ ossl_engine.o: $(hdrdir)/ruby/internal/memory.h
ossl_engine.o: $(hdrdir)/ruby/internal/method.h
ossl_engine.o: $(hdrdir)/ruby/internal/module.h
ossl_engine.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_engine.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_engine.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_engine.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_engine.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_engine.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_engine.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_engine.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_engine.o: $(hdrdir)/ruby/internal/symbol.h
ossl_engine.o: $(hdrdir)/ruby/internal/value.h
ossl_engine.o: $(hdrdir)/ruby/internal/value_type.h
@@ -1488,11 +1559,11 @@ ossl_engine.o: ossl_ocsp.h
ossl_engine.o: ossl_pkcs12.h
ossl_engine.o: ossl_pkcs7.h
ossl_engine.o: ossl_pkey.h
+ossl_engine.o: ossl_provider.h
ossl_engine.o: ossl_rand.h
ossl_engine.o: ossl_ssl.h
ossl_engine.o: ossl_ts.h
ossl_engine.o: ossl_x509.h
-ossl_engine.o: ruby_missing.h
ossl_hmac.o: $(RUBY_EXTCONF_H)
ossl_hmac.o: $(arch_hdrdir)/ruby/config.h
ossl_hmac.o: $(hdrdir)/ruby.h
@@ -1501,7 +1572,6 @@ ossl_hmac.o: $(hdrdir)/ruby/backward.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_hmac.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_hmac.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -1510,6 +1580,7 @@ ossl_hmac.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_hmac.o: $(hdrdir)/ruby/defines.h
ossl_hmac.o: $(hdrdir)/ruby/encoding.h
ossl_hmac.o: $(hdrdir)/ruby/intern.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/abi.h
ossl_hmac.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_hmac.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_hmac.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -1547,6 +1618,7 @@ ossl_hmac.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_hmac.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1579,6 +1651,15 @@ ossl_hmac.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_hmac.o: $(hdrdir)/ruby/internal/ctype.h
ossl_hmac.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_hmac.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_hmac.o: $(hdrdir)/ruby/internal/error.h
ossl_hmac.o: $(hdrdir)/ruby/internal/eval.h
ossl_hmac.o: $(hdrdir)/ruby/internal/event.h
@@ -1606,7 +1687,6 @@ ossl_hmac.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_hmac.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_hmac.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -1637,12 +1717,12 @@ ossl_hmac.o: $(hdrdir)/ruby/internal/memory.h
ossl_hmac.o: $(hdrdir)/ruby/internal/method.h
ossl_hmac.o: $(hdrdir)/ruby/internal/module.h
ossl_hmac.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_hmac.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_hmac.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_hmac.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_hmac.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_hmac.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_hmac.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_hmac.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_hmac.o: $(hdrdir)/ruby/internal/symbol.h
ossl_hmac.o: $(hdrdir)/ruby/internal/value.h
ossl_hmac.o: $(hdrdir)/ruby/internal/value_type.h
@@ -1674,11 +1754,11 @@ ossl_hmac.o: ossl_ocsp.h
ossl_hmac.o: ossl_pkcs12.h
ossl_hmac.o: ossl_pkcs7.h
ossl_hmac.o: ossl_pkey.h
+ossl_hmac.o: ossl_provider.h
ossl_hmac.o: ossl_rand.h
ossl_hmac.o: ossl_ssl.h
ossl_hmac.o: ossl_ts.h
ossl_hmac.o: ossl_x509.h
-ossl_hmac.o: ruby_missing.h
ossl_kdf.o: $(RUBY_EXTCONF_H)
ossl_kdf.o: $(arch_hdrdir)/ruby/config.h
ossl_kdf.o: $(hdrdir)/ruby.h
@@ -1687,7 +1767,6 @@ ossl_kdf.o: $(hdrdir)/ruby/backward.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_kdf.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_kdf.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -1696,6 +1775,7 @@ ossl_kdf.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_kdf.o: $(hdrdir)/ruby/defines.h
ossl_kdf.o: $(hdrdir)/ruby/encoding.h
ossl_kdf.o: $(hdrdir)/ruby/intern.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/abi.h
ossl_kdf.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_kdf.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_kdf.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -1733,6 +1813,7 @@ ossl_kdf.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_kdf.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1765,6 +1846,15 @@ ossl_kdf.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_kdf.o: $(hdrdir)/ruby/internal/ctype.h
ossl_kdf.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_kdf.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_kdf.o: $(hdrdir)/ruby/internal/error.h
ossl_kdf.o: $(hdrdir)/ruby/internal/eval.h
ossl_kdf.o: $(hdrdir)/ruby/internal/event.h
@@ -1792,7 +1882,6 @@ ossl_kdf.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_kdf.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_kdf.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -1823,12 +1912,12 @@ ossl_kdf.o: $(hdrdir)/ruby/internal/memory.h
ossl_kdf.o: $(hdrdir)/ruby/internal/method.h
ossl_kdf.o: $(hdrdir)/ruby/internal/module.h
ossl_kdf.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_kdf.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_kdf.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_kdf.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_kdf.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_kdf.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_kdf.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_kdf.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_kdf.o: $(hdrdir)/ruby/internal/symbol.h
ossl_kdf.o: $(hdrdir)/ruby/internal/value.h
ossl_kdf.o: $(hdrdir)/ruby/internal/value_type.h
@@ -1860,11 +1949,11 @@ ossl_kdf.o: ossl_ocsp.h
ossl_kdf.o: ossl_pkcs12.h
ossl_kdf.o: ossl_pkcs7.h
ossl_kdf.o: ossl_pkey.h
+ossl_kdf.o: ossl_provider.h
ossl_kdf.o: ossl_rand.h
ossl_kdf.o: ossl_ssl.h
ossl_kdf.o: ossl_ts.h
ossl_kdf.o: ossl_x509.h
-ossl_kdf.o: ruby_missing.h
ossl_ns_spki.o: $(RUBY_EXTCONF_H)
ossl_ns_spki.o: $(arch_hdrdir)/ruby/config.h
ossl_ns_spki.o: $(hdrdir)/ruby.h
@@ -1873,7 +1962,6 @@ ossl_ns_spki.o: $(hdrdir)/ruby/backward.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -1882,6 +1970,7 @@ ossl_ns_spki.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_ns_spki.o: $(hdrdir)/ruby/defines.h
ossl_ns_spki.o: $(hdrdir)/ruby/encoding.h
ossl_ns_spki.o: $(hdrdir)/ruby/intern.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/abi.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -1919,6 +2008,7 @@ ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -1951,6 +2041,15 @@ ossl_ns_spki.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/ctype.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/error.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/eval.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/event.h
@@ -1978,7 +2077,6 @@ ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2009,12 +2107,12 @@ ossl_ns_spki.o: $(hdrdir)/ruby/internal/memory.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/method.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/module.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_ns_spki.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_ns_spki.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/symbol.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/value.h
ossl_ns_spki.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2046,11 +2144,11 @@ ossl_ns_spki.o: ossl_ocsp.h
ossl_ns_spki.o: ossl_pkcs12.h
ossl_ns_spki.o: ossl_pkcs7.h
ossl_ns_spki.o: ossl_pkey.h
+ossl_ns_spki.o: ossl_provider.h
ossl_ns_spki.o: ossl_rand.h
ossl_ns_spki.o: ossl_ssl.h
ossl_ns_spki.o: ossl_ts.h
ossl_ns_spki.o: ossl_x509.h
-ossl_ns_spki.o: ruby_missing.h
ossl_ocsp.o: $(RUBY_EXTCONF_H)
ossl_ocsp.o: $(arch_hdrdir)/ruby/config.h
ossl_ocsp.o: $(hdrdir)/ruby.h
@@ -2059,7 +2157,6 @@ ossl_ocsp.o: $(hdrdir)/ruby/backward.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_ocsp.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_ocsp.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2068,6 +2165,7 @@ ossl_ocsp.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_ocsp.o: $(hdrdir)/ruby/defines.h
ossl_ocsp.o: $(hdrdir)/ruby/encoding.h
ossl_ocsp.o: $(hdrdir)/ruby/intern.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/abi.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -2105,6 +2203,7 @@ ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -2137,6 +2236,15 @@ ossl_ocsp.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/ctype.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/error.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/eval.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/event.h
@@ -2164,7 +2272,6 @@ ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2195,12 +2302,12 @@ ossl_ocsp.o: $(hdrdir)/ruby/internal/memory.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/method.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/module.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_ocsp.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_ocsp.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/symbol.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/value.h
ossl_ocsp.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2232,11 +2339,11 @@ ossl_ocsp.o: ossl_ocsp.h
ossl_ocsp.o: ossl_pkcs12.h
ossl_ocsp.o: ossl_pkcs7.h
ossl_ocsp.o: ossl_pkey.h
+ossl_ocsp.o: ossl_provider.h
ossl_ocsp.o: ossl_rand.h
ossl_ocsp.o: ossl_ssl.h
ossl_ocsp.o: ossl_ts.h
ossl_ocsp.o: ossl_x509.h
-ossl_ocsp.o: ruby_missing.h
ossl_pkcs12.o: $(RUBY_EXTCONF_H)
ossl_pkcs12.o: $(arch_hdrdir)/ruby/config.h
ossl_pkcs12.o: $(hdrdir)/ruby.h
@@ -2245,7 +2352,6 @@ ossl_pkcs12.o: $(hdrdir)/ruby/backward.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2254,6 +2360,7 @@ ossl_pkcs12.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkcs12.o: $(hdrdir)/ruby/defines.h
ossl_pkcs12.o: $(hdrdir)/ruby/encoding.h
ossl_pkcs12.o: $(hdrdir)/ruby/intern.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -2291,6 +2398,7 @@ ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -2323,6 +2431,15 @@ ossl_pkcs12.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/error.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/event.h
@@ -2350,7 +2467,6 @@ ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2381,12 +2497,12 @@ ossl_pkcs12.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/method.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/module.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkcs12.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkcs12.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/value.h
ossl_pkcs12.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2418,11 +2534,11 @@ ossl_pkcs12.o: ossl_pkcs12.c
ossl_pkcs12.o: ossl_pkcs12.h
ossl_pkcs12.o: ossl_pkcs7.h
ossl_pkcs12.o: ossl_pkey.h
+ossl_pkcs12.o: ossl_provider.h
ossl_pkcs12.o: ossl_rand.h
ossl_pkcs12.o: ossl_ssl.h
ossl_pkcs12.o: ossl_ts.h
ossl_pkcs12.o: ossl_x509.h
-ossl_pkcs12.o: ruby_missing.h
ossl_pkcs7.o: $(RUBY_EXTCONF_H)
ossl_pkcs7.o: $(arch_hdrdir)/ruby/config.h
ossl_pkcs7.o: $(hdrdir)/ruby.h
@@ -2431,7 +2547,6 @@ ossl_pkcs7.o: $(hdrdir)/ruby/backward.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2440,6 +2555,7 @@ ossl_pkcs7.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkcs7.o: $(hdrdir)/ruby/defines.h
ossl_pkcs7.o: $(hdrdir)/ruby/encoding.h
ossl_pkcs7.o: $(hdrdir)/ruby/intern.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -2477,6 +2593,7 @@ ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -2509,6 +2626,15 @@ ossl_pkcs7.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/error.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/event.h
@@ -2536,7 +2662,6 @@ ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2567,12 +2692,12 @@ ossl_pkcs7.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/method.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/module.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkcs7.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkcs7.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/value.h
ossl_pkcs7.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2604,11 +2729,11 @@ ossl_pkcs7.o: ossl_pkcs12.h
ossl_pkcs7.o: ossl_pkcs7.c
ossl_pkcs7.o: ossl_pkcs7.h
ossl_pkcs7.o: ossl_pkey.h
+ossl_pkcs7.o: ossl_provider.h
ossl_pkcs7.o: ossl_rand.h
ossl_pkcs7.o: ossl_ssl.h
ossl_pkcs7.o: ossl_ts.h
ossl_pkcs7.o: ossl_x509.h
-ossl_pkcs7.o: ruby_missing.h
ossl_pkey.o: $(RUBY_EXTCONF_H)
ossl_pkey.o: $(arch_hdrdir)/ruby/config.h
ossl_pkey.o: $(hdrdir)/ruby.h
@@ -2617,7 +2742,6 @@ ossl_pkey.o: $(hdrdir)/ruby/backward.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkey.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkey.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2626,6 +2750,7 @@ ossl_pkey.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkey.o: $(hdrdir)/ruby/defines.h
ossl_pkey.o: $(hdrdir)/ruby/encoding.h
ossl_pkey.o: $(hdrdir)/ruby/intern.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkey.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkey.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkey.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -2663,6 +2788,7 @@ ossl_pkey.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkey.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -2695,6 +2821,15 @@ ossl_pkey.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkey.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkey.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkey.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkey.o: $(hdrdir)/ruby/internal/error.h
ossl_pkey.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkey.o: $(hdrdir)/ruby/internal/event.h
@@ -2722,7 +2857,6 @@ ossl_pkey.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkey.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkey.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2753,12 +2887,12 @@ ossl_pkey.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkey.o: $(hdrdir)/ruby/internal/method.h
ossl_pkey.o: $(hdrdir)/ruby/internal/module.h
ossl_pkey.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkey.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkey.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkey.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkey.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkey.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkey.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkey.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkey.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkey.o: $(hdrdir)/ruby/internal/value.h
ossl_pkey.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2790,11 +2924,11 @@ ossl_pkey.o: ossl_pkcs12.h
ossl_pkey.o: ossl_pkcs7.h
ossl_pkey.o: ossl_pkey.c
ossl_pkey.o: ossl_pkey.h
+ossl_pkey.o: ossl_provider.h
ossl_pkey.o: ossl_rand.h
ossl_pkey.o: ossl_ssl.h
ossl_pkey.o: ossl_ts.h
ossl_pkey.o: ossl_x509.h
-ossl_pkey.o: ruby_missing.h
ossl_pkey_dh.o: $(RUBY_EXTCONF_H)
ossl_pkey_dh.o: $(arch_hdrdir)/ruby/config.h
ossl_pkey_dh.o: $(hdrdir)/ruby.h
@@ -2803,7 +2937,6 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/backward.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2812,6 +2945,7 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkey_dh.o: $(hdrdir)/ruby/defines.h
ossl_pkey_dh.o: $(hdrdir)/ruby/encoding.h
ossl_pkey_dh.o: $(hdrdir)/ruby/intern.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -2849,6 +2983,7 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -2881,6 +3016,15 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/error.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/event.h
@@ -2908,7 +3052,6 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -2939,12 +3082,12 @@ ossl_pkey_dh.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/method.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/module.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkey_dh.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkey_dh.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/value.h
ossl_pkey_dh.o: $(hdrdir)/ruby/internal/value_type.h
@@ -2976,11 +3119,11 @@ ossl_pkey_dh.o: ossl_pkcs12.h
ossl_pkey_dh.o: ossl_pkcs7.h
ossl_pkey_dh.o: ossl_pkey.h
ossl_pkey_dh.o: ossl_pkey_dh.c
+ossl_pkey_dh.o: ossl_provider.h
ossl_pkey_dh.o: ossl_rand.h
ossl_pkey_dh.o: ossl_ssl.h
ossl_pkey_dh.o: ossl_ts.h
ossl_pkey_dh.o: ossl_x509.h
-ossl_pkey_dh.o: ruby_missing.h
ossl_pkey_dsa.o: $(RUBY_EXTCONF_H)
ossl_pkey_dsa.o: $(arch_hdrdir)/ruby/config.h
ossl_pkey_dsa.o: $(hdrdir)/ruby.h
@@ -2989,7 +3132,6 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/backward.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -2998,6 +3140,7 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/defines.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/encoding.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/intern.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3035,6 +3178,7 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3067,6 +3211,15 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/error.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/event.h
@@ -3094,7 +3247,6 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -3125,12 +3277,12 @@ ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/method.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/module.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/value.h
ossl_pkey_dsa.o: $(hdrdir)/ruby/internal/value_type.h
@@ -3162,11 +3314,11 @@ ossl_pkey_dsa.o: ossl_pkcs12.h
ossl_pkey_dsa.o: ossl_pkcs7.h
ossl_pkey_dsa.o: ossl_pkey.h
ossl_pkey_dsa.o: ossl_pkey_dsa.c
+ossl_pkey_dsa.o: ossl_provider.h
ossl_pkey_dsa.o: ossl_rand.h
ossl_pkey_dsa.o: ossl_ssl.h
ossl_pkey_dsa.o: ossl_ts.h
ossl_pkey_dsa.o: ossl_x509.h
-ossl_pkey_dsa.o: ruby_missing.h
ossl_pkey_ec.o: $(RUBY_EXTCONF_H)
ossl_pkey_ec.o: $(arch_hdrdir)/ruby/config.h
ossl_pkey_ec.o: $(hdrdir)/ruby.h
@@ -3175,7 +3327,6 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/backward.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -3184,6 +3335,7 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkey_ec.o: $(hdrdir)/ruby/defines.h
ossl_pkey_ec.o: $(hdrdir)/ruby/encoding.h
ossl_pkey_ec.o: $(hdrdir)/ruby/intern.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3221,6 +3373,7 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3253,6 +3406,15 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/error.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/event.h
@@ -3280,7 +3442,6 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -3311,12 +3472,12 @@ ossl_pkey_ec.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/method.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/module.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkey_ec.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkey_ec.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/value.h
ossl_pkey_ec.o: $(hdrdir)/ruby/internal/value_type.h
@@ -3348,11 +3509,11 @@ ossl_pkey_ec.o: ossl_pkcs12.h
ossl_pkey_ec.o: ossl_pkcs7.h
ossl_pkey_ec.o: ossl_pkey.h
ossl_pkey_ec.o: ossl_pkey_ec.c
+ossl_pkey_ec.o: ossl_provider.h
ossl_pkey_ec.o: ossl_rand.h
ossl_pkey_ec.o: ossl_ssl.h
ossl_pkey_ec.o: ossl_ts.h
ossl_pkey_ec.o: ossl_x509.h
-ossl_pkey_ec.o: ruby_missing.h
ossl_pkey_rsa.o: $(RUBY_EXTCONF_H)
ossl_pkey_rsa.o: $(arch_hdrdir)/ruby/config.h
ossl_pkey_rsa.o: $(hdrdir)/ruby.h
@@ -3361,7 +3522,6 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/backward.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -3370,6 +3530,7 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/defines.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/encoding.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/intern.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/abi.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3407,6 +3568,7 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3439,6 +3601,15 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/ctype.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/error.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/eval.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/event.h
@@ -3466,7 +3637,6 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -3497,12 +3667,12 @@ ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/memory.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/method.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/module.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/symbol.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/value.h
ossl_pkey_rsa.o: $(hdrdir)/ruby/internal/value_type.h
@@ -3534,11 +3704,206 @@ ossl_pkey_rsa.o: ossl_pkcs12.h
ossl_pkey_rsa.o: ossl_pkcs7.h
ossl_pkey_rsa.o: ossl_pkey.h
ossl_pkey_rsa.o: ossl_pkey_rsa.c
+ossl_pkey_rsa.o: ossl_provider.h
ossl_pkey_rsa.o: ossl_rand.h
ossl_pkey_rsa.o: ossl_ssl.h
ossl_pkey_rsa.o: ossl_ts.h
ossl_pkey_rsa.o: ossl_x509.h
-ossl_pkey_rsa.o: ruby_missing.h
+ossl_provider.o: $(RUBY_EXTCONF_H)
+ossl_provider.o: $(arch_hdrdir)/ruby/config.h
+ossl_provider.o: $(hdrdir)/ruby.h
+ossl_provider.o: $(hdrdir)/ruby/assert.h
+ossl_provider.o: $(hdrdir)/ruby/backward.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/assume.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/attributes.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/bool.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/inttypes.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/limits.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/long_long.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/stdalign.h
+ossl_provider.o: $(hdrdir)/ruby/backward/2/stdarg.h
+ossl_provider.o: $(hdrdir)/ruby/defines.h
+ossl_provider.o: $(hdrdir)/ruby/encoding.h
+ossl_provider.o: $(hdrdir)/ruby/intern.h
+ossl_provider.o: $(hdrdir)/ruby/internal/abi.h
+ossl_provider.o: $(hdrdir)/ruby/internal/anyargs.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/char.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/double.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/fixnum.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/gid_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/int.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/intptr_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/long.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/long_long.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/mode_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/off_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/pid_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/short.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/size_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/st_data_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/arithmetic/uid_t.h
+ossl_provider.o: $(hdrdir)/ruby/internal/assume.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/alloc_size.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/artificial.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/cold.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/const.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/constexpr.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/deprecated.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/diagnose_if.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/enum_extensibility.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/error.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/flag_enum.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/forceinline.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/format.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/maybe_unused.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/noalias.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/nodiscard.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/noexcept.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/noinline.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/nonnull.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/pure.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/restrict.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/warning.h
+ossl_provider.o: $(hdrdir)/ruby/internal/attr/weakref.h
+ossl_provider.o: $(hdrdir)/ruby/internal/cast.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/apple.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/clang.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/gcc.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/intel.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/msvc.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_is/sunpro.h
+ossl_provider.o: $(hdrdir)/ruby/internal/compiler_since.h
+ossl_provider.o: $(hdrdir)/ruby/internal/config.h
+ossl_provider.o: $(hdrdir)/ruby/internal/constant_p.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rarray.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rbasic.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rbignum.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rclass.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rdata.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rfile.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rhash.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/robject.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rregexp.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rstring.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rstruct.h
+ossl_provider.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
+ossl_provider.o: $(hdrdir)/ruby/internal/ctype.h
+ossl_provider.o: $(hdrdir)/ruby/internal/dllexport.h
+ossl_provider.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_provider.o: $(hdrdir)/ruby/internal/encoding/transcode.h
+ossl_provider.o: $(hdrdir)/ruby/internal/error.h
+ossl_provider.o: $(hdrdir)/ruby/internal/eval.h
+ossl_provider.o: $(hdrdir)/ruby/internal/event.h
+ossl_provider.o: $(hdrdir)/ruby/internal/fl_type.h
+ossl_provider.o: $(hdrdir)/ruby/internal/gc.h
+ossl_provider.o: $(hdrdir)/ruby/internal/glob.h
+ossl_provider.o: $(hdrdir)/ruby/internal/globals.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/attribute.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/builtin.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/c_attribute.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/cpp_attribute.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/declspec_attribute.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/extension.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/feature.h
+ossl_provider.o: $(hdrdir)/ruby/internal/has/warning.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/array.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/bignum.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/class.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/compar.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/complex.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/cont.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/dir.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/enum.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/enumerator.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/error.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/eval.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/file.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/hash.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/io.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/load.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/marshal.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/numeric.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/object.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/parse.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/proc.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/process.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/random.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/range.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/rational.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/re.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/ruby.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/select.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/select/largesize.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/signal.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/sprintf.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/string.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/struct.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/thread.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/time.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/variable.h
+ossl_provider.o: $(hdrdir)/ruby/internal/intern/vm.h
+ossl_provider.o: $(hdrdir)/ruby/internal/interpreter.h
+ossl_provider.o: $(hdrdir)/ruby/internal/iterator.h
+ossl_provider.o: $(hdrdir)/ruby/internal/memory.h
+ossl_provider.o: $(hdrdir)/ruby/internal/method.h
+ossl_provider.o: $(hdrdir)/ruby/internal/module.h
+ossl_provider.o: $(hdrdir)/ruby/internal/newobj.h
+ossl_provider.o: $(hdrdir)/ruby/internal/scan_args.h
+ossl_provider.o: $(hdrdir)/ruby/internal/special_consts.h
+ossl_provider.o: $(hdrdir)/ruby/internal/static_assert.h
+ossl_provider.o: $(hdrdir)/ruby/internal/stdalign.h
+ossl_provider.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_provider.o: $(hdrdir)/ruby/internal/stdckdint.h
+ossl_provider.o: $(hdrdir)/ruby/internal/symbol.h
+ossl_provider.o: $(hdrdir)/ruby/internal/value.h
+ossl_provider.o: $(hdrdir)/ruby/internal/value_type.h
+ossl_provider.o: $(hdrdir)/ruby/internal/variable.h
+ossl_provider.o: $(hdrdir)/ruby/internal/warning_push.h
+ossl_provider.o: $(hdrdir)/ruby/internal/xmalloc.h
+ossl_provider.o: $(hdrdir)/ruby/io.h
+ossl_provider.o: $(hdrdir)/ruby/missing.h
+ossl_provider.o: $(hdrdir)/ruby/onigmo.h
+ossl_provider.o: $(hdrdir)/ruby/oniguruma.h
+ossl_provider.o: $(hdrdir)/ruby/ruby.h
+ossl_provider.o: $(hdrdir)/ruby/st.h
+ossl_provider.o: $(hdrdir)/ruby/subst.h
+ossl_provider.o: $(hdrdir)/ruby/thread.h
+ossl_provider.o: openssl_missing.h
+ossl_provider.o: ossl.h
+ossl_provider.o: ossl_asn1.h
+ossl_provider.o: ossl_bio.h
+ossl_provider.o: ossl_bn.h
+ossl_provider.o: ossl_cipher.h
+ossl_provider.o: ossl_config.h
+ossl_provider.o: ossl_digest.h
+ossl_provider.o: ossl_engine.h
+ossl_provider.o: ossl_hmac.h
+ossl_provider.o: ossl_kdf.h
+ossl_provider.o: ossl_ns_spki.h
+ossl_provider.o: ossl_ocsp.h
+ossl_provider.o: ossl_pkcs12.h
+ossl_provider.o: ossl_pkcs7.h
+ossl_provider.o: ossl_pkey.h
+ossl_provider.o: ossl_provider.c
+ossl_provider.o: ossl_provider.h
+ossl_provider.o: ossl_rand.h
+ossl_provider.o: ossl_ssl.h
+ossl_provider.o: ossl_ts.h
+ossl_provider.o: ossl_x509.h
ossl_rand.o: $(RUBY_EXTCONF_H)
ossl_rand.o: $(arch_hdrdir)/ruby/config.h
ossl_rand.o: $(hdrdir)/ruby.h
@@ -3547,7 +3912,6 @@ ossl_rand.o: $(hdrdir)/ruby/backward.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_rand.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_rand.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -3556,6 +3920,7 @@ ossl_rand.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_rand.o: $(hdrdir)/ruby/defines.h
ossl_rand.o: $(hdrdir)/ruby/encoding.h
ossl_rand.o: $(hdrdir)/ruby/intern.h
+ossl_rand.o: $(hdrdir)/ruby/internal/abi.h
ossl_rand.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_rand.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_rand.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3593,6 +3958,7 @@ ossl_rand.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_rand.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_rand.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3625,6 +3991,15 @@ ossl_rand.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_rand.o: $(hdrdir)/ruby/internal/ctype.h
ossl_rand.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_rand.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_rand.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_rand.o: $(hdrdir)/ruby/internal/error.h
ossl_rand.o: $(hdrdir)/ruby/internal/eval.h
ossl_rand.o: $(hdrdir)/ruby/internal/event.h
@@ -3652,7 +4027,6 @@ ossl_rand.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_rand.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_rand.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -3683,12 +4057,12 @@ ossl_rand.o: $(hdrdir)/ruby/internal/memory.h
ossl_rand.o: $(hdrdir)/ruby/internal/method.h
ossl_rand.o: $(hdrdir)/ruby/internal/module.h
ossl_rand.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_rand.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_rand.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_rand.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_rand.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_rand.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_rand.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_rand.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_rand.o: $(hdrdir)/ruby/internal/symbol.h
ossl_rand.o: $(hdrdir)/ruby/internal/value.h
ossl_rand.o: $(hdrdir)/ruby/internal/value_type.h
@@ -3719,12 +4093,12 @@ ossl_rand.o: ossl_ocsp.h
ossl_rand.o: ossl_pkcs12.h
ossl_rand.o: ossl_pkcs7.h
ossl_rand.o: ossl_pkey.h
+ossl_rand.o: ossl_provider.h
ossl_rand.o: ossl_rand.c
ossl_rand.o: ossl_rand.h
ossl_rand.o: ossl_ssl.h
ossl_rand.o: ossl_ts.h
ossl_rand.o: ossl_x509.h
-ossl_rand.o: ruby_missing.h
ossl_ssl.o: $(RUBY_EXTCONF_H)
ossl_ssl.o: $(arch_hdrdir)/ruby/config.h
ossl_ssl.o: $(hdrdir)/ruby.h
@@ -3733,7 +4107,6 @@ ossl_ssl.o: $(hdrdir)/ruby/backward.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_ssl.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_ssl.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -3742,6 +4115,7 @@ ossl_ssl.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_ssl.o: $(hdrdir)/ruby/defines.h
ossl_ssl.o: $(hdrdir)/ruby/encoding.h
ossl_ssl.o: $(hdrdir)/ruby/intern.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/abi.h
ossl_ssl.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_ssl.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_ssl.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3779,6 +4153,7 @@ ossl_ssl.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_ssl.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3811,6 +4186,15 @@ ossl_ssl.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_ssl.o: $(hdrdir)/ruby/internal/ctype.h
ossl_ssl.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_ssl.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_ssl.o: $(hdrdir)/ruby/internal/error.h
ossl_ssl.o: $(hdrdir)/ruby/internal/eval.h
ossl_ssl.o: $(hdrdir)/ruby/internal/event.h
@@ -3838,7 +4222,6 @@ ossl_ssl.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_ssl.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_ssl.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -3869,12 +4252,12 @@ ossl_ssl.o: $(hdrdir)/ruby/internal/memory.h
ossl_ssl.o: $(hdrdir)/ruby/internal/method.h
ossl_ssl.o: $(hdrdir)/ruby/internal/module.h
ossl_ssl.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_ssl.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_ssl.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_ssl.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_ssl.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_ssl.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_ssl.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_ssl.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_ssl.o: $(hdrdir)/ruby/internal/symbol.h
ossl_ssl.o: $(hdrdir)/ruby/internal/value.h
ossl_ssl.o: $(hdrdir)/ruby/internal/value_type.h
@@ -3905,12 +4288,12 @@ ossl_ssl.o: ossl_ocsp.h
ossl_ssl.o: ossl_pkcs12.h
ossl_ssl.o: ossl_pkcs7.h
ossl_ssl.o: ossl_pkey.h
+ossl_ssl.o: ossl_provider.h
ossl_ssl.o: ossl_rand.h
ossl_ssl.o: ossl_ssl.c
ossl_ssl.o: ossl_ssl.h
ossl_ssl.o: ossl_ts.h
ossl_ssl.o: ossl_x509.h
-ossl_ssl.o: ruby_missing.h
ossl_ssl_session.o: $(RUBY_EXTCONF_H)
ossl_ssl_session.o: $(arch_hdrdir)/ruby/config.h
ossl_ssl_session.o: $(hdrdir)/ruby.h
@@ -3919,7 +4302,6 @@ ossl_ssl_session.o: $(hdrdir)/ruby/backward.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -3928,6 +4310,7 @@ ossl_ssl_session.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_ssl_session.o: $(hdrdir)/ruby/defines.h
ossl_ssl_session.o: $(hdrdir)/ruby/encoding.h
ossl_ssl_session.o: $(hdrdir)/ruby/intern.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/abi.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -3965,6 +4348,7 @@ ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -3997,6 +4381,15 @@ ossl_ssl_session.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/ctype.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/error.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/eval.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/event.h
@@ -4024,7 +4417,6 @@ ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4055,12 +4447,12 @@ ossl_ssl_session.o: $(hdrdir)/ruby/internal/memory.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/method.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/module.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_ssl_session.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_ssl_session.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/symbol.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/value.h
ossl_ssl_session.o: $(hdrdir)/ruby/internal/value_type.h
@@ -4091,12 +4483,12 @@ ossl_ssl_session.o: ossl_ocsp.h
ossl_ssl_session.o: ossl_pkcs12.h
ossl_ssl_session.o: ossl_pkcs7.h
ossl_ssl_session.o: ossl_pkey.h
+ossl_ssl_session.o: ossl_provider.h
ossl_ssl_session.o: ossl_rand.h
ossl_ssl_session.o: ossl_ssl.h
ossl_ssl_session.o: ossl_ssl_session.c
ossl_ssl_session.o: ossl_ts.h
ossl_ssl_session.o: ossl_x509.h
-ossl_ssl_session.o: ruby_missing.h
ossl_ts.o: $(RUBY_EXTCONF_H)
ossl_ts.o: $(arch_hdrdir)/ruby/config.h
ossl_ts.o: $(hdrdir)/ruby.h
@@ -4105,7 +4497,6 @@ ossl_ts.o: $(hdrdir)/ruby/backward.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_ts.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_ts.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -4114,6 +4505,7 @@ ossl_ts.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_ts.o: $(hdrdir)/ruby/defines.h
ossl_ts.o: $(hdrdir)/ruby/encoding.h
ossl_ts.o: $(hdrdir)/ruby/intern.h
+ossl_ts.o: $(hdrdir)/ruby/internal/abi.h
ossl_ts.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_ts.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_ts.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -4151,6 +4543,7 @@ ossl_ts.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_ts.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_ts.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -4183,6 +4576,15 @@ ossl_ts.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_ts.o: $(hdrdir)/ruby/internal/ctype.h
ossl_ts.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_ts.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_ts.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_ts.o: $(hdrdir)/ruby/internal/error.h
ossl_ts.o: $(hdrdir)/ruby/internal/eval.h
ossl_ts.o: $(hdrdir)/ruby/internal/event.h
@@ -4210,7 +4612,6 @@ ossl_ts.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_ts.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_ts.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4241,12 +4642,12 @@ ossl_ts.o: $(hdrdir)/ruby/internal/memory.h
ossl_ts.o: $(hdrdir)/ruby/internal/method.h
ossl_ts.o: $(hdrdir)/ruby/internal/module.h
ossl_ts.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_ts.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_ts.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_ts.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_ts.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_ts.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_ts.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_ts.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_ts.o: $(hdrdir)/ruby/internal/symbol.h
ossl_ts.o: $(hdrdir)/ruby/internal/value.h
ossl_ts.o: $(hdrdir)/ruby/internal/value_type.h
@@ -4277,12 +4678,12 @@ ossl_ts.o: ossl_ocsp.h
ossl_ts.o: ossl_pkcs12.h
ossl_ts.o: ossl_pkcs7.h
ossl_ts.o: ossl_pkey.h
+ossl_ts.o: ossl_provider.h
ossl_ts.o: ossl_rand.h
ossl_ts.o: ossl_ssl.h
ossl_ts.o: ossl_ts.c
ossl_ts.o: ossl_ts.h
ossl_ts.o: ossl_x509.h
-ossl_ts.o: ruby_missing.h
ossl_x509.o: $(RUBY_EXTCONF_H)
ossl_x509.o: $(arch_hdrdir)/ruby/config.h
ossl_x509.o: $(hdrdir)/ruby.h
@@ -4291,7 +4692,6 @@ ossl_x509.o: $(hdrdir)/ruby/backward.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -4300,6 +4700,7 @@ ossl_x509.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509.o: $(hdrdir)/ruby/defines.h
ossl_x509.o: $(hdrdir)/ruby/encoding.h
ossl_x509.o: $(hdrdir)/ruby/intern.h
+ossl_x509.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -4337,6 +4738,7 @@ ossl_x509.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -4369,6 +4771,15 @@ ossl_x509.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509.o: $(hdrdir)/ruby/internal/error.h
ossl_x509.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509.o: $(hdrdir)/ruby/internal/event.h
@@ -4396,7 +4807,6 @@ ossl_x509.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4427,12 +4837,12 @@ ossl_x509.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509.o: $(hdrdir)/ruby/internal/method.h
ossl_x509.o: $(hdrdir)/ruby/internal/module.h
ossl_x509.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509.o: $(hdrdir)/ruby/internal/value.h
ossl_x509.o: $(hdrdir)/ruby/internal/value_type.h
@@ -4463,12 +4873,12 @@ ossl_x509.o: ossl_ocsp.h
ossl_x509.o: ossl_pkcs12.h
ossl_x509.o: ossl_pkcs7.h
ossl_x509.o: ossl_pkey.h
+ossl_x509.o: ossl_provider.h
ossl_x509.o: ossl_rand.h
ossl_x509.o: ossl_ssl.h
ossl_x509.o: ossl_ts.h
ossl_x509.o: ossl_x509.c
ossl_x509.o: ossl_x509.h
-ossl_x509.o: ruby_missing.h
ossl_x509attr.o: $(RUBY_EXTCONF_H)
ossl_x509attr.o: $(arch_hdrdir)/ruby/config.h
ossl_x509attr.o: $(hdrdir)/ruby.h
@@ -4477,7 +4887,6 @@ ossl_x509attr.o: $(hdrdir)/ruby/backward.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509attr.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509attr.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -4486,6 +4895,7 @@ ossl_x509attr.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509attr.o: $(hdrdir)/ruby/defines.h
ossl_x509attr.o: $(hdrdir)/ruby/encoding.h
ossl_x509attr.o: $(hdrdir)/ruby/intern.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -4523,6 +4933,7 @@ ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -4555,6 +4966,15 @@ ossl_x509attr.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/error.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/event.h
@@ -4582,7 +5002,6 @@ ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4613,12 +5032,12 @@ ossl_x509attr.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/method.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/module.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509attr.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509attr.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/value.h
ossl_x509attr.o: $(hdrdir)/ruby/internal/value_type.h
@@ -4649,12 +5068,12 @@ ossl_x509attr.o: ossl_ocsp.h
ossl_x509attr.o: ossl_pkcs12.h
ossl_x509attr.o: ossl_pkcs7.h
ossl_x509attr.o: ossl_pkey.h
+ossl_x509attr.o: ossl_provider.h
ossl_x509attr.o: ossl_rand.h
ossl_x509attr.o: ossl_ssl.h
ossl_x509attr.o: ossl_ts.h
ossl_x509attr.o: ossl_x509.h
ossl_x509attr.o: ossl_x509attr.c
-ossl_x509attr.o: ruby_missing.h
ossl_x509cert.o: $(RUBY_EXTCONF_H)
ossl_x509cert.o: $(arch_hdrdir)/ruby/config.h
ossl_x509cert.o: $(hdrdir)/ruby.h
@@ -4663,7 +5082,6 @@ ossl_x509cert.o: $(hdrdir)/ruby/backward.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509cert.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509cert.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -4672,6 +5090,7 @@ ossl_x509cert.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509cert.o: $(hdrdir)/ruby/defines.h
ossl_x509cert.o: $(hdrdir)/ruby/encoding.h
ossl_x509cert.o: $(hdrdir)/ruby/intern.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -4709,6 +5128,7 @@ ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -4741,6 +5161,15 @@ ossl_x509cert.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/error.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/event.h
@@ -4768,7 +5197,6 @@ ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4799,12 +5227,12 @@ ossl_x509cert.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/method.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/module.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509cert.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509cert.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/value.h
ossl_x509cert.o: $(hdrdir)/ruby/internal/value_type.h
@@ -4835,12 +5263,12 @@ ossl_x509cert.o: ossl_ocsp.h
ossl_x509cert.o: ossl_pkcs12.h
ossl_x509cert.o: ossl_pkcs7.h
ossl_x509cert.o: ossl_pkey.h
+ossl_x509cert.o: ossl_provider.h
ossl_x509cert.o: ossl_rand.h
ossl_x509cert.o: ossl_ssl.h
ossl_x509cert.o: ossl_ts.h
ossl_x509cert.o: ossl_x509.h
ossl_x509cert.o: ossl_x509cert.c
-ossl_x509cert.o: ruby_missing.h
ossl_x509crl.o: $(RUBY_EXTCONF_H)
ossl_x509crl.o: $(arch_hdrdir)/ruby/config.h
ossl_x509crl.o: $(hdrdir)/ruby.h
@@ -4849,7 +5277,6 @@ ossl_x509crl.o: $(hdrdir)/ruby/backward.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509crl.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509crl.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -4858,6 +5285,7 @@ ossl_x509crl.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509crl.o: $(hdrdir)/ruby/defines.h
ossl_x509crl.o: $(hdrdir)/ruby/encoding.h
ossl_x509crl.o: $(hdrdir)/ruby/intern.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -4895,6 +5323,7 @@ ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -4927,6 +5356,15 @@ ossl_x509crl.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/error.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/event.h
@@ -4954,7 +5392,6 @@ ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -4985,12 +5422,12 @@ ossl_x509crl.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/method.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/module.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509crl.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509crl.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/value.h
ossl_x509crl.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5021,12 +5458,12 @@ ossl_x509crl.o: ossl_ocsp.h
ossl_x509crl.o: ossl_pkcs12.h
ossl_x509crl.o: ossl_pkcs7.h
ossl_x509crl.o: ossl_pkey.h
+ossl_x509crl.o: ossl_provider.h
ossl_x509crl.o: ossl_rand.h
ossl_x509crl.o: ossl_ssl.h
ossl_x509crl.o: ossl_ts.h
ossl_x509crl.o: ossl_x509.h
ossl_x509crl.o: ossl_x509crl.c
-ossl_x509crl.o: ruby_missing.h
ossl_x509ext.o: $(RUBY_EXTCONF_H)
ossl_x509ext.o: $(arch_hdrdir)/ruby/config.h
ossl_x509ext.o: $(hdrdir)/ruby.h
@@ -5035,7 +5472,6 @@ ossl_x509ext.o: $(hdrdir)/ruby/backward.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509ext.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509ext.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -5044,6 +5480,7 @@ ossl_x509ext.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509ext.o: $(hdrdir)/ruby/defines.h
ossl_x509ext.o: $(hdrdir)/ruby/encoding.h
ossl_x509ext.o: $(hdrdir)/ruby/intern.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -5081,6 +5518,7 @@ ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -5113,6 +5551,15 @@ ossl_x509ext.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/error.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/event.h
@@ -5140,7 +5587,6 @@ ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -5171,12 +5617,12 @@ ossl_x509ext.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/method.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/module.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509ext.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509ext.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/value.h
ossl_x509ext.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5207,12 +5653,12 @@ ossl_x509ext.o: ossl_ocsp.h
ossl_x509ext.o: ossl_pkcs12.h
ossl_x509ext.o: ossl_pkcs7.h
ossl_x509ext.o: ossl_pkey.h
+ossl_x509ext.o: ossl_provider.h
ossl_x509ext.o: ossl_rand.h
ossl_x509ext.o: ossl_ssl.h
ossl_x509ext.o: ossl_ts.h
ossl_x509ext.o: ossl_x509.h
ossl_x509ext.o: ossl_x509ext.c
-ossl_x509ext.o: ruby_missing.h
ossl_x509name.o: $(RUBY_EXTCONF_H)
ossl_x509name.o: $(arch_hdrdir)/ruby/config.h
ossl_x509name.o: $(hdrdir)/ruby.h
@@ -5221,7 +5667,6 @@ ossl_x509name.o: $(hdrdir)/ruby/backward.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509name.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509name.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -5230,6 +5675,7 @@ ossl_x509name.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509name.o: $(hdrdir)/ruby/defines.h
ossl_x509name.o: $(hdrdir)/ruby/encoding.h
ossl_x509name.o: $(hdrdir)/ruby/intern.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509name.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509name.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509name.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -5267,6 +5713,7 @@ ossl_x509name.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509name.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -5299,6 +5746,15 @@ ossl_x509name.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509name.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509name.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509name.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509name.o: $(hdrdir)/ruby/internal/error.h
ossl_x509name.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509name.o: $(hdrdir)/ruby/internal/event.h
@@ -5326,7 +5782,6 @@ ossl_x509name.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509name.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509name.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -5357,12 +5812,12 @@ ossl_x509name.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509name.o: $(hdrdir)/ruby/internal/method.h
ossl_x509name.o: $(hdrdir)/ruby/internal/module.h
ossl_x509name.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509name.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509name.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509name.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509name.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509name.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509name.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509name.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509name.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509name.o: $(hdrdir)/ruby/internal/value.h
ossl_x509name.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5393,12 +5848,12 @@ ossl_x509name.o: ossl_ocsp.h
ossl_x509name.o: ossl_pkcs12.h
ossl_x509name.o: ossl_pkcs7.h
ossl_x509name.o: ossl_pkey.h
+ossl_x509name.o: ossl_provider.h
ossl_x509name.o: ossl_rand.h
ossl_x509name.o: ossl_ssl.h
ossl_x509name.o: ossl_ts.h
ossl_x509name.o: ossl_x509.h
ossl_x509name.o: ossl_x509name.c
-ossl_x509name.o: ruby_missing.h
ossl_x509req.o: $(RUBY_EXTCONF_H)
ossl_x509req.o: $(arch_hdrdir)/ruby/config.h
ossl_x509req.o: $(hdrdir)/ruby.h
@@ -5407,7 +5862,6 @@ ossl_x509req.o: $(hdrdir)/ruby/backward.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509req.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509req.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -5416,6 +5870,7 @@ ossl_x509req.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509req.o: $(hdrdir)/ruby/defines.h
ossl_x509req.o: $(hdrdir)/ruby/encoding.h
ossl_x509req.o: $(hdrdir)/ruby/intern.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509req.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509req.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509req.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -5453,6 +5908,7 @@ ossl_x509req.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509req.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -5485,6 +5941,15 @@ ossl_x509req.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509req.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509req.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509req.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509req.o: $(hdrdir)/ruby/internal/error.h
ossl_x509req.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509req.o: $(hdrdir)/ruby/internal/event.h
@@ -5512,7 +5977,6 @@ ossl_x509req.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509req.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509req.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -5543,12 +6007,12 @@ ossl_x509req.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509req.o: $(hdrdir)/ruby/internal/method.h
ossl_x509req.o: $(hdrdir)/ruby/internal/module.h
ossl_x509req.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509req.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509req.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509req.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509req.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509req.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509req.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509req.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509req.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509req.o: $(hdrdir)/ruby/internal/value.h
ossl_x509req.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5579,12 +6043,12 @@ ossl_x509req.o: ossl_ocsp.h
ossl_x509req.o: ossl_pkcs12.h
ossl_x509req.o: ossl_pkcs7.h
ossl_x509req.o: ossl_pkey.h
+ossl_x509req.o: ossl_provider.h
ossl_x509req.o: ossl_rand.h
ossl_x509req.o: ossl_ssl.h
ossl_x509req.o: ossl_ts.h
ossl_x509req.o: ossl_x509.h
ossl_x509req.o: ossl_x509req.c
-ossl_x509req.o: ruby_missing.h
ossl_x509revoked.o: $(RUBY_EXTCONF_H)
ossl_x509revoked.o: $(arch_hdrdir)/ruby/config.h
ossl_x509revoked.o: $(hdrdir)/ruby.h
@@ -5593,7 +6057,6 @@ ossl_x509revoked.o: $(hdrdir)/ruby/backward.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -5602,6 +6065,7 @@ ossl_x509revoked.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509revoked.o: $(hdrdir)/ruby/defines.h
ossl_x509revoked.o: $(hdrdir)/ruby/encoding.h
ossl_x509revoked.o: $(hdrdir)/ruby/intern.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -5639,6 +6103,7 @@ ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -5671,6 +6136,15 @@ ossl_x509revoked.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/error.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/event.h
@@ -5698,7 +6172,6 @@ ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -5729,12 +6202,12 @@ ossl_x509revoked.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/method.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/module.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509revoked.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509revoked.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/value.h
ossl_x509revoked.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5765,12 +6238,12 @@ ossl_x509revoked.o: ossl_ocsp.h
ossl_x509revoked.o: ossl_pkcs12.h
ossl_x509revoked.o: ossl_pkcs7.h
ossl_x509revoked.o: ossl_pkey.h
+ossl_x509revoked.o: ossl_provider.h
ossl_x509revoked.o: ossl_rand.h
ossl_x509revoked.o: ossl_ssl.h
ossl_x509revoked.o: ossl_ts.h
ossl_x509revoked.o: ossl_x509.h
ossl_x509revoked.o: ossl_x509revoked.c
-ossl_x509revoked.o: ruby_missing.h
ossl_x509store.o: $(RUBY_EXTCONF_H)
ossl_x509store.o: $(arch_hdrdir)/ruby/config.h
ossl_x509store.o: $(hdrdir)/ruby.h
@@ -5779,7 +6252,6 @@ ossl_x509store.o: $(hdrdir)/ruby/backward.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/assume.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/attributes.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/bool.h
-ossl_x509store.o: $(hdrdir)/ruby/backward/2/gcc_version_since.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/inttypes.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/limits.h
ossl_x509store.o: $(hdrdir)/ruby/backward/2/long_long.h
@@ -5788,6 +6260,7 @@ ossl_x509store.o: $(hdrdir)/ruby/backward/2/stdarg.h
ossl_x509store.o: $(hdrdir)/ruby/defines.h
ossl_x509store.o: $(hdrdir)/ruby/encoding.h
ossl_x509store.o: $(hdrdir)/ruby/intern.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/abi.h
ossl_x509store.o: $(hdrdir)/ruby/internal/anyargs.h
ossl_x509store.o: $(hdrdir)/ruby/internal/arithmetic.h
ossl_x509store.o: $(hdrdir)/ruby/internal/arithmetic/char.h
@@ -5825,6 +6298,7 @@ ossl_x509store.o: $(hdrdir)/ruby/internal/attr/noexcept.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/noinline.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/nonnull.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/noreturn.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/attr/packed_struct.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/pure.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/restrict.h
ossl_x509store.o: $(hdrdir)/ruby/internal/attr/returns_nonnull.h
@@ -5857,6 +6331,15 @@ ossl_x509store.o: $(hdrdir)/ruby/internal/core/rtypeddata.h
ossl_x509store.o: $(hdrdir)/ruby/internal/ctype.h
ossl_x509store.o: $(hdrdir)/ruby/internal/dllexport.h
ossl_x509store.o: $(hdrdir)/ruby/internal/dosish.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/coderange.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/ctype.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/encoding.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/pathname.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/re.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/sprintf.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/string.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/symbol.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/encoding/transcode.h
ossl_x509store.o: $(hdrdir)/ruby/internal/error.h
ossl_x509store.o: $(hdrdir)/ruby/internal/eval.h
ossl_x509store.o: $(hdrdir)/ruby/internal/event.h
@@ -5884,7 +6367,6 @@ ossl_x509store.o: $(hdrdir)/ruby/internal/intern/enumerator.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/error.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/eval.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/file.h
-ossl_x509store.o: $(hdrdir)/ruby/internal/intern/gc.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/hash.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/io.h
ossl_x509store.o: $(hdrdir)/ruby/internal/intern/load.h
@@ -5915,12 +6397,12 @@ ossl_x509store.o: $(hdrdir)/ruby/internal/memory.h
ossl_x509store.o: $(hdrdir)/ruby/internal/method.h
ossl_x509store.o: $(hdrdir)/ruby/internal/module.h
ossl_x509store.o: $(hdrdir)/ruby/internal/newobj.h
-ossl_x509store.o: $(hdrdir)/ruby/internal/rgengc.h
ossl_x509store.o: $(hdrdir)/ruby/internal/scan_args.h
ossl_x509store.o: $(hdrdir)/ruby/internal/special_consts.h
ossl_x509store.o: $(hdrdir)/ruby/internal/static_assert.h
ossl_x509store.o: $(hdrdir)/ruby/internal/stdalign.h
ossl_x509store.o: $(hdrdir)/ruby/internal/stdbool.h
+ossl_x509store.o: $(hdrdir)/ruby/internal/stdckdint.h
ossl_x509store.o: $(hdrdir)/ruby/internal/symbol.h
ossl_x509store.o: $(hdrdir)/ruby/internal/value.h
ossl_x509store.o: $(hdrdir)/ruby/internal/value_type.h
@@ -5951,10 +6433,10 @@ ossl_x509store.o: ossl_ocsp.h
ossl_x509store.o: ossl_pkcs12.h
ossl_x509store.o: ossl_pkcs7.h
ossl_x509store.o: ossl_pkey.h
+ossl_x509store.o: ossl_provider.h
ossl_x509store.o: ossl_rand.h
ossl_x509store.o: ossl_ssl.h
ossl_x509store.o: ossl_ts.h
ossl_x509store.o: ossl_x509.h
ossl_x509store.o: ossl_x509store.c
-ossl_x509store.o: ruby_missing.h
# AUTOGENERATED DEPENDENCIES END
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index d5e0470ce8..dd3732d0a8 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -13,18 +13,36 @@
require "mkmf"
-dir_config("openssl")
+ssl_dirs = dir_config("openssl")
+dir_config_given = ssl_dirs.any?
+
+_, ssl_ldir = ssl_dirs
+if ssl_ldir&.split(File::PATH_SEPARATOR)&.none? { |dir| File.directory?(dir) }
+ # According to the `mkmf.rb#dir_config`, the `--with-openssl-dir=<dir>` uses
+ # the value of the `File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])` as a
+ # loaded library directory name.
+ ruby_ldir_name = File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])
+
+ raise "OpenSSL library directory could not be found in '#{ssl_ldir}'. " \
+ "You might want to fix this error in one of the following ways.\n" \
+ " * Recompile OpenSSL by configuring it with --libdir=#{ruby_ldir_name} " \
+ " to specify the OpenSSL library directory.\n" \
+ " * Recompile Ruby by configuring it with --libdir=<dir> to specify the " \
+ "Ruby library directory.\n" \
+ " * Compile this openssl gem with --with-openssl-include=<dir> and " \
+ "--with-openssl-lib=<dir> options to specify the OpenSSL include and " \
+ "library directories."
+end
+
dir_config("kerberos")
Logging::message "=== OpenSSL for Ruby configurator ===\n"
-##
-# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
-# To turn it on, use: --with-debug or --enable-debug
-#
-if with_config("debug") or enable_config("debug")
- $defs.push("-DOSSL_DEBUG")
-end
+$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
+
+have_func("rb_io_descriptor")
+have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
+have_func("rb_io_timeout", "ruby/io.h")
Logging::message "=== Checking for system dependent stuff... ===\n"
have_library("nsl", "t_open")
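Review bot: The unconditional `$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")` carries no comment, so a reader cannot tell why deprecation warnings are silenced for the whole extension or why the literal is written in two pieces. With the macro defined, a build no longer warns when the C sources call APIs the library marks as deprecated, so those call sites become easy to lose track of. I would add a comment above the line, for example `# Silence OpenSSL deprecation warnings for now; legacy APIs are still called for older libraries (TODO: remove once migrated)`, with the wording checked against the actual reason. Separately, the new error text joins `--libdir=#{ruby_ldir_name} "` and `" to specify`, which prints two consecutive spaces.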
@@ -33,9 +51,6 @@ if $mswin || $mingw
have_library("ws2_32")
end
-Logging::message "=== Checking for required stuff... ===\n"
-result = pkg_config("openssl") && have_header("openssl/ssl.h")
-
if $mingw
append_cflags '-D_FORTIFY_SOURCE=2'
append_ldflags '-fstack-protector'
@@ -92,90 +107,111 @@ def find_openssl_library
return false
end
-unless result
- unless find_openssl_library
- Logging::message "=== Checking for required stuff failed. ===\n"
- Logging::message "Makefile wasn't created. Fix the errors above.\n"
- raise "OpenSSL library could not be found. You might want to use " \
- "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
- "is installed."
- end
+Logging::message "=== Checking for required stuff... ===\n"
+pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h")
+
+if !pkg_config_found && !find_openssl_library
+ Logging::message "=== Checking for required stuff failed. ===\n"
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
+ raise "OpenSSL library could not be found. You might want to use " \
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
+ "is installed."
+end
+
+version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
+ is_libressl = true
+ checking_for("LibreSSL version >= 3.1.0") {
+ try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
+else
+ checking_for("OpenSSL version >= 1.0.2") {
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
+end
+unless version_ok
+ raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
end
-unless checking_for("OpenSSL version is 1.0.1 or later") {
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
- raise "OpenSSL >= 1.0.1 or LibreSSL is required"
+# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
+if is_libressl && ($mswin || $mingw)
+ $defs.push("-DNOCRYPT")
end
Logging::message "=== Checking for OpenSSL features... ===\n"
+evp_h = "openssl/evp.h".freeze
+x509_h = "openssl/x509.h".freeze
+ts_h = "openssl/ts.h".freeze
+ssl_h = "openssl/ssl.h".freeze
+
# compile options
-have_func("RAND_egd")
+have_func("RAND_egd()", "openssl/rand.h")
engines = %w{dynamic 4758cca aep atalla chil
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
engines.each { |name|
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
}
-if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
- $defs.push("-DNOCRYPT")
-end
-
-# added in 1.0.2
-have_func("EC_curve_nist2nid")
-have_func("X509_REVOKED_dup")
-have_func("X509_STORE_CTX_get0_store")
-have_func("SSL_CTX_set_alpn_select_cb")
-have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_is_server")
-
# added in 1.1.0
-if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
- try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
$defs.push("-DHAVE_OPAQUE_OPENSSL")
end
-have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
-have_func("BN_GENCB_new")
-have_func("BN_GENCB_free")
-have_func("BN_GENCB_get_arg")
-have_func("EVP_MD_CTX_new")
-have_func("EVP_MD_CTX_free")
-have_func("EVP_MD_CTX_pkey_ctx")
-have_func("X509_STORE_get_ex_data")
-have_func("X509_STORE_set_ex_data")
-have_func("X509_STORE_get_ex_new_index")
-have_func("X509_CRL_get0_signature")
-have_func("X509_REQ_get0_signature")
-have_func("X509_REVOKED_get0_serialNumber")
-have_func("X509_REVOKED_get0_revocationDate")
-have_func("X509_get0_tbs_sigalg")
-have_func("X509_STORE_CTX_get0_untrusted")
-have_func("X509_STORE_CTX_get0_cert")
-have_func("X509_STORE_CTX_get0_chain")
-have_func("OCSP_SINGLERESP_get0_id")
-have_func("SSL_CTX_get_ciphers")
-have_func("X509_up_ref")
-have_func("X509_CRL_up_ref")
-have_func("X509_STORE_up_ref")
-have_func("SSL_SESSION_up_ref")
-have_func("EVP_PKEY_up_ref")
-have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_CTX_get_security_level")
-have_func("X509_get0_notBefore")
-have_func("SSL_SESSION_get_protocol_version")
-have_func("TS_STATUS_INFO_get0_status")
-have_func("TS_STATUS_INFO_get0_text")
-have_func("TS_STATUS_INFO_get0_failure_info")
-have_func("TS_VERIFY_CTS_set_certs")
-have_func("TS_VERIFY_CTX_set_store")
-have_func("TS_VERIFY_CTX_add_flags")
-have_func("TS_RESP_CTX_set_time_cb")
-have_func("EVP_PBE_scrypt")
-have_func("SSL_CTX_set_post_handshake_auth")
+have_func("EVP_MD_CTX_new()", evp_h)
+have_func("EVP_MD_CTX_free(NULL)", evp_h)
+have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
+have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
+have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
+have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
+have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
+have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
+have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
+have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
+have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
+have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
+have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
+have_func("X509_up_ref(NULL)", x509_h)
+have_func("X509_CRL_up_ref(NULL)", x509_h)
+have_func("X509_STORE_up_ref(NULL)", x509_h)
+have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
+have_func("EVP_PKEY_up_ref(NULL)", evp_h)
+have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
+have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
+have_func("X509_get0_notBefore(NULL)", x509_h)
+have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
+have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
+have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
+have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
+have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
+have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
+have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
+have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
+have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
+
+# added in 1.1.1
+have_func("EVP_PKEY_check(NULL)", evp_h)
+have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
+have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
+
+# added in 3.0.0
+have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
+have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
+have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
+have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
+have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
+have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
+have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
+have_func("EVP_PKEY_dup(NULL)", evp_h)
Logging::message "=== Checking done. ===\n"
+# Append flags from environment variables.
+extcflags = ENV["RUBY_OPENSSL_EXTCFLAGS"]
+append_cflags(extcflags.split) if extcflags
+extldflags = ENV["RUBY_OPENSSL_EXTLDFLAGS"]
+append_ldflags(extldflags.split) if extldflags
+
create_header
create_makefile("openssl")
Logging::message "Done.\n"
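Review bot: `append_cflags(extcflags.split)` and `append_ldflags(extldflags.split)` near the end of this hunk split the environment values on bare whitespace, so a flag carrying a quoted path with a space is broken into pieces that are tested and appended separately. Shell-style splitting keeps such arguments intact: `append_cflags(Shellwords.split(extcflags)) if extcflags`, with `require "shellwords"` next to `require "mkmf"`, and the same for the linker flags. Because these two variables change how a cryptographic extension is compiled and linked, it would also help to record them in the log, e.g. `Logging::message "RUBY_OPENSSL_EXTCFLAGS=#{extcflags.inspect}\n"`, so that a build can be audited afterwards. Neither variable is documented in the visible part of the file.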
diff --git a/ext/openssl/lib/openssl/buffering.rb b/ext/openssl/lib/openssl/buffering.rb
index 32e04b4896..68aa7bc970 100644
--- a/ext/openssl/lib/openssl/buffering.rb
+++ b/ext/openssl/lib/openssl/buffering.rb
@@ -93,14 +93,20 @@ module OpenSSL::Buffering
nil
else
size = @rbuffer.size unless size
- ret = @rbuffer[0, size]
- @rbuffer[0, size] = ""
- ret
+ @rbuffer.slice!(0, size)
end
end
public
+ # call-seq:
+ # ssl.getbyte => 81
+ #
+ # Get the next 8bit byte from `ssl`. Returns `nil` on EOF
+ def getbyte
+ read(1)&.ord
+ end
+
##
# Reads _size_ bytes from the stream. If _buf_ is provided it must
# reference a string which will receive the data.
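Review bot: `read(1)&.ord` in the new `getbyte` depends on the encoding of the returned string, because `String#ord` decodes a character and raises ArgumentError when the byte is not valid in that encoding (a lone byte >= 0x80 in a UTF-8 string, for instance). The encoding of `@rbuffer` is set outside this hunk, so whether this triggers cannot be confirmed from here, but data read from a TLS stream is arbitrary bytes and the method should not rely on it. An encoding-independent form is `read(1)&.getbyte(0)`. The doc comment could also state that the result is an Integer in 0..255.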
@@ -223,7 +229,7 @@ module OpenSSL::Buffering
#
# Unlike IO#gets the separator must be provided if a limit is provided.
- def gets(eol=$/, limit=nil)
+ def gets(eol=$/, limit=nil, chomp: false)
idx = @rbuffer.index(eol)
until @eof
break if idx
@@ -238,7 +244,11 @@ module OpenSSL::Buffering
if size && limit && limit >= 0
size = [size, limit].min
end
- consume_rbuff(size)
+ line = consume_rbuff(size)
+ if chomp && line
+ line.chomp!(eol)
+ end
+ line
end
##
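Review bot: `line.chomp!(eol)` only accepts a String separator, while `@rbuffer.index(eol)` earlier in the same method also accepts a Regexp, so a call that works with `chomp: false` can raise TypeError once `chomp: true` is passed. Whether Regexp separators are otherwise supported is decided in the part of `gets` outside these hunks, so this needs checking against the full method. Either state in the doc comment that `chomp:` requires a String separator, or remove the text that actually matched instead of calling `chomp!` with the pattern. The comment above `gets` in the previous hunk also does not mention the new keyword; a line such as `# If _chomp_ is true, the trailing _eol_ is removed from the returned line.` would cover it.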
diff --git a/ext/openssl/lib/openssl/digest.rb b/ext/openssl/lib/openssl/digest.rb
index 2ff8398e44..0f35ddadd3 100644
--- a/ext/openssl/lib/openssl/digest.rb
+++ b/ext/openssl/lib/openssl/digest.rb
@@ -18,13 +18,9 @@ module OpenSSL
# Return the hash value computed with _name_ Digest. _name_ is either the
# long name or short name of a supported digest algorithm.
#
- # === Examples
+ # === Example
#
# OpenSSL::Digest.digest("SHA256", "abc")
- #
- # which is equivalent to:
- #
- # OpenSSL::Digest.digest('SHA256', "abc")
def self.digest(name, data)
super(data, name)
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
index be60ac2beb..0414658a10 100644
--- a/ext/openssl/lib/openssl/pkey.rb
+++ b/ext/openssl/lib/openssl/pkey.rb
@@ -11,6 +11,30 @@ module OpenSSL::PKey
include OpenSSL::Marshal
# :call-seq:
+ # dh.public_key -> dhnew
+ #
+ # Returns a new DH instance that carries just the \DH parameters.
+ #
+ # Contrary to the method name, the returned DH object contains only
+ # parameters and not the public key.
+ #
+ # This method is provided for backwards compatibility. In most cases, there
+ # is no need to call this method.
+ #
+ # For the purpose of re-generating the key pair while keeping the
+ # parameters, check OpenSSL::PKey.generate_key.
+ #
+ # Example:
+ # # OpenSSL::PKey::DH.generate by default generates a random key pair
+ # dh1 = OpenSSL::PKey::DH.generate(2048)
+ # p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
+ # dhcopy = dh1.public_key
+ # p dhcopy.priv_key #=> nil
+ def public_key
+ DH.new(to_der)
+ end
+
+ # :call-seq:
# dh.compute_key(pub_bn) -> string
#
# Returns a String containing a shared secret computed from the other
@@ -23,14 +47,204 @@ module OpenSSL::PKey
# * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by
# DH#public_key as that contains the DH parameters only.
def compute_key(pub_bn)
- peer = dup
- peer.set_key(pub_bn, nil)
- derive(peer)
+ # FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
+ # inefficient
+ obj = OpenSSL::ASN1.Sequence([
+ OpenSSL::ASN1.Sequence([
+ OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
+ OpenSSL::ASN1.Sequence([
+ OpenSSL::ASN1.Integer(p),
+ OpenSSL::ASN1.Integer(g),
+ ]),
+ ]),
+ OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
+ ])
+ derive(OpenSSL::PKey.read(obj.to_der))
+ end
+
+ # :call-seq:
+ # dh.generate_key! -> self
+ #
+ # Generates a private and public key unless a private key already exists.
+ # If this DH instance was generated from public \DH parameters (e.g. by
+ # encoding the result of DH#public_key), then this method needs to be
+ # called first in order to generate the per-session keys before performing
+ # the actual key exchange.
+ #
+ # <b>Deprecated in version 3.0</b>. This method is incompatible with
+ # OpenSSL 3.0.0 or later.
+ #
+ # See also OpenSSL::PKey.generate_key.
+ #
+ # Example:
+ # # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
+ # dh0 = OpenSSL::PKey::DH.new(2048)
+ # dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
+ # dh.generate_key!
+ # puts dh.private? # => true
+ # puts dh0.pub_key == dh.pub_key #=> false
+ #
+ # # With OpenSSL::PKey.generate_key
+ # dh0 = OpenSSL::PKey::DH.new(2048)
+ # dh = OpenSSL::PKey.generate_key(dh0)
+ # puts dh0.pub_key == dh.pub_key #=> false
+ def generate_key!
+ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
+ raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
+ "use OpenSSL::PKey.generate_key instead"
+ end
+
+ unless priv_key
+ tmp = OpenSSL::PKey.generate_key(self)
+ set_key(tmp.pub_key, tmp.priv_key)
+ end
+ self
+ end
+
+ class << self
+ # :call-seq:
+ # DH.generate(size, generator = 2) -> dh
+ #
+ # Creates a new DH instance from scratch by generating random parameters
+ # and a key pair.
+ #
+ # See also OpenSSL::PKey.generate_parameters and
+ # OpenSSL::PKey.generate_key.
+ #
+ # +size+::
+ # The desired key size in bits.
+ # +generator+::
+ # The generator.
+ def generate(size, generator = 2, &blk)
+ dhparams = OpenSSL::PKey.generate_parameters("DH", {
+ "dh_paramgen_prime_len" => size,
+ "dh_paramgen_generator" => generator,
+ }, &blk)
+ OpenSSL::PKey.generate_key(dhparams)
+ end
+
+ # Handle DH.new(size, generator) form here; new(str) and new() forms
+ # are handled by #initialize
+ def new(*args, &blk) # :nodoc:
+ if args[0].is_a?(Integer)
+ generate(*args, &blk)
+ else
+ super
+ end
+ end
end
end
class DSA
include OpenSSL::Marshal
+
+ # :call-seq:
+ # dsa.public_key -> dsanew
+ #
+ # Returns a new DSA instance that carries just the \DSA parameters and the
+ # public key.
+ #
+ # This method is provided for backwards compatibility. In most cases, there
+ # is no need to call this method.
+ #
+ # For the purpose of serializing the public key, to PEM or DER encoding of
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
+ # PKey#public_to_der.
+ def public_key
+ OpenSSL::PKey.read(public_to_der)
+ end
+
+ class << self
+ # :call-seq:
+ # DSA.generate(size) -> dsa
+ #
+ # Creates a new DSA instance by generating a private/public key pair
+ # from scratch.
+ #
+ # See also OpenSSL::PKey.generate_parameters and
+ # OpenSSL::PKey.generate_key.
+ #
+ # +size+::
+ # The desired key size in bits.
+ def generate(size, &blk)
+ # FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224),
+ # (2048,256), and (3072,256).
+ #
+ # q size is derived here with compatibility with
+ # DSA_generator_parameters_ex() which previous versions of ruby/openssl
+ # used to call.
+ qsize = size >= 2048 ? 256 : 160
+ dsaparams = OpenSSL::PKey.generate_parameters("DSA", {
+ "dsa_paramgen_bits" => size,
+ "dsa_paramgen_q_bits" => qsize,
+ }, &blk)
+ OpenSSL::PKey.generate_key(dsaparams)
+ end
+
+ # Handle DSA.new(size) form here; new(str) and new() forms
+ # are handled by #initialize
+ def new(*args, &blk) # :nodoc:
+ if args[0].is_a?(Integer)
+ generate(*args, &blk)
+ else
+ super
+ end
+ end
+ end
+
+ # :call-seq:
+ # dsa.syssign(string) -> string
+ #
+ # Computes and returns the \DSA signature of +string+, where +string+ is
+ # expected to be an already-computed message digest of the original input
+ # data. The signature is issued using the private key of this DSA instance.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
+ #
+ # +string+::
+ # A message digest of the original input data to be signed.
+ #
+ # Example:
+ # dsa = OpenSSL::PKey::DSA.new(2048)
+ # doc = "Sign me"
+ # digest = OpenSSL::Digest.digest('SHA1', doc)
+ #
+ # # With legacy #syssign and #sysverify:
+ # sig = dsa.syssign(digest)
+ # p dsa.sysverify(digest, sig) #=> true
+ #
+ # # With #sign_raw and #verify_raw:
+ # sig = dsa.sign_raw(nil, digest)
+ # p dsa.verify_raw(nil, sig, digest) #=> true
+ def syssign(string)
+ q or raise OpenSSL::PKey::DSAError, "incomplete DSA"
+ private? or raise OpenSSL::PKey::DSAError, "Private DSA key needed!"
+ begin
+ sign_raw(nil, string)
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::DSAError, $!.message
+ end
+ end
+
+ # :call-seq:
+ # dsa.sysverify(digest, sig) -> true | false
+ #
+ # Verifies whether the signature is valid given the message digest input.
+ # It does so by validating +sig+ using the public key of this DSA instance.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
+ #
+ # +digest+::
+ # A message digest of the original input data to be signed.
+ # +sig+::
+ # A \DSA signature value.
+ def sysverify(digest, sig)
+ verify_raw(nil, sig, digest)
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::DSAError, $!.message
+ end
end
if defined?(EC)
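Review bot: `DH#compute_key` places `pub_bn`, which in a key exchange is the peer's value, straight into a hand-built SubjectPublicKeyInfo, and nothing on the Ruby side checks that it is an OpenSSL::BN or within range. Any rejection of a degenerate value therefore depends on what `OpenSSL::PKey.read` and `derive` enforce in the linked library; I would say so in the method comment, e.g. `# pub_bn is peer-supplied; range checks are left to OpenSSL (PKey.read / #derive)`. Unlike `syssign` and `sysverify` later in this hunk, a failure here is not translated to the legacy error class, so if callers are expected to rescue DHError the body needs `rescue OpenSSL::PKey::PKeyError` followed by `raise OpenSSL::PKey::DHError, $!.message`. The same two remarks appear to apply to `EC#dh_compute_key` in the `@@ -46,9 +282,14 @@` hunk (ECError there).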
@@ -38,6 +252,28 @@ module OpenSSL::PKey
include OpenSSL::Marshal
# :call-seq:
+ # key.dsa_sign_asn1(data) -> String
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
+ def dsa_sign_asn1(data)
+ sign_raw(nil, data)
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::ECError, $!.message
+ end
+
+ # :call-seq:
+ # key.dsa_verify_asn1(data, sig) -> true | false
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
+ def dsa_verify_asn1(data, sig)
+ verify_raw(nil, sig, data)
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::ECError, $!.message
+ end
+
+ # :call-seq:
# ec.dh_compute_key(pubkey) -> string
#
# Derives a shared secret by ECDH. _pubkey_ must be an instance of
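Review bot: The doc comments added for `dsa_sign_asn1` and `dsa_verify_asn1` give only the deprecation notice and never say what `data` must be. Both call `sign_raw(nil, data)` / `verify_raw(nil, sig, data)`, the same form `DSA#syssign` uses in this file for an already-computed digest, so passing a raw message here would presumably sign it unhashed. I would add `# +data+ is expected to be an already-computed message digest; it is signed as-is.` to both. It is also worth stating that a malformed signature surfaces as ECError from `dsa_verify_asn1` rather than as `false`.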
@@ -46,9 +282,14 @@ module OpenSSL::PKey
# This method is provided for backwards compatibility, and calls #derive
# internally.
def dh_compute_key(pubkey)
- peer = OpenSSL::PKey::EC.new(group)
- peer.public_key = pubkey
- derive(peer)
+ obj = OpenSSL::ASN1.Sequence([
+ OpenSSL::ASN1.Sequence([
+ OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
+ group.to_der,
+ ]),
+ OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
+ ])
+ derive(OpenSSL::PKey.read(obj.to_der))
end
end
@@ -71,5 +312,160 @@ module OpenSSL::PKey
class RSA
include OpenSSL::Marshal
+
+ # :call-seq:
+ # rsa.public_key -> rsanew
+ #
+ # Returns a new RSA instance that carries just the public key components.
+ #
+ # This method is provided for backwards compatibility. In most cases, there
+ # is no need to call this method.
+ #
+ # For the purpose of serializing the public key, to PEM or DER encoding of
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
+ # PKey#public_to_der.
+ def public_key
+ OpenSSL::PKey.read(public_to_der)
+ end
+
+ class << self
+ # :call-seq:
+ # RSA.generate(size, exponent = 65537) -> RSA
+ #
+ # Generates an \RSA keypair.
+ #
+ # See also OpenSSL::PKey.generate_key.
+ #
+ # +size+::
+ # The desired key size in bits.
+ # +exponent+::
+ # An odd Integer, normally 3, 17, or 65537.
+ def generate(size, exp = 0x10001, &blk)
+ OpenSSL::PKey.generate_key("RSA", {
+ "rsa_keygen_bits" => size,
+ "rsa_keygen_pubexp" => exp,
+ }, &blk)
+ end
+
+ # Handle RSA.new(size, exponent) form here; new(str) and new() forms
+ # are handled by #initialize
+ def new(*args, &blk) # :nodoc:
+ if args[0].is_a?(Integer)
+ generate(*args, &blk)
+ else
+ super
+ end
+ end
+ end
+
+ # :call-seq:
+ # rsa.private_encrypt(string) -> String
+ # rsa.private_encrypt(string, padding) -> String
+ #
+ # Encrypt +string+ with the private key. +padding+ defaults to
+ # PKCS1_PADDING, which is known to be insecure but is kept for backwards
+ # compatibility. The encrypted string output can be decrypted using
+ # #public_decrypt.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
+ # PKey::PKey#verify_recover instead.
+ def private_encrypt(string, padding = PKCS1_PADDING)
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
+ private? or raise OpenSSL::PKey::RSAError, "private key needed."
+ begin
+ sign_raw(nil, string, {
+ "rsa_padding_mode" => translate_padding_mode(padding),
+ })
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::RSAError, $!.message
+ end
+ end
+
+ # :call-seq:
+ # rsa.public_decrypt(string) -> String
+ # rsa.public_decrypt(string, padding) -> String
+ #
+ # Decrypt +string+, which has been encrypted with the private key, with the
+ # public key. +padding+ defaults to PKCS1_PADDING which is known to be
+ # insecure but is kept for backwards compatibility.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
+ # PKey::PKey#verify_recover instead.
+ def public_decrypt(string, padding = PKCS1_PADDING)
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
+ begin
+ verify_recover(nil, string, {
+ "rsa_padding_mode" => translate_padding_mode(padding),
+ })
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::RSAError, $!.message
+ end
+ end
+
+ # :call-seq:
+ # rsa.public_encrypt(string) -> String
+ # rsa.public_encrypt(string, padding) -> String
+ #
+ # Encrypt +string+ with the public key. +padding+ defaults to
+ # PKCS1_PADDING, which is known to be insecure but is kept for backwards
+ # compatibility. The encrypted string output can be decrypted using
+ # #private_decrypt.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
+ def public_encrypt(data, padding = PKCS1_PADDING)
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
+ begin
+ encrypt(data, {
+ "rsa_padding_mode" => translate_padding_mode(padding),
+ })
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::RSAError, $!.message
+ end
+ end
+
+ # :call-seq:
+ # rsa.private_decrypt(string) -> String
+ # rsa.private_decrypt(string, padding) -> String
+ #
+ # Decrypt +string+, which has been encrypted with the public key, with the
+ # private key. +padding+ defaults to PKCS1_PADDING, which is known to be
+ # insecure but is kept for backwards compatibility.
+ #
+ # <b>Deprecated in version 3.0</b>.
+ # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
+ def private_decrypt(data, padding = PKCS1_PADDING)
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
+ private? or raise OpenSSL::PKey::RSAError, "private key needed."
+ begin
+ decrypt(data, {
+ "rsa_padding_mode" => translate_padding_mode(padding),
+ })
+ rescue OpenSSL::PKey::PKeyError
+ raise OpenSSL::PKey::RSAError, $!.message
+ end
+ end
+
+ PKCS1_PADDING = 1
+ SSLV23_PADDING = 2
+ NO_PADDING = 3
+ PKCS1_OAEP_PADDING = 4
+
+ private def translate_padding_mode(num)
+ case num
+ when PKCS1_PADDING
+ "pkcs1"
+ when SSLV23_PADDING
+ "sslv23"
+ when NO_PADDING
+ "none"
+ when PKCS1_OAEP_PADDING
+ "oaep"
+ else
+ raise OpenSSL::PKey::PKeyError, "unsupported padding mode"
+ end
+ end
end
end
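Review bot: `private_decrypt` keeps `PKCS1_PADDING` as its default, and the doc comment only calls it "known to be insecure" without saying what a caller has to do about it. With this padding the risk lies in how failures are reported: bad padding is raised as RSAError, and a service that lets the sender of the ciphertext distinguish that error from a successful decryption leaks information about the plaintext. I would add to the comment `# When PKCS1_PADDING is used on data from an untrusted sender, do not reveal whether this call raised; prefer PKCS1_OAEP_PADDING for new code.` Separately, the call-seq for `public_encrypt` and `private_decrypt` names the argument `string` while the parameter is `data`, and `RSA.generate` documents `exponent` for a parameter called `exp`.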
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 0930a53017..d28bf1a374 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -11,6 +11,9 @@
=end
require "openssl/buffering"
+
+if defined?(OpenSSL::SSL)
+
require "io/nonblock"
require "ipaddr"
require "socket"
@@ -19,7 +22,6 @@ module OpenSSL
module SSL
class SSLContext
DEFAULT_PARAMS = { # :nodoc:
- :min_version => OpenSSL::SSL::TLS1_VERSION,
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:verify_hostname => true,
:options => -> {
@@ -31,27 +33,28 @@ module OpenSSL
}
if defined?(OpenSSL::PKey::DH)
- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
+ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
-----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
_end_of_pem_
- private_constant :DEFAULT_2048
+ private_constant :DH_ffdhe2048
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
warn "using default DH parameters." if $VERBOSE
- DEFAULT_2048
+ DH_ffdhe2048
}
end
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
DEFAULT_PARAMS.merge!(
+ min_version: OpenSSL::SSL::TLS1_VERSION,
ciphers: %w{
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
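Review bot: `min_version: OpenSSL::SSL::TLS1_VERSION` now lives only inside the `if !(... OPENSSL_VERSION_NUMBER >= 0x10100000)` branch, after being dropped from `DEFAULT_PARAMS` in the `@@ -19,7 +22,6 @@` hunk. As a result, with OpenSSL 1.1.0 or later the binding sets no protocol floor and the effective minimum is whatever the linked library and its system configuration allow. Nothing near the change says this is deliberate, so a comment above the `if` would help, e.g. `# On OpenSSL >= 1.1.0 the minimum protocol version is left to the library / system-wide configuration`. The renamed `DH_ffdhe2048` constant would likewise benefit from a one-line comment naming where the parameters come from. The `merge!` call continues past the end of this hunk.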
@@ -91,15 +94,17 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
DEFAULT_CERT_STORE.set_default_paths
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
- # A callback invoked when DH parameters are required.
+ # A callback invoked when DH parameters are required for ephemeral DH key
+ # exchange.
#
- # The callback is invoked with the Session for the key exchange, an
+ # The callback is invoked with the SSLSocket, a
# flag indicating the use of an export cipher and the keylength
# required.
#
# The callback must return an OpenSSL::PKey::DH instance of the correct
# key length.
-
+ #
+ # <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
attr_accessor :tmp_dh_callback
# A callback invoked at connect time to distinguish between multiple
@@ -247,6 +252,14 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
to_io.peeraddr
end
+ def local_address
+ to_io.local_address
+ end
+
+ def remote_address
+ to_io.remote_address
+ end
+
def setsockopt(level, optname, optval)
to_io.setsockopt(level, optname, optval)
end
@@ -266,6 +279,36 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
def do_not_reverse_lookup=(flag)
to_io.do_not_reverse_lookup = flag
end
+
+ def close_on_exec=(value)
+ to_io.close_on_exec = value
+ end
+
+ def close_on_exec?
+ to_io.close_on_exec?
+ end
+
+ def wait(*args)
+ to_io.wait(*args)
+ end
+
+ def wait_readable(*args)
+ to_io.wait_readable(*args)
+ end
+
+ def wait_writable(*args)
+ to_io.wait_writable(*args)
+ end
+
+ if IO.method_defined?(:timeout)
+ def timeout
+ to_io.timeout
+ end
+
+ def timeout=(value)
+ to_io.timeout=(value)
+ end
+ end
end
def verify_certificate_identity(cert, hostname)
@@ -416,6 +459,32 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
nil
end
+ # Close the stream for reading.
+ # This method is ignored by OpenSSL as there is no reasonable way to
+ # implement it, but exists for compatibility with IO.
+ def close_read
+ # Unsupported and ignored.
+ # Just don't read any more.
+ end
+
+ # Closes the stream for writing. The behavior of this method depends on
+ # the version of OpenSSL and the TLS protocol in use.
+ #
+ # - Sends a 'close_notify' alert to the peer.
+ # - Does not wait for the peer's 'close_notify' alert in response.
+ #
+ # In TLS 1.2 and earlier:
+ # - On receipt of a 'close_notify' alert, responds with a 'close_notify'
+ # alert of its own and close down the connection immediately,
+ # discarding any pending writes.
+ #
+ # Therefore, on TLS 1.2, this method will cause the connection to be
+ # completely shut down. On TLS 1.3, the connection will remain open for
+ # reading only.
+ def close_write
+ stop
+ end
+
private
def using_anon_cipher?
@@ -432,10 +501,6 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
@context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
end
- def tmp_ecdh_callback
- @context.tmp_ecdh_callback
- end
-
def session_new_cb
@context.session_new_cb
end
@@ -493,7 +558,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
unless ctx.session_id_context
# see #6137 - session id may not exceed 32 bytes
prng = ::Random.new($0.hash)
- session_id = prng.bytes(16).unpack('H*')[0]
+ session_id = prng.bytes(16).unpack1('H*')
@ctx.session_id_context = session_id
end
@start_immediately = true
@@ -542,3 +607,5 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
end
end
end
+
+end
diff --git a/ext/openssl/lib/openssl/version.rb b/ext/openssl/lib/openssl/version.rb
index 9c7515ba0f..9315a79381 100644
--- a/ext/openssl/lib/openssl/version.rb
+++ b/ext/openssl/lib/openssl/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
module OpenSSL
- VERSION = "2.2.0"
+ VERSION = "3.2.0"
end
diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb
index 6771b90c1a..f973f4f4dc 100644
--- a/ext/openssl/lib/openssl/x509.rb
+++ b/ext/openssl/lib/openssl/x509.rb
@@ -279,11 +279,29 @@ module OpenSSL
end
class << self
+ # Parses the UTF-8 string representation of a distinguished name,
+ # according to RFC 2253.
+ #
+ # See also #to_utf8 for the opposite operation.
def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
self.new(ary, template)
end
+ # Parses the string representation of a distinguished name. Two
+ # different forms are supported:
+ #
+ # - \OpenSSL format (<tt>X509_NAME_oneline()</tt>) used by
+ # <tt>#to_s</tt>. For example: <tt>/DC=com/DC=example/CN=nobody</tt>
+ # - \OpenSSL format (<tt>X509_NAME_print()</tt>)
+ # used by <tt>#to_s(OpenSSL::X509::Name::COMPAT)</tt>. For example:
+ # <tt>DC=com, DC=example, CN=nobody</tt>
+ #
+ # Neither of them is standardized and has quirks and inconsistencies
+ # in handling of escaped characters or multi-valued RDNs.
+ #
+ # Use of this method is discouraged in new applications. See
+ # Name.parse_rfc2253 and #to_utf8 for the alternative.
def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
if str.start_with?("/")
# /A=B/C=D format
@@ -338,6 +356,10 @@ module OpenSSL
q.text 'not_after='; q.pp self.not_after
}
end
+
+ def self.load_file(path)
+ load(File.binread(path))
+ end
end
class CRL
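Review bot: `load_file` is added with no doc comment, while the other class methods touched in this file each get one. It reads the whole file with `File.binread` and hands the bytes to `load`, which is defined outside this hunk, so its return value and the errors it raises on a malformed file cannot be read off here. I would add `# Reads the file at +path+ in binary mode and passes its contents to .load; raises the usual Errno errors if the file cannot be read.`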
diff --git a/ext/openssl/openssl.gemspec b/ext/openssl/openssl.gemspec
index 471a3c4265..2765f55401 100644
--- a/ext/openssl/openssl.gemspec
+++ b/ext/openssl/openssl.gemspec
@@ -1,26 +1,27 @@
Gem::Specification.new do |spec|
spec.name = "openssl"
- spec.version = "2.2.0"
+ spec.version = "3.2.0"
spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"]
spec.email = ["ruby-core@ruby-lang.org"]
- spec.summary = %q{OpenSSL provides SSL, TLS and general purpose cryptography.}
- spec.description = %q{It wraps the OpenSSL library.}
+ spec.summary = %q{SSL/TLS and general-purpose cryptography for Ruby}
+ spec.description = %q{OpenSSL for Ruby provides access to SSL/TLS and general-purpose cryptography based on the OpenSSL library.}
spec.homepage = "https://github.com/ruby/openssl"
spec.license = "Ruby"
- spec.files = Dir["lib/**/*.rb", "ext/**/*.{c,h,rb}", "*.md", "BSDL", "LICENSE.txt"]
- spec.require_paths = ["lib"]
- spec.extensions = ["ext/openssl/extconf.rb"]
+ if Gem::Platform === spec.platform and spec.platform =~ 'java' or RUBY_ENGINE == 'jruby'
+ spec.platform = "java"
+ spec.files = []
+ spec.add_runtime_dependency('jruby-openssl', '~> 0.14')
+ else
+ spec.files = Dir["lib/**/*.rb", "ext/**/*.{c,h,rb}", "*.md", "BSDL", "LICENSE.txt"]
+ spec.require_paths = ["lib"]
+ spec.extensions = ["ext/openssl/extconf.rb"]
+ end
spec.extra_rdoc_files = Dir["*.md"]
spec.rdoc_options = ["--main", "README.md"]
- spec.required_ruby_version = ">= 2.3.0"
-
- spec.add_development_dependency "rake"
- spec.add_development_dependency "rake-compiler"
- spec.add_development_dependency "test-unit", "~> 3.0"
- spec.add_development_dependency "rdoc"
+ spec.required_ruby_version = ">= 2.7.0"
spec.metadata["msys2_mingw_dependencies"] = "openssl"
end
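Review bot: The new platform test `if Gem::Platform === spec.platform and spec.platform =~ 'java' or RUBY_ENGINE == 'jruby'` relies on `and` and `or` having equal precedence and grouping left to right, which is easy to misread. Spelling out the grouping keeps the meaning and removes the doubt: `if (Gem::Platform === spec.platform && spec.platform =~ 'java') || RUBY_ENGINE == 'jruby'`. Since the JRuby branch ships no files and relies entirely on `jruby-openssl`, a short comment saying so above `spec.files = []` would also help a reader auditing what the gem installs.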
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 010c158dc1..4415703db4 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -10,50 +10,10 @@
#include RUBY_EXTCONF_H
#include <string.h> /* memcpy() */
-#if !defined(OPENSSL_NO_ENGINE)
-# include <openssl/engine.h>
-#endif
#include <openssl/x509_vfy.h>
#include "openssl_missing.h"
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-static struct {
- const char *name;
- int nid;
-} nist_curves[] = {
- {"B-163", NID_sect163r2},
- {"B-233", NID_sect233r1},
- {"B-283", NID_sect283r1},
- {"B-409", NID_sect409r1},
- {"B-571", NID_sect571r1},
- {"K-163", NID_sect163k1},
- {"K-233", NID_sect233k1},
- {"K-283", NID_sect283k1},
- {"K-409", NID_sect409k1},
- {"K-571", NID_sect571k1},
- {"P-192", NID_X9_62_prime192v1},
- {"P-224", NID_secp224r1},
- {"P-256", NID_X9_62_prime256v1},
- {"P-384", NID_secp384r1},
- {"P-521", NID_secp521r1}
-};
-
-int
-ossl_EC_curve_nist2nid(const char *name)
-{
- size_t i;
- for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
- if (!strcmp(nist_curves[i].name, name))
- return nist_curves[i].nid;
- }
- return NID_undef;
-}
-#endif
-#endif
-
/*** added in 1.1.0 ***/
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 06d2a9082f..8629bfe505 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -12,40 +12,7 @@
#include "ruby/config.h"
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-int ossl_EC_curve_nist2nid(const char *);
-# define EC_curve_nist2nid ossl_EC_curve_nist2nid
-#endif
-#endif
-
-#if !defined(HAVE_X509_REVOKED_DUP)
-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
- (d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
-# define X509_STORE_CTX_get0_store(x) ((x)->ctx)
-#endif
-
-#if !defined(HAVE_SSL_IS_SERVER)
-# define SSL_is_server(s) ((s)->server)
-#endif
-
/* added in 1.1.0 */
-#if !defined(HAVE_BN_GENCB_NEW)
-# define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
-#endif
-
-#if !defined(HAVE_BN_GENCB_FREE)
-# define BN_GENCB_free(cb) OPENSSL_free(cb)
-#endif
-
-#if !defined(HAVE_BN_GENCB_GET_ARG)
-# define BN_GENCB_get_arg(cb) (cb)->arg
-#endif
-
#if !defined(HAVE_EVP_MD_CTX_NEW)
# define EVP_MD_CTX_new EVP_MD_CTX_create
#endif
@@ -54,10 +21,6 @@ int ossl_EC_curve_nist2nid(const char *);
# define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif
-#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
-# define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
-#endif
-
#if !defined(HAVE_X509_STORE_GET_EX_DATA)
# define X509_STORE_get_ex_data(x, idx) \
CRYPTO_get_ex_data(&(x)->ex_data, (idx))
@@ -141,8 +104,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
#endif
-#if !defined(HAVE_OPAQUE_OPENSSL) && \
- (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+#if !defined(HAVE_OPAQUE_OPENSSL)
#define IMPL_PKEY_GETTER(_type, _name) \
static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
return pkey->pkey._name; }
@@ -248,4 +210,29 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
} while (0)
#endif
+/* added in 3.0.0 */
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
+#endif
+
+#ifndef HAVE_EVP_MD_CTX_GET0_MD
+# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
+#endif
+
+/*
+ * OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
+ * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
+ */
+#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
+# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
+# define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
+# else
+# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
+# endif
+#endif
+
+#ifndef HAVE_EVP_PKEY_EQ
+# define EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)
+#endif
+
#endif /* _OSSL_OPENSSL_MISSING_H_ */
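Review bot: The fallback `# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)` looks like a typo to anyone who does not know that OpenSSL shipped the function under the misspelled `CTS` name before 3.0. A comment such as `/* pre-3.0 OpenSSL exports this under the misspelled name TS_VERIFY_CTS_set_certs */` would stop a well-meant "fix". In the same hunk the last-resort expansion `(x)->pctx` should be wrapped as `((x)->pctx)` so that it behaves like a call expression wherever it is used.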
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 70b6a6a806..00eded55cb 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -9,13 +9,19 @@
*/
#include "ossl.h"
#include <stdarg.h> /* for ossl_raise */
-#include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
+
+/* OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0 */
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
+# define HAVE_OPENSSL_110_THREADING_API
+#else
+# include <ruby/thread_native.h>
+#endif
/*
* Data Conversion
*/
#define OSSL_IMPL_ARY2SK(name, type, expected_class, dup) \
-STACK_OF(type) * \
+VALUE \
ossl_##name##_ary2sk0(VALUE ary) \
{ \
STACK_OF(type) *sk; \
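Review bot: `ossl_##name##_ary2sk0` now returns `VALUE`, and in the next hunk hands back the stack pointer as `return (VALUE)sk;`, yet no comment explains why a C pointer travels in a Ruby object slot. Presumably this is to match the callback signature of `rb_protect`, but a reader cannot tell that from here, and the value must never be treated as a Ruby object. I would put `/* returns STACK_OF(type) * cast to VALUE so it can be called via rb_protect(); not a Ruby object */` above the macro. Separately, the comment "OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0" does not match the test beneath it, which accepts any `LIBRESSL_VERSION_NUMBER`; either the comment or the condition should state the assumption that older LibreSSL is rejected elsewhere.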
@@ -37,7 +43,7 @@ ossl_##name##_ary2sk0(VALUE ary) \
x = dup(val); /* NEED TO DUP */ \
sk_##type##_push(sk, x); \
} \
- return sk; \
+ return (VALUE)sk; \
} \
\
STACK_OF(type) * \
@@ -201,7 +207,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
while (1) {
/*
- * when the flag is nonzero, this passphrase
+ * when the flag is nonzero, this password
* will be used to perform encryption; otherwise it will
* be used to perform decryption.
*/
@@ -262,31 +268,32 @@ ossl_to_der_if_possible(VALUE obj)
/*
* Errors
*/
-static VALUE
-ossl_make_error(VALUE exc, const char *fmt, va_list args)
+VALUE
+ossl_make_error(VALUE exc, VALUE str)
{
- VALUE str = Qnil;
unsigned long e;
+ const char *data;
+ int flags;
- if (fmt) {
- str = rb_vsprintf(fmt, args);
- }
- e = ERR_peek_last_error();
+ if (NIL_P(str))
+ str = rb_str_new(NULL, 0);
+
+#ifdef HAVE_ERR_GET_ERROR_ALL
+ e = ERR_peek_last_error_all(NULL, NULL, NULL, &data, &flags);
+#else
+ e = ERR_peek_last_error_line_data(NULL, NULL, &data, &flags);
+#endif
if (e) {
- const char *msg = ERR_reason_error_string(e);
+ const char *msg = ERR_reason_error_string(e);
- if (NIL_P(str)) {
- if (msg) str = rb_str_new_cstr(msg);
- }
- else {
- if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
- rb_str_cat2(str, msg ? msg : "(null)");
- }
- ossl_clear_error();
+ if (RSTRING_LEN(str)) rb_str_cat_cstr(str, ": ");
+ rb_str_cat_cstr(str, msg ? msg : "(null)");
+ if (flags & ERR_TXT_STRING && data)
+ rb_str_catf(str, " (%s)", data);
+ ossl_clear_error();
}
- if (NIL_P(str)) str = rb_str_new(0, 0);
- return rb_exc_new3(exc, str);
+ return rb_exc_new_str(exc, str);
}
void
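Review bot: `ossl_make_error` is no longer `static` and now appends to the caller's `str` in place through `rb_str_cat_cstr` and `rb_str_catf`, so a caller that passes a frozen or shared String gets an exception or a modified argument. The hunk documents no such contract; I would add `/* str is modified in place: pass Qnil or a fresh, unfrozen String */` above the function, or take a copy with `str = rb_str_dup(str);` in the non-nil case. The message also now includes the error queue's `data` text, which may carry more detail than the reason string alone, so applications that relay exception messages to remote peers may want that mentioned in the docs. Finally, `flags & ERR_TXT_STRING && data` reads more safely as `(flags & ERR_TXT_STRING) && data`.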
@@ -294,37 +301,48 @@ ossl_raise(VALUE exc, const char *fmt, ...)
{
va_list args;
VALUE err;
- va_start(args, fmt);
- err = ossl_make_error(exc, fmt, args);
- va_end(args);
- rb_exc_raise(err);
+
+ if (fmt) {
+ va_start(args, fmt);
+ err = rb_vsprintf(fmt, args);
+ va_end(args);
+ }
+ else {
+ err = Qnil;
+ }
+
+ rb_exc_raise(ossl_make_error(exc, err));
}
void
ossl_clear_error(void)
{
if (dOSSL == Qtrue) {
- unsigned long e;
- const char *file, *data, *errstr;
- int line, flags;
-
- while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
- errstr = ERR_error_string(e, NULL);
- if (!errstr)
- errstr = "(null)";
-
- if (flags & ERR_TXT_STRING) {
- if (!data)
- data = "(null)";
- rb_warn("error on stack: %s (%s)", errstr, data);
- }
- else {
- rb_warn("error on stack: %s", errstr);
- }
- }
+ unsigned long e;
+ const char *file, *data, *func, *lib, *reason;
+ char append[256] = "";
+ int line, flags;
+
+#ifdef HAVE_ERR_GET_ERROR_ALL
+ while ((e = ERR_get_error_all(&file, &line, &func, &data, &flags))) {
+#else
+ while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
+ func = ERR_func_error_string(e);
+#endif
+ lib = ERR_lib_error_string(e);
+ reason = ERR_reason_error_string(e);
+
+ if (flags & ERR_TXT_STRING) {
+ if (!data)
+ data = "(null)";
+ snprintf(append, sizeof(append), " (%s)", data);
+ }
+ rb_warn("error on stack: error:%08lX:%s:%s:%s%s", e, lib ? lib : "",
+ func ? func : "", reason ? reason : "", append);
+ }
}
else {
- ERR_clear_error();
+ ERR_clear_error();
}
}
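Review bot: In `ossl_clear_error`, `append` is initialised once before the `while` loop and rewritten only when `flags & ERR_TXT_STRING` is set. A queue entry without text that follows one with text is therefore printed with the previous entry's data. Resetting the buffer at the top of the loop body fixes it: `append[0] = '\0';`. The `snprintf` into the 256-byte buffer truncates long data silently, which is acceptable for a debug warning but worth a short comment.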
@@ -356,22 +374,6 @@ ossl_get_errors(VALUE _)
*/
VALUE dOSSL;
-#if !defined(HAVE_VA_ARGS_MACRO)
-void
-ossl_debug(const char *fmt, ...)
-{
- va_list args;
-
- if (dOSSL == Qtrue) {
- fprintf(stderr, "OSSL_DEBUG: ");
- va_start(args, fmt);
- vfprintf(stderr, fmt, args);
- va_end(args);
- fprintf(stderr, " [CONTEXT N/A]\n");
- }
-}
-#endif
-
/*
* call-seq:
* OpenSSL.debug -> true | false
@@ -386,7 +388,7 @@ ossl_debug_get(VALUE self)
* call-seq:
* OpenSSL.debug = boolean -> boolean
*
- * Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
+ * Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
* error queue will be printed to stderr.
*/
static VALUE
@@ -405,7 +407,11 @@ static VALUE
ossl_fips_mode_get(VALUE self)
{
-#ifdef OPENSSL_FIPS
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ VALUE enabled;
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
+ return enabled;
+#elif defined(OPENSSL_FIPS)
VALUE enabled;
enabled = FIPS_mode() ? Qtrue : Qfalse;
return enabled;
@@ -429,8 +435,18 @@ ossl_fips_mode_get(VALUE self)
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
-
-#ifdef OPENSSL_FIPS
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ if (RTEST(enabled)) {
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
+ }
+ } else {
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
+ }
+ }
+ return enabled;
+#elif defined(OPENSSL_FIPS)
if (RTEST(enabled)) {
int mode = FIPS_mode();
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
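Review bot: On the OpenSSL 3.0 path `EVP_default_properties_enable_fips(NULL, ...)` only changes the default property query of the default library context, and nothing in this hunk checks that a FIPS provider is actually loaded. As far as I can tell, `OpenSSL.fips_mode = true` may therefore succeed on a system without the provider, with later algorithm fetches failing instead. The getter in the `@@ -405,7 +407,11 @@` hunk likewise reports the property, not provider state. I would state this in the rdoc of both methods, e.g. `* On OpenSSL 3.0 and later this toggles the "fips=yes" default property only; loading the FIPS provider is the caller's responsibility.` The body of `ossl_fips_mode_set` continues past the end of this hunk.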
@@ -447,75 +463,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
#endif
}
-#if defined(OSSL_DEBUG)
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
- defined(CRYPTO_malloc_debug_init))
-/*
- * call-seq:
- * OpenSSL.mem_check_start -> nil
- *
- * Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory
- * allocations. See also OpenSSL.print_mem_leaks.
- *
- * This is available only when built with a capable OpenSSL and --enable-debug
- * configure option.
- */
-static VALUE
-mem_check_start(VALUE self)
-{
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- return Qnil;
-}
-
-/*
- * call-seq:
- * OpenSSL.print_mem_leaks -> true | false
- *
- * For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr).
- * Prints detected memory leaks to standard error. This cleans the global state
- * up thus you cannot use any methods of the library after calling this.
- *
- * Returns +true+ if leaks detected, +false+ otherwise.
- *
- * This is available only when built with a capable OpenSSL and --enable-debug
- * configure option.
- *
- * === Example
- * OpenSSL.mem_check_start
- * NOT_GCED = OpenSSL::PKey::RSA.new(256)
- *
- * END {
- * GC.start
- * OpenSSL.print_mem_leaks # will print the leakage
- * }
- */
-static VALUE
-print_mem_leaks(VALUE self)
-{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
- int ret;
-#endif
-
-#ifndef HAVE_RB_EXT_RACTOR_SAFE
- // for Ruby 2.x
- void ossl_bn_ctx_free(void); // ossl_bn.c
- ossl_bn_ctx_free();
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
- ret = CRYPTO_mem_leaks_fp(stderr);
- if (ret < 0)
- ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
- return ret ? Qfalse : Qtrue;
-#else
- CRYPTO_mem_leaks_fp(stderr);
- return Qnil;
-#endif
-}
-#endif
-#endif
-
#if !defined(HAVE_OPENSSL_110_THREADING_API)
/**
* Stores locks needed for OpenSSL thread safety
@@ -658,23 +605,21 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
*
* key = OpenSSL::PKey::RSA.new 2048
*
- * open 'private_key.pem', 'w' do |io| io.write key.to_pem end
- * open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
+ * File.write 'private_key.pem', key.private_to_pem
+ * File.write 'public_key.pem', key.public_to_pem
*
* === Exporting a Key
*
* Keys saved to disk without encryption are not secure as anyone who gets
* ahold of the key may use it unless it is encrypted. In order to securely
- * export a key you may export it with a pass phrase.
+ * export a key you may export it with a password.
*
* cipher = OpenSSL::Cipher.new 'aes-256-cbc'
- * pass_phrase = 'my secure pass phrase goes here'
+ * password = 'my secure password goes here'
*
- * key_secure = key.export cipher, pass_phrase
+ * key_secure = key.private_to_pem cipher, password
*
- * open 'private.secure.pem', 'w' do |io|
- * io.write key_secure
- * end
+ * File.write 'private.secure.pem', key_secure
*
* OpenSSL::Cipher.ciphers returns a list of available ciphers.
*
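Review bot: The rewritten example stores the unencrypted private key with `File.write 'private_key.pem', key.private_to_pem`, which creates the file with whatever mode the process umask allows. The CA example further down this comment opens its key file with mode 0400. This example could do the same with `File.write 'private_key.pem', key.private_to_pem, perm: 0600`, or add a sentence pointing readers to the "Exporting a Key" section before they copy it.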
@@ -694,13 +639,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
*
* === Loading an Encrypted Key
*
- * OpenSSL will prompt you for your pass phrase when loading an encrypted key.
- * If you will not be able to type in the pass phrase you may provide it when
+ * OpenSSL will prompt you for your password when loading an encrypted key.
+ * If you will not be able to type in the password you may provide it when
* loading the key:
*
* key4_pem = File.read 'private.secure.pem'
- * pass_phrase = 'my secure pass phrase goes here'
- * key4 = OpenSSL::PKey.read key4_pem, pass_phrase
+ * password = 'my secure password goes here'
+ * key4 = OpenSSL::PKey.read key4_pem, password
*
* == RSA Encryption
*
@@ -816,45 +761,6 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
* decrypted = cipher.update encrypted
* decrypted << cipher.final
*
- * == PKCS #5 Password-based Encryption
- *
- * PKCS #5 is a password-based encryption standard documented at
- * RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or
- * passphrase to be used to create a secure encryption key. If possible, PBKDF2
- * as described above should be used if the circumstances allow it.
- *
- * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
- * key.
- *
- * pass_phrase = 'my secure pass phrase goes here'
- * salt = '8 octets'
- *
- * === Encryption
- *
- * First set up the cipher for encryption
- *
- * encryptor = OpenSSL::Cipher.new 'aes-256-cbc'
- * encryptor.encrypt
- * encryptor.pkcs5_keyivgen pass_phrase, salt
- *
- * Then pass the data you want to encrypt through
- *
- * encrypted = encryptor.update 'top secret document'
- * encrypted << encryptor.final
- *
- * === Decryption
- *
- * Use a new Cipher instance set up for decryption
- *
- * decryptor = OpenSSL::Cipher.new 'aes-256-cbc'
- * decryptor.decrypt
- * decryptor.pkcs5_keyivgen pass_phrase, salt
- *
- * Then pass the data you want to decrypt through
- *
- * plain = decryptor.update encrypted
- * plain << decryptor.final
- *
* == X509 Certificates
*
* === Creating a Certificate
@@ -932,12 +838,12 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
* not readable by other users.
*
* ca_key = OpenSSL::PKey::RSA.new 2048
- * pass_phrase = 'my secure pass phrase goes here'
+ * password = 'my secure password goes here'
*
- * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
+ * cipher = 'aes-256-cbc'
*
* open 'ca_key.pem', 'w', 0400 do |io|
- * io.write ca_key.export(cipher, pass_phrase)
+ * io.write ca_key.private_to_pem(cipher, password)
* end
*
* === CA Certificate
@@ -1157,8 +1063,8 @@ Init_openssl(void)
/*
* Init main module
*/
- mOSSL = rb_define_module("OpenSSL");
rb_global_variable(&mOSSL);
+ mOSSL = rb_define_module("OpenSSL");
rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
/*
@@ -1177,15 +1083,35 @@ Init_openssl(void)
/*
* Version number of OpenSSL the ruby OpenSSL extension was built with
- * (base 16)
+ * (base 16). The formats are below.
+ *
+ * [OpenSSL 3] <tt>0xMNN00PP0 (major minor 00 patch 0)</tt>
+ * [OpenSSL before 3] <tt>0xMNNFFPPS (major minor fix patch status)</tt>
+ * [LibreSSL] <tt>0x20000000 (fixed value)</tt>
+ *
+ * See also the man page OPENSSL_VERSION_NUMBER(3).
*/
rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
+#if defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * Version number of LibreSSL the ruby OpenSSL extension was built with
+ * (base 16). The format is <tt>0xMNNFF00f (major minor fix 00
+ * status)</tt>. This constant is only defined in LibreSSL cases.
+ *
+ * See also the man page LIBRESSL_VERSION_NUMBER(3).
+ */
+ rb_define_const(mOSSL, "LIBRESSL_VERSION_NUMBER", INT2NUM(LIBRESSL_VERSION_NUMBER));
+#endif
+
/*
* Boolean indicating whether OpenSSL is FIPS-capable or not
*/
rb_define_const(mOSSL, "OPENSSL_FIPS",
-#ifdef OPENSSL_FIPS
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ Qtrue
+#elif defined(OPENSSL_FIPS)
Qtrue
#else
Qfalse
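Review bot: The doc comment above `OPENSSL_FIPS` still reads "Boolean indicating whether OpenSSL is FIPS-capable or not", but on OpenSSL 3 the constant is now unconditionally true. As the new inline comment says, that holds even when the library was installed without the fips option, so a caller using the constant as a gate learns nothing about whether FIPS mode is usable or active. I would extend the doc comment, e.g. `* Always true with OpenSSL 3; it does not mean FIPS mode is enabled, see OpenSSL.fips_mode.` The two `Qtrue` branches can also be merged into `#if OSSL_OPENSSL_PREREQ(3, 0, 0) || defined(OPENSSL_FIPS)`. `Init_openssl` continues outside the hunk.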
@@ -1195,12 +1121,12 @@ Init_openssl(void)
rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0);
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
+ rb_global_variable(&eOSSLError);
/*
* Generic error,
* common for all classes under OpenSSL module
*/
eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
- rb_global_variable(&eOSSLError);
/*
* Init debug core
@@ -1241,42 +1167,7 @@ Init_openssl(void)
Init_ossl_x509();
Init_ossl_ocsp();
Init_ossl_engine();
+ Init_ossl_provider();
Init_ossl_asn1();
Init_ossl_kdf();
-
-#if defined(OSSL_DEBUG)
- /*
- * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug
- */
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
- defined(CRYPTO_malloc_debug_init))
- rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0);
- rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0);
-
-#if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */
- CRYPTO_malloc_debug_init();
-#endif
-
-#if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */
- CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */
- {
- int i;
- /*
- * See crypto/ex_data.c; call def_get_class() immediately to avoid
- * allocations. 15 is the maximum number that is used as the class index
- * in OpenSSL 1.0.2.
- */
- for (i = 0; i <= 15; i++) {
- if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0)
- rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for "
- "class index %d failed", i);
- }
- }
-#endif
-#endif
-#endif
}
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 577eb6d6be..68d42b71e2 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -18,6 +18,7 @@
#include <ruby/io.h>
#include <ruby/thread.h>
#include <openssl/opensslv.h>
+
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/x509v3.h>
@@ -30,9 +31,6 @@
#include <openssl/ts.h>
#endif
#include <openssl/crypto.h>
-#if !defined(OPENSSL_NO_ENGINE)
-# include <openssl/engine.h>
-#endif
#if !defined(OPENSSL_NO_OCSP)
# include <openssl/ocsp.h>
#endif
@@ -42,6 +40,32 @@
#include <openssl/evp.h>
#include <openssl/dh.h>
+#ifndef LIBRESSL_VERSION_NUMBER
+# define OSSL_IS_LIBRESSL 0
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
+ (OPENSSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
+#else
+# define OSSL_IS_LIBRESSL 1
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
+ (LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
+#endif
+
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_3_const const
+#else
+# define OSSL_3_const /* const */
+#endif
+
+#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_USE_ENGINE
+#endif
+
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_USE_PROVIDER
+#endif
+
/*
* Common Module
*/
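Review bot: `OSSL_OPENSSL_PREREQ` places its third argument at `pat << 12`, which is the "fix" field of the pre-3 layout `0xMNNFFPPS`. The OpenSSL 3 layout documented in ossl.c in this same commit is `0xMNN00PP0`, so a non-zero third argument would not compare as intended there. Every use visible in this diff passes 0, so nothing breaks today, but the macro needs a comment such as `/* third argument is the fix field (bits 12-19); for OpenSSL >= 3 pass 0 */`. The parameters are also expanded unparenthesized; `(((maj) << 28) | ((min) << 20) | ((pat) << 12))` is the safer spelling for both PREREQ macros.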
@@ -120,7 +144,9 @@ int ossl_pem_passwd_cb(char *, int, int, void *);
/*
* ERRor messages
*/
-NORETURN(void ossl_raise(VALUE, const char *, ...));
+PRINTF_ARGS(NORETURN(void ossl_raise(VALUE, const char *, ...)), 2, 3);
+/* Make exception instance from str and OpenSSL error reason string. */
+VALUE ossl_make_error(VALUE exc, VALUE str);
/* Clear OpenSSL error queue. If dOSSL is set, rb_warn() them. */
void ossl_clear_error(void);
@@ -135,7 +161,6 @@ VALUE ossl_to_der_if_possible(VALUE);
*/
extern VALUE dOSSL;
-#if defined(HAVE_VA_ARGS_MACRO)
#define OSSL_Debug(...) do { \
if (dOSSL == Qtrue) { \
fprintf(stderr, "OSSL_DEBUG: "); \
@@ -144,16 +169,10 @@ extern VALUE dOSSL;
} \
} while (0)
-#else
-void ossl_debug(const char *, ...);
-#define OSSL_Debug ossl_debug
-#endif
-
/*
* Include all parts
*/
#include "openssl_missing.h"
-#include "ruby_missing.h"
#include "ossl_asn1.h"
#include "ossl_bio.h"
#include "ossl_bn.h"
@@ -173,6 +192,7 @@ void ossl_debug(const char *, ...);
#endif
#include "ossl_x509.h"
#include "ossl_engine.h"
+#include "ossl_provider.h"
#include "ossl_kdf.h"
void Init_openssl(void);
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index b4b285323b..71c452c88a 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -69,6 +69,12 @@ asn1time_to_time(const ASN1_TIME *time)
return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
}
+static VALUE
+asn1time_to_time_i(VALUE arg)
+{
+ return asn1time_to_time((ASN1_TIME *)arg);
+}
+
void
ossl_time_split(VALUE time, time_t *sec, int *days)
{
@@ -136,6 +142,12 @@ num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
return ai;
}
+static VALUE
+asn1integer_to_num_i(VALUE arg)
+{
+ return asn1integer_to_num((ASN1_INTEGER *)arg);
+}
+
/********/
/*
* ASN1 module
@@ -325,7 +337,7 @@ decode_int(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_INTEGER(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
+ ret = rb_protect(asn1integer_to_num_i,
(VALUE)ai, &status);
ASN1_INTEGER_free(ai);
if(status) rb_jump_tag(status);
@@ -365,7 +377,7 @@ decode_enum(unsigned char* der, long length)
p = der;
if(!(ai = d2i_ASN1_ENUMERATED(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE (*)(VALUE))asn1integer_to_num,
+ ret = rb_protect(asn1integer_to_num_i,
(VALUE)ai, &status);
ASN1_ENUMERATED_free(ai);
if(status) rb_jump_tag(status);
@@ -427,7 +439,7 @@ decode_time(unsigned char* der, long length)
p = der;
if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
- ret = rb_protect((VALUE (*)(VALUE))asn1time_to_time,
+ ret = rb_protect(asn1time_to_time_i,
(VALUE)time, &status);
ASN1_TIME_free(time);
if(status) rb_jump_tag(status);
@@ -497,7 +509,8 @@ ossl_asn1_get_asn1type(VALUE obj)
ASN1_TYPE *ret;
VALUE value, rflag;
void *ptr;
- void (*free_func)();
+ typedef void free_func_type(void *);
+ free_func_type *free_func;
int tag;
tag = ossl_asn1_default_tag(obj);
@@ -510,16 +523,16 @@ ossl_asn1_get_asn1type(VALUE obj)
case V_ASN1_INTEGER: /* FALLTHROUGH */
case V_ASN1_ENUMERATED:
ptr = obj_to_asn1int(value);
- free_func = ASN1_INTEGER_free;
+ free_func = (free_func_type *)ASN1_INTEGER_free;
break;
case V_ASN1_BIT_STRING:
rflag = rb_attr_get(obj, sivUNUSED_BITS);
ptr = obj_to_asn1bstr(value, NUM2INT(rflag));
- free_func = ASN1_BIT_STRING_free;
+ free_func = (free_func_type *)ASN1_BIT_STRING_free;
break;
case V_ASN1_NULL:
ptr = obj_to_asn1null(value);
- free_func = ASN1_NULL_free;
+ free_func = (free_func_type *)ASN1_NULL_free;
break;
case V_ASN1_OCTET_STRING: /* FALLTHROUGH */
case V_ASN1_UTF8STRING: /* FALLTHROUGH */
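Review bot: The `(free_func_type *)` casts here and in the next hunk silence the prototype mismatch, but they do not remove it. The later call through `free_func` (outside these hunks) presumably still invokes e.g. `ASN1_INTEGER_free` through a `void (*)(void *)` type it was not defined with. That is undefined behaviour in C and is what indirect-call control-flow-integrity checks reject. The `rb_protect` call sites in this file were fixed with the small `asn1time_to_time_i` / `asn1integer_to_num_i` wrappers; the same approach works here, e.g. `static void asn1_integer_free_i(void *p) { ASN1_INTEGER_free(p); }` per free function, assigned without a cast.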
@@ -534,24 +547,24 @@ ossl_asn1_get_asn1type(VALUE obj)
case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
case V_ASN1_BMPSTRING:
ptr = obj_to_asn1str(value);
- free_func = ASN1_STRING_free;
+ free_func = (free_func_type *)ASN1_STRING_free;
break;
case V_ASN1_OBJECT:
ptr = obj_to_asn1obj(value);
- free_func = ASN1_OBJECT_free;
+ free_func = (free_func_type *)ASN1_OBJECT_free;
break;
case V_ASN1_UTCTIME:
ptr = obj_to_asn1utime(value);
- free_func = ASN1_TIME_free;
+ free_func = (free_func_type *)ASN1_TIME_free;
break;
case V_ASN1_GENERALIZEDTIME:
ptr = obj_to_asn1gtime(value);
- free_func = ASN1_TIME_free;
+ free_func = (free_func_type *)ASN1_TIME_free;
break;
case V_ASN1_SET: /* FALLTHROUGH */
case V_ASN1_SEQUENCE:
ptr = obj_to_asn1derstr(obj);
- free_func = ASN1_STRING_free;
+ free_func = (free_func_type *)ASN1_STRING_free;
break;
default:
ossl_raise(eASN1Error, "unsupported ASN.1 type");
@@ -1510,7 +1523,7 @@ Init_ossl_asn1(void)
*
* An Array that stores the name of a given tag number. These names are
* the same as the name of the tag constant that is additionally defined,
- * e.g. +UNIVERSAL_TAG_NAME[2] = "INTEGER"+ and +OpenSSL::ASN1::INTEGER = 2+.
+ * e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
*
* == Example usage
*
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index 1d43e4572b..ce0d3ec7ee 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_bn_type = {
{
0, ossl_bn_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -223,12 +223,29 @@ ossl_bn_alloc(VALUE klass)
/*
* call-seq:
- * OpenSSL::BN.new(bn) => aBN
- * OpenSSL::BN.new(integer) => aBN
- * OpenSSL::BN.new(string) => aBN
- * OpenSSL::BN.new(string, 0 | 2 | 10 | 16) => aBN
+ * OpenSSL::BN.new(bn) -> aBN
+ * OpenSSL::BN.new(integer) -> aBN
+ * OpenSSL::BN.new(string, base = 10) -> aBN
*
- * Construct a new OpenSSL BIGNUM object.
+ * Construct a new \OpenSSL BIGNUM object.
+ *
+ * If +bn+ is an Integer or OpenSSL::BN, a new instance of OpenSSL::BN
+ * representing the same value is returned. See also Integer#to_bn for the
+ * short-hand.
+ *
+ * If a String is given, the content will be parsed according to +base+.
+ *
+ * +string+::
+ * The string to be parsed.
+ * +base+::
+ * The format. Must be one of the following:
+ * - +0+ - MPI format. See the man page BN_mpi2bn(3) for details.
+ * - +2+ - Variable-length and big-endian binary encoding of a positive
+ * number.
+ * - +10+ - Decimal number representation, with a leading '-' for a negative
+ * number.
+ * - +16+ - Hexadeciaml number representation, with a leading '-' for a
+ * negative number.
*/
static VALUE
ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
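Review bot: `Hexadeciaml` in the new `+16+` entry is a typo for `Hexadecimal`, and the same misspelling is repeated in the `bn.to_s` doc comment in the next hunk. Both are rdoc comments, so the typo would presumably appear in the generated API documentation.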
@@ -296,16 +313,21 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
/*
* call-seq:
- * bn.to_s => string
- * bn.to_s(base) => string
+ * bn.to_s(base = 10) -> string
*
- * === Parameters
- * * _base_ - Integer
- * Valid values:
- * * 0 - MPI
- * * 2 - binary
- * * 10 - the default
- * * 16 - hex
+ * Returns the string representation of the bignum.
+ *
+ * BN.new can parse the encoded string to convert back into an OpenSSL::BN.
+ *
+ * +base+::
+ * The format. Must be one of the following:
+ * - +0+ - MPI format. See the man page BN_bn2mpi(3) for details.
+ * - +2+ - Variable-length and big-endian binary encoding. The sign of
+ * the bignum is ignored.
+ * - +10+ - Decimal number representation, with a leading '-' for a negative
+ * bignum.
+ * - +16+ - Hexadeciaml number representation, with a leading '-' for a
+ * negative bignum.
*/
static VALUE
ossl_bn_to_s(int argc, VALUE *argv, VALUE self)
@@ -555,22 +577,33 @@ BIGNUM_2c(gcd)
*/
BIGNUM_2c(mod_sqr)
+#define BIGNUM_2cr(func) \
+ static VALUE \
+ ossl_bn_##func(VALUE self, VALUE other) \
+ { \
+ BIGNUM *bn1, *bn2 = GetBNPtr(other), *result; \
+ VALUE obj; \
+ GetBN(self, bn1); \
+ obj = NewBN(rb_obj_class(self)); \
+ if (!(result = BN_##func(NULL, bn1, bn2, ossl_bn_ctx))) \
+ ossl_raise(eBNError, NULL); \
+ SetBN(obj, result); \
+ return obj; \
+ }
+
+/*
+ * Document-method: OpenSSL::BN#mod_sqrt
+ * call-seq:
+ * bn.mod_sqrt(bn2) => aBN
+ */
+BIGNUM_2cr(mod_sqrt)
+
/*
+ * Document-method: OpenSSL::BN#mod_inverse
* call-seq:
* bn.mod_inverse(bn2) => aBN
*/
-static VALUE
-ossl_bn_mod_inverse(VALUE self, VALUE other)
-{
- BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
- VALUE obj;
- GetBN(self, bn1);
- obj = NewBN(rb_obj_class(self));
- if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
- ossl_raise(eBNError, "BN_mod_inverse");
- SetBN(obj, result);
- return obj;
-}
+BIGNUM_2cr(mod_inverse)
/*
* call-seq:
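Review bot: The new `mod_sqrt` binding is documented with a call-seq only, but BN_mod_sqrt(3) requires the modulus to be prime and does not promise a meaningful result otherwise. Ruby callers may pass a modulus derived from external input, so the comment should state the precondition, e.g. `* Returns a square root of +bn+ modulo +bn2+. +bn2+ must be prime.` Separately, folding `mod_inverse` into `BIGNUM_2cr` drops the `"BN_mod_inverse"` label from the raised error; `ossl_raise(eBNError, "BN_" #func);` inside the macro keeps it for both methods.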
@@ -770,78 +803,64 @@ BIGNUM_SELF_SHIFT(lshift)
*/
BIGNUM_SELF_SHIFT(rshift)
-#define BIGNUM_RAND(func) \
- static VALUE \
- ossl_bn_s_##func(int argc, VALUE *argv, VALUE klass) \
- { \
- BIGNUM *result; \
- int bottom = 0, top = 0, b; \
- VALUE bits, fill, odd, obj; \
- \
- switch (rb_scan_args(argc, argv, "12", &bits, &fill, &odd)) { \
- case 3: \
- bottom = (odd == Qtrue) ? 1 : 0; \
- /* FALLTHROUGH */ \
- case 2: \
- top = NUM2INT(fill); \
- } \
- b = NUM2INT(bits); \
- obj = NewBN(klass); \
- if (!(result = BN_new())) { \
- ossl_raise(eBNError, NULL); \
- } \
- if (BN_##func(result, b, top, bottom) <= 0) { \
- BN_free(result); \
- ossl_raise(eBNError, NULL); \
- } \
- SetBN(obj, result); \
- return obj; \
- }
-
-/*
- * Document-method: OpenSSL::BN.rand
- * BN.rand(bits [, fill [, odd]]) -> aBN
- */
-BIGNUM_RAND(rand)
-
/*
- * Document-method: OpenSSL::BN.pseudo_rand
- * BN.pseudo_rand(bits [, fill [, odd]]) -> aBN
- */
-BIGNUM_RAND(pseudo_rand)
-
-#define BIGNUM_RAND_RANGE(func) \
- static VALUE \
- ossl_bn_s_##func##_range(VALUE klass, VALUE range) \
- { \
- BIGNUM *bn = GetBNPtr(range), *result; \
- VALUE obj = NewBN(klass); \
- if (!(result = BN_new())) { \
- ossl_raise(eBNError, NULL); \
- } \
- if (BN_##func##_range(result, bn) <= 0) { \
- BN_free(result); \
- ossl_raise(eBNError, NULL); \
- } \
- SetBN(obj, result); \
- return obj; \
- }
-
-/*
- * Document-method: OpenSSL::BN.rand_range
* call-seq:
- * BN.rand_range(range) -> aBN
+ * BN.rand(bits [, fill [, odd]]) -> aBN
*
+ * Generates a cryptographically strong pseudo-random number of +bits+.
+ *
+ * See also the man page BN_rand(3).
*/
-BIGNUM_RAND_RANGE(rand)
+static VALUE
+ossl_bn_s_rand(int argc, VALUE *argv, VALUE klass)
+{
+ BIGNUM *result;
+ int bottom = 0, top = 0, b;
+ VALUE bits, fill, odd, obj;
+
+ switch (rb_scan_args(argc, argv, "12", &bits, &fill, &odd)) {
+ case 3:
+ bottom = (odd == Qtrue) ? 1 : 0;
+ /* FALLTHROUGH */
+ case 2:
+ top = NUM2INT(fill);
+ }
+ b = NUM2INT(bits);
+ obj = NewBN(klass);
+ if (!(result = BN_new())) {
+ ossl_raise(eBNError, "BN_new");
+ }
+ if (BN_rand(result, b, top, bottom) <= 0) {
+ BN_free(result);
+ ossl_raise(eBNError, "BN_rand");
+ }
+ SetBN(obj, result);
+ return obj;
+}
/*
- * Document-method: OpenSSL::BN.pseudo_rand_range
* call-seq:
- * BN.pseudo_rand_range(range) -> aBN
+ * BN.rand_range(range) -> aBN
*
+ * Generates a cryptographically strong pseudo-random number in the range
+ * 0...+range+.
+ *
+ * See also the man page BN_rand_range(3).
*/
-BIGNUM_RAND_RANGE(pseudo_rand)
+static VALUE
+ossl_bn_s_rand_range(VALUE klass, VALUE range)
+{
+ BIGNUM *bn = GetBNPtr(range), *result;
+ VALUE obj = NewBN(klass);
+ if (!(result = BN_new()))
+ ossl_raise(eBNError, "BN_new");
+ if (BN_rand_range(result, bn) <= 0) {
+ BN_free(result);
+ ossl_raise(eBNError, "BN_rand_range");
+ }
+ SetBN(obj, result);
+ return obj;
+}
/*
* call-seq:
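Review bot: The new doc comment for `BN.rand` describes `bits` but not the optional `fill` and `odd` arguments that the call-seq advertises. From the code, `fill` is passed through `NUM2INT` as the `top` argument of `BN_rand`, and `bottom` becomes 1 only when `odd == Qtrue`, so a truthy value other than `true` is treated as false. I would add two lines such as `* +fill+ is passed as the _top_ argument of BN_rand(3) (default 0).` and `* +odd+ must be exactly +true+ to force an odd result.`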
@@ -936,7 +955,17 @@ ossl_bn_copy(VALUE self, VALUE other)
static VALUE
ossl_bn_uplus(VALUE self)
{
- return self;
+ VALUE obj;
+ BIGNUM *bn1, *bn2;
+
+ GetBN(self, bn1);
+ obj = NewBN(cBN);
+ bn2 = BN_dup(bn1);
+ if (!bn2)
+ ossl_raise(eBNError, "BN_dup");
+ SetBN(obj, bn2);
+
+ return obj;
}
/*
@@ -960,6 +989,24 @@ ossl_bn_uminus(VALUE self)
return obj;
}
+/*
+ * call-seq:
+ * bn.abs -> aBN
+ */
+static VALUE
+ossl_bn_abs(VALUE self)
+{
+ BIGNUM *bn1;
+
+ GetBN(self, bn1);
+ if (BN_is_negative(bn1)) {
+ return ossl_bn_uminus(self);
+ }
+ else {
+ return ossl_bn_uplus(self);
+ }
+}
+
#define BIGNUM_CMP(func) \
static VALUE \
ossl_bn_##func(VALUE self, VALUE other) \
@@ -1068,34 +1115,29 @@ ossl_bn_hash(VALUE self)
* bn.prime? => true | false
* bn.prime?(checks) => true | false
*
- * Performs a Miller-Rabin probabilistic primality test with _checks_
- * iterations. If _checks_ is not specified, a number of iterations is used
- * that yields a false positive rate of at most 2^-80 for random input.
+ * Performs a Miller-Rabin probabilistic primality test for +bn+.
*
- * === Parameters
- * * _checks_ - integer
+ * <b>+checks+ parameter is deprecated in version 3.0.</b> It has no effect.
*/
static VALUE
ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)
{
BIGNUM *bn;
- VALUE vchecks;
- int checks = BN_prime_checks;
+ int ret;
- if (rb_scan_args(argc, argv, "01", &vchecks) == 1) {
- checks = NUM2INT(vchecks);
- }
+ rb_check_arity(argc, 0, 1);
GetBN(self, bn);
- switch (BN_is_prime_ex(bn, checks, ossl_bn_ctx, NULL)) {
- case 1:
- return Qtrue;
- case 0:
- return Qfalse;
- default:
- ossl_raise(eBNError, NULL);
- }
- /* not reachable */
- return Qnil;
+
+#ifdef HAVE_BN_CHECK_PRIME
+ ret = BN_check_prime(bn, ossl_bn_ctx, NULL);
+ if (ret < 0)
+ ossl_raise(eBNError, "BN_check_prime");
+#else
+ ret = BN_is_prime_fasttest_ex(bn, BN_prime_checks, ossl_bn_ctx, 1, NULL);
+ if (ret < 0)
+ ossl_raise(eBNError, "BN_is_prime_fasttest_ex");
+#endif
+ return ret ? Qtrue : Qfalse;
}
/*
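Review bot: `prime?` still accepts a `checks` argument but discards it; `rb_check_arity(argc, 0, 1)` is the only use of `argc`. A caller that used to request extra Miller-Rabin rounds therefore gets the library default with no signal at run time. The doc comment records the deprecation, but a warning on use would make it visible, e.g. `if (argc > 0) rb_warning("BN#prime?: the checks argument is ignored");`, assuming the project is willing to warn here. The same applies to `prime_fasttest?` in the next hunk, which forwards to this function with `argc` forced to 0.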
@@ -1104,39 +1146,52 @@ ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)
* bn.prime_fasttest?(checks) => true | false
* bn.prime_fasttest?(checks, trial_div) => true | false
*
- * Performs a Miller-Rabin primality test. This is same as #prime? except this
- * first attempts trial divisions with some small primes.
+ * Performs a Miller-Rabin probabilistic primality test for +bn+.
*
- * === Parameters
- * * _checks_ - integer
- * * _trial_div_ - boolean
+ * <b>Deprecated in version 3.0.</b> Use #prime? instead.
+ *
+ * +checks+ and +trial_div+ parameters no longer have any effect.
*/
static VALUE
ossl_bn_is_prime_fasttest(int argc, VALUE *argv, VALUE self)
{
+ rb_check_arity(argc, 0, 2);
+ return ossl_bn_is_prime(0, argv, self);
+}
+
+/*
+ * call-seq:
+ * bn.get_flags(flags) => flags
+ *
+ * Returns the flags on the BN object.
+ * The argument is used as a bit mask.
+ *
+ * === Parameters
+ * * _flags_ - integer
+ */
+static VALUE
+ossl_bn_get_flags(VALUE self, VALUE arg)
+{
BIGNUM *bn;
- VALUE vchecks, vtrivdiv;
- int checks = BN_prime_checks, do_trial_division = 1;
+ GetBN(self, bn);
- rb_scan_args(argc, argv, "02", &vchecks, &vtrivdiv);
+ return INT2NUM(BN_get_flags(bn, NUM2INT(arg)));
+}
- if (!NIL_P(vchecks)) {
- checks = NUM2INT(vchecks);
- }
+/*
+ * call-seq:
+ * bn.set_flags(flags) => nil
+ *
+ * Enables the flags on the BN object.
+ * Currently, the flags argument can contain zero of OpenSSL::BN::CONSTTIME.
+ */
+static VALUE
+ossl_bn_set_flags(VALUE self, VALUE arg)
+{
+ BIGNUM *bn;
GetBN(self, bn);
- /* handle true/false */
- if (vtrivdiv == Qfalse) {
- do_trial_division = 0;
- }
- switch (BN_is_prime_fasttest_ex(bn, checks, ossl_bn_ctx, do_trial_division, NULL)) {
- case 1:
- return Qtrue;
- case 0:
- return Qfalse;
- default:
- ossl_raise(eBNError, NULL);
- }
- /* not reachable */
+
+ BN_set_flags(bn, NUM2INT(arg));
return Qnil;
}
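Review bot: `ossl_bn_set_flags` passes `NUM2INT(arg)` straight to `BN_set_flags`, so any bit can be set from Ruby. That includes the `BN_FLG_MALLOCED` and `BN_FLG_STATIC_DATA` values which the comment added in `Init_ossl_bn` says "leads to memory leak" and deliberately leaves unexported. Hiding the constants does not stop a caller from passing the raw integers, so the argument should be masked to the supported set, e.g. `int flags = NUM2INT(arg);` then `if (flags & ~BN_FLG_CONSTTIME) rb_raise(rb_eArgError, "unsupported BN flags");` before `BN_set_flags(bn, flags);`. This assumes `BN_FLG_CONSTTIME` is defined, which the diff guards with `#ifdef`. The doc line "can contain zero of OpenSSL::BN::CONSTTIME" also reads as if a word is missing.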
@@ -1176,6 +1231,7 @@ Init_ossl_bn(void)
rb_define_method(cBN, "+@", ossl_bn_uplus, 0);
rb_define_method(cBN, "-@", ossl_bn_uminus, 0);
+ rb_define_method(cBN, "abs", ossl_bn_abs, 0);
rb_define_method(cBN, "+", ossl_bn_add, 1);
rb_define_method(cBN, "-", ossl_bn_sub, 1);
@@ -1189,6 +1245,7 @@ Init_ossl_bn(void)
rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);
rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);
rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);
+ rb_define_method(cBN, "mod_sqrt", ossl_bn_mod_sqrt, 1);
rb_define_method(cBN, "**", ossl_bn_exp, 1);
rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);
rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);
@@ -1219,9 +1276,9 @@ Init_ossl_bn(void)
* get_word */
rb_define_singleton_method(cBN, "rand", ossl_bn_s_rand, -1);
- rb_define_singleton_method(cBN, "pseudo_rand", ossl_bn_s_pseudo_rand, -1);
rb_define_singleton_method(cBN, "rand_range", ossl_bn_s_rand_range, 1);
- rb_define_singleton_method(cBN, "pseudo_rand_range", ossl_bn_s_pseudo_rand_range, 1);
+ rb_define_alias(rb_singleton_class(cBN), "pseudo_rand", "rand");
+ rb_define_alias(rb_singleton_class(cBN), "pseudo_rand_range", "rand_range");
rb_define_singleton_method(cBN, "generate_prime", ossl_bn_s_generate_prime, -1);
rb_define_method(cBN, "prime?", ossl_bn_is_prime, -1);
@@ -1238,6 +1295,23 @@ Init_ossl_bn(void)
/* lshift1 - DON'T IMPL. */
/* rshift1 - DON'T IMPL. */
+ rb_define_method(cBN, "get_flags", ossl_bn_get_flags, 1);
+ rb_define_method(cBN, "set_flags", ossl_bn_set_flags, 1);
+
+#ifdef BN_FLG_CONSTTIME
+ rb_define_const(cBN, "CONSTTIME", INT2NUM(BN_FLG_CONSTTIME));
+#endif
+ /* BN_FLG_MALLOCED and BN_FLG_STATIC_DATA seems for C programming.
+ * Allowing them leads to memory leak.
+ * So, for now, they are not exported
+#ifdef BN_FLG_MALLOCED
+ rb_define_const(cBN, "MALLOCED", INT2NUM(BN_FLG_MALLOCED));
+#endif
+#ifdef BN_FLG_STATIC_DATA
+ rb_define_const(cBN, "STATIC_DATA", INT2NUM(BN_FLG_STATIC_DATA));
+#endif
+ */
+
/*
* bn2bin
* bin2bn
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index 28f5c1b5ef..1910a5cdee 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -42,7 +42,7 @@ static const rb_data_type_t ossl_cipher_type = {
{
0, ossl_cipher_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -149,11 +149,11 @@ ossl_cipher_copy(VALUE self, VALUE other)
return self;
}
-static void*
-add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary)
+static void
+add_cipher_name_to_ary(const OBJ_NAME *name, void *arg)
{
+ VALUE ary = (VALUE)arg;
rb_ary_push(ary, rb_str_new2(name->name));
- return NULL;
}
/*
@@ -169,7 +169,7 @@ ossl_s_ciphers(VALUE self)
ary = rb_ary_new();
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
- (void(*)(const OBJ_NAME*,void*))add_cipher_name_to_ary,
+ add_cipher_name_to_ary,
(void*)ary);
return ary;
@@ -384,8 +384,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
StringValue(data);
in = (unsigned char *)RSTRING_PTR(data);
- if ((in_len = RSTRING_LEN(data)) == 0)
- ossl_raise(rb_eArgError, "data must not be empty");
+ in_len = RSTRING_LEN(data);
GetCipher(self, ctx);
out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
if (out_len <= 0) {
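Review bot: The `out_len <= 0` guard on the context lines runs only after `in_len+EVP_CIPHER_CTX_block_size(ctx)` has been computed, so it cannot reliably catch an overflow. If `in_len` and `out_len` are signed (they are declared outside this hunk, presumably as `long`), the overflowing addition is already undefined behaviour. Checking before the addition is safer, e.g. `if (in_len > LONG_MAX - EVP_CIPHER_CTX_block_size(ctx))` followed by the existing raise. Since this commit makes empty input valid, a short comment noting that a zero-length `data` sizes the output buffer at one block would help the next reader. The body of `ossl_cipher_update` continues outside the hunk.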
@@ -443,8 +442,8 @@ ossl_cipher_final(VALUE self)
* call-seq:
* cipher.name -> string
*
- * Returns the name of the cipher which may differ slightly from the original
- * name provided.
+ * Returns the short name of the cipher which may differ slightly from the
+ * original name provided.
*/
static VALUE
ossl_cipher_name(VALUE self)
diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
index 21c327b26b..0e598b4d51 100644
--- a/ext/openssl/ossl_config.c
+++ b/ext/openssl/ossl_config.c
@@ -22,7 +22,7 @@ static const rb_data_type_t ossl_config_type = {
{
0, nconf_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
CONF *
@@ -60,7 +60,7 @@ config_load_bio(CONF *conf, BIO *bio)
if (eline <= 0)
ossl_raise(eConfigError, "wrong config format");
else
- ossl_raise(eConfigError, "error in line %d", eline);
+ ossl_raise(eConfigError, "error in line %ld", eline);
}
BIO_free(bio);
diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c
index d327f718e2..1ae26a2355 100644
--- a/ext/openssl/ossl_digest.c
+++ b/ext/openssl/ossl_digest.c
@@ -35,7 +35,7 @@ static const rb_data_type_t ossl_digest_type = {
{
0, ossl_digest_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -63,7 +63,7 @@ ossl_evp_get_digestbyname(VALUE obj)
GetDigest(obj, ctx);
- md = EVP_MD_CTX_md(ctx);
+ md = EVP_MD_CTX_get0_md(ctx);
}
return md;
@@ -103,7 +103,8 @@ VALUE ossl_digest_update(VALUE, VALUE);
* Digest.new(string [, data]) -> Digest
*
* Creates a Digest instance based on _string_, which is either the ln
- * (long name) or sn (short name) of a supported digest algorithm.
+ * (long name) or sn (short name) of a supported digest algorithm. A list of
+ * supported algorithms can be obtained by calling OpenSSL::Digest.digests.
*
* If _data_ (a String) is given, it is used as the initial input to the
* Digest instance, i.e.
@@ -162,6 +163,32 @@ ossl_digest_copy(VALUE self, VALUE other)
return self;
}
+static void
+add_digest_name_to_ary(const OBJ_NAME *name, void *arg)
+{
+ VALUE ary = (VALUE)arg;
+ rb_ary_push(ary, rb_str_new2(name->name));
+}
+
+/*
+ * call-seq:
+ * OpenSSL::Digest.digests -> array[string...]
+ *
+ * Returns the names of all available digests in an array.
+ */
+static VALUE
+ossl_s_digests(VALUE self)
+{
+ VALUE ary;
+
+ ary = rb_ary_new();
+ OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
+ add_digest_name_to_ary,
+ (void*)ary);
+
+ return ary;
+}
+
/*
* call-seq:
* digest.reset -> self
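Review bot: `add_digest_name_to_ary` calls `rb_str_new2` and `rb_ary_push` from inside the `OBJ_NAME_do_all_sorted` callback, and both can raise on allocation failure. A Ruby exception would unwind through the OpenSSL frame and skip whatever cleanup it does after the loop; presumably it frees a temporary sorted name list. A low-cost mitigation is a comment on the callback stating that it must not raise. Alternatively, collect the `const char *` names first and build the Ruby array after the OpenSSL call returns. The helper is also identical to `add_cipher_name_to_ary` in ossl_cipher.c apart from its name, so one shared helper would do.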
@@ -176,7 +203,7 @@ ossl_digest_reset(VALUE self)
EVP_MD_CTX *ctx;
GetDigest(self, ctx);
- if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
+ if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) {
ossl_raise(eDigestError, "Digest initialization failed.");
}
@@ -245,7 +272,8 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
* call-seq:
* digest.name -> string
*
- * Returns the sn of this Digest algorithm.
+ * Returns the short name of this Digest algorithm which may differ slightly
+ * from the original name provided.
*
* === Example
* digest = OpenSSL::Digest.new('SHA512')
@@ -259,7 +287,7 @@ ossl_digest_name(VALUE self)
GetDigest(self, ctx);
- return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx)));
+ return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx)));
}
/*
@@ -313,8 +341,6 @@ ossl_digest_block_length(VALUE self)
void
Init_ossl_digest(void)
{
- rb_require("digest");
-
#if 0
mOSSL = rb_define_module("OpenSSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
@@ -398,6 +424,12 @@ Init_ossl_digest(void)
* digest2 = sha256.digest(data2)
*
*/
+
+ /*
+ * Digest::Class is defined by the digest library. rb_require() cannot be
+ * used here because it bypasses RubyGems.
+ */
+ rb_funcall(Qnil, rb_intern_const("require"), 1, rb_str_new_cstr("digest"));
cDigest = rb_define_class_under(mOSSL, "Digest", rb_path2class("Digest::Class"));
/* Document-class: OpenSSL::Digest::DigestError
*
@@ -408,6 +440,7 @@ Init_ossl_digest(void)
rb_define_alloc_func(cDigest, ossl_digest_alloc);
+ rb_define_module_function(cDigest, "digests", ossl_s_digests, 0);
rb_define_method(cDigest, "initialize", ossl_digest_initialize, -1);
rb_define_method(cDigest, "initialize_copy", ossl_digest_copy, 1);
rb_define_method(cDigest, "reset", ossl_digest_reset, 0);
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index 661a1368e2..9e86321d06 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -9,7 +9,8 @@
*/
#include "ossl.h"
-#if !defined(OPENSSL_NO_ENGINE)
+#ifdef OSSL_USE_ENGINE
+# include <openssl/engine.h>
#define NewEngine(klass) \
TypedData_Wrap_Struct((klass), &ossl_engine_type, 0)
@@ -77,7 +78,7 @@ static const rb_data_type_t ossl_engine_type = {
{
0, ossl_engine_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
index a21db6c481..c485ba7e67 100644
--- a/ext/openssl/ossl_hmac.c
+++ b/ext/openssl/ossl_hmac.c
@@ -42,7 +42,7 @@ static const rb_data_type_t ossl_hmac_type = {
{
0, ossl_hmac_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -97,11 +97,19 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
GetHMAC(self, ctx);
StringValue(key);
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ (unsigned char *)RSTRING_PTR(key),
+ RSTRING_LENINT(key));
+ if (!pkey)
+ ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
+#else
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
(unsigned char *)RSTRING_PTR(key),
RSTRING_LENINT(key));
if (!pkey)
ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
+#endif
if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
NULL, pkey) != 1) {
EVP_PKEY_free(pkey);
@@ -175,7 +183,7 @@ static VALUE
ossl_hmac_digest(VALUE self)
{
EVP_MD_CTX *ctx;
- size_t buf_len;
+ size_t buf_len = EVP_MAX_MD_SIZE;
VALUE ret;
GetHMAC(self, ctx);
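Review bot: `size_t buf_len = EVP_MAX_MD_SIZE;` is initialised without a comment saying why, so a later reader may take the initialiser for redundant and drop it. If buf_len is handed to the finalisation call below the hunk as an in/out length, which its name and the chosen value suggest, the value is the buffer capacity on input; a comment such as `/* in: capacity of the output buffer, out: bytes written */` would record that. The same line in ossl_hmac_hexdigest (next hunk) needs the same comment. Both function bodies continue outside their hunks.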
@@ -200,7 +208,7 @@ ossl_hmac_hexdigest(VALUE self)
{
EVP_MD_CTX *ctx;
unsigned char buf[EVP_MAX_MD_SIZE];
- size_t buf_len;
+ size_t buf_len = EVP_MAX_MD_SIZE;
VALUE ret;
GetHMAC(self, ctx);
@@ -238,8 +246,8 @@ ossl_hmac_reset(VALUE self)
EVP_PKEY *pkey;
GetHMAC(self, ctx);
- pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
- if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
+ if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
ossl_raise(eHMACError, "EVP_DigestSignInit");
return self;
diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c
index 486e789458..ba197a659e 100644
--- a/ext/openssl/ossl_kdf.c
+++ b/ext/openssl/ossl_kdf.c
@@ -3,7 +3,7 @@
* Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
*/
#include "ossl.h"
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
# include <openssl/kdf.h>
#endif
@@ -18,10 +18,10 @@ static VALUE mKDF, eKDF;
* of _length_ bytes.
*
* For more information about PBKDF2, see RFC 2898 Section 5.2
- * (https://tools.ietf.org/html/rfc2898#section-5.2).
+ * (https://www.rfc-editor.org/rfc/rfc2898#section-5.2).
*
* === Parameters
- * pass :: The passphrase.
+ * pass :: The password.
* salt :: The salt. Salts prevent attacks based on dictionaries of common
* passwords and attacks based on rainbow tables. It is a public
* value that can be safely stored along with the password (e.g.
@@ -81,10 +81,10 @@ kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
* bcrypt.
*
* The keyword arguments _N_, _r_ and _p_ can be used to tune scrypt. RFC 7914
- * (published on 2016-08, https://tools.ietf.org/html/rfc7914#section-2) states
+ * (published on 2016-08, https://www.rfc-editor.org/rfc/rfc7914#section-2) states
* that using values r=8 and p=1 appears to yield good results.
*
- * See RFC 7914 (https://tools.ietf.org/html/rfc7914) for more information.
+ * See RFC 7914 (https://www.rfc-editor.org/rfc/rfc7914) for more information.
*
* === Parameters
* pass :: Passphrase.
@@ -141,13 +141,13 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
}
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
/*
* call-seq:
* KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
*
* HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as specified in
- * {RFC 5869}[https://tools.ietf.org/html/rfc5869].
+ * {RFC 5869}[https://www.rfc-editor.org/rfc/rfc5869].
*
* New in OpenSSL 1.1.0.
*
@@ -163,6 +163,14 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
* HashLen is the length of the hash function output in octets.
* _hash_::
* The hash function.
+ *
+ * === Example
+ * # The values from https://www.rfc-editor.org/rfc/rfc5869#appendix-A.1
+ * ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
+ * salt = ["000102030405060708090a0b0c"].pack("H*")
+ * info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")
+ * p OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: 42, hash: "SHA256").unpack1("H*")
+ * # => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
*/
static VALUE
kdf_hkdf(int argc, VALUE *argv, VALUE self)
@@ -297,7 +305,7 @@ Init_ossl_kdf(void)
#if defined(HAVE_EVP_PBE_SCRYPT)
rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
#endif
}
diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c
index 9b1147367a..9d70b5d87a 100644
--- a/ext/openssl/ossl_ns_spki.c
+++ b/ext/openssl/ossl_ns_spki.c
@@ -50,7 +50,7 @@ static const rb_data_type_t ossl_netscape_spki_type = {
{
0, ossl_netscape_spki_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -365,8 +365,8 @@ ossl_spki_verify(VALUE self, VALUE key)
*
* OpenSSL::Netscape is a namespace for SPKI (Simple Public Key
* Infrastructure) which implements Signed Public Key and Challenge.
- * See {RFC 2692}[http://tools.ietf.org/html/rfc2692] and {RFC
- * 2693}[http://tools.ietf.org/html/rfc2692] for details.
+ * See {RFC 2692}[https://www.rfc-editor.org/rfc/rfc2692] and {RFC
+ * 2693}[https://www.rfc-editor.org/rfc/rfc2692] for details.
*/
/* Document-class: OpenSSL::Netscape::SPKIError
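Review bot: The link labelled RFC 2693 still points at rfc2692: `2693}[https://www.rfc-editor.org/rfc/rfc2692]`. The host was updated but the document number was carried over unchanged from the old line, so both references resolve to the same RFC. It should read `2693}[https://www.rfc-editor.org/rfc/rfc2693]`.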
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 0ade7adde7..df986bb3ee 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -86,7 +86,7 @@ static const rb_data_type_t ossl_ocsp_request_type = {
{
0, ossl_ocsp_request_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -100,7 +100,7 @@ static const rb_data_type_t ossl_ocsp_response_type = {
{
0, ossl_ocsp_response_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -114,7 +114,7 @@ static const rb_data_type_t ossl_ocsp_basicresp_type = {
{
0, ossl_ocsp_basicresp_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -128,7 +128,7 @@ static const rb_data_type_t ossl_ocsp_singleresp_type = {
{
0, ossl_ocsp_singleresp_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -142,7 +142,7 @@ static const rb_data_type_t ossl_ocsp_certid_type = {
{
0, ossl_ocsp_certid_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -157,7 +157,7 @@ ossl_ocspcertid_new(OCSP_CERTID *cid)
}
/*
- * OCSP::Resquest
+ * OCSP::Request
*/
static VALUE
ossl_ocspreq_alloc(VALUE klass)
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
if (!NIL_P(flags))
flg = NUM2INT(flags);
if (NIL_P(digest))
- md = EVP_sha1();
+ md = NULL;
else
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(certs))
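Review bot: With `md = NULL` a nil _digest_ no longer selects SHA-1, and nothing in the hunk records what is used instead; the choice is presumably left to the signing call, which is outside the hunk. A comment on the assignment, e.g. `/* NULL: let OpenSSL pick the default digest for the signer key */`, and a sentence in the method's rdoc would make the new default visible to callers that relied on the old one. The same applies to ossl_ocspbres_sign in the hunk at -1033. The body of ossl_ocspreq_sign starts and ends outside this hunk.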
@@ -803,7 +803,7 @@ add_status_convert_time(VALUE obj)
* revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
* _revocation_time_ is the time when the certificate is revoked.
*
- * _this_update_ and _next_update_ indicate the time at which ths status is
+ * _this_update_ and _next_update_ indicate the time at which the status is
* verified to be correct and the time at or before which newer information
* will be available, respectively. _next_update_ is optional.
*
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
if (!NIL_P(flags))
flg = NUM2INT(flags);
if (NIL_P(digest))
- md = EVP_sha1();
+ md = NULL;
else
md = ossl_evp_get_digestbyname(digest);
if (NIL_P(certs))
@@ -1069,55 +1069,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
-#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
- /*
- * OpenSSL had a bug that it doesn't use the certificates in x509s for
- * verifying the chain. This can be a problem when the response is signed by
- * a certificate issued by an intermediate CA.
- *
- * root_ca
- * |
- * intermediate_ca
- * |-------------|
- * end_entity ocsp_signer
- *
- * When the certificate hierarchy is like this, and the response contains
- * only ocsp_signer certificate, the following code wrongly fails.
- *
- * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
- * basic_response.verify([intermediate_ca], store)
- *
- * So add the certificates in x509s to the embedded certificates list first.
- *
- * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
- * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
- */
- if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
- sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
- int i;
-
- bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
- if (!bs) {
- sk_X509_pop_free(x509s, X509_free);
- ossl_raise(eOCSPError, "ASN1_item_dup");
- }
-
- for (i = 0; i < sk_X509_num(x509s); i++) {
- if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
- sk_X509_pop_free(x509s, X509_free);
- OCSP_BASICRESP_free(bs);
- ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
- }
- }
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
- OCSP_BASICRESP_free(bs);
- }
- else {
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
- }
-#else
result = OCSP_basic_verify(bs, x509s, x509st, flg);
-#endif
sk_X509_pop_free(x509s, X509_free);
if (result <= 0)
ossl_clear_error();
@@ -1749,7 +1701,7 @@ Init_ossl_ocsp(void)
* require 'net/http'
*
* http_response =
- * Net::HTTP.start ocsp_uri.hostname, ocsp.port do |http|
+ * Net::HTTP.start ocsp_uri.hostname, ocsp_uri.port do |http|
* http.post ocsp_uri.path, request.to_der,
* 'content-type' => 'application/ocsp-request'
* end
diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c
index 4566334481..164b2da465 100644
--- a/ext/openssl/ossl_pkcs12.c
+++ b/ext/openssl/ossl_pkcs12.c
@@ -44,7 +44,7 @@ static const rb_data_type_t ossl_pkcs12_type = {
{
0, ossl_pkcs12_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -149,6 +149,24 @@ ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
return obj;
}
+static VALUE
+ossl_pkey_new_i(VALUE arg)
+{
+ return ossl_pkey_new((EVP_PKEY *)arg);
+}
+
+static VALUE
+ossl_x509_new_i(VALUE arg)
+{
+ return ossl_x509_new((X509 *)arg);
+}
+
+static VALUE
+ossl_x509_sk2ary_i(VALUE arg)
+{
+ return ossl_x509_sk2ary((STACK_OF(X509) *)arg);
+}
+
/*
* call-seq:
* PKCS12.new -> pkcs12
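Review bot: The three `_i` wrappers (ossl_pkey_new_i, ossl_x509_new_i, ossl_x509_sk2ary_i) are added without a comment, and on their own they look like needless indirection. One comment above the first would state the reason: `/* rb_protect() takes a VALUE (*)(VALUE); these adapters avoid calling the constructors through a cast function pointer of a different type */`. That also tells a future reader not to fold them back into the casts that the next hunk removes.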
@@ -186,15 +204,15 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
ossl_raise(ePKCS12Error, "PKCS12_parse");
ERR_pop_to_mark();
if (key) {
- pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key, &st);
+ pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st);
if (st) goto err;
}
if (x509) {
- cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
+ cert = rb_protect(ossl_x509_new_i, (VALUE)x509, &st);
if (st) goto err;
}
if (x509s) {
- ca = rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
+ ca = rb_protect(ossl_x509_sk2ary_i, (VALUE)x509s, &st);
if (st) goto err;
}
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 0bcc76a9fd..78dcbd667a 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -65,7 +65,7 @@ const rb_data_type_t ossl_pkcs7_type = {
{
0, ossl_pkcs7_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -79,7 +79,7 @@ static const rb_data_type_t ossl_pkcs7_signer_info_type = {
{
0, ossl_pkcs7_signer_info_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -93,7 +93,7 @@ static const rb_data_type_t ossl_pkcs7_recip_info_type = {
{
0, ossl_pkcs7_recip_info_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -330,7 +330,7 @@ ossl_pkcs7_alloc(VALUE klass)
static VALUE
ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
{
- PKCS7 *p7, *pkcs = DATA_PTR(self);
+ PKCS7 *p7, *p7_orig = RTYPEDDATA_DATA(self);
BIO *in;
VALUE arg;
@@ -338,19 +338,17 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
return self;
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(&arg);
- p7 = PEM_read_bio_PKCS7(in, &pkcs, NULL, NULL);
+ p7 = d2i_PKCS7_bio(in, NULL);
if (!p7) {
- OSSL_BIO_reset(in);
- p7 = d2i_PKCS7_bio(in, &pkcs);
- if (!p7) {
- BIO_free(in);
- PKCS7_free(pkcs);
- DATA_PTR(self) = NULL;
- ossl_raise(rb_eArgError, "Could not parse the PKCS7");
- }
+ OSSL_BIO_reset(in);
+ p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
}
- DATA_PTR(self) = pkcs;
BIO_free(in);
+ if (!p7)
+ ossl_raise(rb_eArgError, "Could not parse the PKCS7");
+
+ RTYPEDDATA_DATA(self) = p7;
+ PKCS7_free(p7_orig);
ossl_pkcs7_set_data(self, Qnil);
ossl_pkcs7_set_err_string(self, Qnil);
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 1c1f80bf80..013412c27f 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -9,6 +9,10 @@
*/
#include "ossl.h"
+#ifdef OSSL_USE_ENGINE
+# include <openssl/engine.h>
+#endif
+
/*
* Classes
*/
@@ -17,64 +21,6 @@ VALUE cPKey;
VALUE ePKeyError;
static ID id_private_q;
-/*
- * callback for generating keys
- */
-static VALUE
-call_check_ints0(VALUE arg)
-{
- rb_thread_check_ints();
- return Qnil;
-}
-
-static void *
-call_check_ints(void *arg)
-{
- int state;
- rb_protect(call_check_ints0, Qnil, &state);
- return (void *)(VALUE)state;
-}
-
-int
-ossl_generate_cb_2(int p, int n, BN_GENCB *cb)
-{
- VALUE ary;
- struct ossl_generate_cb_arg *arg;
- int state;
-
- arg = (struct ossl_generate_cb_arg *)BN_GENCB_get_arg(cb);
- if (arg->yield) {
- ary = rb_ary_new2(2);
- rb_ary_store(ary, 0, INT2NUM(p));
- rb_ary_store(ary, 1, INT2NUM(n));
-
- /*
- * can be break by raising exception or 'break'
- */
- rb_protect(rb_yield, ary, &state);
- if (state) {
- arg->state = state;
- return 0;
- }
- }
- if (arg->interrupted) {
- arg->interrupted = 0;
- state = (int)(VALUE)rb_thread_call_with_gvl(call_check_ints, NULL);
- if (state) {
- arg->state = state;
- return 0;
- }
- }
- return 1;
-}
-
-void
-ossl_generate_cb_stop(void *ptr)
-{
- struct ossl_generate_cb_arg *arg = (struct ossl_generate_cb_arg *)ptr;
- arg->interrupted = 1;
-}
-
static void
ossl_evp_pkey_free(void *ptr)
{
@@ -89,19 +35,16 @@ const rb_data_type_t ossl_evp_pkey_type = {
{
0, ossl_evp_pkey_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
-pkey_new0(EVP_PKEY *pkey)
+pkey_new0(VALUE arg)
{
+ EVP_PKEY *pkey = (EVP_PKEY *)arg;
VALUE klass, obj;
- int type;
- if (!pkey || (type = EVP_PKEY_base_id(pkey)) == EVP_PKEY_NONE)
- ossl_raise(rb_eRuntimeError, "pkey is empty");
-
- switch (type) {
+ switch (EVP_PKEY_base_id(pkey)) {
#if !defined(OPENSSL_NO_RSA)
case EVP_PKEY_RSA: klass = cRSA; break;
#endif
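Review bot: pkey_new0() now passes `pkey` straight to `EVP_PKEY_base_id()`, and the removed `if (!pkey || ...) ossl_raise(rb_eRuntimeError, "pkey is empty");` was the only guard in this function against a NULL or typeless key. If every caller of ossl_pkey_new() already guarantees a non-NULL key, that precondition should be written down, e.g. `/* pkey must be non-NULL */` above the function; otherwise keep `if (!pkey) ossl_raise(rb_eRuntimeError, "pkey is empty");` ahead of the switch. The function body continues in the next hunk.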
@@ -116,8 +59,8 @@ pkey_new0(EVP_PKEY *pkey)
#endif
default: klass = cPKey; break;
}
- obj = NewPKey(klass);
- SetPKey(obj, pkey);
+ obj = rb_obj_alloc(klass);
+ RTYPEDDATA_DATA(obj) = pkey;
return obj;
}
@@ -127,7 +70,7 @@ ossl_pkey_new(EVP_PKEY *pkey)
VALUE obj;
int status;
- obj = rb_protect((VALUE (*)(VALUE))pkey_new0, (VALUE)pkey, &status);
+ obj = rb_protect(pkey_new0, (VALUE)pkey, &status);
if (status) {
EVP_PKEY_free(pkey);
rb_jump_tag(status);
@@ -136,6 +79,107 @@ ossl_pkey_new(EVP_PKEY *pkey)
return obj;
}
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+# include <openssl/decoder.h>
+
+static EVP_PKEY *
+ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
+{
+ void *ppass = (void *)pass;
+ OSSL_DECODER_CTX *dctx;
+ EVP_PKEY *pkey = NULL;
+ int pos = 0, pos2;
+
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
+ selection, NULL, NULL);
+ if (!dctx)
+ goto out;
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
+ ppass) != 1)
+ goto out;
+ while (1) {
+ if (OSSL_DECODER_from_bio(dctx, bio) == 1)
+ goto out;
+ if (BIO_eof(bio))
+ break;
+ pos2 = BIO_tell(bio);
+ if (pos2 < 0 || pos2 <= pos)
+ break;
+ ossl_clear_error();
+ pos = pos2;
+ }
+ out:
+ OSSL_BIO_reset(bio);
+ OSSL_DECODER_CTX_free(dctx);
+ return pkey;
+}
+
+EVP_PKEY *
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
+{
+ EVP_PKEY *pkey = NULL;
+ /* First check DER, then check PEM. */
+ const char *input_types[] = {"DER", "PEM"};
+ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
+ /*
+ * Non-zero selections to try to decode.
+ *
+ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
+ *
+ * This is a workaround for the decoder failing to decode or returning
+ * bogus keys with selection 0, if a key management provider is different
+ * from a decoder provider. The workaround is to avoid using selection 0.
+ *
+ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
+ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
+ *
+ * See https://github.com/openssl/openssl/pull/21519 for details.
+ *
+ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
+ * compatibility with ruby/openssl < 3.0 which decoded the following as a
+ * private key.
+ *
+ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
+ * -----BEGIN EC PARAMETERS-----
+ * BggqhkjOPQMBBw==
+ * -----END EC PARAMETERS-----
+ * -----BEGIN EC PRIVATE KEY-----
+ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
+ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
+ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
+ * -----END EC PRIVATE KEY-----
+ *
+ * While the first PEM block is a proper encoding of ECParameters, thus
+ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
+ * the latter instead. Existing applications expect this behavior.
+ *
+ * Note that normally, the input is supposed to contain a single decodable
+ * PEM block only, so this special handling should not create a new problem.
+ *
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
+ * we use the different selection as a workaround.
+ * See https://github.com/openssl/openssl/issues/20657 for details.
+ */
+ int selections[] = {
+ EVP_PKEY_KEYPAIR,
+ EVP_PKEY_KEY_PARAMETERS,
+ EVP_PKEY_PUBLIC_KEY
+ };
+ int selection_num = (int)(sizeof(selections) / sizeof(int));
+ int i, j;
+
+ for (i = 0; i < input_type_num; i++) {
+ for (j = 0; j < selection_num; j++) {
+ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
+ if (pkey) {
+ goto out;
+ }
+ }
+ }
+ out:
+ return pkey;
+}
+#else
EVP_PKEY *
ossl_pkey_read_generic(BIO *bio, VALUE pass)
{
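Review bot: ossl_pkey_read_generic() can call ossl_pkey_read() up to six times (two input types times three selections), and every call installs `ossl_pem_passwd_cb` on a fresh decoder context. For an encrypted key with a wrong or missing password the callback may therefore run once per attempt. The long comment explains the selection order but not this side effect; a line such as `/* NOTE: the password callback may be invoked once per (input type, selection) attempt */` would document it. Separately, `sizeof(input_types) / sizeof(input_types[0])` and `sizeof(selections) / sizeof(selections[0])` would tie the counts to the arrays instead of a repeated type name.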
@@ -164,6 +208,7 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
out:
return pkey;
}
+#endif
/*
* call-seq:
@@ -198,7 +243,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
}
static VALUE
-pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
+pkey_ctx_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
{
VALUE key = rb_ary_entry(i, 0), value = rb_ary_entry(i, 1);
EVP_PKEY_CTX *ctx = (EVP_PKEY_CTX *)ctx_v;
@@ -214,22 +259,33 @@ pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
}
static VALUE
-pkey_gen_apply_options0(VALUE args_v)
+pkey_ctx_apply_options0(VALUE args_v)
{
VALUE *args = (VALUE *)args_v;
+ Check_Type(args[1], T_HASH);
rb_block_call(args[1], rb_intern("each"), 0, NULL,
- pkey_gen_apply_options_i, args[0]);
+ pkey_ctx_apply_options_i, args[0]);
return Qnil;
}
+static void
+pkey_ctx_apply_options(EVP_PKEY_CTX *ctx, VALUE options, int *state)
+{
+ VALUE args[2];
+ args[0] = (VALUE)ctx;
+ args[1] = options;
+
+ rb_protect(pkey_ctx_apply_options0, (VALUE)args, state);
+}
+
struct pkey_blocking_generate_arg {
EVP_PKEY_CTX *ctx;
EVP_PKEY *pkey;
int state;
- int yield: 1;
- int genparam: 1;
- int stop: 1;
+ unsigned int yield: 1;
+ unsigned int genparam: 1;
+ unsigned int interrupted: 1;
};
static VALUE
@@ -247,27 +303,50 @@ pkey_gen_cb_yield(VALUE ctx_v)
return rb_yield_values2(info_num, argv);
}
+static VALUE
+call_check_ints0(VALUE arg)
+{
+ rb_thread_check_ints();
+ return Qnil;
+}
+
+static void *
+call_check_ints(void *arg)
+{
+ int state;
+ rb_protect(call_check_ints0, Qnil, &state);
+ return (void *)(VALUE)state;
+}
+
static int
pkey_gen_cb(EVP_PKEY_CTX *ctx)
{
struct pkey_blocking_generate_arg *arg = EVP_PKEY_CTX_get_app_data(ctx);
+ int state;
if (arg->yield) {
- int state;
rb_protect(pkey_gen_cb_yield, (VALUE)ctx, &state);
if (state) {
- arg->stop = 1;
arg->state = state;
+ return 0;
+ }
+ }
+ if (arg->interrupted) {
+ arg->interrupted = 0;
+ state = (int)(VALUE)rb_thread_call_with_gvl(call_check_ints, NULL);
+ if (state) {
+ arg->state = state;
+ return 0;
}
}
- return !arg->stop;
+ return 1;
}
static void
pkey_blocking_gen_stop(void *ptr)
{
struct pkey_blocking_generate_arg *arg = ptr;
- arg->stop = 1;
+ arg->interrupted = 1;
}
static void *
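Review bot: `arg->interrupted` is cleared in pkey_gen_cb() and set in pkey_blocking_gen_stop(), while the struct in the previous hunk declares it as a 1-bit field next to `yield` and `genparam`. If pkey_blocking_gen_stop() runs on a different thread from the generator, as its role as a stop hook suggests, both writes are unsynchronised read-modify-write updates of the same storage unit. Declaring the flag as its own member, `int interrupted;`, after the bit-fields would keep a write to it from touching the neighbouring flags. A comment on the struct should also say which thread writes which member.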
@@ -300,6 +379,11 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
}
else {
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, StringValueCStr(alg), NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_from_name");
+#else
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *tmpeng;
int pkey_id;
@@ -318,6 +402,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
ctx = EVP_PKEY_CTX_new_id(pkey_id, NULL/* engine */);
if (!ctx)
ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_id");
+#endif
}
if (genparam && EVP_PKEY_paramgen_init(ctx) <= 0) {
@@ -330,11 +415,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
}
if (!NIL_P(options)) {
- VALUE args[2];
-
- args[0] = (VALUE)ctx;
- args[1] = options;
- rb_protect(pkey_gen_apply_options0, (VALUE)args, &state);
+ pkey_ctx_apply_options(ctx, options, &state);
if (state) {
EVP_PKEY_CTX_free(ctx);
rb_jump_tag(state);
@@ -417,9 +498,19 @@ ossl_pkey_s_generate_key(int argc, VALUE *argv, VALUE self)
return pkey_generate(argc, argv, self, 0);
}
+/*
+ * TODO: There is no convenient way to check the presence of public key
+ * components on OpenSSL 3.0. But since keys are immutable on 3.0, pkeys without
+ * these should only be created by OpenSSL::PKey.generate_parameters or by
+ * parsing DER-/PEM-encoded string. We would need another flag for that.
+ */
void
ossl_pkey_check_public_key(const EVP_PKEY *pkey)
{
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ if (EVP_PKEY_missing_parameters(pkey))
+ ossl_raise(ePKeyError, "parameters missing");
+#else
void *ptr;
const BIGNUM *n, *e, *pubkey;
@@ -455,6 +546,7 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey)
return;
}
ossl_raise(ePKeyError, "public key missing");
+#endif
}
EVP_PKEY *
@@ -504,16 +596,7 @@ DupPKeyPtr(VALUE obj)
static VALUE
ossl_pkey_alloc(VALUE klass)
{
- EVP_PKEY *pkey;
- VALUE obj;
-
- obj = NewPKey(klass);
- if (!(pkey = EVP_PKEY_new())) {
- ossl_raise(ePKeyError, NULL);
- }
- SetPKey(obj, pkey);
-
- return obj;
+ return TypedData_Wrap_Struct(klass, &ossl_evp_pkey_type, NULL);
}
/*
@@ -532,6 +615,92 @@ ossl_pkey_initialize(VALUE self)
return self;
}
+#ifdef HAVE_EVP_PKEY_DUP
+static VALUE
+ossl_pkey_initialize_copy(VALUE self, VALUE other)
+{
+ EVP_PKEY *pkey, *pkey_other;
+
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ TypedData_Get_Struct(other, EVP_PKEY, &ossl_evp_pkey_type, pkey_other);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
+ if (pkey_other) {
+ pkey = EVP_PKEY_dup(pkey_other);
+ if (!pkey)
+ ossl_raise(ePKeyError, "EVP_PKEY_dup");
+ RTYPEDDATA_DATA(self) = pkey;
+ }
+ return self;
+}
+#endif
+
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+/*
+ * call-seq:
+ * OpenSSL::PKey.new_raw_private_key(algo, string) -> PKey
+ *
+ * See the OpenSSL documentation for EVP_PKEY_new_raw_private_key()
+ */
+
+static VALUE
+ossl_pkey_new_raw_private_key(VALUE self, VALUE type, VALUE key)
+{
+ EVP_PKEY *pkey;
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ int pkey_id;
+ size_t keylen;
+
+ StringValue(type);
+ StringValue(key);
+ ameth = EVP_PKEY_asn1_find_str(NULL, RSTRING_PTR(type), RSTRING_LENINT(type));
+ if (!ameth)
+ ossl_raise(ePKeyError, "algorithm %"PRIsVALUE" not found", type);
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+
+ keylen = RSTRING_LEN(key);
+
+ pkey = EVP_PKEY_new_raw_private_key(pkey_id, NULL, (unsigned char *)RSTRING_PTR(key), keylen);
+ if (!pkey)
+ ossl_raise(ePKeyError, "EVP_PKEY_new_raw_private_key");
+
+ return ossl_pkey_new(pkey);
+}
+#endif
+
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+/*
+ * call-seq:
+ * OpenSSL::PKey.new_raw_public_key(algo, string) -> PKey
+ *
+ * See the OpenSSL documentation for EVP_PKEY_new_raw_public_key()
+ */
+
+static VALUE
+ossl_pkey_new_raw_public_key(VALUE self, VALUE type, VALUE key)
+{
+ EVP_PKEY *pkey;
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ int pkey_id;
+ size_t keylen;
+
+ StringValue(type);
+ StringValue(key);
+ ameth = EVP_PKEY_asn1_find_str(NULL, RSTRING_PTR(type), RSTRING_LENINT(type));
+ if (!ameth)
+ ossl_raise(ePKeyError, "algorithm %"PRIsVALUE" not found", type);
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+
+ keylen = RSTRING_LEN(key);
+
+ pkey = EVP_PKEY_new_raw_public_key(pkey_id, NULL, (unsigned char *)RSTRING_PTR(key), keylen);
+ if (!pkey)
+ ossl_raise(ePKeyError, "EVP_PKEY_new_raw_public_key");
+
+ return ossl_pkey_new(pkey);
+}
+#endif
+
/*
* call-seq:
* pkey.oid -> string
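Review bot: The rdoc for `new_raw_private_key` and `new_raw_public_key` only points to the OpenSSL man page, and it names the first argument `algo` while the C parameter is `type`. It does not say that the argument is an algorithm name resolved with `EVP_PKEY_asn1_find_str()`, nor that PKeyError is raised when the name is unknown or the constructor rejects the bytes. Each comment block could gain a line such as `* _algo_ is the algorithm name as a String; raises PKeyError if it is not found or the key is rejected.` The two functions also differ only in the final constructor call, so the name lookup could live in one static helper.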
@@ -568,6 +737,43 @@ ossl_pkey_inspect(VALUE self)
OBJ_nid2sn(nid));
}
+/*
+ * call-seq:
+ * pkey.to_text -> string
+ *
+ * Dumps key parameters, public key, and private key components contained in
+ * the key into a human-readable text.
+ *
+ * This is intended for debugging purpose.
+ *
+ * See also the man page EVP_PKEY_print_private(3).
+ */
+static VALUE
+ossl_pkey_to_text(VALUE self)
+{
+ EVP_PKEY *pkey;
+ BIO *bio;
+
+ GetPKey(self, pkey);
+ if (!(bio = BIO_new(BIO_s_mem())))
+ ossl_raise(ePKeyError, "BIO_new");
+
+ if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)
+ goto out;
+ OSSL_BIO_reset(bio);
+ if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)
+ goto out;
+ OSSL_BIO_reset(bio);
+ if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)
+ goto out;
+
+ BIO_free(bio);
+ ossl_raise(ePKeyError, "EVP_PKEY_print_params");
+
+ out:
+ return ossl_membio2str(bio);
+}
+
VALUE
ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
{
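Review bot: The rdoc for `to_text` says the method is for debugging but not that the returned string carries the private components in clear whenever the key has them; `EVP_PKEY_print_private()` is the first call tried. A sentence in the comment block would make that explicit: `* The result includes private key components when present, so it must be handled like the key itself.` The final `ossl_raise(ePKeyError, "EVP_PKEY_print_params")` also names only the last of the three attempts, which could be noted in a short comment above it.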
@@ -593,7 +799,7 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
}
}
else {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 5, 0)
if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
ossl_pem_passwd_cb,
(void *)pass)) {
@@ -676,6 +882,18 @@ ossl_pkey_private_to_der(int argc, VALUE *argv, VALUE self)
*
* Serializes the private key to PEM-encoded PKCS #8 format. See #private_to_der
* for more details.
+ *
+ * An unencrypted PEM-encoded key will look like:
+ *
+ * -----BEGIN PRIVATE KEY-----
+ * [...]
+ * -----END PRIVATE KEY-----
+ *
+ * An encrypted PEM-encoded key will look like:
+ *
+ * -----BEGIN ENCRYPTED PRIVATE KEY-----
+ * [...]
+ * -----END ENCRYPTED PRIVATE KEY-----
*/
static VALUE
ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self)
@@ -683,6 +901,35 @@ ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self)
return do_pkcs8_export(argc, argv, self, 0);
}
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+/*
+ * call-seq:
+ * pkey.raw_private_key => string
+ *
+ * See the OpenSSL documentation for EVP_PKEY_get_raw_private_key()
+ */
+
+static VALUE
+ossl_pkey_raw_private_key(VALUE self)
+{
+ EVP_PKEY *pkey;
+ VALUE str;
+ size_t len;
+
+ GetPKey(self, pkey);
+ if (EVP_PKEY_get_raw_private_key(pkey, NULL, &len) != 1)
+ ossl_raise(ePKeyError, "EVP_PKEY_get_raw_private_key");
+ str = rb_str_new(NULL, len);
+
+ if (EVP_PKEY_get_raw_private_key(pkey, (unsigned char *)RSTRING_PTR(str), &len) != 1)
+ ossl_raise(ePKeyError, "EVP_PKEY_get_raw_private_key");
+
+ rb_str_set_len(str, len);
+
+ return str;
+}
+#endif
+
VALUE
ossl_pkey_export_spki(VALUE self, int to_der)
{
@@ -725,6 +972,12 @@ ossl_pkey_public_to_der(VALUE self)
* pkey.public_to_pem -> string
*
* Serializes the public key to PEM-encoded X.509 SubjectPublicKeyInfo format.
+ *
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN PUBLIC KEY-----
+ * [...]
+ * -----END PUBLIC KEY-----
*/
static VALUE
ossl_pkey_public_to_pem(VALUE self)
@@ -732,6 +985,35 @@ ossl_pkey_public_to_pem(VALUE self)
return ossl_pkey_export_spki(self, 0);
}
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+/*
+ * call-seq:
+ * pkey.raw_public_key => string
+ *
+ * See the OpenSSL documentation for EVP_PKEY_get_raw_public_key()
+ */
+
+static VALUE
+ossl_pkey_raw_public_key(VALUE self)
+{
+ EVP_PKEY *pkey;
+ VALUE str;
+ size_t len;
+
+ GetPKey(self, pkey);
+ if (EVP_PKEY_get_raw_public_key(pkey, NULL, &len) != 1)
+ ossl_raise(ePKeyError, "EVP_PKEY_get_raw_public_key");
+ str = rb_str_new(NULL, len);
+
+ if (EVP_PKEY_get_raw_public_key(pkey, (unsigned char *)RSTRING_PTR(str), &len) != 1)
+ ossl_raise(ePKeyError, "EVP_PKEY_get_raw_public_key");
+
+ rb_str_set_len(str, len);
+
+ return str;
+}
+#endif
+
/*
* call-seq:
* pkey.compare?(another_pkey) -> true | false
@@ -760,44 +1042,62 @@ ossl_pkey_compare(VALUE self, VALUE other)
if (EVP_PKEY_id(selfPKey) != EVP_PKEY_id(otherPKey))
ossl_raise(rb_eTypeError, "cannot match different PKey types");
- ret = EVP_PKEY_cmp(selfPKey, otherPKey);
+ ret = EVP_PKEY_eq(selfPKey, otherPKey);
if (ret == 0)
return Qfalse;
else if (ret == 1)
return Qtrue;
else
- ossl_raise(ePKeyError, "EVP_PKEY_cmp");
+ ossl_raise(ePKeyError, "EVP_PKEY_eq");
}
/*
- * call-seq:
- * pkey.sign(digest, data) -> String
+ * call-seq:
+ * pkey.sign(digest, data [, options]) -> string
*
- * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must
- * be provided. The return value is again a String containing the signature.
- * A PKeyError is raised should errors occur.
- * Any previous state of the Digest instance is irrelevant to the signature
- * outcome, the digest instance is reset to its initial state during the
- * operation.
+ * Hashes and signs the +data+ using a message digest algorithm +digest+ and
+ * a private key +pkey+.
*
- * == Example
- * data = 'Sign me!'
- * digest = OpenSSL::Digest.new('SHA256')
- * pkey = OpenSSL::PKey::RSA.new(2048)
- * signature = pkey.sign(digest, data)
+ * See #verify for the verification operation.
+ *
+ * See also the man page EVP_DigestSign(3).
+ *
+ * +digest+::
+ * A String that represents the message digest algorithm name, or +nil+
+ * if the PKey type requires no digest algorithm.
+ * For backwards compatibility, this can be an instance of OpenSSL::Digest.
+ * Its state will not affect the signature.
+ * +data+::
+ * A String. The data to be hashed and signed.
+ * +options+::
+ * A Hash that contains algorithm specific control operations to \OpenSSL.
+ * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
+ * +options+ parameter was added in version 3.0.
+ *
+ * Example:
+ * data = "Sign me!"
+ * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
+ * signopts = { rsa_padding_mode: "pss" }
+ * signature = pkey.sign("SHA256", data, signopts)
+ *
+ * # Creates a copy of the RSA key pkey, but without the private components
+ * pub_key = pkey.public_key
+ * puts pub_key.verify("SHA256", signature, data, signopts) # => true
*/
static VALUE
-ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
+ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
{
EVP_PKEY *pkey;
+ VALUE digest, data, options, sig;
const EVP_MD *md = NULL;
EVP_MD_CTX *ctx;
+ EVP_PKEY_CTX *pctx;
size_t siglen;
int state;
- VALUE sig;
pkey = GetPrivPKeyPtr(self);
+ rb_scan_args(argc, argv, "21", &digest, &data, &options);
if (!NIL_P(digest))
md = ossl_evp_get_digestbyname(digest);
StringValue(data);
@@ -805,18 +1105,27 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
ctx = EVP_MD_CTX_new();
if (!ctx)
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
- if (EVP_DigestSignInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
+ if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSignInit");
}
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(pctx, options, &state);
+ if (state) {
+ EVP_MD_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data)) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSign");
}
- if (siglen > LONG_MAX)
+ if (siglen > LONG_MAX) {
+ EVP_MD_CTX_free(ctx);
rb_raise(ePKeyError, "signature would be too large");
+ }
sig = ossl_str_new(NULL, (long)siglen, &state);
if (state) {
EVP_MD_CTX_free(ctx);
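Review bot: The `pctx` filled in by `EVP_DigestSignInit(ctx, &pctx, ...)` is never freed on its own, and nothing in the hunk says why. EVP_DigestSignInit(3) documents a context created this way as owned by the `EVP_MD_CTX` and released with it, so the code is right, but every error path here frees only `ctx`, which invites a later "fix" that adds `EVP_PKEY_CTX_free(pctx)` and causes a double free. I would add above the options block `/* pctx is owned by ctx and freed by EVP_MD_CTX_free(); never free it directly */`. The same comment applies to the `EVP_DigestVerifyInit(ctx, &pctx, ...)` change in ossl_pkey_verify. The body of ossl_pkey_sign starts and ends outside this hunk.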
@@ -837,8 +1146,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSignFinal");
}
- if (siglen > LONG_MAX)
+ if (siglen > LONG_MAX) {
+ EVP_MD_CTX_free(ctx);
rb_raise(ePKeyError, "signature would be too large");
+ }
sig = ossl_str_new(NULL, (long)siglen, &state);
if (state) {
EVP_MD_CTX_free(ctx);
@@ -856,35 +1167,40 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
}
/*
- * call-seq:
- * pkey.verify(digest, signature, data) -> String
+ * call-seq:
+ * pkey.verify(digest, signature, data [, options]) -> true or false
*
- * To verify the String _signature_, _digest_, an instance of
- * OpenSSL::Digest, must be provided to re-compute the message digest of the
- * original _data_, also a String. The return value is +true+ if the
- * signature is valid, +false+ otherwise. A PKeyError is raised should errors
- * occur.
- * Any previous state of the Digest instance is irrelevant to the validation
- * outcome, the digest instance is reset to its initial state during the
- * operation.
+ * Verifies the +signature+ for the +data+ using a message digest algorithm
+ * +digest+ and a public key +pkey+.
*
- * == Example
- * data = 'Sign me!'
- * digest = OpenSSL::Digest.new('SHA256')
- * pkey = OpenSSL::PKey::RSA.new(2048)
- * signature = pkey.sign(digest, data)
- * pub_key = pkey.public_key
- * puts pub_key.verify(digest, signature, data) # => true
+ * Returns +true+ if the signature is successfully verified, +false+ otherwise.
+ * The caller must check the return value.
+ *
+ * See #sign for the signing operation and an example.
+ *
+ * See also the man page EVP_DigestVerify(3).
+ *
+ * +digest+::
+ * See #sign.
+ * +signature+::
+ * A String containing the signature to be verified.
+ * +data+::
+ * See #sign.
+ * +options+::
+ * See #sign. +options+ parameter was added in version 3.0.
*/
static VALUE
-ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
+ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
{
EVP_PKEY *pkey;
+ VALUE digest, sig, data, options;
const EVP_MD *md = NULL;
EVP_MD_CTX *ctx;
- int ret;
+ EVP_PKEY_CTX *pctx;
+ int state, ret;
GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);
ossl_pkey_check_public_key(pkey);
if (!NIL_P(digest))
md = ossl_evp_get_digestbyname(digest);
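Review bot: The rewritten comment for #verify drops the old sentence that a PKeyError is raised on errors, so the only documented outcomes are now +true+ and +false+. The rest of the body is outside this hunk, but if it still raises when the OpenSSL call reports a failure, as ossl_pkey_verify_raw does with `if (ret < 0) ossl_raise(ePKeyError, ...)`, callers need to know that a failed operation surfaces as an exception rather than as +false+. I would keep one line after the return-value paragraph: `Raises OpenSSL::PKey::PKeyError if the verification operation itself fails.`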
@@ -894,11 +1210,18 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
ctx = EVP_MD_CTX_new();
if (!ctx)
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
- if (EVP_DigestVerifyInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
+ if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestVerifyInit");
}
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(pctx, options, &state);
+ if (state) {
+ EVP_MD_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data));
@@ -926,6 +1249,235 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
/*
* call-seq:
+ * pkey.sign_raw(digest, data [, options]) -> string
+ *
+ * Signs +data+ using a private key +pkey+. Unlike #sign, +data+ will not be
+ * hashed by +digest+ automatically.
+ *
+ * See #verify_raw for the verification operation.
+ *
+ * Added in version 3.0. See also the man page EVP_PKEY_sign(3).
+ *
+ * +digest+::
+ * A String that represents the message digest algorithm name, or +nil+
+ * if the PKey type requires no digest algorithm.
+ * Although this method will not hash +data+ with it, this parameter may still
+ * be required depending on the signature algorithm.
+ * +data+::
+ * A String. The data to be signed.
+ * +options+::
+ * A Hash that contains algorithm specific control operations to \OpenSSL.
+ * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
+ *
+ * Example:
+ * data = "Sign me!"
+ * hash = OpenSSL::Digest.digest("SHA256", data)
+ * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
+ * signopts = { rsa_padding_mode: "pss" }
+ * signature = pkey.sign_raw("SHA256", hash, signopts)
+ *
+ * # Creates a copy of the RSA key pkey, but without the private components
+ * pub_key = pkey.public_key
+ * puts pub_key.verify_raw("SHA256", signature, hash, signopts) # => true
+ */
+static VALUE
+ossl_pkey_sign_raw(int argc, VALUE *argv, VALUE self)
+{
+ EVP_PKEY *pkey;
+ VALUE digest, data, options, sig;
+ const EVP_MD *md = NULL;
+ EVP_PKEY_CTX *ctx;
+ size_t outlen;
+ int state;
+
+ GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "21", &digest, &data, &options);
+ if (!NIL_P(digest))
+ md = ossl_evp_get_digestbyname(digest);
+ StringValue(data);
+
+ ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
+ if (EVP_PKEY_sign_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_sign_init");
+ }
+ if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md");
+ }
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(ctx, options, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+ if (EVP_PKEY_sign(ctx, NULL, &outlen, (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_sign");
+ }
+ if (outlen > LONG_MAX) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_raise(ePKeyError, "signature would be too large");
+ }
+ sig = ossl_str_new(NULL, (long)outlen, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ if (EVP_PKEY_sign(ctx, (unsigned char *)RSTRING_PTR(sig), &outlen,
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_sign");
+ }
+ EVP_PKEY_CTX_free(ctx);
+ rb_str_set_len(sig, outlen);
+ return sig;
+}
+
+/*
+ * call-seq:
+ * pkey.verify_raw(digest, signature, data [, options]) -> true or false
+ *
+ * Verifies the +signature+ for the +data+ using a public key +pkey+. Unlike
+ * #verify, this method will not hash +data+ with +digest+ automatically.
+ *
+ * Returns +true+ if the signature is successfully verified, +false+ otherwise.
+ * The caller must check the return value.
+ *
+ * See #sign_raw for the signing operation and an example code.
+ *
+ * Added in version 3.0. See also the man page EVP_PKEY_verify(3).
+ *
+ * +signature+::
+ * A String containing the signature to be verified.
+ */
+static VALUE
+ossl_pkey_verify_raw(int argc, VALUE *argv, VALUE self)
+{
+ EVP_PKEY *pkey;
+ VALUE digest, sig, data, options;
+ const EVP_MD *md = NULL;
+ EVP_PKEY_CTX *ctx;
+ int state, ret;
+
+ GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);
+ ossl_pkey_check_public_key(pkey);
+ if (!NIL_P(digest))
+ md = ossl_evp_get_digestbyname(digest);
+ StringValue(sig);
+ StringValue(data);
+
+ ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
+ if (EVP_PKEY_verify_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_verify_init");
+ }
+ if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md");
+ }
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(ctx, options, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+ ret = EVP_PKEY_verify(ctx, (unsigned char *)RSTRING_PTR(sig),
+ RSTRING_LEN(sig),
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data));
+ EVP_PKEY_CTX_free(ctx);
+ if (ret < 0)
+ ossl_raise(ePKeyError, "EVP_PKEY_verify");
+
+ if (ret)
+ return Qtrue;
+ else {
+ ossl_clear_error();
+ return Qfalse;
+ }
+}
+
+/*
+ * call-seq:
+ * pkey.verify_recover(digest, signature [, options]) -> string
+ *
+ * Recovers the signed data from +signature+ using a public key +pkey+. Not all
+ * signature algorithms support this operation.
+ *
+ * Added in version 3.0. See also the man page EVP_PKEY_verify_recover(3).
+ *
+ * +signature+::
+ * A String containing the signature to be verified.
+ */
+static VALUE
+ossl_pkey_verify_recover(int argc, VALUE *argv, VALUE self)
+{
+ EVP_PKEY *pkey;
+ VALUE digest, sig, options, out;
+ const EVP_MD *md = NULL;
+ EVP_PKEY_CTX *ctx;
+ int state;
+ size_t outlen;
+
+ GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "21", &digest, &sig, &options);
+ ossl_pkey_check_public_key(pkey);
+ if (!NIL_P(digest))
+ md = ossl_evp_get_digestbyname(digest);
+ StringValue(sig);
+
+ ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
+ if (EVP_PKEY_verify_recover_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_verify_recover_init");
+ }
+ if (md && EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_set_signature_md");
+ }
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(ctx, options, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+ if (EVP_PKEY_verify_recover(ctx, NULL, &outlen,
+ (unsigned char *)RSTRING_PTR(sig),
+ RSTRING_LEN(sig)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_verify_recover");
+ }
+ out = ossl_str_new(NULL, (long)outlen, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ if (EVP_PKEY_verify_recover(ctx, (unsigned char *)RSTRING_PTR(out), &outlen,
+ (unsigned char *)RSTRING_PTR(sig),
+ RSTRING_LEN(sig)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_verify_recover");
+ }
+ EVP_PKEY_CTX_free(ctx);
+ rb_str_set_len(out, outlen);
+ return out;
+}
+
+/*
+ * call-seq:
* pkey.derive(peer_pkey) -> string
*
* Derives a shared secret from _pkey_ and _peer_pkey_. _pkey_ must contain
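Review bot: ossl_pkey_verify_recover casts `outlen` to `long` for `ossl_str_new` without the `outlen > LONG_MAX` guard that ossl_pkey_sign_raw in this hunk (and encrypt/decrypt in the next one) apply before the same cast. Adding the guard between the sizing call and the allocation keeps the three size-then-fill paths consistent and frees `ctx` before raising. Separately, ossl_pkey_sign_raw fetches the key with `GetPKey` where ossl_pkey_sign uses `GetPrivPKeyPtr`, so a public-only key is presumably rejected by OpenSSL rather than by the binding's own check; worth confirming that is intended. The comment for verify_raw documents only +signature+, so `+digest+::`, `+data+::` and `+options+::` entries pointing to #sign_raw would complete it.
```c
/* … unchanged: first EVP_PKEY_verify_recover() call that sizes outlen … */
if (outlen > LONG_MAX) {
    EVP_PKEY_CTX_free(ctx);
    rb_raise(ePKeyError, "recovered data would be too large");
}
out = ossl_str_new(NULL, (long)outlen, &state);
```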
@@ -976,6 +1528,145 @@ ossl_pkey_derive(int argc, VALUE *argv, VALUE self)
}
/*
+ * call-seq:
+ * pkey.encrypt(data [, options]) -> string
+ *
+ * Performs a public key encryption operation using +pkey+.
+ *
+ * See #decrypt for the reverse operation.
+ *
+ * Added in version 3.0. See also the man page EVP_PKEY_encrypt(3).
+ *
+ * +data+::
+ * A String to be encrypted.
+ * +options+::
+ * A Hash that contains algorithm specific control operations to \OpenSSL.
+ * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
+ *
+ * Example:
+ * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
+ * data = "secret data"
+ * encrypted = pkey.encrypt(data, rsa_padding_mode: "oaep")
+ * decrypted = pkey.decrypt(data, rsa_padding_mode: "oaep")
+ * p decrypted #=> "secret data"
+ */
+static VALUE
+ossl_pkey_encrypt(int argc, VALUE *argv, VALUE self)
+{
+ EVP_PKEY *pkey;
+ EVP_PKEY_CTX *ctx;
+ VALUE data, options, str;
+ size_t outlen;
+ int state;
+
+ GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "11", &data, &options);
+ StringValue(data);
+
+ ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
+ if (EVP_PKEY_encrypt_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_encrypt_init");
+ }
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(ctx, options, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+ if (EVP_PKEY_encrypt(ctx, NULL, &outlen,
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_encrypt");
+ }
+ if (outlen > LONG_MAX) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_raise(ePKeyError, "encrypted data would be too large");
+ }
+ str = ossl_str_new(NULL, (long)outlen, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ if (EVP_PKEY_encrypt(ctx, (unsigned char *)RSTRING_PTR(str), &outlen,
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_encrypt");
+ }
+ EVP_PKEY_CTX_free(ctx);
+ rb_str_set_len(str, outlen);
+ return str;
+}
+
+/*
+ * call-seq:
+ * pkey.decrypt(data [, options]) -> string
+ *
+ * Performs a public key decryption operation using +pkey+.
+ *
+ * See #encrypt for a description of the parameters and an example.
+ *
+ * Added in version 3.0. See also the man page EVP_PKEY_decrypt(3).
+ */
+static VALUE
+ossl_pkey_decrypt(int argc, VALUE *argv, VALUE self)
+{
+ EVP_PKEY *pkey;
+ EVP_PKEY_CTX *ctx;
+ VALUE data, options, str;
+ size_t outlen;
+ int state;
+
+ GetPKey(self, pkey);
+ rb_scan_args(argc, argv, "11", &data, &options);
+ StringValue(data);
+
+ ctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!ctx)
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
+ if (EVP_PKEY_decrypt_init(ctx) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_decrypt_init");
+ }
+ if (!NIL_P(options)) {
+ pkey_ctx_apply_options(ctx, options, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ }
+ if (EVP_PKEY_decrypt(ctx, NULL, &outlen,
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_decrypt");
+ }
+ if (outlen > LONG_MAX) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_raise(ePKeyError, "decrypted data would be too large");
+ }
+ str = ossl_str_new(NULL, (long)outlen, &state);
+ if (state) {
+ EVP_PKEY_CTX_free(ctx);
+ rb_jump_tag(state);
+ }
+ if (EVP_PKEY_decrypt(ctx, (unsigned char *)RSTRING_PTR(str), &outlen,
+ (unsigned char *)RSTRING_PTR(data),
+ RSTRING_LEN(data)) <= 0) {
+ EVP_PKEY_CTX_free(ctx);
+ ossl_raise(ePKeyError, "EVP_PKEY_decrypt");
+ }
+ EVP_PKEY_CTX_free(ctx);
+ rb_str_set_len(str, outlen);
+ return str;
+}
+
+/*
* INIT
*/
void
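Review bot: The example in the #encrypt comment decrypts the plaintext instead of the ciphertext: it calls `pkey.decrypt(data, rsa_padding_mode: "oaep")` where `data` is still `"secret data"`. As written it would not produce the output shown, and readers copy this example for both methods because #decrypt points back to it. The line should read `decrypted = pkey.decrypt(encrypted, rsa_padding_mode: "oaep")`.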
@@ -1060,20 +1751,39 @@ Init_ossl_pkey(void)
rb_define_module_function(mPKey, "read", ossl_pkey_new_from_data, -1);
rb_define_module_function(mPKey, "generate_parameters", ossl_pkey_s_generate_parameters, -1);
rb_define_module_function(mPKey, "generate_key", ossl_pkey_s_generate_key, -1);
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+ rb_define_module_function(mPKey, "new_raw_private_key", ossl_pkey_new_raw_private_key, 2);
+ rb_define_module_function(mPKey, "new_raw_public_key", ossl_pkey_new_raw_public_key, 2);
+#endif
rb_define_alloc_func(cPKey, ossl_pkey_alloc);
rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);
+#ifdef HAVE_EVP_PKEY_DUP
+ rb_define_method(cPKey, "initialize_copy", ossl_pkey_initialize_copy, 1);
+#else
+ rb_undef_method(cPKey, "initialize_copy");
+#endif
rb_define_method(cPKey, "oid", ossl_pkey_oid, 0);
rb_define_method(cPKey, "inspect", ossl_pkey_inspect, 0);
+ rb_define_method(cPKey, "to_text", ossl_pkey_to_text, 0);
rb_define_method(cPKey, "private_to_der", ossl_pkey_private_to_der, -1);
rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);
+#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
+ rb_define_method(cPKey, "raw_private_key", ossl_pkey_raw_private_key, 0);
+ rb_define_method(cPKey, "raw_public_key", ossl_pkey_raw_public_key, 0);
+#endif
rb_define_method(cPKey, "compare?", ossl_pkey_compare, 1);
- rb_define_method(cPKey, "sign", ossl_pkey_sign, 2);
- rb_define_method(cPKey, "verify", ossl_pkey_verify, 3);
+ rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);
+ rb_define_method(cPKey, "verify", ossl_pkey_verify, -1);
+ rb_define_method(cPKey, "sign_raw", ossl_pkey_sign_raw, -1);
+ rb_define_method(cPKey, "verify_raw", ossl_pkey_verify_raw, -1);
+ rb_define_method(cPKey, "verify_recover", ossl_pkey_verify_recover, -1);
rb_define_method(cPKey, "derive", ossl_pkey_derive, -1);
+ rb_define_method(cPKey, "encrypt", ossl_pkey_encrypt, -1);
+ rb_define_method(cPKey, "decrypt", ossl_pkey_decrypt, -1);
id_private_q = rb_intern("private?");
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
index 7dbaed47bc..10669b824c 100644
--- a/ext/openssl/ossl_pkey.h
+++ b/ext/openssl/ossl_pkey.h
@@ -7,27 +7,18 @@
* This program is licensed under the same licence as Ruby.
* (See the file 'LICENCE'.)
*/
-#if !defined(_OSSL_PKEY_H_)
-#define _OSSL_PKEY_H_
+#if !defined(OSSL_PKEY_H)
+#define OSSL_PKEY_H
extern VALUE mPKey;
extern VALUE cPKey;
extern VALUE ePKeyError;
extern const rb_data_type_t ossl_evp_pkey_type;
-#define OSSL_PKEY_SET_PRIVATE(obj) rb_iv_set((obj), "private", Qtrue)
-#define OSSL_PKEY_SET_PUBLIC(obj) rb_iv_set((obj), "private", Qfalse)
-#define OSSL_PKEY_IS_PRIVATE(obj) (rb_iv_get((obj), "private") == Qtrue)
+/* For ENGINE */
+#define OSSL_PKEY_SET_PRIVATE(obj) rb_ivar_set((obj), rb_intern("private"), Qtrue)
+#define OSSL_PKEY_IS_PRIVATE(obj) (rb_attr_get((obj), rb_intern("private")) == Qtrue)
-#define NewPKey(klass) \
- TypedData_Wrap_Struct((klass), &ossl_evp_pkey_type, 0)
-#define SetPKey(obj, pkey) do { \
- if (!(pkey)) { \
- rb_raise(rb_eRuntimeError, "PKEY wasn't initialized!"); \
- } \
- RTYPEDDATA_DATA(obj) = (pkey); \
- OSSL_PKEY_SET_PUBLIC(obj); \
-} while (0)
#define GetPKey(obj, pkey) do {\
TypedData_Get_Struct((obj), EVP_PKEY, &ossl_evp_pkey_type, (pkey)); \
if (!(pkey)) { \
@@ -35,14 +26,7 @@ extern const rb_data_type_t ossl_evp_pkey_type;
} \
} while (0)
-struct ossl_generate_cb_arg {
- int yield;
- int interrupted;
- int state;
-};
-int ossl_generate_cb_2(int p, int n, BN_GENCB *cb);
-void ossl_generate_cb_stop(void *ptr);
-
+/* Takes ownership of the EVP_PKEY */
VALUE ossl_pkey_new(EVP_PKEY *);
void ossl_pkey_check_public_key(const EVP_PKEY *);
EVP_PKEY *ossl_pkey_read_generic(BIO *, VALUE);
@@ -108,7 +92,7 @@ void Init_ossl_ec(void);
*/ \
static VALUE ossl_##_keytype##_get_##_name(VALUE self) \
{ \
- _type *obj; \
+ const _type *obj; \
const BIGNUM *bn; \
\
Get##_type(self, obj); \
@@ -132,6 +116,7 @@ static VALUE ossl_##_keytype##_get_##_name(VALUE self) \
OSSL_PKEY_BN_DEF_GETTER0(_keytype, _type, a2, \
_type##_get0_##_group(obj, NULL, &bn))
+#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
#define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3) \
/* \
* call-seq: \
@@ -189,36 +174,22 @@ static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
} \
return self; \
}
+#else
+#define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3) \
+static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2, VALUE v3) \
+{ \
+ rb_raise(ePKeyError, \
+ #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
+}
-#define OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, _name) \
-/* \
- * call-seq: \
- * _keytype##.##_name = bn -> bn \
- */ \
-static VALUE ossl_##_keytype##_set_##_name(VALUE self, VALUE bignum) \
+#define OSSL_PKEY_BN_DEF_SETTER2(_keytype, _type, _group, a1, a2) \
+static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
{ \
- _type *obj; \
- BIGNUM *bn; \
- \
- rb_warning("#"#_name"= is deprecated; use #set_"#_group); \
- Get##_type(self, obj); \
- if (NIL_P(bignum)) { \
- BN_clear_free(obj->_name); \
- obj->_name = NULL; \
- return Qnil; \
- } \
- \
- bn = GetBNPtr(bignum); \
- if (obj->_name == NULL) \
- obj->_name = BN_new(); \
- if (obj->_name == NULL) \
- ossl_raise(eBNError, NULL); \
- if (BN_copy(obj->_name, bn) == NULL) \
- ossl_raise(eBNError, NULL); \
- return bignum; \
+ rb_raise(ePKeyError, \
+ #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
}
+#endif
-#if defined(HAVE_OPAQUE_OPENSSL) /* OpenSSL 1.1.0 */
#define OSSL_PKEY_BN_DEF3(_keytype, _type, _group, a1, a2, a3) \
OSSL_PKEY_BN_DEF_GETTER3(_keytype, _type, _group, a1, a2, a3) \
OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3)
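Review bot: The error text in the two OpenSSL 3.0 stubs, `#_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"`, expands to a name with a trailing `=` (for example `dh#set_pqg=`). The removed deprecation warning and the DH.new comment both refer to these methods as `#set_<group>`, so the message names a method that does not appear to exist. I would drop the `=` in both macros: `#_keytype"#set_"#_group" is incompatible with OpenSSL 3.0"`. A one-line comment above the `#else` saying that the setters are kept only to raise, because OpenSSL 3.0 keys are immutable once wrapped, would also explain why the parameters are unused.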
@@ -230,24 +201,4 @@ static VALUE ossl_##_keytype##_set_##_name(VALUE self, VALUE bignum) \
#define DEF_OSSL_PKEY_BN(class, keytype, name) \
rb_define_method((class), #name, ossl_##keytype##_get_##name, 0)
-#else
-#define OSSL_PKEY_BN_DEF3(_keytype, _type, _group, a1, a2, a3) \
- OSSL_PKEY_BN_DEF_GETTER3(_keytype, _type, _group, a1, a2, a3) \
- OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3) \
- OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, a1) \
- OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, a2) \
- OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, a3)
-
-#define OSSL_PKEY_BN_DEF2(_keytype, _type, _group, a1, a2) \
- OSSL_PKEY_BN_DEF_GETTER2(_keytype, _type, _group, a1, a2) \
- OSSL_PKEY_BN_DEF_SETTER2(_keytype, _type, _group, a1, a2) \
- OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, a1) \
- OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, a2)
-
-#define DEF_OSSL_PKEY_BN(class, keytype, name) do { \
- rb_define_method((class), #name, ossl_##keytype##_get_##name, 0);\
- rb_define_method((class), #name "=", ossl_##keytype##_set_##name, 1);\
-} while (0)
-#endif /* HAVE_OPAQUE_OPENSSL */
-
-#endif /* _OSSL_PKEY_H_ */
+#endif /* OSSL_PKEY_H */
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
index 5bc1c49ca1..a231814a99 100644
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@@ -32,168 +32,102 @@ VALUE eDHError;
/*
* Private
*/
-struct dh_blocking_gen_arg {
- DH *dh;
- int size;
- int gen;
- BN_GENCB *cb;
- int result;
-};
-
-static void *
-dh_blocking_gen(void *arg)
-{
- struct dh_blocking_gen_arg *gen = (struct dh_blocking_gen_arg *)arg;
- gen->result = DH_generate_parameters_ex(gen->dh, gen->size, gen->gen, gen->cb);
- return 0;
-}
-
-static DH *
-dh_generate(int size, int gen)
-{
- struct ossl_generate_cb_arg cb_arg = { 0 };
- struct dh_blocking_gen_arg gen_arg;
- DH *dh = DH_new();
- BN_GENCB *cb = BN_GENCB_new();
-
- if (!dh || !cb) {
- DH_free(dh);
- BN_GENCB_free(cb);
- ossl_raise(eDHError, "malloc failure");
- }
-
- if (rb_block_given_p())
- cb_arg.yield = 1;
- BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
- gen_arg.dh = dh;
- gen_arg.size = size;
- gen_arg.gen = gen;
- gen_arg.cb = cb;
- if (cb_arg.yield == 1) {
- /* we cannot release GVL when callback proc is supplied */
- dh_blocking_gen(&gen_arg);
- } else {
- /* there's a chance to unblock */
- rb_thread_call_without_gvl(dh_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg);
- }
-
- BN_GENCB_free(cb);
- if (!gen_arg.result) {
- DH_free(dh);
- if (cb_arg.state) {
- /* Clear OpenSSL error queue before re-raising. */
- ossl_clear_error();
- rb_jump_tag(cb_arg.state);
- }
- ossl_raise(eDHError, "DH_generate_parameters_ex");
- }
-
- if (!DH_generate_key(dh)) {
- DH_free(dh);
- ossl_raise(eDHError, "DH_generate_key");
- }
-
- return dh;
-}
-
-/*
- * call-seq:
- * DH.generate(size [, generator]) -> dh
- *
- * Creates a new DH instance from scratch by generating the private and public
- * components alike.
- *
- * === Parameters
- * * _size_ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure.
- * * _generator_ is a small number > 1, typically 2 or 5.
- *
- */
-static VALUE
-ossl_dh_s_generate(int argc, VALUE *argv, VALUE klass)
-{
- EVP_PKEY *pkey;
- DH *dh ;
- int g = 2;
- VALUE size, gen, obj;
-
- if (rb_scan_args(argc, argv, "11", &size, &gen) == 2) {
- g = NUM2INT(gen);
- }
- obj = rb_obj_alloc(klass);
- GetPKey(obj, pkey);
-
- dh = dh_generate(NUM2INT(size), g);
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
- DH_free(dh);
- ossl_raise(eDHError, "EVP_PKEY_assign_DH");
- }
- return obj;
-}
-
/*
* call-seq:
* DH.new -> dh
* DH.new(string) -> dh
* DH.new(size [, generator]) -> dh
*
- * Either generates a DH instance from scratch or by reading already existing
- * DH parameters from _string_. Note that when reading a DH instance from
- * data that was encoded from a DH instance by using DH#to_pem or DH#to_der
- * the result will *not* contain a public/private key pair yet. This needs to
- * be generated using DH#generate_key! first.
+ * Creates a new instance of OpenSSL::PKey::DH.
*
- * === Parameters
- * * _size_ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure.
- * * _generator_ is a small number > 1, typically 2 or 5.
- * * _string_ contains the DER or PEM encoded key.
+ * If called without arguments, an empty instance without any parameter or key
+ * components is created. Use #set_pqg to manually set the parameters afterwards
+ * (and optionally #set_key to set private and public key components).
*
- * === Examples
- * DH.new # -> dh
- * DH.new(1024) # -> dh
- * DH.new(1024, 5) # -> dh
- * #Reading DH parameters
- * dh = DH.new(File.read('parameters.pem')) # -> dh, but no public/private key yet
- * dh.generate_key! # -> dh with public and private key
+ * If a String is given, tries to parse it as a DER- or PEM- encoded parameters.
+ * See also OpenSSL::PKey.read which can parse keys of any kinds.
+ *
+ * The DH.new(size [, generator]) form is an alias of DH.generate.
+ *
+ * +string+::
+ * A String that contains the DER or PEM encoded key.
+ * +size+::
+ * See DH.generate.
+ * +generator+::
+ * See DH.generate.
+ *
+ * Examples:
+ * # Creating an instance from scratch
+ * # Note that this is deprecated and will not work on OpenSSL 3.0 or later.
+ * dh = OpenSSL::PKey::DH.new
+ * dh.set_pqg(bn_p, nil, bn_g)
+ *
+ * # Generating a parameters and a key pair
+ * dh = OpenSSL::PKey::DH.new(2048) # An alias of OpenSSL::PKey::DH.generate(2048)
+ *
+ * # Reading DH parameters
+ * dh_params = OpenSSL::PKey::DH.new(File.read('parameters.pem')) # loads parameters only
+ * dh = OpenSSL::PKey.generate_key(dh_params) # generates a key pair
*/
static VALUE
ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
{
EVP_PKEY *pkey;
+ int type;
DH *dh;
- int g = 2;
- BIO *in;
- VALUE arg, gen;
-
- GetPKey(self, pkey);
- if(rb_scan_args(argc, argv, "02", &arg, &gen) == 0) {
- dh = DH_new();
- }
- else if (RB_INTEGER_TYPE_P(arg)) {
- if (!NIL_P(gen)) {
- g = NUM2INT(gen);
- }
- dh = dh_generate(NUM2INT(arg), g);
+ BIO *in = NULL;
+ VALUE arg;
+
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
+
+ /* The DH.new(size, generator) form is handled by lib/openssl/pkey.rb */
+ if (rb_scan_args(argc, argv, "01", &arg) == 0) {
+ dh = DH_new();
+ if (!dh)
+ ossl_raise(eDHError, "DH_new");
+ goto legacy;
}
- else {
- arg = ossl_to_der_if_possible(arg);
- in = ossl_obj2bio(&arg);
- dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
- if (!dh){
- OSSL_BIO_reset(in);
- dh = d2i_DHparams_bio(in, NULL);
- }
- BIO_free(in);
- if (!dh) {
- ossl_raise(eDHError, NULL);
- }
+
+ arg = ossl_to_der_if_possible(arg);
+ in = ossl_obj2bio(&arg);
+
+ /*
+ * On OpenSSL <= 1.1.1 and current versions of LibreSSL, the generic
+ * routine does not support DER-encoded parameters
+ */
+ dh = d2i_DHparams_bio(in, NULL);
+ if (dh)
+ goto legacy;
+ OSSL_BIO_reset(in);
+
+ pkey = ossl_pkey_read_generic(in, Qnil);
+ BIO_free(in);
+ if (!pkey)
+ ossl_raise(eDHError, "could not parse pkey");
+
+ type = EVP_PKEY_base_id(pkey);
+ if (type != EVP_PKEY_DH) {
+ EVP_PKEY_free(pkey);
+ rb_raise(eDHError, "incorrect pkey type: %s", OBJ_nid2sn(type));
}
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
- DH_free(dh);
- ossl_raise(eDHError, NULL);
+ RTYPEDDATA_DATA(self) = pkey;
+ return self;
+
+ legacy:
+ BIO_free(in);
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
+ EVP_PKEY_free(pkey);
+ DH_free(dh);
+ ossl_raise(eDHError, "EVP_PKEY_assign_DH");
}
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#ifndef HAVE_EVP_PKEY_DUP
static VALUE
ossl_dh_initialize_copy(VALUE self, VALUE other)
{
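Review bot: The new DH.new comment does not say that parameters read from a String are accepted as given. Nothing visible in ossl_dh_initialize checks the parsed values after `d2i_DHparams_bio` or `ossl_pkey_read_generic` returns; the latter's body is not on this page, so that part is inferred. Since the class exposes `params_ok?`, the `+string+::` entry could add `The parameters are not validated; call #params_ok? before using parameters that come from an untrusted source.` A short comment at `legacy:` noting that `in` is still NULL on the no-argument path, which `BIO_free` accepts, would make the shared cleanup easier to trust. The hunk also opens ossl_dh_initialize_copy, whose body continues outside it.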
@@ -201,15 +135,14 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
DH *dh, *dh_other;
const BIGNUM *pub, *priv;
- GetPKey(self, pkey);
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
- ossl_raise(eDHError, "DH already initialized");
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
GetDH(other, dh_other);
dh = DHparams_dup(dh_other);
if (!dh)
ossl_raise(eDHError, "DHparams_dup");
- EVP_PKEY_assign_DH(pkey, dh);
DH_get0_key(dh_other, &pub, &priv);
if (pub) {
@@ -224,8 +157,16 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
DH_set0_key(dh, pub2, priv2);
}
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
+ EVP_PKEY_free(pkey);
+ DH_free(dh);
+ ossl_raise(eDHError, "EVP_PKEY_assign_DH");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#endif
/*
* call-seq:
@@ -237,7 +178,7 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
static VALUE
ossl_dh_is_public(VALUE self)
{
- DH *dh;
+ OSSL_3_const DH *dh;
const BIGNUM *bn;
GetDH(self, dh);
@@ -256,14 +197,14 @@ ossl_dh_is_public(VALUE self)
static VALUE
ossl_dh_is_private(VALUE self)
{
- DH *dh;
+ OSSL_3_const DH *dh;
const BIGNUM *bn;
GetDH(self, dh);
DH_get0_key(dh, NULL, &bn);
#if !defined(OPENSSL_NO_ENGINE)
- return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
+ return (bn || DH_get0_engine((DH *)dh)) ? Qtrue : Qfalse;
#else
return bn ? Qtrue : Qfalse;
#endif
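Review bot: The `(DH *)dh` cast in `DH_get0_engine((DH *)dh)` discards the `OSSL_3_const` qualifier that this same hunk adds to the declaration, and nothing explains why that is safe. The cast is needed because DH_get0_engine() takes a non-const `DH *`; presumably it only reads the object. I would say so on the line above: `/* DH_get0_engine() is declared with a non-const DH *; dh is not modified */`. The closing brace of ossl_dh_is_private is outside the hunk.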
@@ -275,14 +216,25 @@ ossl_dh_is_private(VALUE self)
* dh.to_pem -> aString
* dh.to_s -> aString
*
- * Encodes this DH to its PEM encoding. Note that any existing per-session
- * public/private keys will *not* get encoded, just the Diffie-Hellman
- * parameters will be encoded.
+ * Serializes the DH parameters to a PEM-encoding.
+ *
+ * Note that any existing per-session public/private keys will *not* get
+ * encoded, just the Diffie-Hellman parameters will be encoded.
+ *
+ * PEM-encoded parameters will look like:
+ *
+ * -----BEGIN DH PARAMETERS-----
+ * [...]
+ * -----END DH PARAMETERS-----
+ *
+ * See also #public_to_pem (X.509 SubjectPublicKeyInfo) and
+ * #private_to_pem (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for
+ * serialization with the private or public key components.
*/
static VALUE
ossl_dh_export(VALUE self)
{
- DH *dh;
+ OSSL_3_const DH *dh;
BIO *out;
VALUE str;
@@ -303,15 +255,19 @@ ossl_dh_export(VALUE self)
* call-seq:
* dh.to_der -> aString
*
- * Encodes this DH to its DER encoding. Note that any existing per-session
- * public/private keys will *not* get encoded, just the Diffie-Hellman
- * parameters will be encoded.
-
+ * Serializes the DH parameters to a DER-encoding
+ *
+ * Note that any existing per-session public/private keys will *not* get
+ * encoded, just the Diffie-Hellman parameters will be encoded.
+ *
+ * See also #public_to_der (X.509 SubjectPublicKeyInfo) and
+ * #private_to_der (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for
+ * serialization with the private or public key components.
*/
static VALUE
ossl_dh_to_der(VALUE self)
{
- DH *dh;
+ OSSL_3_const DH *dh;
unsigned char *p;
long len;
VALUE str;
@@ -339,7 +295,7 @@ ossl_dh_to_der(VALUE self)
static VALUE
ossl_dh_get_params(VALUE self)
{
- DH *dh;
+ OSSL_3_const DH *dh;
VALUE hash;
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
@@ -359,121 +315,43 @@ ossl_dh_get_params(VALUE self)
/*
* call-seq:
- * dh.to_text -> aString
- *
- * Prints all parameters of key to buffer
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
- * Don't use :-)) (I's up to you)
- */
-static VALUE
-ossl_dh_to_text(VALUE self)
-{
- DH *dh;
- BIO *out;
- VALUE str;
-
- GetDH(self, dh);
- if (!(out = BIO_new(BIO_s_mem()))) {
- ossl_raise(eDHError, NULL);
- }
- if (!DHparams_print(out, dh)) {
- BIO_free(out);
- ossl_raise(eDHError, NULL);
- }
- str = ossl_membio2str(out);
-
- return str;
-}
-
-/*
- * call-seq:
- * dh.public_key -> aDH
- *
- * Returns a new DH instance that carries just the public information, i.e.
- * the prime _p_ and the generator _g_, but no public/private key yet. Such
- * a pair may be generated using DH#generate_key!. The "public key" needed
- * for a key exchange with DH#compute_key is considered as per-session
- * information and may be retrieved with DH#pub_key once a key pair has
- * been generated.
- * If the current instance already contains private information (and thus a
- * valid public/private key pair), this information will no longer be present
- * in the new instance generated by DH#public_key. This feature is helpful for
- * publishing the Diffie-Hellman parameters without leaking any of the private
- * per-session information.
- *
- * === Example
- * dh = OpenSSL::PKey::DH.new(2048) # has public and private key set
- * public_key = dh.public_key # contains only prime and generator
- * parameters = public_key.to_der # it's safe to publish this
- */
-static VALUE
-ossl_dh_to_public_key(VALUE self)
-{
- EVP_PKEY *pkey;
- DH *orig_dh, *dh;
- VALUE obj;
-
- obj = rb_obj_alloc(rb_obj_class(self));
- GetPKey(obj, pkey);
-
- GetDH(self, orig_dh);
- dh = DHparams_dup(orig_dh);
- if (!dh)
- ossl_raise(eDHError, "DHparams_dup");
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
- DH_free(dh);
- ossl_raise(eDHError, "EVP_PKEY_assign_DH");
- }
- return obj;
-}
-
-/*
- * call-seq:
* dh.params_ok? -> true | false
*
* Validates the Diffie-Hellman parameters associated with this instance.
* It checks whether a safe prime and a suitable generator are used. If this
* is not the case, +false+ is returned.
+ *
+ * See also the man page EVP_PKEY_param_check(3).
*/
static VALUE
ossl_dh_check_params(VALUE self)
{
+ int ret;
+#ifdef HAVE_EVP_PKEY_CHECK
+ EVP_PKEY *pkey;
+ EVP_PKEY_CTX *pctx;
+
+ GetPKey(self, pkey);
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!pctx)
+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");
+ ret = EVP_PKEY_param_check(pctx);
+ EVP_PKEY_CTX_free(pctx);
+#else
DH *dh;
int codes;
GetDH(self, dh);
- if (!DH_check(dh, &codes)) {
- return Qfalse;
- }
-
- return codes == 0 ? Qtrue : Qfalse;
-}
-
-/*
- * call-seq:
- * dh.generate_key! -> self
- *
- * Generates a private and public key unless a private key already exists.
- * If this DH instance was generated from public DH parameters (e.g. by
- * encoding the result of DH#public_key), then this method needs to be
- * called first in order to generate the per-session keys before performing
- * the actual key exchange.
- *
- * === Example
- * dh = OpenSSL::PKey::DH.new(2048)
- * public_key = dh.public_key #contains no private/public key yet
- * public_key.generate_key!
- * puts public_key.private? # => true
- */
-static VALUE
-ossl_dh_generate_key(VALUE self)
-{
- DH *dh;
+ ret = DH_check(dh, &codes) == 1 && codes == 0;
+#endif
- GetDH(self, dh);
- if (!DH_generate_key(dh))
- ossl_raise(eDHError, "Failed to generate key");
- return self;
+ if (ret == 1)
+ return Qtrue;
+ else {
+ /* DH_check_ex() will put error entry on failure */
+ ossl_clear_error();
+ return Qfalse;
+ }
}
/*
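Review bot: The comment `/* DH_check_ex() will put error entry on failure */` in ossl_dh_check_params names a function that neither branch calls; the visible code uses `EVP_PKEY_param_check(pctx)` or `DH_check(dh, &codes)`. It presumably refers to what the EVP call does internally, but a reader cannot tell that from here. Something like `/* EVP_PKEY_param_check() may leave entries on the error queue on failure */` would tie the `ossl_clear_error()` call to the code that is actually present. It would also help to note in the doc comment that any result other than 1, including an error inside the check itself, is reported as `false` rather than raised.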
@@ -530,29 +408,33 @@ Init_ossl_dh(void)
* The per-session private key, an OpenSSL::BN.
*
* === Example of a key exchange
- * dh1 = OpenSSL::PKey::DH.new(2048)
- * der = dh1.public_key.to_der #you may send this publicly to the participating party
- * dh2 = OpenSSL::PKey::DH.new(der)
- * dh2.generate_key! #generate the per-session key pair
- * symm_key1 = dh1.compute_key(dh2.pub_key)
- * symm_key2 = dh2.compute_key(dh1.pub_key)
+ * # you may send the parameters (der) and own public key (pub1) publicly
+ * # to the participating party
+ * dh1 = OpenSSL::PKey::DH.new(2048)
+ * der = dh1.to_der
+ * pub1 = dh1.pub_key
*
- * puts symm_key1 == symm_key2 # => true
+ * # the other party generates its per-session key pair
+ * dhparams = OpenSSL::PKey::DH.new(der)
+ * dh2 = OpenSSL::PKey.generate_key(dhparams)
+ * pub2 = dh2.pub_key
+ *
+ * symm_key1 = dh1.compute_key(pub2)
+ * symm_key2 = dh2.compute_key(pub1)
+ * puts symm_key1 == symm_key2 # => true
*/
cDH = rb_define_class_under(mPKey, "DH", cPKey);
- rb_define_singleton_method(cDH, "generate", ossl_dh_s_generate, -1);
rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);
+#ifndef HAVE_EVP_PKEY_DUP
rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1);
+#endif
rb_define_method(cDH, "public?", ossl_dh_is_public, 0);
rb_define_method(cDH, "private?", ossl_dh_is_private, 0);
- rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
rb_define_method(cDH, "export", ossl_dh_export, 0);
rb_define_alias(cDH, "to_pem", "export");
rb_define_alias(cDH, "to_s", "export");
rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);
- rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);
- rb_define_method(cDH, "generate_key!", ossl_dh_generate_key, 0);
DEF_OSSL_PKEY_BN(cDH, dh, p);
DEF_OSSL_PKEY_BN(cDH, dh, q);
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 0e68f7f27f..058ce73888 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -24,7 +24,7 @@
} while (0)
static inline int
-DSA_HAS_PRIVATE(DSA *dsa)
+DSA_HAS_PRIVATE(OSSL_3_const DSA *dsa)
{
const BIGNUM *bn;
DSA_get0_key(dsa, NULL, &bn);
@@ -32,7 +32,7 @@ DSA_HAS_PRIVATE(DSA *dsa)
}
static inline int
-DSA_PRIVATE(VALUE obj, DSA *dsa)
+DSA_PRIVATE(VALUE obj, OSSL_3_const DSA *dsa)
{
return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
}
@@ -46,198 +46,128 @@ VALUE eDSAError;
/*
* Private
*/
-struct dsa_blocking_gen_arg {
- DSA *dsa;
- int size;
- int *counter;
- unsigned long *h;
- BN_GENCB *cb;
- int result;
-};
-
-static void *
-dsa_blocking_gen(void *arg)
-{
- struct dsa_blocking_gen_arg *gen = (struct dsa_blocking_gen_arg *)arg;
- gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, NULL, 0,
- gen->counter, gen->h, gen->cb);
- return 0;
-}
-
-static DSA *
-dsa_generate(int size)
-{
- struct ossl_generate_cb_arg cb_arg = { 0 };
- struct dsa_blocking_gen_arg gen_arg;
- DSA *dsa = DSA_new();
- BN_GENCB *cb = BN_GENCB_new();
- int counter;
- unsigned long h;
-
- if (!dsa || !cb) {
- DSA_free(dsa);
- BN_GENCB_free(cb);
- ossl_raise(eDSAError, "malloc failure");
- }
-
- if (rb_block_given_p())
- cb_arg.yield = 1;
- BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
- gen_arg.dsa = dsa;
- gen_arg.size = size;
- gen_arg.counter = &counter;
- gen_arg.h = &h;
- gen_arg.cb = cb;
- if (cb_arg.yield == 1) {
- /* we cannot release GVL when callback proc is supplied */
- dsa_blocking_gen(&gen_arg);
- } else {
- /* there's a chance to unblock */
- rb_thread_call_without_gvl(dsa_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg);
- }
-
- BN_GENCB_free(cb);
- if (!gen_arg.result) {
- DSA_free(dsa);
- if (cb_arg.state) {
- /* Clear OpenSSL error queue before re-raising. By the way, the
- * documentation of DSA_generate_parameters_ex() says the error code
- * can be obtained by ERR_get_error(), but the default
- * implementation, dsa_builtin_paramgen() doesn't put any error... */
- ossl_clear_error();
- rb_jump_tag(cb_arg.state);
- }
- ossl_raise(eDSAError, "DSA_generate_parameters_ex");
- }
-
- if (!DSA_generate_key(dsa)) {
- DSA_free(dsa);
- ossl_raise(eDSAError, "DSA_generate_key");
- }
-
- return dsa;
-}
-
-/*
- * call-seq:
- * DSA.generate(size) -> dsa
- *
- * Creates a new DSA instance by generating a private/public key pair
- * from scratch.
- *
- * === Parameters
- * * _size_ is an integer representing the desired key size.
- *
- */
-static VALUE
-ossl_dsa_s_generate(VALUE klass, VALUE size)
-{
- EVP_PKEY *pkey;
- DSA *dsa;
- VALUE obj;
-
- obj = rb_obj_alloc(klass);
- GetPKey(obj, pkey);
-
- dsa = dsa_generate(NUM2INT(size));
- if (!EVP_PKEY_assign_DSA(pkey, dsa)) {
- DSA_free(dsa);
- ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
- }
- return obj;
-}
-
/*
* call-seq:
* DSA.new -> dsa
- * DSA.new(size) -> dsa
* DSA.new(string [, pass]) -> dsa
+ * DSA.new(size) -> dsa
*
* Creates a new DSA instance by reading an existing key from _string_.
*
- * === Parameters
- * * _size_ is an integer representing the desired key size.
- * * _string_ contains a DER or PEM encoded key.
- * * _pass_ is a string that contains an optional password.
+ * If called without arguments, creates a new instance with no key components
+ * set. They can be set individually by #set_pqg and #set_key.
+ *
+ * If called with a String, tries to parse as DER or PEM encoding of a \DSA key.
+ * See also OpenSSL::PKey.read which can parse keys of any kinds.
+ *
+ * If called with a number, generates random parameters and a key pair. This
+ * form works as an alias of DSA.generate.
+ *
+ * +string+::
+ * A String that contains a DER or PEM encoded key.
+ * +pass+::
+ * A String that contains an optional password.
+ * +size+::
+ * See DSA.generate.
+ *
+ * Examples:
+ * p OpenSSL::PKey::DSA.new(1024)
+ * #=> #<OpenSSL::PKey::DSA:0x000055a8d6025bf0 oid=DSA>
*
- * === Examples
- * DSA.new -> dsa
- * DSA.new(1024) -> dsa
- * DSA.new(File.read('dsa.pem')) -> dsa
- * DSA.new(File.read('dsa.pem'), 'mypassword') -> dsa
+ * p OpenSSL::PKey::DSA.new(File.read('dsa.pem'))
+ * #=> #<OpenSSL::PKey::DSA:0x000055555d6b8110 oid=DSA>
*
+ * p OpenSSL::PKey::DSA.new(File.read('dsa.pem'), 'mypassword')
+ * #=> #<OpenSSL::PKey::DSA:0x0000556f973c40b8 oid=DSA>
*/
static VALUE
ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
{
- EVP_PKEY *pkey, *tmp;
- DSA *dsa = NULL;
- BIO *in;
+ EVP_PKEY *pkey;
+ DSA *dsa;
+ BIO *in = NULL;
VALUE arg, pass;
+ int type;
- GetPKey(self, pkey);
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
+
+ /* The DSA.new(size, generator) form is handled by lib/openssl/pkey.rb */
rb_scan_args(argc, argv, "02", &arg, &pass);
if (argc == 0) {
dsa = DSA_new();
if (!dsa)
ossl_raise(eDSAError, "DSA_new");
+ goto legacy;
}
- else if (argc == 1 && RB_INTEGER_TYPE_P(arg)) {
- dsa = dsa_generate(NUM2INT(arg));
- }
- else {
- pass = ossl_pem_passwd_value(pass);
- arg = ossl_to_der_if_possible(arg);
- in = ossl_obj2bio(&arg);
-
- tmp = ossl_pkey_read_generic(in, pass);
- if (tmp) {
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_DSA)
- rb_raise(eDSAError, "incorrect pkey type: %s",
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
- dsa = EVP_PKEY_get1_DSA(tmp);
- EVP_PKEY_free(tmp);
- }
- if (!dsa) {
- OSSL_BIO_reset(in);
-#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
- (d2i_of_void *)d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void **)(x), (cb), (u))
- dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
-#undef PEM_read_bio_DSAPublicKey
- }
- BIO_free(in);
- if (!dsa) {
- ossl_clear_error();
- ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
- }
- }
- if (!EVP_PKEY_assign_DSA(pkey, dsa)) {
- DSA_free(dsa);
- ossl_raise(eDSAError, NULL);
+
+ pass = ossl_pem_passwd_value(pass);
+ arg = ossl_to_der_if_possible(arg);
+ in = ossl_obj2bio(&arg);
+
+ /* DER-encoded DSAPublicKey format isn't supported by the generic routine */
+ dsa = (DSA *)PEM_ASN1_read_bio((d2i_of_void *)d2i_DSAPublicKey,
+ PEM_STRING_DSA_PUBLIC,
+ in, NULL, NULL, NULL);
+ if (dsa)
+ goto legacy;
+ OSSL_BIO_reset(in);
+
+ pkey = ossl_pkey_read_generic(in, pass);
+ BIO_free(in);
+ if (!pkey)
+ ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
+
+ type = EVP_PKEY_base_id(pkey);
+ if (type != EVP_PKEY_DSA) {
+ EVP_PKEY_free(pkey);
+ rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
}
+ RTYPEDDATA_DATA(self) = pkey;
+ return self;
+ legacy:
+ BIO_free(in);
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa) != 1) {
+ EVP_PKEY_free(pkey);
+ DSA_free(dsa);
+ ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#ifndef HAVE_EVP_PKEY_DUP
static VALUE
ossl_dsa_initialize_copy(VALUE self, VALUE other)
{
EVP_PKEY *pkey;
DSA *dsa, *dsa_new;
- GetPKey(self, pkey);
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
- ossl_raise(eDSAError, "DSA already initialized");
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
GetDSA(other, dsa);
- dsa_new = ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, (d2i_of_void *)d2i_DSAPrivateKey, (char *)dsa);
+ dsa_new = (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey,
+ (d2i_of_void *)d2i_DSAPrivateKey,
+ (char *)dsa);
if (!dsa_new)
ossl_raise(eDSAError, "ASN1_dup");
- EVP_PKEY_assign_DSA(pkey, dsa_new);
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa_new) != 1) {
+ EVP_PKEY_free(pkey);
+ DSA_free(dsa_new);
+ ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#endif
/*
* call-seq:
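Review bot: The new documentation example `p OpenSSL::PKey::DSA.new(1024)` above ossl_dsa_initialize shows a 1024-bit key, a size that current guidance such as NIST SP 800-131A no longer accepts for generating DSA signatures. The examples removed further down in this file used 2048, so `p OpenSSL::PKey::DSA.new(2048)` would be the safer line for readers to copy. Separately, the comment `/* The DSA.new(size, generator) form is handled by lib/openssl/pkey.rb */` mentions a generator argument, while the call-seq lists only `DSA.new(size)`. `/* The DSA.new(size) form is handled by lib/openssl/pkey.rb */` would match the documented interface.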
@@ -249,7 +179,7 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
static VALUE
ossl_dsa_is_public(VALUE self)
{
- DSA *dsa;
+ const DSA *dsa;
const BIGNUM *bn;
GetDSA(self, dsa);
@@ -268,7 +198,7 @@ ossl_dsa_is_public(VALUE self)
static VALUE
ossl_dsa_is_private(VALUE self)
{
- DSA *dsa;
+ OSSL_3_const DSA *dsa;
GetDSA(self, dsa);
@@ -281,21 +211,63 @@ ossl_dsa_is_private(VALUE self)
* dsa.to_pem([cipher, password]) -> aString
* dsa.to_s([cipher, password]) -> aString
*
- * Encodes this DSA to its PEM encoding.
+ * Serializes a private or public key to a PEM-encoding.
+ *
+ * [When the key contains public components only]
+ *
+ * Serializes it into an X.509 SubjectPublicKeyInfo.
+ * The parameters _cipher_ and _password_ are ignored.
+ *
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN PUBLIC KEY-----
+ * [...]
+ * -----END PUBLIC KEY-----
+ *
+ * Consider using #public_to_pem instead. This serializes the key into an
+ * X.509 SubjectPublicKeyInfo regardless of whether it is a public key
+ * or a private key.
+ *
+ * [When the key contains private components, and no parameters are given]
+ *
+ * Serializes it into a traditional \OpenSSL DSAPrivateKey.
*
- * === Parameters
- * * _cipher_ is an OpenSSL::Cipher.
- * * _password_ is a string containing your password.
+ * A PEM-encoded key will look like:
*
- * === Examples
- * DSA.to_pem -> aString
- * DSA.to_pem(cipher, 'mypassword') -> aString
+ * -----BEGIN DSA PRIVATE KEY-----
+ * [...]
+ * -----END DSA PRIVATE KEY-----
*
+ * [When the key contains private components, and _cipher_ and _password_ are given]
+ *
+ * Serializes it into a traditional \OpenSSL DSAPrivateKey and encrypts it in
+ * OpenSSL's traditional PEM encryption format.
+ * _cipher_ must be a cipher name understood by OpenSSL::Cipher.new or an
+ * instance of OpenSSL::Cipher.
+ *
+ * An encrypted PEM-encoded key will look like:
+ *
+ * -----BEGIN DSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+ *
+ * [...]
+ * -----END DSA PRIVATE KEY-----
+ *
+ * Note that this format uses MD5 to derive the encryption key, and hence
+ * will not be available on FIPS-compliant systems.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the traditional, non-standard \OpenSSL format
+ * is required.
+ *
+ * Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
+ * (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
*/
static VALUE
ossl_dsa_export(int argc, VALUE *argv, VALUE self)
{
- DSA *dsa;
+ OSSL_3_const DSA *dsa;
GetDSA(self, dsa);
if (DSA_HAS_PRIVATE(dsa))
@@ -308,13 +280,20 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
* call-seq:
* dsa.to_der -> aString
*
- * Encodes this DSA to its DER encoding.
+ * Serializes a private or public key to a DER-encoding.
*
+ * See #to_pem for details.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the traditional, non-standard \OpenSSL format
+ * is required.
+ *
+ * Consider using #public_to_der or #private_to_der instead.
*/
static VALUE
ossl_dsa_to_der(VALUE self)
{
- DSA *dsa;
+ OSSL_3_const DSA *dsa;
GetDSA(self, dsa);
if (DSA_HAS_PRIVATE(dsa))
@@ -335,7 +314,7 @@ ossl_dsa_to_der(VALUE self)
static VALUE
ossl_dsa_get_params(VALUE self)
{
- DSA *dsa;
+ OSSL_3_const DSA *dsa;
VALUE hash;
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
@@ -354,161 +333,6 @@ ossl_dsa_get_params(VALUE self)
}
/*
- * call-seq:
- * dsa.to_text -> aString
- *
- * Prints all parameters of key to buffer
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
- * Don't use :-)) (I's up to you)
- */
-static VALUE
-ossl_dsa_to_text(VALUE self)
-{
- DSA *dsa;
- BIO *out;
- VALUE str;
-
- GetDSA(self, dsa);
- if (!(out = BIO_new(BIO_s_mem()))) {
- ossl_raise(eDSAError, NULL);
- }
- if (!DSA_print(out, dsa, 0)) { /* offset = 0 */
- BIO_free(out);
- ossl_raise(eDSAError, NULL);
- }
- str = ossl_membio2str(out);
-
- return str;
-}
-
-/*
- * call-seq:
- * dsa.public_key -> aDSA
- *
- * Returns a new DSA instance that carries just the public key information.
- * If the current instance has also private key information, this will no
- * longer be present in the new instance. This feature is helpful for
- * publishing the public key information without leaking any of the private
- * information.
- *
- * === Example
- * dsa = OpenSSL::PKey::DSA.new(2048) # has public and private information
- * pub_key = dsa.public_key # has only the public part available
- * pub_key_der = pub_key.to_der # it's safe to publish this
- *
- *
- */
-static VALUE
-ossl_dsa_to_public_key(VALUE self)
-{
- EVP_PKEY *pkey, *pkey_new;
- DSA *dsa;
- VALUE obj;
-
- GetPKeyDSA(self, pkey);
- obj = rb_obj_alloc(rb_obj_class(self));
- GetPKey(obj, pkey_new);
-
-#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \
- (i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
- dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
-#undef DSAPublicKey_dup
- if (!dsa)
- ossl_raise(eDSAError, "DSAPublicKey_dup");
- if (!EVP_PKEY_assign_DSA(pkey_new, dsa)) {
- DSA_free(dsa);
- ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
- }
- return obj;
-}
-
-/*
- * call-seq:
- * dsa.syssign(string) -> aString
- *
- * Computes and returns the DSA signature of _string_, where _string_ is
- * expected to be an already-computed message digest of the original input
- * data. The signature is issued using the private key of this DSA instance.
- *
- * === Parameters
- * * _string_ is a message digest of the original input data to be signed.
- *
- * === Example
- * dsa = OpenSSL::PKey::DSA.new(2048)
- * doc = "Sign me"
- * digest = OpenSSL::Digest.digest('SHA1', doc)
- * sig = dsa.syssign(digest)
- *
- *
- */
-static VALUE
-ossl_dsa_sign(VALUE self, VALUE data)
-{
- DSA *dsa;
- const BIGNUM *dsa_q;
- unsigned int buf_len;
- VALUE str;
-
- GetDSA(self, dsa);
- DSA_get0_pqg(dsa, NULL, &dsa_q, NULL);
- if (!dsa_q)
- ossl_raise(eDSAError, "incomplete DSA");
- if (!DSA_PRIVATE(self, dsa))
- ossl_raise(eDSAError, "Private DSA key needed!");
- StringValue(data);
- str = rb_str_new(0, DSA_size(dsa));
- if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
- (unsigned char *)RSTRING_PTR(str),
- &buf_len, dsa)) { /* type is ignored (0) */
- ossl_raise(eDSAError, NULL);
- }
- rb_str_set_len(str, buf_len);
-
- return str;
-}
-
-/*
- * call-seq:
- * dsa.sysverify(digest, sig) -> true | false
- *
- * Verifies whether the signature is valid given the message digest input. It
- * does so by validating _sig_ using the public key of this DSA instance.
- *
- * === Parameters
- * * _digest_ is a message digest of the original input data to be signed
- * * _sig_ is a DSA signature value
- *
- * === Example
- * dsa = OpenSSL::PKey::DSA.new(2048)
- * doc = "Sign me"
- * digest = OpenSSL::Digest.digest('SHA1', doc)
- * sig = dsa.syssign(digest)
- * puts dsa.sysverify(digest, sig) # => true
- *
- */
-static VALUE
-ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
-{
- DSA *dsa;
- int ret;
-
- GetDSA(self, dsa);
- StringValue(digest);
- StringValue(sig);
- /* type is ignored (0) */
- ret = DSA_verify(0, (unsigned char *)RSTRING_PTR(digest), RSTRING_LENINT(digest),
- (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), dsa);
- if (ret < 0) {
- ossl_raise(eDSAError, NULL);
- }
- else if (ret == 1) {
- return Qtrue;
- }
-
- return Qfalse;
-}
-
-/*
* Document-method: OpenSSL::PKey::DSA#set_pqg
* call-seq:
* dsa.set_pqg(p, q, g) -> self
@@ -553,20 +377,17 @@ Init_ossl_dsa(void)
*/
cDSA = rb_define_class_under(mPKey, "DSA", cPKey);
- rb_define_singleton_method(cDSA, "generate", ossl_dsa_s_generate, 1);
rb_define_method(cDSA, "initialize", ossl_dsa_initialize, -1);
+#ifndef HAVE_EVP_PKEY_DUP
rb_define_method(cDSA, "initialize_copy", ossl_dsa_initialize_copy, 1);
+#endif
rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);
rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);
- rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);
rb_define_method(cDSA, "export", ossl_dsa_export, -1);
rb_define_alias(cDSA, "to_pem", "export");
rb_define_alias(cDSA, "to_s", "export");
rb_define_method(cDSA, "to_der", ossl_dsa_to_der, 0);
- rb_define_method(cDSA, "public_key", ossl_dsa_to_public_key, 0);
- rb_define_method(cDSA, "syssign", ossl_dsa_sign, 1);
- rb_define_method(cDSA, "sysverify", ossl_dsa_verify, 2);
DEF_OSSL_PKEY_BN(cDSA, dsa, p);
DEF_OSSL_PKEY_BN(cDSA, dsa, q);
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index be9b09cae6..4b3a1fd0fe 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -109,13 +109,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
VALUE obj;
obj = rb_obj_alloc(klass);
- GetPKey(obj, pkey);
ec = ec_key_new_from_group(arg);
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
+ EVP_PKEY_free(pkey);
EC_KEY_free(ec);
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
+ RTYPEDDATA_DATA(obj) = pkey;
+
if (!EC_KEY_generate_key(ec))
ossl_raise(eECError, "EC_KEY_generate_key");
@@ -136,75 +139,83 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
{
EVP_PKEY *pkey;
- EC_KEY *ec = NULL;
+ EC_KEY *ec;
+ BIO *in;
VALUE arg, pass;
+ int type;
- GetPKey(self, pkey);
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
- ossl_raise(eECError, "EC_KEY already initialized");
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
rb_scan_args(argc, argv, "02", &arg, &pass);
-
if (NIL_P(arg)) {
if (!(ec = EC_KEY_new()))
- ossl_raise(eECError, NULL);
- } else if (rb_obj_is_kind_of(arg, cEC)) {
- EC_KEY *other_ec = NULL;
+ ossl_raise(eECError, "EC_KEY_new");
+ goto legacy;
+ }
+ else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
+ ec = ec_key_new_from_group(arg);
+ goto legacy;
+ }
- GetEC(arg, other_ec);
- if (!(ec = EC_KEY_dup(other_ec)))
- ossl_raise(eECError, NULL);
- } else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
- ec = ec_key_new_from_group(arg);
- } else {
- BIO *in = ossl_obj2bio(&arg);
- EVP_PKEY *tmp;
- pass = ossl_pem_passwd_value(pass);
- tmp = ossl_pkey_read_generic(in, pass);
- if (tmp) {
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_EC)
- rb_raise(eECError, "incorrect pkey type: %s",
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
- ec = EVP_PKEY_get1_EC_KEY(tmp);
- EVP_PKEY_free(tmp);
- }
- BIO_free(in);
+ pass = ossl_pem_passwd_value(pass);
+ arg = ossl_to_der_if_possible(arg);
+ in = ossl_obj2bio(&arg);
- if (!ec) {
- ossl_clear_error();
- ec = ec_key_new_from_group(arg);
- }
+ pkey = ossl_pkey_read_generic(in, pass);
+ BIO_free(in);
+ if (!pkey) {
+ ossl_clear_error();
+ ec = ec_key_new_from_group(arg);
+ goto legacy;
}
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
- EC_KEY_free(ec);
- ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
+ type = EVP_PKEY_base_id(pkey);
+ if (type != EVP_PKEY_EC) {
+ EVP_PKEY_free(pkey);
+ rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
}
+ RTYPEDDATA_DATA(self) = pkey;
+ return self;
+ legacy:
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
+ EVP_PKEY_free(pkey);
+ EC_KEY_free(ec);
+ ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#ifndef HAVE_EVP_PKEY_DUP
static VALUE
ossl_ec_key_initialize_copy(VALUE self, VALUE other)
{
EVP_PKEY *pkey;
EC_KEY *ec, *ec_new;
- GetPKey(self, pkey);
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
- ossl_raise(eECError, "EC already initialized");
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
GetEC(other, ec);
ec_new = EC_KEY_dup(ec);
if (!ec_new)
ossl_raise(eECError, "EC_KEY_dup");
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec_new)) {
- EC_KEY_free(ec_new);
- ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
+
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec_new) != 1) {
+ EC_KEY_free(ec_new);
+ ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
}
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#endif
/*
* call-seq:
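Review bot: The type-mismatch branch in ossl_ec_key_initialize raises the DSA error class, `rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));`, while every other failure in this function uses `eECError`. Code that rescues the EC error class would presumably miss it, so the line should read `rb_raise(eECError, "incorrect pkey type: %s", OBJ_nid2sn(type));`. In ossl_ec_key_initialize_copy the failure path after `EVP_PKEY_new()` frees `ec_new` but not `pkey`, unlike the `legacy:` path above it. Adding `EVP_PKEY_free(pkey);` before `EC_KEY_free(ec_new);` avoids leaking the EVP_PKEY when the assign fails. The doc comment for ossl_ec_key_initialize starts outside this hunk.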
@@ -216,7 +227,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
static VALUE
ossl_ec_key_get_group(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
const EC_GROUP *group;
GetEC(self, ec);
@@ -237,6 +248,9 @@ ossl_ec_key_get_group(VALUE self)
static VALUE
ossl_ec_key_set_group(VALUE self, VALUE group_v)
{
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
+#else
EC_KEY *ec;
EC_GROUP *group;
@@ -247,6 +261,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
ossl_raise(eECError, "EC_KEY_set_group");
return group_v;
+#endif
}
/*
@@ -257,7 +272,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
*/
static VALUE ossl_ec_key_get_private_key(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
const BIGNUM *bn;
GetEC(self, ec);
@@ -275,6 +290,9 @@ static VALUE ossl_ec_key_get_private_key(VALUE self)
*/
static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
{
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
+#else
EC_KEY *ec;
BIGNUM *bn = NULL;
@@ -288,11 +306,13 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
case 0:
if (bn == NULL)
break;
+ /* fallthrough */
default:
ossl_raise(eECError, "EC_KEY_set_private_key");
}
return private_key;
+#endif
}
/*
@@ -303,7 +323,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
*/
static VALUE ossl_ec_key_get_public_key(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
const EC_POINT *point;
GetEC(self, ec);
@@ -321,6 +341,9 @@ static VALUE ossl_ec_key_get_public_key(VALUE self)
*/
static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
{
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
+#else
EC_KEY *ec;
EC_POINT *point = NULL;
@@ -334,11 +357,13 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
case 0:
if (point == NULL)
break;
+ /* fallthrough */
default:
ossl_raise(eECError, "EC_KEY_set_public_key");
}
return public_key;
+#endif
}
/*
@@ -350,7 +375,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
*/
static VALUE ossl_ec_key_is_public(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
GetEC(self, ec);
@@ -366,7 +391,7 @@ static VALUE ossl_ec_key_is_public(VALUE self)
*/
static VALUE ossl_ec_key_is_private(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
GetEC(self, ec);
@@ -375,20 +400,70 @@ static VALUE ossl_ec_key_is_private(VALUE self)
/*
* call-seq:
- * key.export([cipher, pass_phrase]) => String
- * key.to_pem([cipher, pass_phrase]) => String
+ * key.export([cipher, password]) => String
+ * key.to_pem([cipher, password]) => String
+ *
+ * Serializes a private or public key to a PEM-encoding.
+ *
+ * [When the key contains public components only]
+ *
+ * Serializes it into an X.509 SubjectPublicKeyInfo.
+ * The parameters _cipher_ and _password_ are ignored.
*
- * Outputs the EC key in PEM encoding. If _cipher_ and _pass_phrase_ are given
- * they will be used to encrypt the key. _cipher_ must be an OpenSSL::Cipher
- * instance. Note that encryption will only be effective for a private key,
- * public keys will always be encoded in plain text.
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN PUBLIC KEY-----
+ * [...]
+ * -----END PUBLIC KEY-----
+ *
+ * Consider using #public_to_pem instead. This serializes the key into an
+ * X.509 SubjectPublicKeyInfo regardless of whether it is a public key
+ * or a private key.
+ *
+ * [When the key contains private components, and no parameters are given]
+ *
+ * Serializes it into a SEC 1/RFC 5915 ECPrivateKey.
+ *
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN EC PRIVATE KEY-----
+ * [...]
+ * -----END EC PRIVATE KEY-----
+ *
+ * [When the key contains private components, and _cipher_ and _password_ are given]
+ *
+ * Serializes it into a SEC 1/RFC 5915 ECPrivateKey
+ * and encrypts it in OpenSSL's traditional PEM encryption format.
+ * _cipher_ must be a cipher name understood by OpenSSL::Cipher.new or an
+ * instance of OpenSSL::Cipher.
+ *
+ * An encrypted PEM-encoded key will look like:
+ *
+ * -----BEGIN EC PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+ *
+ * [...]
+ * -----END EC PRIVATE KEY-----
+ *
+ * Note that this format uses MD5 to derive the encryption key, and hence
+ * will not be available on FIPS-compliant systems.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the SEC 1/RFC 5915 ECPrivateKey format is
+ * required.
+ *
+ * Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
+ * (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
*/
static VALUE
ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
GetEC(self, ec);
+ if (EC_KEY_get0_public_key(ec) == NULL)
+ ossl_raise(eECError, "can't export - no public key set");
if (EC_KEY_get0_private_key(ec))
return ossl_pkey_export_traditional(argc, argv, self, 0);
else
@@ -399,45 +474,29 @@ ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
* call-seq:
* key.to_der => String
*
- * See the OpenSSL documentation for i2d_ECPrivateKey_bio()
+ * Serializes a private or public key to a DER-encoding.
+ *
+ * See #to_pem for details.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the SEC 1/RFC 5915 ECPrivateKey format is
+ * required.
+ *
+ * Consider using #public_to_der or #private_to_der instead.
*/
static VALUE
ossl_ec_key_to_der(VALUE self)
{
- EC_KEY *ec;
+ OSSL_3_const EC_KEY *ec;
GetEC(self, ec);
+ if (EC_KEY_get0_public_key(ec) == NULL)
+ ossl_raise(eECError, "can't export - no public key set");
if (EC_KEY_get0_private_key(ec))
return ossl_pkey_export_traditional(0, NULL, self, 1);
else
return ossl_pkey_export_spki(self, 1);
}
-
-/*
- * call-seq:
- * key.to_text => String
- *
- * See the OpenSSL documentation for EC_KEY_print()
- */
-static VALUE ossl_ec_key_to_text(VALUE self)
-{
- EC_KEY *ec;
- BIO *out;
- VALUE str;
-
- GetEC(self, ec);
- if (!(out = BIO_new(BIO_s_mem()))) {
- ossl_raise(eECError, "BIO_new(BIO_s_mem())");
- }
- if (!EC_KEY_print(out, ec, 0)) {
- BIO_free(out);
- ossl_raise(eECError, "EC_KEY_print");
- }
- str = ossl_membio2str(out);
-
- return str;
-}
-
/*
* call-seq:
* key.generate_key! => self
@@ -454,6 +513,9 @@ static VALUE ossl_ec_key_to_text(VALUE self)
*/
static VALUE ossl_ec_key_generate_key(VALUE self)
{
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
+#else
EC_KEY *ec;
GetEC(self, ec);
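Review bot: The rdoc comment for generate_key! does not mention the new failure mode: with OSSL_OPENSSL_PREREQ(3, 0, 0) the method now always raises ePKeyError instead of generating a key. Only part of that comment is visible here, so this may already be covered outside the hunk. If it is not, I would add a line such as `* Raises OpenSSL::PKey::PKeyError when built against OpenSSL 3.0 or later, where pkeys are immutable; use OpenSSL::PKey::EC.generate instead.` so callers learn about the change from the documentation rather than at run time.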
@@ -461,76 +523,53 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
ossl_raise(eECError, "EC_KEY_generate_key");
return self;
+#endif
}
/*
- * call-seq:
- * key.check_key => true
+ * call-seq:
+ * key.check_key => true
*
- * Raises an exception if the key is invalid.
+ * Raises an exception if the key is invalid.
*
- * See the OpenSSL documentation for EC_KEY_check_key()
+ * See also the man page EVP_PKEY_public_check(3).
*/
static VALUE ossl_ec_key_check_key(VALUE self)
{
- EC_KEY *ec;
-
- GetEC(self, ec);
- if (EC_KEY_check_key(ec) != 1)
- ossl_raise(eECError, "EC_KEY_check_key");
-
- return Qtrue;
-}
-
-/*
- * call-seq:
- * key.dsa_sign_asn1(data) => String
- *
- * See the OpenSSL documentation for ECDSA_sign()
- */
-static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
-{
- EC_KEY *ec;
- unsigned int buf_len;
- VALUE str;
+#ifdef HAVE_EVP_PKEY_CHECK
+ EVP_PKEY *pkey;
+ EVP_PKEY_CTX *pctx;
+ const EC_KEY *ec;
+ GetPKey(self, pkey);
GetEC(self, ec);
- StringValue(data);
-
- if (EC_KEY_get0_private_key(ec) == NULL)
- ossl_raise(eECError, "Private EC key needed!");
-
- str = rb_str_new(0, ECDSA_size(ec));
- if (ECDSA_sign(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(str), &buf_len, ec) != 1)
- ossl_raise(eECError, "ECDSA_sign");
- rb_str_set_len(str, buf_len);
-
- return str;
-}
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
+ if (!pctx)
+ ossl_raise(eECError, "EVP_PKEY_CTX_new");
+
+ if (EC_KEY_get0_private_key(ec) != NULL) {
+ if (EVP_PKEY_check(pctx) != 1) {
+ EVP_PKEY_CTX_free(pctx);
+ ossl_raise(eECError, "EVP_PKEY_check");
+ }
+ }
+ else {
+ if (EVP_PKEY_public_check(pctx) != 1) {
+ EVP_PKEY_CTX_free(pctx);
+ ossl_raise(eECError, "EVP_PKEY_public_check");
+ }
+ }
-/*
- * call-seq:
- * key.dsa_verify_asn1(data, sig) => true or false
- *
- * See the OpenSSL documentation for ECDSA_verify()
- */
-static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig)
-{
+ EVP_PKEY_CTX_free(pctx);
+#else
EC_KEY *ec;
GetEC(self, ec);
- StringValue(data);
- StringValue(sig);
-
- switch (ECDSA_verify(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(sig), (int)RSTRING_LEN(sig), ec)) {
- case 1: return Qtrue;
- case 0: return Qfalse;
- default: break;
- }
-
- ossl_raise(eECError, "ECDSA_verify");
+ if (EC_KEY_check_key(ec) != 1)
+ ossl_raise(eECError, "EC_KEY_check_key");
+#endif
- UNREACHABLE;
+ return Qtrue;
}
/*
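Review bot: The rdoc comment for check_key now refers only to EVP_PKEY_public_check(3), but the new body does more than that. It calls EVP_PKEY_check when EC_KEY_get0_private_key returns non-NULL, and it still uses EC_KEY_check_key when HAVE_EVP_PKEY_CHECK is not defined. Code that validates an imported key should be able to tell from the comment which check it gets. I would extend the comment to `See also the man pages EVP_PKEY_check(3) and EVP_PKEY_public_check(3); the former is used when the key has a private component.`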
@@ -539,7 +578,7 @@ static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig)
static void
ossl_ec_group_free(void *ptr)
{
- EC_GROUP_clear_free(ptr);
+ EC_GROUP_free(ptr);
}
static const rb_data_type_t ossl_ec_group_type = {
@@ -547,7 +586,7 @@ static const rb_data_type_t ossl_ec_group_type = {
{
0, ossl_ec_group_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -658,8 +697,7 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
ossl_raise(rb_eArgError, "wrong number of arguments");
}
- if (group == NULL)
- ossl_raise(eEC_GROUP, "");
+ ASSUME(group);
RTYPEDDATA_DATA(self) = group;
return self;
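Review bot: Replacing the NULL test with `ASSUME(group);` changes a missed assignment from a Ruby exception into undefined behaviour, because ASSUME is an optimizer hint rather than a runtime check. The branches that assign group are outside this hunk, so I cannot confirm that each of them raises on failure. If they do, a comment such as `/* every branch above either sets group or raises */` next to the ASSUME would record the invariant for the next person who adds a branch. If any branch can fall through with group unset, the runtime check should stay, with a descriptive message instead of the empty string the old code used.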
@@ -698,10 +736,11 @@ static VALUE ossl_ec_group_eql(VALUE a, VALUE b)
GetECGroup(a, group1);
GetECGroup(b, group2);
- if (EC_GROUP_cmp(group1, group2, ossl_bn_ctx) == 1)
- return Qfalse;
-
- return Qtrue;
+ switch (EC_GROUP_cmp(group1, group2, ossl_bn_ctx)) {
+ case 0: return Qtrue;
+ case 1: return Qfalse;
+ default: ossl_raise(eEC_GROUP, "EC_GROUP_cmp");
+ }
}
/*
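Review bot: The new switch in ossl_ec_group_eql ends the function with no trailing `UNREACHABLE;`, while the same rewrite of ossl_ec_point_eql in a later hunk of this file adds one after its switch. If ossl_raise is declared noreturn, as it appears to be, behaviour is identical, but the two functions should read alike, and a build that does not see ossl_raise as noreturn would warn about a missing return value here. I would add `UNREACHABLE;` after the closing brace of the switch. The function begins outside this hunk.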
@@ -1132,7 +1171,7 @@ static const rb_data_type_t ossl_ec_point_type = {
{
0, ossl_ec_point_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -1262,10 +1301,13 @@ static VALUE ossl_ec_point_eql(VALUE a, VALUE b)
GetECPoint(b, point2);
GetECGroup(group_v1, group);
- if (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx) == 1)
- return Qfalse;
+ switch (EC_POINT_cmp(group, point1, point2, ossl_bn_ctx)) {
+ case 0: return Qtrue;
+ case 1: return Qfalse;
+ default: ossl_raise(eEC_POINT, "EC_POINT_cmp");
+ }
- return Qtrue;
+ UNREACHABLE;
}
/*
@@ -1283,7 +1325,7 @@ static VALUE ossl_ec_point_is_at_infinity(VALUE self)
switch (EC_POINT_is_at_infinity(group, point)) {
case 1: return Qtrue;
case 0: return Qfalse;
- default: ossl_raise(cEC_POINT, "EC_POINT_is_at_infinity");
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_at_infinity");
}
UNREACHABLE;
@@ -1304,7 +1346,7 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
switch (EC_POINT_is_on_curve(group, point, ossl_bn_ctx)) {
case 1: return Qtrue;
case 0: return Qfalse;
- default: ossl_raise(cEC_POINT, "EC_POINT_is_on_curve");
+ default: ossl_raise(eEC_POINT, "EC_POINT_is_on_curve");
}
UNREACHABLE;
@@ -1313,6 +1355,8 @@ static VALUE ossl_ec_point_is_on_curve(VALUE self)
/*
* call-seq:
* point.make_affine! => self
+ *
+ * This method is deprecated and should not be used. This is a no-op.
*/
static VALUE ossl_ec_point_make_affine(VALUE self)
{
@@ -1322,8 +1366,11 @@ static VALUE ossl_ec_point_make_affine(VALUE self)
GetECPoint(self, point);
GetECPointGroup(self, group);
+ rb_warn("OpenSSL::PKey::EC::Point#make_affine! is deprecated");
+#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
if (EC_POINT_make_affine(group, point, ossl_bn_ctx) != 1)
- ossl_raise(cEC_POINT, "EC_POINT_make_affine");
+ ossl_raise(eEC_POINT, "EC_POINT_make_affine");
+#endif
return self;
}
@@ -1341,7 +1388,7 @@ static VALUE ossl_ec_point_invert(VALUE self)
GetECPointGroup(self, group);
if (EC_POINT_invert(group, point, ossl_bn_ctx) != 1)
- ossl_raise(cEC_POINT, "EC_POINT_invert");
+ ossl_raise(eEC_POINT, "EC_POINT_invert");
return self;
}
@@ -1359,7 +1406,7 @@ static VALUE ossl_ec_point_set_to_infinity(VALUE self)
GetECPointGroup(self, group);
if (EC_POINT_set_to_infinity(group, point) != 1)
- ossl_raise(cEC_POINT, "EC_POINT_set_to_infinity");
+ ossl_raise(eEC_POINT, "EC_POINT_set_to_infinity");
return self;
}
@@ -1570,8 +1617,9 @@ void Init_ossl_ec(void)
rb_define_singleton_method(cEC, "generate", ossl_ec_key_s_generate, 1);
rb_define_method(cEC, "initialize", ossl_ec_key_initialize, -1);
+#ifndef HAVE_EVP_PKEY_DUP
rb_define_method(cEC, "initialize_copy", ossl_ec_key_initialize_copy, 1);
-/* copy/dup/cmp */
+#endif
rb_define_method(cEC, "group", ossl_ec_key_get_group, 0);
rb_define_method(cEC, "group=", ossl_ec_key_set_group, 1);
@@ -1594,14 +1642,9 @@ void Init_ossl_ec(void)
rb_define_alias(cEC, "generate_key", "generate_key!");
rb_define_method(cEC, "check_key", ossl_ec_key_check_key, 0);
- rb_define_method(cEC, "dsa_sign_asn1", ossl_ec_key_dsa_sign_asn1, 1);
- rb_define_method(cEC, "dsa_verify_asn1", ossl_ec_key_dsa_verify_asn1, 2);
-/* do_sign/do_verify */
-
rb_define_method(cEC, "export", ossl_ec_key_export, -1);
rb_define_alias(cEC, "to_pem", "export");
rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);
- rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);
rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc);
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index 3c298a2aea..389f76f309 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -24,7 +24,7 @@
} while (0)
static inline int
-RSA_HAS_PRIVATE(RSA *rsa)
+RSA_HAS_PRIVATE(OSSL_3_const RSA *rsa)
{
const BIGNUM *e, *d;
@@ -33,7 +33,7 @@ RSA_HAS_PRIVATE(RSA *rsa)
}
static inline int
-RSA_PRIVATE(VALUE obj, RSA *rsa)
+RSA_PRIVATE(VALUE obj, OSSL_3_const RSA *rsa)
{
return RSA_HAS_PRIVATE(rsa) || OSSL_PKEY_IS_PRIVATE(obj);
}
@@ -47,201 +47,122 @@ VALUE eRSAError;
/*
* Private
*/
-struct rsa_blocking_gen_arg {
- RSA *rsa;
- BIGNUM *e;
- int size;
- BN_GENCB *cb;
- int result;
-};
-
-static void *
-rsa_blocking_gen(void *arg)
-{
- struct rsa_blocking_gen_arg *gen = (struct rsa_blocking_gen_arg *)arg;
- gen->result = RSA_generate_key_ex(gen->rsa, gen->size, gen->e, gen->cb);
- return 0;
-}
-
-static RSA *
-rsa_generate(int size, unsigned long exp)
-{
- int i;
- struct ossl_generate_cb_arg cb_arg = { 0 };
- struct rsa_blocking_gen_arg gen_arg;
- RSA *rsa = RSA_new();
- BIGNUM *e = BN_new();
- BN_GENCB *cb = BN_GENCB_new();
-
- if (!rsa || !e || !cb) {
- RSA_free(rsa);
- BN_free(e);
- BN_GENCB_free(cb);
- ossl_raise(eRSAError, "malloc failure");
- }
- for (i = 0; i < (int)sizeof(exp) * 8; ++i) {
- if (exp & (1UL << i)) {
- if (BN_set_bit(e, i) == 0) {
- BN_free(e);
- RSA_free(rsa);
- BN_GENCB_free(cb);
- ossl_raise(eRSAError, "BN_set_bit");
- }
- }
- }
-
- if (rb_block_given_p())
- cb_arg.yield = 1;
- BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
- gen_arg.rsa = rsa;
- gen_arg.e = e;
- gen_arg.size = size;
- gen_arg.cb = cb;
- if (cb_arg.yield == 1) {
- /* we cannot release GVL when callback proc is supplied */
- rsa_blocking_gen(&gen_arg);
- } else {
- /* there's a chance to unblock */
- rb_thread_call_without_gvl(rsa_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg);
- }
-
- BN_GENCB_free(cb);
- BN_free(e);
- if (!gen_arg.result) {
- RSA_free(rsa);
- if (cb_arg.state) {
- /* must clear OpenSSL error stack */
- ossl_clear_error();
- rb_jump_tag(cb_arg.state);
- }
- ossl_raise(eRSAError, "RSA_generate_key_ex");
- }
-
- return rsa;
-}
-
/*
* call-seq:
- * RSA.generate(size) => RSA instance
- * RSA.generate(size, exponent) => RSA instance
+ * RSA.new -> rsa
+ * RSA.new(encoded_key [, password ]) -> rsa
+ * RSA.new(encoded_key) { password } -> rsa
+ * RSA.new(size [, exponent]) -> rsa
*
- * Generates an RSA keypair. _size_ is an integer representing the desired key
- * size. Keys smaller than 1024 should be considered insecure. _exponent_ is
- * an odd number normally 3, 17, or 65537.
- */
-static VALUE
-ossl_rsa_s_generate(int argc, VALUE *argv, VALUE klass)
-{
-/* why does this method exist? why can't initialize take an optional exponent? */
- EVP_PKEY *pkey;
- RSA *rsa;
- VALUE size, exp;
- VALUE obj;
-
- rb_scan_args(argc, argv, "11", &size, &exp);
- obj = rb_obj_alloc(klass);
- GetPKey(obj, pkey);
-
- rsa = rsa_generate(NUM2INT(size), NIL_P(exp) ? RSA_F4 : NUM2ULONG(exp));
- if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
- RSA_free(rsa);
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
- }
- return obj;
-}
-
-/*
- * call-seq:
- * RSA.new(size [, exponent]) => RSA instance
- * RSA.new(encoded_key) => RSA instance
- * RSA.new(encoded_key, pass_phrase) => RSA instance
+ * Generates or loads an \RSA keypair.
*
- * Generates or loads an RSA keypair. If an integer _key_size_ is given it
- * represents the desired key size. Keys less than 1024 bits should be
- * considered insecure.
+ * If called without arguments, creates a new instance with no key components
+ * set. They can be set individually by #set_key, #set_factors, and
+ * #set_crt_params.
*
- * A key can instead be loaded from an _encoded_key_ which must be PEM or DER
- * encoded. A _pass_phrase_ can be used to decrypt the key. If none is given
- * OpenSSL will prompt for the pass phrase.
+ * If called with a String, tries to parse as DER or PEM encoding of an \RSA key.
+ * Note that if _password_ is not specified, but the key is encrypted with a
+ * password, \OpenSSL will prompt for it.
+ * See also OpenSSL::PKey.read which can parse keys of any kind.
*
- * = Examples
+ * If called with a number, generates a new key pair. This form works as an
+ * alias of RSA.generate.
*
+ * Examples:
* OpenSSL::PKey::RSA.new 2048
* OpenSSL::PKey::RSA.new File.read 'rsa.pem'
- * OpenSSL::PKey::RSA.new File.read('rsa.pem'), 'my pass phrase'
+ * OpenSSL::PKey::RSA.new File.read('rsa.pem'), 'my password'
*/
static VALUE
ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
{
- EVP_PKEY *pkey, *tmp;
- RSA *rsa = NULL;
- BIO *in;
+ EVP_PKEY *pkey;
+ RSA *rsa;
+ BIO *in = NULL;
VALUE arg, pass;
+ int type;
- GetPKey(self, pkey);
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
+
+ /* The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb */
rb_scan_args(argc, argv, "02", &arg, &pass);
if (argc == 0) {
rsa = RSA_new();
if (!rsa)
ossl_raise(eRSAError, "RSA_new");
+ goto legacy;
}
- else if (RB_INTEGER_TYPE_P(arg)) {
- rsa = rsa_generate(NUM2INT(arg), NIL_P(pass) ? RSA_F4 : NUM2ULONG(pass));
- }
- else {
- pass = ossl_pem_passwd_value(pass);
- arg = ossl_to_der_if_possible(arg);
- in = ossl_obj2bio(&arg);
-
- tmp = ossl_pkey_read_generic(in, pass);
- if (tmp) {
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_RSA)
- rb_raise(eRSAError, "incorrect pkey type: %s",
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
- rsa = EVP_PKEY_get1_RSA(tmp);
- EVP_PKEY_free(tmp);
- }
- if (!rsa) {
- OSSL_BIO_reset(in);
- rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
- }
- if (!rsa) {
- OSSL_BIO_reset(in);
- rsa = d2i_RSAPublicKey_bio(in, NULL);
- }
- BIO_free(in);
- if (!rsa) {
- ossl_clear_error();
- ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
- }
- }
- if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
- RSA_free(rsa);
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
+
+ pass = ossl_pem_passwd_value(pass);
+ arg = ossl_to_der_if_possible(arg);
+ in = ossl_obj2bio(&arg);
+
+ /* First try RSAPublicKey format */
+ rsa = d2i_RSAPublicKey_bio(in, NULL);
+ if (rsa)
+ goto legacy;
+ OSSL_BIO_reset(in);
+ rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
+ if (rsa)
+ goto legacy;
+ OSSL_BIO_reset(in);
+
+ /* Use the generic routine */
+ pkey = ossl_pkey_read_generic(in, pass);
+ BIO_free(in);
+ if (!pkey)
+ ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
+
+ type = EVP_PKEY_base_id(pkey);
+ if (type != EVP_PKEY_RSA) {
+ EVP_PKEY_free(pkey);
+ rb_raise(eRSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
}
+ RTYPEDDATA_DATA(self) = pkey;
+ return self;
+ legacy:
+ BIO_free(in);
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa) != 1) {
+ EVP_PKEY_free(pkey);
+ RSA_free(rsa);
+ ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#ifndef HAVE_EVP_PKEY_DUP
static VALUE
ossl_rsa_initialize_copy(VALUE self, VALUE other)
{
EVP_PKEY *pkey;
RSA *rsa, *rsa_new;
- GetPKey(self, pkey);
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
- ossl_raise(eRSAError, "RSA already initialized");
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
+ if (pkey)
+ rb_raise(rb_eTypeError, "pkey already initialized");
GetRSA(other, rsa);
- rsa_new = ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey, (d2i_of_void *)d2i_RSAPrivateKey, (char *)rsa);
+ rsa_new = (RSA *)ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey,
+ (d2i_of_void *)d2i_RSAPrivateKey,
+ (char *)rsa);
if (!rsa_new)
ossl_raise(eRSAError, "ASN1_dup");
- EVP_PKEY_assign_RSA(pkey, rsa_new);
+ pkey = EVP_PKEY_new();
+ if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa_new) != 1) {
+ RSA_free(rsa_new);
+ ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
+ }
+ RTYPEDDATA_DATA(self) = pkey;
return self;
}
+#endif
/*
* call-seq:
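Review bot: In ossl_rsa_initialize_copy the new error path frees rsa_new but not pkey, so the EVP_PKEY from EVP_PKEY_new() leaks when EVP_PKEY_assign_RSA fails. The `legacy:` path of ossl_rsa_initialize in this same hunk frees both. Adding `EVP_PKEY_free(pkey);` before `RSA_free(rsa_new);` brings the two paths into line, and EVP_PKEY_free accepts NULL, so the `!pkey` case needs no special handling. Separately, the comment `The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb` presumably means the exponent, since the call-seq above it reads `RSA.new(size [, exponent])`.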
@@ -253,7 +174,7 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
static VALUE
ossl_rsa_is_public(VALUE self)
{
- RSA *rsa;
+ OSSL_3_const RSA *rsa;
GetRSA(self, rsa);
/*
@@ -272,7 +193,7 @@ ossl_rsa_is_public(VALUE self)
static VALUE
ossl_rsa_is_private(VALUE self)
{
- RSA *rsa;
+ OSSL_3_const RSA *rsa;
GetRSA(self, rsa);
@@ -282,7 +203,7 @@ ossl_rsa_is_private(VALUE self)
static int
can_export_rsaprivatekey(VALUE self)
{
- RSA *rsa;
+ OSSL_3_const RSA *rsa;
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
GetRSA(self, rsa);
@@ -296,13 +217,61 @@ can_export_rsaprivatekey(VALUE self)
/*
* call-seq:
- * rsa.export([cipher, pass_phrase]) => PEM-format String
- * rsa.to_pem([cipher, pass_phrase]) => PEM-format String
- * rsa.to_s([cipher, pass_phrase]) => PEM-format String
+ * rsa.export([cipher, password]) => PEM-format String
+ * rsa.to_pem([cipher, password]) => PEM-format String
+ * rsa.to_s([cipher, password]) => PEM-format String
+ *
+ * Serializes a private or public key to a PEM-encoding.
+ *
+ * [When the key contains public components only]
+ *
+ * Serializes it into an X.509 SubjectPublicKeyInfo.
+ * The parameters _cipher_ and _password_ are ignored.
+ *
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN PUBLIC KEY-----
+ * [...]
+ * -----END PUBLIC KEY-----
+ *
+ * Consider using #public_to_pem instead. This serializes the key into an
+ * X.509 SubjectPublicKeyInfo regardless of whether the key is a public key
+ * or a private key.
+ *
+ * [When the key contains private components, and no parameters are given]
+ *
+ * Serializes it into a PKCS #1 RSAPrivateKey.
+ *
+ * A PEM-encoded key will look like:
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * [...]
+ * -----END RSA PRIVATE KEY-----
+ *
+ * [When the key contains private components, and _cipher_ and _password_ are given]
+ *
+ * Serializes it into a PKCS #1 RSAPrivateKey
+ * and encrypts it in OpenSSL's traditional PEM encryption format.
+ * _cipher_ must be a cipher name understood by OpenSSL::Cipher.new or an
+ * instance of OpenSSL::Cipher.
+ *
+ * An encrypted PEM-encoded key will look like:
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
+ *
+ * [...]
+ * -----END RSA PRIVATE KEY-----
+ *
+ * Note that this format uses MD5 to derive the encryption key, and hence
+ * will not be available on FIPS-compliant systems.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the PKCS #1 RSAPrivateKey format is required.
*
- * Outputs this keypair in PEM encoding. If _cipher_ and _pass_phrase_ are
- * given they will be used to encrypt the key. _cipher_ must be an
- * OpenSSL::Cipher instance.
+ * Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
+ * (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
*/
static VALUE
ossl_rsa_export(int argc, VALUE *argv, VALUE self)
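Review bot: The new text on the encrypted RSAPrivateKey form mentions MD5 only as a reason the format is unavailable on FIPS systems, which understates why callers should avoid it. OpenSSL's traditional PEM encryption derives the key from the password with a single MD5 iteration, so the password gets little protection against offline guessing whichever cipher is chosen. I would reword the sentence to `Note that this format derives the encryption key from the password with a single iteration of MD5, which offers little resistance to password guessing, and it is not available on FIPS-compliant systems.` That gives the recommendation of #private_to_pem a stated reason.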
@@ -317,7 +286,14 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self)
* call-seq:
* rsa.to_der => DER-format String
*
- * Outputs this keypair in DER encoding.
+ * Serializes a private or public key to a DER-encoding.
+ *
+ * See #to_pem for details.
+ *
+ * <b>This method is kept for compatibility.</b>
+ * This should only be used when the PKCS #1 RSAPrivateKey format is required.
+ *
+ * Consider using #public_to_der or #private_to_der instead.
*/
static VALUE
ossl_rsa_to_der(VALUE self)
@@ -330,138 +306,6 @@ ossl_rsa_to_der(VALUE self)
/*
* call-seq:
- * rsa.public_encrypt(string) => String
- * rsa.public_encrypt(string, padding) => String
- *
- * Encrypt _string_ with the public key. _padding_ defaults to PKCS1_PADDING.
- * The encrypted string output can be decrypted using #private_decrypt.
- */
-static VALUE
-ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self)
-{
- RSA *rsa;
- const BIGNUM *rsa_n;
- int buf_len, pad;
- VALUE str, buffer, padding;
-
- GetRSA(self, rsa);
- RSA_get0_key(rsa, &rsa_n, NULL, NULL);
- if (!rsa_n)
- ossl_raise(eRSAError, "incomplete RSA");
- rb_scan_args(argc, argv, "11", &buffer, &padding);
- pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
- StringValue(buffer);
- str = rb_str_new(0, RSA_size(rsa));
- buf_len = RSA_public_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), rsa, pad);
- if (buf_len < 0) ossl_raise(eRSAError, NULL);
- rb_str_set_len(str, buf_len);
-
- return str;
-}
-
-/*
- * call-seq:
- * rsa.public_decrypt(string) => String
- * rsa.public_decrypt(string, padding) => String
- *
- * Decrypt _string_, which has been encrypted with the private key, with the
- * public key. _padding_ defaults to PKCS1_PADDING.
- */
-static VALUE
-ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self)
-{
- RSA *rsa;
- const BIGNUM *rsa_n;
- int buf_len, pad;
- VALUE str, buffer, padding;
-
- GetRSA(self, rsa);
- RSA_get0_key(rsa, &rsa_n, NULL, NULL);
- if (!rsa_n)
- ossl_raise(eRSAError, "incomplete RSA");
- rb_scan_args(argc, argv, "11", &buffer, &padding);
- pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
- StringValue(buffer);
- str = rb_str_new(0, RSA_size(rsa));
- buf_len = RSA_public_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), rsa, pad);
- if (buf_len < 0) ossl_raise(eRSAError, NULL);
- rb_str_set_len(str, buf_len);
-
- return str;
-}
-
-/*
- * call-seq:
- * rsa.private_encrypt(string) => String
- * rsa.private_encrypt(string, padding) => String
- *
- * Encrypt _string_ with the private key. _padding_ defaults to PKCS1_PADDING.
- * The encrypted string output can be decrypted using #public_decrypt.
- */
-static VALUE
-ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
-{
- RSA *rsa;
- const BIGNUM *rsa_n;
- int buf_len, pad;
- VALUE str, buffer, padding;
-
- GetRSA(self, rsa);
- RSA_get0_key(rsa, &rsa_n, NULL, NULL);
- if (!rsa_n)
- ossl_raise(eRSAError, "incomplete RSA");
- if (!RSA_PRIVATE(self, rsa))
- ossl_raise(eRSAError, "private key needed.");
- rb_scan_args(argc, argv, "11", &buffer, &padding);
- pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
- StringValue(buffer);
- str = rb_str_new(0, RSA_size(rsa));
- buf_len = RSA_private_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), rsa, pad);
- if (buf_len < 0) ossl_raise(eRSAError, NULL);
- rb_str_set_len(str, buf_len);
-
- return str;
-}
-
-/*
- * call-seq:
- * rsa.private_decrypt(string) => String
- * rsa.private_decrypt(string, padding) => String
- *
- * Decrypt _string_, which has been encrypted with the public key, with the
- * private key. _padding_ defaults to PKCS1_PADDING.
- */
-static VALUE
-ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
-{
- RSA *rsa;
- const BIGNUM *rsa_n;
- int buf_len, pad;
- VALUE str, buffer, padding;
-
- GetRSA(self, rsa);
- RSA_get0_key(rsa, &rsa_n, NULL, NULL);
- if (!rsa_n)
- ossl_raise(eRSAError, "incomplete RSA");
- if (!RSA_PRIVATE(self, rsa))
- ossl_raise(eRSAError, "private key needed.");
- rb_scan_args(argc, argv, "11", &buffer, &padding);
- pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
- StringValue(buffer);
- str = rb_str_new(0, RSA_size(rsa));
- buf_len = RSA_private_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), rsa, pad);
- if (buf_len < 0) ossl_raise(eRSAError, NULL);
- rb_str_set_len(str, buf_len);
-
- return str;
-}
-
-/*
- * call-seq:
* rsa.sign_pss(digest, data, salt_length:, mgf1_hash:) -> String
*
* Signs _data_ using the Probabilistic Signature Scheme (RSA-PSS) and returns
@@ -489,7 +333,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
* data = "Sign me!"
* pkey = OpenSSL::PKey::RSA.new(2048)
* signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
- * pub_key = pkey.public_key
+ * pub_key = OpenSSL::PKey.read(pkey.public_to_der)
* puts pub_key.verify_pss("SHA256", signature, data,
* salt_length: :auto, mgf1_hash: "SHA256") # => true
*/
@@ -664,7 +508,7 @@ ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
static VALUE
ossl_rsa_get_params(VALUE self)
{
- RSA *rsa;
+ OSSL_3_const RSA *rsa;
VALUE hash;
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
@@ -687,91 +531,6 @@ ossl_rsa_get_params(VALUE self)
}
/*
- * call-seq:
- * rsa.to_text => String
- *
- * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
- *
- * Dumps all parameters of a keypair to a String
- *
- * Don't use :-)) (It's up to you)
- */
-static VALUE
-ossl_rsa_to_text(VALUE self)
-{
- RSA *rsa;
- BIO *out;
- VALUE str;
-
- GetRSA(self, rsa);
- if (!(out = BIO_new(BIO_s_mem()))) {
- ossl_raise(eRSAError, NULL);
- }
- if (!RSA_print(out, rsa, 0)) { /* offset = 0 */
- BIO_free(out);
- ossl_raise(eRSAError, NULL);
- }
- str = ossl_membio2str(out);
-
- return str;
-}
-
-/*
- * call-seq:
- * rsa.public_key -> RSA
- *
- * Makes new RSA instance containing the public key from the private key.
- */
-static VALUE
-ossl_rsa_to_public_key(VALUE self)
-{
- EVP_PKEY *pkey, *pkey_new;
- RSA *rsa;
- VALUE obj;
-
- GetPKeyRSA(self, pkey);
- obj = rb_obj_alloc(rb_obj_class(self));
- GetPKey(obj, pkey_new);
-
- rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
- if (!rsa)
- ossl_raise(eRSAError, "RSAPublicKey_dup");
- if (!EVP_PKEY_assign_RSA(pkey_new, rsa)) {
- RSA_free(rsa);
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
- }
- return obj;
-}
-
-/*
- * TODO: Test me
-
-static VALUE
-ossl_rsa_blinding_on(VALUE self)
-{
- RSA *rsa;
-
- GetRSA(self, rsa);
-
- if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) {
- ossl_raise(eRSAError, NULL);
- }
- return self;
-}
-
-static VALUE
-ossl_rsa_blinding_off(VALUE self)
-{
- RSA *rsa;
-
- GetRSA(self, rsa);
- RSA_blinding_off(rsa);
-
- return self;
-}
- */
-
-/*
* Document-method: OpenSSL::PKey::RSA#set_key
* call-seq:
* rsa.set_key(n, e, d) -> self
@@ -832,22 +591,17 @@ Init_ossl_rsa(void)
*/
cRSA = rb_define_class_under(mPKey, "RSA", cPKey);
- rb_define_singleton_method(cRSA, "generate", ossl_rsa_s_generate, -1);
rb_define_method(cRSA, "initialize", ossl_rsa_initialize, -1);
+#ifndef HAVE_EVP_PKEY_DUP
rb_define_method(cRSA, "initialize_copy", ossl_rsa_initialize_copy, 1);
+#endif
rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0);
rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0);
- rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);
rb_define_method(cRSA, "export", ossl_rsa_export, -1);
rb_define_alias(cRSA, "to_pem", "export");
rb_define_alias(cRSA, "to_s", "export");
rb_define_method(cRSA, "to_der", ossl_rsa_to_der, 0);
- rb_define_method(cRSA, "public_key", ossl_rsa_to_public_key, 0);
- rb_define_method(cRSA, "public_encrypt", ossl_rsa_public_encrypt, -1);
- rb_define_method(cRSA, "public_decrypt", ossl_rsa_public_decrypt, -1);
- rb_define_method(cRSA, "private_encrypt", ossl_rsa_private_encrypt, -1);
- rb_define_method(cRSA, "private_decrypt", ossl_rsa_private_decrypt, -1);
rb_define_method(cRSA, "sign_pss", ossl_rsa_sign_pss, -1);
rb_define_method(cRSA, "verify_pss", ossl_rsa_verify_pss, -1);
@@ -865,11 +619,6 @@ Init_ossl_rsa(void)
rb_define_method(cRSA, "params", ossl_rsa_get_params, 0);
- DefRSAConst(PKCS1_PADDING);
- DefRSAConst(SSLV23_PADDING);
- DefRSAConst(NO_PADDING);
- DefRSAConst(PKCS1_OAEP_PADDING);
-
/*
* TODO: Test it
rb_define_method(cRSA, "blinding_on!", ossl_rsa_blinding_on, 0);
diff --git a/ext/openssl/ossl_provider.c b/ext/openssl/ossl_provider.c
new file mode 100644
index 0000000000..981c6ccdc7
--- /dev/null
+++ b/ext/openssl/ossl_provider.c
@@ -0,0 +1,211 @@
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+#ifdef OSSL_USE_PROVIDER
+# include <openssl/provider.h>
+
+#define NewProvider(klass) \
+ TypedData_Wrap_Struct((klass), &ossl_provider_type, 0)
+#define SetProvider(obj, provider) do { \
+ if (!(provider)) { \
+ ossl_raise(rb_eRuntimeError, "Provider wasn't initialized."); \
+ } \
+ RTYPEDDATA_DATA(obj) = (provider); \
+} while(0)
+#define GetProvider(obj, provider) do { \
+ TypedData_Get_Struct((obj), OSSL_PROVIDER, &ossl_provider_type, (provider)); \
+ if (!(provider)) { \
+ ossl_raise(rb_eRuntimeError, "PROVIDER wasn't initialized."); \
+ } \
+} while (0)
+
+static const rb_data_type_t ossl_provider_type = {
+ "OpenSSL/Provider",
+ {
+ 0,
+ },
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+};
+
+/*
+ * Classes
+ */
+/* Document-class: OpenSSL::Provider
+ *
+ * This class is the access to openssl's Provider
+ * See also, https://www.openssl.org/docs/manmaster/man7/provider.html
+ */
+static VALUE cProvider;
+/* Document-class: OpenSSL::Provider::ProviderError
+ *
+ * This is the generic exception for OpenSSL::Provider related errors
+ */
+static VALUE eProviderError;
+
+/*
+ * call-seq:
+ * OpenSSL::Provider.load(name) -> provider
+ *
+ * This method loads and initializes a provider
+ */
+static VALUE
+ossl_provider_s_load(VALUE klass, VALUE name)
+{
+ OSSL_PROVIDER *provider = NULL;
+ VALUE obj;
+
+ const char *provider_name_ptr = StringValueCStr(name);
+
+ provider = OSSL_PROVIDER_load(NULL, provider_name_ptr);
+ if (provider == NULL) {
+ ossl_raise(eProviderError, "Failed to load %s provider", provider_name_ptr);
+ }
+ obj = NewProvider(klass);
+ SetProvider(obj, provider);
+
+ return obj;
+}
+
+struct ary_with_state { VALUE ary; int state; };
+struct rb_push_provider_name_args { OSSL_PROVIDER *prov; VALUE ary; };
+
+static VALUE
+rb_push_provider_name(VALUE rb_push_provider_name_args)
+{
+ struct rb_push_provider_name_args *args = (struct rb_push_provider_name_args *)rb_push_provider_name_args;
+
+ VALUE name = rb_str_new2(OSSL_PROVIDER_get0_name(args->prov));
+ return rb_ary_push(args->ary, name);
+}
+
+static int
+push_provider(OSSL_PROVIDER *prov, void *cbdata)
+{
+ struct ary_with_state *ary_with_state = (struct ary_with_state *)cbdata;
+ struct rb_push_provider_name_args args = { prov, ary_with_state->ary };
+
+ rb_protect(rb_push_provider_name, (VALUE)&args, &ary_with_state->state);
+ if (ary_with_state->state) {
+ return 0;
+ } else {
+ return 1;
+ }
+}
+
+/*
+ * call-seq:
+ * OpenSSL::Provider.provider_names -> [provider_name, ...]
+ *
+ * Returns an array of currently loaded provider names.
+ */
+static VALUE
+ossl_provider_s_provider_names(VALUE klass)
+{
+ VALUE ary = rb_ary_new();
+ struct ary_with_state cbdata = { ary, 0 };
+
+ int result = OSSL_PROVIDER_do_all(NULL, &push_provider, (void*)&cbdata);
+ if (result != 1 ) {
+ if (cbdata.state) {
+ rb_jump_tag(cbdata.state);
+ } else {
+ ossl_raise(eProviderError, "Failed to load provider names");
+ }
+ }
+
+ return ary;
+}
+
+/*
+ * call-seq:
+ * provider.unload -> true
+ *
+ * This method unloads this provider.
+ *
+ * if provider unload fails or already unloaded, it raises OpenSSL::Provider::ProviderError
+ */
+static VALUE
+ossl_provider_unload(VALUE self)
+{
+ OSSL_PROVIDER *prov;
+ if (RTYPEDDATA_DATA(self) == NULL) {
+ ossl_raise(eProviderError, "Provider already unloaded.");
+ }
+ GetProvider(self, prov);
+
+ int result = OSSL_PROVIDER_unload(prov);
+
+ if (result != 1) {
+ ossl_raise(eProviderError, "Failed to unload provider");
+ }
+ RTYPEDDATA_DATA(self) = NULL;
+ return Qtrue;
+}
+
+/*
+ * call-seq:
+ * provider.name -> string
+ *
+ * Get the name of this provider.
+ *
+ * if this provider is already unloaded, it raises OpenSSL::Provider::ProviderError
+ */
+static VALUE
+ossl_provider_get_name(VALUE self)
+{
+ OSSL_PROVIDER *prov;
+ if (RTYPEDDATA_DATA(self) == NULL) {
+ ossl_raise(eProviderError, "Provider already unloaded.");
+ }
+ GetProvider(self, prov);
+
+ return rb_str_new2(OSSL_PROVIDER_get0_name(prov));
+}
+
+/*
+ * call-seq:
+ * provider.inspect -> string
+ *
+ * Pretty prints this provider.
+ */
+static VALUE
+ossl_provider_inspect(VALUE self)
+{
+ OSSL_PROVIDER *prov;
+ if (RTYPEDDATA_DATA(self) == NULL ) {
+ return rb_sprintf("#<%"PRIsVALUE" unloaded provider>", rb_obj_class(self));
+ }
+ GetProvider(self, prov);
+
+ return rb_sprintf("#<%"PRIsVALUE" name=\"%s\">",
+ rb_obj_class(self), OSSL_PROVIDER_get0_name(prov));
+}
+
+void
+Init_ossl_provider(void)
+{
+#if 0
+ mOSSL = rb_define_module("OpenSSL");
+ eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
+ cProvider = rb_define_class_under(mOSSL, "Provider", rb_cObject);
+ eProviderError = rb_define_class_under(cProvider, "ProviderError", eOSSLError);
+
+ rb_undef_alloc_func(cProvider);
+ rb_define_singleton_method(cProvider, "load", ossl_provider_s_load, 1);
+ rb_define_singleton_method(cProvider, "provider_names", ossl_provider_s_provider_names, 0);
+
+ rb_define_method(cProvider, "unload", ossl_provider_unload, 0);
+ rb_define_method(cProvider, "name", ossl_provider_get_name, 0);
+ rb_define_method(cProvider, "inspect", ossl_provider_inspect, 0);
+}
+#else
+void
+Init_ossl_provider(void)
+{
+}
+#endif
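Review bot: ossl_provider_s_load calls OSSL_PROVIDER_load before `obj = NewProvider(klass);`, so if wrapping the object raises (for example on allocation failure) the provider stays loaded with no Ruby object left to unload it. Allocating first avoids that: `obj = NewProvider(klass);`, then `provider = OSSL_PROVIDER_load(NULL, provider_name_ptr);`, then `SetProvider(obj, provider);`. ossl_provider_type also registers no free function, so a Provider that is garbage-collected without #unload appears to stay loaded for the life of the process. If that is intended, the Document-class comment should say so.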
diff --git a/ext/openssl/ossl_provider.h b/ext/openssl/ossl_provider.h
new file mode 100644
index 0000000000..1d69cb1e44
--- /dev/null
+++ b/ext/openssl/ossl_provider.h
@@ -0,0 +1,5 @@
+#if !defined(OSSL_PROVIDER_H)
+#define OSSL_PROVIDER_H
+
+void Init_ossl_provider(void);
+#endif
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index c38142bfcc..9f374b65ff 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -11,11 +11,15 @@
*/
#include "ossl.h"
+#ifndef OPENSSL_NO_SOCK
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
+#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL
+# define OSSL_USE_NEXTPROTONEG
+#endif
+
#if !defined(TLS1_3_VERSION) && \
- defined(LIBRESSL_VERSION_NUMBER) && \
- LIBRESSL_VERSION_NUMBER >= 0x3020000fL
+ OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
# define TLS1_3_VERSION 0x0304
#endif
@@ -30,7 +34,6 @@
} while (0)
VALUE mSSL;
-static VALUE mSSLExtConfig;
static VALUE eSSLError;
VALUE cSSLContext;
VALUE cSSLSocket;
@@ -39,7 +42,7 @@ static VALUE eSSLErrorWaitReadable;
static VALUE eSSLErrorWaitWritable;
static ID id_call, ID_callback_state, id_tmp_dh_callback,
- id_npn_protocols_encoded;
+ id_npn_protocols_encoded, id_each;
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -49,33 +52,32 @@ static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
- id_i_verify_hostname;
+ id_i_verify_hostname, id_i_keylog_cb;
static ID id_i_io, id_i_context, id_i_hostname;
static int ossl_ssl_ex_vcb_idx;
static int ossl_ssl_ex_ptr_idx;
static int ossl_sslctx_ex_ptr_idx;
-#if !defined(HAVE_X509_STORE_UP_REF)
-static int ossl_sslctx_ex_store_p;
-#endif
static void
-ossl_sslctx_free(void *ptr)
+ossl_sslctx_mark(void *ptr)
{
SSL_CTX *ctx = ptr;
-#if !defined(HAVE_X509_STORE_UP_REF)
- if (ctx && SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_store_p))
- ctx->cert_store = NULL;
-#endif
- SSL_CTX_free(ctx);
+ rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
+}
+
+static void
+ossl_sslctx_free(void *ptr)
+{
+ SSL_CTX_free(ptr);
}
static const rb_data_type_t ossl_sslctx_type = {
"OpenSSL/SSL/CTX",
{
- 0, ossl_sslctx_free,
+ ossl_sslctx_mark, ossl_sslctx_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
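Review bot: `ossl_sslctx_mark` has no comment saying why a context marks its own wrapper object, although `ossl_ssl_mark` later in this diff explains the same pattern. The value kept in ex_data is a raw `VALUE`, so the mark call presumably exists to pin the wrapper against GC compaction rather than to keep it alive. A line such as `/* ex_data holds self as a raw pointer; marking pins it so compaction cannot move it */` above the `rb_gc_mark` call would make that explicit. It would also help justify adding `RUBY_TYPED_WB_PROTECTED` to `ossl_sslctx_type`, which is only sound if no other Ruby reference is stored behind the struct without a write barrier.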
@@ -89,7 +91,7 @@ ossl_sslctx_s_alloc(VALUE klass)
VALUE obj;
obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
ctx = SSL_CTX_new(TLS_method());
#else
ctx = SSL_CTX_new(SSLv23_method());
@@ -101,14 +103,15 @@ ossl_sslctx_s_alloc(VALUE klass)
RTYPEDDATA_DATA(obj) = ctx;
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
-#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
+#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
+ !defined(LIBRESSL_VERSION_NUMBER)
/* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
* allows to specify multiple curve names and OpenSSL will select
* automatically from them. In OpenSSL 1.0.2, the automatic selection has to
- * be enabled explicitly. But OpenSSL 1.1.0 removed the knob and it is
- * always enabled. To uniform the behavior, we enable the automatic
- * selection also in 1.0.2. Users can still disable ECDH by removing ECDH
- * cipher suites by SSLContext#ciphers=. */
+ * be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
+ * and it is always enabled. To uniform the behavior, we enable the
+ * automatic selection also in 1.0.2. Users can still disable ECDH by
+ * removing ECDH cipher suites by SSLContext#ciphers=. */
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
#endif
@@ -246,22 +249,23 @@ struct tmp_dh_callback_args {
int keylength;
};
-static EVP_PKEY *
-ossl_call_tmp_dh_callback(struct tmp_dh_callback_args *args)
+static VALUE
+ossl_call_tmp_dh_callback(VALUE arg)
{
+ struct tmp_dh_callback_args *args = (struct tmp_dh_callback_args *)arg;
VALUE cb, dh;
EVP_PKEY *pkey;
cb = rb_funcall(args->ssl_obj, args->id, 0);
if (NIL_P(cb))
- return NULL;
+ return (VALUE)NULL;
dh = rb_funcall(cb, id_call, 3, args->ssl_obj, INT2NUM(args->is_export),
INT2NUM(args->keylength));
pkey = GetPKeyPtr(dh);
if (EVP_PKEY_base_id(pkey) != args->type)
- return NULL;
+ return (VALUE)NULL;
- return pkey;
+ return (VALUE)pkey;
}
#endif
@@ -281,7 +285,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
args.keylength = keylength;
args.type = EVP_PKEY_DH;
- pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
+ pkey = (EVP_PKEY *)rb_protect(ossl_call_tmp_dh_callback,
(VALUE)&args, &state);
if (state) {
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
@@ -290,7 +294,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
if (!pkey)
return NULL;
- return EVP_PKEY_get0_DH(pkey);
+ return (DH *)EVP_PKEY_get0_DH(pkey);
}
#endif /* OPENSSL_NO_DH */
@@ -363,7 +367,7 @@ ossl_call_session_get_cb(VALUE ary)
}
static SSL_SESSION *
-#if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f)
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
#else
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
@@ -440,6 +444,54 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
+ */
+
+struct ossl_call_keylog_cb_args {
+ VALUE ssl_obj;
+ const char * line;
+};
+
+static VALUE
+ossl_call_keylog_cb(VALUE args_v)
+{
+ VALUE sslctx_obj, cb, line_v;
+ struct ossl_call_keylog_cb_args *args = (struct ossl_call_keylog_cb_args *) args_v;
+
+ sslctx_obj = rb_attr_get(args->ssl_obj, id_i_context);
+
+ cb = rb_attr_get(sslctx_obj, id_i_keylog_cb);
+ if (NIL_P(cb)) return Qnil;
+
+ line_v = rb_str_new_cstr(args->line);
+
+ return rb_funcall(cb, id_call, 2, args->ssl_obj, line_v);
+}
+
+static void
+ossl_sslctx_keylog_cb(const SSL *ssl, const char *line)
+{
+ VALUE ssl_obj;
+ struct ossl_call_keylog_cb_args args;
+ int state = 0;
+
+ OSSL_Debug("SSL keylog callback entered");
+
+ ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+ args.ssl_obj = ssl_obj;
+ args.line = line;
+
+ rb_protect(ossl_call_keylog_cb, (VALUE)&args, &state);
+ if (state) {
+ rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
+ }
+}
+#endif
+
static VALUE
ossl_call_session_remove_cb(VALUE ary)
{
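Review bot: Neither `ossl_call_keylog_cb` nor `ossl_sslctx_keylog_cb` documents that `line` carries the connection's TLS secrets in NSS key log format. `rb_str_new_cstr(args->line)` copies those secrets into an ordinary Ruby String, which is handed to user code and is not zeroized when collected. I would add `/* line contains session secrets (NSS key log format); the Ruby copy is not wiped, so keylog_cb is for debugging only */` above the `rb_str_new_cstr` call. The same caveat belongs next to the `SSL_CTX_set_keylog_callback` registration in the `ossl_sslctx_setup` hunk, so that anyone enabling the callback knows that whoever can read its output can decrypt the captured traffic.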
@@ -572,8 +624,6 @@ ssl_renegotiation_cb(const SSL *ssl)
rb_funcallv(cb, id_call, 1, &ssl_obj);
}
-#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
- defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
static VALUE
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
{
@@ -592,7 +642,7 @@ static VALUE
ssl_encode_npn_protocols(VALUE protocols)
{
VALUE encoded = rb_str_new(NULL, 0);
- rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
+ rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
return encoded;
}
@@ -655,14 +705,13 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
return SSL_TLSEXT_ERR_OK;
}
-#endif
-#ifndef OPENSSL_NO_NEXTPROTONEG
+#ifdef OSSL_USE_NEXTPROTONEG
static int
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
void *arg)
{
- VALUE protocols = (VALUE)arg;
+ VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
*out = (const unsigned char *) RSTRING_PTR(protocols);
*outlen = RSTRING_LENINT(protocols);
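Review bot: `ssl_npn_advertise_cb` now assumes `id_npn_protocols_encoded` is always set on the context, because `rb_attr_get` returns nil for a missing instance variable and `RSTRING_PTR`/`RSTRING_LENINT` are applied to the result unchecked. The `ossl_sslctx_setup` hunk further down does set the variable just before registering the callback with `(void *)self`, so this holds today, but the dependency is undocumented. I would add `/* set by ossl_sslctx_setup() before this callback is registered; self is passed rather than the String so the reference stays valid under GC compaction */` above the lookup; the compaction rationale is my reading of the change and should be confirmed. The function body continues past the end of the hunk.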
@@ -684,7 +733,6 @@ ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
}
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
static int
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg)
@@ -696,7 +744,6 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
}
-#endif
/* This function may serve as the entry point to support further callbacks. */
static void
@@ -781,17 +828,7 @@ ossl_sslctx_setup(VALUE self)
if (!NIL_P(val)) {
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
SSL_CTX_set_cert_store(ctx, store);
-#if !defined(HAVE_X509_STORE_UP_REF)
- /*
- * WORKAROUND:
- * X509_STORE can count references, but
- * X509_STORE_free() doesn't care it.
- * So we won't increment it but mark it by ex_data.
- */
- SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx);
-#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
X509_STORE_up_ref(store);
-#endif
}
val = rb_attr_get(self, id_i_extra_chain_cert);
@@ -842,10 +879,17 @@ ossl_sslctx_setup(VALUE self)
ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
val = rb_attr_get(self, id_i_ca_path);
ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
- if(ca_file || ca_path){
- if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
- rb_warning("can't set verify locations");
+#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
+ if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
+ ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
+ if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
+ ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
+#else
+ if (ca_file || ca_path) {
+ if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
+ ossl_raise(eSSLError, "SSL_CTX_load_verify_locations");
}
+#endif
val = rb_attr_get(self, id_i_verify_mode);
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
@@ -859,12 +903,12 @@ ossl_sslctx_setup(VALUE self)
val = rb_attr_get(self, id_i_verify_depth);
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
-#ifndef OPENSSL_NO_NEXTPROTONEG
+#ifdef OSSL_USE_NEXTPROTONEG
val = rb_attr_get(self, id_i_npn_protocols);
if (!NIL_P(val)) {
VALUE encoded = ssl_encode_npn_protocols(val);
rb_ivar_set(self, id_npn_protocols_encoded, encoded);
- SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
+ SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
OSSL_Debug("SSL NPN advertise callback added");
}
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
@@ -873,7 +917,6 @@ ossl_sslctx_setup(VALUE self)
}
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
val = rb_attr_get(self, id_i_alpn_protocols);
if (!NIL_P(val)) {
VALUE rprotos = ssl_encode_npn_protocols(val);
@@ -888,7 +931,6 @@ ossl_sslctx_setup(VALUE self)
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
OSSL_Debug("SSL ALPN select callback added");
}
-#endif
rb_obj_freeze(self);
@@ -920,6 +962,18 @@ ossl_sslctx_setup(VALUE self)
OSSL_Debug("SSL TLSEXT servername callback added");
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
+ */
+ if (RTEST(rb_attr_get(self, id_i_keylog_cb))) {
+ SSL_CTX_set_keylog_callback(ctx, ossl_sslctx_keylog_cb);
+ OSSL_Debug("SSL keylog callback added");
+ }
+#endif
+
return Qtrue;
}
@@ -968,27 +1022,13 @@ ossl_sslctx_get_ciphers(VALUE self)
return ary;
}
-/*
- * call-seq:
- * ctx.ciphers = "cipher1:cipher2:..."
- * ctx.ciphers = [name, ...]
- * ctx.ciphers = [[name, version, bits, alg_bits], ...]
- *
- * Sets the list of available cipher suites for this context. Note in a server
- * context some ciphers require the appropriate certificates. For example, an
- * RSA cipher suite can only be chosen when an RSA certificate is available.
- */
static VALUE
-ossl_sslctx_set_ciphers(VALUE self, VALUE v)
+build_cipher_string(VALUE v)
{
- SSL_CTX *ctx;
VALUE str, elem;
int i;
- rb_check_frozen(self);
- if (NIL_P(v))
- return v;
- else if (RB_TYPE_P(v, T_ARRAY)) {
+ if (RB_TYPE_P(v, T_ARRAY)) {
str = rb_str_new(0, 0);
for (i = 0; i < RARRAY_LEN(v); i++) {
elem = rb_ary_entry(v, i);
@@ -1002,14 +1042,113 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
StringValue(str);
}
+ return str;
+}
+
+/*
+ * call-seq:
+ * ctx.ciphers = "cipher1:cipher2:..."
+ * ctx.ciphers = [name, ...]
+ * ctx.ciphers = [[name, version, bits, alg_bits], ...]
+ *
+ * Sets the list of available cipher suites for this context. Note in a server
+ * context some ciphers require the appropriate certificates. For example, an
+ * RSA cipher suite can only be chosen when an RSA certificate is available.
+ */
+static VALUE
+ossl_sslctx_set_ciphers(VALUE self, VALUE v)
+{
+ SSL_CTX *ctx;
+ VALUE str;
+
+ rb_check_frozen(self);
+ if (NIL_P(v))
+ return v;
+
+ str = build_cipher_string(v);
+
GetSSLCTX(self, ctx);
- if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str))) {
+ if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
- }
return v;
}
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+/*
+ * call-seq:
+ * ctx.ciphersuites = "cipher1:cipher2:..."
+ * ctx.ciphersuites = [name, ...]
+ * ctx.ciphersuites = [[name, version, bits, alg_bits], ...]
+ *
+ * Sets the list of available TLSv1.3 cipher suites for this context.
+ */
+static VALUE
+ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
+{
+ SSL_CTX *ctx;
+ VALUE str;
+
+ rb_check_frozen(self);
+ if (NIL_P(v))
+ return v;
+
+ str = build_cipher_string(v);
+
+ GetSSLCTX(self, ctx);
+ if (!SSL_CTX_set_ciphersuites(ctx, StringValueCStr(str)))
+ ossl_raise(eSSLError, "SSL_CTX_set_ciphersuites");
+
+ return v;
+}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/*
+ * call-seq:
+ * ctx.tmp_dh = pkey
+ *
+ * Sets DH parameters used for ephemeral DH key exchange. This is relevant for
+ * servers only.
+ *
+ * +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components
+ * contained in the key object, if any, are ignored. The server will always
+ * generate a new key pair for each handshake.
+ *
+ * Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).
+ *
+ * Example:
+ * ctx = OpenSSL::SSL::SSLContext.new
+ * ctx.tmp_dh = OpenSSL::DH.generate(2048)
+ * svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx)
+ * Thread.new { svr.accept }
+ */
+static VALUE
+ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg)
+{
+ SSL_CTX *ctx;
+ EVP_PKEY *pkey;
+
+ rb_check_frozen(self);
+ GetSSLCTX(self, ctx);
+ pkey = GetPKeyPtr(arg);
+
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH)
+ rb_raise(eSSLError, "invalid pkey type %s (expected DH)",
+ OBJ_nid2sn(EVP_PKEY_base_id(pkey)));
+#ifdef HAVE_SSL_SET0_TMP_DH_PKEY
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
+ ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey");
+ EVP_PKEY_up_ref(pkey);
+#else
+ if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey)))
+ ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh");
+#endif
+
+ return arg;
+}
+#endif
+
#if !defined(OPENSSL_NO_EC)
/*
* call-seq:
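Review bot: In `ossl_sslctx_set_tmp_dh`, calling `SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)` and then `EVP_PKEY_up_ref(pkey)` is correct but easy to misread as a leak or a double free, and the result of `EVP_PKEY_up_ref` is not checked. A set0 call takes over the caller's reference on success, so the up_ref is what restores the reference owned by the Ruby wrapper. A comment such as `/* set0 consumed one reference; restore the one owned by the Ruby object */` would record that. The `#else` branch passes a borrowed `DH *` and takes no reference, which as far as I know is right because `SSL_CTX_set_tmp_dh` does not take ownership; a matching one-line remark there would keep the two branches comparable.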
@@ -1021,9 +1160,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
* Extension. For a server, the list is used by OpenSSL to determine the set of
* shared curves. OpenSSL will pick the most appropriate one from it.
*
- * Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
- * can be set, and this has no effect for TLS clients.
- *
* === Example
* ctx1 = OpenSSL::SSL::SSLContext.new
* ctx1.ecdh_curves = "X25519:P-256:P-224"
@@ -1047,48 +1183,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
GetSSLCTX(self, ctx);
StringValueCStr(arg);
-#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
ossl_raise(eSSLError, NULL);
-#else
- /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
- * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
- {
- VALUE curve, splitted;
- EC_KEY *ec;
- int nid;
-
- splitted = rb_str_split(arg, ":");
- if (!RARRAY_LEN(splitted))
- ossl_raise(eSSLError, "invalid input format");
- curve = RARRAY_AREF(splitted, 0);
- StringValueCStr(curve);
-
- /* SSL_CTX_set1_curves_list() accepts NIST names */
- nid = EC_curve_nist2nid(RSTRING_PTR(curve));
- if (nid == NID_undef)
- nid = OBJ_txt2nid(RSTRING_PTR(curve));
- if (nid == NID_undef)
- ossl_raise(eSSLError, "unknown curve name");
-
- ec = EC_KEY_new_by_curve_name(nid);
- if (!ec)
- ossl_raise(eSSLError, NULL);
- EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
- if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
- EC_KEY_free(ec);
- ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
- }
- EC_KEY_free(ec);
-# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
- /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
- * is enabled. So disable ecdh_auto. */
- if (!SSL_CTX_set_ecdh_auto(ctx, 0))
- ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
-# endif
- }
-#endif
-
return arg;
}
#else
@@ -1179,7 +1275,7 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
/*
* call-seq:
- * ctx.add_certificate(certiticate, pkey [, extra_certs]) -> self
+ * ctx.add_certificate(certificate, pkey [, extra_certs]) -> self
*
* Adds a certificate to the context. _pkey_ must be a corresponding private
* key with _certificate_.
@@ -1211,10 +1307,6 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
* ecdsa_pkey = ...
* another_ca_cert = ...
* ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
- *
- * === Note
- * OpenSSL before the version 1.0.2 could handle only one extra chain across
- * all key types. Calling this method discards the chain set previously.
*/
static VALUE
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
@@ -1239,7 +1331,7 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
EVP_PKEY_free(pub_pkey);
if (!pub_pkey)
rb_raise(rb_eArgError, "certificate does not contain public key");
- if (EVP_PKEY_cmp(pub_pkey, pkey) != 1)
+ if (EVP_PKEY_eq(pub_pkey, pkey) != 1)
rb_raise(rb_eArgError, "public key mismatch");
if (argc >= 3)
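Review bot: `pub_pkey` is passed to `EVP_PKEY_eq()` two statements after `EVP_PKEY_free(pub_pkey)`, which reads as a use-after-free. The assignment to `pub_pkey` is outside the hunk; if it comes from a getter that returns an extra reference to the key cached in the certificate, the free only drops that extra reference and the pointer stays valid while the certificate is alive. Freeing early also avoids a leak when `rb_raise` unwinds. That reasoning should be written down, for example `/* drops only the extra reference; the certificate still owns the key, so pub_pkey stays valid below */` above the free. Otherwise the next edit to this function can turn it into a real dangling read.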
@@ -1253,34 +1345,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
sk_X509_pop_free(extra_chain, X509_free);
ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
}
-
- if (extra_chain) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000 && !defined(LIBRESSL_VERSION_NUMBER)
- if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
- sk_X509_pop_free(extra_chain, X509_free);
- ossl_raise(eSSLError, "SSL_CTX_set0_chain");
- }
-#else
- STACK_OF(X509) *orig_extra_chain;
- X509 *x509_tmp;
-
- /* First, clear the existing chain */
- SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
- if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
- rb_warning("SSL_CTX_set0_chain() is not available; " \
- "clearing previously set certificate chain");
- SSL_CTX_clear_extra_chain_certs(ctx);
- }
- while ((x509_tmp = sk_X509_shift(extra_chain))) {
- /* Transfers ownership */
- if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
- X509_free(x509_tmp);
- sk_X509_pop_free(extra_chain, X509_free);
- ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
- }
- }
- sk_X509_free(extra_chain);
-#endif
+ if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) {
+ sk_X509_pop_free(extra_chain, X509_free);
+ ossl_raise(eSSLError, "SSL_CTX_set0_chain");
}
return self;
}
@@ -1474,12 +1541,23 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
/*
* SSLSocket class
*/
-#ifndef OPENSSL_NO_SOCK
static inline int
ssl_started(SSL *ssl)
{
- /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
- return SSL_get_fd(ssl) >= 0;
+ /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
+ return SSL_get_rbio(ssl) != NULL;
+}
+
+static void
+ossl_ssl_mark(void *ptr)
+{
+ SSL *ssl = ptr;
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
+
+ // Note: this reference is stored as @verify_callback so we don't need to mark it.
+ // However we do need to ensure GC compaction won't move it, hence why
+ // we call rb_gc_mark here.
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
}
static void
@@ -1491,9 +1569,9 @@ ossl_ssl_free(void *ssl)
const rb_data_type_t ossl_ssl_type = {
"OpenSSL/SSL",
{
- 0, ossl_ssl_free,
+ ossl_ssl_mark, ossl_ssl_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -1502,6 +1580,29 @@ ossl_ssl_s_alloc(VALUE klass)
return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL);
}
+static VALUE
+peer_ip_address(VALUE self)
+{
+ VALUE remote_address = rb_funcall(rb_attr_get(self, id_i_io), rb_intern("remote_address"), 0);
+
+ return rb_funcall(remote_address, rb_intern("inspect_sockaddr"), 0);
+}
+
+static VALUE
+fallback_peer_ip_address(VALUE self, VALUE args)
+{
+ return rb_str_new_cstr("(null)");
+}
+
+static VALUE
+peeraddr_ip_str(VALUE self)
+{
+ VALUE rb_mErrno = rb_const_get(rb_cObject, rb_intern("Errno"));
+ VALUE rb_eSystemCallError = rb_const_get(rb_mErrno, rb_intern("SystemCallError"));
+
+ return rb_rescue2(peer_ip_address, self, fallback_peer_ip_address, (VALUE)0, rb_eSystemCallError, NULL);
+}
+
/*
* call-seq:
* SSLSocket.new(io) => aSSLSocket
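Review bot: `peeraddr_ip_str` rescues only `SystemCallError`, but `peer_ip_address` calls `remote_address` on whatever IO was given, and the next hunk only requires `T_FILE`. As far as these hunks show, a handshake failure on a non-socket IO would therefore surface as `NoMethodError` from the error-formatting path instead of the intended `SSLError`. Rescuing more broadly fixes that: `rb_rescue2(peer_ip_address, self, fallback_peer_ip_address, (VALUE)0, rb_eStandardError, (VALUE)0)`. That form also terminates the variadic list with a `VALUE` rather than `NULL`. Separately, the locals `rb_mErrno` and `rb_eSystemCallError` shadow the globals of the same name that ruby.h already exports, so the two `rb_const_get` lookups can be dropped.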
@@ -1538,6 +1639,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
if (rb_respond_to(io, rb_intern("nonblock=")))
rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
+ Check_Type(io, T_FILE);
rb_ivar_set(self, id_i_io, io);
ssl = SSL_new(ctx);
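Review bot: `Check_Type(io, T_FILE)` runs after `nonblock=` has already been invoked on `io`, so an object that is not an IO still has a method called on it before it is rejected. Moving the check above the `rb_respond_to(io, rb_intern("nonblock="))` test validates the argument before any side effect. The call-seq comment for `SSLSocket.new` should also state that only real IO objects are accepted now, since the check excludes duck-typed IO-like objects. `ossl_ssl_initialize` starts and ends outside this hunk.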
@@ -1548,6 +1650,8 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void *)self);
SSL_set_info_callback(ssl, ssl_info_cb);
verify_cb = rb_attr_get(v_ctx, id_i_verify_callback);
+ // We don't need to trigger a write barrier because it's already
+ // an instance variable of this object.
SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)verify_cb);
rb_call_super(0, NULL);
@@ -1555,6 +1659,17 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+#ifndef HAVE_RB_IO_DESCRIPTOR
+static int
+io_descriptor_fallback(VALUE io)
+{
+ rb_io_t *fptr;
+ GetOpenFile(io, fptr);
+ return fptr->fd;
+}
+#define rb_io_descriptor io_descriptor_fallback
+#endif
+
static VALUE
ossl_ssl_setup(VALUE self)
{
@@ -1570,8 +1685,8 @@ ossl_ssl_setup(VALUE self)
GetOpenFile(io, fptr);
rb_io_check_readable(fptr);
rb_io_check_writable(fptr);
- if (!SSL_set_fd(ssl, TO_SOCKET(fptr->fd)))
- ossl_raise(eSSLError, "SSL_set_fd");
+ if (!SSL_set_fd(ssl, TO_SOCKET(rb_io_descriptor(io))))
+ ossl_raise(eSSLError, "SSL_set_fd");
return Qtrue;
}
@@ -1605,75 +1720,118 @@ no_exception_p(VALUE opts)
return 0;
}
+// Provided by Ruby 3.2.0 and later in order to support the default IO#timeout.
+#ifndef RUBY_IO_TIMEOUT_DEFAULT
+#define RUBY_IO_TIMEOUT_DEFAULT Qnil
+#endif
+
+#ifdef HAVE_RB_IO_TIMEOUT
+#define IO_TIMEOUT_ERROR rb_eIOTimeoutError
+#else
+#define IO_TIMEOUT_ERROR rb_eIOError
+#endif
+
+
+static void
+io_wait_writable(VALUE io)
+{
+#ifdef HAVE_RB_IO_MAYBE_WAIT
+ if (!rb_io_maybe_wait_writable(errno, io, RUBY_IO_TIMEOUT_DEFAULT)) {
+ rb_raise(IO_TIMEOUT_ERROR, "Timed out while waiting to become writable!");
+ }
+#else
+ rb_io_t *fptr;
+ GetOpenFile(io, fptr);
+ rb_io_wait_writable(fptr->fd);
+#endif
+}
+
+static void
+io_wait_readable(VALUE io)
+{
+#ifdef HAVE_RB_IO_MAYBE_WAIT
+ if (!rb_io_maybe_wait_readable(errno, io, RUBY_IO_TIMEOUT_DEFAULT)) {
+ rb_raise(IO_TIMEOUT_ERROR, "Timed out while waiting to become readable!");
+ }
+#else
+ rb_io_t *fptr;
+ GetOpenFile(io, fptr);
+ rb_io_wait_readable(fptr->fd);
+#endif
+}
+
static VALUE
-ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
+ossl_start_ssl(VALUE self, int (*func)(SSL *), const char *funcname, VALUE opts)
{
SSL *ssl;
- rb_io_t *fptr;
int ret, ret2;
VALUE cb_state;
int nonblock = opts != Qfalse;
-#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
- unsigned long err;
-#endif
rb_ivar_set(self, ID_callback_state, Qnil);
GetSSL(self, ssl);
- GetOpenFile(rb_attr_get(self, id_i_io), fptr);
- for(;;){
- ret = func(ssl);
+ VALUE io = rb_attr_get(self, id_i_io);
+ for (;;) {
+ ret = func(ssl);
- cb_state = rb_attr_get(self, ID_callback_state);
+ cb_state = rb_attr_get(self, ID_callback_state);
if (!NIL_P(cb_state)) {
- /* must cleanup OpenSSL error stack before re-raising */
- ossl_clear_error();
- rb_jump_tag(NUM2INT(cb_state));
- }
+ /* must cleanup OpenSSL error stack before re-raising */
+ ossl_clear_error();
+ rb_jump_tag(NUM2INT(cb_state));
+ }
- if (ret > 0)
- break;
+ if (ret > 0)
+ break;
- switch((ret2 = ssl_get_error(ssl, ret))){
- case SSL_ERROR_WANT_WRITE:
+ switch ((ret2 = ssl_get_error(ssl, ret))) {
+ case SSL_ERROR_WANT_WRITE:
if (no_exception_p(opts)) { return sym_wait_writable; }
write_would_block(nonblock);
- rb_io_wait_writable(fptr->fd);
+ io_wait_writable(io);
continue;
- case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_READ:
if (no_exception_p(opts)) { return sym_wait_readable; }
read_would_block(nonblock);
- rb_io_wait_readable(fptr->fd);
+ io_wait_readable(io);
continue;
- case SSL_ERROR_SYSCALL:
+ case SSL_ERROR_SYSCALL:
#ifdef __APPLE__
/* See ossl_ssl_write_internal() */
if (errno == EPROTOTYPE)
continue;
#endif
- if (errno) rb_sys_fail(funcname);
- ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
+ if (errno) rb_sys_fail(funcname);
+ /* fallthrough */
+ default: {
+ VALUE error_append = Qnil;
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
- case SSL_ERROR_SSL:
- err = ERR_peek_last_error();
- if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
- ERR_GET_REASON(err) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
- const char *err_msg = ERR_reason_error_string(err),
- *verify_msg = X509_verify_cert_error_string(SSL_get_verify_result(ssl));
- if (!err_msg)
- err_msg = "(null)";
- if (!verify_msg)
- verify_msg = "(null)";
- ossl_clear_error(); /* let ossl_raise() not append message */
- ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s: %s (%s)",
- funcname, ret2, errno, SSL_state_string_long(ssl),
- err_msg, verify_msg);
- }
+ unsigned long err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
+ ERR_GET_REASON(err) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+ const char *err_msg = ERR_reason_error_string(err),
+ *verify_msg = X509_verify_cert_error_string(SSL_get_verify_result(ssl));
+ if (!err_msg)
+ err_msg = "(null)";
+ if (!verify_msg)
+ verify_msg = "(null)";
+ ossl_clear_error(); /* let ossl_raise() not append message */
+ error_append = rb_sprintf(": %s (%s)", err_msg, verify_msg);
+ }
#endif
- default:
- ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
- }
+ ossl_raise(eSSLError,
+ "%s%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s%"PRIsVALUE,
+ funcname,
+ ret2 == SSL_ERROR_SYSCALL ? " SYSCALL" : "",
+ ret2,
+ errno,
+ peeraddr_ip_str(self),
+ SSL_state_string_long(ssl),
+ error_append);
+ }
+ }
}
return self;
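Review bot: In the `default:` block of `ossl_start_ssl`, `errno` and `peeraddr_ip_str(self)` are arguments of the same `ossl_raise` call. C leaves their evaluation order unspecified, and `peeraddr_ip_str` calls back into Ruby to query the peer address, which can change `errno`. The `errno=` value in the message may therefore describe the address lookup rather than the failed handshake. Capturing both before the call removes the ambiguity: `int saved_errno = errno;` and `VALUE peeraddr = peeraddr_ip_str(self);`, then pass `saved_errno` and `peeraddr` to `ossl_raise`. The closing brace of the function is outside the hunk.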
@@ -1683,8 +1841,7 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
* call-seq:
* ssl.connect => self
*
- * Initiates an SSL/TLS handshake with a server. The handshake may be started
- * after unencrypted data has been sent over the socket.
+ * Initiates an SSL/TLS handshake with a server.
*/
static VALUE
ossl_ssl_connect(VALUE self)
@@ -1731,8 +1888,7 @@ ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
* call-seq:
* ssl.accept => self
*
- * Waits for a SSL/TLS client to initiate a handshake. The handshake may be
- * started after unencrypted data has been sent over the socket.
+ * Waits for a SSL/TLS client to initiate a handshake.
*/
static VALUE
ossl_ssl_accept(VALUE self)
@@ -1779,16 +1935,18 @@ static VALUE
ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
{
SSL *ssl;
- int ilen, nread = 0;
+ int ilen;
VALUE len, str;
- rb_io_t *fptr;
- VALUE io, opts = Qnil;
+ VALUE opts = Qnil;
if (nonblock) {
rb_scan_args(argc, argv, "11:", &len, &str, &opts);
} else {
rb_scan_args(argc, argv, "11", &len, &str);
}
+ GetSSL(self, ssl);
+ if (!ssl_started(ssl))
+ rb_raise(eSSLError, "SSL session is not started yet");
ilen = NUM2INT(len);
if (NIL_P(str))
@@ -1804,74 +1962,59 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
if (ilen == 0)
return str;
- GetSSL(self, ssl);
- io = rb_attr_get(self, id_i_io);
- GetOpenFile(io, fptr);
- if (ssl_started(ssl)) {
- for (;;){
- nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
- switch(ssl_get_error(ssl, nread)){
- case SSL_ERROR_NONE:
- goto end;
- case SSL_ERROR_ZERO_RETURN:
- if (no_exception_p(opts)) { return Qnil; }
- rb_eof_error();
- case SSL_ERROR_WANT_WRITE:
- if (no_exception_p(opts)) { return sym_wait_writable; }
+ VALUE io = rb_attr_get(self, id_i_io);
+
+ rb_str_locktmp(str);
+ for (;;) {
+ int nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
+ switch (ssl_get_error(ssl, nread)) {
+ case SSL_ERROR_NONE:
+ rb_str_unlocktmp(str);
+ rb_str_set_len(str, nread);
+ return str;
+ case SSL_ERROR_ZERO_RETURN:
+ rb_str_unlocktmp(str);
+ if (no_exception_p(opts)) { return Qnil; }
+ rb_eof_error();
+ case SSL_ERROR_WANT_WRITE:
+ if (nonblock) {
+ rb_str_unlocktmp(str);
+ if (no_exception_p(opts)) { return sym_wait_writable; }
write_would_block(nonblock);
- rb_io_wait_writable(fptr->fd);
- continue;
- case SSL_ERROR_WANT_READ:
- if (no_exception_p(opts)) { return sym_wait_readable; }
+ }
+ io_wait_writable(io);
+ continue;
+ case SSL_ERROR_WANT_READ:
+ if (nonblock) {
+ rb_str_unlocktmp(str);
+ if (no_exception_p(opts)) { return sym_wait_readable; }
read_would_block(nonblock);
- rb_io_wait_readable(fptr->fd);
- continue;
- case SSL_ERROR_SYSCALL:
- if (!ERR_peek_error()) {
- if (errno)
- rb_sys_fail(0);
- else {
- /*
- * The underlying BIO returned 0. This is actually a
- * protocol error. But unfortunately, not all
- * implementations cleanly shutdown the TLS connection
- * but just shutdown/close the TCP connection. So report
- * EOF for now...
- */
- if (no_exception_p(opts)) { return Qnil; }
- rb_eof_error();
- }
- }
- /* fall through */
- default:
- ossl_raise(eSSLError, "SSL_read");
- }
- }
- }
- else {
- ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
-
- rb_warning("SSL session is not started yet.");
-#if defined(RB_PASS_KEYWORDS)
- if (nonblock) {
- VALUE argv[3];
- argv[0] = len;
- argv[1] = str;
- argv[2] = opts;
- return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
- }
-#else
- if (nonblock) {
- return rb_funcall(io, meth, 3, len, str, opts);
+ }
+ io_wait_readable(io);
+ continue;
+ case SSL_ERROR_SYSCALL:
+ if (!ERR_peek_error()) {
+ rb_str_unlocktmp(str);
+ if (errno)
+ rb_sys_fail(0);
+ else {
+ /*
+ * The underlying BIO returned 0. This is actually a
+ * protocol error. But unfortunately, not all
+ * implementations cleanly shutdown the TLS connection
+ * but just shutdown/close the TCP connection. So report
+ * EOF for now...
+ */
+ if (no_exception_p(opts)) { return Qnil; }
+ rb_eof_error();
+ }
+ }
+ /* fall through */
+ default:
+ rb_str_unlocktmp(str);
+ ossl_raise(eSSLError, "SSL_read");
}
-#endif
- else
- return rb_funcall(io, meth, 2, len, str);
}
-
- end:
- rb_str_set_len(str, nread);
- return str;
}
/*
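Review bot: In the blocking path of `ossl_ssl_read_internal`, `io_wait_readable(io)` and `io_wait_writable(io)` are called while `str` is still locked by `rb_str_locktmp`. Both helpers can raise (the timeout `rb_raise` is visible earlier in this diff), and in that case no `rb_str_unlocktmp` runs, leaving the caller's buffer permanently locked against modification. Holding the lock only across the call avoids this: `rb_str_locktmp(str);`, `int nread = SSL_read(ssl, RSTRING_PTR(str), ilen);`, `rb_str_unlocktmp(str);`, with the per-case unlock calls removed. If the buffer can be resized by other code while unlocked during the wait, its length needs to be re-established before the next `SSL_read`; alternatively the whole loop can be run under `rb_ensure` with an unlock callback.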
@@ -1911,77 +2054,55 @@ static VALUE
ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
{
SSL *ssl;
- int nwrite = 0;
rb_io_t *fptr;
- int nonblock = opts != Qfalse;
- VALUE io;
+ int num, nonblock = opts != Qfalse;
+ VALUE tmp;
- StringValue(str);
GetSSL(self, ssl);
- io = rb_attr_get(self, id_i_io);
+ if (!ssl_started(ssl))
+ rb_raise(eSSLError, "SSL session is not started yet");
+
+ tmp = rb_str_new_frozen(StringValue(str));
+ VALUE io = rb_attr_get(self, id_i_io);
GetOpenFile(io, fptr);
- if (ssl_started(ssl)) {
- for (;;){
- int num = RSTRING_LENINT(str);
-
- /* SSL_write(3ssl) manpage states num == 0 is undefined */
- if (num == 0)
- goto end;
-
- nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
- switch(ssl_get_error(ssl, nwrite)){
- case SSL_ERROR_NONE:
- goto end;
- case SSL_ERROR_WANT_WRITE:
- if (no_exception_p(opts)) { return sym_wait_writable; }
- write_would_block(nonblock);
- rb_io_wait_writable(fptr->fd);
- continue;
- case SSL_ERROR_WANT_READ:
- if (no_exception_p(opts)) { return sym_wait_readable; }
- read_would_block(nonblock);
- rb_io_wait_readable(fptr->fd);
- continue;
- case SSL_ERROR_SYSCALL:
+
+ /* SSL_write(3ssl) manpage states num == 0 is undefined */
+ num = RSTRING_LENINT(tmp);
+ if (num == 0)
+ return INT2FIX(0);
+
+ for (;;) {
+ int nwritten = SSL_write(ssl, RSTRING_PTR(tmp), num);
+ switch (ssl_get_error(ssl, nwritten)) {
+ case SSL_ERROR_NONE:
+ return INT2NUM(nwritten);
+ case SSL_ERROR_WANT_WRITE:
+ if (no_exception_p(opts)) { return sym_wait_writable; }
+ write_would_block(nonblock);
+ io_wait_writable(io);
+ continue;
+ case SSL_ERROR_WANT_READ:
+ if (no_exception_p(opts)) { return sym_wait_readable; }
+ read_would_block(nonblock);
+ io_wait_readable(io);
+ continue;
+ case SSL_ERROR_SYSCALL:
#ifdef __APPLE__
- /*
- * It appears that send syscall can return EPROTOTYPE if the
- * socket is being torn down. Retry to get a proper errno to
- * make the error handling in line with the socket library.
- * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
- */
- if (errno == EPROTOTYPE)
- continue;
+ /*
+ * It appears that send syscall can return EPROTOTYPE if the
+ * socket is being torn down. Retry to get a proper errno to
+ * make the error handling in line with the socket library.
+ * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
+ */
+ if (errno == EPROTOTYPE)
+ continue;
#endif
- if (errno) rb_sys_fail(0);
- default:
- ossl_raise(eSSLError, "SSL_write");
- }
+ if (errno) rb_sys_fail(0);
+ /* fallthrough */
+ default:
+ ossl_raise(eSSLError, "SSL_write");
}
}
- else {
- ID meth = nonblock ?
- rb_intern("write_nonblock") : rb_intern("syswrite");
-
- rb_warning("SSL session is not started yet.");
-#if defined(RB_PASS_KEYWORDS)
- if (nonblock) {
- VALUE argv[2];
- argv[0] = str;
- argv[1] = opts;
- return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
- }
-#else
- if (nonblock) {
- return rb_funcall(io, meth, 2, str, opts);
- }
-#endif
- else
- return rb_funcall(io, meth, 1, str);
- }
-
- end:
- return INT2NUM(nwrite);
}
/*
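Review bot: The frozen copy taken with `rb_str_new_frozen(StringValue(str))` in ossl_ssl_write_internal has no comment saying why it exists, so a later cleanup could easily drop it. `io_wait_writable(io)` and `io_wait_readable(io)` presumably let other Ruby code run, and a retried SSL_write() has to be given the same data, so the caller's string must not change between loop iterations. I would add above that line `/* Snapshot the data: a retried SSL_write() must see the same bytes even if str is modified while we wait */`. The `ssl_started()` check also deserves a line noting that the removed fallback, which handed `str` straight to the underlying IO's `syswrite`/`write_nonblock`, is gone on purpose.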
@@ -2356,7 +2477,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
return ossl_x509name_sk2ary(ca);
}
-# ifndef OPENSSL_NO_NEXTPROTONEG
+# ifdef OSSL_USE_NEXTPROTONEG
/*
* call-seq:
* ssl.npn_protocol => String | nil
@@ -2381,7 +2502,6 @@ ossl_ssl_npn_protocol(VALUE self)
}
# endif
-# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* call-seq:
* ssl.alpn_protocol => String | nil
@@ -2404,9 +2524,50 @@ ossl_ssl_alpn_protocol(VALUE self)
else
return rb_str_new((const char *) out, outlen);
}
-# endif
-# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
+/*
+ * call-seq:
+ * session.export_keying_material(label, length) -> String
+ *
+ * Enables use of shared session key material in accordance with RFC 5705.
+ */
+static VALUE
+ossl_ssl_export_keying_material(int argc, VALUE *argv, VALUE self)
+{
+ SSL *ssl;
+ VALUE str;
+ VALUE label;
+ VALUE length;
+ VALUE context;
+ unsigned char *p;
+ size_t len;
+ int use_ctx = 0;
+ unsigned char *ctx = NULL;
+ size_t ctx_len = 0;
+ int ret;
+
+ rb_scan_args(argc, argv, "21", &label, &length, &context);
+ StringValue(label);
+
+ GetSSL(self, ssl);
+
+ len = (size_t)NUM2LONG(length);
+ str = rb_str_new(0, len);
+ p = (unsigned char *)RSTRING_PTR(str);
+ if (!NIL_P(context)) {
+ use_ctx = 1;
+ StringValue(context);
+ ctx = (unsigned char *)RSTRING_PTR(context);
+ ctx_len = RSTRING_LEN(context);
+ }
+ ret = SSL_export_keying_material(ssl, p, len, (char *)RSTRING_PTR(label),
+ RSTRING_LENINT(label), ctx, ctx_len, use_ctx);
+ if (ret == 0 || ret == -1) {
+ ossl_raise(eSSLError, "SSL_export_keying_material");
+ }
+ return str;
+}
+
/*
* call-seq:
* ssl.tmp_key => PKey or nil
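Review bot: `len = (size_t)NUM2LONG(length);` in ossl_ssl_export_keying_material has no range check, so a negative `length` becomes a huge size_t and is only rejected, if at all, by whatever `rb_str_new` does with the value converted back to long. An explicit guard is clearer: `long n = NUM2LONG(length);` then `if (n < 0) rb_raise(rb_eArgError, "length must be non-negative");` then `len = (size_t)n;`. The call-seq is also off: the method is registered on SSLSocket and takes an optional third `context` argument, so it should read `ssl.export_keying_material(label, length, context = nil) -> String`. The text should also say that the returned string is secret key material.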
@@ -2424,7 +2585,6 @@ ossl_ssl_tmp_key(VALUE self)
return Qnil;
return ossl_pkey_new(key);
}
-# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
void
@@ -2437,6 +2597,7 @@ Init_ossl_ssl(void)
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
#endif
+#ifndef OPENSSL_NO_SOCK
id_call = rb_intern_const("call");
ID_callback_state = rb_intern_const("callback_state");
@@ -2449,11 +2610,6 @@ Init_ossl_ssl(void)
ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0);
if (ossl_sslctx_ex_ptr_idx < 0)
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
-#if !defined(HAVE_X509_STORE_UP_REF)
- ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0);
- if (ossl_sslctx_ex_store_p < 0)
- ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
-#endif
/* Document-module: OpenSSL::SSL
*
@@ -2464,16 +2620,6 @@ Init_ossl_ssl(void)
*/
mSSL = rb_define_module_under(mOSSL, "SSL");
- /* Document-module: OpenSSL::ExtConfig
- *
- * This module contains configuration information about the SSL extension,
- * for example if socket support is enabled, or the host name TLS extension
- * is enabled. Constants in this module will always be defined, but contain
- * +true+ or +false+ values depending on the configuration of your OpenSSL
- * installation.
- */
- mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig");
-
/* Document-class: OpenSSL::SSL::SSLError
*
* Generic error class raised by SSLSocket and SSLContext.
@@ -2636,8 +2782,6 @@ Init_ossl_ssl(void)
*/
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
- rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
-
/*
* A callback invoked whenever a new handshake is initiated on an
* established connection. May be used to disable renegotiation entirely.
@@ -2658,7 +2802,7 @@ Init_ossl_ssl(void)
* end
*/
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
-#ifndef OPENSSL_NO_NEXTPROTONEG
+#ifdef OSSL_USE_NEXTPROTONEG
/*
* An Enumerable of Strings. Each String represents a protocol to be
* advertised as the list of supported protocols for Next Protocol
@@ -2690,7 +2834,6 @@ Init_ossl_ssl(void)
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* An Enumerable of Strings. Each String represents a protocol to be
* advertised as the list of supported protocols for Application-Layer
@@ -2720,7 +2863,29 @@ Init_ossl_ssl(void)
* end
*/
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
-#endif
+
+ /*
+ * A callback invoked when TLS key material is generated or received, in
+ * order to allow applications to store this keying material for debugging
+ * purposes.
+ *
+ * The callback is invoked with an SSLSocket and a string containing the
+ * key material in the format used by NSS for its SSLKEYLOGFILE debugging
+ * output.
+ *
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
+ *
+ * === Example
+ *
+ * context.keylog_cb = proc do |_sock, line|
+ * File.open('ssl_keylog_file', "a") do |f|
+ * f.write("#{line}\n")
+ * end
+ * end
+ */
+ rb_attr(cSSLContext, rb_intern_const("keylog_cb"), 1, 1, Qfalse);
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
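Review bot: The rdoc for `keylog_cb` never says that each line passed to the callback is enough to decrypt a recorded session, and the example appends those lines to `ssl_keylog_file` in the working directory with default permissions. I would add a sentence such as `The lines contain session secrets; enable this only while debugging and keep the file readable by its owner only.` The example should open the file with an explicit mode, `File.open('ssl_keylog_file', "a", 0600) do |f|`.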
@@ -2728,6 +2893,12 @@ Init_ossl_ssl(void)
ossl_sslctx_set_minmax_proto_version, 2);
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
+#endif
+#ifndef OPENSSL_NO_DH
+ rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
+#endif
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
@@ -2801,11 +2972,6 @@ Init_ossl_ssl(void)
* Document-class: OpenSSL::SSL::SSLSocket
*/
cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
-#ifdef OPENSSL_NO_SOCK
- rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue);
- rb_define_method(cSSLSocket, "initialize", rb_f_notimplement, -1);
-#else
- rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
rb_undef_method(cSSLSocket, "initialize_copy");
@@ -2834,16 +3000,12 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
-# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
-# endif
-# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
-# endif
-# ifndef OPENSSL_NO_NEXTPROTONEG
+ rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
+# ifdef OSSL_USE_NEXTPROTONEG
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
# endif
-#endif
rb_define_const(mSSL, "VERIFY_NONE", INT2NUM(SSL_VERIFY_NONE));
rb_define_const(mSSL, "VERIFY_PEER", INT2NUM(SSL_VERIFY_PEER));
@@ -2851,12 +3013,23 @@ Init_ossl_ssl(void)
rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
+#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
+#endif
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
-#ifdef SSL_OP_TLSEXT_PADDING /* OpenSSL 1.0.1h and OpenSSL 1.0.2 */
- rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
+#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
#endif
-#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG /* OpenSSL 1.0.1f and OpenSSL 1.0.2 */
+ rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
+#endif
+#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
+#endif
+#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
#endif
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
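Review bot: The newly exported `OP_IGNORE_UNEXPECTED_EOF` and `OP_ALLOW_CLIENT_RENEGOTIATION` relax protections that OpenSSL 3.0 applies by default, yet they are defined without any rdoc, next to harmless flags. A short comment above each would help, for example `/* Treats a missing close_notify as a clean EOF; only safe when the application protocol detects truncation itself */` and `/* Re-enables client-initiated renegotiation, which OpenSSL 3.0 refuses by default */`. The same goes for `OP_NO_ANTI_REPLAY` in the following hunk, which switches off replay protection for TLS 1.3 early data.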
@@ -2869,13 +3042,15 @@ Init_ossl_ssl(void)
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
#endif
- rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
- rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
-#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
- rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
+ rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
+#endif
+#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
+ rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
+#endif
+#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
+ rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
#endif
- rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
-
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
@@ -2883,6 +3058,12 @@ Init_ossl_ssl(void)
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
#endif
+ rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
+ rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
+#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
+ rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
+#endif
+ rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
/* SSL_OP_* flags for DTLS */
#if 0
@@ -2953,6 +3134,7 @@ Init_ossl_ssl(void)
id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
+ id_each = rb_intern_const("each");
#define DefIVarID(name) do \
id_i_##name = rb_intern_const("@"#name); while (0)
@@ -2980,8 +3162,10 @@ Init_ossl_ssl(void)
DefIVarID(alpn_select_cb);
DefIVarID(servername_cb);
DefIVarID(verify_hostname);
+ DefIVarID(keylog_cb);
DefIVarID(io);
DefIVarID(context);
DefIVarID(hostname);
+#endif /* !defined(OPENSSL_NO_SOCK) */
}
diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
index 5514087387..c5df902c60 100644
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@@ -4,6 +4,7 @@
#include "ossl.h"
+#ifndef OPENSSL_NO_SOCK
VALUE cSSLSession;
static VALUE eSSLSession;
@@ -18,7 +19,7 @@ const rb_data_type_t ossl_ssl_session_type = {
{
0, ossl_ssl_session_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE ossl_ssl_session_alloc(VALUE klass)
@@ -34,43 +35,38 @@ static VALUE ossl_ssl_session_alloc(VALUE klass)
* Creates a new Session object from an instance of SSLSocket or DER/PEM encoded
* String.
*/
-static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
+static VALUE
+ossl_ssl_session_initialize(VALUE self, VALUE arg1)
{
- SSL_SESSION *ctx = NULL;
-
- if (RDATA(self)->data)
- ossl_raise(eSSLSession, "SSL Session already initialized");
-
- if (rb_obj_is_instance_of(arg1, cSSLSocket)) {
- SSL *ssl;
-
- GetSSL(arg1, ssl);
-
- if ((ctx = SSL_get1_session(ssl)) == NULL)
- ossl_raise(eSSLSession, "no session available");
- } else {
- BIO *in = ossl_obj2bio(&arg1);
+ SSL_SESSION *ctx;
- ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
+ if (RTYPEDDATA_DATA(self))
+ ossl_raise(eSSLSession, "SSL Session already initialized");
- if (!ctx) {
- OSSL_BIO_reset(in);
- ctx = d2i_SSL_SESSION_bio(in, NULL);
- }
+ if (rb_obj_is_instance_of(arg1, cSSLSocket)) {
+ SSL *ssl;
- BIO_free(in);
+ GetSSL(arg1, ssl);
- if (!ctx)
- ossl_raise(rb_eArgError, "unknown type");
- }
+ if ((ctx = SSL_get1_session(ssl)) == NULL)
+ ossl_raise(eSSLSession, "no session available");
+ }
+ else {
+ BIO *in = ossl_obj2bio(&arg1);
- /* should not happen */
- if (ctx == NULL)
- ossl_raise(eSSLSession, "ctx not set - internal error");
+ ctx = d2i_SSL_SESSION_bio(in, NULL);
+ if (!ctx) {
+ OSSL_BIO_reset(in);
+ ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
+ }
+ BIO_free(in);
+ if (!ctx)
+ ossl_raise(rb_eArgError, "unknown type");
+ }
- RDATA(self)->data = ctx;
+ RTYPEDDATA_DATA(self) = ctx;
- return self;
+ return self;
}
static VALUE
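Review bot: ossl_ssl_session_initialize now tries `d2i_SSL_SESSION_bio` before `PEM_read_bio_SSL_SESSION`, the reverse of the old order, and nothing in the function says why. load_chained_certificates in ossl_x509cert.c, part of this same commit, gives the reason: DER is binary and may contain octets that look like PEM. A one-line comment here would stop the order from being flipped back: `/* Try DER first: binary DER may contain bytes that look like a PEM block */`.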
@@ -304,6 +300,7 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
return ossl_membio2str(out);
}
+#endif /* !defined(OPENSSL_NO_SOCK) */
void Init_ossl_ssl_session(void)
{
@@ -312,6 +309,7 @@ void Init_ossl_ssl_session(void)
mSSL = rb_define_module_under(mOSSL, "SSL");
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
#endif
+#ifndef OPENSSL_NO_SOCK
cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
@@ -329,4 +327,5 @@ void Init_ossl_ssl_session(void)
rb_define_method(cSSLSession, "to_der", ossl_ssl_session_to_der, 0);
rb_define_method(cSSLSession, "to_pem", ossl_ssl_session_to_pem, 0);
rb_define_method(cSSLSession, "to_text", ossl_ssl_session_to_text, 0);
+#endif /* !defined(OPENSSL_NO_SOCK) */
}
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
index 9450e435e0..f698bdc7ff 100644
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@@ -83,7 +83,7 @@ static const rb_data_type_t ossl_ts_req_type = {
{
0, ossl_ts_req_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -97,7 +97,7 @@ static const rb_data_type_t ossl_ts_resp_type = {
{
0, ossl_ts_resp_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static void
@@ -111,7 +111,7 @@ static const rb_data_type_t ossl_ts_token_info_type = {
{
0, ossl_ts_token_info_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -146,6 +146,12 @@ obj_to_asn1obj(VALUE obj)
}
static VALUE
+obj_to_asn1obj_i(VALUE obj)
+{
+ return (VALUE)obj_to_asn1obj(obj);
+}
+
+static VALUE
get_asn1obj(ASN1_OBJECT *obj)
{
BIO *out;
@@ -205,8 +211,10 @@ ossl_ts_req_initialize(int argc, VALUE *argv, VALUE self)
in = ossl_obj2bio(&arg);
ts_req = d2i_TS_REQ_bio(in, &ts_req);
BIO_free(in);
- if (!ts_req)
+ if (!ts_req) {
+ DATA_PTR(self) = NULL;
ossl_raise(eTimestampError, "Error when decoding the timestamp request");
+ }
DATA_PTR(self) = ts_req;
return self;
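Review bot: The added `DATA_PTR(self) = NULL;` works around the reuse form `d2i_TS_REQ_bio(in, &ts_req)`, which presumably releases the object passed in when decoding fails. ossl_x509_initialize and ossl_x509crl_initialize in this commit moved away from that form. For consistency I would decode into a fresh object with `ts_req = d2i_TS_REQ_bio(in, NULL);`, raise on NULL, and only then store it with `RTYPEDDATA_DATA(self)` and free the previous one. The declaration of `ts_req` is above the hunk, so this assumes it starts out as the object held by `self`. The hunks for ossl_ts_resp_initialize and ossl_ts_token_info_initialize have the same shape.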
@@ -529,8 +537,10 @@ ossl_ts_resp_initialize(VALUE self, VALUE der)
in = ossl_obj2bio(&der);
ts_resp = d2i_TS_RESP_bio(in, &ts_resp);
BIO_free(in);
- if (!ts_resp)
+ if (!ts_resp) {
+ DATA_PTR(self) = NULL;
ossl_raise(eTimestampError, "Error when decoding the timestamp response");
+ }
DATA_PTR(self) = ts_resp;
return self;
@@ -816,17 +826,14 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
X509_up_ref(cert);
}
- TS_VERIFY_CTS_set_certs(ctx, x509inter);
+ TS_VERIFY_CTX_set_certs(ctx, x509inter);
TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
TS_VERIFY_CTX_set_store(ctx, x509st);
ok = TS_RESP_verify_response(ctx, resp);
-
- /* WORKAROUND:
- * X509_STORE can count references, but X509_STORE_free() doesn't check
- * this. To prevent our X509_STORE from being freed with our
- * TS_VERIFY_CTX we set the store to NULL first.
- * Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2)
+ /*
+ * TS_VERIFY_CTX_set_store() call above does not increment the reference
+ * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
*/
TS_VERIFY_CTX_set_store(ctx, NULL);
TS_VERIFY_CTX_free(ctx);
@@ -871,8 +878,10 @@ ossl_ts_token_info_initialize(VALUE self, VALUE der)
in = ossl_obj2bio(&der);
info = d2i_TS_TST_INFO_bio(in, &info);
BIO_free(in);
- if (!info)
+ if (!info) {
+ DATA_PTR(self) = NULL;
ossl_raise(eTimestampError, "Error when decoding the timestamp token info");
+ }
DATA_PTR(self) = info;
return self;
@@ -1074,13 +1083,29 @@ ossl_tsfac_serial_cb(struct TS_resp_ctx *ctx, void *data)
}
static int
+#if !defined(LIBRESSL_VERSION_NUMBER)
ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, long *sec, long *usec)
+#else
+ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, time_t *sec, long *usec)
+#endif
{
*sec = *((long *)data);
*usec = 0;
return 1;
}
+static VALUE
+ossl_evp_get_digestbyname_i(VALUE arg)
+{
+ return (VALUE)ossl_evp_get_digestbyname(arg);
+}
+
+static VALUE
+ossl_obj2bio_i(VALUE arg)
+{
+ return (VALUE)ossl_obj2bio((VALUE *)arg);
+}
+
/*
* Creates a Response with the help of an OpenSSL::PKey, an
* OpenSSL::X509::Certificate and a Request.
@@ -1149,7 +1174,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
goto end;
}
if (!NIL_P(def_policy_id) && !TS_REQ_get_policy_id(req)) {
- def_policy_id_obj = (ASN1_OBJECT*)rb_protect((VALUE (*)(VALUE))obj_to_asn1obj, (VALUE)def_policy_id, &status);
+ def_policy_id_obj = (ASN1_OBJECT*)rb_protect(obj_to_asn1obj_i, (VALUE)def_policy_id, &status);
if (status)
goto end;
}
@@ -1191,7 +1216,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
for (i = 0; i < RARRAY_LEN(allowed_digests); i++) {
rbmd = rb_ary_entry(allowed_digests, i);
- md = (const EVP_MD *)rb_protect((VALUE (*)(VALUE))ossl_evp_get_digestbyname, rbmd, &status);
+ md = (const EVP_MD *)rb_protect(ossl_evp_get_digestbyname_i, rbmd, &status);
if (status)
goto end;
TS_RESP_CTX_add_md(ctx, md);
@@ -1202,7 +1227,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
if (status)
goto end;
- req_bio = (BIO*)rb_protect((VALUE (*)(VALUE))ossl_obj2bio, (VALUE)&str, &status);
+ req_bio = (BIO*)rb_protect(ossl_obj2bio_i, (VALUE)&str, &status);
if (status)
goto end;
@@ -1226,7 +1251,7 @@ end:
ASN1_OBJECT_free(def_policy_id_obj);
TS_RESP_CTX_free(ctx);
if (err_msg)
- ossl_raise(eTimestampError, err_msg);
+ rb_exc_raise(ossl_make_error(eTimestampError, rb_str_new_cstr(err_msg)));
if (status)
rb_jump_tag(status);
return ret;
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index 4fc0648614..f8470703fc 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -115,11 +115,9 @@ Init_ossl_x509(void)
DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
#endif
-#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
DefX509Const(V_ERR_HOSTNAME_MISMATCH);
DefX509Const(V_ERR_EMAIL_MISMATCH);
DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
-#endif
#if defined(X509_V_ERR_DANE_NO_MATCH)
DefX509Const(V_ERR_DANE_NO_MATCH);
#endif
@@ -187,12 +185,10 @@ Init_ossl_x509(void)
/* Set by Store#flags= and StoreContext#flags=. Enables checking of the
* signature of the root self-signed CA. */
DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
-#if defined(X509_V_FLAG_TRUSTED_FIRST)
/* Set by Store#flags= and StoreContext#flags=. When constructing a
* certificate chain, search the Store first for the issuer certificate.
* Enabled by default in OpenSSL >= 1.1.0. */
DefX509Const(V_FLAG_TRUSTED_FIRST);
-#endif
#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
/* Set by Store#flags= and StoreContext#flags=.
* Enables Suite B 128 bit only mode. */
@@ -208,11 +204,9 @@ Init_ossl_x509(void)
* Enables Suite B 128 bit mode allowing 192 bit algorithms. */
DefX509Const(V_FLAG_SUITEB_128_LOS);
#endif
-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
/* Set by Store#flags= and StoreContext#flags=.
* Allows partial chains if at least one certificate is in trusted store. */
DefX509Const(V_FLAG_PARTIAL_CHAIN);
-#endif
#if defined(X509_V_FLAG_NO_ALT_CHAINS)
/* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
* a alternative chain. No effect in OpenSSL >= 1.1.0. */
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index 60846cfe9d..d1d8bb5e95 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_x509attr_type = {
{
0, ossl_x509attr_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index 5376bff08d..aa6b9bb7ce 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_x509_type = {
{
0, ossl_x509_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -115,24 +115,27 @@ static VALUE
ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
{
BIO *in;
- X509 *x509, *x = DATA_PTR(self);
+ X509 *x509, *x509_orig = RTYPEDDATA_DATA(self);
VALUE arg;
+ rb_check_frozen(self);
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
/* create just empty X509Cert */
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(&arg);
- x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
- DATA_PTR(self) = x;
+ x509 = d2i_X509_bio(in, NULL);
if (!x509) {
- OSSL_BIO_reset(in);
- x509 = d2i_X509_bio(in, &x);
- DATA_PTR(self) = x;
+ OSSL_BIO_reset(in);
+ x509 = PEM_read_bio_X509(in, NULL, NULL, NULL);
}
BIO_free(in);
- if (!x509) ossl_raise(eX509CertError, NULL);
+ if (!x509)
+ ossl_raise(eX509CertError, "PEM_read_bio_X509");
+
+ RTYPEDDATA_DATA(self) = x509;
+ X509_free(x509_orig);
return self;
}
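Review bot: The failure message in ossl_x509_initialize, `ossl_raise(eX509CertError, "PEM_read_bio_X509");`, names only the PEM reader although `d2i_X509_bio` is tried first, so a caller who passed malformed DER is told that a PEM function failed. A neutral message such as `ossl_raise(eX509CertError, "certificate is neither valid DER nor PEM");` covers both attempts. ossl_x509crl_initialize has the same issue with `"PEM_read_bio_X509_CRL"`.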
@@ -639,12 +642,12 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
}
GetX509(self, x509);
- while ((ext = X509_delete_ext(x509, 0)))
- X509_EXTENSION_free(ext);
+ for (i = X509_get_ext_count(x509); i > 0; i--)
+ X509_EXTENSION_free(X509_delete_ext(x509, 0));
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
- ossl_raise(eX509CertError, NULL);
+ ossl_raise(eX509CertError, "X509_add_ext");
}
}
@@ -704,6 +707,157 @@ ossl_x509_eq(VALUE self, VALUE other)
return !X509_cmp(a, b) ? Qtrue : Qfalse;
}
+struct load_chained_certificates_arguments {
+ VALUE certificates;
+ X509 *certificate;
+};
+
+static VALUE
+load_chained_certificates_append_push(VALUE _arguments) {
+ struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+ if (arguments->certificates == Qnil) {
+ arguments->certificates = rb_ary_new();
+ }
+
+ rb_ary_push(arguments->certificates, ossl_x509_new(arguments->certificate));
+
+ return Qnil;
+}
+
+static VALUE
+load_chained_certificate_append_ensure(VALUE _arguments) {
+ struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+ X509_free(arguments->certificate);
+
+ return Qnil;
+}
+
+inline static VALUE
+load_chained_certificates_append(VALUE certificates, X509 *certificate) {
+ struct load_chained_certificates_arguments arguments;
+ arguments.certificates = certificates;
+ arguments.certificate = certificate;
+
+ rb_ensure(load_chained_certificates_append_push, (VALUE)&arguments, load_chained_certificate_append_ensure, (VALUE)&arguments);
+
+ return arguments.certificates;
+}
+
+static VALUE
+load_chained_certificates_PEM(BIO *in) {
+ VALUE certificates = Qnil;
+ X509 *certificate = PEM_read_bio_X509(in, NULL, NULL, NULL);
+
+ /* If we cannot read even one certificate: */
+ if (certificate == NULL) {
+ /* If we cannot read one certificate because we could not read the PEM encoding: */
+ if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+ ossl_clear_error();
+ }
+
+ if (ERR_peek_last_error())
+ ossl_raise(eX509CertError, NULL);
+ else
+ return Qnil;
+ }
+
+ certificates = load_chained_certificates_append(Qnil, certificate);
+
+ while ((certificate = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+ load_chained_certificates_append(certificates, certificate);
+ }
+
+ /* We tried to read one more certificate but could not read start line: */
+ if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+ /* This is not an error, it means we are finished: */
+ ossl_clear_error();
+
+ return certificates;
+ }
+
+ /* Alternatively, if we reached the end of the file and there was no error: */
+ if (BIO_eof(in) && !ERR_peek_last_error()) {
+ return certificates;
+ } else {
+ /* Otherwise, we tried to read a certificate but failed somewhere: */
+ ossl_raise(eX509CertError, NULL);
+ }
+}
+
+static VALUE
+load_chained_certificates_DER(BIO *in) {
+ X509 *certificate = d2i_X509_bio(in, NULL);
+
+ /* If we cannot read one certificate: */
+ if (certificate == NULL) {
+ /* Ignore error. We could not load. */
+ ossl_clear_error();
+
+ return Qnil;
+ }
+
+ return load_chained_certificates_append(Qnil, certificate);
+}
+
+static VALUE
+load_chained_certificates(VALUE _io) {
+ BIO *in = (BIO*)_io;
+ VALUE certificates = Qnil;
+
+ /*
+ DER is a binary format and it may contain octets within it that look like
+ PEM encoded certificates. So we need to check DER first.
+ */
+ certificates = load_chained_certificates_DER(in);
+
+ if (certificates != Qnil)
+ return certificates;
+
+ OSSL_BIO_reset(in);
+
+ certificates = load_chained_certificates_PEM(in);
+
+ if (certificates != Qnil)
+ return certificates;
+
+ /* Otherwise we couldn't read the output correctly so fail: */
+ ossl_raise(eX509CertError, "Could not detect format of certificate data!");
+}
+
+static VALUE
+load_chained_certificates_ensure(VALUE _io) {
+ BIO *in = (BIO*)_io;
+
+ BIO_free(in);
+
+ return Qnil;
+}
+
+/*
+ * call-seq:
+ * OpenSSL::X509::Certificate.load(string) -> [certs...]
+ * OpenSSL::X509::Certificate.load(file) -> [certs...]
+ *
+ * Read the chained certificates from the given input. Supports both PEM
+ * and DER encoded certificates.
+ *
+ * PEM is a text format and supports more than one certificate.
+ *
+ * DER is a binary format and only supports one certificate.
+ *
+ * If the file is empty, or contains only unrelated data, an
+ * +OpenSSL::X509::CertificateError+ exception will be raised.
+ */
+static VALUE
+ossl_x509_load(VALUE klass, VALUE buffer)
+{
+ BIO *in = ossl_obj2bio(&buffer);
+
+ return rb_ensure(load_chained_certificates, (VALUE)in, load_chained_certificates_ensure, (VALUE)in);
+}
+
/*
* INIT
*/
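Review bot: load_chained_certificates_DER returns after the first successful `d2i_X509_bio` without checking what is left in the BIO, so DER input followed by further bytes (a second certificate or unrelated data) appears to yield a one-element array with no error. The PEM path already consults `BIO_eof(in)`, and the DER path could do the same. At minimum the rdoc for `Certificate.load` should say so, e.g. `Trailing data after a DER certificate is not read.` Separately, `load_chained_certificate_append_ensure` is spelled without the plural that its sibling helpers use.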
@@ -812,6 +966,8 @@ Init_ossl_x509cert(void)
*/
cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);
+ rb_define_singleton_method(cX509Cert, "load", ossl_x509_load, 1);
+
rb_define_alloc_func(cX509Cert, ossl_x509_alloc);
rb_define_method(cX509Cert, "initialize", ossl_x509_initialize, -1);
rb_define_method(cX509Cert, "initialize_copy", ossl_x509_copy, 1);
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index b0badf45c4..80e29f9df2 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_x509crl_type = {
{
0, ossl_x509crl_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -93,23 +93,26 @@ static VALUE
ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
{
BIO *in;
- X509_CRL *crl, *x = DATA_PTR(self);
+ X509_CRL *crl, *crl_orig = RTYPEDDATA_DATA(self);
VALUE arg;
+ rb_check_frozen(self);
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(&arg);
- crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
- DATA_PTR(self) = x;
+ crl = d2i_X509_CRL_bio(in, NULL);
if (!crl) {
- OSSL_BIO_reset(in);
- crl = d2i_X509_CRL_bio(in, &x);
- DATA_PTR(self) = x;
+ OSSL_BIO_reset(in);
+ crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
}
BIO_free(in);
- if (!crl) ossl_raise(eX509CRLError, NULL);
+ if (!crl)
+ ossl_raise(eX509CRLError, "PEM_read_bio_X509_CRL");
+
+ RTYPEDDATA_DATA(self) = crl;
+ X509_CRL_free(crl_orig);
return self;
}
@@ -471,12 +474,12 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
}
GetX509CRL(self, crl);
- while ((ext = X509_CRL_delete_ext(crl, 0)))
- X509_EXTENSION_free(ext);
+ for (i = X509_CRL_get_ext_count(crl); i > 0; i--)
+ X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0));
for (i=0; i<RARRAY_LEN(ary); i++) {
ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
if (!X509_CRL_add_ext(crl, ext, -1)) {
- ossl_raise(eX509CRLError, NULL);
+ ossl_raise(eX509CRLError, "X509_CRL_add_ext");
}
}
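Review bot: A failure in `X509_CRL_add_ext` raises after the delete loop has already removed every existing extension, so the CRL is left with only part of the new list and none of the old one. If that is acceptable, say so above the loop, for example `/* not atomic: on failure the CRL keeps only the extensions added so far */`. Otherwise the new list would have to be built separately and swapped in after every add has succeeded. The same pattern appears in `ossl_x509req_set_attributes` and `ossl_x509revoked_set_extensions` later in this diff. The function body starts outside this hunk, so the declaration of `i` and any earlier validation are not visible here.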
diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
index e54102c771..192d09bd3f 100644
--- a/ext/openssl/ossl_x509ext.c
+++ b/ext/openssl/ossl_x509ext.c
@@ -55,7 +55,7 @@ static const rb_data_type_t ossl_x509ext_type = {
{
0, ossl_x509ext_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -108,7 +108,7 @@ static const rb_data_type_t ossl_x509extfactory_type = {
{
0, ossl_x509extfactory_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
static VALUE
@@ -209,15 +209,16 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
int nid;
VALUE rconf;
CONF *conf;
+ const char *oid_cstr = NULL;
rb_scan_args(argc, argv, "21", &oid, &value, &critical);
- StringValueCStr(oid);
StringValue(value);
if(NIL_P(critical)) critical = Qfalse;
- nid = OBJ_ln2nid(RSTRING_PTR(oid));
- if(!nid) nid = OBJ_sn2nid(RSTRING_PTR(oid));
- if(!nid) ossl_raise(eX509ExtError, "unknown OID `%"PRIsVALUE"'", oid);
+ oid_cstr = StringValueCStr(oid);
+ nid = OBJ_ln2nid(oid_cstr);
+ if (nid != NID_undef)
+ oid_cstr = OBJ_nid2sn(nid);
valstr = rb_str_new2(RTEST(critical) ? "critical," : "");
rb_str_append(valstr, value);
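Review bot: `oid_cstr` holds either a pointer borrowed from `oid`'s string buffer or a static short name from `OBJ_nid2sn`, and it is not consumed until the `X509V3_EXT_nconf` call in the next hunk. Nothing between the two points appears to run Ruby code that could modify `oid`, but that invariant is implicit. A comment at the assignment would protect it, for example `/* oid_cstr may point into oid's buffer: do not call anything that can mutate or replace oid before X509V3_EXT_nconf() */`. The variable `nid` is now used only to pick the short name, which the same comment could mention. The function continues outside this hunk.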
@@ -228,7 +229,12 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
rconf = rb_iv_get(self, "@config");
conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
X509V3_set_nconf(ctx, conf);
- ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING_PTR(valstr));
+
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
+ ext = X509V3_EXT_nconf(conf, ctx, oid_cstr, RSTRING_PTR(valstr));
+#else
+ ext = X509V3_EXT_nconf(conf, ctx, (char *)oid_cstr, RSTRING_PTR(valstr));
+#endif
X509V3_set_ctx_nodb(ctx);
if (!ext){
ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 1522c3d897..9591912f70 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -46,7 +46,7 @@ static const rb_data_type_t ossl_x509name_type = {
{
0, ossl_x509name_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -291,7 +291,14 @@ x509name_print(VALUE self, unsigned long iflag)
* * OpenSSL::X509::Name::MULTILINE
*
* If _format_ is omitted, the largely broken and traditional OpenSSL format
- * is used.
+ * (<tt>X509_NAME_oneline()</tt> format) is chosen.
+ *
+ * <b>Use of this method is discouraged.</b> None of the formats other than
+ * OpenSSL::X509::Name::RFC2253 is standardized and may show an inconsistent
+ * behavior through \OpenSSL versions.
+ *
+ * It is recommended to use #to_utf8 instead, which is equivalent to calling
+ * <tt>name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")</tt>.
*/
static VALUE
ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
@@ -498,7 +505,7 @@ ossl_x509name_to_der(VALUE self)
* You can create a Name by parsing a distinguished name String or by
* supplying the distinguished name as an Array.
*
- * name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
+ * name = OpenSSL::X509::Name.parse_rfc2253 'DC=example,CN=nobody'
*
* name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
*/
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
index 2c20042a92..f058185151 100644
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_x509req_type = {
{
0, ossl_x509req_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -79,23 +79,26 @@ static VALUE
ossl_x509req_initialize(int argc, VALUE *argv, VALUE self)
{
BIO *in;
- X509_REQ *req, *x = DATA_PTR(self);
+ X509_REQ *req, *req_orig = RTYPEDDATA_DATA(self);
VALUE arg;
+ rb_check_frozen(self);
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(&arg);
- req = PEM_read_bio_X509_REQ(in, &x, NULL, NULL);
- DATA_PTR(self) = x;
+ req = d2i_X509_REQ_bio(in, NULL);
if (!req) {
- OSSL_BIO_reset(in);
- req = d2i_X509_REQ_bio(in, &x);
- DATA_PTR(self) = x;
+ OSSL_BIO_reset(in);
+ req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
}
BIO_free(in);
- if (!req) ossl_raise(eX509ReqError, NULL);
+ if (!req)
+ ossl_raise(eX509ReqError, "PEM_read_bio_X509_REQ");
+
+ RTYPEDDATA_DATA(self) = req;
+ X509_REQ_free(req_orig);
return self;
}
@@ -377,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
}
GetX509Req(self, req);
- while ((attr = X509_REQ_delete_attr(req, 0)))
- X509_ATTRIBUTE_free(attr);
+ for (i = X509_REQ_get_attr_count(req); i > 0; i--)
+ X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0));
for (i=0;i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
attr = GetX509AttrPtr(item);
if (!X509_REQ_add1_attr(req, attr)) {
- ossl_raise(eX509ReqError, NULL);
+ ossl_raise(eX509ReqError, "X509_REQ_add1_attr");
}
}
return ary;
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index 5fe6853430..108447c868 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_x509rev_type = {
{
0, ossl_x509rev_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
}
GetX509Rev(self, rev);
- while ((ext = X509_REVOKED_delete_ext(rev, 0)))
- X509_EXTENSION_free(ext);
+ for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--)
+ X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0));
for (i=0; i<RARRAY_LEN(ary); i++) {
item = RARRAY_AREF(ary, i);
ext = GetX509ExtPtr(item);
if(!X509_REVOKED_add_ext(rev, ext, -1)) {
- ossl_raise(eX509RevError, NULL);
+ ossl_raise(eX509RevError, "X509_REVOKED_add_ext");
}
}
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 5e0ab8d850..f27381ca90 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -52,8 +52,15 @@ struct ossl_verify_cb_args {
};
static VALUE
-call_verify_cb_proc(struct ossl_verify_cb_args *args)
+ossl_x509stctx_new_i(VALUE arg)
{
+ return ossl_x509stctx_new((X509_STORE_CTX *)arg);
+}
+
+static VALUE
+call_verify_cb_proc(VALUE arg)
+{
+ struct ossl_verify_cb_args *args = (struct ossl_verify_cb_args *)arg;
return rb_funcall(args->proc, rb_intern("call"), 2,
args->preverify_ok, args->store_ctx);
}
@@ -69,7 +76,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
return ok;
ret = Qfalse;
- rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new, (VALUE)ctx, &state);
+ rctx = rb_protect(ossl_x509stctx_new_i, (VALUE)ctx, &state);
if (state) {
rb_set_errinfo(Qnil);
rb_warn("StoreContext initialization failure");
@@ -78,7 +85,7 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
args.proc = proc;
args.preverify_ok = ok ? Qtrue : Qfalse;
args.store_ctx = rctx;
- ret = rb_protect((VALUE(*)(VALUE))call_verify_cb_proc, (VALUE)&args, &state);
+ ret = rb_protect(call_verify_cb_proc, (VALUE)&args, &state);
if (state) {
rb_set_errinfo(Qnil);
rb_warn("exception in verify_callback is ignored");
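Review bot: The warning text "exception in verify_callback is ignored" does not say what happens to the verification result when the callback raises, and the code that maps `ret` to `ok` lies outside this hunk. Since this callback decides whether a certificate is accepted, a comment at the `rb_protect` call should state the intended outcome, presumably along the lines of `/* a raising callback must never yield Qtrue: the certificate is treated as rejected */`. The same question applies to the "StoreContext initialization failure" branch in the previous hunk. Please confirm against the rest of `ossl_verify_cb_call` that both paths fail closed.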
@@ -106,6 +113,16 @@ VALUE cX509StoreContext;
VALUE eX509StoreError;
static void
+ossl_x509store_mark(void *ptr)
+{
+ X509_STORE *store = ptr;
+ // Note: this reference is stored as @verify_callback so we don't need to mark it.
+ // However we do need to ensure GC compaction won't move it, hence why
+ // we call rb_gc_mark here.
+ rb_gc_mark((VALUE)X509_STORE_get_ex_data(store, store_ex_verify_cb_idx));
+}
+
+static void
ossl_x509store_free(void *ptr)
{
X509_STORE_free(ptr);
@@ -114,9 +131,9 @@ ossl_x509store_free(void *ptr)
static const rb_data_type_t ossl_x509store_type = {
"OpenSSL/X509/STORE",
{
- 0, ossl_x509store_free,
+ ossl_x509store_mark, ossl_x509store_free,
},
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
};
/*
@@ -173,8 +190,9 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb)
X509_STORE *store;
GetX509Store(self, store);
- X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
rb_iv_set(self, "@verify_callback", cb);
+ // We don't need to trigger a write barrier because `rb_iv_set` did it.
+ X509_STORE_set_ex_data(store, store_ex_verify_cb_idx, (void *)cb);
return cb;
}
@@ -487,23 +505,19 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
}
/*
- * Public Functions
- */
-static void ossl_x509stctx_free(void*);
-
-
-static const rb_data_type_t ossl_x509stctx_type = {
- "OpenSSL/X509/STORE_CTX",
- {
- 0, ossl_x509stctx_free,
- },
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
-};
-
-/*
* Private functions
*/
static void
+ossl_x509stctx_mark(void *ptr)
+{
+ X509_STORE_CTX *ctx = ptr;
+ // Note: this reference is stored as @verify_callback so we don't need to mark it.
+ // However we do need to ensure GC compaction won't move it, hence why
+ // we call rb_gc_mark here.
+ rb_gc_mark((VALUE)X509_STORE_CTX_get_ex_data(ctx, stctx_ex_verify_cb_idx));
+}
+
+static void
ossl_x509stctx_free(void *ptr)
{
X509_STORE_CTX *ctx = ptr;
@@ -514,6 +528,14 @@ ossl_x509stctx_free(void *ptr)
X509_STORE_CTX_free(ctx);
}
+static const rb_data_type_t ossl_x509stctx_type = {
+ "OpenSSL/X509/STORE_CTX",
+ {
+ ossl_x509stctx_mark, ossl_x509stctx_free,
+ },
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+};
+
static VALUE
ossl_x509stctx_alloc(VALUE klass)
{
@@ -599,8 +621,8 @@ ossl_x509stctx_verify(VALUE self)
X509_STORE_CTX *ctx;
GetX509StCtx(self, ctx);
- X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx,
- (void *)rb_iv_get(self, "@verify_callback"));
+ VALUE cb = rb_iv_get(self, "@verify_callback");
+ X509_STORE_CTX_set_ex_data(ctx, stctx_ex_verify_cb_idx, (void *)cb);
switch (X509_verify_cert(ctx)) {
case 1:
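Review bot: The new `X509_STORE_CTX_set_ex_data` call stores a `VALUE` in a type that this commit marks `RUBY_TYPED_WB_PROTECTED`, but unlike `ossl_x509store_set_vfy_cb` it carries no comment explaining why no write barrier is needed. A matching line would keep the two sites consistent, for example `/* cb comes from self's own @verify_callback ivar, so it is already reachable from self and needs no write barrier */`. `VALUE cb` is also declared after a statement, which is fine for C99 but differs from the declarations-first style in the rest of this function as far as it is visible. The function starts and ends outside this hunk.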
diff --git a/ext/openssl/ruby_missing.h b/ext/openssl/ruby_missing.h
deleted file mode 100644
index 069acc8b14..0000000000
--- a/ext/openssl/ruby_missing.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * 'OpenSSL for Ruby' project
- * Copyright (C) 2001-2003 Michal Rokos <m.rokos@sh.cvut.cz>
- * All rights reserved.
- */
-/*
- * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
- */
-#if !defined(_OSSL_RUBY_MISSING_H_)
-#define _OSSL_RUBY_MISSING_H_
-
-/* Ruby 2.4 */
-#ifndef RB_INTEGER_TYPE_P
-# define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
-#endif
-
-/* Ruby 2.5 */
-#ifndef ST2FIX
-# define RB_ST2FIX(h) LONG2FIX((long)(h))
-# define ST2FIX(h) RB_ST2FIX(h)
-#endif
-
-#endif /* _OSSL_RUBY_MISSING_H_ */