From e4a26cd4f8e74e5d29de10a3a0ce5829829301b0 Mon Sep 17 00:00:00 2001 
From: Kazuki Yamaguchi Date: Mon, 9 Mar 2020 18:26:19 +0900 Subject: openssl: sync with upstream repository Import current master (2c43241dc0ed) of ruby/openssl.git. Below are the commits that were made since the last batch at commit b99775b163ce (ruby/openssl.git commit f49e7110ca1e). Note that some of them have been applied already. ---------------------------------------------------------------- Benoit Daloze (1): Remove redundant and ignored workflow file DBL-Lee (1): add support for SHA512_256/SHA512_224 Hiroshi SHIBATA (2): Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms Fixed inconsistency directory structure with ruby/ruby repo Jeremy Evans (2): Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock Remove taint support Kazuki Yamaguchi (26): config: support .include directive random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes extconf.rb: get rid of -Werror=deprecated-declarations test/openssl/test_ssl: skip test_fallback_scsv if necessary ts: simplify OpenSSL::Timestamp::Request#algorithm History.md: add missing references to GitHub issues config: deprecate OpenSSL::Config#add_value and #[]= test/openssl/test_ssl: remove sleep from test_finished_messages test/openssl/test_ssl: fix random failure in SSLSocket.open test test/openssl/test_ssl: avoid explicitly-sized private keys test/openssl/test_ssl: remove commented-out test case test/openssl/test_ssl: allow kRSA tests to fail ssl: avoid declarations after statements engine: revert OpenSSL::Engine.load changes for cloudhsm engine: remove really outdated static engines engine: do not check for ENGINE_load_builtin_engines() engine: fix guards for 'dynamic' and 'cryptodev' engines lib/openssl.rb: require openssl/version.rb x509: add error code and verify flags constants ssl: set verify error code in the case of verify_hostname failure .github/workflows: merge CI jobs into a single workflow .github/workflows: test against different OpenSSL 
versions .travis.yml: fully migrate to GitHub Actions ssl: suppress test failure with SSLContext#add_certificate_chain_file ssl: remove test case test_puts_meta from test_pair Revert "Use version.rb in gemspec" MSP-Greg (2): .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2 Use version.rb in gemspec Samuel Williams (1): Restore compatibility with older versions of Ruby. Yusuke Endoh (1): Make OpenSSL::OSSL#test_memcmp_timing robust
---
 ext/openssl/ossl_ssl.c | 43 +++++++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 16 deletions(-)
(limited to 'ext/openssl/ossl_ssl.c')
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index dfbfbb22ee..34bb636ead 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -359,7 +359,14 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
             rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
             return 0;
         }
-        preverify_ok = ret == Qtrue;
+        if (ret != Qtrue) {
+            preverify_ok = 0;
+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
+#else
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
+#endif
+        }
     }
 
     return ossl_verify_cb_call(cb, preverify_ok, ctx);
@@ -1325,12 +1332,16 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_sslctx_add_certificate_chain_file(VALUE self, VALUE path)
 {
-    StringValue(path);
-    SSL_CTX *ctx = NULL;
+    SSL_CTX *ctx;
+    int ret;
 
     GetSSLCTX(self, ctx);
+    StringValueCStr(path);
+    ret = SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path));
+    if (ret != 1)
+        ossl_raise(eSSLError, "SSL_CTX_use_certificate_chain_file");
 
-    return SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path)) == 1 ? Qtrue : Qfalse;
+    return Qtrue;
 }
 
 /*
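Review bot: The new `if (ret != Qtrue)` branch changes what a Ruby-level verify_callback and `SSLSocket#verify_result` observe when the hostname check fails, but nothing in the hunk records why the store error is set here; a comment above the branch would help, e.g. `/* hostname check failed: record the reason in ctx so verify_result and any user verify_callback see a specific error */`. The `#else` arm presumably exists for OpenSSL builds that predate X509_V_ERR_HOSTNAME_MISMATCH, which is worth saying on the `#if` line too. Since X509_STORE_CTX_set_error runs before ossl_verify_cb_call, a user callback that returns true still leaves this error code in the context, which looks intended but deserves a sentence in the method's documentation. ossl_ssl_verify_callback begins and ends outside the hunk.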
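Review bot: The failure path of ossl_sslctx_add_certificate_chain_file now raises `SSLError` where it previously returned `Qfalse`, so the rdoc comment that presumably precedes `static VALUE` (outside the hunk) must be updated to say the method returns `true` or raises; callers that branch on a false return will otherwise be misled. Moving to `StringValueCStr(path)` is the right call, because a path containing an embedded NUL would otherwise be silently truncated before it reaches SSL_CTX_use_certificate_chain_file; a short comment such as `/* reject embedded NUL: path is handed to OpenSSL as a C string */` would make that intent visible. The `ret` local could be folded into the condition, `if (SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path)) != 1)`, but that is a matter of taste.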
@@ -2327,16 +2338,16 @@ static VALUE
 ossl_ssl_get_finished(VALUE self)
 {
     SSL *ssl;
+    char sizer[1], *buf;
+    size_t len;
 
     GetSSL(self, ssl);
-    char sizer[1];
-    size_t len = SSL_get_finished(ssl, sizer, 0);
-
-    if(len == 0)
-        return Qnil;
+    len = SSL_get_finished(ssl, sizer, 0);
+    if (len == 0)
+        return Qnil;
 
-    char* buf = ALLOCA_N(char, len);
+    buf = ALLOCA_N(char, len);
     SSL_get_finished(ssl, buf, len);
     return rb_str_new(buf, len);
 }
 
@@ -2352,16 +2363,16 @@ static VALUE
 ossl_ssl_get_peer_finished(VALUE self)
 {
     SSL *ssl;
+    char sizer[1], *buf;
+    size_t len;
 
     GetSSL(self, ssl);
-    char sizer[1];
-    size_t len = SSL_get_peer_finished(ssl, sizer, 0);
-
-    if(len == 0)
-        return Qnil;
+    len = SSL_get_peer_finished(ssl, sizer, 0);
+    if (len == 0)
+        return Qnil;
 
-    char* buf = ALLOCA_N(char, len);
+    buf = ALLOCA_N(char, len);
     SSL_get_peer_finished(ssl, buf, len);
     return rb_str_new(buf, len);
 }
 
-- 
cgit v1.2.3
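Review bot: The second `SSL_get_finished(ssl, buf, len)` call discards its return value, so the code relies on the zero-length probe and the copy reporting the same length; that is how the API behaves as far as I know, but nothing in the function says so, and the same pattern is repeated in ossl_ssl_get_peer_finished in the next hunk. A comment above the probe would make the two-step idiom clear: `/* a zero-byte buffer only queries the length of the Finished message */`. Beyond moving the declarations to the top of the block the hunk changes no behaviour, so the note applies equally to both functions.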