merge revision(s) 26836:26859,26861,27921:

* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by backporting. (see [ruby-dev:40573]) use long in according to OpenSSL API. (SSL_SESSION_{get,set}_time{,out}) * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper for X509_NAME_hash_old in OpenSSL 1.0.0. * test/openssl/test_x509name.rb (test_hash): make test pass with OpenSSL 1.0.0. * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5. * PKey::PKey#verify raises an exception when a given PKey does not match with signature. * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1. * backport the commit from trunk: Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org> * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0. patched by Jeroen van Meeuwen at [ruby-core:25210] fixed by Nobuyoshi Nakada [ruby-core:25238], Hongli Lai [ruby-core:27417], and Motohiro KOSAKI [ruby-core:28063] * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab), (ossl_ssl_cipher_to_ary): constified. * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls): split pkcs7_get_certs_or_crls. * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is truncated with ec_key.group.order.size after openssl 0.9.8m for FIPS 186-3 compliance. WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns false when you pass dgst longer than expected (no truncation performed). * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed. * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098 macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m. OpenSSL 1.0.0beta5 has a slightly different definiton so it could be a temporal workaround for 0.9.8 and 1.0.0 dual support. * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0 (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1) * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use SSL_SESSION_cmp and implement equality func by ousrself. See the comment. * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0. * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which exists. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@28367 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
eac · Jun 21, 2010 · 1ae1696 · 1ae1696
1 parent c9915e5
commit 1ae1696
Show file tree

Hide file tree

Showing 19 changed files with 278 additions and 67 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,78 @@
+Mon Jun 21 18:12:15 2010  NAKAMURA Usaku  <usa@ruby-lang.org>
+
+	* ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
+
+	* ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
+	  exists.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
+	  macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
+	  OpenSSL 1.0.0beta5 has a slightly different definiton so it could
+	  be a temporal workaround for 0.9.8 and 1.0.0 dual support.
+
+	* ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
+	  definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
+	  (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
+
+	* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
+	  SSL_SESSION_cmp and implement equality func by ousrself.  See the
+	  comment.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* ext/openssl/ossl_ssl_session.c
+	  (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
+	  backporting. (see [ruby-dev:40573])  use long in according to
+	  OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
+	  for X509_NAME_hash_old in OpenSSL 1.0.0.
+
+	* test/openssl/test_x509name.rb (test_hash): make test pass with
+	  OpenSSL 1.0.0.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+	  * PKey::PKey#verify raises an exception when a given PKey does not
+	    match with signature.
+	  * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* backport the commit from trunk:
+	  Sun Feb 28 11:49:35 2010  NARUSE, Yui  <naruse@ruby-lang.org>
+
+	* openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
+	  patched by Jeroen van Meeuwen at [ruby-core:25210]
+	  fixed by Nobuyoshi Nakada [ruby-core:25238],
+	  Hongli Lai [ruby-core:27417],
+	  and Motohiro KOSAKI [ruby-core:28063]
+
+	* ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
+	  (ossl_ssl_cipher_to_ary): constified.
+
+	* ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
+	  split pkcs7_get_certs_or_crls.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
+	  truncated with ec_key.group.order.size after openssl 0.9.8m for
+	  FIPS 186-3 compliance.
+
+	  WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
+	  openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
+	  OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
+	  false when you pass dgst longer than expected (no truncation
+	  performed).
+
+	* ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
+
 Wed Jun 16 16:01:42 2010  Tanaka Akira  <akr@fsij.org>
 
 	* lib/pathname.rb (Pathname#sub): suppress a warning.

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -91,6 +91,7 @@
 have_func("X509_CRL_set_issuer_name")
 have_func("X509_CRL_set_version")
 have_func("X509_CRL_sort")
+have_func("X509_NAME_hash_old")
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
 have_func("OBJ_NAME_do_all_sorted")
@@ -106,6 +107,14 @@
   have_func("ENGINE_get_digest")
   have_func("ENGINE_get_cipher")
   have_func("ENGINE_cleanup")
+  have_func("ENGINE_load_4758cca")
+  have_func("ENGINE_load_aep")
+  have_func("ENGINE_load_atalla")
+  have_func("ENGINE_load_chil")
+  have_func("ENGINE_load_cswift")
+  have_func("ENGINE_load_nuron")
+  have_func("ENGINE_load_sureware")
+  have_func("ENGINE_load_ubsec")
 end
 if try_compile(<<SRC)
 #include <openssl/opensslv.h>

diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
@@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary)
 
 #define OSSL_IMPL_SK2ARY(name, type)	        \
 VALUE						\
-ossl_##name##_sk2ary(STACK *sk)			\
+ossl_##name##_sk2ary(STACK_OF(type) *sk)	\
 {						\
     type *t;					\
     int i, num;					\
@@ -102,15 +102,15 @@ ossl_##name##_sk2ary(STACK *sk)			\
 	OSSL_Debug("empty sk!");		\
 	return Qnil;				\
     }						\
-    num = sk_num(sk);				\
+    num = sk_##type##_num(sk);			\
     if (num < 0) {				\
 	OSSL_Debug("items in sk < -1???");	\
 	return rb_ary_new();			\
     }						\
     ary = rb_ary_new2(num);			\
 						\
     for (i=0; i<num; i++) {			\
-	t = (type *)sk_value(sk, i);		\
+	t = sk_##type##_value(sk, i);		\
 	rb_ary_push(ary, ossl_##name##_new(t));	\
     }						\
     return ary;					\

diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
@@ -107,6 +107,13 @@ extern VALUE eOSSLError;
   }\
 } while (0)
 
+/*
+ * Compatibility
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#define STACK _STACK
+#endif
+
 /*
  * String to HEXString conversion
  */

diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
@@ -313,14 +313,20 @@ ossl_config_get_section_old(VALUE self, VALUE section)
 }
 
 #ifdef IMPLEMENT_LHASH_DOALL_ARG_FN
+#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \
+            void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
+		                o_type a = (o_type)arg1; \
+		                a_type b = (a_type)arg2; \
+		                f_name(a,b); }
+
 static void
 get_conf_section(CONF_VALUE *cv, VALUE ary)
 {
     if(cv->name) return;
     rb_ary_push(ary, rb_str_new2(cv->section));
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE)
 
 static VALUE
 ossl_config_get_sections(VALUE self)
@@ -358,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE str)
     rb_str_cat2(str, "\n");
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE)
 
 static VALUE
 dump_conf(CONF *conf)
@@ -402,7 +408,7 @@ each_conf_value(CONF_VALUE *cv, void* dummy)
     }
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*)
 
 static VALUE
 ossl_config_each(VALUE self)

diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
@@ -61,16 +61,34 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
     }
     StringValue(name);
 #ifndef OPENSSL_NO_STATIC_ENGINE
+#if HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+#endif
+#if HAVE_ENGINE_LOAD_CSWIFT
     OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#endif
+#if HAVE_ENGINE_LOAD_CHIL
     OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#endif
+#if HAVE_ENGINE_LOAD_ATALLA
     OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+#endif
+#if HAVE_ENGINE_LOAD_NURON
     OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+#endif
+#if HAVE_ENGINE_LOAD_UBSEC
     OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+#endif
+#if HAVE_ENGINE_LOAD_AEP
     OSSL_ENGINE_LOAD_IF_MATCH(aep);
+#endif
+#if HAVE_ENGINE_LOAD_SUREWARE
     OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#endif
+#if HAVE_ENGINE_LOAD_4758CCA
     OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
 #endif
+#endif
 #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
     OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
 #endif

diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c
@@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
     VALUE str;
     const EVP_MD *md;
     int len = NUM2INT(keylen);
+    unsigned char* salt_p;
+    unsigned char* str_p;
 
     StringValue(pass);
     StringValue(salt);
     md = GetDigestPtr(digest);
-
     str = rb_str_new(0, len);
+    salt_p = (unsigned char*)RSTRING_PTR(salt);
+    str_p = (unsigned char*)RSTRING_PTR(str);
 
-    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
+    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1)
         ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
 
     return str;

diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
@@ -570,30 +570,50 @@ ossl_pkcs7_add_certificate(VALUE self, VALUE cert)
     return self;
 }
 
-static STACK *
-pkcs7_get_certs_or_crls(VALUE self, int want_certs)
+static STACK_OF(X509) *
+pkcs7_get_certs(VALUE self)
 {
     PKCS7 *pkcs7;
     STACK_OF(X509) *certs;
-    STACK_OF(X509_CRL) *crls;
     int i;
 
     GetPKCS7(self, pkcs7);
     i = OBJ_obj2nid(pkcs7->type);
     switch(i){
     case NID_pkcs7_signed:
         certs = pkcs7->d.sign->cert;
-        crls = pkcs7->d.sign->crl;
         break;
     case NID_pkcs7_signedAndEnveloped:
         certs = pkcs7->d.signed_and_enveloped->cert;
+        break;
+    default:
+        certs = NULL;
+    }
+
+    return certs;
+}
+
+static STACK_OF(X509_CRL) *
+pkcs7_get_crls(VALUE self)
+{
+    PKCS7 *pkcs7;
+    STACK_OF(X509_CRL) *crls;
+    int i;
+
+    GetPKCS7(self, pkcs7);
+    i = OBJ_obj2nid(pkcs7->type);
+    switch(i){
+    case NID_pkcs7_signed:
+        crls = pkcs7->d.sign->crl;
+        break;
+    case NID_pkcs7_signedAndEnveloped:
         crls = pkcs7->d.signed_and_enveloped->crl;
         break;
     default:
-        certs = crls = NULL;
+        crls = NULL;
     }
 
-    return want_certs ? certs : crls;
+    return crls;
 }
 
 static VALUE
@@ -608,7 +628,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
     STACK_OF(X509) *certs;
     X509 *cert;
 
-    certs = pkcs7_get_certs_or_crls(self, 1);
+    certs = pkcs7_get_certs(self);
     while((cert = sk_X509_pop(certs))) X509_free(cert);
     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self);
 
@@ -618,7 +638,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
 static VALUE
 ossl_pkcs7_get_certificates(VALUE self)
 {
-    return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1));
+    return ossl_x509_sk2ary(pkcs7_get_certs(self));
 }
 
 static VALUE
@@ -648,7 +668,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
     STACK_OF(X509_CRL) *crls;
     X509_CRL *crl;
 
-    crls = pkcs7_get_certs_or_crls(self, 0);
+    crls = pkcs7_get_crls(self);
     while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl);
     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self);
 
@@ -658,7 +678,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
 static VALUE
 ossl_pkcs7_get_crls(VALUE self)
 {
-    return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0));
+    return ossl_x509crl_sk2ary(pkcs7_get_crls(self));
 }
 
 static VALUE

diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
@@ -681,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
 
 /*
  *  call-seq:
- *     key.dsa_verify(data, sig)   => true or false
+ *     key.dsa_verify_asn1(data, sig)   => true or false
  *
  *  See the OpenSSL documentation for ECDSA_verify()
  */

diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
@@ -1196,10 +1196,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
     }
     chain = SSL_get_peer_cert_chain(ssl);
     if(!chain) return Qnil;
-    num = sk_num(chain);
+    num = sk_X509_num(chain);
     ary = rb_ary_new2(num);
     for (i = 0; i < num; i++){
-	cert = (X509*)sk_value(chain, i);
+	cert = sk_X509_value(chain, i);
 	rb_ary_push(ary, ossl_x509_new(cert));
     }
 

diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
@@ -86,9 +86,18 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
 	GetSSLSession(val1, ctx1);
 	SafeGetSSLSession(val2, ctx2);
 
-	switch (SSL_SESSION_cmp(ctx1, ctx2)) {
-	case 0:		return Qtrue;
-	default:	return Qfalse;
+	/*
+	 * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp.
+	 * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash
+	 * comparing so we should not depend on it.  Just compare sessions
+	 * by version and id.
+	 */
+	if ((ctx1->ssl_version == ctx2->ssl_version) &&
+	    (ctx1->session_id_length == ctx2->session_id_length) &&
+	    (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) {
+	    return Qtrue;
+	} else {
+	    return Qfalse;
 	}
 }
 

diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
@@ -217,8 +217,9 @@ ossl_x509attr_get_value(VALUE self)
 	ossl_str_adjust(str, p);
     }
     else{
-	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL,
-			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
+			(unsigned char **) NULL, i2d_ASN1_TYPE,
+			V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
 	str = rb_str_new(0, length);
 	p = RSTRING_PTR(str);
 	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,