add OpenSSL Provider support

ruby · Jun 2, 2023 · 056a641 · 056a641
1 parent cb8f4ee
commit 056a641
Show file tree

Hide file tree

Showing 5 changed files with 239 additions and 0 deletions.
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
@@ -1271,6 +1271,7 @@ Init_openssl(void)
     Init_ossl_x509();
     Init_ossl_ocsp();
     Init_ossl_engine();
+    Init_ossl_provider();
     Init_ossl_asn1();
     Init_ossl_kdf();
 

diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
@@ -62,6 +62,10 @@
 # define OSSL_USE_ENGINE
 #endif
 
+#if !defined(OSSL_USE_ENGINE) && OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_USE_PROVIDER
+#endif
+
 /*
  * Common Module
  */
@@ -194,6 +198,7 @@ void ossl_debug(const char *, ...);
 #endif
 #include "ossl_x509.h"
 #include "ossl_engine.h"
+#include "ossl_provider.h"
 #include "ossl_kdf.h"
 
 void Init_openssl(void);

diff --git a/ext/openssl/ossl_provider.c b/ext/openssl/ossl_provider.c
@@ -0,0 +1,171 @@
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+#ifdef OSSL_USE_PROVIDER
+# include <openssl/provider.h>
+
+#define NewProvider(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_provider_type, 0)
+#define SetProvider(obj, provider) do { \
+    if (!(provider)) { \
+	ossl_raise(rb_eRuntimeError, "Provider wasn't initialized."); \
+    } \
+    RTYPEDDATA_DATA(obj) = (provider); \
+} while(0)
+#define GetProvider(obj, provider) do { \
+    TypedData_Get_Struct((obj), OSSL_PROVIDER, &ossl_provider_type, (provider)); \
+    if (!(provider)) { \
+        ossl_raise(rb_eRuntimeError, "PROVIDER wasn't initialized."); \
+    } \
+} while (0)
+
+static const rb_data_type_t ossl_provider_type = {
+    "OpenSSL/Provider",
+    {
+	0,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+/*
+ * Classes
+ */
+/* Document-class: OpenSSL::Procider
+ *
+ * This class is the access to openssl's Provider
+ * See also, https://www.openssl.org/docs/manmaster/man7/provider.html
+ */
+VALUE cProvider;
+/* Document-class: OpenSSL::Provider::ProviderError
+ *
+ * This is the generic exception for OpenSSL::Provider related errors
+ */
+VALUE eProviderError;
+
+/*
+ * call-seq:
+ *    OpenSSL::Provider.load(name)
+ * This method loads and initializes a provider
+ */
+static VALUE
+ossl_provider_s_load(VALUE klass, VALUE name)
+{
+    OSSL_PROVIDER *provider = NULL;
+    VALUE obj;
+
+    const char *provider_name_ptr = StringValueCStr(name);
+
+    provider = OSSL_PROVIDER_load(NULL, provider_name_ptr);
+    if (provider == NULL) {
+      ossl_raise(eProviderError, "Failed to load %s provider\n", provider_name_ptr);
+    }
+    obj = NewProvider(klass);
+    SetProvider(obj, provider);
+
+    return obj;
+}
+
+/*
+ * call-seq:
+ *    OpenSSL::Engine.cleanup
+ *
+ * This method unloads the given provider
+ */
+static VALUE
+ossl_provider_s_unload(VALUE klass, VALUE obj)
+{
+    OSSL_PROVIDER *prov;
+    GetProvider(obj, prov);
+
+    int result = OSSL_PROVIDER_unload(prov);
+
+    if (result != 1) {
+      return Qfalse;
+    }
+    return Qtrue;
+}
+
+static int push_provider(OSSL_PROVIDER *prov, void *cbdata)
+{
+    VALUE obj = NewProvider(cProvider);
+    VALUE ary = (VALUE)cbdata;
+    SetProvider(obj, prov);
+    rb_ary_push(ary, obj);
+    return 1;
+}
+
+/*
+ * call-seq:
+ *    OpenSSL::Provider.providers -> [provider, ...]
+ *
+ * Returns an array of currently loaded providers.
+ */
+static VALUE
+ossl_provider_s_providers(VALUE klass)
+{
+    VALUE ary = rb_ary_new();
+
+    OSSL_PROVIDER_do_all(NULL, &push_provider, (void*)ary);
+    return ary;
+}
+
+/*
+ * call-seq:
+ *    provider.name -> string
+ *
+ * Get the name of this provider.
+ *
+ *    OpenSSL::Provider.load("legacy")
+ *    OpenSSL::Provider.providers #=> [#<OpenSSL::Provider#>, ...]
+ *    OpenSSL::Provider.providers.last.name
+ *	#=> "legacy"
+ *
+ */
+static VALUE
+ossl_provider_get_name(VALUE self)
+{
+    OSSL_PROVIDER *prov;
+    GetProvider(self, prov);
+
+    return rb_str_new2(OSSL_PROVIDER_get0_name(prov));
+}
+
+/*
+ * call-seq:
+ *    provider.inspect -> string
+ *
+ * Pretty prints this provider.
+ */
+static VALUE
+ossl_provider_inspect(VALUE self)
+{
+    OSSL_PROVIDER *prov;
+    GetProvider(self, prov);
+
+    return rb_sprintf("#<%"PRIsVALUE" name=\"%s\">",
+		      rb_obj_class(self), OSSL_PROVIDER_get0_name(prov));
+}
+
+void
+Init_ossl_provider(void)
+{
+    cProvider = rb_define_class_under(mOSSL, "Provider", rb_cObject);
+    eProviderError = rb_define_class_under(cProvider, "ProviderError", eOSSLError);
+
+    rb_undef_alloc_func(cProvider);
+    rb_define_singleton_method(cProvider, "load", ossl_provider_s_load, 1);
+    rb_define_singleton_method(cProvider, "unload", ossl_provider_s_unload, 1);
+    rb_define_singleton_method(cProvider, "providers", ossl_provider_s_providers, 0);
+
+    rb_define_method(cProvider, "name", ossl_provider_get_name, 0);
+    rb_define_method(cProvider, "inspect", ossl_provider_inspect, 0);
+}
+#else
+void
+Init_ossl_provider(void)
+{
+}
+#endif
diff --git a/ext/openssl/ossl_provider.h b/ext/openssl/ossl_provider.h
@@ -0,0 +1,8 @@
+#if !defined(OSSL_PROVIDER_H)
+#define OSSL_PROVIDER_H
+
+extern VALUE cProvider;
+extern VALUE eProviderError;
+
+void Init_ossl_provider(void);
+#endif
diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require_relative 'utils'
+if defined?(OpenSSL) && defined?(OpenSSL::Provider)
+
+class OpenSSL::TestProvider < OpenSSL::TestCase
+  def test_openssl_provider_name_inspect
+    with_openssl <<-'end;'
+      provider = OpenSSL::Provider.load("default")
+      assert_equal("default", provider.name)
+      assert_not_nil(provider.inspect)
+    end;
+  end
+
+  def test_openssl_providers
+    with_openssl <<-'end;'
+      providers = OpenSSL::Provider.providers
+      assert_kind_of(Array, providers)
+      assert_not_empty(providers)
+    end;
+  end
+
+  def test_openssl_legacy_provider
+    with_openssl(<<-'end;')
+      OpenSSL::Provider.load("legacy")
+      algo = "RC4"
+      data = "a" * 1000
+      key = OpenSSL::Random.random_bytes(16)
+      
+      # default provider does not support RC4
+      cipher = OpenSSL::Cipher.new(algo)
+      cipher.encrypt
+      cipher.key = key
+      encrypted = cipher.update(data) + cipher.final
+      
+      other_cipher = OpenSSL::Cipher.new(algo)
+      other_cipher.decrypt
+      other_cipher.key = key
+      decrypted = other_cipher.update(encrypted) + other_cipher.final
+
+      assert_equal(data, decrypted)
+    end;
+  end
+
+  private
+
+  # this is required because OpenSSL::Provider methods change global state
+  def with_openssl(code, **opts)
+    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;", **opts)
+      #{code}
+    end;
+  end
+end
+
+end