import Ruby/OpenSSL 2.0.0.beta.1

* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  ruby/openssl@08e1881...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

NEWS

@@ -123,6 +123,12 @@ with all sufficient information, see the ChangeLog file or Redmine
 
   * Add an into option. [Feature #11191]
 
+* OpenSSL
+
+  * OpenSSL is extracted as a gem and the upstream has been migrated to
+    https://github.com/ruby/openssl. OpenSSL still remains as a default gem.
+    Refer to its History.md for the full release note. [Feature #9612]
+
 === Compatibility issues (excluding feature bug fixes)
 
 * Array#sum and Enumerable#sum are implemented.  [Feature #12217]

ext/openssl/extconf.rb

@@ -147,6 +147,7 @@
 OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
 OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
 have_func("SSL_CTX_get_security_level")
+have_func("X509_get0_notBefore")
 
 Logging::message "=== Checking done. ===\n"
 

ext/openssl/lib/openssl/cipher.rb

@@ -18,42 +18,50 @@ class Cipher
       klass = Class.new(Cipher){
         define_method(:initialize){|*args|
           cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
-          super(cipher_name)
+          super(cipher_name.downcase)
         }
       }
       const_set(name, klass)
     }
 
     %w(128 192 256).each{|keylen|
       klass = Class.new(Cipher){
-        define_method(:initialize){|mode|
-          mode ||= "CBC"
-          cipher_name = "AES-#{keylen}-#{mode}"
-          super(cipher_name)
+        define_method(:initialize){|mode = "CBC"|
+          super("aes-#{keylen}-#{mode}".downcase)
         }
       }
       const_set("AES#{keylen}", klass)
     }
 
-    # Generate, set, and return a random key.
-    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    # call-seq:
+    #   cipher.random_key -> key
+    #
+    # Generate a random key with OpenSSL::Random.random_bytes and sets it to
+    # the cipher, and returns it.
+    #
+    # You must call #encrypt or #decrypt before calling this method.
     def random_key
       str = OpenSSL::Random.random_bytes(self.key_len)
       self.key = str
-      return str
     end
 
-    # Generate, set, and return a random iv.
-    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    # call-seq:
+    #   cipher.random_iv -> iv
+    #
+    # Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
+    # cipher, and returns it.
+    #
+    # You must call #encrypt or #decrypt before calling this method.
     def random_iv
       str = OpenSSL::Random.random_bytes(self.iv_len)
       self.iv = str
-      return str
     end
 
-    # This class is only provided for backwards compatibility.  Use OpenSSL::Cipher in the future.
-    class Cipher < Cipher
-      # add warning
-    end
+    # Deprecated.
+    #
+    # This class is only provided for backwards compatibility.
+    # Use OpenSSL::Cipher.
+    class Cipher < Cipher; end
+    deprecate_constant :Cipher
   end # Cipher
 end # OpenSSL

ext/openssl/lib/openssl/digest.rb

@@ -53,15 +53,9 @@ def self.digest(name, data)
     # Deprecated.
     #
     # This class is only provided for backwards compatibility.
-    class Digest < Digest # :nodoc:
-      # Deprecated.
-      #
-      # See OpenSSL::Digest.new
-      def initialize(*args)
-        warn('Digest::Digest is deprecated; use Digest')
-        super(*args)
-      end
-    end
+    # Use OpenSSL::Digest instead.
+    class Digest < Digest; end # :nodoc:
+    deprecate_constant :Digest
 
   end # Digest
 

ext/openssl/lib/openssl/pkey.rb

@@ -4,6 +4,7 @@ module PKey
     if defined?(OpenSSL::PKey::DH)
 
     class DH
+      # :nodoc:
       DEFAULT_1024 = new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
@@ -12,6 +13,7 @@ class DH
 -----END DH PARAMETERS-----
       _end_of_pem_
 
+      # :nodoc:
       DEFAULT_2048 = new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
@@ -24,6 +26,7 @@ class DH
       _end_of_pem_
     end
 
+    # :nodoc:
     DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
       warn "using default DH parameters." if $VERBOSE
       case keylen

ext/openssl/lib/openssl/ssl.rb

@@ -16,44 +16,11 @@
 module OpenSSL
   module SSL
     class SSLContext
+      # :nodoc:
       DEFAULT_PARAMS = {
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => %w{
-          ECDHE-ECDSA-AES128-GCM-SHA256
-          ECDHE-RSA-AES128-GCM-SHA256
-          ECDHE-ECDSA-AES256-GCM-SHA384
-          ECDHE-RSA-AES256-GCM-SHA384
-          DHE-RSA-AES128-GCM-SHA256
-          DHE-DSS-AES128-GCM-SHA256
-          DHE-RSA-AES256-GCM-SHA384
-          DHE-DSS-AES256-GCM-SHA384
-          ECDHE-ECDSA-AES128-SHA256
-          ECDHE-RSA-AES128-SHA256
-          ECDHE-ECDSA-AES128-SHA
-          ECDHE-RSA-AES128-SHA
-          ECDHE-ECDSA-AES256-SHA384
-          ECDHE-RSA-AES256-SHA384
-          ECDHE-ECDSA-AES256-SHA
-          ECDHE-RSA-AES256-SHA
-          DHE-RSA-AES128-SHA256
-          DHE-RSA-AES256-SHA256
-          DHE-RSA-AES128-SHA
-          DHE-RSA-AES256-SHA
-          DHE-DSS-AES128-SHA256
-          DHE-DSS-AES256-SHA256
-          DHE-DSS-AES128-SHA
-          DHE-DSS-AES256-SHA
-          AES128-GCM-SHA256
-          AES256-GCM-SHA384
-          AES128-SHA256
-          AES256-SHA256
-          AES128-SHA
-          AES256-SHA
-          ECDHE-ECDSA-RC4-SHA
-          ECDHE-RSA-RC4-SHA
-          RC4-SHA
-        }.join(":"),
+        :verify_hostname => true,
         :options => -> {
           opts = OpenSSL::SSL::OP_ALL
           opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
@@ -63,18 +30,58 @@ class SSLContext
         }.call
       }
 
+      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+        DEFAULT_PARAMS.merge!(
+          ciphers: %w{
+            ECDHE-ECDSA-AES128-GCM-SHA256
+            ECDHE-RSA-AES128-GCM-SHA256
+            ECDHE-ECDSA-AES256-GCM-SHA384
+            ECDHE-RSA-AES256-GCM-SHA384
+            DHE-RSA-AES128-GCM-SHA256
+            DHE-DSS-AES128-GCM-SHA256
+            DHE-RSA-AES256-GCM-SHA384
+            DHE-DSS-AES256-GCM-SHA384
+            ECDHE-ECDSA-AES128-SHA256
+            ECDHE-RSA-AES128-SHA256
+            ECDHE-ECDSA-AES128-SHA
+            ECDHE-RSA-AES128-SHA
+            ECDHE-ECDSA-AES256-SHA384
+            ECDHE-RSA-AES256-SHA384
+            ECDHE-ECDSA-AES256-SHA
+            ECDHE-RSA-AES256-SHA
+            DHE-RSA-AES128-SHA256
+            DHE-RSA-AES256-SHA256
+            DHE-RSA-AES128-SHA
+            DHE-RSA-AES256-SHA
+            DHE-DSS-AES128-SHA256
+            DHE-DSS-AES256-SHA256
+            DHE-DSS-AES128-SHA
+            DHE-DSS-AES256-SHA
+            AES128-GCM-SHA256
+            AES256-GCM-SHA384
+            AES128-SHA256
+            AES256-SHA256
+            AES128-SHA
+            AES256-SHA
+          }.join(":"),
+        )
+      end
+
+      # :nodoc:
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
       DEFAULT_CERT_STORE.set_default_paths
       DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
 
+      # :nodoc:
       INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
         "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
         "verify_callback", "cert_store", "extra_chain_cert",
         "client_cert_cb", "session_id_context", "tmp_dh_callback",
         "session_get_cb", "session_new_cb", "session_remove_cb",
         "tmp_ecdh_callback", "servername_cb", "npn_protocols",
         "alpn_protocols", "alpn_select_cb",
-        "npn_select_cb"].map { |x| "@#{x}" }
+        "npn_select_cb", "verify_hostname"].map { |x| "@#{x}" }
 
       # A callback invoked when DH parameters are required.
       #
@@ -110,13 +117,17 @@ def initialize(version = nil)
       end
 
       ##
-      # Sets the parameters for this SSL context to the values in +params+.
+      # call-seq:
+      #   ctx.set_params(params = {}) -> params
+      #
+      # Sets saner defaults optimized for the use with HTTP-like protocols.
+      #
+      # If a Hash +params+ is given, the parameters are overridden with it.
       # The keys in +params+ must be assignment methods on SSLContext.
       #
       # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
       # cert_store are not set then the system default certificate store is
       # used.
-
       def set_params(params={})
         params = DEFAULT_PARAMS.merge(params)
         params.each{|name, value| self.__send__("#{name}=", value) }
@@ -251,10 +262,17 @@ class SSLSocket
         attr_reader :hostname
       end
 
-      attr_reader :io, :context
-      attr_accessor :sync_close
+      # The underlying IO object.
+      attr_reader :io
       alias :to_io :io
 
+      # The SSLContext object used in this connection.
+      attr_reader :context
+
+      # Whether to close the underlying socket as well, when the SSL/TLS
+      # connection is shut down. This defaults to +false+.
+      attr_accessor :sync_close
+
       # call-seq:
       #    ssl.sysclose => nil
       #
@@ -268,16 +286,19 @@ def sysclose
         io.close if sync_close
       end
 
-      ##
-      # Perform hostname verification after an SSL connection is established
+      # call-seq:
+      #   ssl.post_connection_check(hostname) -> true
+      #
+      # Perform hostname verification following RFC 6125.
       #
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
         if peer_cert.nil?
           msg = "Peer verification enabled, but no certificate received."
           if using_anon_cipher?
-            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
+                   "Anonymous suites must be disabled to use peer verification."
           end
           raise SSLError, msg
         end
@@ -288,6 +309,11 @@ def post_connection_check(hostname)
         return true
       end
 
+      # call-seq:
+      #   ssl.session -> aSession
+      #
+      # Returns the SSLSession object currently used, or nil if the session is
+      # not established.
       def session
         SSL::Session.new(self)
       rescue SSL::Session::SessionError

ext/openssl/openssl.gemspec

@@ -0,0 +1,45 @@
+# -*- encoding: utf-8 -*-
+# stub: openssl 2.0.0.beta.1 ruby lib
+# stub: ext/openssl/extconf.rb
+
+Gem::Specification.new do |s|
+  s.name = "openssl".freeze
+  s.version = "2.0.0.beta.1"
+
+  s.required_rubygems_version = Gem::Requirement.new("> 1.3.1".freeze) if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib".freeze]
+  s.authors = ["Martin Bosslet".freeze, "SHIBATA Hiroshi".freeze, "Zachary Scott".freeze, "Kazuki Yamaguchi".freeze]
+  s.date = "2016-08-29"
+  s.description = "It wraps the OpenSSL library.".freeze
+  s.email = ["ruby-core@ruby-lang.org".freeze]
+  s.extensions = ["ext/openssl/extconf.rb".freeze]
+  s.extra_rdoc_files = ["CONTRIBUTING.md".freeze, "History.md".freeze, "README.md".freeze]
+  s.files = ["BSDL".freeze, "CONTRIBUTING.md".freeze, "History.md".freeze, "LICENSE.txt".freeze, "README.md".freeze, "ext/openssl/deprecation.rb".freeze, "ext/openssl/extconf.rb".freeze, "ext/openssl/openssl_missing.c".freeze, "ext/openssl/openssl_missing.h".freeze, "ext/openssl/ossl.c".freeze, "ext/openssl/ossl.h".freeze, "ext/openssl/ossl_asn1.c".freeze, "ext/openssl/ossl_asn1.h".freeze, "ext/openssl/ossl_bio.c".freeze, "ext/openssl/ossl_bio.h".freeze, "ext/openssl/ossl_bn.c".freeze, "ext/openssl/ossl_bn.h".freeze, "ext/openssl/ossl_cipher.c".freeze, "ext/openssl/ossl_cipher.h".freeze, "ext/openssl/ossl_config.c".freeze, "ext/openssl/ossl_config.h".freeze, "ext/openssl/ossl_digest.c".freeze, "ext/openssl/ossl_digest.h".freeze, "ext/openssl/ossl_engine.c".freeze, "ext/openssl/ossl_engine.h".freeze, "ext/openssl/ossl_hmac.c".freeze, "ext/openssl/ossl_hmac.h".freeze, "ext/openssl/ossl_ns_spki.c".freeze, "ext/openssl/ossl_ns_spki.h".freeze, "ext/openssl/ossl_ocsp.c".freeze, "ext/openssl/ossl_ocsp.h".freeze, "ext/openssl/ossl_pkcs12.c".freeze, "ext/openssl/ossl_pkcs12.h".freeze, "ext/openssl/ossl_pkcs5.c".freeze, "ext/openssl/ossl_pkcs5.h".freeze, "ext/openssl/ossl_pkcs7.c".freeze, "ext/openssl/ossl_pkcs7.h".freeze, "ext/openssl/ossl_pkey.c".freeze, "ext/openssl/ossl_pkey.h".freeze, "ext/openssl/ossl_pkey_dh.c".freeze, "ext/openssl/ossl_pkey_dsa.c".freeze, "ext/openssl/ossl_pkey_ec.c".freeze, "ext/openssl/ossl_pkey_rsa.c".freeze, "ext/openssl/ossl_rand.c".freeze, "ext/openssl/ossl_rand.h".freeze, "ext/openssl/ossl_ssl.c".freeze, "ext/openssl/ossl_ssl.h".freeze, "ext/openssl/ossl_ssl_session.c".freeze, "ext/openssl/ossl_version.h".freeze, "ext/openssl/ossl_x509.c".freeze, "ext/openssl/ossl_x509.h".freeze, "ext/openssl/ossl_x509attr.c".freeze, "ext/openssl/ossl_x509cert.c".freeze, "ext/openssl/ossl_x509crl.c".freeze, "ext/openssl/ossl_x509ext.c".freeze, "ext/openssl/ossl_x509name.c".freeze, "ext/openssl/ossl_x509req.c".freeze, "ext/openssl/ossl_x509revoked.c".freeze, "ext/openssl/ossl_x509store.c".freeze, "ext/openssl/ruby_missing.h".freeze, "lib/openssl.rb".freeze, "lib/openssl/bn.rb".freeze, "lib/openssl/buffering.rb".freeze, "lib/openssl/cipher.rb".freeze, "lib/openssl/config.rb".freeze, "lib/openssl/digest.rb".freeze, "lib/openssl/pkey.rb".freeze, "lib/openssl/ssl.rb".freeze, "lib/openssl/x509.rb".freeze]
+  s.homepage = "https://www.ruby-lang.org/".freeze
+  s.licenses = ["Ruby".freeze]
+  s.rdoc_options = ["--main".freeze, "README.md".freeze]
+  s.required_ruby_version = Gem::Requirement.new(">= 2.3.0".freeze)
+  s.rubygems_version = "2.6.6".freeze
+  s.summary = "OpenSSL provides SSL, TLS and general purpose cryptography.".freeze
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rake>.freeze, ["~> 10.3"])
+      s.add_development_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
+      s.add_development_dependency(%q<test-unit>.freeze, ["~> 3.0"])
+      s.add_development_dependency(%q<rdoc>.freeze, ["~> 4.2"])
+    else
+      s.add_dependency(%q<rake>.freeze, ["~> 10.3"])
+      s.add_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
+      s.add_dependency(%q<test-unit>.freeze, ["~> 3.0"])
+      s.add_dependency(%q<rdoc>.freeze, ["~> 4.2"])
+    end
+  else
+    s.add_dependency(%q<rake>.freeze, ["~> 10.3"])
+    s.add_dependency(%q<rake-compiler>.freeze, ["~> 0.9"])
+    s.add_dependency(%q<test-unit>.freeze, ["~> 3.0"])
+    s.add_dependency(%q<rdoc>.freeze, ["~> 4.2"])
+  end
+end

ext/openssl/openssl_missing.c

@@ -150,7 +150,8 @@ HMAC_CTX_free(HMAC_CTX *ctx)
 
 #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
 void
-X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl)
+X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+			const X509_ALGOR **palg)
 {
     if (psig != NULL)
 	*psig = crl->signature;
@@ -161,7 +162,8 @@ X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl
 
 #if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
 void
-X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req)
+X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
+			const X509_ALGOR **palg)
 {
     if (psig != NULL)
 	*psig = req->signature;