Merge branch 'master' into ky/ssl-add-certificate

.travis.yml

@@ -21,7 +21,6 @@ matrix:
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.1
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.2
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.1.0
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.4
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.5
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.6
     - language: ruby

ext/openssl/openssl_missing.h

@@ -209,6 +209,10 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #  define X509_get0_notAfter(x) X509_get_notAfter(x)
 #  define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
 #  define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
+#  define X509_set1_notBefore(x, t) X509_set_notBefore(x, t)
+#  define X509_set1_notAfter(x, t) X509_set_notAfter(x, t)
+#  define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t)
+#  define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t)
 #endif
 
 #if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)

ext/openssl/ossl.c

@@ -1109,25 +1109,14 @@ Init_openssl(void)
     /*
      * Init all digests, ciphers
      */
-    /* CRYPTO_malloc_init(); */
-    /* ENGINE_load_builtin_engines(); */
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+    if (!OPENSSL_init_ssl(0, NULL))
+        rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl");
+#else
     OpenSSL_add_ssl_algorithms();
     OpenSSL_add_all_algorithms();
     ERR_load_crypto_strings();
     SSL_load_error_strings();
-
-    /*
-     * FIXME:
-     * On unload do:
-     */
-#if 0
-    CONF_modules_unload(1);
-    destroy_ui_method();
-    EVP_cleanup();
-    ENGINE_cleanup();
-    CRYPTO_cleanup_all_ex_data();
-    ERR_remove_state(0);
-    ERR_free_strings();
 #endif
 
     /*
@@ -1149,7 +1138,11 @@ Init_openssl(void)
     /*
      * Version of OpenSSL the ruby OpenSSL extension is running with
      */
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+    rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
+#else
     rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
+#endif
 
     /*
      * Version number of OpenSSL the ruby OpenSSL extension was built with

ext/openssl/ossl.h

@@ -35,6 +35,11 @@
 #if !defined(OPENSSL_NO_OCSP)
 #  include <openssl/ocsp.h>
 #endif
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/dh.h>
 
 /*
  * Common Module

ext/openssl/ossl_bn.c

@@ -979,20 +979,20 @@ static VALUE
 ossl_bn_hash(VALUE self)
 {
     BIGNUM *bn;
-    VALUE hash;
+    VALUE tmp, hash;
     unsigned char *buf;
     int len;
 
     GetBN(self, bn);
     len = BN_num_bytes(bn);
-    buf = xmalloc(len);
+    buf = ALLOCV(tmp, len);
     if (BN_bn2bin(bn, buf) != len) {
-	xfree(buf);
-	ossl_raise(eBNError, NULL);
+	ALLOCV_END(tmp);
+	ossl_raise(eBNError, "BN_bn2bin");
     }
 
     hash = ST2FIX(rb_memhash(buf, len));
-    xfree(buf);
+    ALLOCV_END(tmp);
 
     return hash;
 }

ext/openssl/ossl_cipher.c

@@ -508,7 +508,7 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
     StringValue(iv);
     GetCipher(self, ctx);
 
-    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
     if (!iv_len)
 	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
@@ -535,7 +535,7 @@ ossl_cipher_is_authenticated(VALUE self)
 
     GetCipher(self, ctx);
 
-    return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
+    return (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
 }
 
 /*
@@ -606,7 +606,7 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
 
     GetCipher(self, ctx);
 
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
 
     ret = rb_str_new(NULL, tag_len);
@@ -641,7 +641,7 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
     tag_len = RSTRING_LENINT(vtag);
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
@@ -668,7 +668,7 @@ ossl_cipher_set_auth_tag_len(VALUE self, VALUE vlen)
     EVP_CIPHER_CTX *ctx;
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "AEAD not supported by this cipher");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, NULL))
@@ -695,7 +695,7 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
     EVP_CIPHER_CTX *ctx;
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "cipher does not support AEAD");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL))
@@ -786,7 +786,7 @@ ossl_cipher_iv_length(VALUE self)
     int len = 0;
 
     GetCipher(self, ctx);
-    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
     if (!len)
 	len = EVP_CIPHER_CTX_iv_length(ctx);

ext/openssl/ossl_engine.c

@@ -46,13 +46,25 @@ VALUE eEngineError;
 /*
  * Private
  */
-#define OSSL_ENGINE_LOAD_IF_MATCH(x) \
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x) \
 do{\
-  if(!strcmp(#x, RSTRING_PTR(name))){\
-    ENGINE_load_##x();\
+  if(!strcmp(#engine_name, RSTRING_PTR(name))){\
+    if (OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_##x, NULL))\
+      return Qtrue;\
+    else\
+      ossl_raise(eEngineError, "OPENSSL_init_crypto"); \
+  }\
+}while(0)
+#else
+#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x)  \
+do{\
+  if(!strcmp(#engine_name, RSTRING_PTR(name))){\
+    ENGINE_load_##engine_name();\
     return Qtrue;\
   }\
 }while(0)
+#endif
 
 static void
 ossl_engine_free(void *engine)
@@ -94,55 +106,55 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
     StringValueCStr(name);
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #if HAVE_ENGINE_LOAD_DYNAMIC
-    OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+    OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC);
 #endif
 #if HAVE_ENGINE_LOAD_4758CCA
-    OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
+    OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA);
 #endif
 #if HAVE_ENGINE_LOAD_AEP
-    OSSL_ENGINE_LOAD_IF_MATCH(aep);
+    OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP);
 #endif
 #if HAVE_ENGINE_LOAD_ATALLA
-    OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+    OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA);
 #endif
 #if HAVE_ENGINE_LOAD_CHIL
-    OSSL_ENGINE_LOAD_IF_MATCH(chil);
+    OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL);
 #endif
 #if HAVE_ENGINE_LOAD_CSWIFT
-    OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+    OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT);
 #endif
 #if HAVE_ENGINE_LOAD_NURON
-    OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+    OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON);
 #endif
 #if HAVE_ENGINE_LOAD_SUREWARE
-    OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+    OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE);
 #endif
 #if HAVE_ENGINE_LOAD_UBSEC
-    OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+    OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC);
 #endif
 #if HAVE_ENGINE_LOAD_PADLOCK
-    OSSL_ENGINE_LOAD_IF_MATCH(padlock);
+    OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK);
 #endif
 #if HAVE_ENGINE_LOAD_CAPI
-    OSSL_ENGINE_LOAD_IF_MATCH(capi);
+    OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI);
 #endif
 #if HAVE_ENGINE_LOAD_GMP
-    OSSL_ENGINE_LOAD_IF_MATCH(gmp);
+    OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP);
 #endif
 #if HAVE_ENGINE_LOAD_GOST
-    OSSL_ENGINE_LOAD_IF_MATCH(gost);
+    OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST);
 #endif
 #if HAVE_ENGINE_LOAD_CRYPTODEV
-    OSSL_ENGINE_LOAD_IF_MATCH(cryptodev);
+    OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV);
 #endif
 #if HAVE_ENGINE_LOAD_AESNI
-    OSSL_ENGINE_LOAD_IF_MATCH(aesni);
+    OSSL_ENGINE_LOAD_IF_MATCH(aesni, AESNI);
 #endif
 #endif
 #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
-    OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
+    OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto, OPENBSD_DEV_CRYPTO);
 #endif
-    OSSL_ENGINE_LOAD_IF_MATCH(openssl);
+    OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL);
     rb_warning("no such builtin loader for `%"PRIsVALUE"'", name);
     return Qnil;
 #endif /* HAVE_ENGINE_LOAD_BUILTIN_ENGINES */
@@ -160,7 +172,9 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
 static VALUE
 ossl_engine_s_cleanup(VALUE self)
 {
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
     ENGINE_cleanup();
+#endif
     return Qnil;
 }