diff --git a/1887f60a8540f64f5c7bb14d57c0be70506941b8.patch b/1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
new file mode 100644
index 0000000..8999910
--- /dev/null
+++ b/1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
@@ -0,0 +1,24 @@
+From 1887f60a8540f64f5c7bb14d57c0be70506941b8 Mon Sep 17 00:00:00 2001
+From: mame
+Date: Sat, 29 May 2010 17:22:46 +0000
+Subject: [PATCH] * ext/zlib/zlib.c (zstream_append_input2): add RB_GC_GUARD.
+ This caused failure when test/csv is executed with GC.stress = true.
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28080 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ ChangeLog | 5 +++++
+ ext/zlib/zlib.c | 1 +
+ 2 files changed, 6 insertions(+), 0 deletions(-)
+
+Index: ext/zlib/zlib.c
+===================================================================
+--- ext/zlib/zlib.c.orig
++++ ext/zlib/zlib.c
+@@ -610,6 +610,7 @@ zstream_append_input(z, src, len)
+ }
+
+ #define zstream_append_input2(z,v)\
++ RB_GC_GUARD(v),\
+ zstream_append_input((z), RSTRING(v)->ptr, RSTRING(v)->len)
+
+ static void
diff --git a/ruby-1.8.6.p36_socket_ipv6.patch b/ruby-1.8.6.p36_socket_ipv6.patch
deleted file mode 100644
index e7228ba..0000000
--- a/ruby-1.8.6.p36_socket_ipv6.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: ext/socket/extconf.rb
-===================================================================
---- ext/socket/extconf.rb.orig
-+++ ext/socket/extconf.rb
-@@ -43,6 +43,7 @@ if enable_config("ipv6", default_ipv6)
- if checking_for("ipv6") {try_link(< - #include
-+int
- main()
- {
- socket(AF_INET6, SOCK_STREAM, 0);
-@@ -135,6 +136,7 @@ getaddr_info_ok = enable_config("wide-ge
- #define AF_LOCAL AF_UNIX
- #endif
-
-+int
- main()
- {
- int passive, gaierr, inet4 = 0, inet6 = 0;
diff --git a/ruby-1.8.7-p249.tar.bz2 b/ruby-1.8.7-p249.tar.bz2
deleted file mode 100644
index 519f682..0000000
--- a/ruby-1.8.7-p249.tar.bz2
+++ /dev/null
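Review bot: The guard added to `zstream_append_input2` only compiles when `v` is an lvalue, because `RB_GC_GUARD(v)` takes the address of its argument (in 1.8.7's ruby.h it expands to a volatile read through `&(v)`, as far as I recall), so every caller must pass a named `VALUE` rather than a call expression; a comment on the macro would spare the next person a puzzling compile error, e.g. `/* v must be an lvalue VALUE: RB_GC_GUARD takes its address so the String stays reachable while ptr/len are read */`. The commit message describes this as a GC.stress test failure, but what the guard presumably closes is the source String being collected while `RSTRING(v)->ptr` is still in use — a memory-safety fix that deserves to be named as such in the package changelog. Note also that the patch's diffstat lists a ChangeLog hunk that is not present, so applying it touches zlib.c only; harmless, but the header is misleading.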
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8b89448fc79df6862660e9f77e884f06c76da28f078d8edd2f17567a615f3af5
-size 4153461
diff --git a/ruby-1.8.7-p334.tar.bz2 b/ruby-1.8.7-p334.tar.bz2
new file mode 100644
index 0000000..b05e7cb
--- /dev/null
+++ b/ruby-1.8.7-p334.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e7f1a15fb2c205ac9eb0da804983b83bf8c0ffeb2f146d1eb9e0579ea2507da
+size 4190857
diff --git a/ruby-1.8.7.p299_date_remove_privat.patch b/ruby-1.8.7.p299_date_remove_privat.patch
new file mode 100644
index 0000000..9198126
--- /dev/null
+++ b/ruby-1.8.7.p299_date_remove_privat.patch
@@ -0,0 +1,15 @@
+=== lib/date.rb
+==================================================================
+Index: lib/date.rb
+===================================================================
+--- lib/date.rb.orig 2010-06-08 06:45:42.000000000 +0200
++++ lib/date.rb 2010-07-01 14:07:25.065690840 +0200
+@@ -1648,8 +1648,6 @@ class Time
+ DateTime.new!(DateTime.jd_to_ajd(jd, fr, of), of, DateTime::ITALY)
+ end
+
+- private :to_date, :to_datetime
+-
+ end
+
+ class Date
diff --git a/ruby-1.8.7.p22_lib64.patch b/ruby-1.8.7.p299_lib64.patch
similarity index 66%
rename from ruby-1.8.7.p22_lib64.patch
rename to ruby-1.8.7.p299_lib64.patch
index d5cb59b..4049d0b 100644
--- a/ruby-1.8.7.p22_lib64.patch
+++ b/ruby-1.8.7.p299_lib64.patch
@@ -1,8 +1,8 @@
 Index: configure.in
 ===================================================================
---- configure.in.orig 2008-06-15 12:28:47.000000000 +0200
-+++ configure.in 2008-06-21 04:19:24.713590544 +0200
-@@ -1366,7 +1366,7 @@ rb_cv_missing_fconvert=yes, rb_cv_missin
+--- configure.in.orig 2010-06-08 11:26:34.000000000 +0200
++++ configure.in 2010-07-01 14:07:03.849193105 +0200
+@@ -1433,7 +1433,7 @@ rb_cv_missing_fconvert=yes, rb_cv_missin
  if test "$rb_cv_missing_fconvert" = yes; then
  AC_DEFINE(MISSING_FCONVERT)
  fi
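Review bot: Dropping `private :to_date, :to_datetime` widens the public API of `Time` in this package relative to stock 1.8.7, and the new patch file gives no reason for it, so nobody can later tell whether it is still needed or safe to drop. Code that feature-detects with `respond_to?(:to_date)` or `Time.instance_methods.include?('to_date')` will get a different answer on this build than on upstream, which is exactly the kind of silent divergence a distro patch should document. I would add a rationale line above the `Index:` header, e.g. `# Make Time#to_date/#to_datetime public (later Ruby releases do); required by <consumer>, see <bug>`, with the actual consumer and tracker reference filled in.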
diff --git a/ruby-pedantic-headers.diff b/ruby-1.8.7.p299_pedantic-headers.patch
similarity index 61%
rename from ruby-pedantic-headers.diff
rename to ruby-1.8.7.p299_pedantic-headers.patch
index c42e5d8..9b01a64 100644
--- a/ruby-pedantic-headers.diff
+++ b/ruby-1.8.7.p299_pedantic-headers.patch
@@ -1,8 +1,8 @@
 Index: node.h
 ===================================================================
---- node.h.orig 2007-05-22 17:01:22.000000000 +0200
-+++ node.h 2007-12-06 22:26:07.621461094 +0100
-@@ -394,7 +394,7 @@ enum rb_thread_status {
+--- node.h.orig 2009-02-25 07:15:55.000000000 +0100
++++ node.h 2010-07-01 14:07:38.645191446 +0200
+@@ -395,7 +395,7 @@ enum rb_thread_status {
  THREAD_TO_KILL,
  THREAD_RUNNABLE,
  THREAD_STOPPED,
diff --git a/ruby-1.8.7.p299_webrick_error_page_encoding.patch b/ruby-1.8.7.p299_webrick_error_page_encoding.patch
new file mode 100644
index 0000000..d340be7
--- /dev/null
+++ b/ruby-1.8.7.p299_webrick_error_page_encoding.patch
@@ -0,0 +1,13 @@
+Index: lib/webrick/httpresponse.rb
+===================================================================
+--- lib/webrick/httpresponse.rb.orig 2008-06-06 10:05:24.000000000 +0200
++++ lib/webrick/httpresponse.rb 2010-07-01 17:58:35.585190988 +0200
+@@ -209,7 +209,7 @@ module WEBrick
+ @keep_alive = false
+ self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
+ end
+- @header['content-type'] = "text/html"
++ @header['content-type'] = "text/html; charset=utf-8"
+
+ if respond_to?(:create_error_page)
+ create_error_page()
diff --git a/ruby-1.8.7.p334_remove_zlib_test_params_test.patch b/ruby-1.8.7.p334_remove_zlib_test_params_test.patch
new file mode 100644
index 0000000..9ca141f
--- /dev/null
+++ b/ruby-1.8.7.p334_remove_zlib_test_params_test.patch
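Review bot: Declaring `charset=utf-8` on the generated error page is a sound hardening step — an HTML page with no declared encoding lets the browser guess, and encoding sniffing is a well-known way to turn otherwise-escaped output back into markup — but the patch records none of that, so a future rebase may drop it as cosmetic. The label is only accurate if what `create_error_page` interpolates (its body is outside this hunk; presumably the reason phrase and exception text) is UTF-8, and since 1.8 strings are raw bytes a non-UTF-8 message would now be mislabeled; browsers replace invalid sequences rather than sniff, which is still the safer failure. Other places where WEBrick defaults to `text/html` without a charset (directory listings, for instance) are not covered here and may warrant the same change. I would add a rationale line at the top of the patch: `# Declare the charset of generated error pages so browsers do not sniff the encoding of output that echoes request/exception data.`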
@@ -0,0 +1,72 @@
+Index: test/zlib/test_zlib.rb
+===================================================================
+--- test/zlib/test_zlib.rb.orig
++++ test/zlib/test_zlib.rb
+@@ -113,36 +113,36 @@ if defined? Zlib
+ assert_equal(true, z.closed?)
+ end
+
+- def test_params
+- z = Zlib::Deflate.new
+- z << "foo"
+- z.params(Zlib::DEFAULT_COMPRESSION, Zlib::DEFAULT_STRATEGY)
+- z << "bar"
+- s = z.finish
+- assert_equal("foobar", Zlib::Inflate.inflate(s))
+-
+- data = ('a'..'z').to_a.join
+- z = Zlib::Deflate.new(Zlib::NO_COMPRESSION, Zlib::MAX_WBITS,
+- Zlib::DEF_MEM_LEVEL, Zlib::DEFAULT_STRATEGY)
+- z << data[0, 10]
+- z.params(Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)
+- z << data[10 .. -1]
+- assert_equal(data, Zlib::Inflate.inflate(z.finish))
+-
+- z = Zlib::Deflate.new
+- s = z.deflate("foo", Zlib::FULL_FLUSH)
+- z.avail_out = 0
+- z.params(Zlib::NO_COMPRESSION, Zlib::FILTERED)
+- s << z.deflate("bar", Zlib::FULL_FLUSH)
+- z.avail_out = 0
+- z.params(Zlib::BEST_COMPRESSION, Zlib::HUFFMAN_ONLY)
+- s << z.deflate("baz", Zlib::FINISH)
+- assert_equal("foobarbaz", Zlib::Inflate.inflate(s))
+-
+- z = Zlib::Deflate.new
+- assert_raise(Zlib::StreamError) { z.params(10000, 10000) }
+- z.close # without this, outputs `zlib(finalizer): the stream was freed prematurely.'
+- end
++# def test_params
++# z = Zlib::Deflate.new
++# z << "foo"
++# z.params(Zlib::DEFAULT_COMPRESSION, Zlib::DEFAULT_STRATEGY)
++# z << "bar"
++# s = z.finish
++# assert_equal("foobar", Zlib::Inflate.inflate(s))
++#
++# data = ('a'..'z').to_a.join
++# z = Zlib::Deflate.new(Zlib::NO_COMPRESSION, Zlib::MAX_WBITS,
++# Zlib::DEF_MEM_LEVEL, Zlib::DEFAULT_STRATEGY)
++# z << data[0, 10]
++# z.params(Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)
++# z << data[10 ..
-1] ++# assert_equal(data, Zlib::Inflate.inflate(z.finish))
++#
++# z = Zlib::Deflate.new
++# s = z.deflate("foo", Zlib::FULL_FLUSH)
++# z.avail_out = 0
++# z.params(Zlib::NO_COMPRESSION, Zlib::FILTERED)
++# s << z.deflate("bar", Zlib::FULL_FLUSH)
++# z.avail_out = 0
++# z.params(Zlib::BEST_COMPRESSION, Zlib::HUFFMAN_ONLY)
++# s << z.deflate("baz", Zlib::FINISH)
++# assert_equal("foobarbaz", Zlib::Inflate.inflate(s))
++#
++# z = Zlib::Deflate.new
++# assert_raise(Zlib::StreamError) { z.params(10000, 10000) }
++# z.close # without this, outputs `zlib(finalizer): the stream was freed prematurely.'
++# end
+
+ def test_set_dictionary
+ z = Zlib::Deflate.new
+
diff --git a/ruby-1.8.7-p72_topdir.patch b/ruby-1.8.7.p72_topdir.patch
similarity index 100%
rename from ruby-1.8.7-p72_topdir.patch
rename to ruby-1.8.7.p72_topdir.patch
diff --git a/ruby-1.8.7-p72_vendor_specific.patch b/ruby-1.8.7.p72_vendor_specific.patch
similarity index 100%
rename from ruby-1.8.7-p72_vendor_specific.patch
rename to ruby-1.8.7.p72_vendor_specific.patch
diff --git a/ruby-1.8.x_openssl-1.0-tests.patch b/ruby-1.8.x_openssl-1.0-tests.patch
deleted file mode 100644
index 2fae89b..0000000
--- a/ruby-1.8.x_openssl-1.0-tests.patch
+++ /dev/null
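Review bot: Commenting out all of `test_params` removes the only coverage of `Zlib::Deflate#params` being switched mid-stream with `avail_out = 0`, and leaves no record of why it fails on this platform, so a genuine wrong-output regression in that path would now ship unnoticed and nobody can judge when the test is safe to bring back. A skip with a stated reason keeps both the intent and the code intact: leave the method body as it was and put `return # disabled in packaging: fails here with <observed error>, see <bug/changelog reference>` as its first statement, or delete the method outright with the reason in the patch header, rather than carrying thirty commented-out lines. Either way the pointer to the observed failure is the essential part; without it the next zlib update has nothing to check against. The patch also applies to a file whose enclosing `if defined? Zlib` block starts outside this hunk.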
@@ -1,1465 +0,0 @@ -Index: test/openssl/test_x509store.rb -=================================================================== ---- test/openssl/test_x509store.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_x509store.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -4,6 +4,7 @@ - rescue LoadError - end - require "test/unit" -+require "tempfile" - - if defined?(OpenSSL) - -@@ -198,7 +199,7 @@ - nil, nil, OpenSSL::Digest::SHA1.new) - store = OpenSSL::X509::Store.new - store.add_cert(ca1_cert) -- assert_raises(OpenSSL::X509::StoreError){ -+ assert_raise(OpenSSL::X509::StoreError){ - store.add_cert(ca1_cert) # add same certificate twice - } - -@@ -209,10 +210,37 @@ - crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], - ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - store.add_crl(crl1) -- assert_raises(OpenSSL::X509::StoreError){ -+ assert_raise(OpenSSL::X509::StoreError){ - store.add_crl(crl2) # add CRL issued by same CA twice. - } - end -+ -+ def test_add_file -+ ca1_cert = < e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ -+ begin -+ assert_equal(false, cert_dsa.verify(@rsa1024)) -+ rescue OpenSSL::X509::CertificateError => e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ end -+ - def test_sign_and_verify - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::SHA1.new) -+ nil, nil, OpenSSL::Digest::SHA1.new) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(true, cert.verify(@rsa2048)) -- assert_equal(false, cert.verify(@dsa256)) -- assert_equal(false, cert.verify(@dsa512)) - cert.serial = 2 - assert_equal(false, cert.verify(@rsa2048)) - - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::MD5.new) -+ nil, nil, OpenSSL::Digest::MD5.new) - assert_equal(false, cert.verify(@rsa1024)) - assert_equal(true, 
cert.verify(@rsa2048)) -- assert_equal(false, cert.verify(@dsa256)) -- assert_equal(false, cert.verify(@dsa512)) - cert.subject = @ee1 - assert_equal(false, cert.verify(@rsa2048)) - - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::DSS1.new) -- assert_equal(false, cert.verify(@rsa1024)) -- assert_equal(false, cert.verify(@rsa2048)) -+ nil, nil, OpenSSL::Digest::DSS1.new) - assert_equal(false, cert.verify(@dsa256)) - assert_equal(true, cert.verify(@dsa512)) -- cert.not_after = Time.now -+ cert.not_after = Time.now - assert_equal(false, cert.verify(@dsa512)) -+ end - -- assert_raises(OpenSSL::X509::CertificateError){ -+ def test_dsig_algorithm_mismatch -+ assert_raise(OpenSSL::X509::CertificateError) do - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::DSS1.new) -- } -- assert_raises(OpenSSL::X509::CertificateError){ -+ nil, nil, OpenSSL::Digest::DSS1.new) -+ end -+ assert_raise(OpenSSL::X509::CertificateError) do - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::MD5.new) -- } -- assert_raises(OpenSSL::X509::CertificateError){ -- cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], -- nil, nil, OpenSSL::Digest::SHA1.new) -- } -+ nil, nil, OpenSSL::Digest::MD5.new) -+ end - end -+ -+ def test_dsa_with_sha2 -+ begin -+ cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], -+ nil, nil, OpenSSL::Digest::SHA256.new) -+ assert_equal("dsa_with_SHA256", cert.signature_algorithm) -+ rescue OpenSSL::X509::CertificateError -+ # dsa_with_sha2 not supported. skip following test. 
-+ return -+ end -+ # TODO: need more tests for dsa + sha2 -+ -+ # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requireds DSS1) -+ cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], -+ nil, nil, OpenSSL::Digest::SHA1.new) -+ assert_equal("dsaWithSHA1", cert.signature_algorithm) -+ end -+ -+ def test_check_private_key -+ cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], -+ nil, nil, OpenSSL::Digest::SHA1.new) -+ assert_equal(true, cert.check_private_key(@rsa2048)) -+ end -+ -+ def test_to_text -+ cert_pem = < e -+ # just an exception for longer dgst before openssl-0.9.8m -+ assert_equal('ECDSA_sign: data too large for key size', e.message) -+ # no need to do following tests -+ return -+ end -+ end -+ end -+ - def test_dh_compute_key - for key in @keys - k = OpenSSL::PKey::EC.new(key.group) -Index: test/openssl/test_pkcs7.rb -=================================================================== ---- test/openssl/test_pkcs7.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_pkcs7.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -28,6 +28,7 @@ - ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], - ["authorityKeyIdentifier","keyid:always",false], - ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], -+ ["nsCertType","client,email",false], - ] - @ee1_cert = issue_cert(ee1, @rsa1024, 2, Time.now, Time.now+1800, ee_exts, - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) -@@ -35,7 +36,7 @@ - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - end - -- def issue_cert(*args) -+ def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - -@@ -46,6 +47,127 @@ - - data = "aaaaa\r\nbbbbb\r\nccccc\r\n" - tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs) -+ p7 = OpenSSL::PKCS7.new(tmp.to_der) -+ certs = p7.certificates -+ signers = p7.signers -+ assert(p7.verify([], store)) -+ assert_equal(data, p7.data) -+ assert_equal(2, certs.size) -+ assert_equal(@ee1_cert.subject.to_s, 
certs[0].subject.to_s) -+ assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) -+ assert_equal(1, signers.size) -+ assert_equal(@ee1_cert.serial, signers[0].serial) -+ assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) -+ -+ # Normaly OpenSSL tries to translate the supplied content into canonical -+ # MIME format (e.g. a newline character is converted into CR+LF). -+ # If the content is a binary, PKCS7::BINARY flag should be used. -+ -+ data = "aaaaa\nbbbbb\nccccc\n" -+ flag = OpenSSL::PKCS7::BINARY -+ tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag) -+ p7 = OpenSSL::PKCS7.new(tmp.to_der) -+ certs = p7.certificates -+ signers = p7.signers -+ assert(p7.verify([], store)) -+ assert_equal(data, p7.data) -+ assert_equal(2, certs.size) -+ assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s) -+ assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) -+ assert_equal(1, signers.size) -+ assert_equal(@ee1_cert.serial, signers[0].serial) -+ assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) -+ -+ # A signed-data which have multiple signatures can be created -+ # through the following steps. -+ # 1. create two signed-data -+ # 2. 
copy signerInfo and certificate from one to another -+ -+ tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag) -+ tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag) -+ tmp1.add_signer(tmp2.signers[0]) -+ tmp1.add_certificate(@ee2_cert) -+ -+ p7 = OpenSSL::PKCS7.new(tmp1.to_der) -+ certs = p7.certificates -+ signers = p7.signers -+ assert(p7.verify([], store)) -+ assert_equal(data, p7.data) -+ assert_equal(2, certs.size) -+ assert_equal(2, signers.size) -+ assert_equal(@ee1_cert.serial, signers[0].serial) -+ assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) -+ assert_equal(@ee2_cert.serial, signers[1].serial) -+ assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s) -+ end -+ -+ def test_detached_sign -+ store = OpenSSL::X509::Store.new -+ store.add_cert(@ca_cert) -+ ca_certs = [@ca_cert] -+ -+ data = "aaaaa\nbbbbb\nccccc\n" -+ flag = OpenSSL::PKCS7::BINARY|OpenSSL::PKCS7::DETACHED -+ tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag) -+ p7 = OpenSSL::PKCS7.new(tmp.to_der) -+ a1 = OpenSSL::ASN1.decode(p7) -+ -+ certs = p7.certificates -+ signers = p7.signers -+ assert(!p7.verify([], store)) -+ assert(p7.verify([], store, data)) -+ assert_equal(data, p7.data) -+ assert_equal(2, certs.size) -+ assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s) -+ assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s) -+ assert_equal(1, signers.size) -+ assert_equal(@ee1_cert.serial, signers[0].serial) -+ assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) -+ end -+ -+ def test_enveloped -+ if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f -+ # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV. 
-+ # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html -+ return -+ end -+ -+ certs = [@ee1_cert, @ee2_cert] -+ cipher = OpenSSL::Cipher::AES.new("128-CBC") -+ data = "aaaaa\nbbbbb\nccccc\n" -+ -+ tmp = OpenSSL::PKCS7.encrypt(certs, data, cipher, OpenSSL::PKCS7::BINARY) -+ p7 = OpenSSL::PKCS7.new(tmp.to_der) -+ recip = p7.recipients -+ assert_equal(:enveloped, p7.type) -+ assert_equal(2, recip.size) -+ -+ assert_equal(@ca_cert.subject.to_s, recip[0].issuer.to_s) -+ assert_equal(2, recip[0].serial) -+ assert_equal(data, p7.decrypt(@rsa1024, @ee1_cert)) -+ -+ assert_equal(@ca_cert.subject.to_s, recip[1].issuer.to_s) -+ assert_equal(3, recip[1].serial) -+ assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert)) -+ end -+ -+ def silent -+ begin -+ back, $VERBOSE = $VERBOSE, nil -+ yield -+ ensure -+ $VERBOSE = back if back -+ end -+ end -+ -+ def test_signed_pkcs7_pkcs7 -+ silent do -+ store = OpenSSL::X509::Store.new -+ store.add_cert(@ca_cert) -+ ca_certs = [@ca_cert] -+ -+ data = "aaaaa\r\nbbbbb\r\nccccc\r\n" -+ tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs) - p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der) - certs = p7.certificates - signers = p7.signers -@@ -77,7 +199,7 @@ - assert_equal(@ee1_cert.serial, signers[0].serial) - assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) - -- # A signed-data which have multiple signatures can be created -+ # A signed-data which have multiple signatures can be created - # through the following steps. - # 1. create two signed-data - # 2. 
copy signerInfo and certificate from one to another -@@ -85,7 +207,7 @@ - tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag) - tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag) - tmp1.add_signer(tmp2.signers[0]) -- tmp1.add_certificate(@ee2_cert) -+ tmp1.add_certificate(@ee2_cert) - - p7 = OpenSSL::PKCS7::PKCS7.new(tmp1.to_der) - certs = p7.certificates -@@ -99,8 +221,10 @@ - assert_equal(@ee2_cert.serial, signers[1].serial) - assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s) - end -+ end - -- def test_detached_sign -+ def test_detached_sign_pkcs7_pkcs7 -+ silent do - store = OpenSSL::X509::Store.new - store.add_cert(@ca_cert) - ca_certs = [@ca_cert] -@@ -123,8 +247,10 @@ - assert_equal(@ee1_cert.serial, signers[0].serial) - assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s) - end -+ end - -- def test_enveloped -+ def test_enveloped_pkcs7_pkcs7 -+ silent do - if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x0090704f - # PKCS7_encrypt() of OpenSSL-0.9.7d goes to SEGV. 
- # http://www.mail-archive.com/openssl-dev@openssl.org/msg17376.html -@@ -149,6 +275,7 @@ - assert_equal(3, recip[1].serial) - assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert)) - end -+ end - end - - end -Index: test/openssl/ssl_server.rb -=================================================================== ---- test/openssl/ssl_server.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/ssl_server.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -53,7 +53,7 @@ - port = port + i - break - rescue Errno::EADDRINUSE -- next -+ next - end - } - ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) -Index: test/openssl/utils.rb -=================================================================== ---- test/openssl/utils.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/utils.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -96,16 +96,16 @@ - cert - end - -- def issue_crl(revoke_info, serial, lastup, nextup, extensions, -+ def issue_crl(revoke_info, serial, lastup, nextup, extensions, - issuer, issuer_key, digest) - crl = OpenSSL::X509::CRL.new - crl.issuer = issuer.subject - crl.version = 1 - crl.last_update = lastup - crl.next_update = nextup -- revoke_info.each{|serial, time, reason_code| -+ revoke_info.each{|rserial, time, reason_code| - revoked = OpenSSL::X509::Revoked.new -- revoked.serial = serial -+ revoked.serial = rserial - revoked.time = time - enum = OpenSSL::ASN1::Enumerated(reason_code) - ext = OpenSSL::X509::Extension.new("CRLReason", enum) -Index: test/openssl/test_ssl.rb -=================================================================== ---- test/openssl/test_ssl.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_ssl.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -6,6 +6,8 @@ - require "rbconfig" - require "socket" - require "test/unit" -+require 'tempfile' -+ - begin - loadpath = $:.dup - $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) -@@ -58,6 +60,20 @@ - 
OpenSSL::TestUtils.issue_crl(*arg) - end - -+ def choose_port(port) -+ tcps = nil -+ 100.times{ |i| -+ begin -+ tcps = TCPServer.new("127.0.0.1", port+i) -+ port = port + i -+ break -+ rescue Errno::EADDRINUSE -+ next -+ end -+ } -+ return tcps, port -+ end -+ - def readwrite_loop(ctx, ssl) - while line = ssl.gets - if line =~ /^STARTTLS$/ -@@ -78,22 +94,22 @@ - begin - ssl = ssls.accept - rescue OpenSSL::SSL::SSLError -- retry -+ retry - end - - Thread.start do -- Thread.current.abort_on_exception = true -+ Thread.current.abort_on_exception = true - server_proc.call(ctx, ssl) - end - end -- rescue Errno::EBADF, IOError -+ rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED - end - - def start_server(port0, verify_mode, start_immediately, args = {}, &block) - ctx_proc = args[:ctx_proc] - server_proc = args[:server_proc] - server_proc ||= method(:readwrite_loop) -- -+ - store = OpenSSL::X509::Store.new - store.add_cert(@ca_cert) - store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT -@@ -106,8 +122,7 @@ - ctx_proc.call(ctx) if ctx_proc - - Socket.do_not_reverse_lookup = true -- tcps = nil -- port = port0 -+ tcps, port = choose_port(port0) - begin - tcps = TCPServer.new("127.0.0.1", port) - rescue Errno::EADDRINUSE -@@ -120,22 +135,33 @@ - - begin - server = Thread.new do -- Thread.current.abort_on_exception = true -+ Thread.current.abort_on_exception = true - server_loop(ctx, ssls, server_proc) - end - -- $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG -+ $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG - - block.call(server, port.to_i) - ensure -- tcps.close if (tcps) -- if (server) -- server.join(5) -- if server.alive? -- server.kill -- server.join -- flunk("TCPServer was closed and SSLServer is still alive") unless $! -+ begin -+ begin -+ tcps.shutdown -+ rescue Errno::ENOTCONN -+ # when `Errno::ENOTCONN: Socket is not connected' on some platforms, -+ # call #close instead of #shutdown. 
-+ tcps.close -+ tcps = nil -+ end if (tcps) -+ if (server) -+ server.join(5) -+ if server.alive? -+ server.kill -+ server.join -+ flunk("TCPServer was closed and SSLServer is still alive") unless $! -+ end - end -+ ensure -+ tcps.close if (tcps) - end - end - end -@@ -180,6 +206,8 @@ - ssl.sync_close = true - ssl.connect - -+ assert_raise(ArgumentError) { ssl.sysread(-1) } -+ - # syswrite and sysread - ITERATIONS.times{|i| - str = "x" * 100 + "\n" -@@ -193,6 +221,13 @@ - assert_equal(str, buf) - } - -+ # puts and gets -+ ITERATIONS.times{ -+ str = "x" * 100 + "\n" -+ ssl.puts(str) -+ assert_equal(str, ssl.gets) -+ } -+ - # read and write - ITERATIONS.times{|i| - str = "x" * 100 + "\n" -@@ -213,7 +248,7 @@ - def test_client_auth - vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT - start_server(PORT, vflag, true){|server, port| -- assert_raises(OpenSSL::SSL::SSLError){ -+ assert_raise(OpenSSL::SSL::SSLError){ - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.connect -@@ -247,6 +282,82 @@ - } - end - -+ def test_client_auth_with_server_store -+ vflag = OpenSSL::SSL::VERIFY_PEER -+ -+ localcacert_file = Tempfile.open("cafile") -+ localcacert_file << @ca_cert.to_pem -+ localcacert_file.close -+ localcacert_path = localcacert_file.path -+ -+ ssl_store = OpenSSL::X509::Store.new -+ ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY -+ ssl_store.add_file(localcacert_path) -+ -+ args = {} -+ args[:ctx_proc] = proc { |server_ctx| -+ server_ctx.cert = @svr_cert -+ server_ctx.key = @svr_key -+ server_ctx.verify_mode = vflag -+ server_ctx.cert_store = ssl_store -+ } -+ -+ start_server(PORT, vflag, true, args){|server, port| -+ ctx = OpenSSL::SSL::SSLContext.new -+ ctx.cert = @cli_cert -+ ctx.key = @cli_key -+ sock = TCPSocket.new("127.0.0.1", port) -+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) -+ ssl.sync_close = true -+ ssl.connect -+ ssl.puts("foo") -+ assert_equal("foo\n", ssl.gets) -+ ssl.close -+ 
localcacert_file.unlink -+ } -+ end -+ -+ def test_client_crl_with_server_store -+ vflag = OpenSSL::SSL::VERIFY_PEER -+ -+ localcacert_file = Tempfile.open("cafile") -+ localcacert_file << @ca_cert.to_pem -+ localcacert_file.close -+ localcacert_path = localcacert_file.path -+ -+ ssl_store = OpenSSL::X509::Store.new -+ ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY -+ ssl_store.add_file(localcacert_path) -+ ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK -+ -+ crl = issue_crl([], 1, Time.now, Time.now+1600, [], -+ @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new) -+ -+ ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem)) -+ -+ args = {} -+ args[:ctx_proc] = proc { |server_ctx| -+ server_ctx.cert = @svr_cert -+ server_ctx.key = @svr_key -+ server_ctx.verify_mode = vflag -+ server_ctx.cert_store = ssl_store -+ } -+ -+ start_server(PORT, vflag, true, args){|s, p| -+ ctx = OpenSSL::SSL::SSLContext.new -+ ctx.cert = @cli_cert -+ ctx.key = @cli_key -+ assert_raise(OpenSSL::SSL::SSLError){ -+ sock = TCPSocket.new("127.0.0.1", p) -+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) -+ ssl.sync_close = true -+ ssl.connect -+ ssl.close -+ } -+ localcacert_file.unlink -+ } -+ end -+ - def test_starttls - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port| - sock = TCPSocket.new("127.0.0.1", port) -@@ -352,10 +463,10 @@ - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.connect -- assert_raises(sslerr){ssl.post_connection_check("localhost.localdomain")} -- assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} -+ assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")} -+ assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} - assert(ssl.post_connection_check("localhost")) -- assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} -+ assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} - - cert = ssl.peer_cert - 
assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) -@@ -378,8 +489,8 @@ - ssl.connect - assert(ssl.post_connection_check("localhost.localdomain")) - assert(ssl.post_connection_check("127.0.0.1")) -- assert_raises(sslerr){ssl.post_connection_check("localhost")} -- assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} -+ assert_raise(sslerr){ssl.post_connection_check("localhost")} -+ assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} - - cert = ssl.peer_cert - assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) -@@ -400,9 +511,9 @@ - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.connect - assert(ssl.post_connection_check("localhost.localdomain")) -- assert_raises(sslerr){ssl.post_connection_check("127.0.0.1")} -- assert_raises(sslerr){ssl.post_connection_check("localhost")} -- assert_raises(sslerr){ssl.post_connection_check("foo.example.com")} -+ assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")} -+ assert_raise(sslerr){ssl.post_connection_check("localhost")} -+ assert_raise(sslerr){ssl.post_connection_check("foo.example.com")} - cert = ssl.peer_cert - assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain")) - assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1")) -@@ -494,7 +605,7 @@ - ctx.session_add(saved_session) - end - connections += 1 -- -+ - readwrite_loop(ctx, ssl) - end - -@@ -532,6 +643,50 @@ - end - end - end -+ -+ def test_tlsext_hostname -+ return unless OpenSSL::SSL::SSLSocket.instance_methods.include?("hostname") -+ -+ ctx_proc = Proc.new do |ctx, ssl| -+ foo_ctx = ctx.dup -+ -+ ctx.servername_cb = Proc.new do |ssl2, hostname| -+ case hostname -+ when 'foo.example.com' -+ foo_ctx -+ when 'bar.example.com' -+ nil -+ else -+ raise "unknown hostname #{hostname.inspect}" -+ end -+ end -+ end -+ -+ server_proc = Proc.new do |ctx, ssl| -+ readwrite_loop(ctx, ssl) -+ end -+ -+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, 
true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port| -+ 2.times do |i| -+ sock = TCPSocket.new("127.0.0.1", port) -+ ctx = OpenSSL::SSL::SSLContext.new -+ if defined?(OpenSSL::SSL::OP_NO_TICKET) -+ # disable RFC4507 support -+ ctx.options = OpenSSL::SSL::OP_NO_TICKET -+ end -+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) -+ ssl.sync_close = true -+ ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com' -+ ssl.connect -+ -+ str = "x" * 100 + "\n" -+ ssl.puts(str) -+ assert_equal(str, ssl.gets) -+ -+ ssl.close -+ end -+ end -+ end - end - - end -Index: test/openssl/max.pem -=================================================================== ---- test/openssl/max.pem (.../ruby_1_8_7/test/openssl) (revision 0) -+++ test/openssl/max.pem (.../ruby_1_8/test/openssl) (revision 27451) -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE4zCCA8ugAwIBAgIDBbhlMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJB -+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp -+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR4wHAYDVQQLDBVhLXNpZ24tUHJl -+bWl1bS1FbmMtMDIxHjAcBgNVBAMMFWEtc2lnbi1QcmVtaXVtLUVuYy0wMjAeFw0w -+OTA2MjYwOTExMzZaFw0xNDA2MjYwOTExMzZaMGAxCzAJBgNVBAYTAkFUMRcwFQYD -+VQQDDA5NYXggTXVzdGVybWFubjETMBEGA1UEBAwKTXVzdGVybWFubjEMMAoGA1UE -+KgwDTWF4MRUwEwYDVQQFEww3NTkzNjIxNTE2MTYwgd8wDQYJKoZIhvcNAQEBBQAD -+gc0AMIHJAoHBAO+1eEcrMoYJ2S2iybcqUEzIxKQ9yJJL0XRNQSrKo/bDOBibfQ3H -+E/TExiivgdXG2p0UjuPO1NEFgxhT5gtdaLthV2Kuokb+vbp3mWoUGz+uHIILT2zJ -+TG6Yz6sooi/ppNIagFx3qAdFes8QMAereZQp0zzphK/a21FTLk0GVHpw+DWn7NRn -+ynDVY0XgFkHXS4uHSfZDhzMGXVef3+SJLQzsV8R1ThMYQeoizA7tj6hT3YeBID2E -+lh86V1Z8XuznUQIDAQABo4IBsDCCAawwEwYDVR0jBAwwCoAIRyFHjpdh4x4wewYI -+KwYBBQUHAQEEbzBtMEIGCCsGAQUFBzAChjZodHRwOi8vd3d3LmEtdHJ1c3QuYXQv -+Y2VydHMvYS1zaWduLVByZW1pdW0tRW5jLTAyYS5jcnQwJwYIKwYBBQUHMAGGG2h0 -+dHA6Ly9vY3NwLmEtdHJ1c3QuYXQvb2NzcDBNBgNVHSAERjBEMEIGBiooABEBDDA4 -+MDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmEtdHJ1c3QuYXQvZG9jcy9jcC9hLXNp 
-+Z24tdG9rZW4wgZoGA1UdHwSBkjCBjzCBjKCBiaCBhoaBg2xkYXA6Ly9sZGFwLmEt -+dHJ1c3QuYXQvb3U9YS1zaWduLVByZW1pdW0tRW5jLTAyLG89QS1UcnVzdCxjPUFU -+P2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q/YmFzZT9vYmplY3RjbGFzcz1laWRD -+ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBEGA1UdDgQKBAhMueHceqw1zzAOBgNVHQ8B -+Af8EBAMCBLAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEASLyAbafKFN5h -+0Mkk0QQoUl4Uvl+yy2ECe/QWNmDQpd7UCw1UAKrMvR8p6OcBiTnvbvg1HnbWI3Hy -+BaEhGAhb1tziWkbV93z1NQCIt8hmdqE7GEp58ptYSuzwev6rgO/RZIxI9FCQn9kJ -+ruGTM8hOIkh3QEy7Mq6utquMOEO0hQSUOvZkJdaSqHAoh2I3SzsxGr3juAa61x+0 -+K8kW1ZgIsc0jhhb3NOyso48AqDK6oqwfiC6fp/HzSB5gycLllWrgUnMeae6Axbag -+dImyOtaoxhIwZCr1tjTaQmaNK49kpvDGlIuDIQHf8uZgAoyduQfAvwiQ0llu5Ns2 -+AOs41se+Gg== -+-----END CERTIFICATE----- - -Property changes on: max.pem -___________________________________________________________________ -Added: svn:eol-style - + LF - -Index: test/openssl/test_config.rb -=================================================================== ---- test/openssl/test_config.rb (.../ruby_1_8_7/test/openssl) (revision 0) -+++ test/openssl/test_config.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -0,0 +1,16 @@ -+require 'openssl' -+require "test/unit" -+ -+class OpenSSL::TestConfig < Test::Unit::TestCase -+ def test_freeze -+ c = OpenSSL::Config.new -+ c['foo'] = [['key', 'value']] -+ c.freeze -+ -+ # [ruby-core:18377] -+ # RuntimeError for 1.9, TypeError for 1.8 -+ assert_raise(TypeError, /frozen/) do -+ c['foo'] = [['key', 'wrong']] -+ end -+ end -+end - -Property changes on: test_config.rb -___________________________________________________________________ -Added: svn:eol-style - + LF - -Index: test/openssl/test_x509name.rb -=================================================================== ---- test/openssl/test_x509name.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_x509name.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -6,6 +6,8 @@ - - if defined?(OpenSSL) - -+require 'digest/md5' -+ - class OpenSSL::TestX509Name < 
Test::Unit::TestCase - OpenSSL::ASN1::ObjectId.register( - "1.2.840.113549.1.9.1", "emailAddress", "emailAddress") -@@ -261,6 +263,28 @@ - assert_equal(OpenSSL::ASN1::IA5STRING, ary[3][2]) - assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[4][2]) - end -+ -+ def name_hash(name) -+ # OpenSSL 1.0.0 uses SHA1 for canonical encoding (not just a der) of -+ # X509Name for X509_NAME_hash. -+ name.respond_to?(:hash_old) ? name.hash_old : name.hash -+ end -+ -+ def calc_hash(d) -+ (d[0] & 0xff) | (d[1] & 0xff) << 8 | (d[2] & 0xff) << 16 | (d[3] & 0xff) << 24 -+ end -+ -+ def test_hash -+ dn = "/DC=org/DC=ruby-lang/CN=www.ruby-lang.org" -+ name = OpenSSL::X509::Name.parse(dn) -+ d = Digest::MD5.digest(name.to_der) -+ assert_equal(calc_hash(d), name_hash(name)) -+ # -+ dn = "/DC=org/DC=ruby-lang/CN=baz.ruby-lang.org" -+ name = OpenSSL::X509::Name.parse(dn) -+ d = Digest::MD5.digest(name.to_der) -+ assert_equal(calc_hash(d), name_hash(name)) -+ end - end - - end -Index: test/openssl/test_x509crl.rb -=================================================================== ---- test/openssl/test_x509crl.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_x509crl.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -125,13 +125,13 @@ - def test_extension - cert_exts = [ - ["basicConstraints", "CA:TRUE", true], -- ["subjectKeyIdentifier", "hash", false], -- ["authorityKeyIdentifier", "keyid:always", false], -+ ["subjectKeyIdentifier", "hash", false], -+ ["authorityKeyIdentifier", "keyid:always", false], - ["subjectAltName", "email:xyzzy@ruby-lang.org", false], - ["keyUsage", "cRLSign, keyCertSign", true], - ] - crl_exts = [ -- ["authorityKeyIdentifier", "keyid:always", false], -+ ["authorityKeyIdentifier", "keyid:always", false], - ["issuerAltName", "issuer:copy", false], - ] - -@@ -190,6 +190,30 @@ - assert_match((2**100).to_s, crl.extensions[0].value) - end - -+ def test_sign_and_verify_wrong_key_type -+ cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, 
Time.now+3600, [], -+ nil, nil, OpenSSL::Digest::SHA1.new) -+ crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [], -+ cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new) -+ cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], -+ nil, nil, OpenSSL::Digest::DSS1.new) -+ crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [], -+ cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new) -+ begin -+ assert_equal(false, crl_rsa.verify(@dsa256)) -+ rescue OpenSSL::X509::CRLError => e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ -+ begin -+ assert_equal(false, crl_dsa.verify(@rsa1024)) -+ rescue OpenSSL::X509::CRLError => e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ end -+ - def test_sign_and_verify - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) -@@ -197,8 +221,6 @@ - cert, @rsa2048, OpenSSL::Digest::SHA1.new) - assert_equal(false, crl.verify(@rsa1024)) - assert_equal(true, crl.verify(@rsa2048)) -- assert_equal(false, crl.verify(@dsa256)) -- assert_equal(false, crl.verify(@dsa512)) - crl.version = 0 - assert_equal(false, crl.verify(@rsa2048)) - -@@ -206,13 +228,26 @@ - nil, nil, OpenSSL::Digest::DSS1.new) - crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::Digest::DSS1.new) -- assert_equal(false, crl.verify(@rsa1024)) -- assert_equal(false, crl.verify(@rsa2048)) - assert_equal(false, crl.verify(@dsa256)) - assert_equal(true, crl.verify(@dsa512)) - crl.version = 0 - assert_equal(false, crl.verify(@dsa512)) - end -+ -+ def test_create_from_pem -+ crl = < 0x00907000 - def test_ciphers - OpenSSL::Cipher.ciphers.each{|name| -@@ -90,6 +162,30 @@ - } - end - end -+ -+ # JRUBY-4028 -+ def test_jruby_4028 -+ key = "0599E113A7EE32A9" -+ data = "1234567890~5J96LC303C1D22DD~20090930005944~http%3A%2F%2Flocalhost%3A8080%2Flogin%3B0%3B1~http%3A%2F%2Fmix-stage.oracle.com%2F~00" 
-+ c1 = OpenSSL::Cipher::Cipher.new("DES-CBC") -+ c1.padding = 0 -+ c1.iv = "0" * 8 -+ c1.encrypt -+ c1.key = key -+ e = c1.update data -+ e << c1.final -+ -+ c2 = OpenSSL::Cipher::Cipher.new("DES-CBC") -+ c2.padding = 0 -+ c2.iv = "0" * 8 -+ c2.decrypt -+ c2.key = key -+ d = c2.update e -+ d << c2.final -+ -+ assert_equal "\342\320B.\300&X\310\344\253\025\215\017*\22015\344\024D\342\213\361\336\311\271\326\016\243\214\026\2545\002\237,\017s\202\316&Ew\323\221H\376\200\304\201\365\332Im\240\361\037\246\3536\001A2\341\324o0\350\364%=\325\330\240\324u\225\304h\277\272\361f\024\324\352\336\353N\002/]C\370!\003)\212oa\225\207\333\340\245\207\024\351\037\327[\212\001{\216\f\315\345\372\v\226\r\233?\002\vJK", e -+ assert_equal data, d -+ end - end - - end -Index: test/openssl/test_x509req.rb -=================================================================== ---- test/openssl/test_x509req.rb (.../ruby_1_8_7/test/openssl) (revision 27451) -+++ test/openssl/test_x509req.rb (.../ruby_1_8/test/openssl) (revision 27451) -@@ -103,38 +103,89 @@ - assert_equal(exts, get_ext_req(attrs[1].value)) - end - -+ def test_sign_and_verify_wrong_key_type -+ req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) -+ req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) -+ begin -+ assert_equal(false, req_rsa.verify(@dsa256)) -+ rescue OpenSSL::X509::RequestError => e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ -+ begin -+ assert_equal(false, req_dsa.verify(@rsa1024)) -+ rescue OpenSSL::X509::RequestError => e -+ # OpenSSL 1.0.0 added checks for pkey OID -+ assert_equal('wrong public key type', e.message) -+ end -+ end -+ - def test_sign_and_verify - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new) - assert_equal(true, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) -- assert_equal(false, req.verify(@dsa256)) -- assert_equal(false, req.verify(@dsa512)) - req.version = 1 - 
assert_equal(false, req.verify(@rsa1024)) - - req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new) - assert_equal(false, req.verify(@rsa1024)) - assert_equal(true, req.verify(@rsa2048)) -- assert_equal(false, req.verify(@dsa256)) -- assert_equal(false, req.verify(@dsa512)) - req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") - assert_equal(false, req.verify(@rsa2048)) - - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) -- assert_equal(false, req.verify(@rsa1024)) -- assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, req.verify(@dsa256)) - assert_equal(true, req.verify(@dsa512)) - req.public_key = @rsa1024.public_key - assert_equal(false, req.verify(@dsa512)) -+ end - -- assert_raise(OpenSSL::X509::RequestError){ -- issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) } -- assert_raise(OpenSSL::X509::RequestError){ -- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) } -- assert_raise(OpenSSL::X509::RequestError){ -- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } -+ def test_dsig_algorithm_mismatch -+ assert_raise(OpenSSL::X509::RequestError) do -+ issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) -+ end -+ assert_raise(OpenSSL::X509::RequestError) do -+ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) -+ end - end -+ -+ def test_create_from_pem -+ req = <value.single, NULL); str = rb_str_new(0, length); 
@@ -118,19 +101,16 @@ Index: ext/openssl/ossl_x509attr.c i2d_ASN1_TYPE(attr->value.single, &p); ossl_str_adjust(str, p); } - else{ -- length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL, -- i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0); -+ length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, -+ (unsigned char **) NULL, i2d_ASN1_TYPE, -+ V_ASN1_SET, V_ASN1_UNIVERSAL, 0); +@@ -221,7 +222,7 @@ ossl_x509attr_get_value(VALUE self) + (unsigned char **) NULL, i2d_ASN1_TYPE, + V_ASN1_SET, V_ASN1_UNIVERSAL, 0); str = rb_str_new(0, length); - p = RSTRING_PTR(str); + p = (unsigned char *)RSTRING_PTR(str); i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p, i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0); ossl_str_adjust(str, p); -@@ -246,7 +248,7 @@ ossl_x509attr_to_der(VALUE self) +@@ -247,7 +248,7 @@ ossl_x509attr_to_der(VALUE self) if((len = i2d_X509_ATTRIBUTE(attr, NULL)) <= 0) ossl_raise(eX509AttrError, NULL); str = rb_str_new(0, len); @@ -315,15 +295,6 @@ Index: ext/openssl/ossl_ssl.c rb_scan_args(argc, argv, "01", &arg1); -@@ -829,7 +907,7 @@ ossl_sslctx_flush_sessions(int argc, VAL - rb_raise(rb_eArgError, "arg must be Time or nil"); - } - -- SSL_CTX_flush_sessions(ctx, tm); -+ SSL_CTX_flush_sessions(ctx, (long)tm); - - return self; - } @@ -887,6 +965,9 @@ ossl_ssl_initialize(int argc, VALUE *arg ossl_ssl_set_ctx(self, ctx); ossl_ssl_set_sync_close(self, Qfalse); @@ -386,19 +357,6 @@ Index: ext/openssl/ossl_ssl.c return self; } -@@ -1196,10 +1291,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self) - } - chain = SSL_get_peer_cert_chain(ssl); - if(!chain) return Qnil; -- num = sk_num(chain); -+ num = sk_X509_num(chain); - ary = rb_ary_new2(num); - for (i = 0; i < num; i++){ -- cert = (X509*)sk_value(chain, i); -+ cert = sk_X509_value(chain, i); - rb_ary_push(ary, ossl_x509_new(cert)); - } - @@ -1344,13 +1439,13 @@ Init_ossl_ssl() ID_callback_state = rb_intern("@callback_state"); 
@@ -483,17 +441,15 @@ Index: ext/openssl/ossl_ocsp.c ossl_raise(eOCSPError, "cannot load DER encoded response"); } } -@@ -377,8 +381,8 @@ ossl_ocspres_to_der(VALUE self) +@@ -377,7 +381,7 @@ ossl_ocspres_to_der(VALUE self) if((len = i2d_OCSP_RESPONSE(res, NULL)) <= 0) ossl_raise(eOCSPError, NULL); str = rb_str_new(0, len); - p = RSTRING_PTR(str); -- if(i2d_OCSP_RESPONSE(res, NULL) <= 0) + p = (unsigned char *)RSTRING_PTR(str); -+ if(i2d_OCSP_RESPONSE(res, &p) <= 0) + if(i2d_OCSP_RESPONSE(res, &p) <= 0) ossl_raise(eOCSPError, NULL); ossl_str_adjust(str, p); - @@ -436,7 +440,7 @@ ossl_ocspbres_add_nonce(int argc, VALUE else{ StringValue(val); @@ -507,16 +463,7 @@ Index: ext/openssl/ossl_engine.c =================================================================== --- ext/openssl/ossl_engine.c.orig +++ ext/openssl/ossl_engine.c -@@ -119,7 +119,7 @@ ossl_engine_s_by_id(VALUE klass, VALUE i - if(!ENGINE_init(e)) - ossl_raise(eEngineError, NULL); - ENGINE_ctrl(e, ENGINE_CTRL_SET_PASSWORD_CALLBACK, -- 0, NULL, (void(*)())ossl_pem_passwd_cb); -+ 0, NULL, (void(*)(void))ossl_pem_passwd_cb); - ERR_clear_error(); - - return obj; -@@ -326,7 +326,7 @@ static VALUE +@@ -344,7 +344,7 @@ static VALUE ossl_engine_inspect(VALUE self) { VALUE str; 
@@ -525,154 +472,10 @@ Index: ext/openssl/ossl_engine.c str = rb_str_new2("#<"); rb_str_cat2(str, cname); -Index: ext/openssl/ossl_config.c -=================================================================== ---- ext/openssl/ossl_config.c.orig -+++ ext/openssl/ossl_config.c -@@ -158,14 +158,6 @@ ossl_config_initialize(int argc, VALUE * - return self; - } - --static void --rb_ossl_config_modify_check(VALUE config) --{ -- if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config"); -- if (!OBJ_TAINTED(config) && rb_safe_level() >= 4) -- rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config"); --} -- - static VALUE - ossl_config_add_value(VALUE self, VALUE section, VALUE name, VALUE value) - { -@@ -175,7 +167,6 @@ ossl_config_add_value(VALUE self, VALUE - CONF *conf; - CONF_VALUE *sv, *cv; - -- rb_ossl_config_modify_check(self); - StringValue(section); - StringValue(name); - StringValue(value); -@@ -201,6 +192,25 @@ ossl_config_add_value(VALUE self, VALUE - #endif - } - -+static void -+rb_ossl_config_modify_check(VALUE config) -+{ -+ if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config"); -+ if (!OBJ_TAINTED(config) && rb_safe_level() >= 4) -+ rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config"); -+} -+ -+static VALUE -+ossl_config_add_value_m(VALUE self, VALUE section, VALUE name, VALUE value) -+{ -+#if defined(OSSL_NO_CONF_API) -+ rb_notimplement(); -+#else -+ rb_ossl_config_modify_check(self); -+ return ossl_config_add_value(self, section, name, value); -+#endif -+} -+ - static VALUE - ossl_config_get_value(VALUE self, VALUE section, VALUE name) - { -@@ -303,6 +313,12 @@ ossl_config_get_section_old(VALUE self, - } - - #ifdef IMPLEMENT_LHASH_DOALL_ARG_FN -+#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \ -+ void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ -+ o_type a = (o_type)arg1; \ -+ a_type b = (a_type)arg2; \ -+ f_name(a,b); } -+ - static void - get_conf_section(CONF_VALUE *cv, VALUE ary) - { -@@ -310,7 
+326,7 @@ get_conf_section(CONF_VALUE *cv, VALUE a - rb_ary_push(ary, rb_str_new2(cv->section)); - } - --static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE); -+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE) - - static VALUE - ossl_config_get_sections(VALUE self) -@@ -348,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE st - rb_str_cat2(str, "\n"); - } - --static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE); -+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE) - - static VALUE - dump_conf(CONF *conf) -@@ -392,13 +408,15 @@ each_conf_value(CONF_VALUE *cv, void* du - } - } - --static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*); -+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*) - - static VALUE - ossl_config_each(VALUE self) - { - CONF *conf; - -+ RETURN_ENUMERATOR(self, 0, 0); -+ - GetConfig(self, conf); - lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(each_conf_value), (void*)NULL); - -@@ -431,7 +449,7 @@ static VALUE - ossl_config_inspect(VALUE self) - { - VALUE str, ary = ossl_config_get_sections(self); -- char *cname = rb_class2name(rb_obj_class(self)); -+ const char *cname = rb_class2name(rb_obj_class(self)); - - str = rb_str_new2("#<"); - rb_str_cat2(str, cname); -@@ -448,11 +466,14 @@ ossl_config_inspect(VALUE self) - void - Init_ossl_config() - { -+ char *default_config_file; - eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError); - cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject); - -+ default_config_file = CONF_get1_default_config_file(); - rb_define_const(cConfig, "DEFAULT_CONFIG_FILE", -- rb_str_new2(CONF_get1_default_config_file())); -+ rb_str_new2(default_config_file)); -+ OPENSSL_free(default_config_file); - rb_include_module(cConfig, rb_mEnumerable); - rb_define_singleton_method(cConfig, "parse", ossl_config_s_parse, 1); - rb_define_alias(CLASS_OF(cConfig), "load", "new"); -@@ 
-461,7 +482,7 @@ Init_ossl_config() - rb_define_method(cConfig, "initialize", ossl_config_initialize, -1); - rb_define_method(cConfig, "get_value", ossl_config_get_value, 2); - rb_define_method(cConfig, "value", ossl_config_get_value_old, -1); -- rb_define_method(cConfig, "add_value", ossl_config_add_value, 3); -+ rb_define_method(cConfig, "add_value", ossl_config_add_value_m, 3); - rb_define_method(cConfig, "[]", ossl_config_get_section, 1); - rb_define_method(cConfig, "section", ossl_config_get_section_old, 1); - rb_define_method(cConfig, "[]=", ossl_config_set_section, 2); Index: ext/openssl/ossl_hmac.c =================================================================== --- ext/openssl/ossl_hmac.c.orig +++ ext/openssl/ossl_hmac.c -@@ -42,7 +42,7 @@ static void - ossl_hmac_free(HMAC_CTX *ctx) - { - HMAC_CTX_cleanup(ctx); -- free(ctx); -+ ruby_xfree(ctx); - } - - static VALUE @@ -103,13 +103,13 @@ ossl_hmac_update(VALUE self, VALUE data) StringValue(data); @@ -762,31 +565,7 @@ Index: ext/openssl/ossl_cipher.c =================================================================== --- ext/openssl/ossl_cipher.c.orig +++ ext/openssl/ossl_cipher.c -@@ -67,7 +67,7 @@ ossl_cipher_free(EVP_CIPHER_CTX *ctx) - { - if (ctx) { - EVP_CIPHER_CTX_cleanup(ctx); -- free(ctx); -+ ruby_xfree(ctx); - } - } - -@@ -124,12 +124,14 @@ ossl_cipher_copy(VALUE self, VALUE other - return self; - } - -+#ifdef HAVE_OBJ_NAME_DO_ALL_SORTED - static void* - add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary) - { - rb_ary_push(ary, rb_str_new2(name->name)); - return NULL; - } -+#endif - - /* - * call-seq: -@@ -186,7 +188,7 @@ ossl_cipher_init(int argc, VALUE *argv, +@@ -188,7 +188,7 @@ ossl_cipher_init(int argc, VALUE *argv, * We deprecated the arguments for this method, but we decided * keeping this behaviour for backward compatibility. */ 
@@ -795,7 +574,7 @@ Index: ext/openssl/ossl_cipher.c rb_warn("argumtents for %s#encrypt and %s#decrypt were deprecated; " "use %s#pkcs5_keyivgen to derive key and IV", cname, cname, cname); -@@ -202,7 +204,7 @@ ossl_cipher_init(int argc, VALUE *argv, +@@ -204,7 +204,7 @@ ossl_cipher_init(int argc, VALUE *argv, else memcpy(iv, RSTRING_PTR(init_v), sizeof(iv)); } EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv, @@ -804,7 +583,7 @@ Index: ext/openssl/ossl_cipher.c p_key = key; p_iv = iv; } -@@ -279,13 +281,13 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL +@@ -281,13 +281,13 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL StringValue(vsalt); if(RSTRING_LEN(vsalt) != PKCS5_SALT_LEN) rb_raise(eCipherError, "salt must be an 8-octet string"); @@ -820,7 +599,7 @@ Index: ext/openssl/ossl_cipher.c if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, -1) != 1) ossl_raise(eCipherError, NULL); OPENSSL_cleanse(key, sizeof key); -@@ -297,26 +299,6 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL +@@ -299,26 +299,6 @@ ossl_cipher_pkcs5_keyivgen(int argc, VAL /* * call-seq: @@ -847,7 +626,7 @@ Index: ext/openssl/ossl_cipher.c * cipher.update(data [, buffer]) -> string or buffer * * === Parameters -@@ -327,14 +309,14 @@ static VALUE +@@ -329,14 +309,14 @@ static VALUE ossl_cipher_update(int argc, VALUE *argv, VALUE self) { EVP_CIPHER_CTX *ctx; @@ -864,7 +643,7 @@ Index: ext/openssl/ossl_cipher.c if ((in_len = RSTRING_LEN(data)) == 0) rb_raise(rb_eArgError, "data must not be empty"); GetCipher(self, ctx); -@@ -347,7 +329,7 @@ ossl_cipher_update(int argc, VALUE *argv +@@ -349,7 +329,7 @@ ossl_cipher_update(int argc, VALUE *argv rb_str_resize(str, out_len); } @@ -873,7 +652,7 @@ Index: ext/openssl/ossl_cipher.c ossl_raise(eCipherError, NULL); assert(out_len < RSTRING_LEN(str)); rb_str_set_len(str, out_len); -@@ -372,7 +354,7 @@ ossl_cipher_final(VALUE self) +@@ -374,7 +354,7 @@ ossl_cipher_final(VALUE self) GetCipher(self, ctx); str = rb_str_new(0, EVP_CIPHER_CTX_block_size(ctx)); 
@@ -882,7 +661,7 @@ Index: ext/openssl/ossl_cipher.c ossl_raise(eCipherError, NULL); assert(out_len <= RSTRING_LEN(str)); rb_str_set_len(str, out_len); -@@ -415,7 +397,7 @@ ossl_cipher_set_key(VALUE self, VALUE ke +@@ -417,7 +397,7 @@ ossl_cipher_set_key(VALUE self, VALUE ke if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx)) ossl_raise(eCipherError, "key length too short"); @@ -891,7 +670,7 @@ Index: ext/openssl/ossl_cipher.c ossl_raise(eCipherError, NULL); return key; -@@ -440,7 +422,7 @@ ossl_cipher_set_iv(VALUE self, VALUE iv) +@@ -442,7 +422,7 @@ ossl_cipher_set_iv(VALUE self, VALUE iv) if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx)) ossl_raise(eCipherError, "iv length too short"); @@ -900,7 +679,7 @@ Index: ext/openssl/ossl_cipher.c ossl_raise(eCipherError, NULL); return iv; -@@ -551,9 +533,6 @@ Init_ossl_cipher(void) +@@ -553,9 +533,6 @@ Init_ossl_cipher(void) rb_define_method(cCipher, "decrypt", ossl_cipher_decrypt, -1); rb_define_method(cCipher, "pkcs5_keyivgen", ossl_cipher_pkcs5_keyivgen, -1); rb_define_method(cCipher, "update", ossl_cipher_update, -1); @@ -996,29 +775,6 @@ Index: ext/openssl/ossl_pkey_rsa.c pad); if (buf_len < 0) ossl_raise(eRSAError, NULL); rb_str_set_len(str, buf_len); -@@ -519,14 +519,14 @@ ossl_rsa_blinding_off(VALUE self) - } - */ - --OSSL_PKEY_BN(rsa, n); --OSSL_PKEY_BN(rsa, e); --OSSL_PKEY_BN(rsa, d); --OSSL_PKEY_BN(rsa, p); --OSSL_PKEY_BN(rsa, q); --OSSL_PKEY_BN(rsa, dmp1); --OSSL_PKEY_BN(rsa, dmq1); --OSSL_PKEY_BN(rsa, iqmp); -+OSSL_PKEY_BN(rsa, n) -+OSSL_PKEY_BN(rsa, e) -+OSSL_PKEY_BN(rsa, d) -+OSSL_PKEY_BN(rsa, p) -+OSSL_PKEY_BN(rsa, q) -+OSSL_PKEY_BN(rsa, dmp1) -+OSSL_PKEY_BN(rsa, dmq1) -+OSSL_PKEY_BN(rsa, iqmp) - - /* - * INIT Index: ext/openssl/ossl_x509req.c =================================================================== --- ext/openssl/ossl_x509req.c.orig 
@@ -1088,73 +844,7 @@ Index: ext/openssl/ossl_pkey_ec.c int nid = OBJ_sn2nid(name); if (nid == NID_undef) -@@ -463,8 +463,10 @@ static VALUE ossl_ec_key_to_string(VALUE - BIO *out; - int i = -1; - int private = 0; -+#if 0 /* unused now */ - EVP_CIPHER *cipher = NULL; - char *password = NULL; -+#endif - VALUE str; - - Require_EC_KEY(self, ec); -@@ -484,13 +486,18 @@ static VALUE ossl_ec_key_to_string(VALUE - switch(format) { - case EXPORT_PEM: - if (private) { -+#if 0 /* unused now */ - if (cipher || password) - /* BUG: finish cipher/password key export */ - rb_notimplement(); - i = PEM_write_bio_ECPrivateKey(out, ec, cipher, NULL, 0, NULL, password); -+#endif -+ i = PEM_write_bio_ECPrivateKey(out, ec, NULL, NULL, 0, NULL, NULL); - } else { -+#if 0 /* unused now */ - if (cipher || password) - rb_raise(rb_eArgError, "encryption is not supported when exporting this key type"); -+#endif - - i = PEM_write_bio_EC_PUBKEY(out, ec); - } -@@ -498,13 +505,17 @@ static VALUE ossl_ec_key_to_string(VALUE - break; - case EXPORT_DER: - if (private) { -+#if 0 /* unused now */ - if (cipher || password) - rb_raise(rb_eArgError, "encryption is not supported when exporting this key type"); -+#endif - - i = i2d_ECPrivateKey_bio(out, ec); - } else { -+#if 0 /* unused now */ - if (cipher || password) - rb_raise(rb_eArgError, "encryption is not supported when exporting this key type"); -+#endif - - i = i2d_EC_PUBKEY_bio(out, ec); - } -@@ -670,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(V - - /* - * call-seq: -- * key.dsa_verify(data, sig) => true or false -+ * key.dsa_verify_asn1(data, sig) => true or false - * - * See the OpenSSL documentation for ECDSA_verify() - */ -@@ -695,7 +706,7 @@ static void ossl_ec_group_free(ossl_ec_g - { - if (!ec_group->dont_free && ec_group->group) - EC_GROUP_clear_free(ec_group->group); -- free(ec_group); -+ ruby_xfree(ec_group); - } - - static VALUE ossl_ec_group_alloc(VALUE klass) -@@ -767,14 +778,14 @@ static VALUE ossl_ec_group_initialize(in +@@ 
-778,14 +778,14 @@ static VALUE ossl_ec_group_initialize(in group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL); if (!group) { @@ -1171,7 +861,7 @@ Index: ext/openssl/ossl_pkey_ec.c int nid = OBJ_sn2nid(name); if (nid == NID_undef) -@@ -1081,7 +1092,7 @@ static VALUE ossl_ec_group_get_seed(VALU +@@ -1092,7 +1092,7 @@ static VALUE ossl_ec_group_get_seed(VALU if (seed_len == 0) return Qnil; @@ -1180,7 +870,7 @@ Index: ext/openssl/ossl_pkey_ec.c } /* call-seq: -@@ -1096,7 +1107,7 @@ static VALUE ossl_ec_group_set_seed(VALU +@@ -1107,7 +1107,7 @@ static VALUE ossl_ec_group_set_seed(VALU Require_EC_GROUP(self, group); StringValue(seed); @@ -1189,15 +879,6 @@ Index: ext/openssl/ossl_pkey_ec.c ossl_raise(eEC_GROUP, "EC_GROUP_set_seed"); return seed; -@@ -1201,7 +1212,7 @@ static void ossl_ec_point_free(ossl_ec_p - { - if (!ec_point->dont_free && ec_point->point) - EC_POINT_clear_free(ec_point->point); -- free(ec_point); -+ ruby_xfree(ec_point); - } - - static VALUE ossl_ec_point_alloc(VALUE klass) Index: ext/openssl/ossl_digest.c =================================================================== --- ext/openssl/ossl_digest.c.orig 
@@ -1249,97 +930,7 @@ Index: ext/openssl/ossl.c { static const char hex[]="0123456789abcdef"; int i, len = 2 * buf_len; -@@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary) - - #define OSSL_IMPL_SK2ARY(name, type) \ - VALUE \ --ossl_##name##_sk2ary(STACK *sk) \ -+ossl_##name##_sk2ary(STACK_OF(type) *sk) \ - { \ - type *t; \ - int i, num; \ -@@ -102,7 +102,7 @@ ossl_##name##_sk2ary(STACK *sk) \ - OSSL_Debug("empty sk!"); \ - return Qnil; \ - } \ -- num = sk_num(sk); \ -+ num = sk_##type##_num(sk); \ - if (num < 0) { \ - OSSL_Debug("items in sk < -1???"); \ - return rb_ary_new(); \ -@@ -110,7 +110,7 @@ ossl_##name##_sk2ary(STACK *sk) \ - ary = rb_ary_new2(num); \ - \ - for (i=0; i BUFSIZ) len = strlen(buf); -- rb_exc_raise(rb_exc_new(exc, buf, len)); -+ return rb_exc_new(exc, buf, len); -+} -+ -+void -+ossl_raise(VALUE exc, const char *fmt, ...) -+{ -+ va_list args; -+ VALUE err; -+ va_start(args, fmt); -+ err = ossl_make_error(exc, fmt, args); -+ va_end(args); -+ rb_exc_raise(err); -+} -+ -+VALUE -+ossl_exc_new(VALUE exc, const char *fmt, ...) -+{ -+ va_list args; -+ VALUE err; -+ va_start(args, fmt); -+ err = ossl_make_error(exc, fmt, args); -+ va_end(args); -+ return err; - } - - /* -@@ -446,7 +464,7 @@ Init_openssl() +@@ -464,7 +464,7 @@ Init_openssl() /* * Verify callback Proc index for ext-data */ @@ -1348,7 +939,7 @@ Index: ext/openssl/ossl.c ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index"); /* -@@ -488,7 +506,7 @@ Init_openssl() +@@ -506,7 +506,7 @@ Init_openssl() * Check if all symbols are OK with 'make LDSHARED=gcc all' */ int 
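Review bot: The `OSSL_IMPL_SK2ARY` conversion to `STACK_OF(type)` / `sk_##type##_num` and the `ossl_make_error` / `ossl_exc_new` split are dropped from the ossl.c part of the patch here, and the matching `#define STACK _STACK` compatibility block is dropped from ossl.h in the next hunk; the rebase is only sound if the new base tarball already carries equivalent changes, which is not visible in this diff and should be confirmed by a build against OpenSSL 1.0.0 before the old hunks are discarded. The same applies to the removed ossl_config.c section earlier in this file (the `rb_ossl_config_modify_check` frozen-object check wired in front of `add_value` via `ossl_config_add_value_m`, and the `OPENSSL_free` of `CONF_get1_default_config_file()`): if the new base lacks it, frozen `OpenSSL::Config` objects become mutable again, and the `test_freeze` case deleted earlier in this commit would be the only regression test for that. Naming the upstream revision that superseded each dropped hunk in the patch header, e.g. `# dropped: merged upstream in <revision>`, would make the rebase auditable.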
@@ -1383,17 +974,8 @@ Index: ext/openssl/ossl.h =================================================================== --- ext/openssl/ossl.h.orig +++ ext/openssl/ossl.h -@@ -108,9 +108,16 @@ extern VALUE eOSSLError; - } while (0) - +@@ -117,7 +117,7 @@ extern VALUE eOSSLError; /* -+ * Compatibility -+ */ -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+#define STACK _STACK -+#endif -+ -+/* * String to HEXString conversion */ -int string2hex(char *, int, char **, int *); 
@@ -1401,757 +983,6 @@ Index: ext/openssl/ossl.h /* * Data Conversion -@@ -139,6 +146,7 @@ int ossl_pem_passwd_cb(char *, int, int, - */ - #define OSSL_ErrMsg() ERR_reason_error_string(ERR_get_error()) - NORETURN(void ossl_raise(VALUE, const char *, ...)); -+VALUE ossl_exc_new(VALUE, const char *, ...); - - /* - * Verify callback -@@ -167,10 +175,10 @@ VALUE ossl_to_der_if_possible(VALUE); - extern VALUE dOSSL; - - #if defined(HAVE_VA_ARGS_MACRO) --#define OSSL_Debug(fmt, ...) do { \ -+#define OSSL_Debug(...) do { \ - if (dOSSL == Qtrue) { \ - fprintf(stderr, "OSSL_DEBUG: "); \ -- fprintf(stderr, fmt, ##__VA_ARGS__); \ -+ fprintf(stderr, __VA_ARGS__); \ - fprintf(stderr, " [%s:%d]\n", __FILE__, __LINE__); \ - } \ - } while (0) -Index: ext/openssl/lib/openssl/digest.rb -=================================================================== ---- ext/openssl/lib/openssl/digest.rb.orig -+++ ext/openssl/lib/openssl/digest.rb -@@ -40,7 +40,7 @@ module OpenSSL - super(name, data.first) - } - } -- singleton = (class < -+ All rights reserved. -+ -+= Licence -+ This program is licenced under the same licence as Ruby. -+ (See the file 'LICENCE'.) -+ -+= Version -+ $Id$ -+=end -+ -+module OpenSSL -+ module X509 -+ class ExtensionFactory -+ def create_extension(*arg) -+ if arg.size > 1 -+ create_ext(*arg) -+ else -+ send("create_ext_from_"+arg[0].class.name.downcase, arg[0]) -+ end -+ end -+ -+ def create_ext_from_array(ary) -+ raise ExtensionError, "unexpected array form" if ary.size > 3 -+ create_ext(ary[0], ary[1], ary[2]) -+ end -+ -+ def create_ext_from_string(str) # "oid = critical, value" -+ oid, value = str.split(/=/, 2) -+ oid.strip! -+ value.strip! -+ create_ext(oid, value) -+ end -+ -+ def create_ext_from_hash(hash) -+ create_ext(hash["oid"], hash["value"], hash["critical"]) -+ end -+ end -+ -+ class Extension -+ def to_s # "oid = critical, value" -+ str = self.oid -+ str << " = " -+ str << "critical, " if self.critical? 
-+ str << self.value.gsub(/\n/, ", ") -+ end -+ -+ def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false} -+ {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?} -+ end -+ -+ def to_a -+ [ self.oid, self.value, self.critical? ] -+ end -+ end -+ -+ class Name -+ module RFC2253DN -+ Special = ',=+<>#;' -+ HexChar = /[0-9a-fA-F]/ -+ HexPair = /#{HexChar}#{HexChar}/ -+ HexString = /#{HexPair}+/ -+ Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/ -+ StringChar = /[^#{Special}\\"]/ -+ QuoteChar = /[^\\"]/ -+ AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/ -+ AttributeValue = / -+ (?!["#])((?:#{StringChar}|#{Pair})*)| -+ \#(#{HexString})| -+ "((?:#{QuoteChar}|#{Pair})*)" -+ /x -+ TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/ -+ -+ module_function -+ -+ def expand_pair(str) -+ return nil unless str -+ return str.gsub(Pair){ -+ pair = $& -+ case pair.size -+ when 2 then pair[1,1] -+ when 3 then Integer("0x#{pair[1,2]}").chr -+ else raise OpenSSL::X509::NameError, "invalid pair: #{str}" -+ end -+ } -+ end -+ -+ def expand_hexstring(str) -+ return nil unless str -+ der = str.gsub(HexPair){$&.to_i(16).chr } -+ a1 = OpenSSL::ASN1.decode(der) -+ return a1.value, a1.tag -+ end -+ -+ def expand_value(str1, str2, str3) -+ value = expand_pair(str1) -+ value, tag = expand_hexstring(str2) unless value -+ value = expand_pair(str3) unless value -+ return value, tag -+ end -+ -+ def scan(dn) -+ str = dn -+ ary = [] -+ while true -+ if md = TypeAndValue.match(str) -+ matched = md.to_s -+ remain = md.post_match -+ type = md[1] -+ value, tag = expand_value(md[2], md[3], md[4]) rescue nil -+ if value -+ type_and_value = [type, value] -+ type_and_value.push(tag) if tag -+ ary.unshift(type_and_value) -+ if remain.length > 2 && remain[0] == ?, -+ str = remain[1..-1] -+ next -+ elsif remain.length > 2 && remain[0] == ?+ -+ raise OpenSSL::X509::NameError, -+ "multi-valued RDN is not supported: #{dn}" -+ elsif remain.empty? 
-+ break -+ end -+ end -+ end -+ msg_dn = dn[0, dn.length - str.length] + " =>" + str -+ raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}" -+ end -+ return ary -+ end -+ end -+ -+ class < "SSLv23", -- :verify_mode => OpenSSL::SSL::VERIFY_PEER, -- :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", -- :options => OpenSSL::SSL::OP_ALL, -- } -- -- DEFAULT_CERT_STORE = OpenSSL::X509::Store.new -- DEFAULT_CERT_STORE.set_default_paths -- if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL) -- DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL -- end -- -- def set_params(params={}) -- params = DEFAULT_PARAMS.merge(params) -- self.ssl_version = params.delete(:ssl_version) -- params.each{|name, value| self.__send__("#{name}=", value) } -- if self.verify_mode != OpenSSL::SSL::VERIFY_NONE -- unless self.ca_file or self.ca_path or self.cert_store -- self.cert_store = DEFAULT_CERT_STORE -- end -- end -- return params -- end -- end -- -- module SocketForwarder -- def addr -- to_io.addr -- end -- -- def peeraddr -- to_io.peeraddr -- end -- -- def setsockopt(level, optname, optval) -- to_io.setsockopt(level, optname, optval) -- end -- -- def getsockopt(level, optname) -- to_io.getsockopt(level, optname) -- end -- -- def fcntl(*args) -- to_io.fcntl(*args) -- end -- -- def closed? -- to_io.closed? 
-- end -- -- def do_not_reverse_lookup=(flag) -- to_io.do_not_reverse_lookup = flag -- end -- end -- -- module Nonblock -- def initialize(*args) -- flag = File::NONBLOCK -- flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL) -- @io.fcntl(Fcntl::F_SETFL, flag) -- super -- end -- end -- -- def verify_certificate_identity(cert, hostname) -- should_verify_common_name = true -- cert.extensions.each{|ext| -- next if ext.oid != "subjectAltName" -- ext.value.split(/,\s+/).each{|general_name| -- if /\ADNS:(.*)/ =~ general_name -- should_verify_common_name = false -- reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+") -- return true if /\A#{reg}\z/i =~ hostname -- elsif /\AIP Address:(.*)/ =~ general_name -- should_verify_common_name = false -- return true if $1 == hostname -- end -- } -- } -- if should_verify_common_name -- cert.subject.to_a.each{|oid, value| -- if oid == "CN" -- reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+") -- return true if /\A#{reg}\z/i =~ hostname -- end -- } -- end -- return false -- end -- module_function :verify_certificate_identity -- -- class SSLSocket -- include Buffering -- include SocketForwarder -- include Nonblock -- -- def post_connection_check(hostname) -- unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) -- raise SSLError, "hostname was not match with the server certificate" -- end -- return true -- end -- -- def session -- SSL::Session.new(self) -- rescue SSL::Session::SessionError -- nil -- end -- end -- -- class SSLServer -- include SocketForwarder -- attr_accessor :start_immediately -- -- def initialize(svr, ctx) -- @svr = svr -- @ctx = ctx -- unless ctx.session_id_context -- session_id = OpenSSL::Digest::MD5.hexdigest($0) -- @ctx.session_id_context = session_id -- end -- @start_immediately = true -- end -- -- def to_io -- @svr -- end -- -- def listen(backlog=5) -- @svr.listen(backlog) -- end -- -- def shutdown(how=Socket::SHUT_RDWR) -- @svr.shutdown(how) -- end -- -- def accept -- sock = @svr.accept -- begin 
-- ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx) -- ssl.sync_close = true -- ssl.accept if @start_immediately -- ssl -- rescue SSLError => ex -- sock.close -- raise ex -- end -- end -- -- def close -- @svr.close -- end -- end -- end --end -+require 'openssl' -Index: ext/openssl/lib/openssl/x509.rb -=================================================================== ---- ext/openssl/lib/openssl/x509.rb.orig -+++ ext/openssl/lib/openssl/x509.rb -@@ -1,154 +1 @@ --=begin --= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for X509 and subclasses -- --= Info -- 'OpenSSL for Ruby 2' project -- Copyright (C) 2002 Michal Rokos -- All rights reserved. -- --= Licence -- This program is licenced under the same licence as Ruby. -- (See the file 'LICENCE'.) -- --= Version -- $Id: x509.rb 11708 2007-02-12 23:01:19Z shyouhei $ --=end -- --require "openssl" -- --module OpenSSL -- module X509 -- class ExtensionFactory -- def create_extension(*arg) -- if arg.size > 1 -- create_ext(*arg) -- else -- send("create_ext_from_"+arg[0].class.name.downcase, arg[0]) -- end -- end -- -- def create_ext_from_array(ary) -- raise ExtensionError, "unexpected array form" if ary.size > 3 -- create_ext(ary[0], ary[1], ary[2]) -- end -- -- def create_ext_from_string(str) # "oid = critical, value" -- oid, value = str.split(/=/, 2) -- oid.strip! -- value.strip! -- create_ext(oid, value) -- end -- -- def create_ext_from_hash(hash) -- create_ext(hash["oid"], hash["value"], hash["critical"]) -- end -- end -- -- class Extension -- def to_s # "oid = critical, value" -- str = self.oid -- str << " = " -- str << "critical, " if self.critical? -- str << self.value.gsub(/\n/, ", ") -- end -- -- def to_h # {"oid"=>sn|ln, "value"=>value, "critical"=>true|false} -- {"oid"=>self.oid,"value"=>self.value,"critical"=>self.critical?} -- end -- -- def to_a -- [ self.oid, self.value, self.critical? 
] -- end -- end -- -- class Name -- module RFC2253DN -- Special = ',=+<>#;' -- HexChar = /[0-9a-fA-F]/ -- HexPair = /#{HexChar}#{HexChar}/ -- HexString = /#{HexPair}+/ -- Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/ -- StringChar = /[^#{Special}\\"]/ -- QuoteChar = /[^\\"]/ -- AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/ -- AttributeValue = / -- (?!["#])((?:#{StringChar}|#{Pair})*)| -- \#(#{HexString})| -- "((?:#{QuoteChar}|#{Pair})*)" -- /x -- TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/ -- -- module_function -- -- def expand_pair(str) -- return nil unless str -- return str.gsub(Pair){|pair| -- case pair.size -- when 2 then pair[1,1] -- when 3 then Integer("0x#{pair[1,2]}").chr -- else raise OpenSSL::X509::NameError, "invalid pair: #{str}" -- end -- } -- end -- -- def expand_hexstring(str) -- return nil unless str -- der = str.gsub(HexPair){|hex| Integer("0x#{hex}").chr } -- a1 = OpenSSL::ASN1.decode(der) -- return a1.value, a1.tag -- end -- -- def expand_value(str1, str2, str3) -- value = expand_pair(str1) -- value, tag = expand_hexstring(str2) unless value -- value = expand_pair(str3) unless value -- return value, tag -- end -- -- def scan(dn) -- str = dn -- ary = [] -- while true -- if md = TypeAndValue.match(str) -- matched = md.to_s -- remain = md.post_match -- type = md[1] -- value, tag = expand_value(md[2], md[3], md[4]) rescue nil -- if value -- type_and_value = [type, value] -- type_and_value.push(tag) if tag -- ary.unshift(type_and_value) -- if remain.length > 2 && remain[0] == ?, -- str = remain[1..-1] -- next -- elsif remain.length > 2 && remain[0] == ?+ -- raise OpenSSL::X509::NameError, -- "multi-valued RDN is not supported: #{dn}" -- elsif remain.empty? 
-- break -- end -- end -- end -- msg_dn = dn[0, dn.length - str.length] + " =>" + str -- raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}" -- end -- return ary -- end -- end -- -- class < "SSLv23", -+ :verify_mode => OpenSSL::SSL::VERIFY_PEER, -+ :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", -+ :options => OpenSSL::SSL::OP_ALL, -+ } -+ -+ DEFAULT_CERT_STORE = OpenSSL::X509::Store.new -+ DEFAULT_CERT_STORE.set_default_paths -+ if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL) -+ DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL -+ end -+ -+ def set_params(params={}) -+ params = DEFAULT_PARAMS.merge(params) -+ # ssl_version need to be set at first. -+ self.ssl_version = params.delete(:ssl_version) -+ params.each{|name, value| self.__send__("#{name}=", value) } -+ if self.verify_mode != OpenSSL::SSL::VERIFY_NONE -+ unless self.ca_file or self.ca_path or self.cert_store -+ self.cert_store = DEFAULT_CERT_STORE -+ end -+ end -+ return params -+ end -+ end -+ -+ module SocketForwarder -+ def addr -+ to_io.addr -+ end -+ -+ def peeraddr -+ to_io.peeraddr -+ end -+ -+ def setsockopt(level, optname, optval) -+ to_io.setsockopt(level, optname, optval) -+ end -+ -+ def getsockopt(level, optname) -+ to_io.getsockopt(level, optname) -+ end -+ -+ def fcntl(*args) -+ to_io.fcntl(*args) -+ end -+ -+ def closed? -+ to_io.closed? 
-+ end -+ -+ def do_not_reverse_lookup=(flag) -+ to_io.do_not_reverse_lookup = flag -+ end -+ end -+ -+ module Nonblock -+ def initialize(*args) -+ flag = File::NONBLOCK -+ flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL) -+ @io.fcntl(Fcntl::F_SETFL, flag) -+ super -+ end -+ end -+ -+ def verify_certificate_identity(cert, hostname) -+ should_verify_common_name = true -+ cert.extensions.each{|ext| -+ next if ext.oid != "subjectAltName" -+ ext.value.split(/,\s+/).each{|general_name| -+ if /\ADNS:(.*)/ =~ general_name -+ should_verify_common_name = false -+ reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+") -+ return true if /\A#{reg}\z/i =~ hostname -+ elsif /\AIP Address:(.*)/ =~ general_name -+ should_verify_common_name = false -+ return true if $1 == hostname -+ end -+ } -+ } -+ if should_verify_common_name -+ cert.subject.to_a.each{|oid, value| -+ if oid == "CN" -+ reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+") -+ return true if /\A#{reg}\z/i =~ hostname -+ end -+ } -+ end -+ return false -+ end -+ module_function :verify_certificate_identity -+ -+ class SSLSocket -+ include Buffering -+ include SocketForwarder -+ include Nonblock -+ -+ def post_connection_check(hostname) -+ unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) -+ raise SSLError, "hostname was not match with the server certificate" -+ end -+ return true -+ end -+ -+ def session -+ SSL::Session.new(self) -+ rescue SSL::Session::SessionError -+ nil -+ end -+ end -+ -+ class SSLServer -+ include SocketForwarder -+ attr_accessor :start_immediately -+ -+ def initialize(svr, ctx) -+ @svr = svr -+ @ctx = ctx -+ unless ctx.session_id_context -+ session_id = OpenSSL::Digest::MD5.hexdigest($0) -+ @ctx.session_id_context = session_id -+ end -+ @start_immediately = true -+ end -+ -+ def to_io -+ @svr -+ end -+ -+ def listen(backlog=5) -+ @svr.listen(backlog) -+ end -+ -+ def shutdown(how=Socket::SHUT_RDWR) -+ @svr.shutdown(how) -+ end -+ -+ def accept -+ sock = @svr.accept -+ begin 
-+ ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx) -+ ssl.sync_close = true -+ ssl.accept if @start_immediately -+ ssl -+ rescue SSLError => ex -+ sock.close -+ raise ex -+ end -+ end -+ -+ def close -+ @svr.close -+ end -+ end -+ end -+end -Index: ext/openssl/lib/openssl.rb -=================================================================== ---- ext/openssl/lib/openssl.rb.orig -+++ ext/openssl/lib/openssl.rb -@@ -20,6 +20,6 @@ require 'openssl/bn' - require 'openssl/cipher' - require 'openssl/digest' - require 'openssl/pkcs7' --require 'openssl/ssl' --require 'openssl/x509' -+require 'openssl/ssl-internal' -+require 'openssl/x509-internal' - Index: ext/openssl/lib/net/telnets.rb =================================================================== --- ext/openssl/lib/net/telnets.rb.orig @@ -2207,15 +1038,6 @@ Index: ext/openssl/ossl_bn.c ossl_raise(eBNError, NULL); } break; -@@ -151,7 +151,7 @@ ossl_bn_initialize(int argc, VALUE *argv - } - break; - default: -- ossl_raise(rb_eArgError, "illegal radix %d", base); -+ ossl_raise(rb_eArgError, "invalid radix %d", base); - } - return self; - } @@ -185,13 +185,13 @@ ossl_bn_to_s(int argc, VALUE *argv, VALU case 0: len = BN_bn2mpi(bn, NULL); 
@@ -2232,161 +1054,6 @@ Index: ext/openssl/ossl_bn.c ossl_raise(eBNError, NULL); break; case 10: -@@ -203,7 +203,7 @@ ossl_bn_to_s(int argc, VALUE *argv, VALU - str = ossl_buf2str(buf, strlen(buf)); - break; - default: -- ossl_raise(rb_eArgError, "illegal radix %d", base); -+ ossl_raise(rb_eArgError, "invalid radix %d", base); - } - - return str; -@@ -272,9 +272,9 @@ ossl_bn_coerce(VALUE self, VALUE other) - } \ - return Qfalse; \ - } --BIGNUM_BOOL1(is_zero); --BIGNUM_BOOL1(is_one); --BIGNUM_BOOL1(is_odd); -+BIGNUM_BOOL1(is_zero) -+BIGNUM_BOOL1(is_one) -+BIGNUM_BOOL1(is_odd) - - #define BIGNUM_1c(func) \ - /* \ -@@ -298,7 +298,7 @@ BIGNUM_BOOL1(is_odd); - WrapBN(CLASS_OF(self), obj, result); \ - return obj; \ - } --BIGNUM_1c(sqr); -+BIGNUM_1c(sqr) - - #define BIGNUM_2(func) \ - /* \ -@@ -322,8 +322,8 @@ BIGNUM_1c(sqr); - WrapBN(CLASS_OF(self), obj, result); \ - return obj; \ - } --BIGNUM_2(add); --BIGNUM_2(sub); -+BIGNUM_2(add) -+BIGNUM_2(sub) - - #define BIGNUM_2c(func) \ - /* \ -@@ -347,12 +347,12 @@ BIGNUM_2(sub); - WrapBN(CLASS_OF(self), obj, result); \ - return obj; \ - } --BIGNUM_2c(mul); --BIGNUM_2c(mod); --BIGNUM_2c(exp); --BIGNUM_2c(gcd); --BIGNUM_2c(mod_sqr); --BIGNUM_2c(mod_inverse); -+BIGNUM_2c(mul) -+BIGNUM_2c(mod) -+BIGNUM_2c(exp) -+BIGNUM_2c(gcd) -+BIGNUM_2c(mod_sqr) -+BIGNUM_2c(mod_inverse) - - /* - * call-seq: -@@ -407,10 +407,10 @@ ossl_bn_div(VALUE self, VALUE other) - WrapBN(CLASS_OF(self), obj, result); \ - return obj; \ - } --BIGNUM_3c(mod_add); --BIGNUM_3c(mod_sub); --BIGNUM_3c(mod_mul); --BIGNUM_3c(mod_exp); -+BIGNUM_3c(mod_add) -+BIGNUM_3c(mod_sub) -+BIGNUM_3c(mod_mul) -+BIGNUM_3c(mod_exp) - - #define BIGNUM_BIT(func) \ - /* \ -@@ -428,9 +428,9 @@ BIGNUM_3c(mod_exp); - } \ - return self; \ - } --BIGNUM_BIT(set_bit); --BIGNUM_BIT(clear_bit); --BIGNUM_BIT(mask_bits); -+BIGNUM_BIT(set_bit) -+BIGNUM_BIT(clear_bit) -+BIGNUM_BIT(mask_bits) - - /* - * call-seq: -@@ -474,8 +474,8 @@ ossl_bn_is_bit_set(VALUE self, VALUE bit - WrapBN(CLASS_OF(self), 
obj, result); \ - return obj; \ - } --BIGNUM_SHIFT(lshift); --BIGNUM_SHIFT(rshift); -+BIGNUM_SHIFT(lshift) -+BIGNUM_SHIFT(rshift) - - #define BIGNUM_SELF_SHIFT(func) \ - /* \ -@@ -494,8 +494,8 @@ BIGNUM_SHIFT(rshift); - ossl_raise(eBNError, NULL); \ - return self; \ - } --BIGNUM_SELF_SHIFT(lshift); --BIGNUM_SELF_SHIFT(rshift); -+BIGNUM_SELF_SHIFT(lshift) -+BIGNUM_SELF_SHIFT(rshift) - - #define BIGNUM_RAND(func) \ - /* \ -@@ -528,8 +528,8 @@ BIGNUM_SELF_SHIFT(rshift); - WrapBN(klass, obj, result); \ - return obj; \ - } --BIGNUM_RAND(rand); --BIGNUM_RAND(pseudo_rand); -+BIGNUM_RAND(rand) -+BIGNUM_RAND(pseudo_rand) - - #define BIGNUM_RAND_RANGE(func) \ - /* \ -@@ -552,8 +552,8 @@ BIGNUM_RAND(pseudo_rand); - WrapBN(klass, obj, result); \ - return obj; \ - } --BIGNUM_RAND_RANGE(rand); --BIGNUM_RAND_RANGE(pseudo_rand); -+BIGNUM_RAND_RANGE(rand) -+BIGNUM_RAND_RANGE(pseudo_rand) - - /* - * call-seq: -@@ -608,8 +608,8 @@ ossl_bn_s_generate_prime(int argc, VALUE - GetBN(self, bn); \ - return INT2FIX(BN_##func(bn)); \ - } --BIGNUM_NUM(num_bytes); --BIGNUM_NUM(num_bits); -+BIGNUM_NUM(num_bytes) -+BIGNUM_NUM(num_bits) - - static VALUE - ossl_bn_copy(VALUE self, VALUE other) -@@ -642,8 +642,8 @@ ossl_bn_copy(VALUE self, VALUE other) - GetBN(self, bn1); \ - return INT2FIX(BN_##func(bn1, bn2)); \ - } --BIGNUM_CMP(cmp); --BIGNUM_CMP(ucmp); -+BIGNUM_CMP(cmp) -+BIGNUM_CMP(ucmp) - - static VALUE - ossl_bn_eql(VALUE self, VALUE other) Index: ext/openssl/ossl_asn1.c =================================================================== --- ext/openssl/ossl_asn1.c.orig @@ -2418,7 +1085,7 @@ Index: ext/openssl/ossl_asn1.c } /* -@@ -214,7 +214,7 @@ obj_to_asn1bstr(VALUE obj, long unused_b +@@ -218,7 +218,7 @@ obj_to_asn1bstr(VALUE obj, long unused_b StringValue(obj); if(!(bstr = ASN1_BIT_STRING_new())) ossl_raise(eASN1Error, NULL); 
@@ -2427,25 +1094,16 @@ Index: ext/openssl/ossl_asn1.c bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT|(unused_bits&0x07); -@@ -306,21 +306,21 @@ obj_to_asn1derstr(VALUE obj) - static VALUE +@@ -311,7 +311,7 @@ static VALUE decode_bool(unsigned char* der, int length) { -- int bool; + int val; - unsigned char *p; -+ int val; + const unsigned char *p; p = der; -- if((bool = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0) -+ if((val = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0) - ossl_raise(eASN1Error, NULL); - -- return bool ? Qtrue : Qfalse; -+ return val ? Qtrue : Qfalse; - } - - static VALUE + if((val = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0) +@@ -324,7 +324,7 @@ static VALUE decode_int(unsigned char* der, int length) { ASN1_INTEGER *ai; @@ -2454,34 +1112,7 @@ Index: ext/openssl/ossl_asn1.c VALUE ret; int status = 0; -@@ -339,7 +339,7 @@ static VALUE - decode_bstr(unsigned char* der, int length, long *unused_bits) - { - ASN1_BIT_STRING *bstr; -- unsigned char *p, *buf; -+ const unsigned char *p; - long len; - VALUE ret; - -@@ -347,16 +347,11 @@ decode_bstr(unsigned char* der, int leng - if(!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length))) - ossl_raise(eASN1Error, NULL); - len = bstr->length; -- if(!(buf = OPENSSL_malloc(len))){ -- ASN1_BIT_STRING_free(bstr); -- ossl_raise(eASN1Error, NULL); -- } - *unused_bits = 0; - if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT) - *unused_bits = bstr->flags & 0x07; -- memcpy(buf, bstr->data, len); -+ ret = rb_str_new((const char *)bstr->data, len); - ASN1_BIT_STRING_free(bstr); -- ret = ossl_buf2str(buf, len); - - return ret; - } -@@ -365,7 +360,7 @@ static VALUE +@@ -364,7 +364,7 @@ static VALUE decode_enum(unsigned char* der, int length) { ASN1_ENUMERATED *ai; @@ -2490,7 +1121,7 @@ Index: ext/openssl/ossl_asn1.c VALUE ret; int status = 0; -@@ -384,7 +379,7 @@ static VALUE +@@ -383,7 +383,7 @@ static VALUE decode_null(unsigned char* der, int length) { ASN1_NULL *null; 
@@ -2499,7 +1130,7 @@ Index: ext/openssl/ossl_asn1.c p = der; if(!(null = d2i_ASN1_NULL(NULL, &p, length))) -@@ -398,7 +393,7 @@ static VALUE +@@ -397,7 +397,7 @@ static VALUE decode_obj(unsigned char* der, int length) { ASN1_OBJECT *obj; @@ -2508,7 +1139,7 @@ Index: ext/openssl/ossl_asn1.c VALUE ret; int nid; BIO *bio; -@@ -427,7 +422,7 @@ static VALUE +@@ -426,7 +426,7 @@ static VALUE decode_time(unsigned char* der, int length) { ASN1_TIME *time; @@ -2517,16 +1148,7 @@ Index: ext/openssl/ossl_asn1.c VALUE ret; int status = 0; -@@ -500,7 +495,7 @@ ossl_asn1_get_asn1type(VALUE obj) - value = ossl_asn1_get_value(obj); - switch(tag){ - case V_ASN1_BOOLEAN: -- ptr = (void*)obj_to_asn1bool(value); -+ ptr = (void*)(VALUE)obj_to_asn1bool(value); - free_func = NULL; - break; - case V_ASN1_INTEGER: /* FALLTHROUGH */ -@@ -702,7 +697,7 @@ ossl_asn1data_to_der(VALUE self) +@@ -701,7 +701,7 @@ ossl_asn1data_to_der(VALUE self) if((length = ASN1_object_size(1, RSTRING_LEN(value), tag)) <= 0) ossl_raise(eASN1Error, NULL); der = rb_str_new(0, length); @@ -2535,7 +1157,7 @@ Index: ext/openssl/ossl_asn1.c ASN1_put_object(&p, is_cons, RSTRING_LEN(value), tag, tag_class); memcpy(p, RSTRING_PTR(value), RSTRING_LEN(value)); p += RSTRING_LEN(value); -@@ -716,6 +711,7 @@ ossl_asn1_decode0(unsigned char **pp, lo +@@ -715,6 +715,7 @@ ossl_asn1_decode0(unsigned char **pp, lo int once, int yield) { unsigned char *start, *p; @@ -2543,7 +1165,7 @@ Index: ext/openssl/ossl_asn1.c long len, off = *offset; int hlen, tag, tc, j; VALUE ary, asn1data, value, tag_class; -@@ -724,7 +720,9 @@ ossl_asn1_decode0(unsigned char **pp, lo +@@ -723,7 +724,9 @@ ossl_asn1_decode0(unsigned char **pp, lo p = *pp; while(length > 0){ start = p; 
@@ -2554,7 +1176,7 @@ Index: ext/openssl/ossl_asn1.c if(j & 0x80) ossl_raise(eASN1Error, NULL); hlen = p - start; if(yield){ -@@ -759,7 +757,7 @@ ossl_asn1_decode0(unsigned char **pp, lo +@@ -758,7 +761,7 @@ ossl_asn1_decode0(unsigned char **pp, lo else value = ossl_asn1_decode0(&p, len, &off, depth+1, 0, yield); } else{ @@ -2563,7 +1185,7 @@ Index: ext/openssl/ossl_asn1.c p += len; off += len; } -@@ -824,7 +822,7 @@ ossl_asn1_traverse(VALUE self, VALUE obj +@@ -823,7 +826,7 @@ ossl_asn1_traverse(VALUE self, VALUE obj obj = ossl_to_der_if_possible(obj); tmp = rb_str_new4(StringValue(obj)); @@ -2572,7 +1194,7 @@ Index: ext/openssl/ossl_asn1.c ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 1); return Qnil; -@@ -840,7 +838,7 @@ ossl_asn1_decode(VALUE self, VALUE obj) +@@ -839,7 +842,7 @@ ossl_asn1_decode(VALUE self, VALUE obj) obj = ossl_to_der_if_possible(obj); tmp = rb_str_new4(StringValue(obj)); @@ -2581,7 +1203,7 @@ Index: ext/openssl/ossl_asn1.c ary = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 1, 0); ret = rb_ary_entry(ary, 0); -@@ -857,7 +855,7 @@ ossl_asn1_decode_all(VALUE self, VALUE o +@@ -856,7 +859,7 @@ ossl_asn1_decode_all(VALUE self, VALUE o obj = ossl_to_der_if_possible(obj); tmp = rb_str_new4(StringValue(obj)); 
@@ -2590,56 +1212,16 @@ Index: ext/openssl/ossl_asn1.c ret = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 0); return ret; -@@ -925,7 +923,7 @@ ossl_asn1prim_to_der(VALUE self) - { - ASN1_TYPE *asn1; - int tn, tc, explicit; -- long length, reallen; -+ long len, reallen; - unsigned char *buf, *p; - VALUE str; - -@@ -934,27 +932,25 @@ ossl_asn1prim_to_der(VALUE self) - explicit = ossl_asn1_is_explicit(self); - asn1 = ossl_asn1_get_asn1type(self); - -- length = ASN1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn); -- if(!(buf = OPENSSL_malloc(length))){ -+ len = ASN1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn); -+ if(!(buf = OPENSSL_malloc(len))){ - ossl_ASN1_TYPE_free(asn1); - ossl_raise(eASN1Error, "cannot alloc buffer"); - } - p = buf; -- if(tc == V_ASN1_UNIVERSAL) ossl_i2d_ASN1_TYPE(asn1, &p); -- else{ -- if(explicit){ -- ASN1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc); -- ossl_i2d_ASN1_TYPE(asn1, &p); -- } -- else{ -- ossl_i2d_ASN1_TYPE(asn1, &p); -- *buf = tc | tn | (*buf & V_ASN1_CONSTRUCTED); -- } -+ if (tc == V_ASN1_UNIVERSAL) { -+ ossl_i2d_ASN1_TYPE(asn1, &p); -+ } else if (explicit) { -+ ASN1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc); -+ ossl_i2d_ASN1_TYPE(asn1, &p); -+ } else { -+ ossl_i2d_ASN1_TYPE(asn1, &p); -+ *buf = tc | tn | (*buf & V_ASN1_CONSTRUCTED); - } +@@ -951,7 +954,7 @@ ossl_asn1prim_to_der(VALUE self) ossl_ASN1_TYPE_free(asn1); reallen = p - buf; -- assert(reallen <= length); + assert(reallen <= len); - str = ossl_buf2str(buf, reallen); /* buf will be free in ossl_buf2str */ -+ assert(reallen <= len); + str = ossl_buf2str((char *)buf, reallen); /* buf will be free in ossl_buf2str */ return str; } -@@ -976,7 +972,7 @@ ossl_asn1cons_to_der(VALUE self) +@@ -973,7 +976,7 @@ ossl_asn1cons_to_der(VALUE self) seq_len = ASN1_object_size(1, RSTRING_LEN(value), tag); length = ASN1_object_size(1, seq_len, tn); str = rb_str_new(0, length); 
@@ -2703,70 +1285,6 @@ Index: ext/openssl/ossl_ssl_session.c ctx = d2i_SSL_SESSION_bio(in, NULL); } -@@ -86,9 +84,18 @@ static VALUE ossl_ssl_session_eq(VALUE v - GetSSLSession(val1, ctx1); - SafeGetSSLSession(val2, ctx2); - -- switch (SSL_SESSION_cmp(ctx1, ctx2)) { -- case 0: return Qtrue; -- default: return Qfalse; -+ /* -+ * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp. -+ * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash -+ * comparing so we should not depend on it. Just compare sessions -+ * by version and id. -+ */ -+ if ((ctx1->ssl_version == ctx2->ssl_version) && -+ (ctx1->session_id_length == ctx2->session_id_length) && -+ (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) { -+ return Qtrue; -+ } else { -+ return Qfalse; - } - } - -@@ -100,7 +107,7 @@ static VALUE ossl_ssl_session_eq(VALUE v - static VALUE ossl_ssl_session_get_time(VALUE self) - { - SSL_SESSION *ctx; -- time_t t; -+ long t; - - GetSSLSession(self, ctx); - -@@ -122,20 +129,20 @@ static VALUE ossl_ssl_session_get_time(V - static VALUE ossl_ssl_session_get_timeout(VALUE self) - { - SSL_SESSION *ctx; -- time_t t; -+ long t; - - GetSSLSession(self, ctx); - - t = SSL_SESSION_get_timeout(ctx); - -- return ULONG2NUM(t); -+ return LONG2NUM(t); - } - - #define SSLSESSION_SET_TIME(func) \ - static VALUE ossl_ssl_session_set_##func(VALUE self, VALUE time_v) \ - { \ - SSL_SESSION *ctx; \ -- time_t t; \ -+ long t; \ - \ - GetSSLSession(self, ctx); \ - \ -@@ -147,7 +154,7 @@ static VALUE ossl_ssl_session_get_timeou - rb_raise(rb_eArgError, "unknown type"); \ - } \ - \ -- t = NUM2ULONG(time_v); \ -+ t = NUM2LONG(time_v); \ - \ - SSL_SESSION_set_##func(ctx, t); \ - \ Index: ext/openssl/ossl_ns_spki.c =================================================================== --- ext/openssl/ossl_ns_spki.c.orig 
@@ -2835,47 +1353,20 @@ Index: ext/openssl/ossl_x509crl.c } BIO_free(in); if (!crl) ossl_raise(eX509CRLError, NULL); -@@ -262,7 +264,7 @@ ossl_x509crl_get_revoked(VALUE self) - VALUE ary, revoked; - - GetX509CRL(self, crl); -- num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl)); -+ num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); - if (num < 0) { - OSSL_Debug("num < 0???"); - return rb_ary_new(); -@@ -270,7 +272,7 @@ ossl_x509crl_get_revoked(VALUE self) - ary = rb_ary_new2(num); - for(i=0; ivalue->type)); rb_ary_push(ret, ary); } -@@ -303,6 +306,27 @@ ossl_x509name_hash(VALUE self) - return ULONG2NUM(hash); - } - -+#ifdef HAVE_X509_NAME_HASH_OLD -+/* -+ * call-seq: -+ * name.hash_old => integer -+ * -+ * hash_old returns MD5 based hash used in OpenSSL 0.9.X. -+ */ -+static VALUE -+ossl_x509name_hash_old(VALUE self) -+{ -+ X509_NAME *name; -+ unsigned long hash; -+ -+ GetX509Name(self, name); -+ -+ hash = X509_NAME_hash_old(name); -+ -+ return ULONG2NUM(hash); -+} -+#endif -+ - /* - * call-seq: - * name.to_der => string -@@ -319,7 +343,7 @@ ossl_x509name_to_der(VALUE self) +@@ -343,7 +343,7 @@ ossl_x509name_to_der(VALUE self) if((len = i2d_X509_NAME(name, NULL)) <= 0) ossl_raise(eX509NameError, NULL); str = rb_str_new(0, len); @@ -2930,16 +1393,6 @@ Index: ext/openssl/ossl_x509name.c if(i2d_X509_NAME(name, &p) <= 0) ossl_raise(eX509NameError, NULL); ossl_str_adjust(str, p); -@@ -348,6 +372,9 @@ Init_ossl_x509name() - rb_define_alias(cX509Name, "<=>", "cmp"); - rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1); - rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0); -+#ifdef HAVE_X509_NAME_HASH_OLD -+ rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0); -+#endif - rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0); - - utf8str = INT2NUM(V_ASN1_UTF8STRING); Index: ext/openssl/ossl_pkey.c =================================================================== --- ext/openssl/ossl_pkey.c.orig 
@@ -2953,18 +1406,15 @@ Index: ext/openssl/ossl_pkey.c VALUE str; if (rb_funcall(self, id_private_q, 0, NULL) != Qtrue) { -@@ -175,9 +175,9 @@ ossl_pkey_sign(VALUE self, VALUE digest, +@@ -175,7 +175,7 @@ ossl_pkey_sign(VALUE self, VALUE digest, StringValue(data); EVP_SignUpdate(&ctx, RSTRING_PTR(data), RSTRING_LEN(data)); str = rb_str_new(0, EVP_PKEY_size(pkey)+16); - if (!EVP_SignFinal(&ctx, RSTRING_PTR(str), &buf_len, pkey)) + if (!EVP_SignFinal(&ctx, (unsigned char *)RSTRING_PTR(str), &buf_len, pkey)) ossl_raise(ePKeyError, NULL); -- assert(buf_len <= RSTRING_LEN(str)); -+ assert((long)buf_len <= RSTRING_LEN(str)); + assert((long)buf_len <= RSTRING_LEN(str)); rb_str_set_len(str, buf_len); - - return str; @@ -194,7 +194,7 @@ ossl_pkey_verify(VALUE self, VALUE diges StringValue(sig); StringValue(data); @@ -2978,17 +1428,7 @@ Index: ext/openssl/openssl_missing.h =================================================================== --- ext/openssl/openssl_missing.h.orig +++ ext/openssl/openssl_missing.h -@@ -18,6 +18,9 @@ extern "C" { - #ifndef TYPEDEF_D2I_OF - typedef char *d2i_of_void(); - #endif -+#ifndef TYPEDEF_I2D_OF -+typedef int i2d_of_void(); -+#endif - - /* - * These functions are not included in headers of OPENSSL <= 0.9.6b -@@ -25,39 +28,39 @@ typedef char *d2i_of_void(); +@@ -28,7 +28,7 @@ typedef int i2d_of_void(); #if !defined(PEM_read_bio_DSAPublicKey) # define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \ 
@@ -2997,45 +1437,35 @@ Index: ext/openssl/openssl_missing.h #endif #if !defined(PEM_write_bio_DSAPublicKey) - # define PEM_write_bio_DSAPublicKey(bp,x) \ -- PEM_ASN1_write_bio((int (*)())i2d_DSAPublicKey,\ -+ PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPublicKey,\ - PEM_STRING_DSA_PUBLIC,\ - bp,(char *)x, NULL, NULL, 0, NULL, NULL) - #endif +@@ -40,27 +40,27 @@ typedef int i2d_of_void(); #if !defined(DSAPrivateKey_dup) --# define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((int (*)())i2d_DSAPrivateKey, \ + # define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, \ - (char *(*)())d2i_DSAPrivateKey,(char *)dsa) -+# define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, \ + (d2i_of_void *)d2i_DSAPrivateKey,(char *)dsa) #endif #if !defined(DSAPublicKey_dup) --# define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((int (*)())i2d_DSAPublicKey, \ + # define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPublicKey, \ - (char *(*)())d2i_DSAPublicKey,(char *)dsa) -+# define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPublicKey, \ + (d2i_of_void *)d2i_DSAPublicKey,(char *)dsa) #endif #if !defined(X509_REVOKED_dup) --# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((int (*)())i2d_X509_REVOKED, \ + # define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \ - (char *(*)())d2i_X509_REVOKED, (char *)rev) -+# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \ + (d2i_of_void *)d2i_X509_REVOKED, (char *)rev) #endif #if !defined(PKCS7_SIGNER_INFO_dup) --# define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((int (*)())i2d_PKCS7_SIGNER_INFO, \ + # define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_SIGNER_INFO, \ - (char *(*)())d2i_PKCS7_SIGNER_INFO, (char *)si) -+# define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_SIGNER_INFO, \ + (d2i_of_void 
*)d2i_PKCS7_SIGNER_INFO, (char *)si) #endif #if !defined(PKCS7_RECIP_INFO_dup) --# define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((int (*)())i2d_PKCS7_RECIP_INFO, \ + # define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_RECIP_INFO, \ - (char *(*)())d2i_PKCS7_RECIP_INFO, (char *)ri) -+# define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_RECIP_INFO, \ + (d2i_of_void *)d2i_PKCS7_RECIP_INFO, (char *)ri) #endif @@ -3071,21 +1501,6 @@ Index: ext/openssl/ossl_pkey_dh.c ossl_raise(eDHError, NULL); } rb_str_set_len(str, len); -@@ -415,10 +415,10 @@ ossl_dh_compute_key(VALUE self, VALUE pu - return str; - } - --OSSL_PKEY_BN(dh, p); --OSSL_PKEY_BN(dh, g); --OSSL_PKEY_BN(dh, pub_key); --OSSL_PKEY_BN(dh, priv_key); -+OSSL_PKEY_BN(dh, p) -+OSSL_PKEY_BN(dh, g) -+OSSL_PKEY_BN(dh, pub_key) -+OSSL_PKEY_BN(dh, priv_key) - - /* - * -----BEGIN DH PARAMETERS----- Index: ext/openssl/ossl_x509cert.c =================================================================== --- ext/openssl/ossl_x509cert.c.orig 
@@ -3159,27 +1574,7 @@ Index: ext/openssl/ossl_pkcs5.c =================================================================== --- ext/openssl/ossl_pkcs5.c.orig +++ ext/openssl/ossl_pkcs5.c -@@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE - VALUE str; - const EVP_MD *md; - int len = NUM2INT(keylen); -+ unsigned char* salt_p; -+ unsigned char* str_p; - - StringValue(pass); - StringValue(salt); - md = GetDigestPtr(digest); -- - str = rb_str_new(0, len); -+ salt_p = (unsigned char*)RSTRING_PTR(salt); -+ str_p = (unsigned char*)RSTRING_PTR(str); - -- if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1) -+ if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1) - ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC"); - - return str; -@@ -72,7 +75,9 @@ ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, +@@ -75,7 +75,9 @@ ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, str = rb_str_new(0, len); @@ -3194,15 +1589,7 @@ Index: ext/openssl/ossl_x509ext.c =================================================================== --- ext/openssl/ossl_x509ext.c.orig +++ ext/openssl/ossl_x509ext.c -@@ -198,6 +198,7 @@ ossl_x509extfactory_initialize(int argc, - ossl_x509extfactory_set_subject_req(self, subject_req); - if (!NIL_P(crl)) - ossl_x509extfactory_set_crl(self, crl); -+ rb_iv_set(self, "@config", Qnil); - - return self; - } -@@ -273,16 +274,17 @@ static VALUE +@@ -274,16 +274,17 @@ static VALUE ossl_x509ext_initialize(int argc, VALUE *argv, VALUE self) { VALUE oid, value, critical; 
@@ -3225,25 +1612,7 @@ Index: ext/openssl/ossl_x509ext.c ossl_raise(eX509ExtError, NULL); return self; } -@@ -323,14 +325,15 @@ ossl_x509ext_set_value(VALUE self, VALUE - ossl_raise(eX509ExtError, "malloc error"); - memcpy(s, RSTRING_PTR(data), RSTRING_LEN(data)); - if(!(asn1s = ASN1_OCTET_STRING_new())){ -- free(s); -+ OPENSSL_free(s); - ossl_raise(eX509ExtError, NULL); - } - if(!M_ASN1_OCTET_STRING_set(asn1s, s, RSTRING_LEN(data))){ -- free(s); -+ OPENSSL_free(s); - ASN1_OCTET_STRING_free(asn1s); - ossl_raise(eX509ExtError, NULL); - } -+ OPENSSL_free(s); - GetX509Ext(self, ext); - X509_EXTENSION_set_data(ext, asn1s); - -@@ -409,7 +412,7 @@ ossl_x509ext_to_der(VALUE obj) +@@ -411,7 +412,7 @@ ossl_x509ext_to_der(VALUE obj) if((len = i2d_X509_EXTENSION(ext, NULL)) <= 0) ossl_raise(eX509ExtError, NULL); str = rb_str_new(0, len); 
@@ -3281,100 +1650,7 @@ Index: ext/openssl/ossl_pkcs7.c } BIO_free(in); ossl_pkcs7_set_data(self, Qnil); -@@ -570,12 +572,11 @@ ossl_pkcs7_add_certificate(VALUE self, V - return self; - } - --static STACK * --pkcs7_get_certs_or_crls(VALUE self, int want_certs) -+static STACK_OF(X509) * -+pkcs7_get_certs(VALUE self) - { - PKCS7 *pkcs7; - STACK_OF(X509) *certs; -- STACK_OF(X509_CRL) *crls; - int i; - - GetPKCS7(self, pkcs7); -@@ -583,17 +584,38 @@ pkcs7_get_certs_or_crls(VALUE self, int - switch(i){ - case NID_pkcs7_signed: - certs = pkcs7->d.sign->cert; -- crls = pkcs7->d.sign->crl; - break; - case NID_pkcs7_signedAndEnveloped: - certs = pkcs7->d.signed_and_enveloped->cert; -+ break; -+ default: -+ certs = NULL; -+ } -+ -+ return certs; -+} -+ -+static STACK_OF(X509_CRL) * -+pkcs7_get_crls(VALUE self) -+{ -+ PKCS7 *pkcs7; -+ STACK_OF(X509_CRL) *crls; -+ int i; -+ -+ GetPKCS7(self, pkcs7); -+ i = OBJ_obj2nid(pkcs7->type); -+ switch(i){ -+ case NID_pkcs7_signed: -+ crls = pkcs7->d.sign->crl; -+ break; -+ case NID_pkcs7_signedAndEnveloped: - crls = pkcs7->d.signed_and_enveloped->crl; - break; - default: -- certs = crls = NULL; -+ crls = NULL; - } - -- return want_certs ? 
certs : crls; -+ return crls; - } - - static VALUE -@@ -608,7 +630,7 @@ ossl_pkcs7_set_certificates(VALUE self, - STACK_OF(X509) *certs; - X509 *cert; - -- certs = pkcs7_get_certs_or_crls(self, 1); -+ certs = pkcs7_get_certs(self); - while((cert = sk_X509_pop(certs))) X509_free(cert); - rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self); - -@@ -618,7 +640,7 @@ ossl_pkcs7_set_certificates(VALUE self, - static VALUE - ossl_pkcs7_get_certificates(VALUE self) - { -- return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1)); -+ return ossl_x509_sk2ary(pkcs7_get_certs(self)); - } - - static VALUE -@@ -648,7 +670,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ar - STACK_OF(X509_CRL) *crls; - X509_CRL *crl; - -- crls = pkcs7_get_certs_or_crls(self, 0); -+ crls = pkcs7_get_crls(self); - while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl); - rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self); - -@@ -658,7 +680,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ar - static VALUE - ossl_pkcs7_get_crls(VALUE self) - { -- return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0)); -+ return ossl_x509crl_sk2ary(pkcs7_get_crls(self)); - } - - static VALUE -@@ -778,7 +800,7 @@ ossl_pkcs7_to_der(VALUE self) +@@ -798,7 +800,7 @@ ossl_pkcs7_to_der(VALUE self) if((len = i2d_PKCS7(pkcs7, NULL)) <= 0) ossl_raise(ePKCS7Error, NULL); str = rb_str_new(0, len); 
@@ -3387,21 +1663,13 @@ Index: ext/openssl/extconf.rb =================================================================== --- ext/openssl/extconf.rb.orig +++ ext/openssl/extconf.rb -@@ -91,12 +91,16 @@ have_func("X509_CRL_add0_revoked") - have_func("X509_CRL_set_issuer_name") - have_func("X509_CRL_set_version") - have_func("X509_CRL_sort") -+have_func("X509_NAME_hash_old") - have_func("X509_STORE_get_ex_data") - have_func("X509_STORE_set_ex_data") +@@ -97,6 +97,9 @@ have_func("X509_STORE_set_ex_data") have_func("OBJ_NAME_do_all_sorted") have_func("SSL_SESSION_get_id") have_func("OPENSSL_cleanse") --if try_compile("#define FOO(a, ...) foo(a, ##__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n") +unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) + have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") +end -+if try_compile("#define FOO(...) foo(__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n") + if try_compile("#define FOO(...) foo(__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n") $defs.push("-DHAVE_VA_ARGS_MACRO") end - if have_header("openssl/engine.h") diff --git a/ruby-rpmlintrc b/ruby-rpmlintrc index b50e727..3f5175f 100644 --- a/ruby-rpmlintrc +++ b/ruby-rpmlintrc @@ -1,4 +1,5 @@ -addFilter("ruby-test-suite spurious-executable-perm.*/usr/share/doc/packages/ruby-test-suite/runruby.rb") -addFilter("ruby non-executable-script /usr/lib.*/ruby/.*") -addFilter("ruby-doc-html wrong-file-end-of-line-encoding /usr/share/doc/packages/ruby/.*") -addFilter("ruby-test-suite zero-length /usr/share/doc/packages/ruby-test-suite/.*") +addFilter("spurious-executable-perm.*/usr/share/doc/packages/ruby-test-suite/runruby.rb") +addFilter("non-executable-script /usr/lib.*/ruby/.*") +addFilter("wrong-file-end-of-line-encoding /usr/share/doc/packages/ruby/.*") +addFilter("zero-length /usr/share/doc/packages/ruby-test-suite/.*") +addFilter("unexpanded-macro.*/usr/share/ri/.*") 
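Review bot: The new filter `addFilter("unexpanded-macro.*/usr/share/ri/.*")` puts a `.*` between the check name and the path where the other four rewritten filters use a single space, so as a regex it matches any unexpanded-macro report whose text contains `/usr/share/ri/` anywhere, and it silences a check that can reveal a real `%macro` leaking into packaged files. Tighten it to `addFilter("unexpanded-macro /usr/share/ri/.*")` and add a one-line comment above it stating why the ri files trigger the check, so the exemption can be re-examined on the next version update.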
diff --git a/ruby.changes b/ruby.changes
index 744ad6a..40bc306 100644
--- a/ruby.changes
+++ b/ruby.changes
@@ -1,8 +1,65 @@ +------------------------------------------------------------------- +Tue Feb 22 16:38:09 UTC 2011 - mrueckert@suse.de + +- update to 1.8.7.p334 (bnc#673740, bnc#673750, bnc#600752) + - A symlink race condition vulnerability was found in + FileUtils.remove_entry_secure. The vulnerability allows local + users to delete arbitrary files and directories. CVE-2011-1004 + - Exception#to_s method can be used to trick $SAFE check, which + makes a untrusted codes to modify arbitrary strings. + CVE-2011-1005 + - Ruby WEBrick character set issue (XSS) CVE-2010-0541 + + for all non security changes see + /usr/share/doc/packages/ruby/ChangeLog + +- refreshed ruby-1.8.x_openssl_branch_update.patch +- buildrequires openssl to make the last openssl test work +- https://github.com/ruby/ruby/commit/1887f60a8540f64f5c7bb14d57c0be70506941b8.patch + * ext/zlib/zlib.c (zstream_append_input2): add RB_GC_GUARD. + This caused failure when test/csv is executed with GC.stress = + true. +- added ruby-1.8.7.p334_remove_zlib_test_params_test.patch: + remove the test_params patch from backport in r27917 + It doesnt pass atm. +- removed ruby-1.8.6.p36_socket_ipv6.patch: + included upstream + +------------------------------------------------------------------- +Tue Sep 7 14:38:54 UTC 2010 - mrueckert@suse.de + +- the testsuite and doc-html package should of course require the + main package + ------------------------------------------------------------------- Fri Jul 2 09:50:00 UTC 2010 - mrueckert@suse.de - add ruby(abi) = 1.8 provides +------------------------------------------------------------------- +Thu Jul 1 15:27:17 UTC 2010 - mrueckert@suse.de + +- update to 1.8.7.p299 (bnc#606056 and bnc#603914) + - OpenSSL 1.0.0 support + - Use OpenSSL engines which exist + - Fixed range and chunked support for Net::HTTP + - Iconv fixes + - Backported pack/unpack from the 1.9 branch (bnc#606056 bnc#603914) + - Multiple fixes in the resolver + - Fixed Unicode inspection bug. 
+ - Escape characters properly for the accesslog (bnc#570616) +- cleaned up rpmlintrc +- refreshed patches: + old: ruby-1.8.7.p22_lib64.patch + new: ruby-1.8.7.p299_lib64.patch + old: ruby_1.8.6.p36_date_remove_privat.patch + new: ruby-1.8.7.p299_date_remove_privat.patch + old: ruby-pedantic-headers.diff + new: ruby-1.8.7.p299_pedantic-headers.patch +- replaced patches ruby-1.8.x_openssl-1.0.patch and + ruby-1.8.x_openssl-1.0-tests.patch with + ruby-1.8.x_openssl_branch_update.patch + ------------------------------------------------------------------- Wed May 19 14:44:51 UTC 2010 - mrueckert@suse.de diff --git a/ruby.spec b/ruby.spec index c62fa49..962564a 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,7 +1,7 @@ # -# spec file for package ruby (Version 1.8.7.p249) +# spec file for package ruby # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,13 +17,12 @@ # norootforbuild - Name: ruby -Version: 1.8.7.p249 -Release: 4 +Version: 1.8.7.p334 +Release: 0 # %define pkg_version 1.8.7 -%define patch_level p249 +%define patch_level p334 %define rb_arch %(echo %{_target_cpu}-linux | sed -e "s/i686/i586/" -e "s/hppa2.0/hppa/" -e "s/ppc/powerpc/") %define rb_ver %(echo %{pkg_version} | sed -e 's/\\\.[0-9]\\\+$//') # @@ -32,6 +31,8 @@ Group: Development/Languages/Ruby # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison gdbm-devel gperf graphviz libjpeg-devel openssl-devel readline-devel tk-devel +# for openssl testsuite +BuildRequires: openssl #define with_bleak_house 1 %if 0%{suse_version} >= 1030 %define use_fdupes 1 
@@ -56,18 +57,20 @@ Url: http://www.ruby-lang.org/ Source: ftp://ftp.ruby-lang.org/pub/ruby/ruby-%{pkg_version}-%{patch_level}.tar.bz2 Source1: irb.1 Source2: ruby-doc-bundle.tar.bz2 -Patch1: ruby-1.8.7.p22_lib64.patch +Patch1: ruby-1.8.7.p299_lib64.patch Patch2: ruby-1.8.7.p22_tcltk-multilib.patch -Patch3: ruby-1.8.6.p36_socket_ipv6.patch -Patch5: ruby_1.8.6.p36_date_remove_privat.patch -Patch6: ruby-pedantic-headers.diff -Patch7: ruby-1.8.7-p72_vendor_specific.patch -Patch8: ruby-1.8.7-p72_topdir.patch -# can be removed on next version update. pulled from svn +Patch5: ruby-1.8.7.p299_date_remove_privat.patch +Patch6: ruby-1.8.7.p299_pedantic-headers.patch +Patch7: ruby-1.8.7.p72_vendor_specific.patch +Patch8: ruby-1.8.7.p72_topdir.patch Patch9: ruby-1.8.x_digest_non_void_return.patch -Patch10: ruby-1.8.x_openssl-1.0.patch -Patch11: ruby-1.8.x_openssl-1.0-tests.patch -Patch12: ruby-1.8.x_yaml2byte.patch +# can be removed on next version update. pulled from svn +Patch10: ruby-1.8.x_openssl_branch_update.patch +Patch11: ruby-1.8.x_yaml2byte.patch +Patch12: 1887f60a8540f64f5c7bb14d57c0be70506941b8.patch +Patch13: ruby-1.8.7.p334_remove_zlib_test_params_test.patch +# need to discuss with sec team which encoding is better +Patch14: ruby-1.8.7.p299_webrick_error_page_encoding.patch # vendor ruby files taken from: # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/ Source3: site-specific.rb @@ -80,7 +83,6 @@ Source6: ruby.macros %endif # Summary: An Interpreted Object-Oriented Scripting Language - %description Ruby is an interpreted scripting language for quick and easy object-oriented programming. It has many features for processing text @@ -125,7 +127,6 @@ Requires: %{name} = %{version} Requires: ruby_with_bleak_house = %{bleak_house_version} Provides: ruby-devel_with_bleak_house = %{bleak_house_version}-%{release} %endif - %description devel Development files to link against Ruby. 
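Review bot: `Patch14: ruby-1.8.7.p299_webrick_error_page_encoding.patch` is declared here, but the %prep hunk at `@@ -253,6 +250,7 @@` only adds `%patch13` and no other hunk of ruby.spec adds a `%patch14`, so the patch is shipped as a source of the package yet never applied to the build. If that is deliberate while the encoding choice is pending, the comment should say so explicitly, e.g. `# NOT applied yet (no %patch14 in %prep): need to discuss with sec team which encoding is better`, so a reader of the CVE-2010-0541 WEBrick entry in ruby.changes does not assume this patch is part of the fix. Otherwise add `%patch14` after `%patch13` in %prep.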
@@ -140,7 +141,6 @@ License: GPLv2+ Group: Development/Languages/Ruby Summary: TCL/TK bindings for Ruby Requires: %{name} = %{version} - %description tk TCL/TK bindings for Ruby @@ -158,7 +158,6 @@ Requires: %{name} = %{version} %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif - %description doc-ri This package contains the RI docs for ruby @@ -172,10 +171,10 @@ Authors: License: GPLv2+ Group: Development/Languages/Ruby Summary: This package contains the HTML docs for ruby +Requires: %{name} = %{version} %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif - %description doc-html This package contains the HTML docs for ruby @@ -188,9 +187,8 @@ Authors: %package examples License: GPLv2+ Group: Development/Languages/Ruby -Summary: Example scripts for ruby Requires: %{name} = %{version} - +Summary: Example scripts for ruby %description examples Example scripts for ruby @@ -203,8 +201,8 @@ Authors: %package test-suite License: GPLv2+ Group: Development/Languages/Ruby +Requires: %{name} = %{version} Summary: An Interpreted Object-Oriented Scripting Language - %description test-suite Ruby is an interpreted scripting language for quick and easy object-oriented programming. It has many features for processing text @@ -244,7 +242,6 @@ Authors: %setup -q -n ruby-%{pkg_version}-%{patch_level} -a2 %{?with_bleak_house:-a6} %patch1 %patch2 -%patch3 %patch5 %patch6 %patch7 @@ -253,6 +250,7 @@ Authors: %patch10 %patch11 %patch12 +%patch13 %if 0%{?with_bleak_house} for patch in valgrind configure gc ; do patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch @@ -262,8 +260,9 @@ find . -type f | xargs -n 1 sed -i "s@#!\s*/usr/local/bin/ruby@#!/usr/bin/ruby@" # make sure it _really_ rebuilds parse.c for us old parse.c + %build -autoreconf -fi +# autoreconf -fi export CFLAGS="%{optflags} -g -fno-strict-aliasing" %configure \ --target=%{_target_platform} \ 
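Review bot: `# autoreconf -fi` in the last hunk disables regeneration of configure in %build with no comment saying why, and neither the ruby.changes entry nor the spec records the reason. Patch1 is renamed to ruby-1.8.7.p299_lib64.patch in this same commit; if that patch adjusts configure.in rather than the generated configure script, its lib64 change no longer reaches the build once autoreconf is skipped, which should be confirmed. Either restore the line or replace it with a comment recording the reason, e.g. `# autoreconf disabled: <reason>; configure.in changes must also be carried in configure`. The %build section continues past the end of this hunk.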
diff --git a/ruby_1.8.6.p36_date_remove_privat.patch b/ruby_1.8.6.p36_date_remove_privat.patch
deleted file mode 100644
index 04cf215..0000000
--- a/ruby_1.8.6.p36_date_remove_privat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-=== lib/date.rb
-==================================================================
---- lib/date.rb (revision 12921)
-+++ lib/date.rb (local)
-@@ -1604,8 +1604,6 @@
- DateTime.new!(DateTime.jd_to_ajd(jd, fr, of), of, DateTime::ITALY)
- end
- 
-- private :to_date, :to_datetime
--
- end
- 
- class Date