
ruby-changes:16384

From: shyouhei <ko1@a...>
Date: Mon, 21 Jun 2010 18:19:22 +0900 (JST)
Subject: [ruby-changes:16384] Ruby:r28367 (ruby_1_8_7): merge revision(s) 26836:26859,26861,27921:

shyouhei	2010-06-21 18:18:59 +0900 (Mon, 21 Jun 2010)

  New Revision: 28367

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=28367

  Log:
    merge revision(s) 26836:26859,26861,27921:
    * ext/openssl/ossl_ssl_session.c
      (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
      backporting. (see [ruby-dev:40573])  use long in according to
      OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
    * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
      for X509_NAME_hash_old in OpenSSL 1.0.0.
    * test/openssl/test_x509name.rb (test_hash): make test pass with
      OpenSSL 1.0.0.
    * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
      * PKey::PKey#verify raises an exception when a given PKey does not
        match with signature.
      * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
    * backport the commit from trunk:
      Sun Feb 28 11:49:35 2010  NARUSE, Yui  <naruse@r...>
    * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
      patched by Jeroen van Meeuwen at [ruby-core:25210]
      fixed by Nobuyoshi Nakada [ruby-core:25238],
      Hongli Lai [ruby-core:27417],
      and Motohiro KOSAKI [ruby-core:28063]
    * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
      (ossl_ssl_cipher_to_ary): constified.
    * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
      split pkcs7_get_certs_or_crls.
    * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
      truncated with ec_key.group.order.size after openssl 0.9.8m for
      FIPS 186-3 compliance.
      WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
      openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
      OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
      false when you pass dgst longer than expected (no truncation
      performed).
    * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
    * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
      macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
      OpenSSL 1.0.0beta5 has a slightly different definition so it could
      be a temporary workaround for 0.9.8 and 1.0.0 dual support.
    * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
      definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
      (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
    * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
      SSL_SESSION_cmp and implement equality func by ourselves.  See the
      comment.
    * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
    * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
      exists.

  Modified files:
    branches/ruby_1_8_7/ChangeLog
    branches/ruby_1_8_7/ext/openssl/extconf.rb
    branches/ruby_1_8_7/ext/openssl/ossl.c
    branches/ruby_1_8_7/ext/openssl/ossl.h
    branches/ruby_1_8_7/ext/openssl/ossl_config.c
    branches/ruby_1_8_7/ext/openssl/ossl_engine.c
    branches/ruby_1_8_7/ext/openssl/ossl_pkcs5.c
    branches/ruby_1_8_7/ext/openssl/ossl_pkcs7.c
    branches/ruby_1_8_7/ext/openssl/ossl_pkey_ec.c
    branches/ruby_1_8_7/ext/openssl/ossl_ssl.c
    branches/ruby_1_8_7/ext/openssl/ossl_ssl_session.c
    branches/ruby_1_8_7/ext/openssl/ossl_x509attr.c
    branches/ruby_1_8_7/ext/openssl/ossl_x509crl.c
    branches/ruby_1_8_7/ext/openssl/ossl_x509name.c
    branches/ruby_1_8_7/test/openssl/test_ec.rb
    branches/ruby_1_8_7/test/openssl/test_x509cert.rb
    branches/ruby_1_8_7/test/openssl/test_x509crl.rb
    branches/ruby_1_8_7/test/openssl/test_x509req.rb
    branches/ruby_1_8_7/version.h

Index: ruby_1_8_7/ext/openssl/ossl_x509attr.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_x509attr.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_x509attr.c	(revision 28367)
@@ -217,8 +217,9 @@
 	ossl_str_adjust(str, p);
     }
     else{
-	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL,
-			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
+			(unsigned char **) NULL, i2d_ASN1_TYPE,
+			V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
 	str = rb_str_new(0, length);
 	p = RSTRING_PTR(str);
 	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
Index: ruby_1_8_7/ext/openssl/ossl_ssl.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_ssl.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_ssl.c	(revision 28367)
@@ -1196,10 +1196,10 @@
     }
     chain = SSL_get_peer_cert_chain(ssl);
     if(!chain) return Qnil;
-    num = sk_num(chain);
+    num = sk_X509_num(chain);
     ary = rb_ary_new2(num);
     for (i = 0; i < num; i++){
-	cert = (X509*)sk_value(chain, i);
+	cert = sk_X509_value(chain, i);
 	rb_ary_push(ary, ossl_x509_new(cert));
     }
 
Index: ruby_1_8_7/ext/openssl/ossl_engine.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_engine.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_engine.c	(revision 28367)
@@ -61,16 +61,34 @@
     }
     StringValue(name);
 #ifndef OPENSSL_NO_STATIC_ENGINE
+#if HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+#endif
+#if HAVE_ENGINE_LOAD_CSWIFT
     OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#endif
+#if HAVE_ENGINE_LOAD_CHIL
     OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#endif
+#if HAVE_ENGINE_LOAD_ATALLA
     OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+#endif
+#if HAVE_ENGINE_LOAD_NURON
     OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+#endif
+#if HAVE_ENGINE_LOAD_UBSEC
     OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+#endif
+#if HAVE_ENGINE_LOAD_AEP
     OSSL_ENGINE_LOAD_IF_MATCH(aep);
+#endif
+#if HAVE_ENGINE_LOAD_SUREWARE
     OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#endif
+#if HAVE_ENGINE_LOAD_4758CCA
     OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
 #endif
+#endif
 #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
     OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
 #endif
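Review bot: `HAVE_ENGINE_LOAD_DYNAMIC` now guards the `dynamic` engine, but the extconf.rb hunk of this commit adds `have_func` probes only for 4758cca, aep, atalla, chil, cswift, nuron, sureware and ubsec. Unless `ENGINE_load_dynamic` is probed somewhere in extconf.rb that the hunk does not show, the macro is never defined and the dynamic engine silently stops being loaded; adding `have_func("ENGINE_load_dynamic")` next to the other probes would close that gap. The new guards also use `#if` while the neighbouring `HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO` check uses `#ifdef`; `#ifdef` would be consistent and stays quiet under `-Wundef`. The enclosing function starts and ends outside the hunk.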
Index: ruby_1_8_7/ext/openssl/ossl_config.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_config.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_config.c	(revision 28367)
@@ -313,6 +313,12 @@
 }
 
 #ifdef IMPLEMENT_LHASH_DOALL_ARG_FN
+#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \
+            void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
+		                o_type a = (o_type)arg1; \
+		                a_type b = (a_type)arg2; \
+		                f_name(a,b); }
+
 static void
 get_conf_section(CONF_VALUE *cv, VALUE ary)
 {
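Review bot: The new `IMPLEMENT_LHASH_DOALL_ARG_FN_098` macro carries no comment explaining why it replaces OpenSSL's own macro; the rationale exists only in the ChangeLog. A short comment above the `#define`, such as `/* Local copy of IMPLEMENT_LHASH_DOALL_ARG_FN from OpenSSL 0.9.8m; 1.0.0 defines it differently. Temporary, for 0.9.8/1.0.0 dual support. */`, would keep a later cleanup from removing it. The macro also converts `void *arg2` to `a_type` with a plain cast, which for `VALUE` assumes a pointer fits in `VALUE`; that is presumably true on the supported platforms but is worth stating in the same comment. The surrounding `#ifdef IMPLEMENT_LHASH_DOALL_ARG_FN` closes outside the hunk.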
@@ -320,7 +326,7 @@
     rb_ary_push(ary, rb_str_new2(cv->section));
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE)
 
 static VALUE
 ossl_config_get_sections(VALUE self)
@@ -358,7 +364,7 @@
     rb_str_cat2(str, "\n");
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE)
 
 static VALUE
 dump_conf(CONF *conf)
@@ -402,7 +408,7 @@
     }
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*)
 
 static VALUE
 ossl_config_each(VALUE self)
Index: ruby_1_8_7/ext/openssl/ossl_pkey_ec.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_pkey_ec.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_pkey_ec.c	(revision 28367)
@@ -681,7 +681,7 @@
 
 /*
  *  call-seq:
- *     key.dsa_verify(data, sig)   => true or false
+ *     key.dsa_verify_asn1(data, sig)   => true or false
  *
  *  See the OpenSSL documentation for ECDSA_verify()
  */
Index: ruby_1_8_7/ext/openssl/ossl.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl.c	(revision 28367)
@@ -92,7 +92,7 @@
 
 #define OSSL_IMPL_SK2ARY(name, type)	        \
 VALUE						\
-ossl_##name##_sk2ary(STACK *sk)			\
+ossl_##name##_sk2ary(STACK_OF(type) *sk)	\
 {						\
     type *t;					\
     int i, num;					\
@@ -102,7 +102,7 @@
 	OSSL_Debug("empty sk!");		\
 	return Qnil;				\
     }						\
-    num = sk_num(sk);				\
+    num = sk_##type##_num(sk);			\
     if (num < 0) {				\
 	OSSL_Debug("items in sk < -1???");	\
 	return rb_ary_new();			\
@@ -110,7 +110,7 @@
     ary = rb_ary_new2(num);			\
 						\
     for (i=0; i<num; i++) {			\
-	t = (type *)sk_value(sk, i);		\
+	t = sk_##type##_value(sk, i);		\
 	rb_ary_push(ary, ossl_##name##_new(t));	\
     }						\
     return ary;					\
Index: ruby_1_8_7/ext/openssl/ossl.h
===================================================================
--- ruby_1_8_7/ext/openssl/ossl.h	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl.h	(revision 28367)
@@ -108,6 +108,13 @@
 } while (0)
 
 /*
+ * Compatibility
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#define STACK _STACK
+#endif
+
+/*
  * String to HEXString conversion
  */
 int string2hex(char *, int, char **, int *);
Index: ruby_1_8_7/ext/openssl/ossl_ssl_session.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_ssl_session.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_ssl_session.c	(revision 28367)
@@ -86,9 +86,18 @@
 	GetSSLSession(val1, ctx1);
 	SafeGetSSLSession(val2, ctx2);
 
-	switch (SSL_SESSION_cmp(ctx1, ctx2)) {
-	case 0:		return Qtrue;
-	default:	return Qfalse;
+	/*
+	 * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp.
+	 * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash
+	 * comparing so we should not depend on it.  Just compare sessions
+	 * by version and id.
+	 */
+	if ((ctx1->ssl_version == ctx2->ssl_version) &&
+	    (ctx1->session_id_length == ctx2->session_id_length) &&
+	    (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) {
+	    return Qtrue;
+	} else {
+	    return Qfalse;
 	}
 }
 
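Review bot: When both sessions have `session_id_length == 0`, the `memcmp` over zero bytes returns 0, so any two sessions without an ID and with the same `ssl_version` compare equal. If that is not intended, guard the case before the comparison, e.g. `if (ctx1->session_id_length == 0) return (ctx1 == ctx2) ? Qtrue : Qfalse;`. Equality is now decided by version and ID alone, so the comment should also say that `==` does not establish that the two objects hold the same key material or peer data. The function starts outside the hunk.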
Index: ruby_1_8_7/ext/openssl/ossl_x509crl.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_x509crl.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_x509crl.c	(revision 28367)
@@ -262,7 +262,7 @@
     VALUE ary, revoked;
 
     GetX509CRL(self, crl);
-    num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl));
+    num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
     if (num < 0) {
 	OSSL_Debug("num < 0???");
 	return rb_ary_new();
@@ -270,7 +270,7 @@
     ary = rb_ary_new2(num);
     for(i=0; i<num; i++) {
 	/* NO DUP - don't free! */
-	rev = (X509_REVOKED *)sk_X509_CRL_value(X509_CRL_get_REVOKED(crl), i);
+	rev = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
 	revoked = ossl_x509revoked_new(rev);
 	rb_ary_push(ary, revoked);
     }
Index: ruby_1_8_7/ext/openssl/ossl_x509name.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_x509name.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_x509name.c	(revision 28367)
@@ -306,8 +306,29 @@
     return ULONG2NUM(hash);
 }
 
+#ifdef HAVE_X509_NAME_HASH_OLD
 /*
  * call-seq:
+ *    name.hash_old => integer
+ *
+ * hash_old returns MD5 based hash used in OpenSSL 0.9.X.
+ */
+static VALUE
+ossl_x509name_hash_old(VALUE self)
+{
+    X509_NAME *name;
+    unsigned long hash;
+
+    GetX509Name(self, name);
+
+    hash = X509_NAME_hash_old(name);
+
+    return ULONG2NUM(hash);
+}
+#endif
+
+/*
+ * call-seq:
  *    name.to_der => string
  */
 static VALUE
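Review bot: The rdoc for `hash_old` says only that the value is an "MD5 based hash", which invites using it as an identity or integrity check. It should state the purpose and the limitation, for example ` * Returns the MD5-based name hash of OpenSSL 0.9.x, presumably for matching legacy hashed certificate directory entries; it is not collision resistant and must not be used to identify a name.` The method is only defined when `HAVE_X509_NAME_HASH_OLD` is set, so the doc could also tell callers to check `respond_to?(:hash_old)`.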
@@ -351,6 +372,9 @@
     rb_define_alias(cX509Name, "<=>", "cmp");
     rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1);
     rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0);
+#ifdef HAVE_X509_NAME_HASH_OLD
+    rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0);
+#endif
     rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0);
 
     utf8str = INT2NUM(V_ASN1_UTF8STRING);
Index: ruby_1_8_7/ext/openssl/ossl_pkcs5.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_pkcs5.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_pkcs5.c	(revision 28367)
@@ -29,14 +29,17 @@
     VALUE str;
     const EVP_MD *md;
     int len = NUM2INT(keylen);
+    unsigned char* salt_p;
+    unsigned char* str_p;
 
     StringValue(pass);
     StringValue(salt);
     md = GetDigestPtr(digest);
-
     str = rb_str_new(0, len);
+    salt_p = (unsigned char*)RSTRING_PTR(salt);
+    str_p = (unsigned char*)RSTRING_PTR(str);
 
-    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
+    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1)
         ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
 
     return str;
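Review bot: `NUM2INT(iter)` is passed to `PKCS5_PBKDF2_HMAC` without a range check, so a zero or negative iteration count reaches OpenSSL unchecked; depending on the OpenSSL version this may yield a key derived with effectively one iteration rather than an error. Rejecting it up front is cheap: `if (NUM2INT(iter) <= 0) rb_raise(rb_eArgError, "iterations must be positive");`. `RSTRING_LEN(pass)` and `RSTRING_LEN(salt)` are `long` values narrowed to the function's `int` length parameters, which is worth a bounds check as well. The function starts outside the hunk.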
Index: ruby_1_8_7/ext/openssl/ossl_pkcs7.c
===================================================================
--- ruby_1_8_7/ext/openssl/ossl_pkcs7.c	(revision 28366)
+++ ruby_1_8_7/ext/openssl/ossl_pkcs7.c	(revision 28367)
@@ -570,11 +570,33 @@
     return self;
 }
 
-static STACK *
-pkcs7_get_certs_or_crls(VALUE self, int want_certs)
+static STACK_OF(X509) *
+pkcs7_get_certs(VALUE self)
 {
     PKCS7 *pkcs7;
     STACK_OF(X509) *certs;
+    int i;
+
+    GetPKCS7(self, pkcs7);
+    i = OBJ_obj2nid(pkcs7->type);
+    switch(i){
+    case NID_pkcs7_signed:
+        certs = pkcs7->d.sign->cert;
+        break;
+    case NID_pkcs7_signedAndEnveloped:
+        certs = pkcs7->d.signed_and_enveloped->cert;
+        break;
+    default:
+        certs = NULL;
+    }
+
+    return certs;
+}
+
+static STACK_OF(X509_CRL) *
+pkcs7_get_crls(VALUE self)
+{
+    PKCS7 *pkcs7;
     STACK_OF(X509_CRL) *crls;
     int i;
 
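Review bot: `pkcs7_get_certs` and `pkcs7_get_crls` return the stack stored inside the PKCS7 object, or NULL for any content type other than signed and signedAndEnveloped, and neither fact is documented. A comment above each helper would do: `/* Returns the PKCS7's own stack (not a copy; do not free), or NULL unless the type is signed or signedAndEnveloped. */`. The setters in the later hunks pass the result straight to `sk_X509_pop` / `sk_X509_CRL_pop`, so the NULL case relies on those calls tolerating a NULL stack; stating that next to the call, or returning early, would make it explicit. `pkcs7_get_crls` continues in the next hunk.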
@@ -582,18 +604,16 @@
     i = OBJ_obj2nid(pkcs7->type);
     switch(i){
     case NID_pkcs7_signed:
-        certs = pkcs7->d.sign->cert;
         crls = pkcs7->d.sign->crl;
         break;
     case NID_pkcs7_signedAndEnveloped:
-        certs = pkcs7->d.signed_and_enveloped->cert;
         crls = pkcs7->d.signed_and_enveloped->crl;
         break;
     default:
-        certs = crls = NULL;
+        crls = NULL;
     }
 
-    return want_certs ? certs : crls;
+    return crls;
 }
 
 static VALUE
@@ -608,7 +628,7 @@
     STACK_OF(X509) *certs;
     X509 *cert;
 
-    certs = pkcs7_get_certs_or_crls(self, 1);
+    certs = pkcs7_get_certs(self);
     while((cert = sk_X509_pop(certs))) X509_free(cert);
     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self);
 
@@ -618,7 +638,7 @@
 static VALUE
 ossl_pkcs7_get_certificates(VALUE self)
 {
-    return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1));
+    return ossl_x509_sk2ary(pkcs7_get_certs(self));
 }
 
 static VALUE
@@ -648,7 +668,7 @@
     STACK_OF(X509_CRL) *crls;
     X509_CRL *crl;
 
-    crls = pkcs7_get_certs_or_crls(self, 0);
+    crls = pkcs7_get_crls(self);
     while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl);
     rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self);
 
@@ -658,7 +678,7 @@
 static VALUE
 ossl_pkcs7_get_crls(VALUE self)
 {
-    return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0));
+    return ossl_x509crl_sk2ary(pkcs7_get_crls(self));
 }
 
 static VALUE
Index: ruby_1_8_7/ext/openssl/extconf.rb
===================================================================
--- ruby_1_8_7/ext/openssl/extconf.rb	(revision 28366)
+++ ruby_1_8_7/ext/openssl/extconf.rb	(revision 28367)
@@ -91,6 +91,7 @@
 have_func("X509_CRL_set_issuer_name")
 have_func("X509_CRL_set_version")
 have_func("X509_CRL_sort")
+have_func("X509_NAME_hash_old")
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
 have_func("OBJ_NAME_do_all_sorted")
@@ -106,6 +107,14 @@
   have_func("ENGINE_get_digest")
   have_func("ENGINE_get_cipher")
   have_func("ENGINE_cleanup")
+  have_func("ENGINE_load_4758cca")
+  have_func("ENGINE_load_aep")
+  have_func("ENGINE_load_atalla")
+  have_func("ENGINE_load_chil")
+  have_func("ENGINE_load_cswift")
+  have_func("ENGINE_load_nuron")
+  have_func("ENGINE_load_sureware")
+  have_func("ENGINE_load_ubsec")
 end
 if try_compile(<<SRC)
 #include <openssl/opensslv.h>
Index: ruby_1_8_7/ChangeLog
===================================================================
--- ruby_1_8_7/ChangeLog	(revision 28366)
+++ ruby_1_8_7/ChangeLog	(revision 28367)
@@ -1,3 +1,78 @@
+Mon Jun 21 18:12:15 2010  NAKAMURA Usaku  <usa@r...>
+
+	* ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
+
+	* ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
+	  exists.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
+	  macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
+	  OpenSSL 1.0.0beta5 has a slightly different definiton so it could
+	  be a temporal workaround for 0.9.8 and 1.0.0 dual support.
+
+	* ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
+	  definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
+	  (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
+
+	* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
+	  SSL_SESSION_cmp and implement equality func by ousrself.  See the
+	  comment.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* ext/openssl/ossl_ssl_session.c
+	  (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
+	  backporting. (see [ruby-dev:40573])  use long in according to
+	  OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
+	  for X509_NAME_hash_old in OpenSSL 1.0.0.
+
+	* test/openssl/test_x509name.rb (test_hash): make test pass with
+	  OpenSSL 1.0.0.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+	  * PKey::PKey#verify raises an exception when a given PKey does not
+	    match with signature.
+	  * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* backport the commit from trunk:
+	  Sun Feb 28 11:49:35 2010  NARUSE, Yui  <naruse@r...>
+
+	* openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
+	  patched by Jeroen van Meeuwen at [ruby-core:25210]
+	  fixed by Nobuyoshi Nakada [ruby-core:25238],
+	  Hongli Lai [ruby-core:27417],
+	  and Motohiro KOSAKI [ruby-core:28063]
+
+	* ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
+	  (ossl_ssl_cipher_to_ary): constified.
+
+	* ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
+	  split pkcs7_get_certs_or_crls.
+
+Mon Jun 21 18:12:15 2010  NAKAMURA, Hiroshi  <nahi@r...>
+
+	* test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
+	  truncated with ec_key.group.order.size after openssl 0.9.8m for
+	  FIPS 186-3 compliance.
+
+	  WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
+	  openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
+	  OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
+	  false when you pass dgst longer than expected (no truncation
+	  performed).
+
+	* ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
+
 Wed Jun 16 16:01:42 2010  Tanaka Akira  <akr@f...>
 
 	* lib/pathname.rb (Pathname#sub): suppress a warning.
Index: ruby_1_8_7/version.h
===================================================================
--- ruby_1_8_7/version.h	(revision 28366)
+++ ruby_1_8_7/version.h	(revision 28367)
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-06-16"
+#define RUBY_RELEASE_DATE "2010-06-21"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20100616
-#define RUBY_PATCHLEVEL 296
+#define RUBY_RELEASE_CODE 20100621
+#define RUBY_PATCHLEVEL 297
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
 #define RUBY_RELEASE_YEAR 2010
 #define RUBY_RELEASE_MONTH 6
-#define RUBY_RELEASE_DAY 16
+#define RUBY_RELEASE_DAY 21
 
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];
Index: ruby_1_8_7/test/openssl/test_x509cert.rb
===================================================================
--- ruby_1_8_7/test/openssl/test_x509cert.rb	(revision 28366)
+++ ruby_1_8_7/test/openssl/test_x509cert.rb	(revision 28367)
@@ -129,13 +129,31 @@
 
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, cert_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, cert_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CertificateError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new) 
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.serial = 2
     assert_equal(false, cert.verify(@rsa2048))
 
@@ -143,33 +161,22 @@
                       nil, nil, OpenSSL::Digest::MD5.new) 
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
-    assert_equal(false, cert.verify(@dsa256))
-    assert_equal(false, cert.verify(@dsa512))
     cert.subject = @ee1
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::DSS1.new) 
-    assert_equal(false, cert.verify(@rsa1024))
-    assert_equal(false, cert.verify(@rsa2048))
     assert_equal(false, cert.verify(@dsa256))
     assert_equal(true,  cert.verify(@dsa512))
     cert.not_after = Time.now 
     assert_equal(false, cert.verify(@dsa512))
+  end
 
+  def test_dsig_algorithm_mismatch
     assert_raises(OpenSSL::X509::CertificateError){
       cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                         nil, nil, OpenSSL::Digest::DSS1.new) 
     }
-    assert_raises(OpenSSL::X509::CertificateError){
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::MD5.new) 
-    }
-    assert_raises(OpenSSL::X509::CertificateError){
-      cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new) 
-    }
+    end
   end
 end
-
-end
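Review bot: The `end` that closes `test_dsig_algorithm_mismatch` is indented four spaces while its `def` sits at two, and the two following `end` lines are each shifted by one level as a result. The count still balances, but the layout now suggests the method closes one line later than it does, and `ruby -w` reports mismatched indentation for this shape. Keeping the original closing layout (`  end` for the method, `end` for the class, a blank line, then the final `end`) avoids that; the outer structure is outside the hunk, so this is inferred from the removed lines. The `cert =` assignment inside the `assert_raises` block is unused and can be dropped.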
Index: ruby_1_8_7/test/openssl/test_ec.rb
===================================================================
--- ruby_1_8_7/test/openssl/test_ec.rb	(revision 28366)
+++ ruby_1_8_7/test/openssl/test_ec.rb	(revision 28367)
@@ -87,9 +87,7 @@
   def test_dsa_sign_verify
     for key in @keys
       sig = key.dsa_sign_asn1(@data1)
-      assert_equal(key.dsa_verify_asn1(@data1, sig), true)
-        
-      assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+      assert(key.dsa_verify_asn1(@data1, sig))
     end
   end
 
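Review bot: This hunk removes the only assertion about `dsa_sign_asn1(@data2)`, and the diff for test_ec.rb contains no other hunk, although the log message says `test_dsa_sign_asn1_FIPS186_3` was added. As merged, the behaviour for a digest longer than the group order is no longer tested on either OpenSSL line. The backport should include that test, asserting the truncating behaviour on 0.9.8m and later and the `OpenSSL::PKey::ECError` / `false` results described in the log's WARNING on earlier versions. A negative case for `dsa_verify_asn1` with different data under the same signature would also be worth having if the file does not already cover it.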
Index: ruby_1_8_7/test/openssl/test_x509crl.rb
===================================================================
--- ruby_1_8_7/test/openssl/test_x509crl.rb	(revision 28366)
+++ ruby_1_8_7/test/openssl/test_x509crl.rb	(revision 28367)
@@ -190,6 +190,30 @@
     assert_match((2**100).to_s, crl.extensions[0].value)
   end
 
+  def test_sign_and_verify_wrong_key_type
+    cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::SHA1.new)
+    crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+    cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+                      nil, nil, OpenSSL::Digest::DSS1.new)
+    crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, crl_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, crl_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::CRLError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
                       nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
     assert_equal(true,  crl.verify(@rsa2048))
-    assert_equal(false, crl.verify(@dsa256))
-    assert_equal(false, crl.verify(@dsa512))
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
 
@@ -206,8 +228,6 @@
                       nil, nil, OpenSSL::Digest::DSS1.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, crl.verify(@rsa1024))
-    assert_equal(false, crl.verify(@rsa2048))
     assert_equal(false, crl.verify(@dsa256))
     assert_equal(true,  crl.verify(@dsa512))
     crl.version = 0
Index: ruby_1_8_7/test/openssl/test_x509req.rb
===================================================================
--- ruby_1_8_7/test/openssl/test_x509req.rb	(revision 28366)
+++ ruby_1_8_7/test/openssl/test_x509req.rb	(revision 28367)
@@ -103,37 +103,51 @@
     assert_equal(exts, get_ext_req(attrs[1].value))
   end
 
+  def test_sign_and_verify_wrong_key_type
+    req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+    req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+    begin
+      assert_equal(false, req_rsa.verify(@dsa256))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+
+    begin
+      assert_equal(false, req_dsa.verify(@rsa1024))
+    rescue OpenSSL::X509::RequestError => e
+      # OpenSSL 1.0.0 added checks for pkey OID
+      assert_equal('wrong public key type', e.message)
+    end
+  end
+
   def test_sign_and_verify
     req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
     assert_equal(true,  req.verify(@rsa1024))
     assert_equal(false, req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.version = 1
     assert_equal(false, req.verify(@rsa1024))
 
     req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
     assert_equal(false, req.verify(@rsa1024))
     assert_equal(true,  req.verify(@rsa2048))
-    assert_equal(false, req.verify(@dsa256))
-    assert_equal(false, req.verify(@dsa512))
     req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
     assert_equal(false, req.verify(@rsa2048))
 
     req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
-    assert_equal(false, req.verify(@rsa1024))
-    assert_equal(false, req.verify(@rsa2048))
     assert_equal(false, req.verify(@dsa256))
     assert_equal(true,  req.verify(@dsa512))
     req.public_key = @rsa1024.public_key
     assert_equal(false, req.verify(@dsa512))
+  end
 
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
-    assert_raise(OpenSSL::X509::RequestError){
-      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+  def test_dsig_algorithm_mismatch
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
+    end
+    assert_raise(OpenSSL::X509::RequestError) do
+      issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
+    end
   end
 end
 
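Review bot: `test_dsig_algorithm_mismatch` here still asserts that `issue_csr` with `@dsa512` and `OpenSSL::Digest::MD5` raises, while the method of the same name in test_x509cert.rb drops the DSA-with-MD5 case in this commit. If DSA signing with MD5 is still expected to be rejected on both OpenSSL lines, the certificate test should keep the assertion too; if it is not, this one will fail on some builds. A comment such as `# DSA with MD5 is rejected by both 0.9.8 and 1.0.0` above the second `assert_raise` would record which of the two is intended.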

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
