[ruby/openssl] Add const qualifiers for OpenSSL 4.0 compatibility

OpenSSL's master branch is changing functions to return const pointers
where the returned objects are not meant to be modified by the caller.

Update ossl_*_new() to take const pointers accordingly. Unfortunately,
*_dup() in older versions of OpenSSL and in LibreSSL/AWS-LC take
non-const pointers, so const casts are required.

ruby/openssl@34c49e6c6c

Author: rhenium

ext/openssl/ossl_ocsp.c

@@ -922,7 +922,7 @@ ossl_ocspbres_get_status(VALUE self)
         VALUE ext = rb_ary_new();
         int ext_count = OCSP_SINGLERESP_get_ext_count(single);
         for (int j = 0; j < ext_count; j++) {
-            X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
+            const X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
             rb_ary_push(ext, ossl_x509ext_new(x509ext));
         }
         rb_ary_push(ary, ext);
@@ -1341,7 +1341,6 @@ static VALUE
 ossl_ocspsres_get_extensions(VALUE self)
 {
     OCSP_SINGLERESP *sres;
-    X509_EXTENSION *ext;
     int count, i;
     VALUE ary;
 
@@ -1350,7 +1349,7 @@ ossl_ocspsres_get_extensions(VALUE self)
     count = OCSP_SINGLERESP_get_ext_count(sres);
     ary = rb_ary_new2(count);
     for (i = 0; i < count; i++) {
-        ext = OCSP_SINGLERESP_get_ext(sres, i);
+        const X509_EXTENSION *ext = OCSP_SINGLERESP_get_ext(sres, i);
         rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
     }
 

ext/openssl/ossl_ts.c

@@ -706,7 +706,7 @@ ossl_ts_resp_get_tsa_certificate(VALUE self)
     TS_RESP *resp;
     PKCS7 *p7;
     PKCS7_SIGNER_INFO *ts_info;
-    X509 *cert;
+    const X509 *cert;
 
     GetTSResponse(self, resp);
     if (!(p7 = TS_RESP_get_token(resp)))

ext/openssl/ossl_x509.h

@@ -29,7 +29,7 @@ void Init_ossl_x509(void);
  */
 extern VALUE cX509Attr;
 
-VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
+VALUE ossl_x509attr_new(const X509_ATTRIBUTE *);
 X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
 void Init_ossl_x509attr(void);
 
@@ -38,15 +38,15 @@ void Init_ossl_x509attr(void);
  */
 extern VALUE cX509Cert;
 
-VALUE ossl_x509_new(X509 *);
+VALUE ossl_x509_new(const X509 *);
 X509 *GetX509CertPtr(VALUE);
 X509 *DupX509CertPtr(VALUE);
 void Init_ossl_x509cert(void);
 
 /*
  * X509CRL
  */
-VALUE ossl_x509crl_new(X509_CRL *);
+VALUE ossl_x509crl_new(const X509_CRL *);
 X509_CRL *GetX509CRLPtr(VALUE);
 void Init_ossl_x509crl(void);
 
@@ -55,14 +55,14 @@ void Init_ossl_x509crl(void);
  */
 extern VALUE cX509Ext;
 
-VALUE ossl_x509ext_new(X509_EXTENSION *);
+VALUE ossl_x509ext_new(const X509_EXTENSION *);
 X509_EXTENSION *GetX509ExtPtr(VALUE);
 void Init_ossl_x509ext(void);
 
 /*
  * X509Name
  */
-VALUE ossl_x509name_new(X509_NAME *);
+VALUE ossl_x509name_new(const X509_NAME *);
 X509_NAME *GetX509NamePtr(VALUE);
 void Init_ossl_x509name(void);
 
@@ -77,7 +77,7 @@ void Init_ossl_x509req(void);
  */
 extern VALUE cX509Rev;
 
-VALUE ossl_x509revoked_new(X509_REVOKED *);
+VALUE ossl_x509revoked_new(const X509_REVOKED *);
 X509_REVOKED *DupX509RevokedPtr(VALUE);
 void Init_ossl_x509revoked(void);
 

ext/openssl/ossl_x509attr.c

@@ -48,13 +48,14 @@ static const rb_data_type_t ossl_x509attr_type = {
  * Public
  */
 VALUE
-ossl_x509attr_new(X509_ATTRIBUTE *attr)
+ossl_x509attr_new(const X509_ATTRIBUTE *attr)
 {
     X509_ATTRIBUTE *new;
     VALUE obj;
 
     obj = NewX509Attr(cX509Attr);
-    new = X509_ATTRIBUTE_dup(attr);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_ATTRIBUTE_dup((X509_ATTRIBUTE *)attr);
     if (!new)
         ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
     SetX509Attr(obj, new);
@@ -196,7 +197,7 @@ ossl_x509attr_set_value(VALUE self, VALUE value)
         ossl_raise(eX509AttrError, "attribute value must be ASN1::Set");
 
     if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
-        ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+        const ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
         X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
         if (!new_attr) {
             sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
@@ -240,7 +241,7 @@ ossl_x509attr_get_value(VALUE self)
 
     count = X509_ATTRIBUTE_count(attr);
     for (i = 0; i < count; i++)
-        sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+        sk_ASN1_TYPE_push(sk, (ASN1_TYPE *)X509_ATTRIBUTE_get0_type(attr, i));
 
     if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
         sk_ASN1_TYPE_free(sk);

ext/openssl/ossl_x509cert.c

@@ -48,13 +48,14 @@ static const rb_data_type_t ossl_x509_type = {
  * Public
  */
 VALUE
-ossl_x509_new(X509 *x509)
+ossl_x509_new(const X509 *x509)
 {
     X509 *new;
     VALUE obj;
 
     obj = NewX509(cX509Cert);
-    new = X509_dup(x509);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_dup((X509 *)x509);
     if (!new)
         ossl_raise(eX509CertError, "X509_dup");
     SetX509(obj, new);
@@ -345,7 +346,7 @@ static VALUE
 ossl_x509_get_subject(VALUE self)
 {
     X509 *x509;
-    X509_NAME *name;
+    const X509_NAME *name;
 
     GetX509(self, x509);
     if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
@@ -380,7 +381,7 @@ static VALUE
 ossl_x509_get_issuer(VALUE self)
 {
     X509 *x509;
-    X509_NAME *name;
+    const X509_NAME *name;
 
     GetX509(self, x509);
     if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
@@ -603,14 +604,13 @@ ossl_x509_get_extensions(VALUE self)
 {
     X509 *x509;
     int count, i;
-    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509(self, x509);
     count = X509_get_ext_count(x509);
     ary = rb_ary_new_capa(count);
     for (i=0; i<count; i++) {
-        ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
+        const X509_EXTENSION *ext = X509_get_ext(x509, i);
         rb_ary_push(ary, ossl_x509ext_new(ext));
     }
 

ext/openssl/ossl_x509crl.c

@@ -58,13 +58,14 @@ GetX509CRLPtr(VALUE obj)
 }
 
 VALUE
-ossl_x509crl_new(X509_CRL *crl)
+ossl_x509crl_new(const X509_CRL *crl)
 {
     X509_CRL *tmp;
     VALUE obj;
 
     obj = NewX509CRL(cX509CRL);
-    tmp = X509_CRL_dup(crl);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    tmp = X509_CRL_dup((X509_CRL *)crl);
     if (!tmp)
         ossl_raise(eX509CRLError, "X509_CRL_dup");
     SetX509CRL(obj, tmp);
@@ -289,7 +290,7 @@ ossl_x509crl_get_revoked(VALUE self)
     num = sk_X509_REVOKED_num(sk);
     ary = rb_ary_new_capa(num);
     for(i=0; i<num; i++) {
-        X509_REVOKED *rev = sk_X509_REVOKED_value(sk, i);
+        const X509_REVOKED *rev = sk_X509_REVOKED_value(sk, i);
         rb_ary_push(ary, ossl_x509revoked_new(rev));
     }
 
@@ -443,14 +444,13 @@ ossl_x509crl_get_extensions(VALUE self)
 {
     X509_CRL *crl;
     int count, i;
-    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509CRL(self, crl);
     count = X509_CRL_get_ext_count(crl);
     ary = rb_ary_new_capa(count);
     for (i=0; i<count; i++) {
-        ext = X509_CRL_get_ext(crl, i); /* NO DUP - don't free! */
+        const X509_EXTENSION *ext = X509_CRL_get_ext(crl, i);
         rb_ary_push(ary, ossl_x509ext_new(ext));
     }
 

ext/openssl/ossl_x509ext.c

@@ -62,13 +62,14 @@ static const rb_data_type_t ossl_x509ext_type = {
  * Public
  */
 VALUE
-ossl_x509ext_new(X509_EXTENSION *ext)
+ossl_x509ext_new(const X509_EXTENSION *ext)
 {
     X509_EXTENSION *new;
     VALUE obj;
 
     obj = NewX509Ext(cX509Ext);
-    new = X509_EXTENSION_dup(ext);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_EXTENSION_dup((X509_EXTENSION *)ext);
     if (!new)
         ossl_raise(eX509ExtError, "X509_EXTENSION_dup");
     SetX509Ext(obj, new);
@@ -338,12 +339,20 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
     GetX509Ext(self, ext);
     data = ossl_to_der_if_possible(data);
     StringValue(data);
-    asn1s = X509_EXTENSION_get_data(ext);
 
+    asn1s = ASN1_OCTET_STRING_new();
+    if (!asn1s)
+        ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_new");
     if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
                                RSTRING_LENINT(data))) {
+        ASN1_OCTET_STRING_free(asn1s);
         ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
     }
+    if (!X509_EXTENSION_set_data(ext, asn1s)) {
+        ASN1_OCTET_STRING_free(asn1s);
+        ossl_raise(eX509ExtError, "X509_EXTENSION_set_data");
+    }
+    ASN1_OCTET_STRING_free(asn1s);
 
     return data;
 }
@@ -386,7 +395,7 @@ ossl_x509ext_get_value(VALUE obj)
     if (!(out = BIO_new(BIO_s_mem())))
         ossl_raise(eX509ExtError, NULL);
     if (!X509V3_EXT_print(out, ext, 0, 0))
-        ASN1_STRING_print(out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
+        ASN1_STRING_print(out, X509_EXTENSION_get_data(ext));
     ret = ossl_membio2str(out);
 
     return ret;
@@ -396,7 +405,7 @@ static VALUE
 ossl_x509ext_get_value_der(VALUE obj)
 {
     X509_EXTENSION *ext;
-    ASN1_OCTET_STRING *value;
+    const ASN1_OCTET_STRING *value;
 
     GetX509Ext(obj, ext);
     if ((value = X509_EXTENSION_get_data(ext)) == NULL)

ext/openssl/ossl_x509name.c

@@ -53,13 +53,14 @@ static const rb_data_type_t ossl_x509name_type = {
  * Public
  */
 VALUE
-ossl_x509name_new(X509_NAME *name)
+ossl_x509name_new(const X509_NAME *name)
 {
     X509_NAME *new;
     VALUE obj;
 
     obj = NewX509Name(cX509Name);
-    new = X509_NAME_dup(name);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_NAME_dup((X509_NAME *)name);
     if (!new)
         ossl_raise(eX509NameError, "X509_NAME_dup");
     SetX509Name(obj, new);

ext/openssl/ossl_x509req.c

@@ -231,7 +231,7 @@ static VALUE
 ossl_x509req_get_subject(VALUE self)
 {
     X509_REQ *req;
-    X509_NAME *name;
+    const X509_NAME *name;
 
     GetX509Req(self, req);
     if (!(name = X509_REQ_get_subject_name(req))) { /* NO DUP - don't free */
@@ -351,7 +351,7 @@ ossl_x509req_get_attributes(VALUE self)
 {
     X509_REQ *req;
     int count, i;
-    X509_ATTRIBUTE *attr;
+    const X509_ATTRIBUTE *attr;
     VALUE ary;
 
     GetX509Req(self, req);

ext/openssl/ossl_x509revoked.c

@@ -48,13 +48,14 @@ static const rb_data_type_t ossl_x509rev_type = {
  * PUBLIC
  */
 VALUE
-ossl_x509revoked_new(X509_REVOKED *rev)
+ossl_x509revoked_new(const X509_REVOKED *rev)
 {
     X509_REVOKED *new;
     VALUE obj;
 
     obj = NewX509Rev(cX509Rev);
-    new = X509_REVOKED_dup(rev);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_REVOKED_dup((X509_REVOKED *)rev);
     if (!new)
         ossl_raise(eX509RevError, "X509_REVOKED_dup");
     SetX509Rev(obj, new);
@@ -185,7 +186,7 @@ ossl_x509revoked_get_extensions(VALUE self)
 {
     X509_REVOKED *rev;
     int count, i;
-    X509_EXTENSION *ext;
+    const X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509Rev(self, rev);