openssl-custom 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. checksums.yaml +7 -0
  2. data/BSDL +22 -0
  3. data/CONTRIBUTING.md +132 -0
  4. data/History.md +485 -0
  5. data/LICENSE.txt +56 -0
  6. data/README.md +66 -0
  7. data/ext/openssl/extconf.rb +190 -0
  8. data/ext/openssl/openssl_missing.c +106 -0
  9. data/ext/openssl/openssl_missing.h +257 -0
  10. data/ext/openssl/ossl.c +1282 -0
  11. data/ext/openssl/ossl.h +181 -0
  12. data/ext/openssl/ossl_asn1.c +1878 -0
  13. data/ext/openssl/ossl_asn1.h +62 -0
  14. data/ext/openssl/ossl_bio.c +42 -0
  15. data/ext/openssl/ossl_bio.h +16 -0
  16. data/ext/openssl/ossl_bn.c +1270 -0
  17. data/ext/openssl/ossl_bn.h +26 -0
  18. data/ext/openssl/ossl_cipher.c +1075 -0
  19. data/ext/openssl/ossl_cipher.h +20 -0
  20. data/ext/openssl/ossl_config.c +89 -0
  21. data/ext/openssl/ossl_config.h +19 -0
  22. data/ext/openssl/ossl_digest.c +425 -0
  23. data/ext/openssl/ossl_digest.h +20 -0
  24. data/ext/openssl/ossl_engine.c +567 -0
  25. data/ext/openssl/ossl_engine.h +19 -0
  26. data/ext/openssl/ossl_hmac.c +389 -0
  27. data/ext/openssl/ossl_hmac.h +18 -0
  28. data/ext/openssl/ossl_kdf.c +303 -0
  29. data/ext/openssl/ossl_kdf.h +6 -0
  30. data/ext/openssl/ossl_ns_spki.c +405 -0
  31. data/ext/openssl/ossl_ns_spki.h +19 -0
  32. data/ext/openssl/ossl_ocsp.c +2013 -0
  33. data/ext/openssl/ossl_ocsp.h +23 -0
  34. data/ext/openssl/ossl_pkcs12.c +257 -0
  35. data/ext/openssl/ossl_pkcs12.h +13 -0
  36. data/ext/openssl/ossl_pkcs7.c +1098 -0
  37. data/ext/openssl/ossl_pkcs7.h +36 -0
  38. data/ext/openssl/ossl_pkey.c +673 -0
  39. data/ext/openssl/ossl_pkey.h +241 -0
  40. data/ext/openssl/ossl_pkey_dh.c +650 -0
  41. data/ext/openssl/ossl_pkey_dsa.c +664 -0
  42. data/ext/openssl/ossl_pkey_ec.c +1827 -0
  43. data/ext/openssl/ossl_pkey_rsa.c +966 -0
  44. data/ext/openssl/ossl_rand.c +200 -0
  45. data/ext/openssl/ossl_rand.h +18 -0
  46. data/ext/openssl/ossl_ssl.c +3080 -0
  47. data/ext/openssl/ossl_ssl.h +36 -0
  48. data/ext/openssl/ossl_ssl_session.c +332 -0
  49. data/ext/openssl/ossl_ts.c +1524 -0
  50. data/ext/openssl/ossl_ts.h +16 -0
  51. data/ext/openssl/ossl_x509.c +262 -0
  52. data/ext/openssl/ossl_x509.h +115 -0
  53. data/ext/openssl/ossl_x509attr.c +324 -0
  54. data/ext/openssl/ossl_x509cert.c +846 -0
  55. data/ext/openssl/ossl_x509crl.c +542 -0
  56. data/ext/openssl/ossl_x509ext.c +491 -0
  57. data/ext/openssl/ossl_x509name.c +590 -0
  58. data/ext/openssl/ossl_x509req.c +441 -0
  59. data/ext/openssl/ossl_x509revoked.c +300 -0
  60. data/ext/openssl/ossl_x509store.c +902 -0
  61. data/ext/openssl/ruby_missing.h +24 -0
  62. data/lib/openssl/bn.rb +40 -0
  63. data/lib/openssl/buffering.rb +478 -0
  64. data/lib/openssl/cipher.rb +67 -0
  65. data/lib/openssl/config.rb +501 -0
  66. data/lib/openssl/digest.rb +73 -0
  67. data/lib/openssl/hmac.rb +13 -0
  68. data/lib/openssl/marshal.rb +30 -0
  69. data/lib/openssl/pkcs5.rb +22 -0
  70. data/lib/openssl/pkey.rb +42 -0
  71. data/lib/openssl/ssl.rb +542 -0
  72. data/lib/openssl/version.rb +5 -0
  73. data/lib/openssl/x509.rb +369 -0
  74. data/lib/openssl.rb +38 -0
  75. metadata +196 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: a04ec81f313c5f606922d81938d8f3303e7cc3b40e8d4320689b9e67d3478c47
4
+ data.tar.gz: 327338b3a80ce8b17201348a60da763db4503674a195f83afdcfb7923eac409c
5
+ SHA512:
6
+ metadata.gz: 815753d2248d5ee3f164ca526d73c31e7b2cdf356ede8bb9d57f9c39c715f44052cd223ed54ef28f5b7a9c3520c01bb6bf756ad088ea6e4c4e50f5903a4d7b27
7
+ data.tar.gz: 33abff1e75462a949525d0ef8f5dd9fc0cbd5ce9c9421d2924b2b5e4e3687c595d9d151a3c7b4fe926ab723dc251d3da403e4f1dff5bc6e9f0e74a55a0399f0e
data/BSDL ADDED
@@ -0,0 +1,22 @@
1
+ Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
2
+
3
+ Redistribution and use in source and binary forms, with or without
4
+ modification, are permitted provided that the following conditions
5
+ are met:
6
+ 1. Redistributions of source code must retain the above copyright
7
+ notice, this list of conditions and the following disclaimer.
8
+ 2. Redistributions in binary form must reproduce the above copyright
9
+ notice, this list of conditions and the following disclaimer in the
10
+ documentation and/or other materials provided with the distribution.
11
+
12
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22
+ SUCH DAMAGE.
data/CONTRIBUTING.md ADDED
@@ -0,0 +1,132 @@
1
+ # Contributing to Ruby OpenSSL
2
+
3
+ Thank you for your interest in contributing to Ruby OpenSSL!
4
+
5
+ This documentation provides an overview how you can contribute.
6
+
7
+ ## Bugs and feature requests
8
+
9
+ Bugs and feature requests are tracked on [GitHub].
10
+
11
+ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
12
+ security issues here, there is a separate procedure which is described on
13
+ ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
14
+
15
+ When reporting a bug, please make sure you include:
16
+ * Ruby version
17
+ * OpenSSL gem version
18
+ * OpenSSL library version
19
+ * A sample file that illustrates the problem or link to the repository or
20
+ gem that is associated with the bug.
21
+
22
+ There are a number of unresolved issues and feature requests for openssl that
23
+ need review. Before submitting a new ticket, it is recommended to check
24
+ [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
25
+
26
+ ## Submitting patches
27
+
28
+ Patches are also very welcome!
29
+
30
+ Please submit a [pull request] with your changes.
31
+
32
+ Make sure that your branch does:
33
+
34
+ * Have good commit messages
35
+ * Follow Ruby's coding style ([DeveloperHowTo])
36
+ * Pass the test suite successfully (see "Testing")
37
+ * Add an entry to [History.md] if necessary
38
+
39
+ ## Testing
40
+
41
+ We have a test suite!
42
+
43
+ Test cases are located under the
44
+ [`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
45
+
46
+ You can run it with the following three commands:
47
+
48
+ ```
49
+ $ rake install_dependencies # installs rake-compiler, test-unit, ...
50
+ $ rake compile
51
+ $ rake test
52
+ ```
53
+
54
+ ### Docker
55
+
56
+ You can also use Docker Compose to run tests. It can be used to check that your
57
+ changes work correctly with various supported versions of Ruby and OpenSSL.
58
+
59
+ First, you need to install [Docker](https://www.docker.com/products/docker) and
60
+ [Docker Compose](https://www.docker.com/products/docker-compose) on your
61
+ computer.
62
+
63
+ If you're on MacOS or Windows, we recommended to use the official [Docker
64
+ Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
65
+ instructions for your package manager. For further information, please check
66
+ the [official documentation](https://docs.docker.com/).
67
+
68
+ Once you have Docker and Docker Compose, running the following commands will
69
+ build the container and execute the openssl tests. In this example, we will use
70
+ Ruby version 2.3 with OpenSSL version 1.0.2.
71
+
72
+ ```
73
+ $ docker-compose build
74
+ $ export RUBY_VERSION=ruby-2.3
75
+ $ export OPENSSL_VERSION=openssl-1.0.2
76
+ $ docker-compose run test
77
+
78
+ # You may want an interactive shell for dubugging
79
+ $ docker-compose run debug
80
+ ```
81
+
82
+ All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
83
+ [`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
84
+
85
+ **NOTE**: these commands must be run from the openssl repository root, in order
86
+ to use the
87
+ [`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
88
+ file we have provided.
89
+
90
+ This Docker image is built using the
91
+ [Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
92
+ provided in the repository.
93
+
94
+
95
+ ## Relation with Ruby source tree
96
+
97
+ After Ruby 2.3, `ext/openssl` was converted into a "default gem", a library
98
+ which ships with standard Ruby builds but can be upgraded via RubyGems. This
99
+ means the development of this gem has migrated to a [separate
100
+ repository][GitHub] and will be released independently.
101
+
102
+ The version included in the Ruby source tree (trunk branch) is synchronized with
103
+ the latest release.
104
+
105
+ ## Release policy
106
+
107
+ Bug fixes (including security fixes) will be made only for the version series
108
+ included in a stable Ruby release.
109
+
110
+ ## Security
111
+
112
+ If you discovered a security issue, please send us in private, using the
113
+ security issue handling procedure for Ruby core.
114
+
115
+ You can either use [HackerOne] or send an email to security@ruby-lang.org.
116
+
117
+ Please see [Security] page on ruby-lang.org website for details.
118
+
119
+ Reported problems will be published after a fix is released.
120
+
121
+ _Thanks for your contributions!_
122
+
123
+ _\- The Ruby OpenSSL team_
124
+
125
+ [GitHub]: https://github.com/ruby/openssl
126
+ [known issues]: https://github.com/ruby/openssl/issues
127
+ [bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
128
+ [DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
129
+ [HackerOne]: https://hackerone.com/ruby
130
+ [Security]: https://www.ruby-lang.org/en/security/
131
+ [pull request]: https://github.com/ruby/openssl/compare
132
+ [History.md]: https://github.com/ruby/openssl/tree/master/History.md
data/History.md ADDED
@@ -0,0 +1,485 @@
1
+ Version 2.2.2
2
+ =============
3
+
4
+ Merged changes in 2.1.4.
5
+
6
+
7
+ Version 2.2.1
8
+ =============
9
+
10
+ Merged changes in 2.1.3. Additionally, the following issues are fixed by this
11
+ release.
12
+
13
+ Bug fixes
14
+ ---------
15
+
16
+ * Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
17
+ invalid arguments are given.
18
+ [[GitHub #407]](https://github.com/ruby/openssl/pull/407)
19
+ * Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
20
+ where `time_t` has a different size from `long`.
21
+ [[GitHub #454]](https://github.com/ruby/openssl/pull/454)
22
+
23
+
24
+ Version 2.2.0
25
+ =============
26
+
27
+ Compatibility notes
28
+ -------------------
29
+
30
+ * Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
31
+ * Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
32
+ [[GitHub #266]](https://github.com/ruby/openssl/pull/266)
33
+ * Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
34
+ [[GitHub #322]](https://github.com/ruby/openssl/pull/322)
35
+
36
+
37
+ Notable changes
38
+ ---------------
39
+
40
+ * Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
41
+ 5 to `Socket::SOMAXCONN`.
42
+ [[GitHub #286]](https://github.com/ruby/openssl/issues/286)
43
+ * Make `OpenSSL::HMAC#==` use a timing safe string comparison.
44
+ [[GitHub #284]](https://github.com/ruby/openssl/pull/284)
45
+ * Add support for SHA3 and BLAKE digests.
46
+ [[GitHub #282]](https://github.com/ruby/openssl/pull/282)
47
+ * Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
48
+ returning an `OpenSSL::SSL::SSLSocket` for it.
49
+ [[GitHub #225]](https://github.com/ruby/openssl/issues/225)
50
+ * Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
51
+ [[GitHub #281]](https://github.com/ruby/openssl/pull/281)
52
+ [[GitHub #363]](https://github.com/ruby/openssl/pull/363)
53
+ * Add `OpenSSL.secure_compare` for timing safe string comparison for
54
+ strings of possibly unequal length.
55
+ [[GitHub #280]](https://github.com/ruby/openssl/pull/280)
56
+ * Add `OpenSSL.fixed_length_secure_compare` for timing safe string
57
+ comparison for strings of equal length.
58
+ [[GitHub #269]](https://github.com/ruby/openssl/pull/269)
59
+ * Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
60
+ for last finished message sent and received.
61
+ [[GitHub #250]](https://github.com/ruby/openssl/pull/250)
62
+ * Add `OpenSSL::Timestamp` module for handing timestamp requests and
63
+ responses.
64
+ [[GitHub #204]](https://github.com/ruby/openssl/pull/204)
65
+ * Add helper methods for `OpenSSL::X509::Certificate`:
66
+ `find_extension`, `subject_key_identifier`,
67
+ `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
68
+ `ocsp_uris`, and for `OpenSSL::X509::CRL`:
69
+ `find_extension` and `subject_key_identifier`.
70
+ [[GitHub #260]](https://github.com/ruby/openssl/pull/260)
71
+ [[GitHub #275]](https://github.com/ruby/openssl/pull/275)
72
+ [[GitHub #293]](https://github.com/ruby/openssl/pull/293)
73
+ * Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
74
+ [[GitHub #261]](https://github.com/ruby/openssl/pull/261)
75
+ * Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
76
+ `crt_params` to do proper private key serialization.
77
+ [[GitHub #258]](https://github.com/ruby/openssl/pull/258)
78
+ * Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
79
+ underlying socket file descriptor number.
80
+ [[GitHub #247]](https://github.com/ruby/openssl/pull/247)
81
+ * Support client certificates with TLS 1.3, and support post-handshake
82
+ authentication with OpenSSL 1.1.1+.
83
+ [[GitHub #239]](https://github.com/ruby/openssl/pull/239)
84
+ * Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
85
+ * Add `OpenSSL::X509::Extension#value_der` for the raw value of
86
+ the extension.
87
+ [[GitHub #234]](https://github.com/ruby/openssl/pull/234)
88
+ * Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
89
+ [[GitHub #212]](https://github.com/ruby/openssl/pull/212)
90
+ * Ensure all valid IPv6 addresses are considered valid as elements
91
+ of subjectAlternativeName in certificates.
92
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
93
+ * Allow recipient's certificate to be omitted in PCKS7#decrypt.
94
+ [[GitHub #183]](https://github.com/ruby/openssl/pull/183)
95
+ * Add support for reading keys in PKCS #8 format and export via instance methods
96
+ added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
97
+ `public_to_der` and `public_to_pem`.
98
+ [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
99
+
100
+
101
+ Version 2.1.4
102
+ =============
103
+
104
+ Bug fixes
105
+ ---------
106
+
107
+ * Do not use pkg-config if --with-openssl-dir option is specified.
108
+ [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
109
+
110
+
111
+ Version 2.1.3
112
+ =============
113
+
114
+ Bug fixes
115
+ ---------
116
+
117
+ * Fix deprecation warnings on Ruby 3.0.
118
+ * Add ".include" directive support in `OpenSSL::Config`.
119
+ [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
120
+ * Fix handling of IPv6 address SANs.
121
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
122
+ * Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
123
+ sets a proper error code.
124
+ [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
125
+ * Fix crash with `OpenSSL::BN.new(nil, 2)`.
126
+ [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
127
+ * `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
128
+ being modified by another thread.
129
+ [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
130
+ * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
131
+ for output.
132
+ * Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
133
+ [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
134
+ * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
135
+ newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
136
+ OpenSSL 3.0 API.
137
+ [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
138
+ * Activate `digest` gem correctly. `digest` library could go into an
139
+ inconsistent state if there are multiple versions of `digest` is installed
140
+ and `openssl` is `require`d before `digest`.
141
+ [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
142
+ * Fix GC.compact compatibility.
143
+ [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
144
+ [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
145
+
146
+
147
+ Version 2.1.2
148
+ =============
149
+
150
+ Merged changes in 2.0.9.
151
+
152
+
153
+ Version 2.1.1
154
+ =============
155
+
156
+ Merged changes in 2.0.8.
157
+
158
+
159
+ Version 2.1.0
160
+ =============
161
+
162
+ Notable changes
163
+ ---------------
164
+
165
+ * Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5
166
+ is removed.
167
+ [[GitHub #86]](https://github.com/ruby/openssl/pull/86)
168
+ * OpenSSL::BN#negative?, #+@, and #-@ are added.
169
+ * OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
170
+ certificate verification fails.
171
+ [[GitHub #99]](https://github.com/ruby/openssl/pull/99)
172
+ * OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved
173
+ from OpenSSL::PKCS5, scrypt and HKDF are supported.
174
+ [[GitHub #109]](https://github.com/ruby/openssl/pull/109)
175
+ [[GitHub #173]](https://github.com/ruby/openssl/pull/173)
176
+ * OpenSSL.fips_mode is added. We had the setter, but not the getter.
177
+ [[GitHub #125]](https://github.com/ruby/openssl/pull/125)
178
+ * OpenSSL::OCSP::Request#signed? is added.
179
+ * OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
180
+ no longer wrongly treats the end-of-contents octets as part of the content.
181
+ OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length.
182
+ [[GitHub #98]](https://github.com/ruby/openssl/pull/98)
183
+ * OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
184
+ 'loc' and 'set'.
185
+ [[GitHub #94]](https://github.com/ruby/openssl/issues/94)
186
+ * OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace
187
+ #ssl_version= that was built on top of the deprecated OpenSSL C API. Use of
188
+ that method and the constant OpenSSL::SSL::SSLContext::METHODS is now
189
+ deprecated.
190
+ [[GitHub #142]](https://github.com/ruby/openssl/pull/142)
191
+ * OpenSSL::X509::Name#to_utf8 is added.
192
+ [[GitHub #26]](https://github.com/ruby/openssl/issues/26)
193
+ [[GitHub #143]](https://github.com/ruby/openssl/pull/143)
194
+ * OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be
195
+ compared with == operator.
196
+ [[GitHub #161]](https://github.com/ruby/openssl/pull/161)
197
+ * TLS Fallback Signaling Cipher Suite Value (SCSV) support is added.
198
+ [[GitHub #165]](https://github.com/ruby/openssl/pull/165)
199
+ * Build failure with OpenSSL 1.1 built with no-deprecated is fixed.
200
+ [[GitHub #160]](https://github.com/ruby/openssl/pull/160)
201
+ * OpenSSL::Buffering#write accepts an arbitrary number of arguments.
202
+ [[Feature #9323]](https://bugs.ruby-lang.org/issues/9323)
203
+ [[GitHub #162]](https://github.com/ruby/openssl/pull/162)
204
+ * OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS
205
+ signature and verification.
206
+ [[GitHub #75]](https://github.com/ruby/openssl/issues/75)
207
+ [[GitHub #76]](https://github.com/ruby/openssl/pull/76)
208
+ [[GitHub #169]](https://github.com/ruby/openssl/pull/169)
209
+ * OpenSSL::SSL::SSLContext#add_certificate is added.
210
+ [[GitHub #167]](https://github.com/ruby/openssl/pull/167)
211
+ * OpenSSL::PKey::EC::Point#to_octet_string is added.
212
+ OpenSSL::PKey::EC::Point.new can now take String as the second argument.
213
+ [[GitHub #177]](https://github.com/ruby/openssl/pull/177)
214
+
215
+
216
+ Version 2.0.9
217
+ =============
218
+
219
+ Security fixes
220
+ --------------
221
+
222
+ * OpenSSL::X509::Name#<=> could incorrectly return 0 (= equal) for non-equal
223
+ objects. CVE-2018-16395 is assigned for this issue.
224
+ https://hackerone.com/reports/387250
225
+
226
+ Bug fixes
227
+ ---------
228
+
229
+ * Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
230
+ interrupted.
231
+ [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
232
+ [[GitHub #205]](https://github.com/ruby/openssl/pull/205)
233
+ * Fixed OpenSSL::X509::Name#to_s failing with OpenSSL::X509::NameError if
234
+ called against an empty instance.
235
+ [[GitHub #200]](https://github.com/ruby/openssl/issues/200)
236
+ [[GitHub #211]](https://github.com/ruby/openssl/pull/211)
237
+
238
+
239
+ Version 2.0.8
240
+ =============
241
+
242
+ Bug fixes
243
+ ---------
244
+
245
+ * OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration
246
+ count is given.
247
+ [[GitHub #184]](https://github.com/ruby/openssl/pull/184)
248
+ * Fixed build with LibreSSL 2.7.
249
+ [[GitHub #192]](https://github.com/ruby/openssl/issues/192)
250
+ [[GitHub #193]](https://github.com/ruby/openssl/pull/193)
251
+
252
+
253
+ Version 2.0.7
254
+ =============
255
+
256
+ Bug fixes
257
+ ---------
258
+
259
+ * OpenSSL::Cipher#auth_data= could segfault if called against a non-AEAD cipher.
260
+ [[Bug #14024]](https://bugs.ruby-lang.org/issues/14024)
261
+ * OpenSSL::X509::Certificate#public_key= (and similar methods) could segfault
262
+ when an instance of OpenSSL::PKey::PKey with no public key components is
263
+ passed.
264
+ [[Bug #14087]](https://bugs.ruby-lang.org/issues/14087)
265
+ [[GitHub #168]](https://github.com/ruby/openssl/pull/168)
266
+
267
+
268
+ Version 2.0.6
269
+ =============
270
+
271
+ Bug fixes
272
+ ---------
273
+
274
+ * The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
275
+ during GC.
276
+ * A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
277
+ [[GitHub #139]](https://github.com/ruby/openssl/pull/139)
278
+ * OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
279
+ [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
280
+ * OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
281
+ destination buffer String to 0 on error.
282
+ [[GitHub #153]](https://github.com/ruby/openssl/pull/153)
283
+ * Possible deadlock is fixed. This happened only when built with older versions
284
+ of OpenSSL (before 1.1.0) or LibreSSL.
285
+ [[GitHub #155]](https://github.com/ruby/openssl/pull/155)
286
+
287
+
288
+ Version 2.0.5
289
+ =============
290
+
291
+ Bug fixes
292
+ ---------
293
+
294
+ * Reading a PEM/DER-encoded private key or certificate from an IO object did
295
+ not work properly on mswin platforms.
296
+ [[ruby/openssl#128]](https://github.com/ruby/openssl/issues/128)
297
+ * Broken length check in the PEM passphrase callback is fixed.
298
+ * It failed to compile when OpenSSL is configured without TLS 1.0 support.
299
+
300
+
301
+ Version 2.0.4
302
+ =============
303
+
304
+ Bug fixes
305
+ ---------
306
+
307
+ * It now compiles with LibreSSL without renaming on Windows (mswin).
308
+ * A workaround for the error queue leak of X509_load_cert_crl_file() that
309
+ causes random errors is added.
310
+ [[Bug #11033]](https://bugs.ruby-lang.org/issues/11033)
311
+
312
+
313
+ Version 2.0.3
314
+ =============
315
+
316
+ Bug fixes
317
+ ---------
318
+
319
+ * OpenSSL::ASN1::Constructive#each which was broken by 2.0.0 is fixed.
320
+ [[ruby/openssl#96]](https://github.com/ruby/openssl/pull/96)
321
+ * Fixed build with static OpenSSL libraries on Windows.
322
+ [[Bug #13080]](https://bugs.ruby-lang.org/issues/13080)
323
+ * OpenSSL::X509::Name#eql? which was broken by 2.0.0 is fixed.
324
+
325
+
326
+ Version 2.0.2
327
+ =============
328
+
329
+ Bug fixes
330
+ ---------
331
+
332
+ * Fix build with early 0.9.8 series which did not have SSL_CTX_clear_options().
333
+ [ruby-core:78693]
334
+
335
+
336
+ Version 2.0.1
337
+ =============
338
+
339
+ Bug fixes
340
+ ---------
341
+
342
+ * A GC issue around OpenSSL::BN is fixed.
343
+ [[ruby/openssl#87]](https://github.com/ruby/openssl/issues/87)
344
+ * OpenSSL::ASN1 now parses BER encoding of GeneralizedTime without seconds.
345
+ [[ruby/openssl#88]](https://github.com/ruby/openssl/pull/88)
346
+
347
+
348
+ Version 2.0.0
349
+ =============
350
+
351
+ This is the first release of openssl gem, formerly a standard library of Ruby,
352
+ ext/openssl. This is the successor of the version included in Ruby 2.3.
353
+
354
+ Compatibility notes
355
+ -------------------
356
+
357
+ * Support for OpenSSL version 0.9.6 and 0.9.7 is completely removed. openssl gem
358
+ still works with OpenSSL 0.9.8, but users are strongly encouraged to upgrade
359
+ to at least 1.0.1, as OpenSSL < 1.0.1 will not receive any security fixes from
360
+ the OpenSSL development team.
361
+
362
+ Supported platforms
363
+ -------------------
364
+
365
+ * OpenSSL 1.0.0, 1.0.1, 1.0.2, 1.1.0
366
+ * OpenSSL < 0.9.8 is no longer supported.
367
+ * LibreSSL 2.3, 2.4, 2.5
368
+ * Ruby 2.3, 2.4
369
+
370
+ Notable changes
371
+ ---------------
372
+
373
+ * Add support for OpenSSL 1.1.0.
374
+ [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
375
+ * Add support for LibreSSL
376
+
377
+ * OpenSSL::Cipher
378
+
379
+ - OpenSSL::Cipher#key= and #iv= reject too long inputs. They used to truncate
380
+ silently. [[Bug #12561]](https://bugs.ruby-lang.org/issues/12561)
381
+
382
+ - OpenSSL::Cipher#iv_len= is added. It allows changing IV (nonce) length if
383
+ using AEAD ciphers.
384
+ [[Bug #8667]](https://bugs.ruby-lang.org/issues/8667),
385
+ [[Bug #10420]](https://bugs.ruby-lang.org/issues/10420),
386
+ [[GH ruby/ruby#569]](https://github.com/ruby/ruby/pull/569),
387
+ [[GH ruby/openssl#58]](https://github.com/ruby/openssl/pull/58)
388
+
389
+ - OpenSSL::Cipher#auth_tag_len= is added. This sets the authentication tag
390
+ length to be generated by an AEAD cipher.
391
+
392
+ * OpenSSL::OCSP
393
+
394
+ - Accessor methods are added to OpenSSL::OCSP::CertificateId.
395
+ [[Feature #7181]](https://bugs.ruby-lang.org/issues/7181)
396
+
397
+ - OpenSSL::OCSP::Request and BasicResponse can be signed with non-SHA-1 hash
398
+ algorithm. [[Feature #11552]](https://bugs.ruby-lang.org/issues/11552)
399
+
400
+ - OpenSSL::OCSP::CertificateId and BasicResponse can be encoded into DER.
401
+
402
+ - A new class OpenSSL::OCSP::SingleResponse is added for convenience.
403
+
404
+ - OpenSSL::OCSP::BasicResponse#add_status accepts absolute times. They used to
405
+ accept only relative seconds from the current time.
406
+
407
+ * OpenSSL::PKey
408
+
409
+ - OpenSSL::PKey::EC follows the general PKey interface.
410
+ [[Bug #6567]](https://bugs.ruby-lang.org/issues/6567)
411
+
412
+ - OpenSSL::PKey.read raises OpenSSL::PKey::PKeyError instead of ArgumentError
413
+ for consistency with OpenSSL::PKey::{DH,DSA,RSA,EC}#new.
414
+ [[Bug #11774]](https://bugs.ruby-lang.org/issues/11774),
415
+ [[GH ruby/openssl#55]](https://github.com/ruby/openssl/pull/55)
416
+
417
+ - OpenSSL::PKey::EC::Group retrieved by OpenSSL::PKey::EC#group is no longer
418
+ linked with the EC key. Modifications to the EC::Group have no effect on the
419
+ key. [[GH ruby/openssl#71]](https://github.com/ruby/openssl/pull/71)
420
+
421
+ - OpenSSL::PKey::EC::Point#to_bn allows specifying the point conversion form
422
+ by the optional argument.
423
+
424
+ * OpenSSL::SSL
425
+
426
+ - OpenSSL::SSL::SSLSocket#tmp_key is added. A client can call it after the
427
+ connection is established to retrieve the ephemeral key.
428
+ [[GH ruby/ruby#1318]](https://github.com/ruby/ruby/pull/1318)
429
+
430
+ - The automatic ephemeral ECDH curve selection is enabled by default when
431
+ built with OpenSSL >= 1.0.2 or LibreSSL.
432
+
433
+ - OpenSSL::SSL::SSLContext#security_level= is added. You can set the "security
434
+ level" of the SSL context. This is effective only when built with OpenSSL
435
+ 1.1.0.
436
+
437
+ - A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
438
+ is enabled, and the SNI hostname is also set, the hostname verification on
439
+ the server certificate is automatically performed. It is now enabled by
440
+ OpenSSL::SSL::SSLContext#set_params.
441
+ [[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
442
+
443
+ Removals
444
+ --------
445
+
446
+ * OpenSSL::Engine
447
+
448
+ - OpenSSL::Engine.cleanup does nothing when built with OpenSSL 1.1.0.
449
+
450
+ * OpenSSL::SSL
451
+
452
+ - OpenSSL::PKey::DH::DEFAULT_512 is removed. Hence servers no longer use
453
+ 512-bit DH group by default. It is considered too weak nowadays.
454
+ [[Bug #11968]](https://bugs.ruby-lang.org/issues/11968),
455
+ [[GH ruby/ruby#1196]](https://github.com/ruby/ruby/pull/1196)
456
+
457
+ - RC4 cipher suites are removed from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
458
+ RC4 is now considered to be weak.
459
+ [[GH ruby/openssl#50]](https://github.com/ruby/openssl/pull/50)
460
+
461
+ Deprecations
462
+ ------------
463
+
464
+ * OpenSSL::PKey
465
+
466
+ - OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp=,
467
+ OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key=,
468
+ OpenSSL::PKey::DH#p=, #g=, #priv_key= and #pub_key= are deprecated. They are
469
+ disabled when built with OpenSSL 1.1.0, due to its API change. Instead,
470
+ OpenSSL::PKey::RSA#set_key, #set_factors, #set_crt_params,
471
+ OpenSSL::PKey::DSA#set_pqg, #set_key, OpenSSL::PKey::DH#set_pqg and #set_key
472
+ are added.
473
+
474
+ * OpenSSL::Random
475
+
476
+ - OpenSSL::Random.pseudo_bytes is deprecated, and not defined when built with
477
+ OpenSSL 1.1.0. Use OpenSSL::Random.random_bytes instead.
478
+
479
+ * OpenSSL::SSL
480
+
481
+ - OpenSSL::SSL::SSLContext#tmp_ecdh_callback is deprecated, as the underlying
482
+ API SSL_CTX_set_tmp_ecdh_callback() is removed in OpenSSL 1.1.0. It was
483
+ first added in Ruby 2.3.0. To specify the curve to be used in ephemeral
484
+ ECDH, use OpenSSL::SSL::SSLContext#ecdh_curves=. The automatic curve
485
+ selection is also now enabled by default when built with a capable OpenSSL.