openssl-custom 2.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/BSDL +22 -0
- data/CONTRIBUTING.md +132 -0
- data/History.md +485 -0
- data/LICENSE.txt +56 -0
- data/README.md +66 -0
- data/ext/openssl/extconf.rb +190 -0
- data/ext/openssl/openssl_missing.c +106 -0
- data/ext/openssl/openssl_missing.h +257 -0
- data/ext/openssl/ossl.c +1282 -0
- data/ext/openssl/ossl.h +181 -0
- data/ext/openssl/ossl_asn1.c +1878 -0
- data/ext/openssl/ossl_asn1.h +62 -0
- data/ext/openssl/ossl_bio.c +42 -0
- data/ext/openssl/ossl_bio.h +16 -0
- data/ext/openssl/ossl_bn.c +1270 -0
- data/ext/openssl/ossl_bn.h +26 -0
- data/ext/openssl/ossl_cipher.c +1075 -0
- data/ext/openssl/ossl_cipher.h +20 -0
- data/ext/openssl/ossl_config.c +89 -0
- data/ext/openssl/ossl_config.h +19 -0
- data/ext/openssl/ossl_digest.c +425 -0
- data/ext/openssl/ossl_digest.h +20 -0
- data/ext/openssl/ossl_engine.c +567 -0
- data/ext/openssl/ossl_engine.h +19 -0
- data/ext/openssl/ossl_hmac.c +389 -0
- data/ext/openssl/ossl_hmac.h +18 -0
- data/ext/openssl/ossl_kdf.c +303 -0
- data/ext/openssl/ossl_kdf.h +6 -0
- data/ext/openssl/ossl_ns_spki.c +405 -0
- data/ext/openssl/ossl_ns_spki.h +19 -0
- data/ext/openssl/ossl_ocsp.c +2013 -0
- data/ext/openssl/ossl_ocsp.h +23 -0
- data/ext/openssl/ossl_pkcs12.c +257 -0
- data/ext/openssl/ossl_pkcs12.h +13 -0
- data/ext/openssl/ossl_pkcs7.c +1098 -0
- data/ext/openssl/ossl_pkcs7.h +36 -0
- data/ext/openssl/ossl_pkey.c +673 -0
- data/ext/openssl/ossl_pkey.h +241 -0
- data/ext/openssl/ossl_pkey_dh.c +650 -0
- data/ext/openssl/ossl_pkey_dsa.c +664 -0
- data/ext/openssl/ossl_pkey_ec.c +1827 -0
- data/ext/openssl/ossl_pkey_rsa.c +966 -0
- data/ext/openssl/ossl_rand.c +200 -0
- data/ext/openssl/ossl_rand.h +18 -0
- data/ext/openssl/ossl_ssl.c +3080 -0
- data/ext/openssl/ossl_ssl.h +36 -0
- data/ext/openssl/ossl_ssl_session.c +332 -0
- data/ext/openssl/ossl_ts.c +1524 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +262 -0
- data/ext/openssl/ossl_x509.h +115 -0
- data/ext/openssl/ossl_x509attr.c +324 -0
- data/ext/openssl/ossl_x509cert.c +846 -0
- data/ext/openssl/ossl_x509crl.c +542 -0
- data/ext/openssl/ossl_x509ext.c +491 -0
- data/ext/openssl/ossl_x509name.c +590 -0
- data/ext/openssl/ossl_x509req.c +441 -0
- data/ext/openssl/ossl_x509revoked.c +300 -0
- data/ext/openssl/ossl_x509store.c +902 -0
- data/ext/openssl/ruby_missing.h +24 -0
- data/lib/openssl/bn.rb +40 -0
- data/lib/openssl/buffering.rb +478 -0
- data/lib/openssl/cipher.rb +67 -0
- data/lib/openssl/config.rb +501 -0
- data/lib/openssl/digest.rb +73 -0
- data/lib/openssl/hmac.rb +13 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +22 -0
- data/lib/openssl/pkey.rb +42 -0
- data/lib/openssl/ssl.rb +542 -0
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +369 -0
- data/lib/openssl.rb +38 -0
- metadata +196 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: a04ec81f313c5f606922d81938d8f3303e7cc3b40e8d4320689b9e67d3478c47
|
4
|
+
data.tar.gz: 327338b3a80ce8b17201348a60da763db4503674a195f83afdcfb7923eac409c
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 815753d2248d5ee3f164ca526d73c31e7b2cdf356ede8bb9d57f9c39c715f44052cd223ed54ef28f5b7a9c3520c01bb6bf756ad088ea6e4c4e50f5903a4d7b27
|
7
|
+
data.tar.gz: 33abff1e75462a949525d0ef8f5dd9fc0cbd5ce9c9421d2924b2b5e4e3687c595d9d151a3c7b4fe926ab723dc251d3da403e4f1dff5bc6e9f0e74a55a0399f0e
|
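Review bot: the SHA256 and SHA512 entries for `metadata.gz` and `data.tar.gz` are stored inside the same package they describe, so they catch accidental corruption but give no assurance about who produced the archive. Anyone vetting this release should compare the digest of the downloaded `.gem` file against the value the registry publishes rather than rely on this file.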
data/BSDL
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
|
2
|
+
|
3
|
+
Redistribution and use in source and binary forms, with or without
|
4
|
+
modification, are permitted provided that the following conditions
|
5
|
+
are met:
|
6
|
+
1. Redistributions of source code must retain the above copyright
|
7
|
+
notice, this list of conditions and the following disclaimer.
|
8
|
+
2. Redistributions in binary form must reproduce the above copyright
|
9
|
+
notice, this list of conditions and the following disclaimer in the
|
10
|
+
documentation and/or other materials provided with the distribution.
|
11
|
+
|
12
|
+
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
13
|
+
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
14
|
+
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
15
|
+
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
16
|
+
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
17
|
+
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
18
|
+
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
19
|
+
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
20
|
+
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
21
|
+
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
22
|
+
SUCH DAMAGE.
|
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,132 @@
|
|
1
|
+
# Contributing to Ruby OpenSSL
|
2
|
+
|
3
|
+
Thank you for your interest in contributing to Ruby OpenSSL!
|
4
|
+
|
5
|
+
This documentation provides an overview how you can contribute.
|
6
|
+
|
7
|
+
## Bugs and feature requests
|
8
|
+
|
9
|
+
Bugs and feature requests are tracked on [GitHub].
|
10
|
+
|
11
|
+
If you think you found a bug, file a ticket on GitHub. Please DO NOT report
|
12
|
+
security issues here, there is a separate procedure which is described on
|
13
|
+
["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
|
14
|
+
|
15
|
+
When reporting a bug, please make sure you include:
|
16
|
+
* Ruby version
|
17
|
+
* OpenSSL gem version
|
18
|
+
* OpenSSL library version
|
19
|
+
* A sample file that illustrates the problem or link to the repository or
|
20
|
+
gem that is associated with the bug.
|
21
|
+
|
22
|
+
There are a number of unresolved issues and feature requests for openssl that
|
23
|
+
need review. Before submitting a new ticket, it is recommended to check
|
24
|
+
[known issues] and [bugs.ruby-lang.org], the previous issue tracker.
|
25
|
+
|
26
|
+
## Submitting patches
|
27
|
+
|
28
|
+
Patches are also very welcome!
|
29
|
+
|
30
|
+
Please submit a [pull request] with your changes.
|
31
|
+
|
32
|
+
Make sure that your branch does:
|
33
|
+
|
34
|
+
* Have good commit messages
|
35
|
+
* Follow Ruby's coding style ([DeveloperHowTo])
|
36
|
+
* Pass the test suite successfully (see "Testing")
|
37
|
+
* Add an entry to [History.md] if necessary
|
38
|
+
|
39
|
+
## Testing
|
40
|
+
|
41
|
+
We have a test suite!
|
42
|
+
|
43
|
+
Test cases are located under the
|
44
|
+
[`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
|
45
|
+
|
46
|
+
You can run it with the following three commands:
|
47
|
+
|
48
|
+
```
|
49
|
+
$ rake install_dependencies # installs rake-compiler, test-unit, ...
|
50
|
+
$ rake compile
|
51
|
+
$ rake test
|
52
|
+
```
|
53
|
+
|
54
|
+
### Docker
|
55
|
+
|
56
|
+
You can also use Docker Compose to run tests. It can be used to check that your
|
57
|
+
changes work correctly with various supported versions of Ruby and OpenSSL.
|
58
|
+
|
59
|
+
First, you need to install [Docker](https://www.docker.com/products/docker) and
|
60
|
+
[Docker Compose](https://www.docker.com/products/docker-compose) on your
|
61
|
+
computer.
|
62
|
+
|
63
|
+
If you're on MacOS or Windows, we recommended to use the official [Docker
|
64
|
+
Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
|
65
|
+
instructions for your package manager. For further information, please check
|
66
|
+
the [official documentation](https://docs.docker.com/).
|
67
|
+
|
68
|
+
Once you have Docker and Docker Compose, running the following commands will
|
69
|
+
build the container and execute the openssl tests. In this example, we will use
|
70
|
+
Ruby version 2.3 with OpenSSL version 1.0.2.
|
71
|
+
|
72
|
+
```
|
73
|
+
$ docker-compose build
|
74
|
+
$ export RUBY_VERSION=ruby-2.3
|
75
|
+
$ export OPENSSL_VERSION=openssl-1.0.2
|
76
|
+
$ docker-compose run test
|
77
|
+
|
78
|
+
# You may want an interactive shell for dubugging
|
79
|
+
$ docker-compose run debug
|
80
|
+
```
|
81
|
+
|
82
|
+
All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
|
83
|
+
[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
|
84
|
+
|
85
|
+
**NOTE**: these commands must be run from the openssl repository root, in order
|
86
|
+
to use the
|
87
|
+
[`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
|
88
|
+
file we have provided.
|
89
|
+
|
90
|
+
This Docker image is built using the
|
91
|
+
[Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
|
92
|
+
provided in the repository.
|
93
|
+
|
94
|
+
|
95
|
+
## Relation with Ruby source tree
|
96
|
+
|
97
|
+
After Ruby 2.3, `ext/openssl` was converted into a "default gem", a library
|
98
|
+
which ships with standard Ruby builds but can be upgraded via RubyGems. This
|
99
|
+
means the development of this gem has migrated to a [separate
|
100
|
+
repository][GitHub] and will be released independently.
|
101
|
+
|
102
|
+
The version included in the Ruby source tree (trunk branch) is synchronized with
|
103
|
+
the latest release.
|
104
|
+
|
105
|
+
## Release policy
|
106
|
+
|
107
|
+
Bug fixes (including security fixes) will be made only for the version series
|
108
|
+
included in a stable Ruby release.
|
109
|
+
|
110
|
+
## Security
|
111
|
+
|
112
|
+
If you discovered a security issue, please send us in private, using the
|
113
|
+
security issue handling procedure for Ruby core.
|
114
|
+
|
115
|
+
You can either use [HackerOne] or send an email to security@ruby-lang.org.
|
116
|
+
|
117
|
+
Please see [Security] page on ruby-lang.org website for details.
|
118
|
+
|
119
|
+
Reported problems will be published after a fix is released.
|
120
|
+
|
121
|
+
_Thanks for your contributions!_
|
122
|
+
|
123
|
+
_\- The Ruby OpenSSL team_
|
124
|
+
|
125
|
+
[GitHub]: https://github.com/ruby/openssl
|
126
|
+
[known issues]: https://github.com/ruby/openssl/issues
|
127
|
+
[bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
|
128
|
+
[DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
|
129
|
+
[HackerOne]: https://hackerone.com/ruby
|
130
|
+
[Security]: https://www.ruby-lang.org/en/security/
|
131
|
+
[pull request]: https://github.com/ruby/openssl/compare
|
132
|
+
[History.md]: https://github.com/ruby/openssl/tree/master/History.md
|
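Review bot: the package is published as openssl-custom, yet this file is titled "Contributing to Ruby OpenSSL" and every link and contact in it (github.com/ruby/openssl, HackerOne, security@ruby-lang.org) belongs to the upstream Ruby OpenSSL project, so bug and security reports about this package would be routed to upstream rather than to whoever publishes it. State who maintains openssl-custom and where issues in it should be reported, or say explicitly that the file is carried over unchanged from upstream. Minor: "dubugging" at line 78 of the file should read "debugging", and "we recommended to use" at line 63 should read "we recommend using".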
data/History.md
ADDED
@@ -0,0 +1,485 @@
|
|
1
|
+
Version 2.2.2
|
2
|
+
=============
|
3
|
+
|
4
|
+
Merged changes in 2.1.4.
|
5
|
+
|
6
|
+
|
7
|
+
Version 2.2.1
|
8
|
+
=============
|
9
|
+
|
10
|
+
Merged changes in 2.1.3. Additionally, the following issues are fixed by this
|
11
|
+
release.
|
12
|
+
|
13
|
+
Bug fixes
|
14
|
+
---------
|
15
|
+
|
16
|
+
* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
|
17
|
+
invalid arguments are given.
|
18
|
+
[[GitHub #407]](https://github.com/ruby/openssl/pull/407)
|
19
|
+
* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
|
20
|
+
where `time_t` has a different size from `long`.
|
21
|
+
[[GitHub #454]](https://github.com/ruby/openssl/pull/454)
|
22
|
+
|
23
|
+
|
24
|
+
Version 2.2.0
|
25
|
+
=============
|
26
|
+
|
27
|
+
Compatibility notes
|
28
|
+
-------------------
|
29
|
+
|
30
|
+
* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
|
31
|
+
* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
|
32
|
+
[[GitHub #266]](https://github.com/ruby/openssl/pull/266)
|
33
|
+
* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
|
34
|
+
[[GitHub #322]](https://github.com/ruby/openssl/pull/322)
|
35
|
+
|
36
|
+
|
37
|
+
Notable changes
|
38
|
+
---------------
|
39
|
+
|
40
|
+
* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
|
41
|
+
5 to `Socket::SOMAXCONN`.
|
42
|
+
[[GitHub #286]](https://github.com/ruby/openssl/issues/286)
|
43
|
+
* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
|
44
|
+
[[GitHub #284]](https://github.com/ruby/openssl/pull/284)
|
45
|
+
* Add support for SHA3 and BLAKE digests.
|
46
|
+
[[GitHub #282]](https://github.com/ruby/openssl/pull/282)
|
47
|
+
* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
|
48
|
+
returning an `OpenSSL::SSL::SSLSocket` for it.
|
49
|
+
[[GitHub #225]](https://github.com/ruby/openssl/issues/225)
|
50
|
+
* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
|
51
|
+
[[GitHub #281]](https://github.com/ruby/openssl/pull/281)
|
52
|
+
[[GitHub #363]](https://github.com/ruby/openssl/pull/363)
|
53
|
+
* Add `OpenSSL.secure_compare` for timing safe string comparison for
|
54
|
+
strings of possibly unequal length.
|
55
|
+
[[GitHub #280]](https://github.com/ruby/openssl/pull/280)
|
56
|
+
* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
|
57
|
+
comparison for strings of equal length.
|
58
|
+
[[GitHub #269]](https://github.com/ruby/openssl/pull/269)
|
59
|
+
* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
|
60
|
+
for last finished message sent and received.
|
61
|
+
[[GitHub #250]](https://github.com/ruby/openssl/pull/250)
|
62
|
+
* Add `OpenSSL::Timestamp` module for handing timestamp requests and
|
63
|
+
responses.
|
64
|
+
[[GitHub #204]](https://github.com/ruby/openssl/pull/204)
|
65
|
+
* Add helper methods for `OpenSSL::X509::Certificate`:
|
66
|
+
`find_extension`, `subject_key_identifier`,
|
67
|
+
`authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
|
68
|
+
`ocsp_uris`, and for `OpenSSL::X509::CRL`:
|
69
|
+
`find_extension` and `subject_key_identifier`.
|
70
|
+
[[GitHub #260]](https://github.com/ruby/openssl/pull/260)
|
71
|
+
[[GitHub #275]](https://github.com/ruby/openssl/pull/275)
|
72
|
+
[[GitHub #293]](https://github.com/ruby/openssl/pull/293)
|
73
|
+
* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
|
74
|
+
[[GitHub #261]](https://github.com/ruby/openssl/pull/261)
|
75
|
+
* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
|
76
|
+
`crt_params` to do proper private key serialization.
|
77
|
+
[[GitHub #258]](https://github.com/ruby/openssl/pull/258)
|
78
|
+
* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
|
79
|
+
underlying socket file descriptor number.
|
80
|
+
[[GitHub #247]](https://github.com/ruby/openssl/pull/247)
|
81
|
+
* Support client certificates with TLS 1.3, and support post-handshake
|
82
|
+
authentication with OpenSSL 1.1.1+.
|
83
|
+
[[GitHub #239]](https://github.com/ruby/openssl/pull/239)
|
84
|
+
* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
|
85
|
+
* Add `OpenSSL::X509::Extension#value_der` for the raw value of
|
86
|
+
the extension.
|
87
|
+
[[GitHub #234]](https://github.com/ruby/openssl/pull/234)
|
88
|
+
* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
|
89
|
+
[[GitHub #212]](https://github.com/ruby/openssl/pull/212)
|
90
|
+
* Ensure all valid IPv6 addresses are considered valid as elements
|
91
|
+
of subjectAlternativeName in certificates.
|
92
|
+
[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
|
93
|
+
* Allow recipient's certificate to be omitted in PCKS7#decrypt.
|
94
|
+
[[GitHub #183]](https://github.com/ruby/openssl/pull/183)
|
95
|
+
* Add support for reading keys in PKCS #8 format and export via instance methods
|
96
|
+
added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
|
97
|
+
`public_to_der` and `public_to_pem`.
|
98
|
+
[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
|
99
|
+
|
100
|
+
|
101
|
+
Version 2.1.4
|
102
|
+
=============
|
103
|
+
|
104
|
+
Bug fixes
|
105
|
+
---------
|
106
|
+
|
107
|
+
* Do not use pkg-config if --with-openssl-dir option is specified.
|
108
|
+
[[GitHub #486]](https://github.com/ruby/openssl/pull/486)
|
109
|
+
|
110
|
+
|
111
|
+
Version 2.1.3
|
112
|
+
=============
|
113
|
+
|
114
|
+
Bug fixes
|
115
|
+
---------
|
116
|
+
|
117
|
+
* Fix deprecation warnings on Ruby 3.0.
|
118
|
+
* Add ".include" directive support in `OpenSSL::Config`.
|
119
|
+
[[GitHub #216]](https://github.com/ruby/openssl/pull/216)
|
120
|
+
* Fix handling of IPv6 address SANs.
|
121
|
+
[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
|
122
|
+
* Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
|
123
|
+
sets a proper error code.
|
124
|
+
[[GitHub #350]](https://github.com/ruby/openssl/pull/350)
|
125
|
+
* Fix crash with `OpenSSL::BN.new(nil, 2)`.
|
126
|
+
[[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
|
127
|
+
* `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
|
128
|
+
being modified by another thread.
|
129
|
+
[[GitHub #453]](https://github.com/ruby/openssl/pull/453)
|
130
|
+
* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
|
131
|
+
for output.
|
132
|
+
* Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
|
133
|
+
[[GitHub #460]](https://github.com/ruby/openssl/pull/460)
|
134
|
+
* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
|
135
|
+
newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
|
136
|
+
OpenSSL 3.0 API.
|
137
|
+
[[GitHub #458]](https://github.com/ruby/openssl/pull/458)
|
138
|
+
* Activate `digest` gem correctly. `digest` library could go into an
|
139
|
+
inconsistent state if there are multiple versions of `digest` is installed
|
140
|
+
and `openssl` is `require`d before `digest`.
|
141
|
+
[[GitHub #463]](https://github.com/ruby/openssl/pull/463)
|
142
|
+
* Fix GC.compact compatibility.
|
143
|
+
[[GitHub #464]](https://github.com/ruby/openssl/issues/464)
|
144
|
+
[[GitHub #465]](https://github.com/ruby/openssl/pull/465)
|
145
|
+
|
146
|
+
|
147
|
+
Version 2.1.2
|
148
|
+
=============
|
149
|
+
|
150
|
+
Merged changes in 2.0.9.
|
151
|
+
|
152
|
+
|
153
|
+
Version 2.1.1
|
154
|
+
=============
|
155
|
+
|
156
|
+
Merged changes in 2.0.8.
|
157
|
+
|
158
|
+
|
159
|
+
Version 2.1.0
|
160
|
+
=============
|
161
|
+
|
162
|
+
Notable changes
|
163
|
+
---------------
|
164
|
+
|
165
|
+
* Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5
|
166
|
+
is removed.
|
167
|
+
[[GitHub #86]](https://github.com/ruby/openssl/pull/86)
|
168
|
+
* OpenSSL::BN#negative?, #+@, and #-@ are added.
|
169
|
+
* OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
|
170
|
+
certificate verification fails.
|
171
|
+
[[GitHub #99]](https://github.com/ruby/openssl/pull/99)
|
172
|
+
* OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved
|
173
|
+
from OpenSSL::PKCS5, scrypt and HKDF are supported.
|
174
|
+
[[GitHub #109]](https://github.com/ruby/openssl/pull/109)
|
175
|
+
[[GitHub #173]](https://github.com/ruby/openssl/pull/173)
|
176
|
+
* OpenSSL.fips_mode is added. We had the setter, but not the getter.
|
177
|
+
[[GitHub #125]](https://github.com/ruby/openssl/pull/125)
|
178
|
+
* OpenSSL::OCSP::Request#signed? is added.
|
179
|
+
* OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
|
180
|
+
no longer wrongly treats the end-of-contents octets as part of the content.
|
181
|
+
OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length.
|
182
|
+
[[GitHub #98]](https://github.com/ruby/openssl/pull/98)
|
183
|
+
* OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
|
184
|
+
'loc' and 'set'.
|
185
|
+
[[GitHub #94]](https://github.com/ruby/openssl/issues/94)
|
186
|
+
* OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace
|
187
|
+
#ssl_version= that was built on top of the deprecated OpenSSL C API. Use of
|
188
|
+
that method and the constant OpenSSL::SSL::SSLContext::METHODS is now
|
189
|
+
deprecated.
|
190
|
+
[[GitHub #142]](https://github.com/ruby/openssl/pull/142)
|
191
|
+
* OpenSSL::X509::Name#to_utf8 is added.
|
192
|
+
[[GitHub #26]](https://github.com/ruby/openssl/issues/26)
|
193
|
+
[[GitHub #143]](https://github.com/ruby/openssl/pull/143)
|
194
|
+
* OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be
|
195
|
+
compared with == operator.
|
196
|
+
[[GitHub #161]](https://github.com/ruby/openssl/pull/161)
|
197
|
+
* TLS Fallback Signaling Cipher Suite Value (SCSV) support is added.
|
198
|
+
[[GitHub #165]](https://github.com/ruby/openssl/pull/165)
|
199
|
+
* Build failure with OpenSSL 1.1 built with no-deprecated is fixed.
|
200
|
+
[[GitHub #160]](https://github.com/ruby/openssl/pull/160)
|
201
|
+
* OpenSSL::Buffering#write accepts an arbitrary number of arguments.
|
202
|
+
[[Feature #9323]](https://bugs.ruby-lang.org/issues/9323)
|
203
|
+
[[GitHub #162]](https://github.com/ruby/openssl/pull/162)
|
204
|
+
* OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS
|
205
|
+
signature and verification.
|
206
|
+
[[GitHub #75]](https://github.com/ruby/openssl/issues/75)
|
207
|
+
[[GitHub #76]](https://github.com/ruby/openssl/pull/76)
|
208
|
+
[[GitHub #169]](https://github.com/ruby/openssl/pull/169)
|
209
|
+
* OpenSSL::SSL::SSLContext#add_certificate is added.
|
210
|
+
[[GitHub #167]](https://github.com/ruby/openssl/pull/167)
|
211
|
+
* OpenSSL::PKey::EC::Point#to_octet_string is added.
|
212
|
+
OpenSSL::PKey::EC::Point.new can now take String as the second argument.
|
213
|
+
[[GitHub #177]](https://github.com/ruby/openssl/pull/177)
|
214
|
+
|
215
|
+
|
216
|
+
Version 2.0.9
|
217
|
+
=============
|
218
|
+
|
219
|
+
Security fixes
|
220
|
+
--------------
|
221
|
+
|
222
|
+
* OpenSSL::X509::Name#<=> could incorrectly return 0 (= equal) for non-equal
|
223
|
+
objects. CVE-2018-16395 is assigned for this issue.
|
224
|
+
https://hackerone.com/reports/387250
|
225
|
+
|
226
|
+
Bug fixes
|
227
|
+
---------
|
228
|
+
|
229
|
+
* Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
|
230
|
+
interrupted.
|
231
|
+
[[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
|
232
|
+
[[GitHub #205]](https://github.com/ruby/openssl/pull/205)
|
233
|
+
* Fixed OpenSSL::X509::Name#to_s failing with OpenSSL::X509::NameError if
|
234
|
+
called against an empty instance.
|
235
|
+
[[GitHub #200]](https://github.com/ruby/openssl/issues/200)
|
236
|
+
[[GitHub #211]](https://github.com/ruby/openssl/pull/211)
|
237
|
+
|
238
|
+
|
239
|
+
Version 2.0.8
|
240
|
+
=============
|
241
|
+
|
242
|
+
Bug fixes
|
243
|
+
---------
|
244
|
+
|
245
|
+
* OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration
|
246
|
+
count is given.
|
247
|
+
[[GitHub #184]](https://github.com/ruby/openssl/pull/184)
|
248
|
+
* Fixed build with LibreSSL 2.7.
|
249
|
+
[[GitHub #192]](https://github.com/ruby/openssl/issues/192)
|
250
|
+
[[GitHub #193]](https://github.com/ruby/openssl/pull/193)
|
251
|
+
|
252
|
+
|
253
|
+
Version 2.0.7
|
254
|
+
=============
|
255
|
+
|
256
|
+
Bug fixes
|
257
|
+
---------
|
258
|
+
|
259
|
+
* OpenSSL::Cipher#auth_data= could segfault if called against a non-AEAD cipher.
|
260
|
+
[[Bug #14024]](https://bugs.ruby-lang.org/issues/14024)
|
261
|
+
* OpenSSL::X509::Certificate#public_key= (and similar methods) could segfault
|
262
|
+
when an instance of OpenSSL::PKey::PKey with no public key components is
|
263
|
+
passed.
|
264
|
+
[[Bug #14087]](https://bugs.ruby-lang.org/issues/14087)
|
265
|
+
[[GitHub #168]](https://github.com/ruby/openssl/pull/168)
|
266
|
+
|
267
|
+
|
268
|
+
Version 2.0.6
|
269
|
+
=============
|
270
|
+
|
271
|
+
Bug fixes
|
272
|
+
---------
|
273
|
+
|
274
|
+
* The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
|
275
|
+
during GC.
|
276
|
+
* A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
|
277
|
+
[[GitHub #139]](https://github.com/ruby/openssl/pull/139)
|
278
|
+
* OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
|
279
|
+
[[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
|
280
|
+
* OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
|
281
|
+
destination buffer String to 0 on error.
|
282
|
+
[[GitHub #153]](https://github.com/ruby/openssl/pull/153)
|
283
|
+
* Possible deadlock is fixed. This happened only when built with older versions
|
284
|
+
of OpenSSL (before 1.1.0) or LibreSSL.
|
285
|
+
[[GitHub #155]](https://github.com/ruby/openssl/pull/155)
|
286
|
+
|
287
|
+
|
288
|
+
Version 2.0.5
|
289
|
+
=============
|
290
|
+
|
291
|
+
Bug fixes
|
292
|
+
---------
|
293
|
+
|
294
|
+
* Reading a PEM/DER-encoded private key or certificate from an IO object did
|
295
|
+
not work properly on mswin platforms.
|
296
|
+
[[ruby/openssl#128]](https://github.com/ruby/openssl/issues/128)
|
297
|
+
* Broken length check in the PEM passphrase callback is fixed.
|
298
|
+
* It failed to compile when OpenSSL is configured without TLS 1.0 support.
|
299
|
+
|
300
|
+
|
301
|
+
Version 2.0.4
|
302
|
+
=============
|
303
|
+
|
304
|
+
Bug fixes
|
305
|
+
---------
|
306
|
+
|
307
|
+
* It now compiles with LibreSSL without renaming on Windows (mswin).
|
308
|
+
* A workaround for the error queue leak of X509_load_cert_crl_file() that
|
309
|
+
causes random errors is added.
|
310
|
+
[[Bug #11033]](https://bugs.ruby-lang.org/issues/11033)
|
311
|
+
|
312
|
+
|
313
|
+
Version 2.0.3
|
314
|
+
=============
|
315
|
+
|
316
|
+
Bug fixes
|
317
|
+
---------
|
318
|
+
|
319
|
+
* OpenSSL::ASN1::Constructive#each which was broken by 2.0.0 is fixed.
|
320
|
+
[[ruby/openssl#96]](https://github.com/ruby/openssl/pull/96)
|
321
|
+
* Fixed build with static OpenSSL libraries on Windows.
|
322
|
+
[[Bug #13080]](https://bugs.ruby-lang.org/issues/13080)
|
323
|
+
* OpenSSL::X509::Name#eql? which was broken by 2.0.0 is fixed.
|
324
|
+
|
325
|
+
|
326
|
+
Version 2.0.2
|
327
|
+
=============
|
328
|
+
|
329
|
+
Bug fixes
|
330
|
+
---------
|
331
|
+
|
332
|
+
* Fix build with early 0.9.8 series which did not have SSL_CTX_clear_options().
|
333
|
+
[ruby-core:78693]
|
334
|
+
|
335
|
+
|
336
|
+
Version 2.0.1
|
337
|
+
=============
|
338
|
+
|
339
|
+
Bug fixes
|
340
|
+
---------
|
341
|
+
|
342
|
+
* A GC issue around OpenSSL::BN is fixed.
|
343
|
+
[[ruby/openssl#87]](https://github.com/ruby/openssl/issues/87)
|
344
|
+
* OpenSSL::ASN1 now parses BER encoding of GeneralizedTime without seconds.
|
345
|
+
[[ruby/openssl#88]](https://github.com/ruby/openssl/pull/88)
|
346
|
+
|
347
|
+
|
348
|
+
Version 2.0.0
|
349
|
+
=============
|
350
|
+
|
351
|
+
This is the first release of openssl gem, formerly a standard library of Ruby,
|
352
|
+
ext/openssl. This is the successor of the version included in Ruby 2.3.
|
353
|
+
|
354
|
+
Compatibility notes
|
355
|
+
-------------------
|
356
|
+
|
357
|
+
* Support for OpenSSL version 0.9.6 and 0.9.7 is completely removed. openssl gem
|
358
|
+
still works with OpenSSL 0.9.8, but users are strongly encouraged to upgrade
|
359
|
+
to at least 1.0.1, as OpenSSL < 1.0.1 will not receive any security fixes from
|
360
|
+
the OpenSSL development team.
|
361
|
+
|
362
|
+
Supported platforms
|
363
|
+
-------------------
|
364
|
+
|
365
|
+
* OpenSSL 1.0.0, 1.0.1, 1.0.2, 1.1.0
|
366
|
+
* OpenSSL < 0.9.8 is no longer supported.
|
367
|
+
* LibreSSL 2.3, 2.4, 2.5
|
368
|
+
* Ruby 2.3, 2.4
|
369
|
+
|
370
|
+
Notable changes
|
371
|
+
---------------
|
372
|
+
|
373
|
+
* Add support for OpenSSL 1.1.0.
|
374
|
+
[[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
|
375
|
+
* Add support for LibreSSL
|
376
|
+
|
377
|
+
* OpenSSL::Cipher
|
378
|
+
|
379
|
+
- OpenSSL::Cipher#key= and #iv= reject too long inputs. They used to truncate
|
380
|
+
silently. [[Bug #12561]](https://bugs.ruby-lang.org/issues/12561)
|
381
|
+
|
382
|
+
- OpenSSL::Cipher#iv_len= is added. It allows changing IV (nonce) length if
|
383
|
+
using AEAD ciphers.
|
384
|
+
[[Bug #8667]](https://bugs.ruby-lang.org/issues/8667),
|
385
|
+
[[Bug #10420]](https://bugs.ruby-lang.org/issues/10420),
|
386
|
+
[[GH ruby/ruby#569]](https://github.com/ruby/ruby/pull/569),
|
387
|
+
[[GH ruby/openssl#58]](https://github.com/ruby/openssl/pull/58)
|
388
|
+
|
389
|
+
- OpenSSL::Cipher#auth_tag_len= is added. This sets the authentication tag
|
390
|
+
length to be generated by an AEAD cipher.
|
391
|
+
|
392
|
+
* OpenSSL::OCSP
|
393
|
+
|
394
|
+
- Accessor methods are added to OpenSSL::OCSP::CertificateId.
|
395
|
+
[[Feature #7181]](https://bugs.ruby-lang.org/issues/7181)
|
396
|
+
|
397
|
+
- OpenSSL::OCSP::Request and BasicResponse can be signed with non-SHA-1 hash
|
398
|
+
algorithm. [[Feature #11552]](https://bugs.ruby-lang.org/issues/11552)
|
399
|
+
|
400
|
+
- OpenSSL::OCSP::CertificateId and BasicResponse can be encoded into DER.
|
401
|
+
|
402
|
+
- A new class OpenSSL::OCSP::SingleResponse is added for convenience.
|
403
|
+
|
404
|
+
- OpenSSL::OCSP::BasicResponse#add_status accepts absolute times. They used to
|
405
|
+
accept only relative seconds from the current time.
|
406
|
+
|
407
|
+
* OpenSSL::PKey
|
408
|
+
|
409
|
+
- OpenSSL::PKey::EC follows the general PKey interface.
|
410
|
+
[[Bug #6567]](https://bugs.ruby-lang.org/issues/6567)
|
411
|
+
|
412
|
+
- OpenSSL::PKey.read raises OpenSSL::PKey::PKeyError instead of ArgumentError
|
413
|
+
for consistency with OpenSSL::PKey::{DH,DSA,RSA,EC}#new.
|
414
|
+
[[Bug #11774]](https://bugs.ruby-lang.org/issues/11774),
|
415
|
+
[[GH ruby/openssl#55]](https://github.com/ruby/openssl/pull/55)
|
416
|
+
|
417
|
+
- OpenSSL::PKey::EC::Group retrieved by OpenSSL::PKey::EC#group is no longer
|
418
|
+
linked with the EC key. Modifications to the EC::Group have no effect on the
|
419
|
+
key. [[GH ruby/openssl#71]](https://github.com/ruby/openssl/pull/71)
|
420
|
+
|
421
|
+
- OpenSSL::PKey::EC::Point#to_bn allows specifying the point conversion form
|
422
|
+
by the optional argument.
|
423
|
+
|
424
|
+
* OpenSSL::SSL
|
425
|
+
|
426
|
+
- OpenSSL::SSL::SSLSocket#tmp_key is added. A client can call it after the
|
427
|
+
connection is established to retrieve the ephemeral key.
|
428
|
+
[[GH ruby/ruby#1318]](https://github.com/ruby/ruby/pull/1318)
|
429
|
+
|
430
|
+
- The automatic ephemeral ECDH curve selection is enabled by default when
|
431
|
+
built with OpenSSL >= 1.0.2 or LibreSSL.
|
432
|
+
|
433
|
+
- OpenSSL::SSL::SSLContext#security_level= is added. You can set the "security
|
434
|
+
level" of the SSL context. This is effective only when built with OpenSSL
|
435
|
+
1.1.0.
|
436
|
+
|
437
|
+
- A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
|
438
|
+
is enabled, and the SNI hostname is also set, the hostname verification on
|
439
|
+
the server certificate is automatically performed. It is now enabled by
|
440
|
+
OpenSSL::SSL::SSLContext#set_params.
|
441
|
+
[[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
|
442
|
+
|
443
|
+
Removals
|
444
|
+
--------
|
445
|
+
|
446
|
+
* OpenSSL::Engine
|
447
|
+
|
448
|
+
- OpenSSL::Engine.cleanup does nothing when built with OpenSSL 1.1.0.
|
449
|
+
|
450
|
+
* OpenSSL::SSL
|
451
|
+
|
452
|
+
- OpenSSL::PKey::DH::DEFAULT_512 is removed. Hence servers no longer use
|
453
|
+
512-bit DH group by default. It is considered too weak nowadays.
|
454
|
+
[[Bug #11968]](https://bugs.ruby-lang.org/issues/11968),
|
455
|
+
[[GH ruby/ruby#1196]](https://github.com/ruby/ruby/pull/1196)
|
456
|
+
|
457
|
+
- RC4 cipher suites are removed from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
|
458
|
+
RC4 is now considered to be weak.
|
459
|
+
[[GH ruby/openssl#50]](https://github.com/ruby/openssl/pull/50)
|
460
|
+
|
461
|
+
Deprecations
|
462
|
+
------------
|
463
|
+
|
464
|
+
* OpenSSL::PKey
|
465
|
+
|
466
|
+
- OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp=,
|
467
|
+
OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key=,
|
468
|
+
OpenSSL::PKey::DH#p=, #g=, #priv_key= and #pub_key= are deprecated. They are
|
469
|
+
disabled when built with OpenSSL 1.1.0, due to its API change. Instead,
|
470
|
+
OpenSSL::PKey::RSA#set_key, #set_factors, #set_crt_params,
|
471
|
+
OpenSSL::PKey::DSA#set_pqg, #set_key, OpenSSL::PKey::DH#set_pqg and #set_key
|
472
|
+
are added.
|
473
|
+
|
474
|
+
* OpenSSL::Random
|
475
|
+
|
476
|
+
- OpenSSL::Random.pseudo_bytes is deprecated, and not defined when built with
|
477
|
+
OpenSSL 1.1.0. Use OpenSSL::Random.random_bytes instead.
|
478
|
+
|
479
|
+
* OpenSSL::SSL
|
480
|
+
|
481
|
+
- OpenSSL::SSL::SSLContext#tmp_ecdh_callback is deprecated, as the underlying
|
482
|
+
API SSL_CTX_set_tmp_ecdh_callback() is removed in OpenSSL 1.1.0. It was
|
483
|
+
first added in Ruby 2.3.0. To specify the curve to be used in ephemeral
|
484
|
+
ECDH, use OpenSSL::SSL::SSLContext#ecdh_curves=. The automatic curve
|
485
|
+
selection is also now enabled by default when built with a capable OpenSSL.
|
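Review bot: the newest entry, "Version 2.2.2", says only "Merged changes in 2.1.4", and nothing in the 485 added lines describes what distinguishes openssl-custom from the Ruby OpenSSL releases this changelog documents. Add an entry at the top listing the changes specific to this package, so a reader knows what to audit beyond the upstream history. The 2.1.3 entry (lines 134-136 of the file) also states that v2.2.x will not support the OpenSSL 3.0 API, which anyone selecting this version should see up front. Minor typos: "handing" at line 62, "PCKS7" at line 93, "interger" at line 132.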