openssl-custom 2.2.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (75) hide show
  1. checksums.yaml +7 -0
  2. data/BSDL +22 -0
  3. data/CONTRIBUTING.md +132 -0
  4. data/History.md +485 -0
  5. data/LICENSE.txt +56 -0
  6. data/README.md +66 -0
  7. data/ext/openssl/extconf.rb +190 -0
  8. data/ext/openssl/openssl_missing.c +106 -0
  9. data/ext/openssl/openssl_missing.h +257 -0
  10. data/ext/openssl/ossl.c +1282 -0
  11. data/ext/openssl/ossl.h +181 -0
  12. data/ext/openssl/ossl_asn1.c +1878 -0
  13. data/ext/openssl/ossl_asn1.h +62 -0
  14. data/ext/openssl/ossl_bio.c +42 -0
  15. data/ext/openssl/ossl_bio.h +16 -0
  16. data/ext/openssl/ossl_bn.c +1270 -0
  17. data/ext/openssl/ossl_bn.h +26 -0
  18. data/ext/openssl/ossl_cipher.c +1075 -0
  19. data/ext/openssl/ossl_cipher.h +20 -0
  20. data/ext/openssl/ossl_config.c +89 -0
  21. data/ext/openssl/ossl_config.h +19 -0
  22. data/ext/openssl/ossl_digest.c +425 -0
  23. data/ext/openssl/ossl_digest.h +20 -0
  24. data/ext/openssl/ossl_engine.c +567 -0
  25. data/ext/openssl/ossl_engine.h +19 -0
  26. data/ext/openssl/ossl_hmac.c +389 -0
  27. data/ext/openssl/ossl_hmac.h +18 -0
  28. data/ext/openssl/ossl_kdf.c +303 -0
  29. data/ext/openssl/ossl_kdf.h +6 -0
  30. data/ext/openssl/ossl_ns_spki.c +405 -0
  31. data/ext/openssl/ossl_ns_spki.h +19 -0
  32. data/ext/openssl/ossl_ocsp.c +2013 -0
  33. data/ext/openssl/ossl_ocsp.h +23 -0
  34. data/ext/openssl/ossl_pkcs12.c +257 -0
  35. data/ext/openssl/ossl_pkcs12.h +13 -0
  36. data/ext/openssl/ossl_pkcs7.c +1098 -0
  37. data/ext/openssl/ossl_pkcs7.h +36 -0
  38. data/ext/openssl/ossl_pkey.c +673 -0
  39. data/ext/openssl/ossl_pkey.h +241 -0
  40. data/ext/openssl/ossl_pkey_dh.c +650 -0
  41. data/ext/openssl/ossl_pkey_dsa.c +664 -0
  42. data/ext/openssl/ossl_pkey_ec.c +1827 -0
  43. data/ext/openssl/ossl_pkey_rsa.c +966 -0
  44. data/ext/openssl/ossl_rand.c +200 -0
  45. data/ext/openssl/ossl_rand.h +18 -0
  46. data/ext/openssl/ossl_ssl.c +3080 -0
  47. data/ext/openssl/ossl_ssl.h +36 -0
  48. data/ext/openssl/ossl_ssl_session.c +332 -0
  49. data/ext/openssl/ossl_ts.c +1524 -0
  50. data/ext/openssl/ossl_ts.h +16 -0
  51. data/ext/openssl/ossl_x509.c +262 -0
  52. data/ext/openssl/ossl_x509.h +115 -0
  53. data/ext/openssl/ossl_x509attr.c +324 -0
  54. data/ext/openssl/ossl_x509cert.c +846 -0
  55. data/ext/openssl/ossl_x509crl.c +542 -0
  56. data/ext/openssl/ossl_x509ext.c +491 -0
  57. data/ext/openssl/ossl_x509name.c +590 -0
  58. data/ext/openssl/ossl_x509req.c +441 -0
  59. data/ext/openssl/ossl_x509revoked.c +300 -0
  60. data/ext/openssl/ossl_x509store.c +902 -0
  61. data/ext/openssl/ruby_missing.h +24 -0
  62. data/lib/openssl/bn.rb +40 -0
  63. data/lib/openssl/buffering.rb +478 -0
  64. data/lib/openssl/cipher.rb +67 -0
  65. data/lib/openssl/config.rb +501 -0
  66. data/lib/openssl/digest.rb +73 -0
  67. data/lib/openssl/hmac.rb +13 -0
  68. data/lib/openssl/marshal.rb +30 -0
  69. data/lib/openssl/pkcs5.rb +22 -0
  70. data/lib/openssl/pkey.rb +42 -0
  71. data/lib/openssl/ssl.rb +542 -0
  72. data/lib/openssl/version.rb +5 -0
  73. data/lib/openssl/x509.rb +369 -0
  74. data/lib/openssl.rb +38 -0
  75. metadata +196 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: a04ec81f313c5f606922d81938d8f3303e7cc3b40e8d4320689b9e67d3478c47
4
+ data.tar.gz: 327338b3a80ce8b17201348a60da763db4503674a195f83afdcfb7923eac409c
5
+ SHA512:
6
+ metadata.gz: 815753d2248d5ee3f164ca526d73c31e7b2cdf356ede8bb9d57f9c39c715f44052cd223ed54ef28f5b7a9c3520c01bb6bf756ad088ea6e4c4e50f5903a4d7b27
7
+ data.tar.gz: 33abff1e75462a949525d0ef8f5dd9fc0cbd5ce9c9421d2924b2b5e4e3687c595d9d151a3c7b4fe926ab723dc251d3da403e4f1dff5bc6e9f0e74a55a0399f0e
data/BSDL ADDED
@@ -0,0 +1,22 @@
1
+ Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
2
+
3
+ Redistribution and use in source and binary forms, with or without
4
+ modification, are permitted provided that the following conditions
5
+ are met:
6
+ 1. Redistributions of source code must retain the above copyright
7
+ notice, this list of conditions and the following disclaimer.
8
+ 2. Redistributions in binary form must reproduce the above copyright
9
+ notice, this list of conditions and the following disclaimer in the
10
+ documentation and/or other materials provided with the distribution.
11
+
12
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22
+ SUCH DAMAGE.
data/CONTRIBUTING.md ADDED
@@ -0,0 +1,132 @@
1
+ # Contributing to Ruby OpenSSL
2
+
3
+ Thank you for your interest in contributing to Ruby OpenSSL!
4
+
5
+ This documentation provides an overview how you can contribute.
6
+
7
+ ## Bugs and feature requests
8
+
9
+ Bugs and feature requests are tracked on [GitHub].
10
+
11
+ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
12
+ security issues here, there is a separate procedure which is described on
13
+ ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
14
+
15
+ When reporting a bug, please make sure you include:
16
+ * Ruby version
17
+ * OpenSSL gem version
18
+ * OpenSSL library version
19
+ * A sample file that illustrates the problem or link to the repository or
20
+ gem that is associated with the bug.
21
+
22
+ There are a number of unresolved issues and feature requests for openssl that
23
+ need review. Before submitting a new ticket, it is recommended to check
24
+ [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
25
+
26
+ ## Submitting patches
27
+
28
+ Patches are also very welcome!
29
+
30
+ Please submit a [pull request] with your changes.
31
+
32
+ Make sure that your branch does:
33
+
34
+ * Have good commit messages
35
+ * Follow Ruby's coding style ([DeveloperHowTo])
36
+ * Pass the test suite successfully (see "Testing")
37
+ * Add an entry to [History.md] if necessary
38
+
39
+ ## Testing
40
+
41
+ We have a test suite!
42
+
43
+ Test cases are located under the
44
+ [`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
45
+
46
+ You can run it with the following three commands:
47
+
48
+ ```
49
+ $ rake install_dependencies # installs rake-compiler, test-unit, ...
50
+ $ rake compile
51
+ $ rake test
52
+ ```
53
+
54
+ ### Docker
55
+
56
+ You can also use Docker Compose to run tests. It can be used to check that your
57
+ changes work correctly with various supported versions of Ruby and OpenSSL.
58
+
59
+ First, you need to install [Docker](https://www.docker.com/products/docker) and
60
+ [Docker Compose](https://www.docker.com/products/docker-compose) on your
61
+ computer.
62
+
63
+ If you're on MacOS or Windows, we recommended to use the official [Docker
64
+ Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
65
+ instructions for your package manager. For further information, please check
66
+ the [official documentation](https://docs.docker.com/).
67
+
68
+ Once you have Docker and Docker Compose, running the following commands will
69
+ build the container and execute the openssl tests. In this example, we will use
70
+ Ruby version 2.3 with OpenSSL version 1.0.2.
71
+
72
+ ```
73
+ $ docker-compose build
74
+ $ export RUBY_VERSION=ruby-2.3
75
+ $ export OPENSSL_VERSION=openssl-1.0.2
76
+ $ docker-compose run test
77
+
78
+ # You may want an interactive shell for dubugging
79
+ $ docker-compose run debug
80
+ ```
81
+
82
+ All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
83
+ [`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
84
+
85
+ **NOTE**: these commands must be run from the openssl repository root, in order
86
+ to use the
87
+ [`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
88
+ file we have provided.
89
+
90
+ This Docker image is built using the
91
+ [Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
92
+ provided in the repository.
93
+
94
+
95
+ ## Relation with Ruby source tree
96
+
97
+ After Ruby 2.3, `ext/openssl` was converted into a "default gem", a library
98
+ which ships with standard Ruby builds but can be upgraded via RubyGems. This
99
+ means the development of this gem has migrated to a [separate
100
+ repository][GitHub] and will be released independently.
101
+
102
+ The version included in the Ruby source tree (trunk branch) is synchronized with
103
+ the latest release.
104
+
105
+ ## Release policy
106
+
107
+ Bug fixes (including security fixes) will be made only for the version series
108
+ included in a stable Ruby release.
109
+
110
+ ## Security
111
+
112
+ If you discovered a security issue, please send us in private, using the
113
+ security issue handling procedure for Ruby core.
114
+
115
+ You can either use [HackerOne] or send an email to security@ruby-lang.org.
116
+
117
+ Please see [Security] page on ruby-lang.org website for details.
118
+
119
+ Reported problems will be published after a fix is released.
120
+
121
+ _Thanks for your contributions!_
122
+
123
+ _\- The Ruby OpenSSL team_
124
+
125
+ [GitHub]: https://github.com/ruby/openssl
126
+ [known issues]: https://github.com/ruby/openssl/issues
127
+ [bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
128
+ [DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
129
+ [HackerOne]: https://hackerone.com/ruby
130
+ [Security]: https://www.ruby-lang.org/en/security/
131
+ [pull request]: https://github.com/ruby/openssl/compare
132
+ [History.md]: https://github.com/ruby/openssl/tree/master/History.md
data/History.md ADDED
@@ -0,0 +1,485 @@
1
+ Version 2.2.2
2
+ =============
3
+
4
+ Merged changes in 2.1.4.
5
+
6
+
7
+ Version 2.2.1
8
+ =============
9
+
10
+ Merged changes in 2.1.3. Additionally, the following issues are fixed by this
11
+ release.
12
+
13
+ Bug fixes
14
+ ---------
15
+
16
+ * Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
17
+ invalid arguments are given.
18
+ [[GitHub #407]](https://github.com/ruby/openssl/pull/407)
19
+ * Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
20
+ where `time_t` has a different size from `long`.
21
+ [[GitHub #454]](https://github.com/ruby/openssl/pull/454)
22
+
23
+
24
+ Version 2.2.0
25
+ =============
26
+
27
+ Compatibility notes
28
+ -------------------
29
+
30
+ * Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
31
+ * Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
32
+ [[GitHub #266]](https://github.com/ruby/openssl/pull/266)
33
+ * Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
34
+ [[GitHub #322]](https://github.com/ruby/openssl/pull/322)
35
+
36
+
37
+ Notable changes
38
+ ---------------
39
+
40
+ * Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
41
+ 5 to `Socket::SOMAXCONN`.
42
+ [[GitHub #286]](https://github.com/ruby/openssl/issues/286)
43
+ * Make `OpenSSL::HMAC#==` use a timing safe string comparison.
44
+ [[GitHub #284]](https://github.com/ruby/openssl/pull/284)
45
+ * Add support for SHA3 and BLAKE digests.
46
+ [[GitHub #282]](https://github.com/ruby/openssl/pull/282)
47
+ * Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
48
+ returning an `OpenSSL::SSL::SSLSocket` for it.
49
+ [[GitHub #225]](https://github.com/ruby/openssl/issues/225)
50
+ * Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
51
+ [[GitHub #281]](https://github.com/ruby/openssl/pull/281)
52
+ [[GitHub #363]](https://github.com/ruby/openssl/pull/363)
53
+ * Add `OpenSSL.secure_compare` for timing safe string comparison for
54
+ strings of possibly unequal length.
55
+ [[GitHub #280]](https://github.com/ruby/openssl/pull/280)
56
+ * Add `OpenSSL.fixed_length_secure_compare` for timing safe string
57
+ comparison for strings of equal length.
58
+ [[GitHub #269]](https://github.com/ruby/openssl/pull/269)
59
+ * Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
60
+ for last finished message sent and received.
61
+ [[GitHub #250]](https://github.com/ruby/openssl/pull/250)
62
+ * Add `OpenSSL::Timestamp` module for handing timestamp requests and
63
+ responses.
64
+ [[GitHub #204]](https://github.com/ruby/openssl/pull/204)
65
+ * Add helper methods for `OpenSSL::X509::Certificate`:
66
+ `find_extension`, `subject_key_identifier`,
67
+ `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
68
+ `ocsp_uris`, and for `OpenSSL::X509::CRL`:
69
+ `find_extension` and `subject_key_identifier`.
70
+ [[GitHub #260]](https://github.com/ruby/openssl/pull/260)
71
+ [[GitHub #275]](https://github.com/ruby/openssl/pull/275)
72
+ [[GitHub #293]](https://github.com/ruby/openssl/pull/293)
73
+ * Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
74
+ [[GitHub #261]](https://github.com/ruby/openssl/pull/261)
75
+ * Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
76
+ `crt_params` to do proper private key serialization.
77
+ [[GitHub #258]](https://github.com/ruby/openssl/pull/258)
78
+ * Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
79
+ underlying socket file descriptor number.
80
+ [[GitHub #247]](https://github.com/ruby/openssl/pull/247)
81
+ * Support client certificates with TLS 1.3, and support post-handshake
82
+ authentication with OpenSSL 1.1.1+.
83
+ [[GitHub #239]](https://github.com/ruby/openssl/pull/239)
84
+ * Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
85
+ * Add `OpenSSL::X509::Extension#value_der` for the raw value of
86
+ the extension.
87
+ [[GitHub #234]](https://github.com/ruby/openssl/pull/234)
88
+ * Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
89
+ [[GitHub #212]](https://github.com/ruby/openssl/pull/212)
90
+ * Ensure all valid IPv6 addresses are considered valid as elements
91
+ of subjectAlternativeName in certificates.
92
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
93
+ * Allow recipient's certificate to be omitted in PCKS7#decrypt.
94
+ [[GitHub #183]](https://github.com/ruby/openssl/pull/183)
95
+ * Add support for reading keys in PKCS #8 format and export via instance methods
96
+ added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
97
+ `public_to_der` and `public_to_pem`.
98
+ [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
99
+
100
+
101
+ Version 2.1.4
102
+ =============
103
+
104
+ Bug fixes
105
+ ---------
106
+
107
+ * Do not use pkg-config if --with-openssl-dir option is specified.
108
+ [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
109
+
110
+
111
+ Version 2.1.3
112
+ =============
113
+
114
+ Bug fixes
115
+ ---------
116
+
117
+ * Fix deprecation warnings on Ruby 3.0.
118
+ * Add ".include" directive support in `OpenSSL::Config`.
119
+ [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
120
+ * Fix handling of IPv6 address SANs.
121
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
122
+ * Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
123
+ sets a proper error code.
124
+ [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
125
+ * Fix crash with `OpenSSL::BN.new(nil, 2)`.
126
+ [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
127
+ * `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
128
+ being modified by another thread.
129
+ [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
130
+ * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
131
+ for output.
132
+ * Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
133
+ [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
134
+ * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
135
+ newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
136
+ OpenSSL 3.0 API.
137
+ [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
138
+ * Activate `digest` gem correctly. `digest` library could go into an
139
+ inconsistent state if there are multiple versions of `digest` is installed
140
+ and `openssl` is `require`d before `digest`.
141
+ [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
142
+ * Fix GC.compact compatibility.
143
+ [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
144
+ [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
145
+
146
+
147
+ Version 2.1.2
148
+ =============
149
+
150
+ Merged changes in 2.0.9.
151
+
152
+
153
+ Version 2.1.1
154
+ =============
155
+
156
+ Merged changes in 2.0.8.
157
+
158
+
159
+ Version 2.1.0
160
+ =============
161
+
162
+ Notable changes
163
+ ---------------
164
+
165
+ * Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5
166
+ is removed.
167
+ [[GitHub #86]](https://github.com/ruby/openssl/pull/86)
168
+ * OpenSSL::BN#negative?, #+@, and #-@ are added.
169
+ * OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
170
+ certificate verification fails.
171
+ [[GitHub #99]](https://github.com/ruby/openssl/pull/99)
172
+ * OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved
173
+ from OpenSSL::PKCS5, scrypt and HKDF are supported.
174
+ [[GitHub #109]](https://github.com/ruby/openssl/pull/109)
175
+ [[GitHub #173]](https://github.com/ruby/openssl/pull/173)
176
+ * OpenSSL.fips_mode is added. We had the setter, but not the getter.
177
+ [[GitHub #125]](https://github.com/ruby/openssl/pull/125)
178
+ * OpenSSL::OCSP::Request#signed? is added.
179
+ * OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
180
+ no longer wrongly treats the end-of-contents octets as part of the content.
181
+ OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length.
182
+ [[GitHub #98]](https://github.com/ruby/openssl/pull/98)
183
+ * OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
184
+ 'loc' and 'set'.
185
+ [[GitHub #94]](https://github.com/ruby/openssl/issues/94)
186
+ * OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace
187
+ #ssl_version= that was built on top of the deprecated OpenSSL C API. Use of
188
+ that method and the constant OpenSSL::SSL::SSLContext::METHODS is now
189
+ deprecated.
190
+ [[GitHub #142]](https://github.com/ruby/openssl/pull/142)
191
+ * OpenSSL::X509::Name#to_utf8 is added.
192
+ [[GitHub #26]](https://github.com/ruby/openssl/issues/26)
193
+ [[GitHub #143]](https://github.com/ruby/openssl/pull/143)
194
+ * OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be
195
+ compared with == operator.
196
+ [[GitHub #161]](https://github.com/ruby/openssl/pull/161)
197
+ * TLS Fallback Signaling Cipher Suite Value (SCSV) support is added.
198
+ [[GitHub #165]](https://github.com/ruby/openssl/pull/165)
199
+ * Build failure with OpenSSL 1.1 built with no-deprecated is fixed.
200
+ [[GitHub #160]](https://github.com/ruby/openssl/pull/160)
201
+ * OpenSSL::Buffering#write accepts an arbitrary number of arguments.
202
+ [[Feature #9323]](https://bugs.ruby-lang.org/issues/9323)
203
+ [[GitHub #162]](https://github.com/ruby/openssl/pull/162)
204
+ * OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS
205
+ signature and verification.
206
+ [[GitHub #75]](https://github.com/ruby/openssl/issues/75)
207
+ [[GitHub #76]](https://github.com/ruby/openssl/pull/76)
208
+ [[GitHub #169]](https://github.com/ruby/openssl/pull/169)
209
+ * OpenSSL::SSL::SSLContext#add_certificate is added.
210
+ [[GitHub #167]](https://github.com/ruby/openssl/pull/167)
211
+ * OpenSSL::PKey::EC::Point#to_octet_string is added.
212
+ OpenSSL::PKey::EC::Point.new can now take String as the second argument.
213
+ [[GitHub #177]](https://github.com/ruby/openssl/pull/177)
214
+
215
+
216
+ Version 2.0.9
217
+ =============
218
+
219
+ Security fixes
220
+ --------------
221
+
222
+ * OpenSSL::X509::Name#<=> could incorrectly return 0 (= equal) for non-equal
223
+ objects. CVE-2018-16395 is assigned for this issue.
224
+ https://hackerone.com/reports/387250
225
+
226
+ Bug fixes
227
+ ---------
228
+
229
+ * Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
230
+ interrupted.
231
+ [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
232
+ [[GitHub #205]](https://github.com/ruby/openssl/pull/205)
233
+ * Fixed OpenSSL::X509::Name#to_s failing with OpenSSL::X509::NameError if
234
+ called against an empty instance.
235
+ [[GitHub #200]](https://github.com/ruby/openssl/issues/200)
236
+ [[GitHub #211]](https://github.com/ruby/openssl/pull/211)
237
+
238
+
239
+ Version 2.0.8
240
+ =============
241
+
242
+ Bug fixes
243
+ ---------
244
+
245
+ * OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration
246
+ count is given.
247
+ [[GitHub #184]](https://github.com/ruby/openssl/pull/184)
248
+ * Fixed build with LibreSSL 2.7.
249
+ [[GitHub #192]](https://github.com/ruby/openssl/issues/192)
250
+ [[GitHub #193]](https://github.com/ruby/openssl/pull/193)
251
+
252
+
253
+ Version 2.0.7
254
+ =============
255
+
256
+ Bug fixes
257
+ ---------
258
+
259
+ * OpenSSL::Cipher#auth_data= could segfault if called against a non-AEAD cipher.
260
+ [[Bug #14024]](https://bugs.ruby-lang.org/issues/14024)
261
+ * OpenSSL::X509::Certificate#public_key= (and similar methods) could segfault
262
+ when an instance of OpenSSL::PKey::PKey with no public key components is
263
+ passed.
264
+ [[Bug #14087]](https://bugs.ruby-lang.org/issues/14087)
265
+ [[GitHub #168]](https://github.com/ruby/openssl/pull/168)
266
+
267
+
268
+ Version 2.0.6
269
+ =============
270
+
271
+ Bug fixes
272
+ ---------
273
+
274
+ * The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
275
+ during GC.
276
+ * A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
277
+ [[GitHub #139]](https://github.com/ruby/openssl/pull/139)
278
+ * OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
279
+ [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
280
+ * OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
281
+ destination buffer String to 0 on error.
282
+ [[GitHub #153]](https://github.com/ruby/openssl/pull/153)
283
+ * Possible deadlock is fixed. This happened only when built with older versions
284
+ of OpenSSL (before 1.1.0) or LibreSSL.
285
+ [[GitHub #155]](https://github.com/ruby/openssl/pull/155)
286
+
287
+
288
+ Version 2.0.5
289
+ =============
290
+
291
+ Bug fixes
292
+ ---------
293
+
294
+ * Reading a PEM/DER-encoded private key or certificate from an IO object did
295
+ not work properly on mswin platforms.
296
+ [[ruby/openssl#128]](https://github.com/ruby/openssl/issues/128)
297
+ * Broken length check in the PEM passphrase callback is fixed.
298
+ * It failed to compile when OpenSSL is configured without TLS 1.0 support.
299
+
300
+
301
+ Version 2.0.4
302
+ =============
303
+
304
+ Bug fixes
305
+ ---------
306
+
307
+ * It now compiles with LibreSSL without renaming on Windows (mswin).
308
+ * A workaround for the error queue leak of X509_load_cert_crl_file() that
309
+ causes random errors is added.
310
+ [[Bug #11033]](https://bugs.ruby-lang.org/issues/11033)
311
+
312
+
313
+ Version 2.0.3
314
+ =============
315
+
316
+ Bug fixes
317
+ ---------
318
+
319
+ * OpenSSL::ASN1::Constructive#each which was broken by 2.0.0 is fixed.
320
+ [[ruby/openssl#96]](https://github.com/ruby/openssl/pull/96)
321
+ * Fixed build with static OpenSSL libraries on Windows.
322
+ [[Bug #13080]](https://bugs.ruby-lang.org/issues/13080)
323
+ * OpenSSL::X509::Name#eql? which was broken by 2.0.0 is fixed.
324
+
325
+
326
+ Version 2.0.2
327
+ =============
328
+
329
+ Bug fixes
330
+ ---------
331
+
332
+ * Fix build with early 0.9.8 series which did not have SSL_CTX_clear_options().
333
+ [ruby-core:78693]
334
+
335
+
336
+ Version 2.0.1
337
+ =============
338
+
339
+ Bug fixes
340
+ ---------
341
+
342
+ * A GC issue around OpenSSL::BN is fixed.
343
+ [[ruby/openssl#87]](https://github.com/ruby/openssl/issues/87)
344
+ * OpenSSL::ASN1 now parses BER encoding of GeneralizedTime without seconds.
345
+ [[ruby/openssl#88]](https://github.com/ruby/openssl/pull/88)
346
+
347
+
348
+ Version 2.0.0
349
+ =============
350
+
351
+ This is the first release of openssl gem, formerly a standard library of Ruby,
352
+ ext/openssl. This is the successor of the version included in Ruby 2.3.
353
+
354
+ Compatibility notes
355
+ -------------------
356
+
357
+ * Support for OpenSSL version 0.9.6 and 0.9.7 is completely removed. openssl gem
358
+ still works with OpenSSL 0.9.8, but users are strongly encouraged to upgrade
359
+ to at least 1.0.1, as OpenSSL < 1.0.1 will not receive any security fixes from
360
+ the OpenSSL development team.
361
+
362
+ Supported platforms
363
+ -------------------
364
+
365
+ * OpenSSL 1.0.0, 1.0.1, 1.0.2, 1.1.0
366
+ * OpenSSL < 0.9.8 is no longer supported.
367
+ * LibreSSL 2.3, 2.4, 2.5
368
+ * Ruby 2.3, 2.4
369
+
370
+ Notable changes
371
+ ---------------
372
+
373
+ * Add support for OpenSSL 1.1.0.
374
+ [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
375
+ * Add support for LibreSSL
376
+
377
+ * OpenSSL::Cipher
378
+
379
+ - OpenSSL::Cipher#key= and #iv= reject too long inputs. They used to truncate
380
+ silently. [[Bug #12561]](https://bugs.ruby-lang.org/issues/12561)
381
+
382
+ - OpenSSL::Cipher#iv_len= is added. It allows changing IV (nonce) length if
383
+ using AEAD ciphers.
384
+ [[Bug #8667]](https://bugs.ruby-lang.org/issues/8667),
385
+ [[Bug #10420]](https://bugs.ruby-lang.org/issues/10420),
386
+ [[GH ruby/ruby#569]](https://github.com/ruby/ruby/pull/569),
387
+ [[GH ruby/openssl#58]](https://github.com/ruby/openssl/pull/58)
388
+
389
+ - OpenSSL::Cipher#auth_tag_len= is added. This sets the authentication tag
390
+ length to be generated by an AEAD cipher.
391
+
392
+ * OpenSSL::OCSP
393
+
394
+ - Accessor methods are added to OpenSSL::OCSP::CertificateId.
395
+ [[Feature #7181]](https://bugs.ruby-lang.org/issues/7181)
396
+
397
+ - OpenSSL::OCSP::Request and BasicResponse can be signed with non-SHA-1 hash
398
+ algorithm. [[Feature #11552]](https://bugs.ruby-lang.org/issues/11552)
399
+
400
+ - OpenSSL::OCSP::CertificateId and BasicResponse can be encoded into DER.
401
+
402
+ - A new class OpenSSL::OCSP::SingleResponse is added for convenience.
403
+
404
+ - OpenSSL::OCSP::BasicResponse#add_status accepts absolute times. They used to
405
+ accept only relative seconds from the current time.
406
+
407
+ * OpenSSL::PKey
408
+
409
+ - OpenSSL::PKey::EC follows the general PKey interface.
410
+ [[Bug #6567]](https://bugs.ruby-lang.org/issues/6567)
411
+
412
+ - OpenSSL::PKey.read raises OpenSSL::PKey::PKeyError instead of ArgumentError
413
+ for consistency with OpenSSL::PKey::{DH,DSA,RSA,EC}#new.
414
+ [[Bug #11774]](https://bugs.ruby-lang.org/issues/11774),
415
+ [[GH ruby/openssl#55]](https://github.com/ruby/openssl/pull/55)
416
+
417
+ - OpenSSL::PKey::EC::Group retrieved by OpenSSL::PKey::EC#group is no longer
418
+ linked with the EC key. Modifications to the EC::Group have no effect on the
419
+ key. [[GH ruby/openssl#71]](https://github.com/ruby/openssl/pull/71)
420
+
421
+ - OpenSSL::PKey::EC::Point#to_bn allows specifying the point conversion form
422
+ by the optional argument.
423
+
424
+ * OpenSSL::SSL
425
+
426
+ - OpenSSL::SSL::SSLSocket#tmp_key is added. A client can call it after the
427
+ connection is established to retrieve the ephemeral key.
428
+ [[GH ruby/ruby#1318]](https://github.com/ruby/ruby/pull/1318)
429
+
430
+ - The automatic ephemeral ECDH curve selection is enabled by default when
431
+ built with OpenSSL >= 1.0.2 or LibreSSL.
432
+
433
+ - OpenSSL::SSL::SSLContext#security_level= is added. You can set the "security
434
+ level" of the SSL context. This is effective only when built with OpenSSL
435
+ 1.1.0.
436
+
437
+ - A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
438
+ is enabled, and the SNI hostname is also set, the hostname verification on
439
+ the server certificate is automatically performed. It is now enabled by
440
+ OpenSSL::SSL::SSLContext#set_params.
441
+ [[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
442
+
443
+ Removals
444
+ --------
445
+
446
+ * OpenSSL::Engine
447
+
448
+ - OpenSSL::Engine.cleanup does nothing when built with OpenSSL 1.1.0.
449
+
450
+ * OpenSSL::SSL
451
+
452
+ - OpenSSL::PKey::DH::DEFAULT_512 is removed. Hence servers no longer use
453
+ 512-bit DH group by default. It is considered too weak nowadays.
454
+ [[Bug #11968]](https://bugs.ruby-lang.org/issues/11968),
455
+ [[GH ruby/ruby#1196]](https://github.com/ruby/ruby/pull/1196)
456
+
457
+ - RC4 cipher suites are removed from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
458
+ RC4 is now considered to be weak.
459
+ [[GH ruby/openssl#50]](https://github.com/ruby/openssl/pull/50)
460
+
461
+ Deprecations
462
+ ------------
463
+
464
+ * OpenSSL::PKey
465
+
466
+ - OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp=,
467
+ OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key=,
468
+ OpenSSL::PKey::DH#p=, #g=, #priv_key= and #pub_key= are deprecated. They are
469
+ disabled when built with OpenSSL 1.1.0, due to its API change. Instead,
470
+ OpenSSL::PKey::RSA#set_key, #set_factors, #set_crt_params,
471
+ OpenSSL::PKey::DSA#set_pqg, #set_key, OpenSSL::PKey::DH#set_pqg and #set_key
472
+ are added.
473
+
474
+ * OpenSSL::Random
475
+
476
+ - OpenSSL::Random.pseudo_bytes is deprecated, and not defined when built with
477
+ OpenSSL 1.1.0. Use OpenSSL::Random.random_bytes instead.
478
+
479
+ * OpenSSL::SSL
480
+
481
+ - OpenSSL::SSL::SSLContext#tmp_ecdh_callback is deprecated, as the underlying
482
+ API SSL_CTX_set_tmp_ecdh_callback() is removed in OpenSSL 1.1.0. It was
483
+ first added in Ruby 2.3.0. To specify the curve to be used in ephemeral
484
+ ECDH, use OpenSSL::SSL::SSLContext#ecdh_curves=. The automatic curve
485
+ selection is also now enabled by default when built with a capable OpenSSL.