openssl 2.0.0.beta.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of openssl might be problematic. Click here for more details.

Files changed (71) hide show
  1. checksums.yaml +7 -0
  2. data/BSDL +22 -0
  3. data/CONTRIBUTING.md +130 -0
  4. data/History.md +118 -0
  5. data/LICENSE.txt +56 -0
  6. data/README.md +70 -0
  7. data/ext/openssl/deprecation.rb +26 -0
  8. data/ext/openssl/extconf.rb +158 -0
  9. data/ext/openssl/openssl_missing.c +173 -0
  10. data/ext/openssl/openssl_missing.h +244 -0
  11. data/ext/openssl/ossl.c +1201 -0
  12. data/ext/openssl/ossl.h +222 -0
  13. data/ext/openssl/ossl_asn1.c +1992 -0
  14. data/ext/openssl/ossl_asn1.h +66 -0
  15. data/ext/openssl/ossl_bio.c +87 -0
  16. data/ext/openssl/ossl_bio.h +19 -0
  17. data/ext/openssl/ossl_bn.c +1153 -0
  18. data/ext/openssl/ossl_bn.h +23 -0
  19. data/ext/openssl/ossl_cipher.c +1085 -0
  20. data/ext/openssl/ossl_cipher.h +20 -0
  21. data/ext/openssl/ossl_config.c +89 -0
  22. data/ext/openssl/ossl_config.h +19 -0
  23. data/ext/openssl/ossl_digest.c +453 -0
  24. data/ext/openssl/ossl_digest.h +20 -0
  25. data/ext/openssl/ossl_engine.c +580 -0
  26. data/ext/openssl/ossl_engine.h +19 -0
  27. data/ext/openssl/ossl_hmac.c +398 -0
  28. data/ext/openssl/ossl_hmac.h +18 -0
  29. data/ext/openssl/ossl_ns_spki.c +406 -0
  30. data/ext/openssl/ossl_ns_spki.h +19 -0
  31. data/ext/openssl/ossl_ocsp.c +2013 -0
  32. data/ext/openssl/ossl_ocsp.h +23 -0
  33. data/ext/openssl/ossl_pkcs12.c +259 -0
  34. data/ext/openssl/ossl_pkcs12.h +13 -0
  35. data/ext/openssl/ossl_pkcs5.c +180 -0
  36. data/ext/openssl/ossl_pkcs5.h +6 -0
  37. data/ext/openssl/ossl_pkcs7.c +1125 -0
  38. data/ext/openssl/ossl_pkcs7.h +20 -0
  39. data/ext/openssl/ossl_pkey.c +435 -0
  40. data/ext/openssl/ossl_pkey.h +245 -0
  41. data/ext/openssl/ossl_pkey_dh.c +650 -0
  42. data/ext/openssl/ossl_pkey_dsa.c +672 -0
  43. data/ext/openssl/ossl_pkey_ec.c +1899 -0
  44. data/ext/openssl/ossl_pkey_rsa.c +768 -0
  45. data/ext/openssl/ossl_rand.c +238 -0
  46. data/ext/openssl/ossl_rand.h +18 -0
  47. data/ext/openssl/ossl_ssl.c +2679 -0
  48. data/ext/openssl/ossl_ssl.h +41 -0
  49. data/ext/openssl/ossl_ssl_session.c +352 -0
  50. data/ext/openssl/ossl_version.h +15 -0
  51. data/ext/openssl/ossl_x509.c +186 -0
  52. data/ext/openssl/ossl_x509.h +119 -0
  53. data/ext/openssl/ossl_x509attr.c +328 -0
  54. data/ext/openssl/ossl_x509cert.c +860 -0
  55. data/ext/openssl/ossl_x509crl.c +565 -0
  56. data/ext/openssl/ossl_x509ext.c +480 -0
  57. data/ext/openssl/ossl_x509name.c +547 -0
  58. data/ext/openssl/ossl_x509req.c +492 -0
  59. data/ext/openssl/ossl_x509revoked.c +279 -0
  60. data/ext/openssl/ossl_x509store.c +846 -0
  61. data/ext/openssl/ruby_missing.h +32 -0
  62. data/lib/openssl.rb +21 -0
  63. data/lib/openssl/bn.rb +39 -0
  64. data/lib/openssl/buffering.rb +451 -0
  65. data/lib/openssl/cipher.rb +67 -0
  66. data/lib/openssl/config.rb +473 -0
  67. data/lib/openssl/digest.rb +78 -0
  68. data/lib/openssl/pkey.rb +44 -0
  69. data/lib/openssl/ssl.rb +416 -0
  70. data/lib/openssl/x509.rb +176 -0
  71. metadata +178 -0
@@ -0,0 +1,173 @@
1
+ /*
2
+ * 'OpenSSL for Ruby' project
3
+ * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4
+ * All rights reserved.
5
+ */
6
+ /*
7
+ * This program is licensed under the same licence as Ruby.
8
+ * (See the file 'LICENCE'.)
9
+ */
10
+ #include RUBY_EXTCONF_H
11
+
12
+ #include <string.h> /* memcpy() */
13
+ #if !defined(OPENSSL_NO_ENGINE)
14
+ # include <openssl/engine.h>
15
+ #endif
16
+ #if !defined(OPENSSL_NO_HMAC)
17
+ # include <openssl/hmac.h>
18
+ #endif
19
+ #include <openssl/x509_vfy.h>
20
+
21
+ #include "openssl_missing.h"
22
+
23
+ /* added in 0.9.8X */
24
+ #if !defined(HAVE_EVP_CIPHER_CTX_NEW)
25
+ EVP_CIPHER_CTX *
26
+ EVP_CIPHER_CTX_new(void)
27
+ {
28
+ EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX));
29
+ if (!ctx)
30
+ return NULL;
31
+ EVP_CIPHER_CTX_init(ctx);
32
+ return ctx;
33
+ }
34
+ #endif
35
+
36
+ #if !defined(HAVE_EVP_CIPHER_CTX_FREE)
37
+ void
38
+ EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
39
+ {
40
+ if (ctx) {
41
+ EVP_CIPHER_CTX_cleanup(ctx);
42
+ OPENSSL_free(ctx);
43
+ }
44
+ }
45
+ #endif
46
+
47
+ /* added in 1.0.0 */
48
+ #if !defined(HAVE_EVP_CIPHER_CTX_COPY)
49
+ /*
50
+ * this function does not exist in OpenSSL yet... or ever?.
51
+ * a future version may break this function.
52
+ * tested on 0.9.7d.
53
+ */
54
+ int
55
+ EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
56
+ {
57
+ memcpy(out, in, sizeof(EVP_CIPHER_CTX));
58
+
59
+ #if !defined(OPENSSL_NO_ENGINE)
60
+ if (in->engine) ENGINE_add(out->engine);
61
+ if (in->cipher_data) {
62
+ out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
63
+ memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
64
+ }
65
+ #endif
66
+
67
+ return 1;
68
+ }
69
+ #endif
70
+
71
+ #if !defined(OPENSSL_NO_HMAC)
72
+ #if !defined(HAVE_HMAC_CTX_COPY)
73
+ int
74
+ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
75
+ {
76
+ if (!out || !in)
77
+ return 0;
78
+
79
+ memcpy(out, in, sizeof(HMAC_CTX));
80
+
81
+ EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx);
82
+ EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx);
83
+ EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx);
84
+
85
+ return 1;
86
+ }
87
+ #endif /* HAVE_HMAC_CTX_COPY */
88
+ #endif /* NO_HMAC */
89
+
90
+ /* added in 1.0.2 */
91
+ #if !defined(OPENSSL_NO_EC)
92
+ #if !defined(HAVE_EC_CURVE_NIST2NID)
93
+ static struct {
94
+ const char *name;
95
+ int nid;
96
+ } nist_curves[] = {
97
+ {"B-163", NID_sect163r2},
98
+ {"B-233", NID_sect233r1},
99
+ {"B-283", NID_sect283r1},
100
+ {"B-409", NID_sect409r1},
101
+ {"B-571", NID_sect571r1},
102
+ {"K-163", NID_sect163k1},
103
+ {"K-233", NID_sect233k1},
104
+ {"K-283", NID_sect283k1},
105
+ {"K-409", NID_sect409k1},
106
+ {"K-571", NID_sect571k1},
107
+ {"P-192", NID_X9_62_prime192v1},
108
+ {"P-224", NID_secp224r1},
109
+ {"P-256", NID_X9_62_prime256v1},
110
+ {"P-384", NID_secp384r1},
111
+ {"P-521", NID_secp521r1}
112
+ };
113
+
114
+ int
115
+ EC_curve_nist2nid(const char *name)
116
+ {
117
+ size_t i;
118
+ for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
119
+ if (!strcmp(nist_curves[i].name, name))
120
+ return nist_curves[i].nid;
121
+ }
122
+ return NID_undef;
123
+ }
124
+ #endif
125
+ #endif
126
+
127
+ /*** added in 1.1.0 ***/
128
+ #if !defined(HAVE_HMAC_CTX_NEW)
129
+ HMAC_CTX *
130
+ HMAC_CTX_new(void)
131
+ {
132
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
133
+ if (!ctx)
134
+ return NULL;
135
+ HMAC_CTX_init(ctx);
136
+ return ctx;
137
+ }
138
+ #endif
139
+
140
+ #if !defined(HAVE_HMAC_CTX_FREE)
141
+ void
142
+ HMAC_CTX_free(HMAC_CTX *ctx)
143
+ {
144
+ if (ctx) {
145
+ HMAC_CTX_cleanup(ctx);
146
+ OPENSSL_free(ctx);
147
+ }
148
+ }
149
+ #endif
150
+
151
+ #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
152
+ void
153
+ X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
154
+ const X509_ALGOR **palg)
155
+ {
156
+ if (psig != NULL)
157
+ *psig = crl->signature;
158
+ if (palg != NULL)
159
+ *palg = crl->sig_alg;
160
+ }
161
+ #endif
162
+
163
+ #if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
164
+ void
165
+ X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
166
+ const X509_ALGOR **palg)
167
+ {
168
+ if (psig != NULL)
169
+ *psig = req->signature;
170
+ if (palg != NULL)
171
+ *palg = req->sig_alg;
172
+ }
173
+ #endif
@@ -0,0 +1,244 @@
1
+ /*
2
+ * 'OpenSSL for Ruby' project
3
+ * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4
+ * All rights reserved.
5
+ */
6
+ /*
7
+ * This program is licensed under the same licence as Ruby.
8
+ * (See the file 'LICENCE'.)
9
+ */
10
+ #if !defined(_OSSL_OPENSSL_MISSING_H_)
11
+ #define _OSSL_OPENSSL_MISSING_H_
12
+
13
+ #include "ruby/config.h"
14
+
15
+ /* added in 0.9.8X */
16
+ #if !defined(HAVE_EVP_CIPHER_CTX_NEW)
17
+ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
18
+ #endif
19
+
20
+ #if !defined(HAVE_EVP_CIPHER_CTX_FREE)
21
+ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
22
+ #endif
23
+
24
+ /* added in 1.0.0 */
25
+ #if !defined(HAVE_EVP_PKEY_BASE_ID)
26
+ # define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
27
+ #endif
28
+
29
+ #if !defined(HAVE_EVP_CIPHER_CTX_COPY)
30
+ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in);
31
+ #endif
32
+
33
+ #if !defined(HAVE_HMAC_CTX_COPY)
34
+ int HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
35
+ #endif
36
+
37
+ #if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
38
+ # define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
39
+ #endif
40
+
41
+ #if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
42
+ # define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
43
+ #endif
44
+
45
+ #if !defined(HAVE_I2D_ASN1_SET_ANY)
46
+ # define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
47
+ i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
48
+ #endif
49
+
50
+ /* added in 1.0.2 */
51
+ #if !defined(OPENSSL_NO_EC)
52
+ #if !defined(HAVE_EC_CURVE_NIST2NID)
53
+ int EC_curve_nist2nid(const char *);
54
+ #endif
55
+ #endif
56
+
57
+ #if !defined(HAVE_X509_REVOKED_DUP)
58
+ # define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
59
+ (d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
60
+ #endif
61
+
62
+ #if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
63
+ # define X509_STORE_CTX_get0_store(x) ((x)->ctx)
64
+ #endif
65
+
66
+ #if !defined(HAVE_SSL_IS_SERVER)
67
+ # define SSL_is_server(s) ((s)->server)
68
+ #endif
69
+
70
+ /* added in 1.1.0 */
71
+ #if !defined(HAVE_BN_GENCB_NEW)
72
+ # define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
73
+ #endif
74
+
75
+ #if !defined(HAVE_BN_GENCB_FREE)
76
+ # define BN_GENCB_free(cb) OPENSSL_free(cb)
77
+ #endif
78
+
79
+ #if !defined(HAVE_BN_GENCB_GET_ARG)
80
+ # define BN_GENCB_get_arg(cb) (cb)->arg
81
+ #endif
82
+
83
+ #if !defined(HAVE_EVP_MD_CTX_NEW)
84
+ # define EVP_MD_CTX_new EVP_MD_CTX_create
85
+ #endif
86
+
87
+ #if !defined(HAVE_EVP_MD_CTX_FREE)
88
+ # define EVP_MD_CTX_free EVP_MD_CTX_destroy
89
+ #endif
90
+
91
+ #if !defined(HAVE_HMAC_CTX_NEW)
92
+ HMAC_CTX *HMAC_CTX_new(void);
93
+ #endif
94
+
95
+ #if !defined(HAVE_HMAC_CTX_FREE)
96
+ void HMAC_CTX_free(HMAC_CTX *ctx);
97
+ #endif
98
+
99
+ #if !defined(HAVE_X509_STORE_GET_EX_DATA)
100
+ # define X509_STORE_get_ex_data(x, idx) \
101
+ CRYPTO_get_ex_data(&(x)->ex_data, (idx))
102
+ #endif
103
+
104
+ #if !defined(HAVE_X509_STORE_SET_EX_DATA)
105
+ # define X509_STORE_set_ex_data(x, idx, data) \
106
+ CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
107
+ # define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
108
+ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
109
+ (newf), (dupf), (freef))
110
+ #endif
111
+
112
+ #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
113
+ void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
114
+ #endif
115
+
116
+ #if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
117
+ void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
118
+ #endif
119
+
120
+ #if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
121
+ # define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
122
+ #endif
123
+
124
+ #if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
125
+ # define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate)
126
+ #endif
127
+
128
+ #if !defined(HAVE_X509_GET0_TBS_SIGALG)
129
+ # define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature)
130
+ #endif
131
+
132
+ #if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED)
133
+ # define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted)
134
+ #endif
135
+
136
+ #if !defined(HAVE_X509_STORE_CTX_GET0_CERT)
137
+ # define X509_STORE_CTX_get0_cert(x) ((x)->cert)
138
+ #endif
139
+
140
+ #if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN)
141
+ # define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx)
142
+ #endif
143
+
144
+ #if !defined(HAVE_OCSP_SINGLERESP_GET0_ID)
145
+ # define OCSP_SINGLERESP_get0_id(s) ((s)->certId)
146
+ #endif
147
+
148
+ #if !defined(HAVE_SSL_CTX_GET_CIPHERS)
149
+ # define SSL_CTX_get_ciphers(ctx) ((ctx)->cipher_list)
150
+ #endif
151
+
152
+ #if !defined(HAVE_X509_UP_REF)
153
+ # define X509_up_ref(x) \
154
+ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509)
155
+ #endif
156
+
157
+ #if !defined(HAVE_X509_CRL_UP_REF)
158
+ # define X509_CRL_up_ref(x) \
159
+ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_CRL);
160
+ #endif
161
+
162
+ #if !defined(HAVE_X509_STORE_UP_REF)
163
+ # define X509_STORE_up_ref(x) \
164
+ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_STORE);
165
+ #endif
166
+
167
+ #if !defined(HAVE_SSL_SESSION_UP_REF)
168
+ # define SSL_SESSION_up_ref(x) \
169
+ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_SSL_SESSION);
170
+ #endif
171
+
172
+ #if !defined(HAVE_EVP_PKEY_UP_REF)
173
+ # define EVP_PKEY_up_ref(x) \
174
+ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
175
+ #endif
176
+
177
+ #if !defined(HAVE_OPAQUE_OPENSSL)
178
+ #define IMPL_PKEY_GETTER(_type, _name) \
179
+ static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
180
+ return pkey->pkey._name; }
181
+ #define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \
182
+ static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
183
+ if (a1) *a1 = obj->a1; \
184
+ if (a2) *a2 = obj->a2; } \
185
+ static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
186
+ if (_fail_cond) return 0; \
187
+ BN_clear_free(obj->a1); obj->a1 = a1; \
188
+ BN_clear_free(obj->a2); obj->a2 = a2; \
189
+ return 1; }
190
+ #define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \
191
+ static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
192
+ if (a1) *a1 = obj->a1; \
193
+ if (a2) *a2 = obj->a2; \
194
+ if (a3) *a3 = obj->a3; } \
195
+ static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2, BIGNUM *a3) { \
196
+ if (_fail_cond) return 0; \
197
+ BN_clear_free(obj->a1); obj->a1 = a1; \
198
+ BN_clear_free(obj->a2); obj->a2 = a2; \
199
+ BN_clear_free(obj->a3); obj->a3 = a3; \
200
+ return 1; }
201
+
202
+ #if !defined(OPENSSL_NO_RSA)
203
+ IMPL_PKEY_GETTER(RSA, rsa)
204
+ IMPL_KEY_ACCESSOR3(RSA, key, n, e, d, (n == obj->n || e == obj->e || (obj->d && d == obj->d)))
205
+ IMPL_KEY_ACCESSOR2(RSA, factors, p, q, (p == obj->p || q == obj->q))
206
+ IMPL_KEY_ACCESSOR3(RSA, crt_params, dmp1, dmq1, iqmp, (dmp1 == obj->dmp1 || dmq1 == obj->dmq1 || iqmp == obj->iqmp))
207
+ #endif
208
+
209
+ #if !defined(OPENSSL_NO_DSA)
210
+ IMPL_PKEY_GETTER(DSA, dsa)
211
+ IMPL_KEY_ACCESSOR2(DSA, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
212
+ IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g))
213
+ #endif
214
+
215
+ #if !defined(OPENSSL_NO_DH)
216
+ IMPL_PKEY_GETTER(DH, dh)
217
+ IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
218
+ IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || obj->q && q == obj->q || g == obj->g))
219
+ static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; }
220
+ #endif
221
+
222
+ #if !defined(OPENSSL_NO_EC)
223
+ IMPL_PKEY_GETTER(EC_KEY, ec)
224
+ #endif
225
+
226
+ #undef IMPL_PKEY_GETTER
227
+ #undef IMPL_KEY_ACCESSOR2
228
+ #undef IMPL_KEY_ACCESSOR3
229
+ #endif /* HAVE_OPAQUE_OPENSSL */
230
+
231
+ #if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
232
+ # define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
233
+ # define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
234
+ # define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
235
+ #endif
236
+
237
+ #if !defined(HAVE_X509_GET0_NOTBEFORE)
238
+ # define X509_get0_notBefore(x) X509_get_notBefore(x)
239
+ # define X509_get0_notAfter(x) X509_get_notAfter(x)
240
+ # define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
241
+ # define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
242
+ #endif
243
+
244
+ #endif /* _OSSL_OPENSSL_MISSING_H_ */
@@ -0,0 +1,1201 @@
1
+ /*
2
+ * 'OpenSSL for Ruby' project
3
+ * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4
+ * All rights reserved.
5
+ */
6
+ /*
7
+ * This program is licensed under the same licence as Ruby.
8
+ * (See the file 'LICENCE'.)
9
+ */
10
+ #include "ossl.h"
11
+ #include <stdarg.h> /* for ossl_raise */
12
+ #include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
13
+
14
+ /*
15
+ * Data Conversion
16
+ */
17
+ #define OSSL_IMPL_ARY2SK(name, type, expected_class, dup) \
18
+ STACK_OF(type) * \
19
+ ossl_##name##_ary2sk0(VALUE ary) \
20
+ { \
21
+ STACK_OF(type) *sk; \
22
+ VALUE val; \
23
+ type *x; \
24
+ int i; \
25
+ \
26
+ Check_Type(ary, T_ARRAY); \
27
+ sk = sk_##type##_new_null(); \
28
+ if (!sk) ossl_raise(eOSSLError, NULL); \
29
+ \
30
+ for (i = 0; i < RARRAY_LEN(ary); i++) { \
31
+ val = rb_ary_entry(ary, i); \
32
+ if (!rb_obj_is_kind_of(val, expected_class)) { \
33
+ sk_##type##_pop_free(sk, type##_free); \
34
+ ossl_raise(eOSSLError, "object in array not" \
35
+ " of class ##type##"); \
36
+ } \
37
+ x = dup(val); /* NEED TO DUP */ \
38
+ sk_##type##_push(sk, x); \
39
+ } \
40
+ return sk; \
41
+ } \
42
+ \
43
+ STACK_OF(type) * \
44
+ ossl_protect_##name##_ary2sk(VALUE ary, int *status) \
45
+ { \
46
+ return (STACK_OF(type)*)rb_protect( \
47
+ (VALUE (*)(VALUE))ossl_##name##_ary2sk0, \
48
+ ary, \
49
+ status); \
50
+ } \
51
+ \
52
+ STACK_OF(type) * \
53
+ ossl_##name##_ary2sk(VALUE ary) \
54
+ { \
55
+ STACK_OF(type) *sk; \
56
+ int status = 0; \
57
+ \
58
+ sk = ossl_protect_##name##_ary2sk(ary, &status); \
59
+ if (status) rb_jump_tag(status); \
60
+ \
61
+ return sk; \
62
+ }
63
+ OSSL_IMPL_ARY2SK(x509, X509, cX509Cert, DupX509CertPtr)
64
+
65
+ #define OSSL_IMPL_SK2ARY(name, type) \
66
+ VALUE \
67
+ ossl_##name##_sk2ary(const STACK_OF(type) *sk) \
68
+ { \
69
+ type *t; \
70
+ int i, num; \
71
+ VALUE ary; \
72
+ \
73
+ if (!sk) { \
74
+ OSSL_Debug("empty sk!"); \
75
+ return Qnil; \
76
+ } \
77
+ num = sk_##type##_num(sk); \
78
+ if (num < 0) { \
79
+ OSSL_Debug("items in sk < -1???"); \
80
+ return rb_ary_new(); \
81
+ } \
82
+ ary = rb_ary_new2(num); \
83
+ \
84
+ for (i=0; i<num; i++) { \
85
+ t = sk_##type##_value(sk, i); \
86
+ rb_ary_push(ary, ossl_##name##_new(t)); \
87
+ } \
88
+ return ary; \
89
+ }
90
+ OSSL_IMPL_SK2ARY(x509, X509)
91
+ OSSL_IMPL_SK2ARY(x509crl, X509_CRL)
92
+ OSSL_IMPL_SK2ARY(x509name, X509_NAME)
93
+
94
+ static VALUE
95
+ ossl_str_new(int size)
96
+ {
97
+ return rb_str_new(0, size);
98
+ }
99
+
100
+ VALUE
101
+ ossl_buf2str(char *buf, int len)
102
+ {
103
+ VALUE str;
104
+ int status = 0;
105
+
106
+ str = rb_protect((VALUE (*)(VALUE))ossl_str_new, len, &status);
107
+ if(!NIL_P(str)) memcpy(RSTRING_PTR(str), buf, len);
108
+ OPENSSL_free(buf);
109
+ if(status) rb_jump_tag(status);
110
+
111
+ return str;
112
+ }
113
+
114
+ void
115
+ ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
116
+ {
117
+ const char *hex = "0123456789abcdef";
118
+ size_t i;
119
+
120
+ assert(inlen <= LONG_MAX / 2);
121
+ for (i = 0; i < inlen; i++) {
122
+ unsigned char p = in[i];
123
+
124
+ out[i * 2 + 0] = hex[p >> 4];
125
+ out[i * 2 + 1] = hex[p & 0x0f];
126
+ }
127
+ }
128
+
129
+ /*
130
+ * our default PEM callback
131
+ */
132
+
133
+ /*
134
+ * OpenSSL requires passwords for PEM-encoded files to be at least four
135
+ * characters long. See crypto/pem/pem_lib.c (as of 1.0.2h)
136
+ */
137
+ #define OSSL_MIN_PWD_LEN 4
138
+
139
+ VALUE
140
+ ossl_pem_passwd_value(VALUE pass)
141
+ {
142
+ if (NIL_P(pass))
143
+ return Qnil;
144
+
145
+ StringValue(pass);
146
+
147
+ if (RSTRING_LEN(pass) < OSSL_MIN_PWD_LEN)
148
+ ossl_raise(eOSSLError, "password must be at least %d bytes", OSSL_MIN_PWD_LEN);
149
+ /* PEM_BUFSIZE is currently used as the second argument of pem_password_cb,
150
+ * that is +max_len+ of ossl_pem_passwd_cb() */
151
+ if (RSTRING_LEN(pass) > PEM_BUFSIZE)
152
+ ossl_raise(eOSSLError, "password must be shorter than %d bytes", PEM_BUFSIZE);
153
+
154
+ return pass;
155
+ }
156
+
157
+ static VALUE
158
+ ossl_pem_passwd_cb0(VALUE flag)
159
+ {
160
+ VALUE pass;
161
+
162
+ pass = rb_yield(flag);
163
+ SafeStringValue(pass);
164
+
165
+ return pass;
166
+ }
167
+
168
+ int
169
+ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
170
+ {
171
+ int len, status;
172
+ VALUE rflag, pass = (VALUE)pwd_;
173
+
174
+ if (RTEST(pass)) {
175
+ /* PEM_def_callback(buf, max_len, flag, StringValueCStr(pass)) does not
176
+ * work because it does not allow NUL characters and truncates to 1024
177
+ * bytes silently if the input is over 1024 bytes */
178
+ if (RB_TYPE_P(pass, T_STRING)) {
179
+ len = RSTRING_LENINT(pass);
180
+ if (len >= OSSL_MIN_PWD_LEN && len <= max_len) {
181
+ memcpy(buf, RSTRING_PTR(pass), len);
182
+ return len;
183
+ }
184
+ }
185
+ OSSL_Debug("passed data is not valid String???");
186
+ return -1;
187
+ }
188
+
189
+ if (!rb_block_given_p()) {
190
+ return PEM_def_callback(buf, max_len, flag, NULL);
191
+ }
192
+
193
+ while (1) {
194
+ /*
195
+ * when the flag is nonzero, this passphrase
196
+ * will be used to perform encryption; otherwise it will
197
+ * be used to perform decryption.
198
+ */
199
+ rflag = flag ? Qtrue : Qfalse;
200
+ pass = rb_protect(ossl_pem_passwd_cb0, rflag, &status);
201
+ if (status) {
202
+ /* ignore an exception raised. */
203
+ rb_set_errinfo(Qnil);
204
+ return -1;
205
+ }
206
+ len = RSTRING_LENINT(pass);
207
+ if (len < OSSL_MIN_PWD_LEN) {
208
+ rb_warning("password must be at least %d bytes", OSSL_MIN_PWD_LEN);
209
+ continue;
210
+ }
211
+ if (len > max_len) {
212
+ rb_warning("password must be shorter than %d bytes", max_len);
213
+ continue;
214
+ }
215
+ memcpy(buf, RSTRING_PTR(pass), len);
216
+ break;
217
+ }
218
+ return len;
219
+ }
220
+
221
+ /*
222
+ * Verify callback
223
+ */
224
+ int ossl_store_ctx_ex_verify_cb_idx;
225
+ int ossl_store_ex_verify_cb_idx;
226
+
227
+ struct ossl_verify_cb_args {
228
+ VALUE proc;
229
+ VALUE preverify_ok;
230
+ VALUE store_ctx;
231
+ };
232
+
233
+ static VALUE
234
+ ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args)
235
+ {
236
+ return rb_funcall(args->proc, rb_intern("call"), 2,
237
+ args->preverify_ok, args->store_ctx);
238
+ }
239
+
240
+ int
241
+ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
242
+ {
243
+ VALUE rctx, ret;
244
+ struct ossl_verify_cb_args args;
245
+ int state;
246
+
247
+ if (NIL_P(proc))
248
+ return ok;
249
+
250
+ ret = Qfalse;
251
+ rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new, (VALUE)ctx, &state);
252
+ if (state) {
253
+ rb_set_errinfo(Qnil);
254
+ rb_warn("StoreContext initialization failure");
255
+ }
256
+ else {
257
+ args.proc = proc;
258
+ args.preverify_ok = ok ? Qtrue : Qfalse;
259
+ args.store_ctx = rctx;
260
+ ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
261
+ if (state) {
262
+ rb_set_errinfo(Qnil);
263
+ rb_warn("exception in verify_callback is ignored");
264
+ }
265
+ ossl_x509stctx_clear_ptr(rctx);
266
+ }
267
+ if (ret == Qtrue) {
268
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
269
+ ok = 1;
270
+ }
271
+ else {
272
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_OK)
273
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
274
+ ok = 0;
275
+ }
276
+
277
+ return ok;
278
+ }
279
+
280
+ /*
281
+ * main module
282
+ */
283
+ VALUE mOSSL;
284
+
285
+ /*
286
+ * OpenSSLError < StandardError
287
+ */
288
+ VALUE eOSSLError;
289
+
290
+ /*
291
+ * Convert to DER string
292
+ */
293
+ ID ossl_s_to_der;
294
+
295
+ VALUE
296
+ ossl_to_der(VALUE obj)
297
+ {
298
+ VALUE tmp;
299
+
300
+ tmp = rb_funcall(obj, ossl_s_to_der, 0);
301
+ StringValue(tmp);
302
+
303
+ return tmp;
304
+ }
305
+
306
+ VALUE
307
+ ossl_to_der_if_possible(VALUE obj)
308
+ {
309
+ if(rb_respond_to(obj, ossl_s_to_der))
310
+ return ossl_to_der(obj);
311
+ return obj;
312
+ }
313
+
314
+ /*
315
+ * Errors
316
+ */
317
+ static VALUE
318
+ ossl_make_error(VALUE exc, const char *fmt, va_list args)
319
+ {
320
+ VALUE str = Qnil;
321
+ const char *msg;
322
+ long e;
323
+
324
+ e = ERR_peek_last_error();
325
+ if (fmt) {
326
+ str = rb_vsprintf(fmt, args);
327
+ }
328
+ if (e) {
329
+ if (dOSSL == Qtrue) /* FULL INFO */
330
+ msg = ERR_error_string(e, NULL);
331
+ else
332
+ msg = ERR_reason_error_string(e);
333
+ if (NIL_P(str)) {
334
+ if (msg) str = rb_str_new_cstr(msg);
335
+ }
336
+ else {
337
+ if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
338
+ rb_str_cat2(str, msg ? msg : "(null)");
339
+ }
340
+ }
341
+ ossl_clear_error();
342
+
343
+ if (NIL_P(str)) str = rb_str_new(0, 0);
344
+ return rb_exc_new3(exc, str);
345
+ }
346
+
347
+ void
348
+ ossl_raise(VALUE exc, const char *fmt, ...)
349
+ {
350
+ va_list args;
351
+ VALUE err;
352
+ va_start(args, fmt);
353
+ err = ossl_make_error(exc, fmt, args);
354
+ va_end(args);
355
+ rb_exc_raise(err);
356
+ }
357
+
358
+ VALUE
359
+ ossl_exc_new(VALUE exc, const char *fmt, ...)
360
+ {
361
+ va_list args;
362
+ VALUE err;
363
+ va_start(args, fmt);
364
+ err = ossl_make_error(exc, fmt, args);
365
+ va_end(args);
366
+ return err;
367
+ }
368
+
369
+ void
370
+ ossl_clear_error(void)
371
+ {
372
+ if (dOSSL == Qtrue) {
373
+ long e;
374
+ while ((e = ERR_get_error())) {
375
+ rb_warn("error on stack: %s", ERR_error_string(e, NULL));
376
+ }
377
+ }
378
+ ERR_clear_error();
379
+ }
380
+
381
+ /*
382
+ * call-seq:
383
+ * OpenSSL.errors -> [String...]
384
+ *
385
+ * See any remaining errors held in queue.
386
+ *
387
+ * Any errors you see here are probably due to a bug in ruby's OpenSSL implementation.
388
+ */
389
+ VALUE
390
+ ossl_get_errors(void)
391
+ {
392
+ VALUE ary;
393
+ long e;
394
+
395
+ ary = rb_ary_new();
396
+ while ((e = ERR_get_error()) != 0){
397
+ rb_ary_push(ary, rb_str_new2(ERR_error_string(e, NULL)));
398
+ }
399
+
400
+ return ary;
401
+ }
402
+
403
+ /*
404
+ * Debug
405
+ */
406
+ VALUE dOSSL;
407
+
408
+ #if !defined(HAVE_VA_ARGS_MACRO)
409
+ void
410
+ ossl_debug(const char *fmt, ...)
411
+ {
412
+ va_list args;
413
+
414
+ if (dOSSL == Qtrue) {
415
+ fprintf(stderr, "OSSL_DEBUG: ");
416
+ va_start(args, fmt);
417
+ vfprintf(stderr, fmt, args);
418
+ va_end(args);
419
+ fprintf(stderr, " [CONTEXT N/A]\n");
420
+ }
421
+ }
422
+ #endif
423
+
424
+ /*
425
+ * call-seq:
426
+ * OpenSSL.debug -> true | false
427
+ */
428
+ static VALUE
429
+ ossl_debug_get(VALUE self)
430
+ {
431
+ return dOSSL;
432
+ }
433
+
434
+ /*
435
+ * call-seq:
436
+ * OpenSSL.debug = boolean -> boolean
437
+ *
438
+ * Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
439
+ * error queue will be printed to stderr.
440
+ */
441
+ static VALUE
442
+ ossl_debug_set(VALUE self, VALUE val)
443
+ {
444
+ dOSSL = RTEST(val) ? Qtrue : Qfalse;
445
+
446
+ return val;
447
+ }
448
+
449
+ /*
450
+ * call-seq:
451
+ * OpenSSL.fips_mode = boolean -> boolean
452
+ *
453
+ * Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
454
+ * effect for FIPS-capable installations of the OpenSSL library. Trying to do
455
+ * so otherwise will result in an error.
456
+ *
457
+ * === Examples
458
+ * OpenSSL.fips_mode = true # turn FIPS mode on
459
+ * OpenSSL.fips_mode = false # and off again
460
+ */
461
+ static VALUE
462
+ ossl_fips_mode_set(VALUE self, VALUE enabled)
463
+ {
464
+
465
+ #ifdef OPENSSL_FIPS
466
+ if (RTEST(enabled)) {
467
+ int mode = FIPS_mode();
468
+ if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
469
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
470
+ } else {
471
+ if(!FIPS_mode_set(0)) /* turning off twice is OK */
472
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
473
+ }
474
+ return enabled;
475
+ #else
476
+ if (RTEST(enabled))
477
+ ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
478
+ return enabled;
479
+ #endif
480
+ }
481
+
482
+ #if !defined(HAVE_OPENSSL_110_THREADING_API)
483
+ /**
484
+ * Stores locks needed for OpenSSL thread safety
485
+ */
486
+ static rb_nativethread_lock_t *ossl_locks;
487
+
488
+ static void
489
+ ossl_lock_unlock(int mode, rb_nativethread_lock_t *lock)
490
+ {
491
+ if (mode & CRYPTO_LOCK) {
492
+ rb_nativethread_lock_lock(lock);
493
+ } else {
494
+ rb_nativethread_lock_unlock(lock);
495
+ }
496
+ }
497
+
498
+ static void
499
+ ossl_lock_callback(int mode, int type, const char *file, int line)
500
+ {
501
+ ossl_lock_unlock(mode, &ossl_locks[type]);
502
+ }
503
+
504
+ struct CRYPTO_dynlock_value {
505
+ rb_nativethread_lock_t lock;
506
+ };
507
+
508
+ static struct CRYPTO_dynlock_value *
509
+ ossl_dyn_create_callback(const char *file, int line)
510
+ {
511
+ struct CRYPTO_dynlock_value *dynlock = (struct CRYPTO_dynlock_value *)OPENSSL_malloc((int)sizeof(struct CRYPTO_dynlock_value));
512
+ rb_nativethread_lock_initialize(&dynlock->lock);
513
+ return dynlock;
514
+ }
515
+
516
+ static void
517
+ ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
518
+ {
519
+ ossl_lock_unlock(mode, &l->lock);
520
+ }
521
+
522
+ static void
523
+ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int line)
524
+ {
525
+ rb_nativethread_lock_destroy(&l->lock);
526
+ OPENSSL_free(l);
527
+ }
528
+
529
+ #ifdef HAVE_CRYPTO_THREADID_PTR
530
+ static void ossl_threadid_func(CRYPTO_THREADID *id)
531
+ {
532
+ /* register native thread id */
533
+ CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
534
+ }
535
+ #else
536
+ static unsigned long ossl_thread_id(void)
537
+ {
538
+ /* before OpenSSL 1.0, this is 'unsigned long' */
539
+ return (unsigned long)rb_nativethread_self();
540
+ }
541
+ #endif
542
+
543
+ static void Init_ossl_locks(void)
544
+ {
545
+ int i;
546
+ int num_locks = CRYPTO_num_locks();
547
+
548
+ if ((unsigned)num_locks >= INT_MAX / (int)sizeof(VALUE)) {
549
+ rb_raise(rb_eRuntimeError, "CRYPTO_num_locks() is too big: %d", num_locks);
550
+ }
551
+ ossl_locks = (rb_nativethread_lock_t *) OPENSSL_malloc(num_locks * (int)sizeof(rb_nativethread_lock_t));
552
+ if (!ossl_locks) {
553
+ rb_raise(rb_eNoMemError, "CRYPTO_num_locks() is too big: %d", num_locks);
554
+ }
555
+ for (i = 0; i < num_locks; i++) {
556
+ rb_nativethread_lock_initialize(&ossl_locks[i]);
557
+ }
558
+
559
+ #ifdef HAVE_CRYPTO_THREADID_PTR
560
+ CRYPTO_THREADID_set_callback(ossl_threadid_func);
561
+ #else
562
+ CRYPTO_set_id_callback(ossl_thread_id);
563
+ #endif
564
+ CRYPTO_set_locking_callback(ossl_lock_callback);
565
+ CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback);
566
+ CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);
567
+ CRYPTO_set_dynlock_destroy_callback(ossl_dyn_destroy_callback);
568
+ }
569
+ #endif /* !HAVE_OPENSSL_110_THREADING_API */
570
+
571
+ /*
572
+ * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
573
+ * OpenSSL[http://www.openssl.org/] library.
574
+ *
575
+ * = Examples
576
+ *
577
+ * All examples assume you have loaded OpenSSL with:
578
+ *
579
+ * require 'openssl'
580
+ *
581
+ * These examples build atop each other. For example the key created in the
582
+ * next is used in throughout these examples.
583
+ *
584
+ * == Keys
585
+ *
586
+ * === Creating a Key
587
+ *
588
+ * This example creates a 2048 bit RSA keypair and writes it to the current
589
+ * directory.
590
+ *
591
+ * key = OpenSSL::PKey::RSA.new 2048
592
+ *
593
+ * open 'private_key.pem', 'w' do |io| io.write key.to_pem end
594
+ * open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
595
+ *
596
+ * === Exporting a Key
597
+ *
598
+ * Keys saved to disk without encryption are not secure as anyone who gets
599
+ * ahold of the key may use it unless it is encrypted. In order to securely
600
+ * export a key you may export it with a pass phrase.
601
+ *
602
+ * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
603
+ * pass_phrase = 'my secure pass phrase goes here'
604
+ *
605
+ * key_secure = key.export cipher, pass_phrase
606
+ *
607
+ * open 'private.secure.pem', 'w' do |io|
608
+ * io.write key_secure
609
+ * end
610
+ *
611
+ * OpenSSL::Cipher.ciphers returns a list of available ciphers.
612
+ *
613
+ * === Loading a Key
614
+ *
615
+ * A key can also be loaded from a file.
616
+ *
617
+ * key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
618
+ * key2.public? # => true
619
+ * key2.private? # => true
620
+ *
621
+ * or
622
+ *
623
+ * key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
624
+ * key3.public? # => true
625
+ * key3.private? # => false
626
+ *
627
+ * === Loading an Encrypted Key
628
+ *
629
+ * OpenSSL will prompt you for your pass phrase when loading an encrypted key.
630
+ * If you will not be able to type in the pass phrase you may provide it when
631
+ * loading the key:
632
+ *
633
+ * key4_pem = File.read 'private.secure.pem'
634
+ * pass_phrase = 'my secure pass phrase goes here'
635
+ * key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
636
+ *
637
+ * == RSA Encryption
638
+ *
639
+ * RSA provides encryption and decryption using the public and private keys.
640
+ * You can use a variety of padding methods depending upon the intended use of
641
+ * encrypted data.
642
+ *
643
+ * === Encryption & Decryption
644
+ *
645
+ * Asymmetric public/private key encryption is slow and victim to attack in
646
+ * cases where it is used without padding or directly to encrypt larger chunks
647
+ * of data. Typical use cases for RSA encryption involve "wrapping" a symmetric
648
+ * key with the public key of the recipient who would "unwrap" that symmetric
649
+ * key again using their private key.
650
+ * The following illustrates a simplified example of such a key transport
651
+ * scheme. It shouldn't be used in practice, though, standardized protocols
652
+ * should always be preferred.
653
+ *
654
+ * wrapped_key = key.public_encrypt key
655
+ *
656
+ * A symmetric key encrypted with the public key can only be decrypted with
657
+ * the corresponding private key of the recipient.
658
+ *
659
+ * original_key = key.private_decrypt wrapped_key
660
+ *
661
+ * By default PKCS#1 padding will be used, but it is also possible to use
662
+ * other forms of padding, see PKey::RSA for further details.
663
+ *
664
+ * === Signatures
665
+ *
666
+ * Using "private_encrypt" to encrypt some data with the private key is
667
+ * equivalent to applying a digital signature to the data. A verifying
668
+ * party may validate the signature by comparing the result of decrypting
669
+ * the signature with "public_decrypt" to the original data. However,
670
+ * OpenSSL::PKey already has methods "sign" and "verify" that handle
671
+ * digital signatures in a standardized way - "private_encrypt" and
672
+ * "public_decrypt" shouldn't be used in practice.
673
+ *
674
+ * To sign a document, a cryptographically secure hash of the document is
675
+ * computed first, which is then signed using the private key.
676
+ *
677
+ * digest = OpenSSL::Digest::SHA256.new
678
+ * signature = key.sign digest, document
679
+ *
680
+ * To validate the signature, again a hash of the document is computed and
681
+ * the signature is decrypted using the public key. The result is then
682
+ * compared to the hash just computed, if they are equal the signature was
683
+ * valid.
684
+ *
685
+ * digest = OpenSSL::Digest::SHA256.new
686
+ * if key.verify digest, signature, document
687
+ * puts 'Valid'
688
+ * else
689
+ * puts 'Invalid'
690
+ * end
691
+ *
692
+ * == PBKDF2 Password-based Encryption
693
+ *
694
+ * If supported by the underlying OpenSSL version used, Password-based
695
+ * Encryption should use the features of PKCS5. If not supported or if
696
+ * required by legacy applications, the older, less secure methods specified
697
+ * in RFC 2898 are also supported (see below).
698
+ *
699
+ * PKCS5 supports PBKDF2 as it was specified in PKCS#5
700
+ * v2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a
701
+ * password, a salt, and additionally a number of iterations that will
702
+ * slow the key derivation process down. The slower this is, the more work
703
+ * it requires being able to brute-force the resulting key.
704
+ *
705
+ * === Encryption
706
+ *
707
+ * The strategy is to first instantiate a Cipher for encryption, and
708
+ * then to generate a random IV plus a key derived from the password
709
+ * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
710
+ * the number of iterations largely depends on the hardware being used.
711
+ *
712
+ * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
713
+ * cipher.encrypt
714
+ * iv = cipher.random_iv
715
+ *
716
+ * pwd = 'some hopefully not to easily guessable password'
717
+ * salt = OpenSSL::Random.random_bytes 16
718
+ * iter = 20000
719
+ * key_len = cipher.key_len
720
+ * digest = OpenSSL::Digest::SHA256.new
721
+ *
722
+ * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
723
+ * cipher.key = key
724
+ *
725
+ * Now encrypt the data:
726
+ *
727
+ * encrypted = cipher.update document
728
+ * encrypted << cipher.final
729
+ *
730
+ * === Decryption
731
+ *
732
+ * Use the same steps as before to derive the symmetric AES key, this time
733
+ * setting the Cipher up for decryption.
734
+ *
735
+ * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
736
+ * cipher.decrypt
737
+ * cipher.iv = iv # the one generated with #random_iv
738
+ *
739
+ * pwd = 'some hopefully not to easily guessable password'
740
+ * salt = ... # the one generated above
741
+ * iter = 20000
742
+ * key_len = cipher.key_len
743
+ * digest = OpenSSL::Digest::SHA256.new
744
+ *
745
+ * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
746
+ * cipher.key = key
747
+ *
748
+ * Now decrypt the data:
749
+ *
750
+ * decrypted = cipher.update encrypted
751
+ * decrypted << cipher.final
752
+ *
753
+ * == PKCS #5 Password-based Encryption
754
+ *
755
+ * PKCS #5 is a password-based encryption standard documented at
756
+ * RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or
757
+ * passphrase to be used to create a secure encryption key. If possible, PBKDF2
758
+ * as described above should be used if the circumstances allow it.
759
+ *
760
+ * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
761
+ * key.
762
+ *
763
+ * pass_phrase = 'my secure pass phrase goes here'
764
+ * salt = '8 octets'
765
+ *
766
+ * === Encryption
767
+ *
768
+ * First set up the cipher for encryption
769
+ *
770
+ * encryptor = OpenSSL::Cipher.new 'AES-128-CBC'
771
+ * encryptor.encrypt
772
+ * encryptor.pkcs5_keyivgen pass_phrase, salt
773
+ *
774
+ * Then pass the data you want to encrypt through
775
+ *
776
+ * encrypted = encryptor.update 'top secret document'
777
+ * encrypted << encryptor.final
778
+ *
779
+ * === Decryption
780
+ *
781
+ * Use a new Cipher instance set up for decryption
782
+ *
783
+ * decryptor = OpenSSL::Cipher.new 'AES-128-CBC'
784
+ * decryptor.decrypt
785
+ * decryptor.pkcs5_keyivgen pass_phrase, salt
786
+ *
787
+ * Then pass the data you want to decrypt through
788
+ *
789
+ * plain = decryptor.update encrypted
790
+ * plain << decryptor.final
791
+ *
792
+ * == X509 Certificates
793
+ *
794
+ * === Creating a Certificate
795
+ *
796
+ * This example creates a self-signed certificate using an RSA key and a SHA1
797
+ * signature.
798
+ *
799
+ * key = OpenSSL::PKey::RSA.new 2048
800
+ * name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
801
+ *
802
+ * cert = OpenSSL::X509::Certificate.new
803
+ * cert.version = 2
804
+ * cert.serial = 0
805
+ * cert.not_before = Time.now
806
+ * cert.not_after = Time.now + 3600
807
+ *
808
+ * cert.public_key = key.public_key
809
+ * cert.subject = name
810
+ *
811
+ * === Certificate Extensions
812
+ *
813
+ * You can add extensions to the certificate with
814
+ * OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
815
+ *
816
+ * extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
817
+ *
818
+ * cert.add_extension \
819
+ * extension_factory.create_extension('basicConstraints', 'CA:FALSE', true)
820
+ *
821
+ * cert.add_extension \
822
+ * extension_factory.create_extension(
823
+ * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
824
+ *
825
+ * cert.add_extension \
826
+ * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
827
+ *
828
+ * The list of supported extensions (and in some cases their possible values)
829
+ * can be derived from the "objects.h" file in the OpenSSL source code.
830
+ *
831
+ * === Signing a Certificate
832
+ *
833
+ * To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
834
+ * with a digest algorithm. This creates a self-signed cert because we're using
835
+ * the same name and key to sign the certificate as was used to create the
836
+ * certificate.
837
+ *
838
+ * cert.issuer = name
839
+ * cert.sign key, OpenSSL::Digest::SHA1.new
840
+ *
841
+ * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
842
+ *
843
+ * === Loading a Certificate
844
+ *
845
+ * Like a key, a cert can also be loaded from a file.
846
+ *
847
+ * cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem'
848
+ *
849
+ * === Verifying a Certificate
850
+ *
851
+ * Certificate#verify will return true when a certificate was signed with the
852
+ * given public key.
853
+ *
854
+ * raise 'certificate can not be verified' unless cert2.verify key
855
+ *
856
+ * == Certificate Authority
857
+ *
858
+ * A certificate authority (CA) is a trusted third party that allows you to
859
+ * verify the ownership of unknown certificates. The CA issues key signatures
860
+ * that indicate it trusts the user of that key. A user encountering the key
861
+ * can verify the signature by using the CA's public key.
862
+ *
863
+ * === CA Key
864
+ *
865
+ * CA keys are valuable, so we encrypt and save it to disk and make sure it is
866
+ * not readable by other users.
867
+ *
868
+ * ca_key = OpenSSL::PKey::RSA.new 2048
869
+ * pass_phrase = 'my secure pass phrase goes here'
870
+ *
871
+ * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
872
+ *
873
+ * open 'ca_key.pem', 'w', 0400 do |io|
874
+ * io.write ca_key.export(cipher, pass_phrase)
875
+ * end
876
+ *
877
+ * === CA Certificate
878
+ *
879
+ * A CA certificate is created the same way we created a certificate above, but
880
+ * with different extensions.
881
+ *
882
+ * ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
883
+ *
884
+ * ca_cert = OpenSSL::X509::Certificate.new
885
+ * ca_cert.serial = 0
886
+ * ca_cert.version = 2
887
+ * ca_cert.not_before = Time.now
888
+ * ca_cert.not_after = Time.now + 86400
889
+ *
890
+ * ca_cert.public_key = ca_key.public_key
891
+ * ca_cert.subject = ca_name
892
+ * ca_cert.issuer = ca_name
893
+ *
894
+ * extension_factory = OpenSSL::X509::ExtensionFactory.new
895
+ * extension_factory.subject_certificate = ca_cert
896
+ * extension_factory.issuer_certificate = ca_cert
897
+ *
898
+ * ca_cert.add_extension \
899
+ * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
900
+ *
901
+ * This extension indicates the CA's key may be used as a CA.
902
+ *
903
+ * ca_cert.add_extension \
904
+ * extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)
905
+ *
906
+ * This extension indicates the CA's key may be used to verify signatures on
907
+ * both certificates and certificate revocations.
908
+ *
909
+ * ca_cert.add_extension \
910
+ * extension_factory.create_extension(
911
+ * 'keyUsage', 'cRLSign,keyCertSign', true)
912
+ *
913
+ * Root CA certificates are self-signed.
914
+ *
915
+ * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
916
+ *
917
+ * The CA certificate is saved to disk so it may be distributed to all the
918
+ * users of the keys this CA will sign.
919
+ *
920
+ * open 'ca_cert.pem', 'w' do |io|
921
+ * io.write ca_cert.to_pem
922
+ * end
923
+ *
924
+ * === Certificate Signing Request
925
+ *
926
+ * The CA signs keys through a Certificate Signing Request (CSR). The CSR
927
+ * contains the information necessary to identify the key.
928
+ *
929
+ * csr = OpenSSL::X509::Request.new
930
+ * csr.version = 0
931
+ * csr.subject = name
932
+ * csr.public_key = key.public_key
933
+ * csr.sign key, OpenSSL::Digest::SHA1.new
934
+ *
935
+ * A CSR is saved to disk and sent to the CA for signing.
936
+ *
937
+ * open 'csr.pem', 'w' do |io|
938
+ * io.write csr.to_pem
939
+ * end
940
+ *
941
+ * === Creating a Certificate from a CSR
942
+ *
943
+ * Upon receiving a CSR the CA will verify it before signing it. A minimal
944
+ * verification would be to check the CSR's signature.
945
+ *
946
+ * csr = OpenSSL::X509::Request.new File.read 'csr.pem'
947
+ *
948
+ * raise 'CSR can not be verified' unless csr.verify csr.public_key
949
+ *
950
+ * After verification a certificate is created, marked for various usages,
951
+ * signed with the CA key and returned to the requester.
952
+ *
953
+ * csr_cert = OpenSSL::X509::Certificate.new
954
+ * csr_cert.serial = 0
955
+ * csr_cert.version = 2
956
+ * csr_cert.not_before = Time.now
957
+ * csr_cert.not_after = Time.now + 600
958
+ *
959
+ * csr_cert.subject = csr.subject
960
+ * csr_cert.public_key = csr.public_key
961
+ * csr_cert.issuer = ca_cert.subject
962
+ *
963
+ * extension_factory = OpenSSL::X509::ExtensionFactory.new
964
+ * extension_factory.subject_certificate = csr_cert
965
+ * extension_factory.issuer_certificate = ca_cert
966
+ *
967
+ * csr_cert.add_extension \
968
+ * extension_factory.create_extension('basicConstraints', 'CA:FALSE')
969
+ *
970
+ * csr_cert.add_extension \
971
+ * extension_factory.create_extension(
972
+ * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
973
+ *
974
+ * csr_cert.add_extension \
975
+ * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
976
+ *
977
+ * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
978
+ *
979
+ * open 'csr_cert.pem', 'w' do |io|
980
+ * io.write csr_cert.to_pem
981
+ * end
982
+ *
983
+ * == SSL and TLS Connections
984
+ *
985
+ * Using our created key and certificate we can create an SSL or TLS connection.
986
+ * An SSLContext is used to set up an SSL session.
987
+ *
988
+ * context = OpenSSL::SSL::SSLContext.new
989
+ *
990
+ * === SSL Server
991
+ *
992
+ * An SSL server requires the certificate and private key to communicate
993
+ * securely with its clients:
994
+ *
995
+ * context.cert = cert
996
+ * context.key = key
997
+ *
998
+ * Then create an SSLServer with a TCP server socket and the context. Use the
999
+ * SSLServer like an ordinary TCP server.
1000
+ *
1001
+ * require 'socket'
1002
+ *
1003
+ * tcp_server = TCPServer.new 5000
1004
+ * ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context
1005
+ *
1006
+ * loop do
1007
+ * ssl_connection = ssl_server.accept
1008
+ *
1009
+ * data = connection.gets
1010
+ *
1011
+ * response = "I got #{data.dump}"
1012
+ * puts response
1013
+ *
1014
+ * connection.puts "I got #{data.dump}"
1015
+ * connection.close
1016
+ * end
1017
+ *
1018
+ * === SSL client
1019
+ *
1020
+ * An SSL client is created with a TCP socket and the context.
1021
+ * SSLSocket#connect must be called to initiate the SSL handshake and start
1022
+ * encryption. A key and certificate are not required for the client socket.
1023
+ *
1024
+ * Note that SSLSocket#close doesn't close the underlying socket by default. Set
1025
+ * SSLSocket#sync_close to true if you want.
1026
+ *
1027
+ * require 'socket'
1028
+ *
1029
+ * tcp_socket = TCPSocket.new 'localhost', 5000
1030
+ * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
1031
+ * ssl_client.sync_close = true
1032
+ * ssl_client.connect
1033
+ *
1034
+ * ssl_client.puts "hello server!"
1035
+ * puts ssl_client.gets
1036
+ *
1037
+ * ssl_client.close # shutdown the TLS connection and close tcp_socket
1038
+ *
1039
+ * === Peer Verification
1040
+ *
1041
+ * An unverified SSL connection does not provide much security. For enhanced
1042
+ * security the client or server can verify the certificate of its peer.
1043
+ *
1044
+ * The client can be modified to verify the server's certificate against the
1045
+ * certificate authority's certificate:
1046
+ *
1047
+ * context.ca_file = 'ca_cert.pem'
1048
+ * context.verify_mode = OpenSSL::SSL::VERIFY_PEER
1049
+ *
1050
+ * require 'socket'
1051
+ *
1052
+ * tcp_socket = TCPSocket.new 'localhost', 5000
1053
+ * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
1054
+ * ssl_client.connect
1055
+ *
1056
+ * ssl_client.puts "hello server!"
1057
+ * puts ssl_client.gets
1058
+ *
1059
+ * If the server certificate is invalid or <tt>context.ca_file</tt> is not set
1060
+ * when verifying peers an OpenSSL::SSL::SSLError will be raised.
1061
+ *
1062
+ */
1063
+ void
1064
+ Init_openssl(void)
1065
+ {
1066
+ /*
1067
+ * Init timezone info
1068
+ */
1069
+ #if 0
1070
+ tzset();
1071
+ #endif
1072
+
1073
+ /*
1074
+ * Init all digests, ciphers
1075
+ */
1076
+ /* CRYPTO_malloc_init(); */
1077
+ /* ENGINE_load_builtin_engines(); */
1078
+ OpenSSL_add_ssl_algorithms();
1079
+ OpenSSL_add_all_algorithms();
1080
+ ERR_load_crypto_strings();
1081
+ SSL_load_error_strings();
1082
+
1083
+ /*
1084
+ * FIXME:
1085
+ * On unload do:
1086
+ */
1087
+ #if 0
1088
+ CONF_modules_unload(1);
1089
+ destroy_ui_method();
1090
+ EVP_cleanup();
1091
+ ENGINE_cleanup();
1092
+ CRYPTO_cleanup_all_ex_data();
1093
+ ERR_remove_state(0);
1094
+ ERR_free_strings();
1095
+ #endif
1096
+
1097
+ /*
1098
+ * Init main module
1099
+ */
1100
+ mOSSL = rb_define_module("OpenSSL");
1101
+ rb_global_variable(&mOSSL);
1102
+
1103
+ /*
1104
+ * OpenSSL ruby extension version
1105
+ */
1106
+ rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
1107
+
1108
+ /*
1109
+ * Version of OpenSSL the ruby OpenSSL extension was built with
1110
+ */
1111
+ rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
1112
+
1113
+ /*
1114
+ * Version of OpenSSL the ruby OpenSSL extension is running with
1115
+ */
1116
+ rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
1117
+
1118
+ /*
1119
+ * Version number of OpenSSL the ruby OpenSSL extension was built with
1120
+ * (base 16)
1121
+ */
1122
+ rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
1123
+
1124
+ /*
1125
+ * Boolean indicating whether OpenSSL is FIPS-enabled or not
1126
+ */
1127
+ rb_define_const(mOSSL, "OPENSSL_FIPS",
1128
+ #ifdef OPENSSL_FIPS
1129
+ Qtrue
1130
+ #else
1131
+ Qfalse
1132
+ #endif
1133
+ );
1134
+
1135
+ rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
1136
+
1137
+ /*
1138
+ * Generic error,
1139
+ * common for all classes under OpenSSL module
1140
+ */
1141
+ eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
1142
+ rb_global_variable(&eOSSLError);
1143
+
1144
+ /*
1145
+ * Init debug core
1146
+ */
1147
+ dOSSL = Qfalse;
1148
+ rb_global_variable(&dOSSL);
1149
+
1150
+ rb_define_module_function(mOSSL, "debug", ossl_debug_get, 0);
1151
+ rb_define_module_function(mOSSL, "debug=", ossl_debug_set, 1);
1152
+ rb_define_module_function(mOSSL, "errors", ossl_get_errors, 0);
1153
+
1154
+ /*
1155
+ * Verify callback Proc index for ext-data
1156
+ */
1157
+ if ((ossl_store_ctx_ex_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_store_ctx_ex_verify_cb_idx", 0, 0, 0)) < 0)
1158
+ ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index");
1159
+ if ((ossl_store_ex_verify_cb_idx = X509_STORE_get_ex_new_index(0, (void *)"ossl_store_ex_verify_cb_idx", 0, 0, 0)) < 0)
1160
+ ossl_raise(eOSSLError, "X509_STORE_get_ex_new_index");
1161
+
1162
+ /*
1163
+ * Get ID of to_der
1164
+ */
1165
+ ossl_s_to_der = rb_intern("to_der");
1166
+
1167
+ #if !defined(HAVE_OPENSSL_110_THREADING_API)
1168
+ Init_ossl_locks();
1169
+ #endif
1170
+
1171
+ /*
1172
+ * Init components
1173
+ */
1174
+ Init_ossl_bn();
1175
+ Init_ossl_cipher();
1176
+ Init_ossl_config();
1177
+ Init_ossl_digest();
1178
+ Init_ossl_hmac();
1179
+ Init_ossl_ns_spki();
1180
+ Init_ossl_pkcs12();
1181
+ Init_ossl_pkcs7();
1182
+ Init_ossl_pkcs5();
1183
+ Init_ossl_pkey();
1184
+ Init_ossl_rand();
1185
+ Init_ossl_ssl();
1186
+ Init_ossl_x509();
1187
+ Init_ossl_ocsp();
1188
+ Init_ossl_engine();
1189
+ Init_ossl_asn1();
1190
+ }
1191
+
1192
+ #if defined(OSSL_DEBUG)
1193
+ /*
1194
+ * Check if all symbols are OK with 'make LDSHARED=gcc all'
1195
+ */
1196
+ int
1197
+ main(int argc, char *argv[])
1198
+ {
1199
+ return 0;
1200
+ }
1201
+ #endif /* OSSL_DEBUG */