openssl 2.1.0 → 3.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (64) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +35 -45
  3. data/History.md +426 -0
  4. data/README.md +38 -21
  5. data/ext/openssl/extconf.rb +132 -72
  6. data/ext/openssl/openssl_missing.c +0 -66
  7. data/ext/openssl/openssl_missing.h +62 -46
  8. data/ext/openssl/ossl.c +177 -252
  9. data/ext/openssl/ossl.h +39 -17
  10. data/ext/openssl/ossl_asn1.c +53 -14
  11. data/ext/openssl/ossl_bn.c +288 -146
  12. data/ext/openssl/ossl_bn.h +2 -1
  13. data/ext/openssl/ossl_cipher.c +42 -32
  14. data/ext/openssl/ossl_config.c +412 -41
  15. data/ext/openssl/ossl_config.h +4 -7
  16. data/ext/openssl/ossl_digest.c +32 -63
  17. data/ext/openssl/ossl_engine.c +19 -28
  18. data/ext/openssl/ossl_hmac.c +61 -146
  19. data/ext/openssl/ossl_kdf.c +15 -23
  20. data/ext/openssl/ossl_ns_spki.c +2 -2
  21. data/ext/openssl/ossl_ocsp.c +17 -70
  22. data/ext/openssl/ossl_ocsp.h +3 -3
  23. data/ext/openssl/ossl_pkcs12.c +23 -4
  24. data/ext/openssl/ossl_pkcs7.c +49 -81
  25. data/ext/openssl/ossl_pkcs7.h +16 -0
  26. data/ext/openssl/ossl_pkey.c +1508 -195
  27. data/ext/openssl/ossl_pkey.h +41 -78
  28. data/ext/openssl/ossl_pkey_dh.c +153 -348
  29. data/ext/openssl/ossl_pkey_dsa.c +157 -413
  30. data/ext/openssl/ossl_pkey_ec.c +257 -343
  31. data/ext/openssl/ossl_pkey_rsa.c +166 -490
  32. data/ext/openssl/ossl_provider.c +211 -0
  33. data/ext/openssl/ossl_provider.h +5 -0
  34. data/ext/openssl/ossl_rand.c +2 -40
  35. data/ext/openssl/ossl_ssl.c +666 -456
  36. data/ext/openssl/ossl_ssl_session.c +29 -30
  37. data/ext/openssl/ossl_ts.c +1539 -0
  38. data/ext/openssl/ossl_ts.h +16 -0
  39. data/ext/openssl/ossl_x509.c +86 -1
  40. data/ext/openssl/ossl_x509attr.c +1 -1
  41. data/ext/openssl/ossl_x509cert.c +170 -14
  42. data/ext/openssl/ossl_x509crl.c +14 -11
  43. data/ext/openssl/ossl_x509ext.c +29 -9
  44. data/ext/openssl/ossl_x509name.c +24 -12
  45. data/ext/openssl/ossl_x509req.c +14 -11
  46. data/ext/openssl/ossl_x509revoked.c +4 -4
  47. data/ext/openssl/ossl_x509store.c +205 -96
  48. data/lib/openssl/bn.rb +1 -1
  49. data/lib/openssl/buffering.rb +42 -20
  50. data/lib/openssl/cipher.rb +1 -1
  51. data/lib/openssl/digest.rb +10 -16
  52. data/lib/openssl/hmac.rb +78 -0
  53. data/lib/openssl/marshal.rb +30 -0
  54. data/lib/openssl/pkcs5.rb +1 -1
  55. data/lib/openssl/pkey.rb +447 -1
  56. data/lib/openssl/ssl.rb +68 -24
  57. data/lib/openssl/version.rb +5 -0
  58. data/lib/openssl/x509.rb +177 -1
  59. data/lib/openssl.rb +24 -9
  60. metadata +18 -71
  61. data/ext/openssl/deprecation.rb +0 -23
  62. data/ext/openssl/ossl_version.h +0 -15
  63. data/ext/openssl/ruby_missing.h +0 -24
  64. data/lib/openssl/config.rb +0 -474
data/lib/openssl/x509.rb CHANGED
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # = Ruby-space definitions that completes C-space funcs for X509 and subclasses
4
4
  #
@@ -12,6 +12,8 @@
12
12
  # (See the file 'LICENCE'.)
13
13
  #++
14
14
 
15
+ require_relative 'marshal'
16
+
15
17
  module OpenSSL
16
18
  module X509
17
19
  class ExtensionFactory
@@ -41,6 +43,8 @@ module OpenSSL
41
43
  end
42
44
 
43
45
  class Extension
46
+ include OpenSSL::Marshal
47
+
44
48
  def ==(other)
45
49
  return false unless Extension === other
46
50
  to_der == other.to_der
@@ -60,9 +64,146 @@ module OpenSSL
60
64
  def to_a
61
65
  [ self.oid, self.value, self.critical? ]
62
66
  end
67
+
68
+ module Helpers
69
+ def find_extension(oid)
70
+ extensions.find { |e| e.oid == oid }
71
+ end
72
+ end
73
+
74
+ module SubjectKeyIdentifier
75
+ include Helpers
76
+
77
+ # Get the subject's key identifier from the subjectKeyIdentifier
78
+ # exteension, as described in RFC5280 Section 4.2.1.2.
79
+ #
80
+ # Returns the binary String key identifier or nil or raises
81
+ # ASN1::ASN1Error.
82
+ def subject_key_identifier
83
+ ext = find_extension("subjectKeyIdentifier")
84
+ return nil if ext.nil?
85
+
86
+ ski_asn1 = ASN1.decode(ext.value_der)
87
+ if ext.critical? || ski_asn1.tag_class != :UNIVERSAL || ski_asn1.tag != ASN1::OCTET_STRING
88
+ raise ASN1::ASN1Error, "invalid extension"
89
+ end
90
+
91
+ ski_asn1.value
92
+ end
93
+ end
94
+
95
+ module AuthorityKeyIdentifier
96
+ include Helpers
97
+
98
+ # Get the issuing certificate's key identifier from the
99
+ # authorityKeyIdentifier extension, as described in RFC5280
100
+ # Section 4.2.1.1
101
+ #
102
+ # Returns the binary String keyIdentifier or nil or raises
103
+ # ASN1::ASN1Error.
104
+ def authority_key_identifier
105
+ ext = find_extension("authorityKeyIdentifier")
106
+ return nil if ext.nil?
107
+
108
+ aki_asn1 = ASN1.decode(ext.value_der)
109
+ if ext.critical? || aki_asn1.tag_class != :UNIVERSAL || aki_asn1.tag != ASN1::SEQUENCE
110
+ raise ASN1::ASN1Error, "invalid extension"
111
+ end
112
+
113
+ key_id = aki_asn1.value.find do |v|
114
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
115
+ end
116
+
117
+ key_id.nil? ? nil : key_id.value
118
+ end
119
+ end
120
+
121
+ module CRLDistributionPoints
122
+ include Helpers
123
+
124
+ # Get the distributionPoint fullName URI from the certificate's CRL
125
+ # distribution points extension, as described in RFC5280 Section
126
+ # 4.2.1.13
127
+ #
128
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
129
+ def crl_uris
130
+ ext = find_extension("crlDistributionPoints")
131
+ return nil if ext.nil?
132
+
133
+ cdp_asn1 = ASN1.decode(ext.value_der)
134
+ if cdp_asn1.tag_class != :UNIVERSAL || cdp_asn1.tag != ASN1::SEQUENCE
135
+ raise ASN1::ASN1Error, "invalid extension"
136
+ end
137
+
138
+ crl_uris = cdp_asn1.map do |crl_distribution_point|
139
+ distribution_point = crl_distribution_point.value.find do |v|
140
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
141
+ end
142
+ full_name = distribution_point&.value&.find do |v|
143
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
144
+ end
145
+ full_name&.value&.find do |v|
146
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
147
+ end
148
+ end
149
+
150
+ crl_uris&.map(&:value)
151
+ end
152
+ end
153
+
154
+ module AuthorityInfoAccess
155
+ include Helpers
156
+
157
+ # Get the information and services for the issuer from the certificate's
158
+ # authority information access extension exteension, as described in RFC5280
159
+ # Section 4.2.2.1.
160
+ #
161
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
162
+ def ca_issuer_uris
163
+ aia_asn1 = parse_aia_asn1
164
+ return nil if aia_asn1.nil?
165
+
166
+ ca_issuer = aia_asn1.value.select do |authority_info_access|
167
+ authority_info_access.value.first.value == "caIssuers"
168
+ end
169
+
170
+ ca_issuer&.map(&:value)&.map(&:last)&.map(&:value)
171
+ end
172
+
173
+ # Get the URIs for OCSP from the certificate's authority information access
174
+ # extension exteension, as described in RFC5280 Section 4.2.2.1.
175
+ #
176
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
177
+ def ocsp_uris
178
+ aia_asn1 = parse_aia_asn1
179
+ return nil if aia_asn1.nil?
180
+
181
+ ocsp = aia_asn1.value.select do |authority_info_access|
182
+ authority_info_access.value.first.value == "OCSP"
183
+ end
184
+
185
+ ocsp&.map(&:value)&.map(&:last)&.map(&:value)
186
+ end
187
+
188
+ private
189
+
190
+ def parse_aia_asn1
191
+ ext = find_extension("authorityInfoAccess")
192
+ return nil if ext.nil?
193
+
194
+ aia_asn1 = ASN1.decode(ext.value_der)
195
+ if ext.critical? || aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
196
+ raise ASN1::ASN1Error, "invalid extension"
197
+ end
198
+
199
+ aia_asn1
200
+ end
201
+ end
63
202
  end
64
203
 
65
204
  class Name
205
+ include OpenSSL::Marshal
206
+
66
207
  module RFC2253DN
67
208
  Special = ',=+<>#;'
68
209
  HexChar = /[0-9a-fA-F]/
@@ -138,11 +279,29 @@ module OpenSSL
138
279
  end
139
280
 
140
281
  class << self
282
+ # Parses the UTF-8 string representation of a distinguished name,
283
+ # according to RFC 2253.
284
+ #
285
+ # See also #to_utf8 for the opposite operation.
141
286
  def parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
142
287
  ary = OpenSSL::X509::Name::RFC2253DN.scan(str)
143
288
  self.new(ary, template)
144
289
  end
145
290
 
291
+ # Parses the string representation of a distinguished name. Two
292
+ # different forms are supported:
293
+ #
294
+ # - \OpenSSL format (<tt>X509_NAME_oneline()</tt>) used by
295
+ # <tt>#to_s</tt>. For example: <tt>/DC=com/DC=example/CN=nobody</tt>
296
+ # - \OpenSSL format (<tt>X509_NAME_print()</tt>)
297
+ # used by <tt>#to_s(OpenSSL::X509::Name::COMPAT)</tt>. For example:
298
+ # <tt>DC=com, DC=example, CN=nobody</tt>
299
+ #
300
+ # Neither of them is standardized and has quirks and inconsistencies
301
+ # in handling of escaped characters or multi-valued RDNs.
302
+ #
303
+ # Use of this method is discouraged in new applications. See
304
+ # Name.parse_rfc2253 and #to_utf8 for the alternative.
146
305
  def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
147
306
  if str.start_with?("/")
148
307
  # /A=B/C=D format
@@ -166,6 +325,8 @@ module OpenSSL
166
325
  end
167
326
 
168
327
  class Attribute
328
+ include OpenSSL::Marshal
329
+
169
330
  def ==(other)
170
331
  return false unless Attribute === other
171
332
  to_der == other.to_der
@@ -179,6 +340,12 @@ module OpenSSL
179
340
  end
180
341
 
181
342
  class Certificate
343
+ include OpenSSL::Marshal
344
+ include Extension::SubjectKeyIdentifier
345
+ include Extension::AuthorityKeyIdentifier
346
+ include Extension::CRLDistributionPoints
347
+ include Extension::AuthorityInfoAccess
348
+
182
349
  def pretty_print(q)
183
350
  q.object_group(self) {
184
351
  q.breakable
@@ -189,9 +356,16 @@ module OpenSSL
189
356
  q.text 'not_after='; q.pp self.not_after
190
357
  }
191
358
  end
359
+
360
+ def self.load_file(path)
361
+ load(File.binread(path))
362
+ end
192
363
  end
193
364
 
194
365
  class CRL
366
+ include OpenSSL::Marshal
367
+ include Extension::AuthorityKeyIdentifier
368
+
195
369
  def ==(other)
196
370
  return false unless CRL === other
197
371
  to_der == other.to_der
@@ -206,6 +380,8 @@ module OpenSSL
206
380
  end
207
381
 
208
382
  class Request
383
+ include OpenSSL::Marshal
384
+
209
385
  def ==(other)
210
386
  return false unless Request === other
211
387
  to_der == other.to_der
data/lib/openssl.rb CHANGED
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  =begin
3
3
  = Info
4
4
  'OpenSSL for Ruby 2' project
@@ -12,11 +12,26 @@
12
12
 
13
13
  require 'openssl.so'
14
14
 
15
- require 'openssl/bn'
16
- require 'openssl/pkey'
17
- require 'openssl/cipher'
18
- require 'openssl/config'
19
- require 'openssl/digest'
20
- require 'openssl/x509'
21
- require 'openssl/ssl'
22
- require 'openssl/pkcs5'
15
+ require_relative 'openssl/bn'
16
+ require_relative 'openssl/pkey'
17
+ require_relative 'openssl/cipher'
18
+ require_relative 'openssl/digest'
19
+ require_relative 'openssl/hmac'
20
+ require_relative 'openssl/x509'
21
+ require_relative 'openssl/ssl'
22
+ require_relative 'openssl/pkcs5'
23
+ require_relative 'openssl/version'
24
+
25
+ module OpenSSL
26
+ # call-seq:
27
+ # OpenSSL.secure_compare(string, string) -> boolean
28
+ #
29
+ # Constant time memory comparison. Inputs are hashed using SHA-256 to mask
30
+ # the length of the secret. Returns +true+ if the strings are identical,
31
+ # +false+ otherwise.
32
+ def self.secure_compare(a, b)
33
+ hashed_a = OpenSSL::Digest.digest('SHA256', a)
34
+ hashed_b = OpenSSL::Digest.digest('SHA256', b)
35
+ OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b
36
+ end
37
+ end
metadata CHANGED
@@ -1,75 +1,20 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 3.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Martin Bosslet
8
8
  - SHIBATA Hiroshi
9
9
  - Zachary Scott
10
10
  - Kazuki Yamaguchi
11
- autorequire:
11
+ autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2017-12-14 00:00:00.000000000 Z
15
- dependencies:
16
- - !ruby/object:Gem::Dependency
17
- name: rake
18
- requirement: !ruby/object:Gem::Requirement
19
- requirements:
20
- - - ">="
21
- - !ruby/object:Gem::Version
22
- version: '0'
23
- type: :development
24
- prerelease: false
25
- version_requirements: !ruby/object:Gem::Requirement
26
- requirements:
27
- - - ">="
28
- - !ruby/object:Gem::Version
29
- version: '0'
30
- - !ruby/object:Gem::Dependency
31
- name: rake-compiler
32
- requirement: !ruby/object:Gem::Requirement
33
- requirements:
34
- - - ">="
35
- - !ruby/object:Gem::Version
36
- version: '0'
37
- type: :development
38
- prerelease: false
39
- version_requirements: !ruby/object:Gem::Requirement
40
- requirements:
41
- - - ">="
42
- - !ruby/object:Gem::Version
43
- version: '0'
44
- - !ruby/object:Gem::Dependency
45
- name: test-unit
46
- requirement: !ruby/object:Gem::Requirement
47
- requirements:
48
- - - "~>"
49
- - !ruby/object:Gem::Version
50
- version: '3.0'
51
- type: :development
52
- prerelease: false
53
- version_requirements: !ruby/object:Gem::Requirement
54
- requirements:
55
- - - "~>"
56
- - !ruby/object:Gem::Version
57
- version: '3.0'
58
- - !ruby/object:Gem::Dependency
59
- name: rdoc
60
- requirement: !ruby/object:Gem::Requirement
61
- requirements:
62
- - - ">="
63
- - !ruby/object:Gem::Version
64
- version: '0'
65
- type: :development
66
- prerelease: false
67
- version_requirements: !ruby/object:Gem::Requirement
68
- requirements:
69
- - - ">="
70
- - !ruby/object:Gem::Version
71
- version: '0'
72
- description: It wraps the OpenSSL library.
14
+ date: 2023-09-21 00:00:00.000000000 Z
15
+ dependencies: []
16
+ description: OpenSSL for Ruby provides access to SSL/TLS and general-purpose cryptography
17
+ based on the OpenSSL library.
73
18
  email:
74
19
  - ruby-core@ruby-lang.org
75
20
  executables: []
@@ -85,7 +30,6 @@ files:
85
30
  - History.md
86
31
  - LICENSE.txt
87
32
  - README.md
88
- - ext/openssl/deprecation.rb
89
33
  - ext/openssl/extconf.rb
90
34
  - ext/openssl/openssl_missing.c
91
35
  - ext/openssl/openssl_missing.h
@@ -123,12 +67,15 @@ files:
123
67
  - ext/openssl/ossl_pkey_dsa.c
124
68
  - ext/openssl/ossl_pkey_ec.c
125
69
  - ext/openssl/ossl_pkey_rsa.c
70
+ - ext/openssl/ossl_provider.c
71
+ - ext/openssl/ossl_provider.h
126
72
  - ext/openssl/ossl_rand.c
127
73
  - ext/openssl/ossl_rand.h
128
74
  - ext/openssl/ossl_ssl.c
129
75
  - ext/openssl/ossl_ssl.h
130
76
  - ext/openssl/ossl_ssl_session.c
131
- - ext/openssl/ossl_version.h
77
+ - ext/openssl/ossl_ts.c
78
+ - ext/openssl/ossl_ts.h
132
79
  - ext/openssl/ossl_x509.c
133
80
  - ext/openssl/ossl_x509.h
134
81
  - ext/openssl/ossl_x509attr.c
@@ -139,23 +86,24 @@ files:
139
86
  - ext/openssl/ossl_x509req.c
140
87
  - ext/openssl/ossl_x509revoked.c
141
88
  - ext/openssl/ossl_x509store.c
142
- - ext/openssl/ruby_missing.h
143
89
  - lib/openssl.rb
144
90
  - lib/openssl/bn.rb
145
91
  - lib/openssl/buffering.rb
146
92
  - lib/openssl/cipher.rb
147
- - lib/openssl/config.rb
148
93
  - lib/openssl/digest.rb
94
+ - lib/openssl/hmac.rb
95
+ - lib/openssl/marshal.rb
149
96
  - lib/openssl/pkcs5.rb
150
97
  - lib/openssl/pkey.rb
151
98
  - lib/openssl/ssl.rb
99
+ - lib/openssl/version.rb
152
100
  - lib/openssl/x509.rb
153
101
  homepage: https://github.com/ruby/openssl
154
102
  licenses:
155
103
  - Ruby
156
104
  metadata:
157
105
  msys2_mingw_dependencies: openssl
158
- post_install_message:
106
+ post_install_message:
159
107
  rdoc_options:
160
108
  - "--main"
161
109
  - README.md
@@ -165,16 +113,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
165
113
  requirements:
166
114
  - - ">="
167
115
  - !ruby/object:Gem::Version
168
- version: 2.3.0
116
+ version: 2.7.0
169
117
  required_rubygems_version: !ruby/object:Gem::Requirement
170
118
  requirements:
171
119
  - - ">="
172
120
  - !ruby/object:Gem::Version
173
121
  version: '0'
174
122
  requirements: []
175
- rubyforge_project:
176
- rubygems_version: 2.7.3
177
- signing_key:
123
+ rubygems_version: 3.4.10
124
+ signing_key:
178
125
  specification_version: 4
179
- summary: OpenSSL provides SSL, TLS and general purpose cryptography.
126
+ summary: SSL/TLS and general-purpose cryptography for Ruby
180
127
  test_files: []
@@ -1,23 +0,0 @@
1
- # frozen_string_literal: false
2
- module OpenSSL
3
- def self.deprecated_warning_flag
4
- unless flag = (@deprecated_warning_flag ||= nil)
5
- if try_compile("", flag = "-Werror=deprecated-declarations")
6
- $warnflags << " #{flag}"
7
- else
8
- flag = ""
9
- end
10
- @deprecated_warning_flag = flag
11
- end
12
- flag
13
- end
14
-
15
- def self.check_func(func, header)
16
- have_func(func, header, deprecated_warning_flag)
17
- end
18
-
19
- def self.check_func_or_macro(func, header)
20
- check_func(func, header) or
21
- have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
22
- end
23
- end
@@ -1,15 +0,0 @@
1
- /*
2
- * 'OpenSSL for Ruby' project
3
- * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
4
- * All rights reserved.
5
- */
6
- /*
7
- * This program is licensed under the same licence as Ruby.
8
- * (See the file 'LICENCE'.)
9
- */
10
- #if !defined(_OSSL_VERSION_H_)
11
- #define _OSSL_VERSION_H_
12
-
13
- #define OSSL_VERSION "2.1.0"
14
-
15
- #endif /* _OSSL_VERSION_H_ */
@@ -1,24 +0,0 @@
1
- /*
2
- * 'OpenSSL for Ruby' project
3
- * Copyright (C) 2001-2003 Michal Rokos <m.rokos@sh.cvut.cz>
4
- * All rights reserved.
5
- */
6
- /*
7
- * This program is licensed under the same licence as Ruby.
8
- * (See the file 'LICENCE'.)
9
- */
10
- #if !defined(_OSSL_RUBY_MISSING_H_)
11
- #define _OSSL_RUBY_MISSING_H_
12
-
13
- /* Ruby 2.4 */
14
- #ifndef RB_INTEGER_TYPE_P
15
- # define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
16
- #endif
17
-
18
- /* Ruby 2.5 */
19
- #ifndef ST2FIX
20
- # define RB_ST2FIX(h) LONG2FIX((long)(h))
21
- # define ST2FIX(h) RB_ST2FIX(h)
22
- #endif
23
-
24
- #endif /* _OSSL_RUBY_MISSING_H_ */