openssl 2.1.2 → 2.2.0
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +9 -7
- data/History.md +77 -0
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +24 -14
- data/ext/openssl/openssl_missing.h +37 -2
- data/ext/openssl/ossl.c +51 -25
- data/ext/openssl/ossl.h +8 -5
- data/ext/openssl/ossl_asn1.c +26 -1
- data/ext/openssl/ossl_bn.c +9 -3
- data/ext/openssl/ossl_cipher.c +33 -24
- data/ext/openssl/ossl_digest.c +16 -51
- data/ext/openssl/ossl_engine.c +2 -12
- data/ext/openssl/ossl_hmac.c +5 -11
- data/ext/openssl/ossl_kdf.c +3 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +6 -11
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs7.c +3 -19
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +180 -14
- data/ext/openssl/ossl_pkey.h +5 -5
- data/ext/openssl/ossl_pkey_dh.c +1 -1
- data/ext/openssl/ossl_pkey_dsa.c +2 -2
- data/ext/openssl/ossl_pkey_ec.c +29 -0
- data/ext/openssl/ossl_pkey_rsa.c +17 -9
- data/ext/openssl/ossl_rand.c +2 -40
- data/ext/openssl/ossl_ssl.c +109 -25
- data/ext/openssl/ossl_ts.c +1514 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +91 -0
- data/ext/openssl/ossl_x509cert.c +2 -2
- data/ext/openssl/ossl_x509ext.c +14 -0
- data/ext/openssl/ossl_x509name.c +8 -4
- data/ext/openssl/ossl_x509store.c +0 -2
- data/lib/openssl.rb +25 -9
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +33 -17
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/config.rb +53 -26
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +13 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +18 -1
- data/lib/openssl/ssl.rb +46 -7
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +155 -1
- metadata +8 -6
- data/ext/openssl/deprecation.rb +0 -23
- data/ext/openssl/ossl_version.h +0 -15
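--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6f52e266d6038d1d7173a58d9ad72207e7d492da086ef0ecf9484a8b1cac5156
+data.tar.gz: ca3211e0c3887311a9d0ac997c864e0cdd54fc0c7510d04c2497c9c99b97fd0c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b20ff54093b47c1d1da2f90a41ee1787bcd6a3e14c26f86f4c117d5ec6703364c73df226da5bf357ec6440770b639dd92575e468caeaf38fd8815ef52fb9864f
+data.tar.gz: 6f64e438c1cc74cea40674a4d3d5926ecc3ea4a0701dd02514f990fcbcb8c525a364789f832ac649fe65e557522a9df983e5beca5f3476b3ec29f7a82b15f071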
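--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include
-
-
-
-
-
+When reporting a bug, please make sure you include:
+* Ruby version
+* OpenSSL gem version
+* OpenSSL library version
+* A sample file that illustrates the problem or link to the repository or
+gem that is associated with the bug.
+
+There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
 [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
 
@@ -78,7 +80,7 @@ $ docker-compose run debug
 ```
 
 All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
-[
+[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
 
 **NOTE**: these commands must be run from the openssl repository root, in order
 to use the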
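--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,80 @@
+Version 2.2.0
+=============
+
+Compatibility notes
+-------------------
+
+* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
+* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
+[[GitHub #266]](https://github.com/ruby/openssl/pull/266)
+* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
+[[GitHub #322]](https://github.com/ruby/openssl/pull/322)
+
+
+Notable changes
+---------------
+
+* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
+5 to `Socket::SOMAXCONN`.
+[[GitHub #286]](https://github.com/ruby/openssl/issues/286)
+* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
+[[GitHub #284]](https://github.com/ruby/openssl/pull/284)
+* Add support for SHA3 and BLAKE digests.
+[[GitHub #282]](https://github.com/ruby/openssl/pull/282)
+* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
+returning an `OpenSSL::SSL::SSLSocket` for it.
+[[GitHub #225]](https://github.com/ruby/openssl/issues/225)
+* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
+[[GitHub #281]](https://github.com/ruby/openssl/pull/281)
+[[GitHub #363]](https://github.com/ruby/openssl/pull/363)
+* Add `OpenSSL.secure_compare` for timing safe string comparison for
+strings of possibly unequal length.
+[[GitHub #280]](https://github.com/ruby/openssl/pull/280)
+* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
+comparison for strings of equal length.
+[[GitHub #269]](https://github.com/ruby/openssl/pull/269)
+* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
+for last finished message sent and received.
+[[GitHub #250]](https://github.com/ruby/openssl/pull/250)
+* Add `OpenSSL::Timestamp` module for handing timestamp requests and
+responses.
+[[GitHub #204]](https://github.com/ruby/openssl/pull/204)
+* Add helper methods for `OpenSSL::X509::Certificate`:
+`find_extension`, `subject_key_identifier`,
+`authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
+`ocsp_uris`, and for `OpenSSL::X509::CRL`:
+`find_extension` and `subject_key_identifier`.
+[[GitHub #260]](https://github.com/ruby/openssl/pull/260)
+[[GitHub #275]](https://github.com/ruby/openssl/pull/275)
+[[GitHub #293]](https://github.com/ruby/openssl/pull/293)
+* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
+[[GitHub #261]](https://github.com/ruby/openssl/pull/261)
+* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
+`crt_params` to do proper private key serialization.
+[[GitHub #258]](https://github.com/ruby/openssl/pull/258)
+* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
+underlying socket file descriptor number.
+[[GitHub #247]](https://github.com/ruby/openssl/pull/247)
+* Support client certificates with TLS 1.3, and support post-handshake
+authentication with OpenSSL 1.1.1+.
+[[GitHub #239]](https://github.com/ruby/openssl/pull/239)
+* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
+* Add `OpenSSL::X509::Extension#value_der` for the raw value of
+the extension.
+[[GitHub #234]](https://github.com/ruby/openssl/pull/234)
+* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
+[[GitHub #212]](https://github.com/ruby/openssl/pull/212)
+* Ensure all valid IPv6 addresses are considered valid as elements
+of subjectAlternativeName in certificates.
+[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
+* Allow recipient's certificate to be omitted in PCKS7#decrypt.
+[[GitHub #183]](https://github.com/ruby/openssl/pull/183)
+* Add support for reading keys in PKCS #8 format and export via instance methods
+added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
+`public_to_der` and `public_to_pem`.
+[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
+
+
 Version 2.1.2
 =============
 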
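--- a/data/README.md
+++ b/data/README.md
@@ -1,7 +1,7 @@
 # OpenSSL for Ruby
 
-[![
-
+[![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
+
 
 OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
 OpenSSL library.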
data/ext/openssl/extconf.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# -*- coding: us-ascii -*-
|
2
|
-
# frozen_string_literal:
|
2
|
+
# frozen_string_literal: true
|
3
3
|
=begin
|
4
4
|
= Info
|
5
5
|
'OpenSSL for Ruby 2' project
|
@@ -12,16 +12,12 @@
|
|
12
12
|
=end
|
13
13
|
|
14
14
|
require "mkmf"
|
15
|
-
require File.expand_path('../deprecation', __FILE__)
|
16
15
|
|
17
16
|
dir_config("openssl")
|
18
17
|
dir_config("kerberos")
|
19
18
|
|
20
19
|
Logging::message "=== OpenSSL for Ruby configurator ===\n"
|
21
20
|
|
22
|
-
# Add -Werror=deprecated-declarations to $warnflags if available
|
23
|
-
OpenSSL.deprecated_warning_flag
|
24
|
-
|
25
21
|
##
|
26
22
|
# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
|
27
23
|
# To turn it on, use: --with-debug or --enable-debug
|
@@ -40,6 +36,12 @@ end
|
|
40
36
|
Logging::message "=== Checking for required stuff... ===\n"
|
41
37
|
result = pkg_config("openssl") && have_header("openssl/ssl.h")
|
42
38
|
|
39
|
+
if $mingw
|
40
|
+
append_cflags '-D_FORTIFY_SOURCE=2'
|
41
|
+
append_ldflags '-fstack-protector'
|
42
|
+
have_library 'ssp'
|
43
|
+
end
|
44
|
+
|
43
45
|
def find_openssl_library
|
44
46
|
if $mswin || $mingw
|
45
47
|
# required for static OpenSSL libraries
|
@@ -108,10 +110,10 @@ end
|
|
108
110
|
Logging::message "=== Checking for OpenSSL features... ===\n"
|
109
111
|
# compile options
|
110
112
|
have_func("RAND_egd")
|
111
|
-
engines = %w{
|
112
|
-
cswift nuron sureware ubsec padlock capi gmp gost cryptodev
|
113
|
+
engines = %w{dynamic 4758cca aep atalla chil
|
114
|
+
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
|
113
115
|
engines.each { |name|
|
114
|
-
|
116
|
+
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
|
115
117
|
}
|
116
118
|
|
117
119
|
if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
|
@@ -123,9 +125,9 @@ have_func("EC_curve_nist2nid")
|
|
123
125
|
have_func("X509_REVOKED_dup")
|
124
126
|
have_func("X509_STORE_CTX_get0_store")
|
125
127
|
have_func("SSL_CTX_set_alpn_select_cb")
|
126
|
-
|
127
|
-
|
128
|
-
|
128
|
+
have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
|
129
|
+
have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
|
130
|
+
have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
|
129
131
|
have_func("SSL_is_server")
|
130
132
|
|
131
133
|
# added in 1.1.0
|
@@ -141,9 +143,9 @@ have_func("EVP_MD_CTX_new")
|
|
141
143
|
have_func("EVP_MD_CTX_free")
|
142
144
|
have_func("HMAC_CTX_new")
|
143
145
|
have_func("HMAC_CTX_free")
|
144
|
-
OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
|
145
146
|
have_func("X509_STORE_get_ex_data")
|
146
147
|
have_func("X509_STORE_set_ex_data")
|
148
|
+
have_func("X509_STORE_get_ex_new_index")
|
147
149
|
have_func("X509_CRL_get0_signature")
|
148
150
|
have_func("X509_REQ_get0_signature")
|
149
151
|
have_func("X509_REVOKED_get0_serialNumber")
|
@@ -159,12 +161,20 @@ have_func("X509_CRL_up_ref")
|
|
159
161
|
have_func("X509_STORE_up_ref")
|
160
162
|
have_func("SSL_SESSION_up_ref")
|
161
163
|
have_func("EVP_PKEY_up_ref")
|
162
|
-
|
163
|
-
|
164
|
+
have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
|
165
|
+
have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
|
164
166
|
have_func("SSL_CTX_get_security_level")
|
165
167
|
have_func("X509_get0_notBefore")
|
166
168
|
have_func("SSL_SESSION_get_protocol_version")
|
169
|
+
have_func("TS_STATUS_INFO_get0_status")
|
170
|
+
have_func("TS_STATUS_INFO_get0_text")
|
171
|
+
have_func("TS_STATUS_INFO_get0_failure_info")
|
172
|
+
have_func("TS_VERIFY_CTS_set_certs")
|
173
|
+
have_func("TS_VERIFY_CTX_set_store")
|
174
|
+
have_func("TS_VERIFY_CTX_add_flags")
|
175
|
+
have_func("TS_RESP_CTX_set_time_cb")
|
167
176
|
have_func("EVP_PBE_scrypt")
|
177
|
+
have_func("SSL_CTX_set_post_handshake_auth")
|
168
178
|
|
169
179
|
Logging::message "=== Checking done. ===\n"
|
170
180
|
|
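Review bot: The new `if $mingw` block adds hardening flags with no comment and ignores the result of `have_library 'ssp'`, so configuration carries on without any message if the library is missing. `-fstack-protector` is passed through `append_ldflags` only, so as written this block does not ask the compiler to instrument the extension's own objects. If the intent is only to resolve the runtime symbols that `-D_FORTIFY_SOURCE=2` needs on mingw (my reading, not stated on the page), say so in a comment such as `# mingw: _FORTIFY_SOURCE=2 needs libssp at link time`; if stack protection of the extension is wanted, add `append_cflags '-fstack-protector'` as well.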
@@ -72,6 +72,9 @@ void ossl_HMAC_CTX_free(HMAC_CTX *);
|
|
72
72
|
#if !defined(HAVE_X509_STORE_SET_EX_DATA)
|
73
73
|
# define X509_STORE_set_ex_data(x, idx, data) \
|
74
74
|
CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
|
75
|
+
#endif
|
76
|
+
|
77
|
+
#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index)
|
75
78
|
# define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
|
76
79
|
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
|
77
80
|
(newf), (dupf), (freef))
|
@@ -144,7 +147,8 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
|
|
144
147
|
CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
145
148
|
#endif
|
146
149
|
|
147
|
-
#if !defined(HAVE_OPAQUE_OPENSSL)
|
150
|
+
#if !defined(HAVE_OPAQUE_OPENSSL) && \
|
151
|
+
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
|
148
152
|
#define IMPL_PKEY_GETTER(_type, _name) \
|
149
153
|
static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
|
150
154
|
return pkey->pkey._name; }
|
@@ -185,7 +189,7 @@ IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g
|
|
185
189
|
#if !defined(OPENSSL_NO_DH)
|
186
190
|
IMPL_PKEY_GETTER(DH, dh)
|
187
191
|
IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
|
188
|
-
IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || obj->q && q == obj->q || g == obj->g))
|
192
|
+
IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || (obj->q && q == obj->q) || g == obj->g))
|
189
193
|
static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; }
|
190
194
|
#endif
|
191
195
|
|
@@ -219,4 +223,35 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
219
223
|
# define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
|
220
224
|
#endif
|
221
225
|
|
226
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS)
|
227
|
+
# define TS_STATUS_INFO_get0_status(a) ((a)->status)
|
228
|
+
#endif
|
229
|
+
|
230
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT)
|
231
|
+
# define TS_STATUS_INFO_get0_text(a) ((a)->text)
|
232
|
+
#endif
|
233
|
+
|
234
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
|
235
|
+
# define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info)
|
236
|
+
#endif
|
237
|
+
|
238
|
+
#if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS)
|
239
|
+
# define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts))
|
240
|
+
#endif
|
241
|
+
|
242
|
+
#if !defined(HAVE_TS_VERIFY_CTX_SET_STORE)
|
243
|
+
# define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str))
|
244
|
+
#endif
|
245
|
+
|
246
|
+
#if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS)
|
247
|
+
# define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f))
|
248
|
+
#endif
|
249
|
+
|
250
|
+
#if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB)
|
251
|
+
# define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \
|
252
|
+
(ctx)->time_cb = (callback); \
|
253
|
+
(ctx)->time_cb_data = (dta); \
|
254
|
+
} while (0)
|
255
|
+
#endif
|
256
|
+
|
222
257
|
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
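Review bot: The fallback macros `TS_VERIFY_CTS_set_certs` and `TS_VERIFY_CTX_set_store` assign straight into the context, silently dropping whatever pointer was stored before, and nothing in the header says who owns the new value. A one-line comment above them, for example `/* plain assignment: no up-ref, previous value is not freed */`, would help whoever writes the callers avoid a leak or a double free. Whether the verify context later frees these fields is not visible in this hunk and should be checked against the OpenSSL versions the fallbacks target. `TS_RESP_CTX_set_time_cb` expands to a `do { ... } while (0)` statement, so unlike the other fallbacks it cannot appear inside an expression, which is worth stating in the same comment.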
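--- a/data/ext/openssl/ossl.c
+++ b/data/ext/openssl/ossl.c
@@ -338,7 +338,7 @@ ossl_clear_error(void)
 * implementation.
 */
 VALUE
-ossl_get_errors(
+ossl_get_errors(VALUE _)
 {
 VALUE ary;
 long e;
@@ -398,7 +398,7 @@ ossl_debug_set(VALUE self, VALUE val)
 }
 
 /*
-* call-seq
+* call-seq:
 * OpenSSL.fips_mode -> true | false
 */
 static VALUE
@@ -604,6 +604,35 @@ static void Init_ossl_locks(void)
 }
 #endif /* !HAVE_OPENSSL_110_THREADING_API */
 
+/*
+* call-seq:
+* OpenSSL.fixed_length_secure_compare(string, string) -> boolean
+*
+* Constant time memory comparison for fixed length strings, such as results
+* of HMAC calculations.
+*
+* Returns +true+ if the strings are identical, +false+ if they are of the same
+* length but not identical. If the length is different, +ArgumentError+ is
+* raised.
+*/
+static VALUE
+ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
+{
+const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
+const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
+long len1 = RSTRING_LEN(str1);
+long len2 = RSTRING_LEN(str2);
+
+if (len1 != len2) {
+ossl_raise(rb_eArgError, "inputs must be of equal length");
+}
+
+switch (CRYPTO_memcmp(p1, p2, len1)) {
+case 0: return Qtrue;
+default: return Qfalse;
+}
+}
+
 /*
 * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
 * OpenSSL[https://www.openssl.org/] library.
@@ -635,7 +664,7 @@ static void Init_ossl_locks(void)
 * ahold of the key may use it unless it is encrypted. In order to securely
 * export a key you may export it with a pass phrase.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * pass_phrase = 'my secure pass phrase goes here'
 *
 * key_secure = key.export cipher, pass_phrase
@@ -710,16 +739,14 @@ static void Init_ossl_locks(void)
 * To sign a document, a cryptographically secure hash of the document is
 * computed first, which is then signed using the private key.
 *
-*
-* signature = key.sign digest, document
+* signature = key.sign 'SHA256', document
 *
 * To validate the signature, again a hash of the document is computed and
 * the signature is decrypted using the public key. The result is then
 * compared to the hash just computed, if they are equal the signature was
 * valid.
 *
-*
-* if key.verify digest, signature, document
+* if key.verify 'SHA256', signature, document
 * puts 'Valid'
 * else
 * puts 'Invalid'
@@ -745,7 +772,7 @@ static void Init_ossl_locks(void)
 * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
 * the number of iterations largely depends on the hardware being used.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * cipher.encrypt
 * iv = cipher.random_iv
 *
@@ -753,7 +780,7 @@ static void Init_ossl_locks(void)
 * salt = OpenSSL::Random.random_bytes 16
 * iter = 20000
 * key_len = cipher.key_len
-* digest = OpenSSL::Digest
+* digest = OpenSSL::Digest.new('SHA256')
 *
 * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
 * cipher.key = key
@@ -768,7 +795,7 @@ static void Init_ossl_locks(void)
 * Use the same steps as before to derive the symmetric AES key, this time
 * setting the Cipher up for decryption.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * cipher.decrypt
 * cipher.iv = iv # the one generated with #random_iv
 *
@@ -776,7 +803,7 @@ static void Init_ossl_locks(void)
 * salt = ... # the one generated above
 * iter = 20000
 * key_len = cipher.key_len
-* digest = OpenSSL::Digest
+* digest = OpenSSL::Digest.new('SHA256')
 *
 * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
 * cipher.key = key
@@ -803,7 +830,7 @@ static void Init_ossl_locks(void)
 *
 * First set up the cipher for encryption
 *
-* encryptor = OpenSSL::Cipher.new 'AES-
+* encryptor = OpenSSL::Cipher.new 'AES-256-CBC'
 * encryptor.encrypt
 * encryptor.pkcs5_keyivgen pass_phrase, salt
 *
@@ -816,7 +843,7 @@ static void Init_ossl_locks(void)
 *
 * Use a new Cipher instance set up for decryption
 *
-* decryptor = OpenSSL::Cipher.new 'AES-
+* decryptor = OpenSSL::Cipher.new 'AES-256-CBC'
 * decryptor.decrypt
 * decryptor.pkcs5_keyivgen pass_phrase, salt
 *
@@ -833,7 +860,7 @@ static void Init_ossl_locks(void)
 * signature.
 *
 * key = OpenSSL::PKey::RSA.new 2048
-* name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+* name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
 *
 * cert = OpenSSL::X509::Certificate.new
 * cert.version = 2
@@ -872,7 +899,7 @@ static void Init_ossl_locks(void)
 * certificate.
 *
 * cert.issuer = name
-* cert.sign key, OpenSSL::Digest
+* cert.sign key, OpenSSL::Digest.new('SHA1')
 *
 * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
 *
@@ -904,7 +931,7 @@ static void Init_ossl_locks(void)
 * ca_key = OpenSSL::PKey::RSA.new 2048
 * pass_phrase = 'my secure pass phrase goes here'
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 *
 * open 'ca_key.pem', 'w', 0400 do |io|
 * io.write ca_key.export(cipher, pass_phrase)
@@ -915,7 +942,7 @@ static void Init_ossl_locks(void)
 * A CA certificate is created the same way we created a certificate above, but
 * with different extensions.
 *
-* ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+* ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example'
 *
 * ca_cert = OpenSSL::X509::Certificate.new
 * ca_cert.serial = 0
@@ -948,7 +975,7 @@ static void Init_ossl_locks(void)
 *
 * Root CA certificates are self-signed.
 *
-* ca_cert.sign ca_key, OpenSSL::Digest
+* ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
 *
 * The CA certificate is saved to disk so it may be distributed to all the
 * users of the keys this CA will sign.
@@ -966,7 +993,7 @@ static void Init_ossl_locks(void)
 * csr.version = 0
 * csr.subject = name
 * csr.public_key = key.public_key
-* csr.sign key, OpenSSL::Digest
+* csr.sign key, OpenSSL::Digest.new('SHA1')
 *
 * A CSR is saved to disk and sent to the CA for signing.
 *
@@ -1010,7 +1037,7 @@ static void Init_ossl_locks(void)
 * csr_cert.add_extension \
 * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
 *
-* csr_cert.sign ca_key, OpenSSL::Digest
+* csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
 *
 * open 'csr_cert.pem', 'w' do |io|
 * io.write csr_cert.to_pem
@@ -1125,11 +1152,7 @@ Init_openssl(void)
 */
 mOSSL = rb_define_module("OpenSSL");
 rb_global_variable(&mOSSL);
-
-/*
-* OpenSSL ruby extension version
-*/
-rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
+rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
 
 /*
 * Version of OpenSSL the ruby OpenSSL extension was built with
@@ -1205,6 +1228,9 @@ Init_openssl(void)
 Init_ossl_pkey();
 Init_ossl_rand();
 Init_ossl_ssl();
+#ifndef OPENSSL_NO_TS
+Init_ossl_ts();
+#endif
 Init_ossl_x509();
 Init_ossl_ocsp();
 Init_ossl_engine();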
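Review bot: In `ossl_crypto_fixed_length_secure_compare`, `p1` is captured by `StringValuePtr(str1)` before `StringValuePtr(str2)` runs, and that second call can invoke `to_str` on a non-String argument; if that method resizes `str1`, `p1` is stale by the time `CRYPTO_memcmp` reads through it. Convert both arguments first with `StringValue(str1); StringValue(str2);` and only then read `RSTRING_PTR` and `RSTRING_LEN`. The doc comment could also state that raising `ArgumentError` on unequal lengths reveals whether the lengths match, so the function is meant for fixed-size values such as MACs. Separately, the refreshed examples in the module comment still sign the certificates and the CSR with `OpenSSL::Digest.new('SHA1')`; showing `'SHA256'`, as the `key.sign` example now does, would be the better default to document.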