openssl 2.1.2 → 2.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (51) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +9 -7
  3. data/History.md +77 -0
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +24 -14
  6. data/ext/openssl/openssl_missing.h +37 -2
  7. data/ext/openssl/ossl.c +51 -25
  8. data/ext/openssl/ossl.h +8 -5
  9. data/ext/openssl/ossl_asn1.c +26 -1
  10. data/ext/openssl/ossl_bn.c +9 -3
  11. data/ext/openssl/ossl_cipher.c +33 -24
  12. data/ext/openssl/ossl_digest.c +16 -51
  13. data/ext/openssl/ossl_engine.c +2 -12
  14. data/ext/openssl/ossl_hmac.c +5 -11
  15. data/ext/openssl/ossl_kdf.c +3 -19
  16. data/ext/openssl/ossl_ns_spki.c +1 -1
  17. data/ext/openssl/ossl_ocsp.c +6 -11
  18. data/ext/openssl/ossl_ocsp.h +3 -3
  19. data/ext/openssl/ossl_pkcs7.c +3 -19
  20. data/ext/openssl/ossl_pkcs7.h +16 -0
  21. data/ext/openssl/ossl_pkey.c +180 -14
  22. data/ext/openssl/ossl_pkey.h +5 -5
  23. data/ext/openssl/ossl_pkey_dh.c +1 -1
  24. data/ext/openssl/ossl_pkey_dsa.c +2 -2
  25. data/ext/openssl/ossl_pkey_ec.c +29 -0
  26. data/ext/openssl/ossl_pkey_rsa.c +17 -9
  27. data/ext/openssl/ossl_rand.c +2 -40
  28. data/ext/openssl/ossl_ssl.c +109 -25
  29. data/ext/openssl/ossl_ts.c +1514 -0
  30. data/ext/openssl/ossl_ts.h +16 -0
  31. data/ext/openssl/ossl_x509.c +91 -0
  32. data/ext/openssl/ossl_x509cert.c +2 -2
  33. data/ext/openssl/ossl_x509ext.c +14 -0
  34. data/ext/openssl/ossl_x509name.c +8 -4
  35. data/ext/openssl/ossl_x509store.c +0 -2
  36. data/lib/openssl.rb +25 -9
  37. data/lib/openssl/bn.rb +1 -1
  38. data/lib/openssl/buffering.rb +33 -17
  39. data/lib/openssl/cipher.rb +1 -1
  40. data/lib/openssl/config.rb +53 -26
  41. data/lib/openssl/digest.rb +10 -12
  42. data/lib/openssl/hmac.rb +13 -0
  43. data/lib/openssl/marshal.rb +30 -0
  44. data/lib/openssl/pkcs5.rb +1 -1
  45. data/lib/openssl/pkey.rb +18 -1
  46. data/lib/openssl/ssl.rb +46 -7
  47. data/lib/openssl/version.rb +5 -0
  48. data/lib/openssl/x509.rb +155 -1
  49. metadata +8 -6
  50. data/ext/openssl/deprecation.rb +0 -23
  51. data/ext/openssl/ossl_version.h +0 -15
@@ -13,8 +13,8 @@
13
13
  #include RUBY_EXTCONF_H
14
14
 
15
15
  #include <assert.h>
16
- #include <errno.h>
17
16
  #include <ruby.h>
17
+ #include <errno.h>
18
18
  #include <ruby/io.h>
19
19
  #include <ruby/thread.h>
20
20
  #include <openssl/opensslv.h>
@@ -27,7 +27,9 @@
27
27
  #include <openssl/hmac.h>
28
28
  #include <openssl/rand.h>
29
29
  #include <openssl/conf.h>
30
- #include <openssl/conf_api.h>
30
+ #ifndef OPENSSL_NO_TS
31
+ #include <openssl/ts.h>
32
+ #endif
31
33
  #include <openssl/crypto.h>
32
34
  #if !defined(OPENSSL_NO_ENGINE)
33
35
  # include <openssl/engine.h>
@@ -86,9 +88,8 @@ VALUE ossl_buf2str(char *buf, int len);
86
88
  VALUE ossl_str_new(const char *, long, int *);
87
89
  #define ossl_str_adjust(str, p) \
88
90
  do{\
89
- long len = RSTRING_LEN(str);\
90
91
  long newlen = (long)((p) - (unsigned char*)RSTRING_PTR(str));\
91
- assert(newlen <= len);\
92
+ assert(newlen <= RSTRING_LEN(str));\
92
93
  rb_str_set_len((str), newlen);\
93
94
  }while(0)
94
95
  /*
@@ -168,7 +169,9 @@ void ossl_debug(const char *, ...);
168
169
  #include "ossl_pkey.h"
169
170
  #include "ossl_rand.h"
170
171
  #include "ossl_ssl.h"
171
- #include "ossl_version.h"
172
+ #ifndef OPENSSL_NO_TS
173
+ #include "ossl_ts.h"
174
+ #endif
172
175
  #include "ossl_x509.h"
173
176
  #include "ossl_engine.h"
174
177
  #include "ossl_kdf.h"
@@ -1285,6 +1285,30 @@ ossl_asn1obj_get_ln(VALUE self)
1285
1285
  return ret;
1286
1286
  }
1287
1287
 
1288
+ /*
1289
+ * call-seq:
1290
+ * oid == other_oid => true or false
1291
+ *
1292
+ * Returns +true+ if _other_oid_ is the same as _oid_
1293
+ */
1294
+ static VALUE
1295
+ ossl_asn1obj_eq(VALUE self, VALUE other)
1296
+ {
1297
+ VALUE valSelf, valOther;
1298
+ int nidSelf, nidOther;
1299
+
1300
+ valSelf = ossl_asn1_get_value(self);
1301
+ valOther = ossl_asn1_get_value(other);
1302
+
1303
+ if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
1304
+ ossl_raise(eASN1Error, "OBJ_txt2nid");
1305
+
1306
+ if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
1307
+ ossl_raise(eASN1Error, "OBJ_txt2nid");
1308
+
1309
+ return nidSelf == nidOther ? Qtrue : Qfalse;
1310
+ }
1311
+
1288
1312
  static VALUE
1289
1313
  asn1obj_get_oid_i(VALUE vobj)
1290
1314
  {
@@ -1818,12 +1842,14 @@ do{\
1818
1842
  rb_define_method(cASN1ObjectId, "oid", ossl_asn1obj_get_oid, 0);
1819
1843
  rb_define_alias(cASN1ObjectId, "short_name", "sn");
1820
1844
  rb_define_alias(cASN1ObjectId, "long_name", "ln");
1845
+ rb_define_method(cASN1ObjectId, "==", ossl_asn1obj_eq, 1);
1821
1846
  rb_attr(cASN1BitString, rb_intern("unused_bits"), 1, 1, 0);
1822
1847
 
1823
1848
  rb_define_method(cASN1EndOfContent, "initialize", ossl_asn1eoc_initialize, 0);
1824
1849
  rb_define_method(cASN1EndOfContent, "to_der", ossl_asn1eoc_to_der, 0);
1825
1850
 
1826
1851
  class_tag_map = rb_hash_new();
1852
+ rb_gc_register_mark_object(class_tag_map);
1827
1853
  rb_hash_aset(class_tag_map, cASN1EndOfContent, INT2NUM(V_ASN1_EOC));
1828
1854
  rb_hash_aset(class_tag_map, cASN1Boolean, INT2NUM(V_ASN1_BOOLEAN));
1829
1855
  rb_hash_aset(class_tag_map, cASN1Integer, INT2NUM(V_ASN1_INTEGER));
@@ -1847,7 +1873,6 @@ do{\
1847
1873
  rb_hash_aset(class_tag_map, cASN1GeneralString, INT2NUM(V_ASN1_GENERALSTRING));
1848
1874
  rb_hash_aset(class_tag_map, cASN1UniversalString, INT2NUM(V_ASN1_UNIVERSALSTRING));
1849
1875
  rb_hash_aset(class_tag_map, cASN1BMPString, INT2NUM(V_ASN1_BMPSTRING));
1850
- rb_global_variable(&class_tag_map);
1851
1876
 
1852
1877
  id_each = rb_intern_const("each");
1853
1878
  }
@@ -173,7 +173,6 @@ ossl_bn_alloc(VALUE klass)
173
173
 
174
174
  /*
175
175
  * call-seq:
176
- * OpenSSL::BN.new => aBN
177
176
  * OpenSSL::BN.new(bn) => aBN
178
177
  * OpenSSL::BN.new(integer) => aBN
179
178
  * OpenSSL::BN.new(string) => aBN
@@ -187,11 +186,16 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
187
186
  BIGNUM *bn;
188
187
  VALUE str, bs;
189
188
  int base = 10;
189
+ char *ptr;
190
190
 
191
191
  if (rb_scan_args(argc, argv, "11", &str, &bs) == 2) {
192
192
  base = NUM2INT(bs);
193
193
  }
194
194
 
195
+ if (NIL_P(str)) {
196
+ ossl_raise(rb_eArgError, "invalid argument");
197
+ }
198
+
195
199
  if (RB_INTEGER_TYPE_P(str)) {
196
200
  GetBN(self, bn);
197
201
  integer_to_bnptr(str, bn);
@@ -213,12 +217,14 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
213
217
  GetBN(self, bn);
214
218
  switch (base) {
215
219
  case 0:
216
- if (!BN_mpi2bn((unsigned char *)StringValuePtr(str), RSTRING_LENINT(str), bn)) {
220
+ ptr = StringValuePtr(str);
221
+ if (!BN_mpi2bn((unsigned char *)ptr, RSTRING_LENINT(str), bn)) {
217
222
  ossl_raise(eBNError, NULL);
218
223
  }
219
224
  break;
220
225
  case 2:
221
- if (!BN_bin2bn((unsigned char *)StringValuePtr(str), RSTRING_LENINT(str), bn)) {
226
+ ptr = StringValuePtr(str);
227
+ if (!BN_bin2bn((unsigned char *)ptr, RSTRING_LENINT(str), bn)) {
222
228
  ossl_raise(eBNError, NULL);
223
229
  }
224
230
  break;
@@ -104,7 +104,7 @@ ossl_cipher_alloc(VALUE klass)
104
104
  * call-seq:
105
105
  * Cipher.new(string) -> cipher
106
106
  *
107
- * The string must be a valid cipher name like "AES-128-CBC" or "3DES".
107
+ * The string must contain a valid cipher name like "AES-256-CBC".
108
108
  *
109
109
  * A list of cipher names is available by calling OpenSSL::Cipher.ciphers.
110
110
  */
@@ -237,8 +237,7 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
237
237
  ossl_raise(eCipherError, NULL);
238
238
  }
239
239
 
240
- if (p_key)
241
- rb_ivar_set(self, id_key_set, Qtrue);
240
+ rb_ivar_set(self, id_key_set, p_key ? Qtrue : Qfalse);
242
241
 
243
242
  return self;
244
243
  }
@@ -814,6 +813,31 @@ ossl_cipher_block_size(VALUE self)
814
813
  return INT2NUM(EVP_CIPHER_CTX_block_size(ctx));
815
814
  }
816
815
 
816
+ /*
817
+ * call-seq:
818
+ * cipher.ccm_data_len = integer -> integer
819
+ *
820
+ * Sets the length of the plaintext / ciphertext message that will be
821
+ * processed in CCM mode. Make sure to call this method after #key= and
822
+ * #iv= have been set, and before #auth_data=.
823
+ *
824
+ * Only call this method after calling Cipher#encrypt or Cipher#decrypt.
825
+ */
826
+ static VALUE
827
+ ossl_cipher_set_ccm_data_len(VALUE self, VALUE data_len)
828
+ {
829
+ int in_len, out_len;
830
+ EVP_CIPHER_CTX *ctx;
831
+
832
+ in_len = NUM2INT(data_len);
833
+
834
+ GetCipher(self, ctx);
835
+ if (EVP_CipherUpdate(ctx, NULL, &out_len, NULL, in_len) != 1)
836
+ ossl_raise(eCipherError, NULL);
837
+
838
+ return data_len;
839
+ }
840
+
817
841
  /*
818
842
  * INIT
819
843
  */
@@ -852,22 +876,6 @@ Init_ossl_cipher(void)
852
876
  *
853
877
  * cipher = OpenSSL::Cipher.new('AES-128-CBC')
854
878
  *
855
- * For each algorithm supported, there is a class defined under the
856
- * Cipher class that goes by the name of the cipher, e.g. to obtain an
857
- * instance of AES, you could also use
858
- *
859
- * # these are equivalent
860
- * cipher = OpenSSL::Cipher::AES.new(128, :CBC)
861
- * cipher = OpenSSL::Cipher::AES.new(128, 'CBC')
862
- * cipher = OpenSSL::Cipher::AES.new('128-CBC')
863
- *
864
- * Finally, due to its wide-spread use, there are also extra classes
865
- * defined for the different key sizes of AES
866
- *
867
- * cipher = OpenSSL::Cipher::AES128.new(:CBC)
868
- * cipher = OpenSSL::Cipher::AES192.new(:CBC)
869
- * cipher = OpenSSL::Cipher::AES256.new(:CBC)
870
- *
871
879
  * === Choosing either encryption or decryption mode
872
880
  *
873
881
  * Encryption and decryption are often very similar operations for
@@ -896,7 +904,7 @@ Init_ossl_cipher(void)
896
904
  * without processing the password further. A simple and secure way to
897
905
  * create a key for a particular Cipher is
898
906
  *
899
- * cipher = OpenSSL::AES256.new(:CFB)
907
+ * cipher = OpenSSL::Cipher.new('AES-256-CFB')
900
908
  * cipher.encrypt
901
909
  * key = cipher.random_key # also sets the generated key on the Cipher
902
910
  *
@@ -964,14 +972,14 @@ Init_ossl_cipher(void)
964
972
  *
965
973
  * data = "Very, very confidential data"
966
974
  *
967
- * cipher = OpenSSL::Cipher::AES.new(128, :CBC)
975
+ * cipher = OpenSSL::Cipher.new('AES-128-CBC')
968
976
  * cipher.encrypt
969
977
  * key = cipher.random_key
970
978
  * iv = cipher.random_iv
971
979
  *
972
980
  * encrypted = cipher.update(data) + cipher.final
973
981
  * ...
974
- * decipher = OpenSSL::Cipher::AES.new(128, :CBC)
982
+ * decipher = OpenSSL::Cipher.new('AES-128-CBC')
975
983
  * decipher.decrypt
976
984
  * decipher.key = key
977
985
  * decipher.iv = iv
@@ -1007,7 +1015,7 @@ Init_ossl_cipher(void)
1007
1015
  * not to reuse the _key_ and _nonce_ pair. Reusing an nonce ruins the
1008
1016
  * security guarantees of GCM mode.
1009
1017
  *
1010
- * cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
1018
+ * cipher = OpenSSL::Cipher.new('AES-128-GCM').encrypt
1011
1019
  * cipher.key = key
1012
1020
  * cipher.iv = nonce
1013
1021
  * cipher.auth_data = auth_data
@@ -1023,7 +1031,7 @@ Init_ossl_cipher(void)
1023
1031
  * ciphertext with a probability of 1/256.
1024
1032
  *
1025
1033
  * raise "tag is truncated!" unless tag.bytesize == 16
1026
- * decipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
1034
+ * decipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
1027
1035
  * decipher.key = key
1028
1036
  * decipher.iv = nonce
1029
1037
  * decipher.auth_tag = tag
@@ -1060,6 +1068,7 @@ Init_ossl_cipher(void)
1060
1068
  rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
1061
1069
  rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
1062
1070
  rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
1071
+ rb_define_method(cCipher, "ccm_data_len=", ossl_cipher_set_ccm_data_len, 1);
1063
1072
 
1064
1073
  id_auth_tag_len = rb_intern_const("auth_tag_len");
1065
1074
  id_key_set = rb_intern_const("key_set");
@@ -192,7 +192,7 @@ ossl_digest_reset(VALUE self)
192
192
  * be passed individually to the Digest instance.
193
193
  *
194
194
  * === Example
195
- * digest = OpenSSL::Digest::SHA256.new
195
+ * digest = OpenSSL::Digest.new('SHA256')
196
196
  * digest.update('First input')
197
197
  * digest << 'Second input' # equivalent to digest.update('Second input')
198
198
  * result = digest.digest
@@ -248,7 +248,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
248
248
  * Returns the sn of this Digest algorithm.
249
249
  *
250
250
  * === Example
251
- * digest = OpenSSL::Digest::SHA512.new
251
+ * digest = OpenSSL::Digest.new('SHA512')
252
252
  * puts digest.name # => SHA512
253
253
  *
254
254
  */
@@ -270,7 +270,7 @@ ossl_digest_name(VALUE self)
270
270
  * final message digest result.
271
271
  *
272
272
  * === Example
273
- * digest = OpenSSL::Digest::SHA1.new
273
+ * digest = OpenSSL::Digest.new('SHA1')
274
274
  * puts digest.digest_length # => 20
275
275
  *
276
276
  */
@@ -294,7 +294,7 @@ ossl_digest_size(VALUE self)
294
294
  * consecutively.
295
295
  *
296
296
  * === Example
297
- * digest = OpenSSL::Digest::SHA1.new
297
+ * digest = OpenSSL::Digest.new('SHA1')
298
298
  * puts digest.block_length # => 64
299
299
  */
300
300
  static VALUE
@@ -348,54 +348,19 @@ Init_ossl_digest(void)
348
348
  * the integrity of a signed document, it suffices to re-compute the hash
349
349
  * and verify that it is equal to that in the signature.
350
350
  *
351
- * Among the supported message digest algorithms are:
352
- * * SHA, SHA1, SHA224, SHA256, SHA384 and SHA512
353
- * * MD2, MD4, MDC2 and MD5
354
- * * RIPEMD160
355
- * * DSS, DSS1 (Pseudo algorithms to be used for DSA signatures. DSS is
356
- * equal to SHA and DSS1 is equal to SHA1)
351
+ * You can get a list of all digest algorithms supported on your system by
352
+ * running this command in your terminal:
357
353
  *
358
- * For each of these algorithms, there is a sub-class of Digest that
359
- * can be instantiated as simply as e.g.
354
+ * openssl list -digest-algorithms
360
355
  *
361
- * digest = OpenSSL::Digest::SHA1.new
356
+ * Among the OpenSSL 1.1.1 supported message digest algorithms are:
357
+ * * SHA224, SHA256, SHA384, SHA512, SHA512-224 and SHA512-256
358
+ * * SHA3-224, SHA3-256, SHA3-384 and SHA3-512
359
+ * * BLAKE2s256 and BLAKE2b512
362
360
  *
363
- * === Mapping between Digest class and sn/ln
361
+ * Each of these algorithms can be instantiated using the name:
364
362
  *
365
- * The sn (short names) and ln (long names) are defined in
366
- * <openssl/object.h> and <openssl/obj_mac.h>. They are textual
367
- * representations of ASN.1 OBJECT IDENTIFIERs. Each supported digest
368
- * algorithm has an OBJECT IDENTIFIER associated to it and those again
369
- * have short/long names assigned to them.
370
- * E.g. the OBJECT IDENTIFIER for SHA-1 is 1.3.14.3.2.26 and its
371
- * sn is "SHA1" and its ln is "sha1".
372
- * ==== MD2
373
- * * sn: MD2
374
- * * ln: md2
375
- * ==== MD4
376
- * * sn: MD4
377
- * * ln: md4
378
- * ==== MD5
379
- * * sn: MD5
380
- * * ln: md5
381
- * ==== SHA
382
- * * sn: SHA
383
- * * ln: SHA
384
- * ==== SHA-1
385
- * * sn: SHA1
386
- * * ln: sha1
387
- * ==== SHA-224
388
- * * sn: SHA224
389
- * * ln: sha224
390
- * ==== SHA-256
391
- * * sn: SHA256
392
- * * ln: sha256
393
- * ==== SHA-384
394
- * * sn: SHA384
395
- * * ln: sha384
396
- * ==== SHA-512
397
- * * sn: SHA512
398
- * * ln: sha512
363
+ * digest = OpenSSL::Digest.new('SHA256')
399
364
  *
400
365
  * "Breaking" a message digest algorithm means defying its one-way
401
366
  * function characteristics, i.e. producing a collision or finding a way
@@ -408,7 +373,7 @@ Init_ossl_digest(void)
408
373
  * === Hashing a file
409
374
  *
410
375
  * data = File.read('document')
411
- * sha256 = OpenSSL::Digest::SHA256.new
376
+ * sha256 = OpenSSL::Digest.new('SHA256')
412
377
  * digest = sha256.digest(data)
413
378
  *
414
379
  * === Hashing several pieces of data at once
@@ -416,7 +381,7 @@ Init_ossl_digest(void)
416
381
  * data1 = File.read('file1')
417
382
  * data2 = File.read('file2')
418
383
  * data3 = File.read('file3')
419
- * sha256 = OpenSSL::Digest::SHA256.new
384
+ * sha256 = OpenSSL::Digest.new('SHA256')
420
385
  * sha256 << data1
421
386
  * sha256 << data2
422
387
  * sha256 << data3
@@ -425,7 +390,7 @@ Init_ossl_digest(void)
425
390
  * === Reuse a Digest instance
426
391
  *
427
392
  * data1 = File.read('file1')
428
- * sha256 = OpenSSL::Digest::SHA256.new
393
+ * sha256 = OpenSSL::Digest.new('SHA256')
429
394
  * digest1 = sha256.digest(data1)
430
395
  *
431
396
  * data2 = File.read('file2')
@@ -93,9 +93,6 @@ static const rb_data_type_t ossl_engine_type = {
93
93
  static VALUE
94
94
  ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
95
95
  {
96
- #if !defined(HAVE_ENGINE_LOAD_BUILTIN_ENGINES)
97
- return Qnil;
98
- #else
99
96
  VALUE name;
100
97
 
101
98
  rb_scan_args(argc, argv, "01", &name);
@@ -104,10 +101,10 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
104
101
  return Qtrue;
105
102
  }
106
103
  StringValueCStr(name);
107
- #ifndef OPENSSL_NO_STATIC_ENGINE
108
104
  #if HAVE_ENGINE_LOAD_DYNAMIC
109
105
  OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC);
110
106
  #endif
107
+ #ifndef OPENSSL_NO_STATIC_ENGINE
111
108
  #if HAVE_ENGINE_LOAD_4758CCA
112
109
  OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA);
113
110
  #endif
@@ -144,20 +141,13 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
144
141
  #if HAVE_ENGINE_LOAD_GOST
145
142
  OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST);
146
143
  #endif
144
+ #endif
147
145
  #if HAVE_ENGINE_LOAD_CRYPTODEV
148
146
  OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV);
149
- #endif
150
- #if HAVE_ENGINE_LOAD_AESNI
151
- OSSL_ENGINE_LOAD_IF_MATCH(aesni, AESNI);
152
- #endif
153
- #endif
154
- #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
155
- OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto, OPENBSD_DEV_CRYPTO);
156
147
  #endif
157
148
  OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL);
158
149
  rb_warning("no such builtin loader for `%"PRIsVALUE"'", name);
159
150
  return Qnil;
160
- #endif /* HAVE_ENGINE_LOAD_BUILTIN_ENGINES */
161
151
  }
162
152
 
163
153
  /*
@@ -84,18 +84,12 @@ ossl_hmac_alloc(VALUE klass)
84
84
  *
85
85
  * === A note about comparisons
86
86
  *
87
- * Two instances won't be equal when they're compared, even if they have the
88
- * same value. Use #to_s or #hexdigest to return the authentication code that
89
- * the instance represents. For example:
87
+ * Two instances can be securely compared with #== in constant time:
90
88
  *
91
89
  * other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
92
- * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
93
- * instance
94
- * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
95
- * instance == other_instance
96
- * #=> false
97
- * instance.to_s == other_instance.to_s
98
- * #=> true
90
+ * #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
91
+ * instance == other_instance
92
+ * #=> true
99
93
  *
100
94
  */
101
95
  static VALUE
@@ -359,7 +353,7 @@ Init_ossl_hmac(void)
359
353
  * data1 = File.read("file1")
360
354
  * data2 = File.read("file2")
361
355
  * key = "key"
362
- * digest = OpenSSL::Digest::SHA256.new
356
+ * digest = OpenSSL::Digest.new('SHA256')
363
357
  * hmac = OpenSSL::HMAC.new(key, digest)
364
358
  * hmac << data1
365
359
  * hmac << data2