openssl 2.1.2 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +9 -7
  3. data/History.md +77 -0
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +24 -14
  6. data/ext/openssl/openssl_missing.h +37 -2
  7. data/ext/openssl/ossl.c +51 -25
  8. data/ext/openssl/ossl.h +8 -5
  9. data/ext/openssl/ossl_asn1.c +26 -1
  10. data/ext/openssl/ossl_bn.c +9 -3
  11. data/ext/openssl/ossl_cipher.c +33 -24
  12. data/ext/openssl/ossl_digest.c +16 -51
  13. data/ext/openssl/ossl_engine.c +2 -12
  14. data/ext/openssl/ossl_hmac.c +5 -11
  15. data/ext/openssl/ossl_kdf.c +3 -19
  16. data/ext/openssl/ossl_ns_spki.c +1 -1
  17. data/ext/openssl/ossl_ocsp.c +6 -11
  18. data/ext/openssl/ossl_ocsp.h +3 -3
  19. data/ext/openssl/ossl_pkcs7.c +3 -19
  20. data/ext/openssl/ossl_pkcs7.h +16 -0
  21. data/ext/openssl/ossl_pkey.c +180 -14
  22. data/ext/openssl/ossl_pkey.h +5 -5
  23. data/ext/openssl/ossl_pkey_dh.c +1 -1
  24. data/ext/openssl/ossl_pkey_dsa.c +2 -2
  25. data/ext/openssl/ossl_pkey_ec.c +29 -0
  26. data/ext/openssl/ossl_pkey_rsa.c +17 -9
  27. data/ext/openssl/ossl_rand.c +2 -40
  28. data/ext/openssl/ossl_ssl.c +109 -25
  29. data/ext/openssl/ossl_ts.c +1514 -0
  30. data/ext/openssl/ossl_ts.h +16 -0
  31. data/ext/openssl/ossl_x509.c +91 -0
  32. data/ext/openssl/ossl_x509cert.c +2 -2
  33. data/ext/openssl/ossl_x509ext.c +14 -0
  34. data/ext/openssl/ossl_x509name.c +8 -4
  35. data/ext/openssl/ossl_x509store.c +0 -2
  36. data/lib/openssl.rb +25 -9
  37. data/lib/openssl/bn.rb +1 -1
  38. data/lib/openssl/buffering.rb +33 -17
  39. data/lib/openssl/cipher.rb +1 -1
  40. data/lib/openssl/config.rb +53 -26
  41. data/lib/openssl/digest.rb +10 -12
  42. data/lib/openssl/hmac.rb +13 -0
  43. data/lib/openssl/marshal.rb +30 -0
  44. data/lib/openssl/pkcs5.rb +1 -1
  45. data/lib/openssl/pkey.rb +18 -1
  46. data/lib/openssl/ssl.rb +46 -7
  47. data/lib/openssl/version.rb +5 -0
  48. data/lib/openssl/x509.rb +155 -1
  49. metadata +8 -6
  50. data/ext/openssl/deprecation.rb +0 -23
  51. data/ext/openssl/ossl_version.h +0 -15
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # = Ruby-space predefined Digest subclasses
4
4
  #
@@ -15,11 +15,6 @@
15
15
  module OpenSSL
16
16
  class Digest
17
17
 
18
- alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
19
- if OPENSSL_VERSION_NUMBER < 0x10100000
20
- alg += %w(DSS DSS1 SHA)
21
- end
22
-
23
18
  # Return the hash value computed with _name_ Digest. _name_ is either the
24
19
  # long name or short name of a supported digest algorithm.
25
20
  #
@@ -29,23 +24,26 @@ module OpenSSL
29
24
  #
30
25
  # which is equivalent to:
31
26
  #
32
- # OpenSSL::Digest::SHA256.digest("abc")
27
+ # OpenSSL::Digest.digest('SHA256', "abc")
33
28
 
34
29
  def self.digest(name, data)
35
30
  super(data, name)
36
31
  end
37
32
 
38
- alg.each{|name|
33
+ %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512).each do |name|
39
34
  klass = Class.new(self) {
40
35
  define_method(:initialize, ->(data = nil) {super(name, data)})
41
36
  }
37
+
42
38
  singleton = (class << klass; self; end)
39
+
43
40
  singleton.class_eval{
44
- define_method(:digest){|data| new.digest(data) }
45
- define_method(:hexdigest){|data| new.hexdigest(data) }
41
+ define_method(:digest) {|data| new.digest(data)}
42
+ define_method(:hexdigest) {|data| new.hexdigest(data)}
46
43
  }
47
- const_set(name, klass)
48
- }
44
+
45
+ const_set(name.tr('-', '_'), klass)
46
+ end
49
47
 
50
48
  # Deprecated.
51
49
  #
@@ -0,0 +1,13 @@
1
+ # frozen_string_literal: true
2
+
3
+ module OpenSSL
4
+ class HMAC
5
+ # Securely compare with another HMAC instance in constant time.
6
+ def ==(other)
7
+ return false unless HMAC === other
8
+ return false unless self.digest.bytesize == other.digest.bytesize
9
+
10
+ OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
11
+ end
12
+ end
13
+ end
@@ -0,0 +1,30 @@
1
+ # frozen_string_literal: true
2
+ #--
3
+ # = Ruby-space definitions to add DER (de)serialization to classes
4
+ #
5
+ # = Info
6
+ # 'OpenSSL for Ruby 2' project
7
+ # Copyright (C) 2002 Michal Rokos <m.rokos@sh.cvut.cz>
8
+ # All rights reserved.
9
+ #
10
+ # = Licence
11
+ # This program is licensed under the same licence as Ruby.
12
+ # (See the file 'LICENCE'.)
13
+ #++
14
+ module OpenSSL
15
+ module Marshal
16
+ def self.included(base)
17
+ base.extend(ClassMethods)
18
+ end
19
+
20
+ module ClassMethods
21
+ def _load(string)
22
+ new(string)
23
+ end
24
+ end
25
+
26
+ def _dump(_level)
27
+ to_der
28
+ end
29
+ end
30
+ end
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # Ruby/OpenSSL Project
4
4
  # Copyright (C) 2017 Ruby/OpenSSL Project Authors
@@ -1,11 +1,24 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # Ruby/OpenSSL Project
4
4
  # Copyright (C) 2017 Ruby/OpenSSL Project Authors
5
5
  #++
6
6
 
7
+ require_relative 'marshal'
8
+
7
9
  module OpenSSL::PKey
10
+ class DH
11
+ include OpenSSL::Marshal
12
+ end
13
+
14
+ class DSA
15
+ include OpenSSL::Marshal
16
+ end
17
+
8
18
  if defined?(EC)
19
+ class EC
20
+ include OpenSSL::Marshal
21
+ end
9
22
  class EC::Point
10
23
  # :call-seq:
11
24
  # point.to_bn([conversion_form]) -> OpenSSL::BN
@@ -22,4 +35,8 @@ module OpenSSL::PKey
22
35
  end
23
36
  end
24
37
  end
38
+
39
+ class RSA
40
+ include OpenSSL::Marshal
41
+ end
25
42
  end
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  =begin
3
3
  = Info
4
4
  'OpenSSL for Ruby 2' project
@@ -12,6 +12,8 @@
12
12
 
13
13
  require "openssl/buffering"
14
14
  require "io/nonblock"
15
+ require "ipaddr"
16
+ require "socket"
15
17
 
16
18
  module OpenSSL
17
19
  module SSL
@@ -230,6 +232,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
230
232
  end
231
233
 
232
234
  module SocketForwarder
235
+ # The file descriptor for the socket.
236
+ def fileno
237
+ to_io.fileno
238
+ end
239
+
233
240
  def addr
234
241
  to_io.addr
235
242
  end
@@ -272,11 +279,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
272
279
  return true if verify_hostname(hostname, san.value)
273
280
  when 7 # iPAddress in GeneralName (RFC5280)
274
281
  should_verify_common_name = false
275
- # follows GENERAL_NAME_print() in x509v3/v3_alt.c
276
- if san.value.size == 4
277
- return true if san.value.unpack('C*').join('.') == hostname
278
- elsif san.value.size == 16
279
- return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
282
+ if san.value.size == 4 || san.value.size == 16
283
+ begin
284
+ return true if san.value == IPAddr.new(hostname).hton
285
+ rescue IPAddr::InvalidAddressError
286
+ end
280
287
  end
281
288
  end
282
289
  }
@@ -434,6 +441,38 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
434
441
  def session_get_cb
435
442
  @context.session_get_cb
436
443
  end
444
+
445
+ class << self
446
+
447
+ # call-seq:
448
+ # open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
449
+ #
450
+ # Creates a new instance of SSLSocket.
451
+ # _remote\_host_ and _remote\_port_ are used to open TCPSocket.
452
+ # If _local\_host_ and _local\_port_ are specified,
453
+ # then those parameters are used on the local end to establish the connection.
454
+ # If _context_ is provided,
455
+ # the SSL Sockets initial params will be taken from the context.
456
+ #
457
+ # === Examples
458
+ #
459
+ # sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
460
+ # sock.connect # Initiates a connection to localhost:443
461
+ #
462
+ # with SSLContext:
463
+ #
464
+ # ctx = OpenSSL::SSL::SSLContext.new
465
+ # sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
466
+ # sock.connect # Initiates a connection to localhost:443 with SSLContext
467
+ def open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
468
+ sock = ::TCPSocket.open(remote_host, remote_port, local_host, local_port)
469
+ if context.nil?
470
+ return OpenSSL::SSL::SSLSocket.new(sock)
471
+ else
472
+ return OpenSSL::SSL::SSLSocket.new(sock, context)
473
+ end
474
+ end
475
+ end
437
476
  end
438
477
 
439
478
  ##
@@ -464,7 +503,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
464
503
  end
465
504
 
466
505
  # See TCPServer#listen for details.
467
- def listen(backlog=5)
506
+ def listen(backlog=Socket::SOMAXCONN)
468
507
  @svr.listen(backlog)
469
508
  end
470
509
 
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module OpenSSL
4
+ VERSION = "2.2.0"
5
+ end
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # = Ruby-space definitions that completes C-space funcs for X509 and subclasses
4
4
  #
@@ -12,6 +12,8 @@
12
12
  # (See the file 'LICENCE'.)
13
13
  #++
14
14
 
15
+ require_relative 'marshal'
16
+
15
17
  module OpenSSL
16
18
  module X509
17
19
  class ExtensionFactory
@@ -41,6 +43,8 @@ module OpenSSL
41
43
  end
42
44
 
43
45
  class Extension
46
+ include OpenSSL::Marshal
47
+
44
48
  def ==(other)
45
49
  return false unless Extension === other
46
50
  to_der == other.to_der
@@ -60,9 +64,146 @@ module OpenSSL
60
64
  def to_a
61
65
  [ self.oid, self.value, self.critical? ]
62
66
  end
67
+
68
+ module Helpers
69
+ def find_extension(oid)
70
+ extensions.find { |e| e.oid == oid }
71
+ end
72
+ end
73
+
74
+ module SubjectKeyIdentifier
75
+ include Helpers
76
+
77
+ # Get the subject's key identifier from the subjectKeyIdentifier
78
+ # exteension, as described in RFC5280 Section 4.2.1.2.
79
+ #
80
+ # Returns the binary String key identifier or nil or raises
81
+ # ASN1::ASN1Error.
82
+ def subject_key_identifier
83
+ ext = find_extension("subjectKeyIdentifier")
84
+ return nil if ext.nil?
85
+
86
+ ski_asn1 = ASN1.decode(ext.value_der)
87
+ if ext.critical? || ski_asn1.tag_class != :UNIVERSAL || ski_asn1.tag != ASN1::OCTET_STRING
88
+ raise ASN1::ASN1Error, "invalid extension"
89
+ end
90
+
91
+ ski_asn1.value
92
+ end
93
+ end
94
+
95
+ module AuthorityKeyIdentifier
96
+ include Helpers
97
+
98
+ # Get the issuing certificate's key identifier from the
99
+ # authorityKeyIdentifier extension, as described in RFC5280
100
+ # Section 4.2.1.1
101
+ #
102
+ # Returns the binary String keyIdentifier or nil or raises
103
+ # ASN1::ASN1Error.
104
+ def authority_key_identifier
105
+ ext = find_extension("authorityKeyIdentifier")
106
+ return nil if ext.nil?
107
+
108
+ aki_asn1 = ASN1.decode(ext.value_der)
109
+ if ext.critical? || aki_asn1.tag_class != :UNIVERSAL || aki_asn1.tag != ASN1::SEQUENCE
110
+ raise ASN1::ASN1Error, "invalid extension"
111
+ end
112
+
113
+ key_id = aki_asn1.value.find do |v|
114
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
115
+ end
116
+
117
+ key_id.nil? ? nil : key_id.value
118
+ end
119
+ end
120
+
121
+ module CRLDistributionPoints
122
+ include Helpers
123
+
124
+ # Get the distributionPoint fullName URI from the certificate's CRL
125
+ # distribution points extension, as described in RFC5280 Section
126
+ # 4.2.1.13
127
+ #
128
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
129
+ def crl_uris
130
+ ext = find_extension("crlDistributionPoints")
131
+ return nil if ext.nil?
132
+
133
+ cdp_asn1 = ASN1.decode(ext.value_der)
134
+ if cdp_asn1.tag_class != :UNIVERSAL || cdp_asn1.tag != ASN1::SEQUENCE
135
+ raise ASN1::ASN1Error, "invalid extension"
136
+ end
137
+
138
+ crl_uris = cdp_asn1.map do |crl_distribution_point|
139
+ distribution_point = crl_distribution_point.value.find do |v|
140
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
141
+ end
142
+ full_name = distribution_point&.value&.find do |v|
143
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 0
144
+ end
145
+ full_name&.value&.find do |v|
146
+ v.tag_class == :CONTEXT_SPECIFIC && v.tag == 6 # uniformResourceIdentifier
147
+ end
148
+ end
149
+
150
+ crl_uris&.map(&:value)
151
+ end
152
+ end
153
+
154
+ module AuthorityInfoAccess
155
+ include Helpers
156
+
157
+ # Get the information and services for the issuer from the certificate's
158
+ # authority information access extension exteension, as described in RFC5280
159
+ # Section 4.2.2.1.
160
+ #
161
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
162
+ def ca_issuer_uris
163
+ aia_asn1 = parse_aia_asn1
164
+ return nil if aia_asn1.nil?
165
+
166
+ ca_issuer = aia_asn1.value.select do |authority_info_access|
167
+ authority_info_access.value.first.value == "caIssuers"
168
+ end
169
+
170
+ ca_issuer&.map(&:value)&.map(&:last)&.map(&:value)
171
+ end
172
+
173
+ # Get the URIs for OCSP from the certificate's authority information access
174
+ # extension exteension, as described in RFC5280 Section 4.2.2.1.
175
+ #
176
+ # Returns an array of strings or nil or raises ASN1::ASN1Error.
177
+ def ocsp_uris
178
+ aia_asn1 = parse_aia_asn1
179
+ return nil if aia_asn1.nil?
180
+
181
+ ocsp = aia_asn1.value.select do |authority_info_access|
182
+ authority_info_access.value.first.value == "OCSP"
183
+ end
184
+
185
+ ocsp&.map(&:value)&.map(&:last)&.map(&:value)
186
+ end
187
+
188
+ private
189
+
190
+ def parse_aia_asn1
191
+ ext = find_extension("authorityInfoAccess")
192
+ return nil if ext.nil?
193
+
194
+ aia_asn1 = ASN1.decode(ext.value_der)
195
+ if ext.critical? || aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
196
+ raise ASN1::ASN1Error, "invalid extension"
197
+ end
198
+
199
+ aia_asn1
200
+ end
201
+ end
63
202
  end
64
203
 
65
204
  class Name
205
+ include OpenSSL::Marshal
206
+
66
207
  module RFC2253DN
67
208
  Special = ',=+<>#;'
68
209
  HexChar = /[0-9a-fA-F]/
@@ -166,6 +307,8 @@ module OpenSSL
166
307
  end
167
308
 
168
309
  class Attribute
310
+ include OpenSSL::Marshal
311
+
169
312
  def ==(other)
170
313
  return false unless Attribute === other
171
314
  to_der == other.to_der
@@ -179,6 +322,12 @@ module OpenSSL
179
322
  end
180
323
 
181
324
  class Certificate
325
+ include OpenSSL::Marshal
326
+ include Extension::SubjectKeyIdentifier
327
+ include Extension::AuthorityKeyIdentifier
328
+ include Extension::CRLDistributionPoints
329
+ include Extension::AuthorityInfoAccess
330
+
182
331
  def pretty_print(q)
183
332
  q.object_group(self) {
184
333
  q.breakable
@@ -192,6 +341,9 @@ module OpenSSL
192
341
  end
193
342
 
194
343
  class CRL
344
+ include OpenSSL::Marshal
345
+ include Extension::AuthorityKeyIdentifier
346
+
195
347
  def ==(other)
196
348
  return false unless CRL === other
197
349
  to_der == other.to_der
@@ -206,6 +358,8 @@ module OpenSSL
206
358
  end
207
359
 
208
360
  class Request
361
+ include OpenSSL::Marshal
362
+
209
363
  def ==(other)
210
364
  return false unless Request === other
211
365
  to_der == other.to_der
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.2
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Martin Bosslet
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2018-10-18 00:00:00.000000000 Z
14
+ date: 2020-05-13 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: rake
@@ -85,7 +85,6 @@ files:
85
85
  - History.md
86
86
  - LICENSE.txt
87
87
  - README.md
88
- - ext/openssl/deprecation.rb
89
88
  - ext/openssl/extconf.rb
90
89
  - ext/openssl/openssl_missing.c
91
90
  - ext/openssl/openssl_missing.h
@@ -128,7 +127,8 @@ files:
128
127
  - ext/openssl/ossl_ssl.c
129
128
  - ext/openssl/ossl_ssl.h
130
129
  - ext/openssl/ossl_ssl_session.c
131
- - ext/openssl/ossl_version.h
130
+ - ext/openssl/ossl_ts.c
131
+ - ext/openssl/ossl_ts.h
132
132
  - ext/openssl/ossl_x509.c
133
133
  - ext/openssl/ossl_x509.h
134
134
  - ext/openssl/ossl_x509attr.c
@@ -146,9 +146,12 @@ files:
146
146
  - lib/openssl/cipher.rb
147
147
  - lib/openssl/config.rb
148
148
  - lib/openssl/digest.rb
149
+ - lib/openssl/hmac.rb
150
+ - lib/openssl/marshal.rb
149
151
  - lib/openssl/pkcs5.rb
150
152
  - lib/openssl/pkey.rb
151
153
  - lib/openssl/ssl.rb
154
+ - lib/openssl/version.rb
152
155
  - lib/openssl/x509.rb
153
156
  homepage: https://github.com/ruby/openssl
154
157
  licenses:
@@ -172,8 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
172
175
  - !ruby/object:Gem::Version
173
176
  version: '0'
174
177
  requirements: []
175
- rubyforge_project:
176
- rubygems_version: 2.7.6
178
+ rubygems_version: 3.2.0.pre1
177
179
  signing_key:
178
180
  specification_version: 4
179
181
  summary: OpenSSL provides SSL, TLS and general purpose cryptography.