openssl 2.1.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +35 -45
  3. data/History.md +232 -0
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +61 -46
  6. data/ext/openssl/openssl_missing.c +0 -66
  7. data/ext/openssl/openssl_missing.h +60 -44
  8. data/ext/openssl/ossl.c +112 -66
  9. data/ext/openssl/ossl.h +28 -11
  10. data/ext/openssl/ossl_asn1.c +42 -5
  11. data/ext/openssl/ossl_bn.c +276 -146
  12. data/ext/openssl/ossl_bn.h +2 -1
  13. data/ext/openssl/ossl_cipher.c +38 -29
  14. data/ext/openssl/ossl_config.c +412 -41
  15. data/ext/openssl/ossl_config.h +4 -7
  16. data/ext/openssl/ossl_digest.c +31 -62
  17. data/ext/openssl/ossl_engine.c +18 -27
  18. data/ext/openssl/ossl_hmac.c +52 -145
  19. data/ext/openssl/ossl_kdf.c +11 -19
  20. data/ext/openssl/ossl_ns_spki.c +1 -1
  21. data/ext/openssl/ossl_ocsp.c +9 -62
  22. data/ext/openssl/ossl_ocsp.h +3 -3
  23. data/ext/openssl/ossl_pkcs12.c +21 -3
  24. data/ext/openssl/ossl_pkcs7.c +45 -78
  25. data/ext/openssl/ossl_pkcs7.h +16 -0
  26. data/ext/openssl/ossl_pkey.c +1255 -178
  27. data/ext/openssl/ossl_pkey.h +40 -77
  28. data/ext/openssl/ossl_pkey_dh.c +125 -335
  29. data/ext/openssl/ossl_pkey_dsa.c +93 -398
  30. data/ext/openssl/ossl_pkey_ec.c +155 -318
  31. data/ext/openssl/ossl_pkey_rsa.c +105 -484
  32. data/ext/openssl/ossl_rand.c +2 -40
  33. data/ext/openssl/ossl_ssl.c +395 -364
  34. data/ext/openssl/ossl_ssl_session.c +24 -29
  35. data/ext/openssl/ossl_ts.c +1539 -0
  36. data/ext/openssl/ossl_ts.h +16 -0
  37. data/ext/openssl/ossl_x509.c +86 -1
  38. data/ext/openssl/ossl_x509cert.c +166 -10
  39. data/ext/openssl/ossl_x509crl.c +10 -7
  40. data/ext/openssl/ossl_x509ext.c +15 -2
  41. data/ext/openssl/ossl_x509name.c +16 -5
  42. data/ext/openssl/ossl_x509req.c +10 -7
  43. data/ext/openssl/ossl_x509store.c +193 -92
  44. data/lib/openssl/bn.rb +1 -1
  45. data/lib/openssl/buffering.rb +42 -17
  46. data/lib/openssl/cipher.rb +1 -1
  47. data/lib/openssl/digest.rb +10 -12
  48. data/lib/openssl/hmac.rb +78 -0
  49. data/lib/openssl/marshal.rb +30 -0
  50. data/lib/openssl/pkcs5.rb +1 -1
  51. data/lib/openssl/pkey.rb +435 -1
  52. data/lib/openssl/ssl.rb +53 -14
  53. data/lib/openssl/version.rb +5 -0
  54. data/lib/openssl/x509.rb +177 -1
  55. data/lib/openssl.rb +24 -9
  56. metadata +13 -69
  57. data/ext/openssl/deprecation.rb +0 -23
  58. data/ext/openssl/ossl_version.h +0 -15
  59. data/ext/openssl/ruby_missing.h +0 -24
  60. data/lib/openssl/config.rb +0 -474
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9a5ba46835caa91a77f80010c07b52e8532221c8a1b4726159584eb92a6ce204
4
- data.tar.gz: ca5ba9b87ceb945ac1f312e00ceadae32c868e2659e89677ed534a22ed145cf8
3
+ metadata.gz: d382c0c6e46a7009fa58a8378b052341712f115f73f90c2409fdfa990c5c3a41
4
+ data.tar.gz: dc54eb994bb6c4de4e425c32702ec551b5c9d1d677062e629cbf162d171a5dec
5
5
  SHA512:
6
- metadata.gz: 0eb54df27a2aa1455fb18b6e5e05c40598ba3f342ad933fd035342596b55a1e68c3b9607cede2b955961805150ca8eb7dcfa2a046600614da1d80dc9d17db17b
7
- data.tar.gz: 31ac63101df5218fa003477b130b07a32826f685e465c71cf43fc9db28d3ecbb275e5dcc4b685860f418ea893378c133009af92ff1a2293b3d91606a8055b70b
6
+ metadata.gz: 8516105c4fb7d40619519c8165d45c602dd6ed65971ad8289ad70e9a7fc89d36c16a801c62ecf7c82e9068f07a3a63df69c3d9faf693796b071c059cdb10f805
7
+ data.tar.gz: 5c6cc181f035383b724b6bd5d249e36797c5079482e88efa137e9dc74b0b338fd4be7d6d27d7e39a67054429a64d79305a15146c645ee23c97696f1838640c7a
data/CONTRIBUTING.md CHANGED
@@ -12,14 +12,17 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
12
12
  security issues here, there is a separate procedure which is described on
13
13
  ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
14
14
 
15
- When reporting a bug, please make sure you include the version of Ruby, the
16
- version of openssl gem, the version of the OpenSSL library, along with a sample
17
- file that illustrates the problem or link to repository or gem that is
18
- associated with the bug.
15
+ When reporting a bug, please make sure you include:
19
16
 
20
- There is a number of unresolved issues and feature requests for openssl that
17
+ * Ruby version (`ruby -v`)
18
+ * `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
19
+ * OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
20
+ * A sample file that illustrates the problem or link to the repository or
21
+ gem that is associated with the bug.
22
+
23
+ There are a number of unresolved issues and feature requests for openssl that
21
24
  need review. Before submitting a new ticket, it is recommended to check
22
- [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
25
+ [known issues].
23
26
 
24
27
  ## Submitting patches
25
28
 
@@ -32,62 +35,50 @@ Make sure that your branch does:
32
35
  * Have good commit messages
33
36
  * Follow Ruby's coding style ([DeveloperHowTo])
34
37
  * Pass the test suite successfully (see "Testing")
35
- * Add an entry to [History.md] if necessary
36
38
 
37
39
  ## Testing
38
40
 
39
41
  We have a test suite!
40
42
 
41
43
  Test cases are located under the
42
- [`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
44
+ [`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
45
+ directory.
43
46
 
44
47
  You can run it with the following three commands:
45
48
 
46
49
  ```
47
- $ rake install_dependencies # installs rake-compiler, test-unit, ...
48
- $ rake compile
49
- $ rake test
50
+ $ bundle install # installs rake-compiler, test-unit, ...
51
+ $ bundle exec rake compile
52
+ $ bundle exec rake test
50
53
  ```
51
54
 
52
- ### Docker
53
-
54
- You can also use Docker Compose to run tests. It can be used to check that your
55
- changes work correctly with various supported versions of Ruby and OpenSSL.
56
-
57
- First, you need to install [Docker](https://www.docker.com/products/docker) and
58
- [Docker Compose](https://www.docker.com/products/docker-compose) on your
59
- computer.
55
+ ### With different versions of OpenSSL
60
56
 
61
- If you're on MacOS or Windows, we recommended to use the official [Docker
62
- Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
63
- instructions for your package manager. For further information, please check
64
- the [official documentation](https://docs.docker.com/).
57
+ Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
58
+ to pass on all supported combinations.
65
59
 
66
- Once you have Docker and Docker Compose, running the following commands will
67
- build the container and execute the openssl tests. In this example, we will use
68
- Ruby version 2.3 with OpenSSL version 1.0.2.
60
+ Similarly to when installing `openssl` gem via the `gem` command,
61
+ you can pass a `--with-openssl-dir` argument to `rake compile`
62
+ to specify the OpenSSL library to build against.
69
63
 
70
64
  ```
71
- $ docker-compose build
72
- $ export RUBY_VERSION=ruby-2.3
73
- $ export OPENSSL_VERSION=openssl-1.0.2
74
- $ docker-compose run test
75
-
76
- # You may want an interactive shell for dubugging
77
- $ docker-compose run debug
65
+ $ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
66
+ tar xf openssl-3.0.1.tar.gz &&
67
+ cd openssl-3.0.1 &&
68
+ ./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
69
+ make -j4 &&
70
+ make install )
71
+
72
+ $ # in Ruby/OpenSSL's source directory
73
+ $ bundle exec rake clean
74
+ $ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
75
+ $ bundle exec rake test
78
76
  ```
79
77
 
80
- All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
81
- [`.travis.yml`](https://github.com/ruby/openssl/tree/master/.travis.yml).
82
-
83
- **NOTE**: these commands must be run from the openssl repository root, in order
84
- to use the
85
- [`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
86
- file we have provided.
87
-
88
- This Docker image is built using the
89
- [Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
90
- provided in the repository.
78
+ The GitHub Actions workflow file
79
+ [`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
80
+ contains useful information for building OpenSSL/LibreSSL and testing against
81
+ them.
91
82
 
92
83
 
93
84
  ## Relation with Ruby source tree
@@ -122,7 +113,6 @@ _Thanks for your contributions!_
122
113
 
123
114
  [GitHub]: https://github.com/ruby/openssl
124
115
  [known issues]: https://github.com/ruby/openssl/issues
125
- [bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
126
116
  [DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
127
117
  [HackerOne]: https://hackerone.com/ruby
128
118
  [Security]: https://www.ruby-lang.org/en/security/
data/History.md CHANGED
@@ -1,3 +1,235 @@
1
+ Version 3.0.0
2
+ =============
3
+
4
+ Compatibility notes
5
+ -------------------
6
+
7
+ * OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
8
+ [[GitHub #396]](https://github.com/ruby/openssl/pull/396)
9
+ [[GitHub #466]](https://github.com/ruby/openssl/pull/466)
10
+
11
+ * OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
12
+ 1.1 and contains incompatible changes that affect Ruby/OpenSSL.
13
+ Note that OpenSSL 3.0 support is preliminary and not all features are
14
+ currently available:
15
+ [[GitHub #369]](https://github.com/ruby/openssl/issues/369)
16
+
17
+ - Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
18
+ made EVP_PKEY structure immutable, and hence the following methods are not
19
+ available when Ruby/OpenSSL is linked against OpenSSL 3.0.
20
+ [[GitHub #480]](https://github.com/ruby/openssl/pull/480)
21
+
22
+ - `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
23
+ - `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
24
+ - `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
25
+ - `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
26
+
27
+ - Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
28
+ in favor of the new "provider" concept and will be removed in a future
29
+ version.
30
+ [[GitHub #481]](https://github.com/ruby/openssl/pull/481)
31
+
32
+ * `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
33
+ deprecated since v2.0.0 because it is incompatible with modern OpenSSL
34
+ versions.
35
+ [[GitHub #394]](https://github.com/ruby/openssl/pull/394)
36
+
37
+ * `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
38
+ if called before a TLS connection is established. Historically, they
39
+ read/wrote unencrypted data to the underlying socket directly in that case.
40
+ [[GitHub #9]](https://github.com/ruby/openssl/issues/9)
41
+ [[GitHub #469]](https://github.com/ruby/openssl/pull/469)
42
+
43
+
44
+ Notable changes
45
+ ---------------
46
+
47
+ * Enhance OpenSSL::PKey's common interface.
48
+ [[GitHub #370]](https://github.com/ruby/openssl/issues/370)
49
+
50
+ - Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
51
+ DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
52
+ [[GitHub #328]](https://github.com/ruby/openssl/issues/328)
53
+ - Key generation: Add `OpenSSL::PKey.generate_parameters` and
54
+ `OpenSSL::PKey.generate_key`.
55
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
56
+ - Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
57
+ the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
58
+ or later. They also now take optional algorithm-specific parameters for more
59
+ control.
60
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
61
+ - Low-level public key signing and verification: Add
62
+ `OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
63
+ [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
64
+ - Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
65
+ [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
66
+ - Key agreement: Add `OpenSSL::PKey::PKey#derive`.
67
+ [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
68
+ - Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
69
+ that two keys have common parameters and a public key.
70
+ [[GitHub #383]](https://github.com/ruby/openssl/issues/383)
71
+
72
+ * Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
73
+ with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
74
+ [[GitHub #417]](https://github.com/ruby/openssl/issues/417)
75
+
76
+ * Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
77
+ [[GitHub #430]](https://github.com/ruby/openssl/issues/430)
78
+
79
+ * Add `OpenSSL::SSL::SSLSocket#getbyte`.
80
+ [[GitHub #438]](https://github.com/ruby/openssl/issues/438)
81
+
82
+ * Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
83
+ [[GitHub #459]](https://github.com/ruby/openssl/pull/459)
84
+
85
+ * Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
86
+ list of X.509 certificates at once.
87
+ [[GitHub #441]](https://github.com/ruby/openssl/pull/441)
88
+
89
+ * Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
90
+ string first as DER encoding first and then as PEM encoding to ensure the
91
+ round-trip consistency.
92
+ [[GitHub #442]](https://github.com/ruby/openssl/pull/442)
93
+
94
+ * Update various part of the code base to use the modern API. No breaking
95
+ changes are intended with this. This includes:
96
+
97
+ - `OpenSSL::HMAC` uses the EVP API.
98
+ [[GitHub #371]](https://github.com/ruby/openssl/issues/371)
99
+ - `OpenSSL::Config` uses native OpenSSL API to parse config files.
100
+ [[GitHub #342]](https://github.com/ruby/openssl/issues/342)
101
+
102
+
103
+ Version 2.2.1
104
+ =============
105
+
106
+ Merged changes in 2.1.3. Additionally, the following issues are fixed by this
107
+ release.
108
+
109
+ Bug fixes
110
+ ---------
111
+
112
+ * Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
113
+ invalid arguments are given.
114
+ [[GitHub #407]](https://github.com/ruby/openssl/pull/407)
115
+ * Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
116
+ where `time_t` has a different size from `long`.
117
+ [[GitHub #454]](https://github.com/ruby/openssl/pull/454)
118
+
119
+
120
+ Version 2.2.0
121
+ =============
122
+
123
+ Compatibility notes
124
+ -------------------
125
+
126
+ * Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
127
+ * Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
128
+ [[GitHub #266]](https://github.com/ruby/openssl/pull/266)
129
+ * Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
130
+ [[GitHub #322]](https://github.com/ruby/openssl/pull/322)
131
+
132
+
133
+ Notable changes
134
+ ---------------
135
+
136
+ * Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
137
+ 5 to `Socket::SOMAXCONN`.
138
+ [[GitHub #286]](https://github.com/ruby/openssl/issues/286)
139
+ * Make `OpenSSL::HMAC#==` use a timing safe string comparison.
140
+ [[GitHub #284]](https://github.com/ruby/openssl/pull/284)
141
+ * Add support for SHA3 and BLAKE digests.
142
+ [[GitHub #282]](https://github.com/ruby/openssl/pull/282)
143
+ * Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
144
+ returning an `OpenSSL::SSL::SSLSocket` for it.
145
+ [[GitHub #225]](https://github.com/ruby/openssl/issues/225)
146
+ * Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
147
+ [[GitHub #281]](https://github.com/ruby/openssl/pull/281)
148
+ [[GitHub #363]](https://github.com/ruby/openssl/pull/363)
149
+ * Add `OpenSSL.secure_compare` for timing safe string comparison for
150
+ strings of possibly unequal length.
151
+ [[GitHub #280]](https://github.com/ruby/openssl/pull/280)
152
+ * Add `OpenSSL.fixed_length_secure_compare` for timing safe string
153
+ comparison for strings of equal length.
154
+ [[GitHub #269]](https://github.com/ruby/openssl/pull/269)
155
+ * Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
156
+ for last finished message sent and received.
157
+ [[GitHub #250]](https://github.com/ruby/openssl/pull/250)
158
+ * Add `OpenSSL::Timestamp` module for handing timestamp requests and
159
+ responses.
160
+ [[GitHub #204]](https://github.com/ruby/openssl/pull/204)
161
+ * Add helper methods for `OpenSSL::X509::Certificate`:
162
+ `find_extension`, `subject_key_identifier`,
163
+ `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
164
+ `ocsp_uris`, and for `OpenSSL::X509::CRL`:
165
+ `find_extension` and `subject_key_identifier`.
166
+ [[GitHub #260]](https://github.com/ruby/openssl/pull/260)
167
+ [[GitHub #275]](https://github.com/ruby/openssl/pull/275)
168
+ [[GitHub #293]](https://github.com/ruby/openssl/pull/293)
169
+ * Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
170
+ [[GitHub #261]](https://github.com/ruby/openssl/pull/261)
171
+ * Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
172
+ `crt_params` to do proper private key serialization.
173
+ [[GitHub #258]](https://github.com/ruby/openssl/pull/258)
174
+ * Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
175
+ underlying socket file descriptor number.
176
+ [[GitHub #247]](https://github.com/ruby/openssl/pull/247)
177
+ * Support client certificates with TLS 1.3, and support post-handshake
178
+ authentication with OpenSSL 1.1.1+.
179
+ [[GitHub #239]](https://github.com/ruby/openssl/pull/239)
180
+ * Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
181
+ * Add `OpenSSL::X509::Extension#value_der` for the raw value of
182
+ the extension.
183
+ [[GitHub #234]](https://github.com/ruby/openssl/pull/234)
184
+ * Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
185
+ [[GitHub #212]](https://github.com/ruby/openssl/pull/212)
186
+ * Ensure all valid IPv6 addresses are considered valid as elements
187
+ of subjectAlternativeName in certificates.
188
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
189
+ * Allow recipient's certificate to be omitted in PCKS7#decrypt.
190
+ [[GitHub #183]](https://github.com/ruby/openssl/pull/183)
191
+ * Add support for reading keys in PKCS #8 format and export via instance methods
192
+ added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
193
+ `public_to_der` and `public_to_pem`.
194
+ [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
195
+
196
+
197
+ Version 2.1.3
198
+ =============
199
+
200
+ Bug fixes
201
+ ---------
202
+
203
+ * Fix deprecation warnings on Ruby 3.0.
204
+ * Add ".include" directive support in `OpenSSL::Config`.
205
+ [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
206
+ * Fix handling of IPv6 address SANs.
207
+ [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
208
+ * Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
209
+ sets a proper error code.
210
+ [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
211
+ * Fix crash with `OpenSSL::BN.new(nil, 2)`.
212
+ [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
213
+ * `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
214
+ being modified by another thread.
215
+ [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
216
+ * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
217
+ for output.
218
+ * Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
219
+ [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
220
+ * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
221
+ newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
222
+ OpenSSL 3.0 API.
223
+ [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
224
+ * Activate `digest` gem correctly. `digest` library could go into an
225
+ inconsistent state if there are multiple versions of `digest` is installed
226
+ and `openssl` is `require`d before `digest`.
227
+ [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
228
+ * Fix GC.compact compatibility.
229
+ [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
230
+ [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
231
+
232
+
1
233
  Version 2.1.2
2
234
  =============
3
235
 
data/README.md CHANGED
@@ -1,7 +1,7 @@
1
1
  # OpenSSL for Ruby
2
2
 
3
- [![Build Status](https://travis-ci.org/ruby/openssl.svg?branch=master)](https://travis-ci.org/ruby/openssl)
4
- [![Build status](https://ci.appveyor.com/api/projects/status/b8djtmwo7l26f88y/branch/master?svg=true)](https://ci.appveyor.com/project/ruby/openssl/branch/master)
3
+ [![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
4
+
5
5
 
6
6
  OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
7
7
  OpenSSL library.
@@ -1,5 +1,5 @@
1
1
  # -*- coding: us-ascii -*-
2
- # frozen_string_literal: false
2
+ # frozen_string_literal: true
3
3
  =begin
4
4
  = Info
5
5
  'OpenSSL for Ruby 2' project
@@ -12,16 +12,12 @@
12
12
  =end
13
13
 
14
14
  require "mkmf"
15
- require File.expand_path('../deprecation', __FILE__)
16
15
 
17
16
  dir_config("openssl")
18
17
  dir_config("kerberos")
19
18
 
20
19
  Logging::message "=== OpenSSL for Ruby configurator ===\n"
21
20
 
22
- # Add -Werror=deprecated-declarations to $warnflags if available
23
- OpenSSL.deprecated_warning_flag
24
-
25
21
  ##
26
22
  # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
27
23
  # To turn it on, use: --with-debug or --enable-debug
@@ -30,6 +26,8 @@ if with_config("debug") or enable_config("debug")
30
26
  $defs.push("-DOSSL_DEBUG")
31
27
  end
32
28
 
29
+ have_func("rb_io_maybe_wait") # Ruby 3.1
30
+
33
31
  Logging::message "=== Checking for system dependent stuff... ===\n"
34
32
  have_library("nsl", "t_open")
35
33
  have_library("socket", "socket")
@@ -37,8 +35,11 @@ if $mswin || $mingw
37
35
  have_library("ws2_32")
38
36
  end
39
37
 
40
- Logging::message "=== Checking for required stuff... ===\n"
41
- result = pkg_config("openssl") && have_header("openssl/ssl.h")
38
+ if $mingw
39
+ append_cflags '-D_FORTIFY_SOURCE=2'
40
+ append_ldflags '-fstack-protector'
41
+ have_library 'ssp'
42
+ end
42
43
 
43
44
  def find_openssl_library
44
45
  if $mswin || $mingw
@@ -90,60 +91,53 @@ def find_openssl_library
90
91
  return false
91
92
  end
92
93
 
93
- unless result
94
- unless find_openssl_library
95
- Logging::message "=== Checking for required stuff failed. ===\n"
96
- Logging::message "Makefile wasn't created. Fix the errors above.\n"
97
- raise "OpenSSL library could not be found. You might want to use " \
98
- "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
99
- "is installed."
100
- end
94
+ Logging::message "=== Checking for required stuff... ===\n"
95
+ pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
96
+
97
+ if !pkg_config_found && !find_openssl_library
98
+ Logging::message "=== Checking for required stuff failed. ===\n"
99
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
100
+ raise "OpenSSL library could not be found. You might want to use " \
101
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
102
+ "is installed."
103
+ end
104
+
105
+ version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
106
+ is_libressl = true
107
+ checking_for("LibreSSL version >= 3.1.0") {
108
+ try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
109
+ else
110
+ checking_for("OpenSSL version >= 1.0.2") {
111
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
112
+ end
113
+ unless version_ok
114
+ raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
101
115
  end
102
116
 
103
- unless checking_for("OpenSSL version is 1.0.1 or later") {
104
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
105
- raise "OpenSSL >= 1.0.1 or LibreSSL is required"
117
+ # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
118
+ if is_libressl && ($mswin || $mingw)
119
+ $defs.push("-DNOCRYPT")
106
120
  end
107
121
 
108
122
  Logging::message "=== Checking for OpenSSL features... ===\n"
109
123
  # compile options
110
124
  have_func("RAND_egd")
111
- engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
112
- cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
125
+ engines = %w{dynamic 4758cca aep atalla chil
126
+ cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
113
127
  engines.each { |name|
114
- OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
128
+ have_func("ENGINE_load_#{name}()", "openssl/engine.h")
115
129
  }
116
130
 
117
- if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
118
- $defs.push("-DNOCRYPT")
119
- end
120
-
121
- # added in 1.0.2
122
- have_func("EC_curve_nist2nid")
123
- have_func("X509_REVOKED_dup")
124
- have_func("X509_STORE_CTX_get0_store")
125
- have_func("SSL_CTX_set_alpn_select_cb")
126
- OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
127
- OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h")
128
- OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
129
- have_func("SSL_is_server")
130
-
131
131
  # added in 1.1.0
132
- if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
133
- try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
132
+ if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
134
133
  $defs.push("-DHAVE_OPAQUE_OPENSSL")
135
134
  end
136
- have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
137
- have_func("BN_GENCB_new")
138
- have_func("BN_GENCB_free")
139
- have_func("BN_GENCB_get_arg")
140
135
  have_func("EVP_MD_CTX_new")
141
136
  have_func("EVP_MD_CTX_free")
142
- have_func("HMAC_CTX_new")
143
- have_func("HMAC_CTX_free")
144
- OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
137
+ have_func("EVP_MD_CTX_pkey_ctx")
145
138
  have_func("X509_STORE_get_ex_data")
146
139
  have_func("X509_STORE_set_ex_data")
140
+ have_func("X509_STORE_get_ex_new_index")
147
141
  have_func("X509_CRL_get0_signature")
148
142
  have_func("X509_REQ_get0_signature")
149
143
  have_func("X509_REVOKED_get0_serialNumber")
@@ -159,12 +153,33 @@ have_func("X509_CRL_up_ref")
159
153
  have_func("X509_STORE_up_ref")
160
154
  have_func("SSL_SESSION_up_ref")
161
155
  have_func("EVP_PKEY_up_ref")
162
- OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
163
- OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
156
+ have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
164
157
  have_func("SSL_CTX_get_security_level")
165
158
  have_func("X509_get0_notBefore")
166
159
  have_func("SSL_SESSION_get_protocol_version")
160
+ have_func("TS_STATUS_INFO_get0_status")
161
+ have_func("TS_STATUS_INFO_get0_text")
162
+ have_func("TS_STATUS_INFO_get0_failure_info")
163
+ have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
164
+ have_func("TS_VERIFY_CTX_set_store")
165
+ have_func("TS_VERIFY_CTX_add_flags")
166
+ have_func("TS_RESP_CTX_set_time_cb")
167
167
  have_func("EVP_PBE_scrypt")
168
+ have_func("SSL_CTX_set_post_handshake_auth")
169
+
170
+ # added in 1.1.1
171
+ have_func("EVP_PKEY_check")
172
+
173
+ # added in 3.0.0
174
+ have_func("SSL_set0_tmp_dh_pkey")
175
+ have_func("ERR_get_error_all")
176
+ have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
177
+ have_func("SSL_CTX_load_verify_file")
178
+ have_func("BN_check_prime")
179
+ have_func("EVP_MD_CTX_get0_md")
180
+ have_func("EVP_MD_CTX_get_pkey_ctx")
181
+ have_func("EVP_PKEY_eq")
182
+ have_func("EVP_PKEY_dup")
168
183
 
169
184
  Logging::message "=== Checking done. ===\n"
170
185
 
@@ -10,77 +10,11 @@
10
10
  #include RUBY_EXTCONF_H
11
11
 
12
12
  #include <string.h> /* memcpy() */
13
- #if !defined(OPENSSL_NO_ENGINE)
14
- # include <openssl/engine.h>
15
- #endif
16
- #if !defined(OPENSSL_NO_HMAC)
17
- # include <openssl/hmac.h>
18
- #endif
19
13
  #include <openssl/x509_vfy.h>
20
14
 
21
15
  #include "openssl_missing.h"
22
16
 
23
- /* added in 1.0.2 */
24
- #if !defined(OPENSSL_NO_EC)
25
- #if !defined(HAVE_EC_CURVE_NIST2NID)
26
- static struct {
27
- const char *name;
28
- int nid;
29
- } nist_curves[] = {
30
- {"B-163", NID_sect163r2},
31
- {"B-233", NID_sect233r1},
32
- {"B-283", NID_sect283r1},
33
- {"B-409", NID_sect409r1},
34
- {"B-571", NID_sect571r1},
35
- {"K-163", NID_sect163k1},
36
- {"K-233", NID_sect233k1},
37
- {"K-283", NID_sect283k1},
38
- {"K-409", NID_sect409k1},
39
- {"K-571", NID_sect571k1},
40
- {"P-192", NID_X9_62_prime192v1},
41
- {"P-224", NID_secp224r1},
42
- {"P-256", NID_X9_62_prime256v1},
43
- {"P-384", NID_secp384r1},
44
- {"P-521", NID_secp521r1}
45
- };
46
-
47
- int
48
- ossl_EC_curve_nist2nid(const char *name)
49
- {
50
- size_t i;
51
- for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
52
- if (!strcmp(nist_curves[i].name, name))
53
- return nist_curves[i].nid;
54
- }
55
- return NID_undef;
56
- }
57
- #endif
58
- #endif
59
-
60
17
  /*** added in 1.1.0 ***/
61
- #if !defined(HAVE_HMAC_CTX_NEW)
62
- HMAC_CTX *
63
- ossl_HMAC_CTX_new(void)
64
- {
65
- HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
66
- if (!ctx)
67
- return NULL;
68
- HMAC_CTX_init(ctx);
69
- return ctx;
70
- }
71
- #endif
72
-
73
- #if !defined(HAVE_HMAC_CTX_FREE)
74
- void
75
- ossl_HMAC_CTX_free(HMAC_CTX *ctx)
76
- {
77
- if (ctx) {
78
- HMAC_CTX_cleanup(ctx);
79
- OPENSSL_free(ctx);
80
- }
81
- }
82
- #endif
83
-
84
18
  #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
85
19
  void
86
20
  ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,