openssl 2.1.2 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +232 -0
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +61 -46
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +60 -44
- data/ext/openssl/ossl.c +112 -66
- data/ext/openssl/ossl.h +28 -11
- data/ext/openssl/ossl_asn1.c +42 -5
- data/ext/openssl/ossl_bn.c +276 -146
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +38 -29
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +31 -62
- data/ext/openssl/ossl_engine.c +18 -27
- data/ext/openssl/ossl_hmac.c +52 -145
- data/ext/openssl/ossl_kdf.c +11 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +9 -62
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +45 -78
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1255 -178
- data/ext/openssl/ossl_pkey.h +40 -77
- data/ext/openssl/ossl_pkey_dh.c +125 -335
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +155 -318
- data/ext/openssl/ossl_pkey_rsa.c +105 -484
- data/ext/openssl/ossl_rand.c +2 -40
- data/ext/openssl/ossl_ssl.c +395 -364
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +86 -1
- data/ext/openssl/ossl_x509cert.c +166 -10
- data/ext/openssl/ossl_x509crl.c +10 -7
- data/ext/openssl/ossl_x509ext.c +15 -2
- data/ext/openssl/ossl_x509name.c +16 -5
- data/ext/openssl/ossl_x509req.c +10 -7
- data/ext/openssl/ossl_x509store.c +193 -92
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +42 -17
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +435 -1
- data/lib/openssl/ssl.rb +53 -14
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +13 -69
- data/ext/openssl/deprecation.rb +0 -23
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -474
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d382c0c6e46a7009fa58a8378b052341712f115f73f90c2409fdfa990c5c3a41
|
4
|
+
data.tar.gz: dc54eb994bb6c4de4e425c32702ec551b5c9d1d677062e629cbf162d171a5dec
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8516105c4fb7d40619519c8165d45c602dd6ed65971ad8289ad70e9a7fc89d36c16a801c62ecf7c82e9068f07a3a63df69c3d9faf693796b071c059cdb10f805
|
7
|
+
data.tar.gz: 5c6cc181f035383b724b6bd5d249e36797c5079482e88efa137e9dc74b0b338fd4be7d6d27d7e39a67054429a64d79305a15146c645ee23c97696f1838640c7a
|
data/CONTRIBUTING.md
CHANGED
@@ -12,14 +12,17 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
|
|
12
12
|
security issues here, there is a separate procedure which is described on
|
13
13
|
["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
|
14
14
|
|
15
|
-
When reporting a bug, please make sure you include
|
16
|
-
version of openssl gem, the version of the OpenSSL library, along with a sample
|
17
|
-
file that illustrates the problem or link to repository or gem that is
|
18
|
-
associated with the bug.
|
15
|
+
When reporting a bug, please make sure you include:
|
19
16
|
|
20
|
-
|
17
|
+
* Ruby version (`ruby -v`)
|
18
|
+
* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
|
19
|
+
* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
|
20
|
+
* A sample file that illustrates the problem or link to the repository or
|
21
|
+
gem that is associated with the bug.
|
22
|
+
|
23
|
+
There are a number of unresolved issues and feature requests for openssl that
|
21
24
|
need review. Before submitting a new ticket, it is recommended to check
|
22
|
-
[known issues]
|
25
|
+
[known issues].
|
23
26
|
|
24
27
|
## Submitting patches
|
25
28
|
|
@@ -32,62 +35,50 @@ Make sure that your branch does:
|
|
32
35
|
* Have good commit messages
|
33
36
|
* Follow Ruby's coding style ([DeveloperHowTo])
|
34
37
|
* Pass the test suite successfully (see "Testing")
|
35
|
-
* Add an entry to [History.md] if necessary
|
36
38
|
|
37
39
|
## Testing
|
38
40
|
|
39
41
|
We have a test suite!
|
40
42
|
|
41
43
|
Test cases are located under the
|
42
|
-
[`test
|
44
|
+
[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
|
45
|
+
directory.
|
43
46
|
|
44
47
|
You can run it with the following three commands:
|
45
48
|
|
46
49
|
```
|
47
|
-
$
|
48
|
-
$ rake compile
|
49
|
-
$ rake test
|
50
|
+
$ bundle install # installs rake-compiler, test-unit, ...
|
51
|
+
$ bundle exec rake compile
|
52
|
+
$ bundle exec rake test
|
50
53
|
```
|
51
54
|
|
52
|
-
###
|
53
|
-
|
54
|
-
You can also use Docker Compose to run tests. It can be used to check that your
|
55
|
-
changes work correctly with various supported versions of Ruby and OpenSSL.
|
56
|
-
|
57
|
-
First, you need to install [Docker](https://www.docker.com/products/docker) and
|
58
|
-
[Docker Compose](https://www.docker.com/products/docker-compose) on your
|
59
|
-
computer.
|
55
|
+
### With different versions of OpenSSL
|
60
56
|
|
61
|
-
|
62
|
-
|
63
|
-
instructions for your package manager. For further information, please check
|
64
|
-
the [official documentation](https://docs.docker.com/).
|
57
|
+
Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
|
58
|
+
to pass on all supported combinations.
|
65
59
|
|
66
|
-
|
67
|
-
|
68
|
-
|
60
|
+
Similarly to when installing `openssl` gem via the `gem` command,
|
61
|
+
you can pass a `--with-openssl-dir` argument to `rake compile`
|
62
|
+
to specify the OpenSSL library to build against.
|
69
63
|
|
70
64
|
```
|
71
|
-
$
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
65
|
+
$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
|
66
|
+
tar xf openssl-3.0.1.tar.gz &&
|
67
|
+
cd openssl-3.0.1 &&
|
68
|
+
./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
|
69
|
+
make -j4 &&
|
70
|
+
make install )
|
71
|
+
|
72
|
+
$ # in Ruby/OpenSSL's source directory
|
73
|
+
$ bundle exec rake clean
|
74
|
+
$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
|
75
|
+
$ bundle exec rake test
|
78
76
|
```
|
79
77
|
|
80
|
-
|
81
|
-
[
|
82
|
-
|
83
|
-
|
84
|
-
to use the
|
85
|
-
[`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
|
86
|
-
file we have provided.
|
87
|
-
|
88
|
-
This Docker image is built using the
|
89
|
-
[Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
|
90
|
-
provided in the repository.
|
78
|
+
The GitHub Actions workflow file
|
79
|
+
[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
|
80
|
+
contains useful information for building OpenSSL/LibreSSL and testing against
|
81
|
+
them.
|
91
82
|
|
92
83
|
|
93
84
|
## Relation with Ruby source tree
|
@@ -122,7 +113,6 @@ _Thanks for your contributions!_
|
|
122
113
|
|
123
114
|
[GitHub]: https://github.com/ruby/openssl
|
124
115
|
[known issues]: https://github.com/ruby/openssl/issues
|
125
|
-
[bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
|
126
116
|
[DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
|
127
117
|
[HackerOne]: https://hackerone.com/ruby
|
128
118
|
[Security]: https://www.ruby-lang.org/en/security/
|
data/History.md
CHANGED
@@ -1,3 +1,235 @@
|
|
1
|
+
Version 3.0.0
|
2
|
+
=============
|
3
|
+
|
4
|
+
Compatibility notes
|
5
|
+
-------------------
|
6
|
+
|
7
|
+
* OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
|
8
|
+
[[GitHub #396]](https://github.com/ruby/openssl/pull/396)
|
9
|
+
[[GitHub #466]](https://github.com/ruby/openssl/pull/466)
|
10
|
+
|
11
|
+
* OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
|
12
|
+
1.1 and contains incompatible changes that affect Ruby/OpenSSL.
|
13
|
+
Note that OpenSSL 3.0 support is preliminary and not all features are
|
14
|
+
currently available:
|
15
|
+
[[GitHub #369]](https://github.com/ruby/openssl/issues/369)
|
16
|
+
|
17
|
+
- Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
|
18
|
+
made EVP_PKEY structure immutable, and hence the following methods are not
|
19
|
+
available when Ruby/OpenSSL is linked against OpenSSL 3.0.
|
20
|
+
[[GitHub #480]](https://github.com/ruby/openssl/pull/480)
|
21
|
+
|
22
|
+
- `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
|
23
|
+
- `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
|
24
|
+
- `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
|
25
|
+
- `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
|
26
|
+
|
27
|
+
- Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
|
28
|
+
in favor of the new "provider" concept and will be removed in a future
|
29
|
+
version.
|
30
|
+
[[GitHub #481]](https://github.com/ruby/openssl/pull/481)
|
31
|
+
|
32
|
+
* `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
|
33
|
+
deprecated since v2.0.0 because it is incompatible with modern OpenSSL
|
34
|
+
versions.
|
35
|
+
[[GitHub #394]](https://github.com/ruby/openssl/pull/394)
|
36
|
+
|
37
|
+
* `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
|
38
|
+
if called before a TLS connection is established. Historically, they
|
39
|
+
read/wrote unencrypted data to the underlying socket directly in that case.
|
40
|
+
[[GitHub #9]](https://github.com/ruby/openssl/issues/9)
|
41
|
+
[[GitHub #469]](https://github.com/ruby/openssl/pull/469)
|
42
|
+
|
43
|
+
|
44
|
+
Notable changes
|
45
|
+
---------------
|
46
|
+
|
47
|
+
* Enhance OpenSSL::PKey's common interface.
|
48
|
+
[[GitHub #370]](https://github.com/ruby/openssl/issues/370)
|
49
|
+
|
50
|
+
- Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
|
51
|
+
DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
|
52
|
+
[[GitHub #328]](https://github.com/ruby/openssl/issues/328)
|
53
|
+
- Key generation: Add `OpenSSL::PKey.generate_parameters` and
|
54
|
+
`OpenSSL::PKey.generate_key`.
|
55
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
56
|
+
- Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
|
57
|
+
the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
|
58
|
+
or later. They also now take optional algorithm-specific parameters for more
|
59
|
+
control.
|
60
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
61
|
+
- Low-level public key signing and verification: Add
|
62
|
+
`OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
|
63
|
+
[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
|
64
|
+
- Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
|
65
|
+
[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
|
66
|
+
- Key agreement: Add `OpenSSL::PKey::PKey#derive`.
|
67
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
68
|
+
- Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
|
69
|
+
that two keys have common parameters and a public key.
|
70
|
+
[[GitHub #383]](https://github.com/ruby/openssl/issues/383)
|
71
|
+
|
72
|
+
* Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
|
73
|
+
with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
|
74
|
+
[[GitHub #417]](https://github.com/ruby/openssl/issues/417)
|
75
|
+
|
76
|
+
* Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
|
77
|
+
[[GitHub #430]](https://github.com/ruby/openssl/issues/430)
|
78
|
+
|
79
|
+
* Add `OpenSSL::SSL::SSLSocket#getbyte`.
|
80
|
+
[[GitHub #438]](https://github.com/ruby/openssl/issues/438)
|
81
|
+
|
82
|
+
* Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
|
83
|
+
[[GitHub #459]](https://github.com/ruby/openssl/pull/459)
|
84
|
+
|
85
|
+
* Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
|
86
|
+
list of X.509 certificates at once.
|
87
|
+
[[GitHub #441]](https://github.com/ruby/openssl/pull/441)
|
88
|
+
|
89
|
+
* Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
|
90
|
+
string first as DER encoding first and then as PEM encoding to ensure the
|
91
|
+
round-trip consistency.
|
92
|
+
[[GitHub #442]](https://github.com/ruby/openssl/pull/442)
|
93
|
+
|
94
|
+
* Update various part of the code base to use the modern API. No breaking
|
95
|
+
changes are intended with this. This includes:
|
96
|
+
|
97
|
+
- `OpenSSL::HMAC` uses the EVP API.
|
98
|
+
[[GitHub #371]](https://github.com/ruby/openssl/issues/371)
|
99
|
+
- `OpenSSL::Config` uses native OpenSSL API to parse config files.
|
100
|
+
[[GitHub #342]](https://github.com/ruby/openssl/issues/342)
|
101
|
+
|
102
|
+
|
103
|
+
Version 2.2.1
|
104
|
+
=============
|
105
|
+
|
106
|
+
Merged changes in 2.1.3. Additionally, the following issues are fixed by this
|
107
|
+
release.
|
108
|
+
|
109
|
+
Bug fixes
|
110
|
+
---------
|
111
|
+
|
112
|
+
* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
|
113
|
+
invalid arguments are given.
|
114
|
+
[[GitHub #407]](https://github.com/ruby/openssl/pull/407)
|
115
|
+
* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
|
116
|
+
where `time_t` has a different size from `long`.
|
117
|
+
[[GitHub #454]](https://github.com/ruby/openssl/pull/454)
|
118
|
+
|
119
|
+
|
120
|
+
Version 2.2.0
|
121
|
+
=============
|
122
|
+
|
123
|
+
Compatibility notes
|
124
|
+
-------------------
|
125
|
+
|
126
|
+
* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
|
127
|
+
* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
|
128
|
+
[[GitHub #266]](https://github.com/ruby/openssl/pull/266)
|
129
|
+
* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
|
130
|
+
[[GitHub #322]](https://github.com/ruby/openssl/pull/322)
|
131
|
+
|
132
|
+
|
133
|
+
Notable changes
|
134
|
+
---------------
|
135
|
+
|
136
|
+
* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
|
137
|
+
5 to `Socket::SOMAXCONN`.
|
138
|
+
[[GitHub #286]](https://github.com/ruby/openssl/issues/286)
|
139
|
+
* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
|
140
|
+
[[GitHub #284]](https://github.com/ruby/openssl/pull/284)
|
141
|
+
* Add support for SHA3 and BLAKE digests.
|
142
|
+
[[GitHub #282]](https://github.com/ruby/openssl/pull/282)
|
143
|
+
* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
|
144
|
+
returning an `OpenSSL::SSL::SSLSocket` for it.
|
145
|
+
[[GitHub #225]](https://github.com/ruby/openssl/issues/225)
|
146
|
+
* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
|
147
|
+
[[GitHub #281]](https://github.com/ruby/openssl/pull/281)
|
148
|
+
[[GitHub #363]](https://github.com/ruby/openssl/pull/363)
|
149
|
+
* Add `OpenSSL.secure_compare` for timing safe string comparison for
|
150
|
+
strings of possibly unequal length.
|
151
|
+
[[GitHub #280]](https://github.com/ruby/openssl/pull/280)
|
152
|
+
* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
|
153
|
+
comparison for strings of equal length.
|
154
|
+
[[GitHub #269]](https://github.com/ruby/openssl/pull/269)
|
155
|
+
* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
|
156
|
+
for last finished message sent and received.
|
157
|
+
[[GitHub #250]](https://github.com/ruby/openssl/pull/250)
|
158
|
+
* Add `OpenSSL::Timestamp` module for handing timestamp requests and
|
159
|
+
responses.
|
160
|
+
[[GitHub #204]](https://github.com/ruby/openssl/pull/204)
|
161
|
+
* Add helper methods for `OpenSSL::X509::Certificate`:
|
162
|
+
`find_extension`, `subject_key_identifier`,
|
163
|
+
`authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
|
164
|
+
`ocsp_uris`, and for `OpenSSL::X509::CRL`:
|
165
|
+
`find_extension` and `subject_key_identifier`.
|
166
|
+
[[GitHub #260]](https://github.com/ruby/openssl/pull/260)
|
167
|
+
[[GitHub #275]](https://github.com/ruby/openssl/pull/275)
|
168
|
+
[[GitHub #293]](https://github.com/ruby/openssl/pull/293)
|
169
|
+
* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
|
170
|
+
[[GitHub #261]](https://github.com/ruby/openssl/pull/261)
|
171
|
+
* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
|
172
|
+
`crt_params` to do proper private key serialization.
|
173
|
+
[[GitHub #258]](https://github.com/ruby/openssl/pull/258)
|
174
|
+
* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
|
175
|
+
underlying socket file descriptor number.
|
176
|
+
[[GitHub #247]](https://github.com/ruby/openssl/pull/247)
|
177
|
+
* Support client certificates with TLS 1.3, and support post-handshake
|
178
|
+
authentication with OpenSSL 1.1.1+.
|
179
|
+
[[GitHub #239]](https://github.com/ruby/openssl/pull/239)
|
180
|
+
* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
|
181
|
+
* Add `OpenSSL::X509::Extension#value_der` for the raw value of
|
182
|
+
the extension.
|
183
|
+
[[GitHub #234]](https://github.com/ruby/openssl/pull/234)
|
184
|
+
* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
|
185
|
+
[[GitHub #212]](https://github.com/ruby/openssl/pull/212)
|
186
|
+
* Ensure all valid IPv6 addresses are considered valid as elements
|
187
|
+
of subjectAlternativeName in certificates.
|
188
|
+
[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
|
189
|
+
* Allow recipient's certificate to be omitted in PCKS7#decrypt.
|
190
|
+
[[GitHub #183]](https://github.com/ruby/openssl/pull/183)
|
191
|
+
* Add support for reading keys in PKCS #8 format and export via instance methods
|
192
|
+
added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
|
193
|
+
`public_to_der` and `public_to_pem`.
|
194
|
+
[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
|
195
|
+
|
196
|
+
|
197
|
+
Version 2.1.3
|
198
|
+
=============
|
199
|
+
|
200
|
+
Bug fixes
|
201
|
+
---------
|
202
|
+
|
203
|
+
* Fix deprecation warnings on Ruby 3.0.
|
204
|
+
* Add ".include" directive support in `OpenSSL::Config`.
|
205
|
+
[[GitHub #216]](https://github.com/ruby/openssl/pull/216)
|
206
|
+
* Fix handling of IPv6 address SANs.
|
207
|
+
[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
|
208
|
+
* Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
|
209
|
+
sets a proper error code.
|
210
|
+
[[GitHub #350]](https://github.com/ruby/openssl/pull/350)
|
211
|
+
* Fix crash with `OpenSSL::BN.new(nil, 2)`.
|
212
|
+
[[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
|
213
|
+
* `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
|
214
|
+
being modified by another thread.
|
215
|
+
[[GitHub #453]](https://github.com/ruby/openssl/pull/453)
|
216
|
+
* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
|
217
|
+
for output.
|
218
|
+
* Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
|
219
|
+
[[GitHub #460]](https://github.com/ruby/openssl/pull/460)
|
220
|
+
* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
|
221
|
+
newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
|
222
|
+
OpenSSL 3.0 API.
|
223
|
+
[[GitHub #458]](https://github.com/ruby/openssl/pull/458)
|
224
|
+
* Activate `digest` gem correctly. `digest` library could go into an
|
225
|
+
inconsistent state if there are multiple versions of `digest` is installed
|
226
|
+
and `openssl` is `require`d before `digest`.
|
227
|
+
[[GitHub #463]](https://github.com/ruby/openssl/pull/463)
|
228
|
+
* Fix GC.compact compatibility.
|
229
|
+
[[GitHub #464]](https://github.com/ruby/openssl/issues/464)
|
230
|
+
[[GitHub #465]](https://github.com/ruby/openssl/pull/465)
|
231
|
+
|
232
|
+
|
1
233
|
Version 2.1.2
|
2
234
|
=============
|
3
235
|
|
data/README.md
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# OpenSSL for Ruby
|
2
2
|
|
3
|
-
[](https://github.com/ruby/openssl/actions?workflow=CI)
|
4
|
+
|
5
5
|
|
6
6
|
OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
|
7
7
|
OpenSSL library.
|
data/ext/openssl/extconf.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# -*- coding: us-ascii -*-
|
2
|
-
# frozen_string_literal:
|
2
|
+
# frozen_string_literal: true
|
3
3
|
=begin
|
4
4
|
= Info
|
5
5
|
'OpenSSL for Ruby 2' project
|
@@ -12,16 +12,12 @@
|
|
12
12
|
=end
|
13
13
|
|
14
14
|
require "mkmf"
|
15
|
-
require File.expand_path('../deprecation', __FILE__)
|
16
15
|
|
17
16
|
dir_config("openssl")
|
18
17
|
dir_config("kerberos")
|
19
18
|
|
20
19
|
Logging::message "=== OpenSSL for Ruby configurator ===\n"
|
21
20
|
|
22
|
-
# Add -Werror=deprecated-declarations to $warnflags if available
|
23
|
-
OpenSSL.deprecated_warning_flag
|
24
|
-
|
25
21
|
##
|
26
22
|
# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
|
27
23
|
# To turn it on, use: --with-debug or --enable-debug
|
@@ -30,6 +26,8 @@ if with_config("debug") or enable_config("debug")
|
|
30
26
|
$defs.push("-DOSSL_DEBUG")
|
31
27
|
end
|
32
28
|
|
29
|
+
have_func("rb_io_maybe_wait") # Ruby 3.1
|
30
|
+
|
33
31
|
Logging::message "=== Checking for system dependent stuff... ===\n"
|
34
32
|
have_library("nsl", "t_open")
|
35
33
|
have_library("socket", "socket")
|
@@ -37,8 +35,11 @@ if $mswin || $mingw
|
|
37
35
|
have_library("ws2_32")
|
38
36
|
end
|
39
37
|
|
40
|
-
|
41
|
-
|
38
|
+
if $mingw
|
39
|
+
append_cflags '-D_FORTIFY_SOURCE=2'
|
40
|
+
append_ldflags '-fstack-protector'
|
41
|
+
have_library 'ssp'
|
42
|
+
end
|
42
43
|
|
43
44
|
def find_openssl_library
|
44
45
|
if $mswin || $mingw
|
@@ -90,60 +91,53 @@ def find_openssl_library
|
|
90
91
|
return false
|
91
92
|
end
|
92
93
|
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
94
|
+
Logging::message "=== Checking for required stuff... ===\n"
|
95
|
+
pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
|
96
|
+
|
97
|
+
if !pkg_config_found && !find_openssl_library
|
98
|
+
Logging::message "=== Checking for required stuff failed. ===\n"
|
99
|
+
Logging::message "Makefile wasn't created. Fix the errors above.\n"
|
100
|
+
raise "OpenSSL library could not be found. You might want to use " \
|
101
|
+
"--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
|
102
|
+
"is installed."
|
103
|
+
end
|
104
|
+
|
105
|
+
version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
|
106
|
+
is_libressl = true
|
107
|
+
checking_for("LibreSSL version >= 3.1.0") {
|
108
|
+
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
|
109
|
+
else
|
110
|
+
checking_for("OpenSSL version >= 1.0.2") {
|
111
|
+
try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
|
112
|
+
end
|
113
|
+
unless version_ok
|
114
|
+
raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
|
101
115
|
end
|
102
116
|
|
103
|
-
|
104
|
-
|
105
|
-
|
117
|
+
# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
|
118
|
+
if is_libressl && ($mswin || $mingw)
|
119
|
+
$defs.push("-DNOCRYPT")
|
106
120
|
end
|
107
121
|
|
108
122
|
Logging::message "=== Checking for OpenSSL features... ===\n"
|
109
123
|
# compile options
|
110
124
|
have_func("RAND_egd")
|
111
|
-
engines = %w{
|
112
|
-
cswift nuron sureware ubsec padlock capi gmp gost cryptodev
|
125
|
+
engines = %w{dynamic 4758cca aep atalla chil
|
126
|
+
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
|
113
127
|
engines.each { |name|
|
114
|
-
|
128
|
+
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
|
115
129
|
}
|
116
130
|
|
117
|
-
if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
|
118
|
-
$defs.push("-DNOCRYPT")
|
119
|
-
end
|
120
|
-
|
121
|
-
# added in 1.0.2
|
122
|
-
have_func("EC_curve_nist2nid")
|
123
|
-
have_func("X509_REVOKED_dup")
|
124
|
-
have_func("X509_STORE_CTX_get0_store")
|
125
|
-
have_func("SSL_CTX_set_alpn_select_cb")
|
126
|
-
OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
|
127
|
-
OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h")
|
128
|
-
OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
|
129
|
-
have_func("SSL_is_server")
|
130
|
-
|
131
131
|
# added in 1.1.0
|
132
|
-
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
|
133
|
-
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
|
132
|
+
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
|
134
133
|
$defs.push("-DHAVE_OPAQUE_OPENSSL")
|
135
134
|
end
|
136
|
-
have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
|
137
|
-
have_func("BN_GENCB_new")
|
138
|
-
have_func("BN_GENCB_free")
|
139
|
-
have_func("BN_GENCB_get_arg")
|
140
135
|
have_func("EVP_MD_CTX_new")
|
141
136
|
have_func("EVP_MD_CTX_free")
|
142
|
-
have_func("
|
143
|
-
have_func("HMAC_CTX_free")
|
144
|
-
OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
|
137
|
+
have_func("EVP_MD_CTX_pkey_ctx")
|
145
138
|
have_func("X509_STORE_get_ex_data")
|
146
139
|
have_func("X509_STORE_set_ex_data")
|
140
|
+
have_func("X509_STORE_get_ex_new_index")
|
147
141
|
have_func("X509_CRL_get0_signature")
|
148
142
|
have_func("X509_REQ_get0_signature")
|
149
143
|
have_func("X509_REVOKED_get0_serialNumber")
|
@@ -159,12 +153,33 @@ have_func("X509_CRL_up_ref")
|
|
159
153
|
have_func("X509_STORE_up_ref")
|
160
154
|
have_func("SSL_SESSION_up_ref")
|
161
155
|
have_func("EVP_PKEY_up_ref")
|
162
|
-
|
163
|
-
OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
|
156
|
+
have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
|
164
157
|
have_func("SSL_CTX_get_security_level")
|
165
158
|
have_func("X509_get0_notBefore")
|
166
159
|
have_func("SSL_SESSION_get_protocol_version")
|
160
|
+
have_func("TS_STATUS_INFO_get0_status")
|
161
|
+
have_func("TS_STATUS_INFO_get0_text")
|
162
|
+
have_func("TS_STATUS_INFO_get0_failure_info")
|
163
|
+
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
|
164
|
+
have_func("TS_VERIFY_CTX_set_store")
|
165
|
+
have_func("TS_VERIFY_CTX_add_flags")
|
166
|
+
have_func("TS_RESP_CTX_set_time_cb")
|
167
167
|
have_func("EVP_PBE_scrypt")
|
168
|
+
have_func("SSL_CTX_set_post_handshake_auth")
|
169
|
+
|
170
|
+
# added in 1.1.1
|
171
|
+
have_func("EVP_PKEY_check")
|
172
|
+
|
173
|
+
# added in 3.0.0
|
174
|
+
have_func("SSL_set0_tmp_dh_pkey")
|
175
|
+
have_func("ERR_get_error_all")
|
176
|
+
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
177
|
+
have_func("SSL_CTX_load_verify_file")
|
178
|
+
have_func("BN_check_prime")
|
179
|
+
have_func("EVP_MD_CTX_get0_md")
|
180
|
+
have_func("EVP_MD_CTX_get_pkey_ctx")
|
181
|
+
have_func("EVP_PKEY_eq")
|
182
|
+
have_func("EVP_PKEY_dup")
|
168
183
|
|
169
184
|
Logging::message "=== Checking done. ===\n"
|
170
185
|
|
@@ -10,77 +10,11 @@
|
|
10
10
|
#include RUBY_EXTCONF_H
|
11
11
|
|
12
12
|
#include <string.h> /* memcpy() */
|
13
|
-
#if !defined(OPENSSL_NO_ENGINE)
|
14
|
-
# include <openssl/engine.h>
|
15
|
-
#endif
|
16
|
-
#if !defined(OPENSSL_NO_HMAC)
|
17
|
-
# include <openssl/hmac.h>
|
18
|
-
#endif
|
19
13
|
#include <openssl/x509_vfy.h>
|
20
14
|
|
21
15
|
#include "openssl_missing.h"
|
22
16
|
|
23
|
-
/* added in 1.0.2 */
|
24
|
-
#if !defined(OPENSSL_NO_EC)
|
25
|
-
#if !defined(HAVE_EC_CURVE_NIST2NID)
|
26
|
-
static struct {
|
27
|
-
const char *name;
|
28
|
-
int nid;
|
29
|
-
} nist_curves[] = {
|
30
|
-
{"B-163", NID_sect163r2},
|
31
|
-
{"B-233", NID_sect233r1},
|
32
|
-
{"B-283", NID_sect283r1},
|
33
|
-
{"B-409", NID_sect409r1},
|
34
|
-
{"B-571", NID_sect571r1},
|
35
|
-
{"K-163", NID_sect163k1},
|
36
|
-
{"K-233", NID_sect233k1},
|
37
|
-
{"K-283", NID_sect283k1},
|
38
|
-
{"K-409", NID_sect409k1},
|
39
|
-
{"K-571", NID_sect571k1},
|
40
|
-
{"P-192", NID_X9_62_prime192v1},
|
41
|
-
{"P-224", NID_secp224r1},
|
42
|
-
{"P-256", NID_X9_62_prime256v1},
|
43
|
-
{"P-384", NID_secp384r1},
|
44
|
-
{"P-521", NID_secp521r1}
|
45
|
-
};
|
46
|
-
|
47
|
-
int
|
48
|
-
ossl_EC_curve_nist2nid(const char *name)
|
49
|
-
{
|
50
|
-
size_t i;
|
51
|
-
for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
|
52
|
-
if (!strcmp(nist_curves[i].name, name))
|
53
|
-
return nist_curves[i].nid;
|
54
|
-
}
|
55
|
-
return NID_undef;
|
56
|
-
}
|
57
|
-
#endif
|
58
|
-
#endif
|
59
|
-
|
60
17
|
/*** added in 1.1.0 ***/
|
61
|
-
#if !defined(HAVE_HMAC_CTX_NEW)
|
62
|
-
HMAC_CTX *
|
63
|
-
ossl_HMAC_CTX_new(void)
|
64
|
-
{
|
65
|
-
HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
|
66
|
-
if (!ctx)
|
67
|
-
return NULL;
|
68
|
-
HMAC_CTX_init(ctx);
|
69
|
-
return ctx;
|
70
|
-
}
|
71
|
-
#endif
|
72
|
-
|
73
|
-
#if !defined(HAVE_HMAC_CTX_FREE)
|
74
|
-
void
|
75
|
-
ossl_HMAC_CTX_free(HMAC_CTX *ctx)
|
76
|
-
{
|
77
|
-
if (ctx) {
|
78
|
-
HMAC_CTX_cleanup(ctx);
|
79
|
-
OPENSSL_free(ctx);
|
80
|
-
}
|
81
|
-
}
|
82
|
-
#endif
|
83
|
-
|
84
18
|
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
|
85
19
|
void
|
86
20
|
ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
|