openssl 2.1.3 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +302 -1
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +77 -62
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +59 -43
- data/ext/openssl/ossl.c +110 -64
- data/ext/openssl/ossl.h +33 -10
- data/ext/openssl/ossl_asn1.c +51 -13
- data/ext/openssl/ossl_bn.c +275 -146
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +39 -31
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +25 -60
- data/ext/openssl/ossl_engine.c +18 -27
- data/ext/openssl/ossl_hmac.c +60 -145
- data/ext/openssl/ossl_kdf.c +14 -22
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +11 -64
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +45 -78
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1295 -178
- data/ext/openssl/ossl_pkey.h +36 -73
- data/ext/openssl/ossl_pkey_dh.c +130 -340
- data/ext/openssl/ossl_pkey_dsa.c +100 -405
- data/ext/openssl/ossl_pkey_ec.c +192 -335
- data/ext/openssl/ossl_pkey_rsa.c +110 -489
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +556 -442
- data/ext/openssl/ossl_ssl_session.c +28 -29
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +169 -13
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +15 -2
- data/ext/openssl/ossl_x509name.c +15 -4
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +154 -70
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +37 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +447 -1
- data/lib/openssl/ssl.rb +52 -9
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +10 -79
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -492
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 239c530562472710697b8da573b8aa64b477c02f5895907220e83e9f09c88fec
|
4
|
+
data.tar.gz: 62f2d04df3f693b995bf29be9d299c9f916f44a82b5bc5df60e9f46a748990d8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 05f891730a9dea150a2cecedb8decbf7f7dbb500cc825226a635fce8ca195a2dbf036de38dbdb7462cbb18e2e3c8aca337c1e1d9d021a94bbc444312dcf26568
|
7
|
+
data.tar.gz: 4cff09ce02fc107422829ca552c97cf912f2b5f129c87e37137b153fd2c09d9a231493af7ce32f391c32828b3ffc64bf905adf6a1e3fad943e78ca81048a4f96
|
data/CONTRIBUTING.md
CHANGED
@@ -12,14 +12,17 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
|
|
12
12
|
security issues here, there is a separate procedure which is described on
|
13
13
|
["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
|
14
14
|
|
15
|
-
When reporting a bug, please make sure you include
|
16
|
-
version of openssl gem, the version of the OpenSSL library, along with a sample
|
17
|
-
file that illustrates the problem or link to repository or gem that is
|
18
|
-
associated with the bug.
|
15
|
+
When reporting a bug, please make sure you include:
|
19
16
|
|
20
|
-
|
17
|
+
* Ruby version (`ruby -v`)
|
18
|
+
* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
|
19
|
+
* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
|
20
|
+
* A sample file that illustrates the problem or link to the repository or
|
21
|
+
gem that is associated with the bug.
|
22
|
+
|
23
|
+
There are a number of unresolved issues and feature requests for openssl that
|
21
24
|
need review. Before submitting a new ticket, it is recommended to check
|
22
|
-
[known issues]
|
25
|
+
[known issues].
|
23
26
|
|
24
27
|
## Submitting patches
|
25
28
|
|
@@ -32,62 +35,50 @@ Make sure that your branch does:
|
|
32
35
|
* Have good commit messages
|
33
36
|
* Follow Ruby's coding style ([DeveloperHowTo])
|
34
37
|
* Pass the test suite successfully (see "Testing")
|
35
|
-
* Add an entry to [History.md] if necessary
|
36
38
|
|
37
39
|
## Testing
|
38
40
|
|
39
41
|
We have a test suite!
|
40
42
|
|
41
43
|
Test cases are located under the
|
42
|
-
[`test
|
44
|
+
[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
|
45
|
+
directory.
|
43
46
|
|
44
47
|
You can run it with the following three commands:
|
45
48
|
|
46
49
|
```
|
47
|
-
$
|
48
|
-
$ rake compile
|
49
|
-
$ rake test
|
50
|
+
$ bundle install # installs rake-compiler, test-unit, ...
|
51
|
+
$ bundle exec rake compile
|
52
|
+
$ bundle exec rake test
|
50
53
|
```
|
51
54
|
|
52
|
-
###
|
53
|
-
|
54
|
-
You can also use Docker Compose to run tests. It can be used to check that your
|
55
|
-
changes work correctly with various supported versions of Ruby and OpenSSL.
|
56
|
-
|
57
|
-
First, you need to install [Docker](https://www.docker.com/products/docker) and
|
58
|
-
[Docker Compose](https://www.docker.com/products/docker-compose) on your
|
59
|
-
computer.
|
55
|
+
### With different versions of OpenSSL
|
60
56
|
|
61
|
-
|
62
|
-
|
63
|
-
instructions for your package manager. For further information, please check
|
64
|
-
the [official documentation](https://docs.docker.com/).
|
57
|
+
Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
|
58
|
+
to pass on all supported combinations.
|
65
59
|
|
66
|
-
|
67
|
-
|
68
|
-
|
60
|
+
Similarly to when installing `openssl` gem via the `gem` command,
|
61
|
+
you can pass a `--with-openssl-dir` argument to `rake compile`
|
62
|
+
to specify the OpenSSL library to build against.
|
69
63
|
|
70
64
|
```
|
71
|
-
$
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
65
|
+
$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
|
66
|
+
tar xf openssl-3.0.1.tar.gz &&
|
67
|
+
cd openssl-3.0.1 &&
|
68
|
+
./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
|
69
|
+
make -j4 &&
|
70
|
+
make install )
|
71
|
+
|
72
|
+
$ # in Ruby/OpenSSL's source directory
|
73
|
+
$ bundle exec rake clean
|
74
|
+
$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
|
75
|
+
$ bundle exec rake test
|
78
76
|
```
|
79
77
|
|
80
|
-
|
81
|
-
[
|
82
|
-
|
83
|
-
|
84
|
-
to use the
|
85
|
-
[`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
|
86
|
-
file we have provided.
|
87
|
-
|
88
|
-
This Docker image is built using the
|
89
|
-
[Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
|
90
|
-
provided in the repository.
|
78
|
+
The GitHub Actions workflow file
|
79
|
+
[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
|
80
|
+
contains useful information for building OpenSSL/LibreSSL and testing against
|
81
|
+
them.
|
91
82
|
|
92
83
|
|
93
84
|
## Relation with Ruby source tree
|
@@ -122,7 +113,6 @@ _Thanks for your contributions!_
|
|
122
113
|
|
123
114
|
[GitHub]: https://github.com/ruby/openssl
|
124
115
|
[known issues]: https://github.com/ruby/openssl/issues
|
125
|
-
[bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
|
126
116
|
[DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
|
127
117
|
[HackerOne]: https://hackerone.com/ruby
|
128
118
|
[Security]: https://www.ruby-lang.org/en/security/
|
data/History.md
CHANGED
@@ -1,3 +1,304 @@
|
|
1
|
+
Version 3.1.0
|
2
|
+
=============
|
3
|
+
|
4
|
+
Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
|
5
|
+
|
6
|
+
Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
|
7
|
+
|
8
|
+
Notable changes
|
9
|
+
---------------
|
10
|
+
|
11
|
+
* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
|
12
|
+
suites.
|
13
|
+
[[GitHub #493]](https://github.com/ruby/openssl/pull/493)
|
14
|
+
* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
|
15
|
+
material of the session, as defined in RFC 5705.
|
16
|
+
[[GitHub #530]](https://github.com/ruby/openssl/pull/530)
|
17
|
+
* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
|
18
|
+
callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
|
19
|
+
[[GitHub #536]](https://github.com/ruby/openssl/pull/536)
|
20
|
+
* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
|
21
|
+
and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
|
22
|
+
methods used to be equivalent of specifying SHA-1. This default value is now
|
23
|
+
removed and we will let the underlying OpenSSL library decide instead.
|
24
|
+
[[GitHub #507]](https://github.com/ruby/openssl/pull/507)
|
25
|
+
* Add `OpenSSL::BN#mod_sqrt`.
|
26
|
+
[[GitHub #553]](https://github.com/ruby/openssl/pull/553)
|
27
|
+
* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
|
28
|
+
prohibited to workaround an ancient bug in OpenSSL.
|
29
|
+
[[GitHub #568]](https://github.com/ruby/openssl/pull/568)
|
30
|
+
* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
|
31
|
+
will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
|
32
|
+
[[GitHub #558]](https://github.com/ruby/openssl/pull/558)
|
33
|
+
* Improve support for recent LibreSSL versions. This includes HKDF support in
|
34
|
+
LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
|
35
|
+
|
36
|
+
|
37
|
+
Version 3.0.2
|
38
|
+
=============
|
39
|
+
|
40
|
+
Merged changes in 2.2.3. Additionally, the following issues are fixed by this
|
41
|
+
release.
|
42
|
+
|
43
|
+
Bug fixes
|
44
|
+
---------
|
45
|
+
|
46
|
+
* Fix OpenSSL::PKey::EC#check_key not working correctly on OpenSSL 3.0.
|
47
|
+
[[GitHub #563]](https://github.com/ruby/openssl/issues/563)
|
48
|
+
[[GitHub #580]](https://github.com/ruby/openssl/pull/580)
|
49
|
+
|
50
|
+
|
51
|
+
Version 3.0.1
|
52
|
+
=============
|
53
|
+
|
54
|
+
Merged changes in 2.1.4 and 2.2.2. Additionally, the following issues are fixed
|
55
|
+
by this release.
|
56
|
+
|
57
|
+
Bug fixes
|
58
|
+
---------
|
59
|
+
|
60
|
+
* Add missing type check in OpenSSL::PKey::PKey#sign's optional parameters.
|
61
|
+
[[GitHub #531]](https://github.com/ruby/openssl/pull/531)
|
62
|
+
* Work around OpenSSL 3.0's HMAC issues with a zero-length key.
|
63
|
+
[[GitHub #538]](https://github.com/ruby/openssl/pull/538)
|
64
|
+
* Fix a regression in OpenSSL::PKey::DSA.generate's default of 'q' size.
|
65
|
+
[[GitHub #483]](https://github.com/ruby/openssl/issues/483)
|
66
|
+
[[GitHub #539]](https://github.com/ruby/openssl/pull/539)
|
67
|
+
* Restore OpenSSL::PKey.read's ability to decode "openssl ecparam -genkey"
|
68
|
+
output when linked against OpenSSL 3.0.
|
69
|
+
[[GitHub #535]](https://github.com/ruby/openssl/pull/535)
|
70
|
+
[[GitHub #540]](https://github.com/ruby/openssl/pull/540)
|
71
|
+
* Restore error checks in OpenSSL::PKey::EC#{to_der,to_pem}.
|
72
|
+
[[GitHub #541]](https://github.com/ruby/openssl/pull/541)
|
73
|
+
|
74
|
+
|
75
|
+
Version 3.0.0
|
76
|
+
=============
|
77
|
+
|
78
|
+
Compatibility notes
|
79
|
+
-------------------
|
80
|
+
|
81
|
+
* OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
|
82
|
+
[[GitHub #396]](https://github.com/ruby/openssl/pull/396)
|
83
|
+
[[GitHub #466]](https://github.com/ruby/openssl/pull/466)
|
84
|
+
|
85
|
+
* OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
|
86
|
+
1.1 and contains incompatible changes that affect Ruby/OpenSSL.
|
87
|
+
Note that OpenSSL 3.0 support is preliminary and not all features are
|
88
|
+
currently available:
|
89
|
+
[[GitHub #369]](https://github.com/ruby/openssl/issues/369)
|
90
|
+
|
91
|
+
- Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
|
92
|
+
made EVP_PKEY structure immutable, and hence the following methods are not
|
93
|
+
available when Ruby/OpenSSL is linked against OpenSSL 3.0.
|
94
|
+
[[GitHub #480]](https://github.com/ruby/openssl/pull/480)
|
95
|
+
|
96
|
+
- `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
|
97
|
+
- `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
|
98
|
+
- `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
|
99
|
+
- `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
|
100
|
+
|
101
|
+
- Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
|
102
|
+
in favor of the new "provider" concept and will be removed in a future
|
103
|
+
version.
|
104
|
+
[[GitHub #481]](https://github.com/ruby/openssl/pull/481)
|
105
|
+
|
106
|
+
* `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
|
107
|
+
deprecated since v2.0.0 because it is incompatible with modern OpenSSL
|
108
|
+
versions.
|
109
|
+
[[GitHub #394]](https://github.com/ruby/openssl/pull/394)
|
110
|
+
|
111
|
+
* `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
|
112
|
+
if called before a TLS connection is established. Historically, they
|
113
|
+
read/wrote unencrypted data to the underlying socket directly in that case.
|
114
|
+
[[GitHub #9]](https://github.com/ruby/openssl/issues/9)
|
115
|
+
[[GitHub #469]](https://github.com/ruby/openssl/pull/469)
|
116
|
+
|
117
|
+
|
118
|
+
Notable changes
|
119
|
+
---------------
|
120
|
+
|
121
|
+
* Enhance OpenSSL::PKey's common interface.
|
122
|
+
[[GitHub #370]](https://github.com/ruby/openssl/issues/370)
|
123
|
+
|
124
|
+
- Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
|
125
|
+
DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
|
126
|
+
[[GitHub #328]](https://github.com/ruby/openssl/issues/328)
|
127
|
+
- Key generation: Add `OpenSSL::PKey.generate_parameters` and
|
128
|
+
`OpenSSL::PKey.generate_key`.
|
129
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
130
|
+
- Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
|
131
|
+
the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
|
132
|
+
or later. They also now take optional algorithm-specific parameters for more
|
133
|
+
control.
|
134
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
135
|
+
- Low-level public key signing and verification: Add
|
136
|
+
`OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
|
137
|
+
[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
|
138
|
+
- Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
|
139
|
+
[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
|
140
|
+
- Key agreement: Add `OpenSSL::PKey::PKey#derive`.
|
141
|
+
[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
|
142
|
+
- Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
|
143
|
+
that two keys have common parameters and a public key.
|
144
|
+
[[GitHub #383]](https://github.com/ruby/openssl/issues/383)
|
145
|
+
|
146
|
+
* Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
|
147
|
+
with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
|
148
|
+
[[GitHub #417]](https://github.com/ruby/openssl/issues/417)
|
149
|
+
|
150
|
+
* Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
|
151
|
+
[[GitHub #430]](https://github.com/ruby/openssl/issues/430)
|
152
|
+
|
153
|
+
* Add `OpenSSL::SSL::SSLSocket#getbyte`.
|
154
|
+
[[GitHub #438]](https://github.com/ruby/openssl/issues/438)
|
155
|
+
|
156
|
+
* Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
|
157
|
+
[[GitHub #459]](https://github.com/ruby/openssl/pull/459)
|
158
|
+
|
159
|
+
* Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
|
160
|
+
list of X.509 certificates at once.
|
161
|
+
[[GitHub #441]](https://github.com/ruby/openssl/pull/441)
|
162
|
+
|
163
|
+
* Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
|
164
|
+
string first as DER encoding first and then as PEM encoding to ensure the
|
165
|
+
round-trip consistency.
|
166
|
+
[[GitHub #442]](https://github.com/ruby/openssl/pull/442)
|
167
|
+
|
168
|
+
* Update various part of the code base to use the modern API. No breaking
|
169
|
+
changes are intended with this. This includes:
|
170
|
+
|
171
|
+
- `OpenSSL::HMAC` uses the EVP API.
|
172
|
+
[[GitHub #371]](https://github.com/ruby/openssl/issues/371)
|
173
|
+
- `OpenSSL::Config` uses native OpenSSL API to parse config files.
|
174
|
+
[[GitHub #342]](https://github.com/ruby/openssl/issues/342)
|
175
|
+
|
176
|
+
|
177
|
+
Version 2.2.3
|
178
|
+
=============
|
179
|
+
|
180
|
+
Bug fixes
|
181
|
+
---------
|
182
|
+
|
183
|
+
* Fix serveral methods in OpenSSL::PKey::EC::Point attempting to raise an error
|
184
|
+
with an incorrect class, which would end up with a TypeError.
|
185
|
+
[[GitHub #570]](https://github.com/ruby/openssl/pull/570)
|
186
|
+
* Fix OpenSSL::PKey::EC::Point#eql? and OpenSSL::PKey::EC::Group#eql?
|
187
|
+
incorrectly treated OpenSSL's internal errors as "not equal".
|
188
|
+
[[GitHub #564]](https://github.com/ruby/openssl/pull/564)
|
189
|
+
* Fix build with LibreSSL 3.5 or later.
|
190
|
+
|
191
|
+
|
192
|
+
Version 2.2.2
|
193
|
+
=============
|
194
|
+
|
195
|
+
Merged changes in 2.1.4.
|
196
|
+
|
197
|
+
|
198
|
+
Version 2.2.1
|
199
|
+
=============
|
200
|
+
|
201
|
+
Merged changes in 2.1.3. Additionally, the following issues are fixed by this
|
202
|
+
release.
|
203
|
+
|
204
|
+
Bug fixes
|
205
|
+
---------
|
206
|
+
|
207
|
+
* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
|
208
|
+
invalid arguments are given.
|
209
|
+
[[GitHub #407]](https://github.com/ruby/openssl/pull/407)
|
210
|
+
* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
|
211
|
+
where `time_t` has a different size from `long`.
|
212
|
+
[[GitHub #454]](https://github.com/ruby/openssl/pull/454)
|
213
|
+
|
214
|
+
|
215
|
+
Version 2.2.0
|
216
|
+
=============
|
217
|
+
|
218
|
+
Compatibility notes
|
219
|
+
-------------------
|
220
|
+
|
221
|
+
* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
|
222
|
+
* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
|
223
|
+
[[GitHub #266]](https://github.com/ruby/openssl/pull/266)
|
224
|
+
* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
|
225
|
+
[[GitHub #322]](https://github.com/ruby/openssl/pull/322)
|
226
|
+
|
227
|
+
|
228
|
+
Notable changes
|
229
|
+
---------------
|
230
|
+
|
231
|
+
* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
|
232
|
+
5 to `Socket::SOMAXCONN`.
|
233
|
+
[[GitHub #286]](https://github.com/ruby/openssl/issues/286)
|
234
|
+
* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
|
235
|
+
[[GitHub #284]](https://github.com/ruby/openssl/pull/284)
|
236
|
+
* Add support for SHA3 and BLAKE digests.
|
237
|
+
[[GitHub #282]](https://github.com/ruby/openssl/pull/282)
|
238
|
+
* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
|
239
|
+
returning an `OpenSSL::SSL::SSLSocket` for it.
|
240
|
+
[[GitHub #225]](https://github.com/ruby/openssl/issues/225)
|
241
|
+
* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
|
242
|
+
[[GitHub #281]](https://github.com/ruby/openssl/pull/281)
|
243
|
+
[[GitHub #363]](https://github.com/ruby/openssl/pull/363)
|
244
|
+
* Add `OpenSSL.secure_compare` for timing safe string comparison for
|
245
|
+
strings of possibly unequal length.
|
246
|
+
[[GitHub #280]](https://github.com/ruby/openssl/pull/280)
|
247
|
+
* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
|
248
|
+
comparison for strings of equal length.
|
249
|
+
[[GitHub #269]](https://github.com/ruby/openssl/pull/269)
|
250
|
+
* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
|
251
|
+
for last finished message sent and received.
|
252
|
+
[[GitHub #250]](https://github.com/ruby/openssl/pull/250)
|
253
|
+
* Add `OpenSSL::Timestamp` module for handing timestamp requests and
|
254
|
+
responses.
|
255
|
+
[[GitHub #204]](https://github.com/ruby/openssl/pull/204)
|
256
|
+
* Add helper methods for `OpenSSL::X509::Certificate`:
|
257
|
+
`find_extension`, `subject_key_identifier`,
|
258
|
+
`authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
|
259
|
+
`ocsp_uris`, and for `OpenSSL::X509::CRL`:
|
260
|
+
`find_extension` and `subject_key_identifier`.
|
261
|
+
[[GitHub #260]](https://github.com/ruby/openssl/pull/260)
|
262
|
+
[[GitHub #275]](https://github.com/ruby/openssl/pull/275)
|
263
|
+
[[GitHub #293]](https://github.com/ruby/openssl/pull/293)
|
264
|
+
* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
|
265
|
+
[[GitHub #261]](https://github.com/ruby/openssl/pull/261)
|
266
|
+
* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
|
267
|
+
`crt_params` to do proper private key serialization.
|
268
|
+
[[GitHub #258]](https://github.com/ruby/openssl/pull/258)
|
269
|
+
* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
|
270
|
+
underlying socket file descriptor number.
|
271
|
+
[[GitHub #247]](https://github.com/ruby/openssl/pull/247)
|
272
|
+
* Support client certificates with TLS 1.3, and support post-handshake
|
273
|
+
authentication with OpenSSL 1.1.1+.
|
274
|
+
[[GitHub #239]](https://github.com/ruby/openssl/pull/239)
|
275
|
+
* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
|
276
|
+
* Add `OpenSSL::X509::Extension#value_der` for the raw value of
|
277
|
+
the extension.
|
278
|
+
[[GitHub #234]](https://github.com/ruby/openssl/pull/234)
|
279
|
+
* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
|
280
|
+
[[GitHub #212]](https://github.com/ruby/openssl/pull/212)
|
281
|
+
* Ensure all valid IPv6 addresses are considered valid as elements
|
282
|
+
of subjectAlternativeName in certificates.
|
283
|
+
[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
|
284
|
+
* Allow recipient's certificate to be omitted in PCKS7#decrypt.
|
285
|
+
[[GitHub #183]](https://github.com/ruby/openssl/pull/183)
|
286
|
+
* Add support for reading keys in PKCS #8 format and export via instance methods
|
287
|
+
added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
|
288
|
+
`public_to_der` and `public_to_pem`.
|
289
|
+
[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
|
290
|
+
|
291
|
+
|
292
|
+
Version 2.1.4
|
293
|
+
=============
|
294
|
+
|
295
|
+
Bug fixes
|
296
|
+
---------
|
297
|
+
|
298
|
+
* Do not use pkg-config if --with-openssl-dir option is specified.
|
299
|
+
[[GitHub #486]](https://github.com/ruby/openssl/pull/486)
|
300
|
+
|
301
|
+
|
1
302
|
Version 2.1.3
|
2
303
|
=============
|
3
304
|
|
@@ -19,7 +320,7 @@ Bug fixes
|
|
19
320
|
[[GitHub #453]](https://github.com/ruby/openssl/pull/453)
|
20
321
|
* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
|
21
322
|
for output.
|
22
|
-
* Fix wrong
|
323
|
+
* Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
|
23
324
|
[[GitHub #460]](https://github.com/ruby/openssl/pull/460)
|
24
325
|
* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
|
25
326
|
newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
|
data/README.md
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# OpenSSL for Ruby
|
2
2
|
|
3
|
-
[![
|
4
|
-
|
3
|
+
[![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
|
4
|
+
|
5
5
|
|
6
6
|
OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
|
7
7
|
OpenSSL library.
|
data/ext/openssl/extconf.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# -*- coding: us-ascii -*-
|
2
|
-
# frozen_string_literal:
|
2
|
+
# frozen_string_literal: true
|
3
3
|
=begin
|
4
4
|
= Info
|
5
5
|
'OpenSSL for Ruby 2' project
|
@@ -12,16 +12,12 @@
|
|
12
12
|
=end
|
13
13
|
|
14
14
|
require "mkmf"
|
15
|
-
require File.expand_path('../deprecation', __FILE__)
|
16
15
|
|
17
|
-
dir_config("openssl")
|
16
|
+
dir_config_given = dir_config("openssl").any?
|
18
17
|
dir_config("kerberos")
|
19
18
|
|
20
19
|
Logging::message "=== OpenSSL for Ruby configurator ===\n"
|
21
20
|
|
22
|
-
# Check with -Werror=deprecated-declarations if available
|
23
|
-
OpenSSL.deprecated_warning_flag
|
24
|
-
|
25
21
|
##
|
26
22
|
# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
|
27
23
|
# To turn it on, use: --with-debug or --enable-debug
|
@@ -29,6 +25,9 @@ OpenSSL.deprecated_warning_flag
|
|
29
25
|
if with_config("debug") or enable_config("debug")
|
30
26
|
$defs.push("-DOSSL_DEBUG")
|
31
27
|
end
|
28
|
+
$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
|
29
|
+
|
30
|
+
have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
|
32
31
|
|
33
32
|
Logging::message "=== Checking for system dependent stuff... ===\n"
|
34
33
|
have_library("nsl", "t_open")
|
@@ -37,6 +36,12 @@ if $mswin || $mingw
|
|
37
36
|
have_library("ws2_32")
|
38
37
|
end
|
39
38
|
|
39
|
+
if $mingw
|
40
|
+
append_cflags '-D_FORTIFY_SOURCE=2'
|
41
|
+
append_ldflags '-fstack-protector'
|
42
|
+
have_library 'ssp'
|
43
|
+
end
|
44
|
+
|
40
45
|
def find_openssl_library
|
41
46
|
if $mswin || $mingw
|
42
47
|
# required for static OpenSSL libraries
|
@@ -88,7 +93,7 @@ def find_openssl_library
|
|
88
93
|
end
|
89
94
|
|
90
95
|
Logging::message "=== Checking for required stuff... ===\n"
|
91
|
-
pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
|
96
|
+
pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h")
|
92
97
|
|
93
98
|
if !pkg_config_found && !find_openssl_library
|
94
99
|
Logging::message "=== Checking for required stuff failed. ===\n"
|
@@ -100,15 +105,14 @@ end
|
|
100
105
|
|
101
106
|
version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
|
102
107
|
is_libressl = true
|
103
|
-
checking_for("LibreSSL version >=
|
104
|
-
try_static_assert("LIBRESSL_VERSION_NUMBER >=
|
108
|
+
checking_for("LibreSSL version >= 3.1.0") {
|
109
|
+
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
|
105
110
|
else
|
106
|
-
checking_for("OpenSSL version >= 1.0.
|
107
|
-
try_static_assert("OPENSSL_VERSION_NUMBER >=
|
108
|
-
!try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
|
111
|
+
checking_for("OpenSSL version >= 1.0.2") {
|
112
|
+
try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
|
109
113
|
end
|
110
114
|
unless version_ok
|
111
|
-
raise "OpenSSL >= 1.0.
|
115
|
+
raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
|
112
116
|
end
|
113
117
|
|
114
118
|
# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
|
@@ -117,65 +121,76 @@ if is_libressl && ($mswin || $mingw)
|
|
117
121
|
end
|
118
122
|
|
119
123
|
Logging::message "=== Checking for OpenSSL features... ===\n"
|
124
|
+
evp_h = "openssl/evp.h".freeze
|
125
|
+
x509_h = "openssl/x509.h".freeze
|
126
|
+
ts_h = "openssl/ts.h".freeze
|
127
|
+
ssl_h = "openssl/ssl.h".freeze
|
128
|
+
|
120
129
|
# compile options
|
121
|
-
have_func("RAND_egd")
|
122
|
-
engines = %w{
|
123
|
-
cswift nuron sureware ubsec padlock capi gmp gost cryptodev
|
130
|
+
have_func("RAND_egd()", "openssl/rand.h")
|
131
|
+
engines = %w{dynamic 4758cca aep atalla chil
|
132
|
+
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
|
124
133
|
engines.each { |name|
|
125
|
-
|
134
|
+
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
|
126
135
|
}
|
127
136
|
|
128
|
-
# added in 1.0.2
|
129
|
-
have_func("EC_curve_nist2nid")
|
130
|
-
have_func("X509_REVOKED_dup")
|
131
|
-
have_func("X509_STORE_CTX_get0_store")
|
132
|
-
have_func("SSL_CTX_set_alpn_select_cb")
|
133
|
-
OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
|
134
|
-
OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h")
|
135
|
-
OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
|
136
|
-
have_func("SSL_is_server")
|
137
|
-
|
138
137
|
# added in 1.1.0
|
139
|
-
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
|
140
|
-
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
|
138
|
+
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
|
141
139
|
$defs.push("-DHAVE_OPAQUE_OPENSSL")
|
142
140
|
end
|
143
|
-
have_func("
|
144
|
-
have_func("
|
145
|
-
have_func("
|
146
|
-
have_func("
|
147
|
-
have_func("
|
148
|
-
have_func("
|
149
|
-
have_func("
|
150
|
-
have_func("
|
151
|
-
|
152
|
-
have_func("
|
153
|
-
have_func("
|
154
|
-
have_func("
|
155
|
-
have_func("
|
156
|
-
have_func("
|
157
|
-
have_func("
|
158
|
-
have_func("
|
159
|
-
have_func("
|
160
|
-
have_func("
|
161
|
-
have_func("
|
162
|
-
have_func("
|
163
|
-
have_func("
|
164
|
-
have_func("
|
165
|
-
have_func("
|
166
|
-
have_func("
|
167
|
-
have_func("
|
168
|
-
have_func("
|
169
|
-
|
170
|
-
|
171
|
-
have_func("
|
172
|
-
have_func("
|
173
|
-
have_func("
|
174
|
-
have_func("
|
141
|
+
have_func("EVP_MD_CTX_new()", evp_h)
|
142
|
+
have_func("EVP_MD_CTX_free(NULL)", evp_h)
|
143
|
+
have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
|
144
|
+
have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
|
145
|
+
have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
|
146
|
+
have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
|
147
|
+
have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
|
148
|
+
have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
|
149
|
+
have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
|
150
|
+
have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
|
151
|
+
have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
|
152
|
+
have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
|
153
|
+
have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
|
154
|
+
have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
|
155
|
+
have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
|
156
|
+
have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
|
157
|
+
have_func("X509_up_ref(NULL)", x509_h)
|
158
|
+
have_func("X509_CRL_up_ref(NULL)", x509_h)
|
159
|
+
have_func("X509_STORE_up_ref(NULL)", x509_h)
|
160
|
+
have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
|
161
|
+
have_func("EVP_PKEY_up_ref(NULL)", evp_h)
|
162
|
+
have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
|
163
|
+
have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
|
164
|
+
have_func("X509_get0_notBefore(NULL)", x509_h)
|
165
|
+
have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
|
166
|
+
have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
|
167
|
+
have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
|
168
|
+
have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
|
169
|
+
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
|
170
|
+
have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
|
171
|
+
have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
|
172
|
+
have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
|
173
|
+
have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
|
174
|
+
have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
|
175
|
+
|
176
|
+
# added in 1.1.1
|
177
|
+
have_func("EVP_PKEY_check(NULL)", evp_h)
|
178
|
+
have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
|
179
|
+
have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
|
180
|
+
|
181
|
+
# added in 3.0.0
|
182
|
+
have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
|
183
|
+
have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
|
184
|
+
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
|
185
|
+
have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
|
186
|
+
have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
|
187
|
+
have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
|
188
|
+
have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
|
189
|
+
have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
|
190
|
+
have_func("EVP_PKEY_dup(NULL)", evp_h)
|
175
191
|
|
176
192
|
Logging::message "=== Checking done. ===\n"
|
177
193
|
|
178
194
|
create_header
|
179
|
-
OpenSSL.restore_warning_flag
|
180
195
|
create_makefile("openssl")
|
181
196
|
Logging::message "Done.\n"
|