openssl 2.1.4 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 88da06860381b21467805e571f0b92f020a070dd3088f39cd8511a6a1dcc87aa
-  data.tar.gz: 28dbc9f0648e7a4a4400fcc8ced412286099dca4bfeea603cc0804a8c204e33f
+  metadata.gz: 6f52e266d6038d1d7173a58d9ad72207e7d492da086ef0ecf9484a8b1cac5156
+  data.tar.gz: ca3211e0c3887311a9d0ac997c864e0cdd54fc0c7510d04c2497c9c99b97fd0c
 SHA512:
-  metadata.gz: 7a2f752f6cafd6de5a0ef4674ae625d1afe8061da727a46732031de22d150d972bca92e783bef224706a0c511e27b6fc1aec787554c00efbb03b08ebf6e12f6e
-  data.tar.gz: '09459c4b38deda5c19ad1fde1129e0de914f25f131d2f7d27ec535d6216130cdd3fe1b0f8ee8edd8f661625f62185e68b688b4f3d5713fc13562285b4e8651e4'
+  metadata.gz: b20ff54093b47c1d1da2f90a41ee1787bcd6a3e14c26f86f4c117d5ec6703364c73df226da5bf357ec6440770b639dd92575e468caeaf38fd8815ef52fb9864f
+  data.tar.gz: 6f64e438c1cc74cea40674a4d3d5926ecc3ea4a0701dd02514f990fcbcb8c525a364789f832ac649fe65e557522a9df983e5beca5f3476b3ec29f7a82b15f071

data/CONTRIBUTING.md

@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include the version of Ruby, the
-version of openssl gem, the version of the OpenSSL library, along with a sample
-file that illustrates the problem or link to repository or gem that is
-associated with the bug.
-
-There is a number of unresolved issues and feature requests for openssl that
+When reporting a bug, please make sure you include: 
+* Ruby version 
+* OpenSSL gem version
+* OpenSSL library version 
+* A sample file that illustrates the problem or link to the repository or 
+  gem that is associated with the bug.
+
+There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
 [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
 
@@ -78,7 +80,7 @@ $ docker-compose run debug
 ```
 
 All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
-[`.travis.yml`](https://github.com/ruby/openssl/tree/master/.travis.yml).
+[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
 
 **NOTE**: these commands must be run from the openssl repository root, in order
 to use the

data/History.md

@@ -1,47 +1,78 @@
-Version 2.1.4
+Version 2.2.0
 =============
 
-Bug fixes
----------
-
-* Do not use pkg-config if --with-openssl-dir option is specified.
- [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
+Compatibility notes
+-------------------
 
+* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
+* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
+  [[GitHub #266]](https://github.com/ruby/openssl/pull/266)
+* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
+  [[GitHub #322]](https://github.com/ruby/openssl/pull/322)
 
-Version 2.1.3
-=============
 
-Bug fixes
----------
+Notable changes
+---------------
 
-* Fix deprecation warnings on Ruby 3.0.
-* Add ".include" directive support in `OpenSSL::Config`.
-  [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
-* Fix handling of IPv6 address SANs.
+* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
+  5 to `Socket::SOMAXCONN`.
+  [[GitHub #286]](https://github.com/ruby/openssl/issues/286)
+* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
+  [[GitHub #284]](https://github.com/ruby/openssl/pull/284)
+* Add support for SHA3 and BLAKE digests.
+  [[GitHub #282]](https://github.com/ruby/openssl/pull/282)
+* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
+  returning an `OpenSSL::SSL::SSLSocket` for it.
+  [[GitHub #225]](https://github.com/ruby/openssl/issues/225)
+* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
+  [[GitHub #281]](https://github.com/ruby/openssl/pull/281)
+  [[GitHub #363]](https://github.com/ruby/openssl/pull/363)
+* Add `OpenSSL.secure_compare` for timing safe string comparison for
+  strings of possibly unequal length.
+  [[GitHub #280]](https://github.com/ruby/openssl/pull/280)
+* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
+  comparison for strings of equal length.
+  [[GitHub #269]](https://github.com/ruby/openssl/pull/269)
+* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
+  for last finished message sent and received.
+  [[GitHub #250]](https://github.com/ruby/openssl/pull/250)
+* Add `OpenSSL::Timestamp` module for handing timestamp requests and
+  responses.
+  [[GitHub #204]](https://github.com/ruby/openssl/pull/204)
+* Add helper methods for `OpenSSL::X509::Certificate`:
+  `find_extension`, `subject_key_identifier`,
+  `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
+  `ocsp_uris`, and for `OpenSSL::X509::CRL`:
+  `find_extension` and `subject_key_identifier`.
+  [[GitHub #260]](https://github.com/ruby/openssl/pull/260)
+  [[GitHub #275]](https://github.com/ruby/openssl/pull/275)
+  [[GitHub #293]](https://github.com/ruby/openssl/pull/293)
+* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
+  [[GitHub #261]](https://github.com/ruby/openssl/pull/261)
+* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
+  `crt_params` to do proper private key serialization.
+  [[GitHub #258]](https://github.com/ruby/openssl/pull/258)
+* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
+  underlying socket file descriptor number.
+  [[GitHub #247]](https://github.com/ruby/openssl/pull/247)
+* Support client certificates with TLS 1.3, and support post-handshake
+  authentication with OpenSSL 1.1.1+.
+  [[GitHub #239]](https://github.com/ruby/openssl/pull/239)
+* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
+* Add `OpenSSL::X509::Extension#value_der` for the raw value of
+  the extension.
+  [[GitHub #234]](https://github.com/ruby/openssl/pull/234)
+* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
+  [[GitHub #212]](https://github.com/ruby/openssl/pull/212)
+* Ensure all valid IPv6 addresses are considered valid as elements
+  of subjectAlternativeName in certificates.
   [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
-* Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
-  sets a proper error code.
-  [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
-* Fix crash with `OpenSSL::BN.new(nil, 2)`.
-  [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
-* `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
-  being modified by another thread.
-  [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
-* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
-  for output.
-* Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
-  [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
-* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
-  newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
-  OpenSSL 3.0 API.
-  [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
-* Activate `digest` gem correctly. `digest` library could go into an
-  inconsistent state if there are multiple versions of `digest` is installed
-  and `openssl` is `require`d before `digest`.
-  [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
-* Fix GC.compact compatibility.
-  [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
-  [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
+* Allow recipient's certificate to be omitted in PCKS7#decrypt.
+  [[GitHub #183]](https://github.com/ruby/openssl/pull/183)
+* Add support for reading keys in PKCS #8 format and export via instance methods
+  added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
+  `public_to_der` and `public_to_pem`.
+  [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
 
 
 Version 2.1.2

data/README.md

@@ -1,7 +1,7 @@
 # OpenSSL for Ruby
 
-[![Build Status](https://travis-ci.org/ruby/openssl.svg?branch=master)](https://travis-ci.org/ruby/openssl)
-[![Build status](https://ci.appveyor.com/api/projects/status/b8djtmwo7l26f88y/branch/master?svg=true)](https://ci.appveyor.com/project/ruby/openssl/branch/master)
+[![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
+
 
 OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
 OpenSSL library.

data/ext/openssl/extconf.rb

@@ -1,5 +1,5 @@
 # -*- coding: us-ascii -*-
-# frozen_string_literal: false
+# frozen_string_literal: true
 =begin
 = Info
   'OpenSSL for Ruby 2' project
@@ -12,16 +12,12 @@
 =end
 
 require "mkmf"
-require File.expand_path('../deprecation', __FILE__)
 
-dir_config_given = dir_config("openssl").any?
+dir_config("openssl")
 dir_config("kerberos")
 
 Logging::message "=== OpenSSL for Ruby configurator ===\n"
 
-# Check with -Werror=deprecated-declarations if available
-OpenSSL.deprecated_warning_flag
-
 ##
 # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
 # To turn it on, use: --with-debug or --enable-debug
@@ -37,6 +33,15 @@ if $mswin || $mingw
   have_library("ws2_32")
 end
 
+Logging::message "=== Checking for required stuff... ===\n"
+result = pkg_config("openssl") && have_header("openssl/ssl.h")
+
+if $mingw
+  append_cflags '-D_FORTIFY_SOURCE=2'
+  append_ldflags '-fstack-protector'
+  have_library 'ssp'
+end
+
 def find_openssl_library
   if $mswin || $mingw
     # required for static OpenSSL libraries
@@ -87,52 +92,42 @@ def find_openssl_library
   return false
 end
 
-Logging::message "=== Checking for required stuff... ===\n"
-pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h")
-
-if !pkg_config_found && !find_openssl_library
-  Logging::message "=== Checking for required stuff failed. ===\n"
-  Logging::message "Makefile wasn't created. Fix the errors above.\n"
-  raise "OpenSSL library could not be found. You might want to use " \
-    "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
-    "is installed."
-end
-
-version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
-  is_libressl = true
-  checking_for("LibreSSL version >= 2.5.0") {
-    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
-else
-  checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
-    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
-    !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
-end
-unless version_ok
-  raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
+unless result
+  unless find_openssl_library
+    Logging::message "=== Checking for required stuff failed. ===\n"
+    Logging::message "Makefile wasn't created. Fix the errors above.\n"
+    raise "OpenSSL library could not be found. You might want to use " \
+      "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
+      "is installed."
+  end
 end
 
-# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
-if is_libressl && ($mswin || $mingw)
-  $defs.push("-DNOCRYPT")
+unless checking_for("OpenSSL version is 1.0.1 or later") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
+  raise "OpenSSL >= 1.0.1 or LibreSSL is required"
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
 have_func("RAND_egd")
-engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
-             cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
+engines = %w{dynamic 4758cca aep atalla chil
+             cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
 engines.each { |name|
-  OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
+  have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 
+if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
+  $defs.push("-DNOCRYPT")
+end
+
 # added in 1.0.2
 have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")
 have_func("X509_STORE_CTX_get0_store")
 have_func("SSL_CTX_set_alpn_select_cb")
-OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
-OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h")
-OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
+have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
+have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
+have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
 have_func("SSL_is_server")
 
 # added in 1.1.0
@@ -148,9 +143,9 @@ have_func("EVP_MD_CTX_new")
 have_func("EVP_MD_CTX_free")
 have_func("HMAC_CTX_new")
 have_func("HMAC_CTX_free")
-OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
+have_func("X509_STORE_get_ex_new_index")
 have_func("X509_CRL_get0_signature")
 have_func("X509_REQ_get0_signature")
 have_func("X509_REVOKED_get0_serialNumber")
@@ -166,16 +161,23 @@ have_func("X509_CRL_up_ref")
 have_func("X509_STORE_up_ref")
 have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
-OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
-OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
+have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
+have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
 have_func("SSL_CTX_get_security_level")
 have_func("X509_get0_notBefore")
 have_func("SSL_SESSION_get_protocol_version")
+have_func("TS_STATUS_INFO_get0_status")
+have_func("TS_STATUS_INFO_get0_text")
+have_func("TS_STATUS_INFO_get0_failure_info")
+have_func("TS_VERIFY_CTS_set_certs")
+have_func("TS_VERIFY_CTX_set_store")
+have_func("TS_VERIFY_CTX_add_flags")
+have_func("TS_RESP_CTX_set_time_cb")
 have_func("EVP_PBE_scrypt")
+have_func("SSL_CTX_set_post_handshake_auth")
 
 Logging::message "=== Checking done. ===\n"
 
 create_header
-OpenSSL.restore_warning_flag
 create_makefile("openssl")
 Logging::message "Done.\n"

data/ext/openssl/openssl_missing.h

@@ -72,6 +72,9 @@ void ossl_HMAC_CTX_free(HMAC_CTX *);
 #if !defined(HAVE_X509_STORE_SET_EX_DATA)
 #  define X509_STORE_set_ex_data(x, idx, data) \
 	CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
+#endif
+
+#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index)
 #  define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
 	CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
 				(newf), (dupf), (freef))
@@ -144,7 +147,8 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
 	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #endif
 
-#if !defined(HAVE_OPAQUE_OPENSSL)
+#if !defined(HAVE_OPAQUE_OPENSSL) && \
+    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 #define IMPL_PKEY_GETTER(_type, _name) \
 static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
 	return pkey->pkey._name; }
@@ -219,4 +223,35 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #  define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
 #endif
 
+#if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS)
+#  define TS_STATUS_INFO_get0_status(a) ((a)->status)
+#endif
+
+#if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT)
+#  define TS_STATUS_INFO_get0_text(a) ((a)->text)
+#endif
+
+#if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
+#  define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info)
+#endif
+
+#if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS)
+#  define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts))
+#endif
+
+#if !defined(HAVE_TS_VERIFY_CTX_SET_STORE)
+#  define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str))
+#endif
+
+#if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS)
+#  define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f))
+#endif
+
+#if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB)
+#   define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \
+        (ctx)->time_cb = (callback); \
+        (ctx)->time_cb_data = (dta); \
+    } while (0)
+#endif
+
 #endif /* _OSSL_OPENSSL_MISSING_H_ */

data/ext/openssl/ossl.c

@@ -604,6 +604,35 @@ static void Init_ossl_locks(void)
 }
 #endif /* !HAVE_OPENSSL_110_THREADING_API */
 
+/*
+ * call-seq:
+ *   OpenSSL.fixed_length_secure_compare(string, string) -> boolean
+ *
+ * Constant time memory comparison for fixed length strings, such as results
+ * of HMAC calculations.
+ *
+ * Returns +true+ if the strings are identical, +false+ if they are of the same
+ * length but not identical. If the length is different, +ArgumentError+ is
+ * raised.
+ */
+static VALUE
+ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
+{
+    const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
+    const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
+    long len1 = RSTRING_LEN(str1);
+    long len2 = RSTRING_LEN(str2);
+
+    if (len1 != len2) {
+        ossl_raise(rb_eArgError, "inputs must be of equal length");
+    }
+
+    switch (CRYPTO_memcmp(p1, p2, len1)) {
+        case 0:	return Qtrue;
+        default: return Qfalse;
+    }
+}
+
 /*
  * OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
  * OpenSSL[https://www.openssl.org/] library.
@@ -635,7 +664,7 @@ static void Init_ossl_locks(void)
  * ahold of the key may use it unless it is encrypted.  In order to securely
  * export a key you may export it with a pass phrase.
  *
- *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher = OpenSSL::Cipher.new 'AES-256-CBC'
  *   pass_phrase = 'my secure pass phrase goes here'
  *
  *   key_secure = key.export cipher, pass_phrase
@@ -710,16 +739,14 @@ static void Init_ossl_locks(void)
  * To sign a document, a cryptographically secure hash of the document is
  * computed first, which is then signed using the private key.
  *
- *   digest = OpenSSL::Digest::SHA256.new
- *   signature = key.sign digest, document
+ *   signature = key.sign 'SHA256', document
  *
  * To validate the signature, again a hash of the document is computed and
  * the signature is decrypted using the public key. The result is then
  * compared to the hash just computed, if they are equal the signature was
  * valid.
  *
- *   digest = OpenSSL::Digest::SHA256.new
- *   if key.verify digest, signature, document
+ *   if key.verify 'SHA256', signature, document
  *     puts 'Valid'
  *   else
  *     puts 'Invalid'
@@ -745,7 +772,7 @@ static void Init_ossl_locks(void)
  * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
  * the number of iterations largely depends on the hardware being used.
  *
- *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher = OpenSSL::Cipher.new 'AES-256-CBC'
  *   cipher.encrypt
  *   iv = cipher.random_iv
  *
@@ -753,7 +780,7 @@ static void Init_ossl_locks(void)
  *   salt = OpenSSL::Random.random_bytes 16
  *   iter = 20000
  *   key_len = cipher.key_len
- *   digest = OpenSSL::Digest::SHA256.new
+ *   digest = OpenSSL::Digest.new('SHA256')
  *
  *   key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
  *   cipher.key = key
@@ -768,7 +795,7 @@ static void Init_ossl_locks(void)
  * Use the same steps as before to derive the symmetric AES key, this time
  * setting the Cipher up for decryption.
  *
- *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher = OpenSSL::Cipher.new 'AES-256-CBC'
  *   cipher.decrypt
  *   cipher.iv = iv # the one generated with #random_iv
  *
@@ -776,7 +803,7 @@ static void Init_ossl_locks(void)
  *   salt = ... # the one generated above
  *   iter = 20000
  *   key_len = cipher.key_len
- *   digest = OpenSSL::Digest::SHA256.new
+ *   digest = OpenSSL::Digest.new('SHA256')
  *
  *   key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
  *   cipher.key = key
@@ -803,7 +830,7 @@ static void Init_ossl_locks(void)
  *
  * First set up the cipher for encryption
  *
- *   encryptor = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   encryptor = OpenSSL::Cipher.new 'AES-256-CBC'
  *   encryptor.encrypt
  *   encryptor.pkcs5_keyivgen pass_phrase, salt
  *
@@ -816,7 +843,7 @@ static void Init_ossl_locks(void)
  *
  * Use a new Cipher instance set up for decryption
  *
- *   decryptor = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   decryptor = OpenSSL::Cipher.new 'AES-256-CBC'
  *   decryptor.decrypt
  *   decryptor.pkcs5_keyivgen pass_phrase, salt
  *
@@ -833,7 +860,7 @@ static void Init_ossl_locks(void)
  * signature.
  *
  *   key = OpenSSL::PKey::RSA.new 2048
- *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+ *   name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
  *
  *   cert = OpenSSL::X509::Certificate.new
  *   cert.version = 2
@@ -872,7 +899,7 @@ static void Init_ossl_locks(void)
  * certificate.
  *
  *   cert.issuer = name
- *   cert.sign key, OpenSSL::Digest::SHA1.new
+ *   cert.sign key, OpenSSL::Digest.new('SHA1')
  *
  *   open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
  *
@@ -904,7 +931,7 @@ static void Init_ossl_locks(void)
  *   ca_key = OpenSSL::PKey::RSA.new 2048
  *   pass_phrase = 'my secure pass phrase goes here'
  *
- *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher = OpenSSL::Cipher.new 'AES-256-CBC'
  *
  *   open 'ca_key.pem', 'w', 0400 do |io|
  *     io.write ca_key.export(cipher, pass_phrase)
@@ -915,7 +942,7 @@ static void Init_ossl_locks(void)
  * A CA certificate is created the same way we created a certificate above, but
  * with different extensions.
  *
- *   ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+ *   ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example'
  *
  *   ca_cert = OpenSSL::X509::Certificate.new
  *   ca_cert.serial = 0
@@ -948,7 +975,7 @@ static void Init_ossl_locks(void)
  *
  * Root CA certificates are self-signed.
  *
- *   ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ *   ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
  *
  * The CA certificate is saved to disk so it may be distributed to all the
  * users of the keys this CA will sign.
@@ -966,7 +993,7 @@ static void Init_ossl_locks(void)
  *   csr.version = 0
  *   csr.subject = name
  *   csr.public_key = key.public_key
- *   csr.sign key, OpenSSL::Digest::SHA1.new
+ *   csr.sign key, OpenSSL::Digest.new('SHA1')
  *
  * A CSR is saved to disk and sent to the CA for signing.
  *
@@ -1010,7 +1037,7 @@ static void Init_ossl_locks(void)
  *   csr_cert.add_extension \
  *     extension_factory.create_extension('subjectKeyIdentifier', 'hash')
  *
- *   csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ *   csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
  *
  *   open 'csr_cert.pem', 'w' do |io|
  *     io.write csr_cert.to_pem
@@ -1125,11 +1152,7 @@ Init_openssl(void)
      */
     mOSSL = rb_define_module("OpenSSL");
     rb_global_variable(&mOSSL);
-
-    /*
-     * OpenSSL ruby extension version
-     */
-    rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
+    rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
 
     /*
      * Version of OpenSSL the ruby OpenSSL extension was built with
@@ -1205,6 +1228,9 @@ Init_openssl(void)
     Init_ossl_pkey();
     Init_ossl_rand();
     Init_ossl_ssl();
+#ifndef OPENSSL_NO_TS
+    Init_ossl_ts();
+#endif
     Init_ossl_x509();
     Init_ossl_ocsp();
     Init_ossl_engine();

data/ext/openssl/ossl.h

@@ -27,7 +27,9 @@
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/conf.h>
-#include <openssl/conf_api.h>
+#ifndef OPENSSL_NO_TS
+  #include <openssl/ts.h>
+#endif
 #include <openssl/crypto.h>
 #if !defined(OPENSSL_NO_ENGINE)
 #  include <openssl/engine.h>
@@ -86,9 +88,8 @@ VALUE ossl_buf2str(char *buf, int len);
 VALUE ossl_str_new(const char *, long, int *);
 #define ossl_str_adjust(str, p) \
 do{\
-    long len = RSTRING_LEN(str);\
     long newlen = (long)((p) - (unsigned char*)RSTRING_PTR(str));\
-    assert(newlen <= len);\
+    assert(newlen <= RSTRING_LEN(str));\
     rb_str_set_len((str), newlen);\
 }while(0)
 /*
@@ -168,7 +169,9 @@ void ossl_debug(const char *, ...);
 #include "ossl_pkey.h"
 #include "ossl_rand.h"
 #include "ossl_ssl.h"
-#include "ossl_version.h"
+#ifndef OPENSSL_NO_TS
+  #include "ossl_ts.h"
+#endif
 #include "ossl_x509.h"
 #include "ossl_engine.h"
 #include "ossl_kdf.h"

data/ext/openssl/ossl_asn1.c

@@ -1285,6 +1285,30 @@ ossl_asn1obj_get_ln(VALUE self)
     return ret;
 }
 
+/*
+ *  call-seq:
+ *     oid == other_oid => true or false
+ *
+ *  Returns +true+ if _other_oid_ is the same as _oid_
+ */
+static VALUE
+ossl_asn1obj_eq(VALUE self, VALUE other)
+{
+    VALUE valSelf, valOther;
+    int nidSelf, nidOther;
+
+    valSelf = ossl_asn1_get_value(self);
+    valOther = ossl_asn1_get_value(other);
+
+    if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
+	ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+    if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
+	ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+    return nidSelf == nidOther ? Qtrue : Qfalse;
+}
+
 static VALUE
 asn1obj_get_oid_i(VALUE vobj)
 {
@@ -1818,6 +1842,7 @@ do{\
     rb_define_method(cASN1ObjectId, "oid", ossl_asn1obj_get_oid, 0);
     rb_define_alias(cASN1ObjectId, "short_name", "sn");
     rb_define_alias(cASN1ObjectId, "long_name", "ln");
+    rb_define_method(cASN1ObjectId, "==", ossl_asn1obj_eq, 1);
     rb_attr(cASN1BitString, rb_intern("unused_bits"), 1, 1, 0);
 
     rb_define_method(cASN1EndOfContent, "initialize", ossl_asn1eoc_initialize, 0);