openssl 2.1.4 → 2.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +9 -7
  3. data/History.md +68 -37
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +43 -41
  6. data/ext/openssl/openssl_missing.h +36 -1
  7. data/ext/openssl/ossl.c +49 -23
  8. data/ext/openssl/ossl.h +7 -4
  9. data/ext/openssl/ossl_asn1.c +25 -0
  10. data/ext/openssl/ossl_bn.c +16 -23
  11. data/ext/openssl/ossl_cipher.c +33 -24
  12. data/ext/openssl/ossl_digest.c +18 -57
  13. data/ext/openssl/ossl_engine.c +2 -12
  14. data/ext/openssl/ossl_hmac.c +5 -11
  15. data/ext/openssl/ossl_kdf.c +3 -19
  16. data/ext/openssl/ossl_ns_spki.c +1 -1
  17. data/ext/openssl/ossl_ocsp.c +6 -11
  18. data/ext/openssl/ossl_ocsp.h +3 -3
  19. data/ext/openssl/ossl_pkcs7.c +3 -19
  20. data/ext/openssl/ossl_pkcs7.h +16 -0
  21. data/ext/openssl/ossl_pkey.c +180 -14
  22. data/ext/openssl/ossl_pkey_dsa.c +2 -2
  23. data/ext/openssl/ossl_pkey_ec.c +37 -8
  24. data/ext/openssl/ossl_pkey_rsa.c +17 -9
  25. data/ext/openssl/ossl_rand.c +2 -32
  26. data/ext/openssl/ossl_ssl.c +78 -72
  27. data/ext/openssl/ossl_ts.c +1514 -0
  28. data/ext/openssl/ossl_ts.h +16 -0
  29. data/ext/openssl/ossl_x509cert.c +2 -2
  30. data/ext/openssl/ossl_x509ext.c +14 -0
  31. data/ext/openssl/ossl_x509name.c +7 -3
  32. data/ext/openssl/ossl_x509store.c +20 -39
  33. data/lib/openssl/bn.rb +1 -1
  34. data/lib/openssl/buffering.rb +28 -5
  35. data/lib/openssl/cipher.rb +1 -1
  36. data/lib/openssl/config.rb +17 -8
  37. data/lib/openssl/digest.rb +10 -12
  38. data/lib/openssl/hmac.rb +13 -0
  39. data/lib/openssl/marshal.rb +30 -0
  40. data/lib/openssl/pkcs5.rb +1 -1
  41. data/lib/openssl/pkey.rb +18 -1
  42. data/lib/openssl/ssl.rb +40 -2
  43. data/lib/openssl/version.rb +5 -0
  44. data/lib/openssl/x509.rb +155 -1
  45. data/lib/openssl.rb +25 -9
  46. metadata +13 -24
  47. data/ext/openssl/deprecation.rb +0 -27
  48. data/ext/openssl/ossl_version.h +0 -15
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 88da06860381b21467805e571f0b92f020a070dd3088f39cd8511a6a1dcc87aa
4
- data.tar.gz: 28dbc9f0648e7a4a4400fcc8ced412286099dca4bfeea603cc0804a8c204e33f
3
+ metadata.gz: 6f52e266d6038d1d7173a58d9ad72207e7d492da086ef0ecf9484a8b1cac5156
4
+ data.tar.gz: ca3211e0c3887311a9d0ac997c864e0cdd54fc0c7510d04c2497c9c99b97fd0c
5
5
  SHA512:
6
- metadata.gz: 7a2f752f6cafd6de5a0ef4674ae625d1afe8061da727a46732031de22d150d972bca92e783bef224706a0c511e27b6fc1aec787554c00efbb03b08ebf6e12f6e
7
- data.tar.gz: '09459c4b38deda5c19ad1fde1129e0de914f25f131d2f7d27ec535d6216130cdd3fe1b0f8ee8edd8f661625f62185e68b688b4f3d5713fc13562285b4e8651e4'
6
+ metadata.gz: b20ff54093b47c1d1da2f90a41ee1787bcd6a3e14c26f86f4c117d5ec6703364c73df226da5bf357ec6440770b639dd92575e468caeaf38fd8815ef52fb9864f
7
+ data.tar.gz: 6f64e438c1cc74cea40674a4d3d5926ecc3ea4a0701dd02514f990fcbcb8c525a364789f832ac649fe65e557522a9df983e5beca5f3476b3ec29f7a82b15f071
data/CONTRIBUTING.md CHANGED
@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
12
12
  security issues here, there is a separate procedure which is described on
13
13
  ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
14
14
 
15
- When reporting a bug, please make sure you include the version of Ruby, the
16
- version of openssl gem, the version of the OpenSSL library, along with a sample
17
- file that illustrates the problem or link to repository or gem that is
18
- associated with the bug.
19
-
20
- There is a number of unresolved issues and feature requests for openssl that
15
+ When reporting a bug, please make sure you include:
16
+ * Ruby version
17
+ * OpenSSL gem version
18
+ * OpenSSL library version
19
+ * A sample file that illustrates the problem or link to the repository or
20
+ gem that is associated with the bug.
21
+
22
+ There are a number of unresolved issues and feature requests for openssl that
21
23
  need review. Before submitting a new ticket, it is recommended to check
22
24
  [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
23
25
 
@@ -78,7 +80,7 @@ $ docker-compose run debug
78
80
  ```
79
81
 
80
82
  All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
81
- [`.travis.yml`](https://github.com/ruby/openssl/tree/master/.travis.yml).
83
+ [`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
82
84
 
83
85
  **NOTE**: these commands must be run from the openssl repository root, in order
84
86
  to use the
data/History.md CHANGED
@@ -1,47 +1,78 @@
1
- Version 2.1.4
1
+ Version 2.2.0
2
2
  =============
3
3
 
4
- Bug fixes
5
- ---------
6
-
7
- * Do not use pkg-config if --with-openssl-dir option is specified.
8
- [[GitHub #486]](https://github.com/ruby/openssl/pull/486)
4
+ Compatibility notes
5
+ -------------------
9
6
 
7
+ * Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
8
+ * Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
9
+ [[GitHub #266]](https://github.com/ruby/openssl/pull/266)
10
+ * Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
11
+ [[GitHub #322]](https://github.com/ruby/openssl/pull/322)
10
12
 
11
- Version 2.1.3
12
- =============
13
13
 
14
- Bug fixes
15
- ---------
14
+ Notable changes
15
+ ---------------
16
16
 
17
- * Fix deprecation warnings on Ruby 3.0.
18
- * Add ".include" directive support in `OpenSSL::Config`.
19
- [[GitHub #216]](https://github.com/ruby/openssl/pull/216)
20
- * Fix handling of IPv6 address SANs.
17
+ * Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
18
+ 5 to `Socket::SOMAXCONN`.
19
+ [[GitHub #286]](https://github.com/ruby/openssl/issues/286)
20
+ * Make `OpenSSL::HMAC#==` use a timing safe string comparison.
21
+ [[GitHub #284]](https://github.com/ruby/openssl/pull/284)
22
+ * Add support for SHA3 and BLAKE digests.
23
+ [[GitHub #282]](https://github.com/ruby/openssl/pull/282)
24
+ * Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
25
+ returning an `OpenSSL::SSL::SSLSocket` for it.
26
+ [[GitHub #225]](https://github.com/ruby/openssl/issues/225)
27
+ * Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
28
+ [[GitHub #281]](https://github.com/ruby/openssl/pull/281)
29
+ [[GitHub #363]](https://github.com/ruby/openssl/pull/363)
30
+ * Add `OpenSSL.secure_compare` for timing safe string comparison for
31
+ strings of possibly unequal length.
32
+ [[GitHub #280]](https://github.com/ruby/openssl/pull/280)
33
+ * Add `OpenSSL.fixed_length_secure_compare` for timing safe string
34
+ comparison for strings of equal length.
35
+ [[GitHub #269]](https://github.com/ruby/openssl/pull/269)
36
+ * Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
37
+ for last finished message sent and received.
38
+ [[GitHub #250]](https://github.com/ruby/openssl/pull/250)
39
+ * Add `OpenSSL::Timestamp` module for handing timestamp requests and
40
+ responses.
41
+ [[GitHub #204]](https://github.com/ruby/openssl/pull/204)
42
+ * Add helper methods for `OpenSSL::X509::Certificate`:
43
+ `find_extension`, `subject_key_identifier`,
44
+ `authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
45
+ `ocsp_uris`, and for `OpenSSL::X509::CRL`:
46
+ `find_extension` and `subject_key_identifier`.
47
+ [[GitHub #260]](https://github.com/ruby/openssl/pull/260)
48
+ [[GitHub #275]](https://github.com/ruby/openssl/pull/275)
49
+ [[GitHub #293]](https://github.com/ruby/openssl/pull/293)
50
+ * Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
51
+ [[GitHub #261]](https://github.com/ruby/openssl/pull/261)
52
+ * Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
53
+ `crt_params` to do proper private key serialization.
54
+ [[GitHub #258]](https://github.com/ruby/openssl/pull/258)
55
+ * Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
56
+ underlying socket file descriptor number.
57
+ [[GitHub #247]](https://github.com/ruby/openssl/pull/247)
58
+ * Support client certificates with TLS 1.3, and support post-handshake
59
+ authentication with OpenSSL 1.1.1+.
60
+ [[GitHub #239]](https://github.com/ruby/openssl/pull/239)
61
+ * Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
62
+ * Add `OpenSSL::X509::Extension#value_der` for the raw value of
63
+ the extension.
64
+ [[GitHub #234]](https://github.com/ruby/openssl/pull/234)
65
+ * Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
66
+ [[GitHub #212]](https://github.com/ruby/openssl/pull/212)
67
+ * Ensure all valid IPv6 addresses are considered valid as elements
68
+ of subjectAlternativeName in certificates.
21
69
  [[GitHub #185]](https://github.com/ruby/openssl/pull/185)
22
- * Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
23
- sets a proper error code.
24
- [[GitHub #350]](https://github.com/ruby/openssl/pull/350)
25
- * Fix crash with `OpenSSL::BN.new(nil, 2)`.
26
- [[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
27
- * `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
28
- being modified by another thread.
29
- [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
30
- * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
31
- for output.
32
- * Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
33
- [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
34
- * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
35
- newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
36
- OpenSSL 3.0 API.
37
- [[GitHub #458]](https://github.com/ruby/openssl/pull/458)
38
- * Activate `digest` gem correctly. `digest` library could go into an
39
- inconsistent state if there are multiple versions of `digest` is installed
40
- and `openssl` is `require`d before `digest`.
41
- [[GitHub #463]](https://github.com/ruby/openssl/pull/463)
42
- * Fix GC.compact compatibility.
43
- [[GitHub #464]](https://github.com/ruby/openssl/issues/464)
44
- [[GitHub #465]](https://github.com/ruby/openssl/pull/465)
70
+ * Allow recipient's certificate to be omitted in PCKS7#decrypt.
71
+ [[GitHub #183]](https://github.com/ruby/openssl/pull/183)
72
+ * Add support for reading keys in PKCS #8 format and export via instance methods
73
+ added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
74
+ `public_to_der` and `public_to_pem`.
75
+ [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
45
76
 
46
77
 
47
78
  Version 2.1.2
data/README.md CHANGED
@@ -1,7 +1,7 @@
1
1
  # OpenSSL for Ruby
2
2
 
3
- [![Build Status](https://travis-ci.org/ruby/openssl.svg?branch=master)](https://travis-ci.org/ruby/openssl)
4
- [![Build status](https://ci.appveyor.com/api/projects/status/b8djtmwo7l26f88y/branch/master?svg=true)](https://ci.appveyor.com/project/ruby/openssl/branch/master)
3
+ [![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
4
+
5
5
 
6
6
  OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
7
7
  OpenSSL library.
@@ -1,5 +1,5 @@
1
1
  # -*- coding: us-ascii -*-
2
- # frozen_string_literal: false
2
+ # frozen_string_literal: true
3
3
  =begin
4
4
  = Info
5
5
  'OpenSSL for Ruby 2' project
@@ -12,16 +12,12 @@
12
12
  =end
13
13
 
14
14
  require "mkmf"
15
- require File.expand_path('../deprecation', __FILE__)
16
15
 
17
- dir_config_given = dir_config("openssl").any?
16
+ dir_config("openssl")
18
17
  dir_config("kerberos")
19
18
 
20
19
  Logging::message "=== OpenSSL for Ruby configurator ===\n"
21
20
 
22
- # Check with -Werror=deprecated-declarations if available
23
- OpenSSL.deprecated_warning_flag
24
-
25
21
  ##
26
22
  # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
27
23
  # To turn it on, use: --with-debug or --enable-debug
@@ -37,6 +33,15 @@ if $mswin || $mingw
37
33
  have_library("ws2_32")
38
34
  end
39
35
 
36
+ Logging::message "=== Checking for required stuff... ===\n"
37
+ result = pkg_config("openssl") && have_header("openssl/ssl.h")
38
+
39
+ if $mingw
40
+ append_cflags '-D_FORTIFY_SOURCE=2'
41
+ append_ldflags '-fstack-protector'
42
+ have_library 'ssp'
43
+ end
44
+
40
45
  def find_openssl_library
41
46
  if $mswin || $mingw
42
47
  # required for static OpenSSL libraries
@@ -87,52 +92,42 @@ def find_openssl_library
87
92
  return false
88
93
  end
89
94
 
90
- Logging::message "=== Checking for required stuff... ===\n"
91
- pkg_config_found = !dir_config_given && pkg_config("openssl") && have_header("openssl/ssl.h")
92
-
93
- if !pkg_config_found && !find_openssl_library
94
- Logging::message "=== Checking for required stuff failed. ===\n"
95
- Logging::message "Makefile wasn't created. Fix the errors above.\n"
96
- raise "OpenSSL library could not be found. You might want to use " \
97
- "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
98
- "is installed."
99
- end
100
-
101
- version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
102
- is_libressl = true
103
- checking_for("LibreSSL version >= 2.5.0") {
104
- try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
105
- else
106
- checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
107
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
108
- !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
109
- end
110
- unless version_ok
111
- raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
95
+ unless result
96
+ unless find_openssl_library
97
+ Logging::message "=== Checking for required stuff failed. ===\n"
98
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
99
+ raise "OpenSSL library could not be found. You might want to use " \
100
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
101
+ "is installed."
102
+ end
112
103
  end
113
104
 
114
- # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
115
- if is_libressl && ($mswin || $mingw)
116
- $defs.push("-DNOCRYPT")
105
+ unless checking_for("OpenSSL version is 1.0.1 or later") {
106
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
107
+ raise "OpenSSL >= 1.0.1 or LibreSSL is required"
117
108
  end
118
109
 
119
110
  Logging::message "=== Checking for OpenSSL features... ===\n"
120
111
  # compile options
121
112
  have_func("RAND_egd")
122
- engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
123
- cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
113
+ engines = %w{dynamic 4758cca aep atalla chil
114
+ cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
124
115
  engines.each { |name|
125
- OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
116
+ have_func("ENGINE_load_#{name}()", "openssl/engine.h")
126
117
  }
127
118
 
119
+ if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
120
+ $defs.push("-DNOCRYPT")
121
+ end
122
+
128
123
  # added in 1.0.2
129
124
  have_func("EC_curve_nist2nid")
130
125
  have_func("X509_REVOKED_dup")
131
126
  have_func("X509_STORE_CTX_get0_store")
132
127
  have_func("SSL_CTX_set_alpn_select_cb")
133
- OpenSSL.check_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
134
- OpenSSL.check_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h")
135
- OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
128
+ have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
129
+ have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
130
+ have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
136
131
  have_func("SSL_is_server")
137
132
 
138
133
  # added in 1.1.0
@@ -148,9 +143,9 @@ have_func("EVP_MD_CTX_new")
148
143
  have_func("EVP_MD_CTX_free")
149
144
  have_func("HMAC_CTX_new")
150
145
  have_func("HMAC_CTX_free")
151
- OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
152
146
  have_func("X509_STORE_get_ex_data")
153
147
  have_func("X509_STORE_set_ex_data")
148
+ have_func("X509_STORE_get_ex_new_index")
154
149
  have_func("X509_CRL_get0_signature")
155
150
  have_func("X509_REQ_get0_signature")
156
151
  have_func("X509_REVOKED_get0_serialNumber")
@@ -166,16 +161,23 @@ have_func("X509_CRL_up_ref")
166
161
  have_func("X509_STORE_up_ref")
167
162
  have_func("SSL_SESSION_up_ref")
168
163
  have_func("EVP_PKEY_up_ref")
169
- OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
170
- OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
164
+ have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
165
+ have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
171
166
  have_func("SSL_CTX_get_security_level")
172
167
  have_func("X509_get0_notBefore")
173
168
  have_func("SSL_SESSION_get_protocol_version")
169
+ have_func("TS_STATUS_INFO_get0_status")
170
+ have_func("TS_STATUS_INFO_get0_text")
171
+ have_func("TS_STATUS_INFO_get0_failure_info")
172
+ have_func("TS_VERIFY_CTS_set_certs")
173
+ have_func("TS_VERIFY_CTX_set_store")
174
+ have_func("TS_VERIFY_CTX_add_flags")
175
+ have_func("TS_RESP_CTX_set_time_cb")
174
176
  have_func("EVP_PBE_scrypt")
177
+ have_func("SSL_CTX_set_post_handshake_auth")
175
178
 
176
179
  Logging::message "=== Checking done. ===\n"
177
180
 
178
181
  create_header
179
- OpenSSL.restore_warning_flag
180
182
  create_makefile("openssl")
181
183
  Logging::message "Done.\n"
@@ -72,6 +72,9 @@ void ossl_HMAC_CTX_free(HMAC_CTX *);
72
72
  #if !defined(HAVE_X509_STORE_SET_EX_DATA)
73
73
  # define X509_STORE_set_ex_data(x, idx, data) \
74
74
  CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
75
+ #endif
76
+
77
+ #if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index)
75
78
  # define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
76
79
  CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
77
80
  (newf), (dupf), (freef))
@@ -144,7 +147,8 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
144
147
  CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
145
148
  #endif
146
149
 
147
- #if !defined(HAVE_OPAQUE_OPENSSL)
150
+ #if !defined(HAVE_OPAQUE_OPENSSL) && \
151
+ (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
148
152
  #define IMPL_PKEY_GETTER(_type, _name) \
149
153
  static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
150
154
  return pkey->pkey._name; }
@@ -219,4 +223,35 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
219
223
  # define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
220
224
  #endif
221
225
 
226
+ #if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS)
227
+ # define TS_STATUS_INFO_get0_status(a) ((a)->status)
228
+ #endif
229
+
230
+ #if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT)
231
+ # define TS_STATUS_INFO_get0_text(a) ((a)->text)
232
+ #endif
233
+
234
+ #if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
235
+ # define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info)
236
+ #endif
237
+
238
+ #if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS)
239
+ # define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts))
240
+ #endif
241
+
242
+ #if !defined(HAVE_TS_VERIFY_CTX_SET_STORE)
243
+ # define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str))
244
+ #endif
245
+
246
+ #if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS)
247
+ # define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f))
248
+ #endif
249
+
250
+ #if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB)
251
+ # define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \
252
+ (ctx)->time_cb = (callback); \
253
+ (ctx)->time_cb_data = (dta); \
254
+ } while (0)
255
+ #endif
256
+
222
257
  #endif /* _OSSL_OPENSSL_MISSING_H_ */
data/ext/openssl/ossl.c CHANGED
@@ -604,6 +604,35 @@ static void Init_ossl_locks(void)
604
604
  }
605
605
  #endif /* !HAVE_OPENSSL_110_THREADING_API */
606
606
 
607
+ /*
608
+ * call-seq:
609
+ * OpenSSL.fixed_length_secure_compare(string, string) -> boolean
610
+ *
611
+ * Constant time memory comparison for fixed length strings, such as results
612
+ * of HMAC calculations.
613
+ *
614
+ * Returns +true+ if the strings are identical, +false+ if they are of the same
615
+ * length but not identical. If the length is different, +ArgumentError+ is
616
+ * raised.
617
+ */
618
+ static VALUE
619
+ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
620
+ {
621
+ const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
622
+ const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
623
+ long len1 = RSTRING_LEN(str1);
624
+ long len2 = RSTRING_LEN(str2);
625
+
626
+ if (len1 != len2) {
627
+ ossl_raise(rb_eArgError, "inputs must be of equal length");
628
+ }
629
+
630
+ switch (CRYPTO_memcmp(p1, p2, len1)) {
631
+ case 0: return Qtrue;
632
+ default: return Qfalse;
633
+ }
634
+ }
635
+
607
636
  /*
608
637
  * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
609
638
  * OpenSSL[https://www.openssl.org/] library.
@@ -635,7 +664,7 @@ static void Init_ossl_locks(void)
635
664
  * ahold of the key may use it unless it is encrypted. In order to securely
636
665
  * export a key you may export it with a pass phrase.
637
666
  *
638
- * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
667
+ * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
639
668
  * pass_phrase = 'my secure pass phrase goes here'
640
669
  *
641
670
  * key_secure = key.export cipher, pass_phrase
@@ -710,16 +739,14 @@ static void Init_ossl_locks(void)
710
739
  * To sign a document, a cryptographically secure hash of the document is
711
740
  * computed first, which is then signed using the private key.
712
741
  *
713
- * digest = OpenSSL::Digest::SHA256.new
714
- * signature = key.sign digest, document
742
+ * signature = key.sign 'SHA256', document
715
743
  *
716
744
  * To validate the signature, again a hash of the document is computed and
717
745
  * the signature is decrypted using the public key. The result is then
718
746
  * compared to the hash just computed, if they are equal the signature was
719
747
  * valid.
720
748
  *
721
- * digest = OpenSSL::Digest::SHA256.new
722
- * if key.verify digest, signature, document
749
+ * if key.verify 'SHA256', signature, document
723
750
  * puts 'Valid'
724
751
  * else
725
752
  * puts 'Invalid'
@@ -745,7 +772,7 @@ static void Init_ossl_locks(void)
745
772
  * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
746
773
  * the number of iterations largely depends on the hardware being used.
747
774
  *
748
- * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
775
+ * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
749
776
  * cipher.encrypt
750
777
  * iv = cipher.random_iv
751
778
  *
@@ -753,7 +780,7 @@ static void Init_ossl_locks(void)
753
780
  * salt = OpenSSL::Random.random_bytes 16
754
781
  * iter = 20000
755
782
  * key_len = cipher.key_len
756
- * digest = OpenSSL::Digest::SHA256.new
783
+ * digest = OpenSSL::Digest.new('SHA256')
757
784
  *
758
785
  * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
759
786
  * cipher.key = key
@@ -768,7 +795,7 @@ static void Init_ossl_locks(void)
768
795
  * Use the same steps as before to derive the symmetric AES key, this time
769
796
  * setting the Cipher up for decryption.
770
797
  *
771
- * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
798
+ * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
772
799
  * cipher.decrypt
773
800
  * cipher.iv = iv # the one generated with #random_iv
774
801
  *
@@ -776,7 +803,7 @@ static void Init_ossl_locks(void)
776
803
  * salt = ... # the one generated above
777
804
  * iter = 20000
778
805
  * key_len = cipher.key_len
779
- * digest = OpenSSL::Digest::SHA256.new
806
+ * digest = OpenSSL::Digest.new('SHA256')
780
807
  *
781
808
  * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
782
809
  * cipher.key = key
@@ -803,7 +830,7 @@ static void Init_ossl_locks(void)
803
830
  *
804
831
  * First set up the cipher for encryption
805
832
  *
806
- * encryptor = OpenSSL::Cipher.new 'AES-128-CBC'
833
+ * encryptor = OpenSSL::Cipher.new 'AES-256-CBC'
807
834
  * encryptor.encrypt
808
835
  * encryptor.pkcs5_keyivgen pass_phrase, salt
809
836
  *
@@ -816,7 +843,7 @@ static void Init_ossl_locks(void)
816
843
  *
817
844
  * Use a new Cipher instance set up for decryption
818
845
  *
819
- * decryptor = OpenSSL::Cipher.new 'AES-128-CBC'
846
+ * decryptor = OpenSSL::Cipher.new 'AES-256-CBC'
820
847
  * decryptor.decrypt
821
848
  * decryptor.pkcs5_keyivgen pass_phrase, salt
822
849
  *
@@ -833,7 +860,7 @@ static void Init_ossl_locks(void)
833
860
  * signature.
834
861
  *
835
862
  * key = OpenSSL::PKey::RSA.new 2048
836
- * name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
863
+ * name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
837
864
  *
838
865
  * cert = OpenSSL::X509::Certificate.new
839
866
  * cert.version = 2
@@ -872,7 +899,7 @@ static void Init_ossl_locks(void)
872
899
  * certificate.
873
900
  *
874
901
  * cert.issuer = name
875
- * cert.sign key, OpenSSL::Digest::SHA1.new
902
+ * cert.sign key, OpenSSL::Digest.new('SHA1')
876
903
  *
877
904
  * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
878
905
  *
@@ -904,7 +931,7 @@ static void Init_ossl_locks(void)
904
931
  * ca_key = OpenSSL::PKey::RSA.new 2048
905
932
  * pass_phrase = 'my secure pass phrase goes here'
906
933
  *
907
- * cipher = OpenSSL::Cipher.new 'AES-128-CBC'
934
+ * cipher = OpenSSL::Cipher.new 'AES-256-CBC'
908
935
  *
909
936
  * open 'ca_key.pem', 'w', 0400 do |io|
910
937
  * io.write ca_key.export(cipher, pass_phrase)
@@ -915,7 +942,7 @@ static void Init_ossl_locks(void)
915
942
  * A CA certificate is created the same way we created a certificate above, but
916
943
  * with different extensions.
917
944
  *
918
- * ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
945
+ * ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example'
919
946
  *
920
947
  * ca_cert = OpenSSL::X509::Certificate.new
921
948
  * ca_cert.serial = 0
@@ -948,7 +975,7 @@ static void Init_ossl_locks(void)
948
975
  *
949
976
  * Root CA certificates are self-signed.
950
977
  *
951
- * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
978
+ * ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
952
979
  *
953
980
  * The CA certificate is saved to disk so it may be distributed to all the
954
981
  * users of the keys this CA will sign.
@@ -966,7 +993,7 @@ static void Init_ossl_locks(void)
966
993
  * csr.version = 0
967
994
  * csr.subject = name
968
995
  * csr.public_key = key.public_key
969
- * csr.sign key, OpenSSL::Digest::SHA1.new
996
+ * csr.sign key, OpenSSL::Digest.new('SHA1')
970
997
  *
971
998
  * A CSR is saved to disk and sent to the CA for signing.
972
999
  *
@@ -1010,7 +1037,7 @@ static void Init_ossl_locks(void)
1010
1037
  * csr_cert.add_extension \
1011
1038
  * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
1012
1039
  *
1013
- * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
1040
+ * csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
1014
1041
  *
1015
1042
  * open 'csr_cert.pem', 'w' do |io|
1016
1043
  * io.write csr_cert.to_pem
@@ -1125,11 +1152,7 @@ Init_openssl(void)
1125
1152
  */
1126
1153
  mOSSL = rb_define_module("OpenSSL");
1127
1154
  rb_global_variable(&mOSSL);
1128
-
1129
- /*
1130
- * OpenSSL ruby extension version
1131
- */
1132
- rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
1155
+ rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
1133
1156
 
1134
1157
  /*
1135
1158
  * Version of OpenSSL the ruby OpenSSL extension was built with
@@ -1205,6 +1228,9 @@ Init_openssl(void)
1205
1228
  Init_ossl_pkey();
1206
1229
  Init_ossl_rand();
1207
1230
  Init_ossl_ssl();
1231
+ #ifndef OPENSSL_NO_TS
1232
+ Init_ossl_ts();
1233
+ #endif
1208
1234
  Init_ossl_x509();
1209
1235
  Init_ossl_ocsp();
1210
1236
  Init_ossl_engine();
data/ext/openssl/ossl.h CHANGED
@@ -27,7 +27,9 @@
27
27
  #include <openssl/hmac.h>
28
28
  #include <openssl/rand.h>
29
29
  #include <openssl/conf.h>
30
- #include <openssl/conf_api.h>
30
+ #ifndef OPENSSL_NO_TS
31
+ #include <openssl/ts.h>
32
+ #endif
31
33
  #include <openssl/crypto.h>
32
34
  #if !defined(OPENSSL_NO_ENGINE)
33
35
  # include <openssl/engine.h>
@@ -86,9 +88,8 @@ VALUE ossl_buf2str(char *buf, int len);
86
88
  VALUE ossl_str_new(const char *, long, int *);
87
89
  #define ossl_str_adjust(str, p) \
88
90
  do{\
89
- long len = RSTRING_LEN(str);\
90
91
  long newlen = (long)((p) - (unsigned char*)RSTRING_PTR(str));\
91
- assert(newlen <= len);\
92
+ assert(newlen <= RSTRING_LEN(str));\
92
93
  rb_str_set_len((str), newlen);\
93
94
  }while(0)
94
95
  /*
@@ -168,7 +169,9 @@ void ossl_debug(const char *, ...);
168
169
  #include "ossl_pkey.h"
169
170
  #include "ossl_rand.h"
170
171
  #include "ossl_ssl.h"
171
- #include "ossl_version.h"
172
+ #ifndef OPENSSL_NO_TS
173
+ #include "ossl_ts.h"
174
+ #endif
172
175
  #include "ossl_x509.h"
173
176
  #include "ossl_engine.h"
174
177
  #include "ossl_kdf.h"
@@ -1285,6 +1285,30 @@ ossl_asn1obj_get_ln(VALUE self)
1285
1285
  return ret;
1286
1286
  }
1287
1287
 
1288
+ /*
1289
+ * call-seq:
1290
+ * oid == other_oid => true or false
1291
+ *
1292
+ * Returns +true+ if _other_oid_ is the same as _oid_
1293
+ */
1294
+ static VALUE
1295
+ ossl_asn1obj_eq(VALUE self, VALUE other)
1296
+ {
1297
+ VALUE valSelf, valOther;
1298
+ int nidSelf, nidOther;
1299
+
1300
+ valSelf = ossl_asn1_get_value(self);
1301
+ valOther = ossl_asn1_get_value(other);
1302
+
1303
+ if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
1304
+ ossl_raise(eASN1Error, "OBJ_txt2nid");
1305
+
1306
+ if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
1307
+ ossl_raise(eASN1Error, "OBJ_txt2nid");
1308
+
1309
+ return nidSelf == nidOther ? Qtrue : Qfalse;
1310
+ }
1311
+
1288
1312
  static VALUE
1289
1313
  asn1obj_get_oid_i(VALUE vobj)
1290
1314
  {
@@ -1818,6 +1842,7 @@ do{\
1818
1842
  rb_define_method(cASN1ObjectId, "oid", ossl_asn1obj_get_oid, 0);
1819
1843
  rb_define_alias(cASN1ObjectId, "short_name", "sn");
1820
1844
  rb_define_alias(cASN1ObjectId, "long_name", "ln");
1845
+ rb_define_method(cASN1ObjectId, "==", ossl_asn1obj_eq, 1);
1821
1846
  rb_attr(cASN1BitString, rb_intern("unused_bits"), 1, 1, 0);
1822
1847
 
1823
1848
  rb_define_method(cASN1EndOfContent, "initialize", ossl_asn1eoc_initialize, 0);