openssl 2.1.4 → 2.2.2
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +9 -7
- data/History.md +100 -0
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +24 -15
- data/ext/openssl/openssl_missing.h +36 -1
- data/ext/openssl/ossl.c +58 -25
- data/ext/openssl/ossl.h +7 -4
- data/ext/openssl/ossl_asn1.c +25 -0
- data/ext/openssl/ossl_bn.c +65 -10
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +33 -24
- data/ext/openssl/ossl_digest.c +16 -51
- data/ext/openssl/ossl_engine.c +2 -12
- data/ext/openssl/ossl_hmac.c +5 -11
- data/ext/openssl/ossl_kdf.c +3 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +6 -11
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs7.c +3 -19
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +180 -14
- data/ext/openssl/ossl_pkey_dsa.c +2 -2
- data/ext/openssl/ossl_pkey_ec.c +29 -0
- data/ext/openssl/ossl_pkey_rsa.c +17 -9
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +94 -42
- data/ext/openssl/ossl_ts.c +1524 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509cert.c +2 -2
- data/ext/openssl/ossl_x509ext.c +14 -0
- data/ext/openssl/ossl_x509name.c +7 -3
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +28 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/config.rb +17 -8
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +13 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +18 -1
- data/lib/openssl/ssl.rb +40 -2
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +155 -1
- data/lib/openssl.rb +25 -9
- metadata +6 -3
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
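--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ca57a155a863eab5ef5138956be25ab7915d701d10e7487605f3f909262aecdc
+data.tar.gz: ae7d5d15ae4944d79c8bd45a4279b4ab5fa021604ad8bb12759ebf3c9f6ff33d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 479a5f07bc88c5cc20e4be271da0f1e0314c69bcde3a3b173871e6499f905cb5d0335cc91b7132eb7c1b10382c088f23e5734aa5eadb675979f65afeb3e9f9fe
+data.tar.gz: b3a5c5346ee5b3becedc9040c1a7e87344333c0cc1903566db1b24090897e45c186aded4e6c68f49eab16a13a42faf77d7adff89ea527fff5c73d4c0e976a27d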
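--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include
-
-
-
-
-
+When reporting a bug, please make sure you include:
+* Ruby version
+* OpenSSL gem version
+* OpenSSL library version
+* A sample file that illustrates the problem or link to the repository or
+gem that is associated with the bug.
+
+There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
 [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
 
@@ -78,7 +80,7 @@ $ docker-compose run debug
 ```
 
 All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
-[
+[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
 
 **NOTE**: these commands must be run from the openssl repository root, in order
 to use the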
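--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,103 @@
+Version 2.2.2
+=============
+
+Merged changes in 2.1.4.
+
+
+Version 2.2.1
+=============
+
+Merged changes in 2.1.3. Additionally, the following issues are fixed by this
+release.
+
+Bug fixes
+---------
+
+* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
+invalid arguments are given.
+[[GitHub #407]](https://github.com/ruby/openssl/pull/407)
+* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
+where `time_t` has a different size from `long`.
+[[GitHub #454]](https://github.com/ruby/openssl/pull/454)
+
+
+Version 2.2.0
+=============
+
+Compatibility notes
+-------------------
+
+* Remove unsupported MDC2, DSS, DSS1, and SHA algorithms.
+* Remove `OpenSSL::PKCS7::SignerInfo#name` alias for `#issuer`.
+[[GitHub #266]](https://github.com/ruby/openssl/pull/266)
+* Deprecate `OpenSSL::Config#add_value` and `#[]=` for future removal.
+[[GitHub #322]](https://github.com/ruby/openssl/pull/322)
+
+
+Notable changes
+---------------
+
+* Change default `OpenSSL::SSL::SSLServer#listen` backlog argument from
+5 to `Socket::SOMAXCONN`.
+[[GitHub #286]](https://github.com/ruby/openssl/issues/286)
+* Make `OpenSSL::HMAC#==` use a timing safe string comparison.
+[[GitHub #284]](https://github.com/ruby/openssl/pull/284)
+* Add support for SHA3 and BLAKE digests.
+[[GitHub #282]](https://github.com/ruby/openssl/pull/282)
+* Add `OpenSSL::SSL::SSLSocket.open` for opening a `TCPSocket` and
+returning an `OpenSSL::SSL::SSLSocket` for it.
+[[GitHub #225]](https://github.com/ruby/openssl/issues/225)
+* Support marshalling of `OpenSSL::X509` and `OpenSSL::PKey` objects.
+[[GitHub #281]](https://github.com/ruby/openssl/pull/281)
+[[GitHub #363]](https://github.com/ruby/openssl/pull/363)
+* Add `OpenSSL.secure_compare` for timing safe string comparison for
+strings of possibly unequal length.
+[[GitHub #280]](https://github.com/ruby/openssl/pull/280)
+* Add `OpenSSL.fixed_length_secure_compare` for timing safe string
+comparison for strings of equal length.
+[[GitHub #269]](https://github.com/ruby/openssl/pull/269)
+* Add `OpenSSL::SSL::SSLSocket#{finished_message,peer_finished_message}`
+for last finished message sent and received.
+[[GitHub #250]](https://github.com/ruby/openssl/pull/250)
+* Add `OpenSSL::Timestamp` module for handing timestamp requests and
+responses.
+[[GitHub #204]](https://github.com/ruby/openssl/pull/204)
+* Add helper methods for `OpenSSL::X509::Certificate`:
+`find_extension`, `subject_key_identifier`,
+`authority_key_identifier`, `crl_uris`, `ca_issuer_uris` and
+`ocsp_uris`, and for `OpenSSL::X509::CRL`:
+`find_extension` and `subject_key_identifier`.
+[[GitHub #260]](https://github.com/ruby/openssl/pull/260)
+[[GitHub #275]](https://github.com/ruby/openssl/pull/275)
+[[GitHub #293]](https://github.com/ruby/openssl/pull/293)
+* Add `OpenSSL::ECPoint#add` for performing elliptic curve point addition.
+[[GitHub #261]](https://github.com/ruby/openssl/pull/261)
+* Make `OpenSSL::PKey::RSA#{export,to_der}` check `key`, `factors`, and
+`crt_params` to do proper private key serialization.
+[[GitHub #258]](https://github.com/ruby/openssl/pull/258)
+* Add `OpenSSL::SSL::{SSLSocket,SSLServer}#fileno`, returning the
+underlying socket file descriptor number.
+[[GitHub #247]](https://github.com/ruby/openssl/pull/247)
+* Support client certificates with TLS 1.3, and support post-handshake
+authentication with OpenSSL 1.1.1+.
+[[GitHub #239]](https://github.com/ruby/openssl/pull/239)
+* Add `OpenSSL::ASN1::ObjectId#==` for equality testing.
+* Add `OpenSSL::X509::Extension#value_der` for the raw value of
+the extension.
+[[GitHub #234]](https://github.com/ruby/openssl/pull/234)
+* Significantly reduce allocated memory in `OpenSSL::Buffering#do_write`.
+[[GitHub #212]](https://github.com/ruby/openssl/pull/212)
+* Ensure all valid IPv6 addresses are considered valid as elements
+of subjectAlternativeName in certificates.
+[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
+* Allow recipient's certificate to be omitted in PCKS7#decrypt.
+[[GitHub #183]](https://github.com/ruby/openssl/pull/183)
+* Add support for reading keys in PKCS #8 format and export via instance methods
+added to `OpenSSL::PKey` classes: `private_to_der`, `private_to_pem`,
+`public_to_der` and `public_to_pem`.
+[[GitHub #297]](https://github.com/ruby/openssl/pull/297)
+
+
 Version 2.1.4
 =============
 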
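--- a/data/README.md
+++ b/data/README.md
@@ -1,7 +1,7 @@
 # OpenSSL for Ruby
 
-[![
-
+[![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
+
 
 OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
 OpenSSL library.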
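--- a/data/ext/openssl/extconf.rb
+++ b/data/ext/openssl/extconf.rb
@@ -1,5 +1,5 @@
 # -*- coding: us-ascii -*-
-# frozen_string_literal:
+# frozen_string_literal: true
 =begin
 = Info
 'OpenSSL for Ruby 2' project
@@ -12,16 +12,12 @@
 =end
 
 require "mkmf"
-require File.expand_path('../deprecation', __FILE__)
 
 dir_config_given = dir_config("openssl").any?
 dir_config("kerberos")
 
 Logging::message "=== OpenSSL for Ruby configurator ===\n"
 
-# Check with -Werror=deprecated-declarations if available
-OpenSSL.deprecated_warning_flag
-
 ##
 # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
 # To turn it on, use: --with-debug or --enable-debug
@@ -37,6 +33,12 @@ if $mswin || $mingw
 have_library("ws2_32")
 end
 
+if $mingw
+append_cflags '-D_FORTIFY_SOURCE=2'
+append_ldflags '-fstack-protector'
+have_library 'ssp'
+end
+
 def find_openssl_library
 if $mswin || $mingw
 # required for static OpenSSL libraries
@@ -119,10 +121,10 @@ end
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
 have_func("RAND_egd")
-engines = %w{
-cswift nuron sureware ubsec padlock capi gmp gost cryptodev
+engines = %w{dynamic 4758cca aep atalla chil
+cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
 engines.each { |name|
-
+have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 
 # added in 1.0.2
@@ -130,9 +132,9 @@ have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")
 have_func("X509_STORE_CTX_get0_store")
 have_func("SSL_CTX_set_alpn_select_cb")
-
-
-
+have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
+have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
+have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
 have_func("SSL_is_server")
 
 # added in 1.1.0
@@ -148,9 +150,9 @@ have_func("EVP_MD_CTX_new")
 have_func("EVP_MD_CTX_free")
 have_func("HMAC_CTX_new")
 have_func("HMAC_CTX_free")
-OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
+have_func("X509_STORE_get_ex_new_index")
 have_func("X509_CRL_get0_signature")
 have_func("X509_REQ_get0_signature")
 have_func("X509_REVOKED_get0_serialNumber")
@@ -166,16 +168,23 @@ have_func("X509_CRL_up_ref")
 have_func("X509_STORE_up_ref")
 have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
-
-
+have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
+have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
 have_func("SSL_CTX_get_security_level")
 have_func("X509_get0_notBefore")
 have_func("SSL_SESSION_get_protocol_version")
+have_func("TS_STATUS_INFO_get0_status")
+have_func("TS_STATUS_INFO_get0_text")
+have_func("TS_STATUS_INFO_get0_failure_info")
+have_func("TS_VERIFY_CTS_set_certs")
+have_func("TS_VERIFY_CTX_set_store")
+have_func("TS_VERIFY_CTX_add_flags")
+have_func("TS_RESP_CTX_set_time_cb")
 have_func("EVP_PBE_scrypt")
+have_func("SSL_CTX_set_post_handshake_auth")
 
 Logging::message "=== Checking done. ===\n"
 
 create_header
-OpenSSL.restore_warning_flag
 create_makefile("openssl")
 Logging::message "Done.\n"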
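Review bot: In the added `if $mingw` block the stack protector is requested only at link time (`append_ldflags '-fstack-protector'`), and no matching compile flag is visible in this hunk. If Ruby's configured CFLAGS do not already carry it, the extension's functions are not instrumented and the block only supplies libssp for `_FORTIFY_SOURCE`. A one-line comment would record the intent, e.g. `# mingw: _FORTIFY_SOURCE=2 needs libssp at link time; -fstack-protector is expected in Ruby's own CFLAGS`, or add `append_cflags '-fstack-protector'` if that assumption does not hold. The result of `have_library 'ssp'` is also ignored, so a toolchain without libssp is only discovered at link time.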
@@ -72,6 +72,9 @@ void ossl_HMAC_CTX_free(HMAC_CTX *);
|
|
72
72
|
#if !defined(HAVE_X509_STORE_SET_EX_DATA)
|
73
73
|
# define X509_STORE_set_ex_data(x, idx, data) \
|
74
74
|
CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
|
75
|
+
#endif
|
76
|
+
|
77
|
+
#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index)
|
75
78
|
# define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
|
76
79
|
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
|
77
80
|
(newf), (dupf), (freef))
|
@@ -144,7 +147,8 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
|
|
144
147
|
CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
145
148
|
#endif
|
146
149
|
|
147
|
-
#if !defined(HAVE_OPAQUE_OPENSSL)
|
150
|
+
#if !defined(HAVE_OPAQUE_OPENSSL) && \
|
151
|
+
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
|
148
152
|
#define IMPL_PKEY_GETTER(_type, _name) \
|
149
153
|
static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
|
150
154
|
return pkey->pkey._name; }
|
@@ -219,4 +223,35 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
219
223
|
# define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
|
220
224
|
#endif
|
221
225
|
|
226
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS)
|
227
|
+
# define TS_STATUS_INFO_get0_status(a) ((a)->status)
|
228
|
+
#endif
|
229
|
+
|
230
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT)
|
231
|
+
# define TS_STATUS_INFO_get0_text(a) ((a)->text)
|
232
|
+
#endif
|
233
|
+
|
234
|
+
#if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
|
235
|
+
# define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info)
|
236
|
+
#endif
|
237
|
+
|
238
|
+
#if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS)
|
239
|
+
# define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts))
|
240
|
+
#endif
|
241
|
+
|
242
|
+
#if !defined(HAVE_TS_VERIFY_CTX_SET_STORE)
|
243
|
+
# define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str))
|
244
|
+
#endif
|
245
|
+
|
246
|
+
#if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS)
|
247
|
+
# define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f))
|
248
|
+
#endif
|
249
|
+
|
250
|
+
#if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB)
|
251
|
+
# define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \
|
252
|
+
(ctx)->time_cb = (callback); \
|
253
|
+
(ctx)->time_cb_data = (dta); \
|
254
|
+
} while (0)
|
255
|
+
#endif
|
256
|
+
|
222
257
|
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
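--- a/data/ext/openssl/ossl.c
+++ b/data/ext/openssl/ossl.c
@@ -497,8 +497,11 @@ print_mem_leaks(VALUE self)
 int ret;
 #endif
 
-
-
+#ifndef HAVE_RB_EXT_RACTOR_SAFE
+// for Ruby 2.x
+void ossl_bn_ctx_free(void); // ossl_bn.c
+ossl_bn_ctx_free();
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 ret = CRYPTO_mem_leaks_fp(stderr);
@@ -604,6 +607,35 @@ static void Init_ossl_locks(void)
 }
 #endif /* !HAVE_OPENSSL_110_THREADING_API */
 
+/*
+* call-seq:
+* OpenSSL.fixed_length_secure_compare(string, string) -> boolean
+*
+* Constant time memory comparison for fixed length strings, such as results
+* of HMAC calculations.
+*
+* Returns +true+ if the strings are identical, +false+ if they are of the same
+* length but not identical. If the length is different, +ArgumentError+ is
+* raised.
+*/
+static VALUE
+ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
+{
+const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
+const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
+long len1 = RSTRING_LEN(str1);
+long len2 = RSTRING_LEN(str2);
+
+if (len1 != len2) {
+ossl_raise(rb_eArgError, "inputs must be of equal length");
+}
+
+switch (CRYPTO_memcmp(p1, p2, len1)) {
+case 0: return Qtrue;
+default: return Qfalse;
+}
+}
+
 /*
 * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
 * OpenSSL[https://www.openssl.org/] library.
@@ -635,7 +667,7 @@ static void Init_ossl_locks(void)
 * ahold of the key may use it unless it is encrypted. In order to securely
 * export a key you may export it with a pass phrase.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * pass_phrase = 'my secure pass phrase goes here'
 *
 * key_secure = key.export cipher, pass_phrase
@@ -710,16 +742,14 @@ static void Init_ossl_locks(void)
 * To sign a document, a cryptographically secure hash of the document is
 * computed first, which is then signed using the private key.
 *
-*
-* signature = key.sign digest, document
+* signature = key.sign 'SHA256', document
 *
 * To validate the signature, again a hash of the document is computed and
 * the signature is decrypted using the public key. The result is then
 * compared to the hash just computed, if they are equal the signature was
 * valid.
 *
-*
-* if key.verify digest, signature, document
+* if key.verify 'SHA256', signature, document
 * puts 'Valid'
 * else
 * puts 'Invalid'
@@ -745,7 +775,7 @@ static void Init_ossl_locks(void)
 * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
 * the number of iterations largely depends on the hardware being used.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * cipher.encrypt
 * iv = cipher.random_iv
 *
@@ -753,7 +783,7 @@ static void Init_ossl_locks(void)
 * salt = OpenSSL::Random.random_bytes 16
 * iter = 20000
 * key_len = cipher.key_len
-* digest = OpenSSL::Digest
+* digest = OpenSSL::Digest.new('SHA256')
 *
 * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
 * cipher.key = key
@@ -768,7 +798,7 @@ static void Init_ossl_locks(void)
 * Use the same steps as before to derive the symmetric AES key, this time
 * setting the Cipher up for decryption.
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 * cipher.decrypt
 * cipher.iv = iv # the one generated with #random_iv
 *
@@ -776,7 +806,7 @@ static void Init_ossl_locks(void)
 * salt = ... # the one generated above
 * iter = 20000
 * key_len = cipher.key_len
-* digest = OpenSSL::Digest
+* digest = OpenSSL::Digest.new('SHA256')
 *
 * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
 * cipher.key = key
@@ -803,7 +833,7 @@ static void Init_ossl_locks(void)
 *
 * First set up the cipher for encryption
 *
-* encryptor = OpenSSL::Cipher.new 'AES-
+* encryptor = OpenSSL::Cipher.new 'AES-256-CBC'
 * encryptor.encrypt
 * encryptor.pkcs5_keyivgen pass_phrase, salt
 *
@@ -816,7 +846,7 @@ static void Init_ossl_locks(void)
 *
 * Use a new Cipher instance set up for decryption
 *
-* decryptor = OpenSSL::Cipher.new 'AES-
+* decryptor = OpenSSL::Cipher.new 'AES-256-CBC'
 * decryptor.decrypt
 * decryptor.pkcs5_keyivgen pass_phrase, salt
 *
@@ -833,7 +863,7 @@ static void Init_ossl_locks(void)
 * signature.
 *
 * key = OpenSSL::PKey::RSA.new 2048
-* name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+* name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
 *
 * cert = OpenSSL::X509::Certificate.new
 * cert.version = 2
@@ -872,7 +902,7 @@ static void Init_ossl_locks(void)
 * certificate.
 *
 * cert.issuer = name
-* cert.sign key, OpenSSL::Digest
+* cert.sign key, OpenSSL::Digest.new('SHA1')
 *
 * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
 *
@@ -904,7 +934,7 @@ static void Init_ossl_locks(void)
 * ca_key = OpenSSL::PKey::RSA.new 2048
 * pass_phrase = 'my secure pass phrase goes here'
 *
-* cipher = OpenSSL::Cipher.new 'AES-
+* cipher = OpenSSL::Cipher.new 'AES-256-CBC'
 *
 * open 'ca_key.pem', 'w', 0400 do |io|
 * io.write ca_key.export(cipher, pass_phrase)
@@ -915,7 +945,7 @@ static void Init_ossl_locks(void)
 * A CA certificate is created the same way we created a certificate above, but
 * with different extensions.
 *
-* ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+* ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example'
 *
 * ca_cert = OpenSSL::X509::Certificate.new
 * ca_cert.serial = 0
@@ -948,7 +978,7 @@ static void Init_ossl_locks(void)
 *
 * Root CA certificates are self-signed.
 *
-* ca_cert.sign ca_key, OpenSSL::Digest
+* ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
 *
 * The CA certificate is saved to disk so it may be distributed to all the
 * users of the keys this CA will sign.
@@ -966,7 +996,7 @@ static void Init_ossl_locks(void)
 * csr.version = 0
 * csr.subject = name
 * csr.public_key = key.public_key
-* csr.sign key, OpenSSL::Digest
+* csr.sign key, OpenSSL::Digest.new('SHA1')
 *
 * A CSR is saved to disk and sent to the CA for signing.
 *
@@ -1010,7 +1040,7 @@ static void Init_ossl_locks(void)
 * csr_cert.add_extension \
 * extension_factory.create_extension('subjectKeyIdentifier', 'hash')
 *
-* csr_cert.sign ca_key, OpenSSL::Digest
+* csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
 *
 * open 'csr_cert.pem', 'w' do |io|
 * io.write csr_cert.to_pem
@@ -1099,6 +1129,10 @@ static void Init_ossl_locks(void)
 void
 Init_openssl(void)
 {
+#if HAVE_RB_EXT_RACTOR_SAFE
+rb_ext_ractor_safe(true);
+#endif
+
 #undef rb_intern
 /*
 * Init timezone info
@@ -1125,11 +1159,7 @@ Init_openssl(void)
 */
 mOSSL = rb_define_module("OpenSSL");
 rb_global_variable(&mOSSL);
-
-/*
-* OpenSSL ruby extension version
-*/
-rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
+rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
 
 /*
 * Version of OpenSSL the ruby OpenSSL extension was built with
@@ -1205,6 +1235,9 @@ Init_openssl(void)
 Init_ossl_pkey();
 Init_ossl_rand();
 Init_ossl_ssl();
+#ifndef OPENSSL_NO_TS
+Init_ossl_ts();
+#endif
 Init_ossl_x509();
 Init_ossl_ocsp();
 Init_ossl_engine();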
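Review bot: In `ossl_crypto_fixed_length_secure_compare` the pointer `p1` is taken from `str1` before `StringValuePtr(str2)` runs, and that second conversion can call `to_str` on a non-String argument, which is Ruby code that may resize or replace the first string's buffer. `p1` would then be stale while `len1` is read afterwards from the current string, so `CRYPTO_memcmp` could read memory that no longer belongs to `str1`. Converting both arguments before taking any pointer closes that window: call `StringValue(str1); StringValue(str2);` first and only then read `RSTRING_PTR` and `RSTRING_LEN` for each.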
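--- a/data/ext/openssl/ossl.h
+++ b/data/ext/openssl/ossl.h
@@ -27,7 +27,9 @@
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/conf.h>
-#
+#ifndef OPENSSL_NO_TS
+#include <openssl/ts.h>
+#endif
 #include <openssl/crypto.h>
 #if !defined(OPENSSL_NO_ENGINE)
 # include <openssl/engine.h>
@@ -86,9 +88,8 @@ VALUE ossl_buf2str(char *buf, int len);
 VALUE ossl_str_new(const char *, long, int *);
 #define ossl_str_adjust(str, p) \
 do{\
-long len = RSTRING_LEN(str);\
 long newlen = (long)((p) - (unsigned char*)RSTRING_PTR(str));\
-assert(newlen <=
+assert(newlen <= RSTRING_LEN(str));\
 rb_str_set_len((str), newlen);\
 }while(0)
 /*
@@ -168,7 +169,9 @@ void ossl_debug(const char *, ...);
 #include "ossl_pkey.h"
 #include "ossl_rand.h"
 #include "ossl_ssl.h"
-#
+#ifndef OPENSSL_NO_TS
+#include "ossl_ts.h"
+#endif
 #include "ossl_x509.h"
 #include "ossl_engine.h"
 #include "ossl_kdf.h"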
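--- a/data/ext/openssl/ossl_asn1.c
+++ b/data/ext/openssl/ossl_asn1.c
@@ -1285,6 +1285,30 @@ ossl_asn1obj_get_ln(VALUE self)
 return ret;
 }
 
+/*
+* call-seq:
+* oid == other_oid => true or false
+*
+* Returns +true+ if _other_oid_ is the same as _oid_
+*/
+static VALUE
+ossl_asn1obj_eq(VALUE self, VALUE other)
+{
+VALUE valSelf, valOther;
+int nidSelf, nidOther;
+
+valSelf = ossl_asn1_get_value(self);
+valOther = ossl_asn1_get_value(other);
+
+if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
+ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
+ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+return nidSelf == nidOther ? Qtrue : Qfalse;
+}
+
 static VALUE
 asn1obj_get_oid_i(VALUE vobj)
 {
@@ -1818,6 +1842,7 @@ do{\
 rb_define_method(cASN1ObjectId, "oid", ossl_asn1obj_get_oid, 0);
 rb_define_alias(cASN1ObjectId, "short_name", "sn");
 rb_define_alias(cASN1ObjectId, "long_name", "ln");
+rb_define_method(cASN1ObjectId, "==", ossl_asn1obj_eq, 1);
 rb_attr(cASN1BitString, rb_intern("unused_bits"), 1, 1, 0);
 
 rb_define_method(cASN1EndOfContent, "initialize", ossl_asn1eoc_initialize, 0);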
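Review bot: `ossl_asn1obj_eq` raises instead of answering whenever either operand is an OID that OpenSSL has no NID for, because both sides go through `OBJ_txt2nid` and `NID_undef` is turned into `eASN1Error`. No type check on `other` is visible before `ossl_asn1_get_value(other)` either, so comparing an ObjectId with an unrelated object probably raises too rather than returning `false`. Callers that compare extension or policy OIDs with `==` would then have to rescue exceptions for private or unregistered OIDs, which makes such checks easy to get wrong. Comparing the OID text after a kind check avoids the NID table altogether. `ossl_asn1obj_get_oid` is only visible in the registration hunk and appears to be defined after this function, so the rewrite would need a prototype or to be moved below it.

```c
static VALUE
ossl_asn1obj_eq(VALUE self, VALUE other)
{
    VALUE oid1, oid2;

    /* Anything that is not an ObjectId is simply unequal. */
    if (!rb_obj_is_kind_of(other, cASN1ObjectId))
        return Qfalse;

    /* Compare the OID text so OIDs without a NID still compare. */
    oid1 = ossl_asn1obj_get_oid(self);
    oid2 = ossl_asn1obj_get_oid(other);
    return rb_str_equal(oid1, oid2);
}
```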