openssl 2.2.0 → 3.0.0

Files changed (47) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +32 -44
  3. data/History.md +155 -0
  4. data/ext/openssl/extconf.rb +43 -38
  5. data/ext/openssl/openssl_missing.c +0 -66
  6. data/ext/openssl/openssl_missing.h +26 -45
  7. data/ext/openssl/ossl.c +67 -47
  8. data/ext/openssl/ossl.h +20 -6
  9. data/ext/openssl/ossl_asn1.c +16 -4
  10. data/ext/openssl/ossl_bn.c +267 -143
  11. data/ext/openssl/ossl_bn.h +2 -1
  12. data/ext/openssl/ossl_cipher.c +11 -11
  13. data/ext/openssl/ossl_config.c +412 -41
  14. data/ext/openssl/ossl_config.h +4 -7
  15. data/ext/openssl/ossl_digest.c +15 -11
  16. data/ext/openssl/ossl_engine.c +16 -15
  17. data/ext/openssl/ossl_hmac.c +48 -135
  18. data/ext/openssl/ossl_kdf.c +8 -0
  19. data/ext/openssl/ossl_ocsp.c +3 -51
  20. data/ext/openssl/ossl_pkcs12.c +21 -3
  21. data/ext/openssl/ossl_pkcs7.c +42 -59
  22. data/ext/openssl/ossl_pkey.c +1102 -191
  23. data/ext/openssl/ossl_pkey.h +35 -72
  24. data/ext/openssl/ossl_pkey_dh.c +124 -334
  25. data/ext/openssl/ossl_pkey_dsa.c +93 -398
  26. data/ext/openssl/ossl_pkey_ec.c +126 -318
  27. data/ext/openssl/ossl_pkey_rsa.c +100 -487
  28. data/ext/openssl/ossl_ssl.c +322 -375
  29. data/ext/openssl/ossl_ssl_session.c +24 -29
  30. data/ext/openssl/ossl_ts.c +64 -39
  31. data/ext/openssl/ossl_x509.c +0 -6
  32. data/ext/openssl/ossl_x509cert.c +164 -8
  33. data/ext/openssl/ossl_x509crl.c +10 -7
  34. data/ext/openssl/ossl_x509ext.c +1 -2
  35. data/ext/openssl/ossl_x509name.c +9 -2
  36. data/ext/openssl/ossl_x509req.c +10 -7
  37. data/ext/openssl/ossl_x509store.c +193 -90
  38. data/lib/openssl/buffering.rb +10 -1
  39. data/lib/openssl/hmac.rb +65 -0
  40. data/lib/openssl/pkey.rb +417 -0
  41. data/lib/openssl/ssl.rb +8 -8
  42. data/lib/openssl/version.rb +1 -1
  43. data/lib/openssl/x509.rb +22 -0
  44. data/lib/openssl.rb +0 -1
  45. metadata +8 -66
  46. data/ext/openssl/ruby_missing.h +0 -24
  47. data/lib/openssl/config.rb +0 -501
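--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 6f52e266d6038d1d7173a58d9ad72207e7d492da086ef0ecf9484a8b1cac5156
-data.tar.gz: ca3211e0c3887311a9d0ac997c864e0cdd54fc0c7510d04c2497c9c99b97fd0c
+metadata.gz: d382c0c6e46a7009fa58a8378b052341712f115f73f90c2409fdfa990c5c3a41
+data.tar.gz: dc54eb994bb6c4de4e425c32702ec551b5c9d1d677062e629cbf162d171a5dec
 SHA512:
-metadata.gz: b20ff54093b47c1d1da2f90a41ee1787bcd6a3e14c26f86f4c117d5ec6703364c73df226da5bf357ec6440770b639dd92575e468caeaf38fd8815ef52fb9864f
-data.tar.gz: 6f64e438c1cc74cea40674a4d3d5926ecc3ea4a0701dd02514f990fcbcb8c525a364789f832ac649fe65e557522a9df983e5beca5f3476b3ec29f7a82b15f071
+metadata.gz: 8516105c4fb7d40619519c8165d45c602dd6ed65971ad8289ad70e9a7fc89d36c16a801c62ecf7c82e9068f07a3a63df69c3d9faf693796b071c059cdb10f805
+data.tar.gz: 5c6cc181f035383b724b6bd5d249e36797c5079482e88efa137e9dc74b0b338fd4be7d6d27d7e39a67054429a64d79305a15146c645ee23c97696f1838640c7a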
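--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -12,16 +12,17 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include:
-* Ruby version
-* OpenSSL gem version
-* OpenSSL library version
+When reporting a bug, please make sure you include:
+
+* Ruby version (`ruby -v`)
+* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
+* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
 * A sample file that illustrates the problem or link to the repository or
 gem that is associated with the bug.
 
 There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
-[known issues] and [bugs.ruby-lang.org], the previous issue tracker.
+[known issues].
 
 ## Submitting patches
 
@@ -34,62 +35,50 @@ Make sure that your branch does:
 * Have good commit messages
 * Follow Ruby's coding style ([DeveloperHowTo])
 * Pass the test suite successfully (see "Testing")
-* Add an entry to [History.md] if necessary
 
 ## Testing
 
 We have a test suite!
 
 Test cases are located under the
-[`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
+[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
+directory.
 
 You can run it with the following three commands:
 
 ```
-$ rake install_dependencies # installs rake-compiler, test-unit, ...
-$ rake compile
-$ rake test
+$ bundle install # installs rake-compiler, test-unit, ...
+$ bundle exec rake compile
+$ bundle exec rake test
 ```
 
-### Docker
-
-You can also use Docker Compose to run tests. It can be used to check that your
-changes work correctly with various supported versions of Ruby and OpenSSL.
-
-First, you need to install [Docker](https://www.docker.com/products/docker) and
-[Docker Compose](https://www.docker.com/products/docker-compose) on your
-computer.
+### With different versions of OpenSSL
 
-If you're on MacOS or Windows, we recommended to use the official [Docker
-Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
-instructions for your package manager. For further information, please check
-the [official documentation](https://docs.docker.com/).
+Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
+to pass on all supported combinations.
 
-Once you have Docker and Docker Compose, running the following commands will
-build the container and execute the openssl tests. In this example, we will use
-Ruby version 2.3 with OpenSSL version 1.0.2.
+Similarly to when installing `openssl` gem via the `gem` command,
+you can pass a `--with-openssl-dir` argument to `rake compile`
+to specify the OpenSSL library to build against.
 
 ```
-$ docker-compose build
-$ export RUBY_VERSION=ruby-2.3
-$ export OPENSSL_VERSION=openssl-1.0.2
-$ docker-compose run test
-
-# You may want an interactive shell for dubugging
-$ docker-compose run debug
+$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
+tar xf openssl-3.0.1.tar.gz &&
+cd openssl-3.0.1 &&
+./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
+make -j4 &&
+make install )
+
+$ # in Ruby/OpenSSL's source directory
+$ bundle exec rake clean
+$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
+$ bundle exec rake test
 ```
 
-All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
-[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
-
-**NOTE**: these commands must be run from the openssl repository root, in order
-to use the
-[`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
-file we have provided.
-
-This Docker image is built using the
-[Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
-provided in the repository.
+The GitHub Actions workflow file
+[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
+contains useful information for building OpenSSL/LibreSSL and testing against
+them.
 
 
 ## Relation with Ruby source tree
@@ -124,7 +113,6 @@ _Thanks for your contributions!_
 
 [GitHub]: https://github.com/ruby/openssl
 [known issues]: https://github.com/ruby/openssl/issues
-[bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
 [DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
 [HackerOne]: https://hackerone.com/ruby
 [Security]: https://www.ruby-lang.org/en/security/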
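--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,122 @@
+Version 3.0.0
+=============
+
+Compatibility notes
+-------------------
+
+* OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
+[[GitHub #396]](https://github.com/ruby/openssl/pull/396)
+[[GitHub #466]](https://github.com/ruby/openssl/pull/466)
+
+* OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
+1.1 and contains incompatible changes that affect Ruby/OpenSSL.
+Note that OpenSSL 3.0 support is preliminary and not all features are
+currently available:
+[[GitHub #369]](https://github.com/ruby/openssl/issues/369)
+
+- Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
+made EVP_PKEY structure immutable, and hence the following methods are not
+available when Ruby/OpenSSL is linked against OpenSSL 3.0.
+[[GitHub #480]](https://github.com/ruby/openssl/pull/480)
+
+- `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
+- `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
+- `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
+- `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
+
+- Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
+in favor of the new "provider" concept and will be removed in a future
+version.
+[[GitHub #481]](https://github.com/ruby/openssl/pull/481)
+
+* `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
+deprecated since v2.0.0 because it is incompatible with modern OpenSSL
+versions.
+[[GitHub #394]](https://github.com/ruby/openssl/pull/394)
+
+* `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
+if called before a TLS connection is established. Historically, they
+read/wrote unencrypted data to the underlying socket directly in that case.
+[[GitHub #9]](https://github.com/ruby/openssl/issues/9)
+[[GitHub #469]](https://github.com/ruby/openssl/pull/469)
+
+
+Notable changes
+---------------
+
+* Enhance OpenSSL::PKey's common interface.
+[[GitHub #370]](https://github.com/ruby/openssl/issues/370)
+
+- Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
+DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
+[[GitHub #328]](https://github.com/ruby/openssl/issues/328)
+- Key generation: Add `OpenSSL::PKey.generate_parameters` and
+`OpenSSL::PKey.generate_key`.
+[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+- Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
+the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
+or later. They also now take optional algorithm-specific parameters for more
+control.
+[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+- Low-level public key signing and verification: Add
+`OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
+[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+- Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
+[[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+- Key agreement: Add `OpenSSL::PKey::PKey#derive`.
+[[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+- Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
+that two keys have common parameters and a public key.
+[[GitHub #383]](https://github.com/ruby/openssl/issues/383)
+
+* Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
+with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
+[[GitHub #417]](https://github.com/ruby/openssl/issues/417)
+
+* Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
+[[GitHub #430]](https://github.com/ruby/openssl/issues/430)
+
+* Add `OpenSSL::SSL::SSLSocket#getbyte`.
+[[GitHub #438]](https://github.com/ruby/openssl/issues/438)
+
+* Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
+[[GitHub #459]](https://github.com/ruby/openssl/pull/459)
+
+* Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
+list of X.509 certificates at once.
+[[GitHub #441]](https://github.com/ruby/openssl/pull/441)
+
+* Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
+string first as DER encoding first and then as PEM encoding to ensure the
+round-trip consistency.
+[[GitHub #442]](https://github.com/ruby/openssl/pull/442)
+
+* Update various part of the code base to use the modern API. No breaking
+changes are intended with this. This includes:
+
+- `OpenSSL::HMAC` uses the EVP API.
+[[GitHub #371]](https://github.com/ruby/openssl/issues/371)
+- `OpenSSL::Config` uses native OpenSSL API to parse config files.
+[[GitHub #342]](https://github.com/ruby/openssl/issues/342)
+
+
+Version 2.2.1
+=============
+
+Merged changes in 2.1.3. Additionally, the following issues are fixed by this
+release.
+
+Bug fixes
+---------
+
+* Fix crash in `OpenSSL::Timestamp::{Request,Response,TokenInfo}.new` when
+invalid arguments are given.
+[[GitHub #407]](https://github.com/ruby/openssl/pull/407)
+* Fix `OpenSSL::Timestamp::Factory#create_timestamp` with LibreSSL on platforms
+where `time_t` has a different size from `long`.
+[[GitHub #454]](https://github.com/ruby/openssl/pull/454)
+
+
 Version 2.2.0
 =============
 
@@ -75,6 +194,42 @@ Notable changes
 [[GitHub #297]](https://github.com/ruby/openssl/pull/297)
 
 
+Version 2.1.3
+=============
+
+Bug fixes
+---------
+
+* Fix deprecation warnings on Ruby 3.0.
+* Add ".include" directive support in `OpenSSL::Config`.
+[[GitHub #216]](https://github.com/ruby/openssl/pull/216)
+* Fix handling of IPv6 address SANs.
+[[GitHub #185]](https://github.com/ruby/openssl/pull/185)
+* Hostname verification failure with `OpenSSL::SSL::SSLContext#verify_hostname=`
+sets a proper error code.
+[[GitHub #350]](https://github.com/ruby/openssl/pull/350)
+* Fix crash with `OpenSSL::BN.new(nil, 2)`.
+[[Bug #15760]](https://bugs.ruby-lang.org/issues/15760)
+* `OpenSSL::SSL::SSLSocket#sys{read,write}` prevent internal string buffers from
+being modified by another thread.
+[[GitHub #453]](https://github.com/ruby/openssl/pull/453)
+* Fix misuse of input record separator in `OpenSSL::Buffering` where it was
+for output.
+* Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
+[[GitHub #460]](https://github.com/ruby/openssl/pull/460)
+* `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
+newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support
+OpenSSL 3.0 API.
+[[GitHub #458]](https://github.com/ruby/openssl/pull/458)
+* Activate `digest` gem correctly. `digest` library could go into an
+inconsistent state if there are multiple versions of `digest` is installed
+and `openssl` is `require`d before `digest`.
+[[GitHub #463]](https://github.com/ruby/openssl/pull/463)
+* Fix GC.compact compatibility.
+[[GitHub #464]](https://github.com/ruby/openssl/issues/464)
+[[GitHub #465]](https://github.com/ruby/openssl/pull/465)
+
+
 Version 2.1.2
 =============
 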
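--- a/data/ext/openssl/extconf.rb
+++ b/data/ext/openssl/extconf.rb
@@ -26,6 +26,8 @@ if with_config("debug") or enable_config("debug")
 $defs.push("-DOSSL_DEBUG")
 end
 
+have_func("rb_io_maybe_wait") # Ruby 3.1
+
 Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
 have_library("socket", "socket")
@@ -33,9 +35,6 @@ if $mswin || $mingw
 have_library("ws2_32")
 end
 
-Logging::message "=== Checking for required stuff... ===\n"
-result = pkg_config("openssl") && have_header("openssl/ssl.h")
-
 if $mingw
 append_cflags '-D_FORTIFY_SOURCE=2'
 append_ldflags '-fstack-protector'
@@ -92,19 +91,32 @@ def find_openssl_library
 return false
 end
 
-unless result
-unless find_openssl_library
-Logging::message "=== Checking for required stuff failed. ===\n"
-Logging::message "Makefile wasn't created. Fix the errors above.\n"
-raise "OpenSSL library could not be found. You might want to use " \
-"--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
-"is installed."
-end
+Logging::message "=== Checking for required stuff... ===\n"
+pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
+
+if !pkg_config_found && !find_openssl_library
+Logging::message "=== Checking for required stuff failed. ===\n"
+Logging::message "Makefile wasn't created. Fix the errors above.\n"
+raise "OpenSSL library could not be found. You might want to use " \
+"--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
+"is installed."
+end
+
+version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
+is_libressl = true
+checking_for("LibreSSL version >= 3.1.0") {
+try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
+else
+checking_for("OpenSSL version >= 1.0.2") {
+try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
+end
+unless version_ok
+raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
 end
 
-unless checking_for("OpenSSL version is 1.0.1 or later") {
-try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
-raise "OpenSSL >= 1.0.1 or LibreSSL is required"
+# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
+if is_libressl && ($mswin || $mingw)
+$defs.push("-DNOCRYPT")
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
@@ -116,33 +128,13 @@ engines.each { |name|
 have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 
-if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
-$defs.push("-DNOCRYPT")
-end
-
-# added in 1.0.2
-have_func("EC_curve_nist2nid")
-have_func("X509_REVOKED_dup")
-have_func("X509_STORE_CTX_get0_store")
-have_func("SSL_CTX_set_alpn_select_cb")
-have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_is_server")
-
 # added in 1.1.0
-if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
-try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
 $defs.push("-DHAVE_OPAQUE_OPENSSL")
 end
-have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
-have_func("BN_GENCB_new")
-have_func("BN_GENCB_free")
-have_func("BN_GENCB_get_arg")
 have_func("EVP_MD_CTX_new")
 have_func("EVP_MD_CTX_free")
-have_func("HMAC_CTX_new")
-have_func("HMAC_CTX_free")
+have_func("EVP_MD_CTX_pkey_ctx")
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
 have_func("X509_STORE_get_ex_new_index")
@@ -161,7 +153,6 @@ have_func("X509_CRL_up_ref")
 have_func("X509_STORE_up_ref")
 have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
-have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
 have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
 have_func("SSL_CTX_get_security_level")
 have_func("X509_get0_notBefore")
@@ -169,13 +160,27 @@ have_func("SSL_SESSION_get_protocol_version")
 have_func("TS_STATUS_INFO_get0_status")
 have_func("TS_STATUS_INFO_get0_text")
 have_func("TS_STATUS_INFO_get0_failure_info")
-have_func("TS_VERIFY_CTS_set_certs")
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
 have_func("TS_VERIFY_CTX_set_store")
 have_func("TS_VERIFY_CTX_add_flags")
 have_func("TS_RESP_CTX_set_time_cb")
 have_func("EVP_PBE_scrypt")
 have_func("SSL_CTX_set_post_handshake_auth")
 
+# added in 1.1.1
+have_func("EVP_PKEY_check")
+
+# added in 3.0.0
+have_func("SSL_set0_tmp_dh_pkey")
+have_func("ERR_get_error_all")
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
+have_func("SSL_CTX_load_verify_file")
+have_func("BN_check_prime")
+have_func("EVP_MD_CTX_get0_md")
+have_func("EVP_MD_CTX_get_pkey_ctx")
+have_func("EVP_PKEY_eq")
+have_func("EVP_PKEY_dup")
+
 Logging::message "=== Checking done. ===\n"
 
 create_header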
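Review bot: In the `version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", ...)` hunk, `is_libressl` is assigned only inside the LibreSSL branch, so on an OpenSSL build the later `if is_libressl && ($mswin || $mingw)` and `|| is_libressl` tests read a local that was never assigned; Ruby yields nil there, so the script works, but the dependency is implicit and would break if the check were ever moved into a method. An explicit `is_libressl = false` immediately before the `version_ok = if ...` line makes the two-state intent visible and keeps the later tests meaningful under a refactor. Separately, the new floor `OPENSSL_VERSION_NUMBER >= 0x10002000L` still accepts OpenSSL 1.0.2 and 1.1.0, both of which are past end of life; a configure-time `warn` when the static assert for `>= 0x10101000L` fails would make builds against an unpatched library visible in the log without changing what is accepted.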
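--- a/data/ext/openssl/openssl_missing.c
+++ b/data/ext/openssl/openssl_missing.c
@@ -10,77 +10,11 @@
 #include RUBY_EXTCONF_H
 
 #include <string.h> /* memcpy() */
-#if !defined(OPENSSL_NO_ENGINE)
-# include <openssl/engine.h>
-#endif
-#if !defined(OPENSSL_NO_HMAC)
-# include <openssl/hmac.h>
-#endif
 #include <openssl/x509_vfy.h>
 
 #include "openssl_missing.h"
 
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-static struct {
-const char *name;
-int nid;
-} nist_curves[] = {
-{"B-163", NID_sect163r2},
-{"B-233", NID_sect233r1},
-{"B-283", NID_sect283r1},
-{"B-409", NID_sect409r1},
-{"B-571", NID_sect571r1},
-{"K-163", NID_sect163k1},
-{"K-233", NID_sect233k1},
-{"K-283", NID_sect283k1},
-{"K-409", NID_sect409k1},
-{"K-571", NID_sect571k1},
-{"P-192", NID_X9_62_prime192v1},
-{"P-224", NID_secp224r1},
-{"P-256", NID_X9_62_prime256v1},
-{"P-384", NID_secp384r1},
-{"P-521", NID_secp521r1}
-};
-
-int
-ossl_EC_curve_nist2nid(const char *name)
-{
-size_t i;
-for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
-if (!strcmp(nist_curves[i].name, name))
-return nist_curves[i].nid;
-}
-return NID_undef;
-}
-#endif
-#endif
-
 /*** added in 1.1.0 ***/
-#if !defined(HAVE_HMAC_CTX_NEW)
-HMAC_CTX *
-ossl_HMAC_CTX_new(void)
-{
-HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
-if (!ctx)
-return NULL;
-HMAC_CTX_init(ctx);
-return ctx;
-}
-#endif
-
-#if !defined(HAVE_HMAC_CTX_FREE)
-void
-ossl_HMAC_CTX_free(HMAC_CTX *ctx)
-{
-if (ctx) {
-HMAC_CTX_cleanup(ctx);
-OPENSSL_free(ctx);
-}
-}
-#endif
-
 #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
 void
 ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,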
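--- a/data/ext/openssl/openssl_missing.h
+++ b/data/ext/openssl/openssl_missing.h
@@ -12,40 +12,7 @@
 
 #include "ruby/config.h"
 
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-int ossl_EC_curve_nist2nid(const char *);
-# define EC_curve_nist2nid ossl_EC_curve_nist2nid
-#endif
-#endif
-
-#if !defined(HAVE_X509_REVOKED_DUP)
-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
-(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
-# define X509_STORE_CTX_get0_store(x) ((x)->ctx)
-#endif
-
-#if !defined(HAVE_SSL_IS_SERVER)
-# define SSL_is_server(s) ((s)->server)
-#endif
-
 /* added in 1.1.0 */
-#if !defined(HAVE_BN_GENCB_NEW)
-# define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
-#endif
-
-#if !defined(HAVE_BN_GENCB_FREE)
-# define BN_GENCB_free(cb) OPENSSL_free(cb)
-#endif
-
-#if !defined(HAVE_BN_GENCB_GET_ARG)
-# define BN_GENCB_get_arg(cb) (cb)->arg
-#endif
-
 #if !defined(HAVE_EVP_MD_CTX_NEW)
 # define EVP_MD_CTX_new EVP_MD_CTX_create
 #endif
@@ -54,16 +21,6 @@ int ossl_EC_curve_nist2nid(const char *);
 # define EVP_MD_CTX_free EVP_MD_CTX_destroy
 #endif
 
-#if !defined(HAVE_HMAC_CTX_NEW)
-HMAC_CTX *ossl_HMAC_CTX_new(void);
-# define HMAC_CTX_new ossl_HMAC_CTX_new
-#endif
-
-#if !defined(HAVE_HMAC_CTX_FREE)
-void ossl_HMAC_CTX_free(HMAC_CTX *);
-# define HMAC_CTX_free ossl_HMAC_CTX_free
-#endif
-
 #if !defined(HAVE_X509_STORE_GET_EX_DATA)
 # define X509_STORE_get_ex_data(x, idx) \
 CRYPTO_get_ex_data(&(x)->ex_data, (idx))
@@ -147,8 +104,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
 CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #endif
 
-#if !defined(HAVE_OPAQUE_OPENSSL) && \
-(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+#if !defined(HAVE_OPAQUE_OPENSSL)
 #define IMPL_PKEY_GETTER(_type, _name) \
 static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
 return pkey->pkey._name; }
@@ -254,4 +210,29 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 } while (0)
 #endif
 
+/* added in 3.0.0 */
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
+#endif
+
+#ifndef HAVE_EVP_MD_CTX_GET0_MD
+# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
+#endif
+
+/*
+* OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
+* EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
+*/
+#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
+# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
+# define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
+# else
+# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
+# endif
+#endif
+
+#ifndef HAVE_EVP_PKEY_EQ
+# define EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)
+#endif
+
 #endif /* _OSSL_OPENSSL_MISSING_H_ */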
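Review bot: The struct-access fallback `# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx` in the new `/* added in 3.0.0 */` block leaves its expansion unparenthesized, while the shims this file keeps (e.g. `X509_STORE_CTX_get0_store(x) ((x)->ctx)` on the removed side) wrap the whole body; `->` binds tightly enough that this is unlikely to misparse, but `# define EVP_MD_CTX_get_pkey_ctx(x) ((x)->pctx)` costs nothing and matches the file's convention. The same block mixes `#ifndef HAVE_...` with the `#if !defined(HAVE_...)` form used everywhere else in the header; picking one form keeps the shims greppable. The `EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)` alias deserves a one-line note for callers, since both functions use the same multi-valued result and truthiness is the wrong test: `/* Same contract as EVP_PKEY_eq(): 1 = match, 0 = mismatch, -1 = key types differ, -2 = unsupported; callers must test == 1. */`.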