openssl 2.2.0 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +32 -44
- data/History.md +155 -0
- data/ext/openssl/extconf.rb +43 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +67 -47
- data/ext/openssl/ossl.h +20 -6
- data/ext/openssl/ossl_asn1.c +16 -4
- data/ext/openssl/ossl_bn.c +267 -143
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +11 -11
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +15 -11
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +48 -135
- data/ext/openssl/ossl_kdf.c +8 -0
- data/ext/openssl/ossl_ocsp.c +3 -51
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1102 -191
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +126 -318
- data/ext/openssl/ossl_pkey_rsa.c +100 -487
- data/ext/openssl/ossl_ssl.c +322 -375
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +64 -39
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +164 -8
- data/ext/openssl/ossl_x509crl.c +10 -7
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +10 -7
- data/ext/openssl/ossl_x509store.c +193 -90
- data/lib/openssl/buffering.rb +10 -1
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +417 -0
- data/lib/openssl/ssl.rb +8 -8
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +8 -66
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
data/ext/openssl/ossl.c
CHANGED
@@ -9,13 +9,19 @@
|
|
9
9
|
*/
|
10
10
|
#include "ossl.h"
|
11
11
|
#include <stdarg.h> /* for ossl_raise */
|
12
|
-
|
12
|
+
|
13
|
+
/* OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0 */
|
14
|
+
#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
|
15
|
+
# define HAVE_OPENSSL_110_THREADING_API
|
16
|
+
#else
|
17
|
+
# include <ruby/thread_native.h>
|
18
|
+
#endif
|
13
19
|
|
14
20
|
/*
|
15
21
|
* Data Conversion
|
16
22
|
*/
|
17
23
|
#define OSSL_IMPL_ARY2SK(name, type, expected_class, dup) \
|
18
|
-
|
24
|
+
VALUE \
|
19
25
|
ossl_##name##_ary2sk0(VALUE ary) \
|
20
26
|
{ \
|
21
27
|
STACK_OF(type) *sk; \
|
@@ -37,7 +43,7 @@ ossl_##name##_ary2sk0(VALUE ary) \
|
|
37
43
|
x = dup(val); /* NEED TO DUP */ \
|
38
44
|
sk_##type##_push(sk, x); \
|
39
45
|
} \
|
40
|
-
return sk;
|
46
|
+
return (VALUE)sk; \
|
41
47
|
} \
|
42
48
|
\
|
43
49
|
STACK_OF(type) * \
|
@@ -262,15 +268,11 @@ ossl_to_der_if_possible(VALUE obj)
|
|
262
268
|
/*
|
263
269
|
* Errors
|
264
270
|
*/
|
265
|
-
|
266
|
-
ossl_make_error(VALUE exc,
|
271
|
+
VALUE
|
272
|
+
ossl_make_error(VALUE exc, VALUE str)
|
267
273
|
{
|
268
|
-
VALUE str = Qnil;
|
269
274
|
unsigned long e;
|
270
275
|
|
271
|
-
if (fmt) {
|
272
|
-
str = rb_vsprintf(fmt, args);
|
273
|
-
}
|
274
276
|
e = ERR_peek_last_error();
|
275
277
|
if (e) {
|
276
278
|
const char *msg = ERR_reason_error_string(e);
|
@@ -294,37 +296,48 @@ ossl_raise(VALUE exc, const char *fmt, ...)
|
|
294
296
|
{
|
295
297
|
va_list args;
|
296
298
|
VALUE err;
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
299
|
+
|
300
|
+
if (fmt) {
|
301
|
+
va_start(args, fmt);
|
302
|
+
err = rb_vsprintf(fmt, args);
|
303
|
+
va_end(args);
|
304
|
+
}
|
305
|
+
else {
|
306
|
+
err = Qnil;
|
307
|
+
}
|
308
|
+
|
309
|
+
rb_exc_raise(ossl_make_error(exc, err));
|
301
310
|
}
|
302
311
|
|
303
312
|
void
|
304
313
|
ossl_clear_error(void)
|
305
314
|
{
|
306
315
|
if (dOSSL == Qtrue) {
|
307
|
-
|
308
|
-
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
316
|
-
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
316
|
+
unsigned long e;
|
317
|
+
const char *file, *data, *func, *lib, *reason;
|
318
|
+
char append[256] = "";
|
319
|
+
int line, flags;
|
320
|
+
|
321
|
+
#ifdef HAVE_ERR_GET_ERROR_ALL
|
322
|
+
while ((e = ERR_get_error_all(&file, &line, &func, &data, &flags))) {
|
323
|
+
#else
|
324
|
+
while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
|
325
|
+
func = ERR_func_error_string(e);
|
326
|
+
#endif
|
327
|
+
lib = ERR_lib_error_string(e);
|
328
|
+
reason = ERR_reason_error_string(e);
|
329
|
+
|
330
|
+
if (flags & ERR_TXT_STRING) {
|
331
|
+
if (!data)
|
332
|
+
data = "(null)";
|
333
|
+
snprintf(append, sizeof(append), " (%s)", data);
|
334
|
+
}
|
335
|
+
rb_warn("error on stack: error:%08lX:%s:%s:%s%s", e, lib ? lib : "",
|
336
|
+
func ? func : "", reason ? reason : "", append);
|
337
|
+
}
|
325
338
|
}
|
326
339
|
else {
|
327
|
-
|
340
|
+
ERR_clear_error();
|
328
341
|
}
|
329
342
|
}
|
330
343
|
|
@@ -386,7 +399,7 @@ ossl_debug_get(VALUE self)
|
|
386
399
|
* call-seq:
|
387
400
|
* OpenSSL.debug = boolean -> boolean
|
388
401
|
*
|
389
|
-
* Turns on or off debug mode. With debug mode, all
|
402
|
+
* Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
|
390
403
|
* error queue will be printed to stderr.
|
391
404
|
*/
|
392
405
|
static VALUE
|
@@ -497,8 +510,11 @@ print_mem_leaks(VALUE self)
|
|
497
510
|
int ret;
|
498
511
|
#endif
|
499
512
|
|
500
|
-
|
501
|
-
|
513
|
+
#ifndef HAVE_RB_EXT_RACTOR_SAFE
|
514
|
+
// for Ruby 2.x
|
515
|
+
void ossl_bn_ctx_free(void); // ossl_bn.c
|
516
|
+
ossl_bn_ctx_free();
|
517
|
+
#endif
|
502
518
|
|
503
519
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
504
520
|
ret = CRYPTO_mem_leaks_fp(stderr);
|
@@ -664,7 +680,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
664
680
|
* ahold of the key may use it unless it is encrypted. In order to securely
|
665
681
|
* export a key you may export it with a pass phrase.
|
666
682
|
*
|
667
|
-
* cipher = OpenSSL::Cipher.new '
|
683
|
+
* cipher = OpenSSL::Cipher.new 'aes-256-cbc'
|
668
684
|
* pass_phrase = 'my secure pass phrase goes here'
|
669
685
|
*
|
670
686
|
* key_secure = key.export cipher, pass_phrase
|
@@ -679,13 +695,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
679
695
|
*
|
680
696
|
* A key can also be loaded from a file.
|
681
697
|
*
|
682
|
-
* key2 = OpenSSL::PKey
|
698
|
+
* key2 = OpenSSL::PKey.read File.read 'private_key.pem'
|
683
699
|
* key2.public? # => true
|
684
700
|
* key2.private? # => true
|
685
701
|
*
|
686
702
|
* or
|
687
703
|
*
|
688
|
-
* key3 = OpenSSL::PKey
|
704
|
+
* key3 = OpenSSL::PKey.read File.read 'public_key.pem'
|
689
705
|
* key3.public? # => true
|
690
706
|
* key3.private? # => false
|
691
707
|
*
|
@@ -697,7 +713,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
697
713
|
*
|
698
714
|
* key4_pem = File.read 'private.secure.pem'
|
699
715
|
* pass_phrase = 'my secure pass phrase goes here'
|
700
|
-
* key4 = OpenSSL::PKey
|
716
|
+
* key4 = OpenSSL::PKey.read key4_pem, pass_phrase
|
701
717
|
*
|
702
718
|
* == RSA Encryption
|
703
719
|
*
|
@@ -772,7 +788,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
772
788
|
* using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
|
773
789
|
* the number of iterations largely depends on the hardware being used.
|
774
790
|
*
|
775
|
-
* cipher = OpenSSL::Cipher.new '
|
791
|
+
* cipher = OpenSSL::Cipher.new 'aes-256-cbc'
|
776
792
|
* cipher.encrypt
|
777
793
|
* iv = cipher.random_iv
|
778
794
|
*
|
@@ -795,7 +811,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
795
811
|
* Use the same steps as before to derive the symmetric AES key, this time
|
796
812
|
* setting the Cipher up for decryption.
|
797
813
|
*
|
798
|
-
* cipher = OpenSSL::Cipher.new '
|
814
|
+
* cipher = OpenSSL::Cipher.new 'aes-256-cbc'
|
799
815
|
* cipher.decrypt
|
800
816
|
* cipher.iv = iv # the one generated with #random_iv
|
801
817
|
*
|
@@ -830,7 +846,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
830
846
|
*
|
831
847
|
* First set up the cipher for encryption
|
832
848
|
*
|
833
|
-
* encryptor = OpenSSL::Cipher.new '
|
849
|
+
* encryptor = OpenSSL::Cipher.new 'aes-256-cbc'
|
834
850
|
* encryptor.encrypt
|
835
851
|
* encryptor.pkcs5_keyivgen pass_phrase, salt
|
836
852
|
*
|
@@ -843,7 +859,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
843
859
|
*
|
844
860
|
* Use a new Cipher instance set up for decryption
|
845
861
|
*
|
846
|
-
* decryptor = OpenSSL::Cipher.new '
|
862
|
+
* decryptor = OpenSSL::Cipher.new 'aes-256-cbc'
|
847
863
|
* decryptor.decrypt
|
848
864
|
* decryptor.pkcs5_keyivgen pass_phrase, salt
|
849
865
|
*
|
@@ -931,7 +947,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
931
947
|
* ca_key = OpenSSL::PKey::RSA.new 2048
|
932
948
|
* pass_phrase = 'my secure pass phrase goes here'
|
933
949
|
*
|
934
|
-
* cipher = OpenSSL::Cipher.new '
|
950
|
+
* cipher = OpenSSL::Cipher.new 'aes-256-cbc'
|
935
951
|
*
|
936
952
|
* open 'ca_key.pem', 'w', 0400 do |io|
|
937
953
|
* io.write ca_key.export(cipher, pass_phrase)
|
@@ -1069,13 +1085,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
1069
1085
|
* loop do
|
1070
1086
|
* ssl_connection = ssl_server.accept
|
1071
1087
|
*
|
1072
|
-
* data =
|
1088
|
+
* data = ssl_connection.gets
|
1073
1089
|
*
|
1074
1090
|
* response = "I got #{data.dump}"
|
1075
1091
|
* puts response
|
1076
1092
|
*
|
1077
|
-
*
|
1078
|
-
*
|
1093
|
+
* ssl_connection.puts "I got #{data.dump}"
|
1094
|
+
* ssl_connection.close
|
1079
1095
|
* end
|
1080
1096
|
*
|
1081
1097
|
* === SSL client
|
@@ -1126,6 +1142,10 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
|
|
1126
1142
|
void
|
1127
1143
|
Init_openssl(void)
|
1128
1144
|
{
|
1145
|
+
#ifdef HAVE_RB_EXT_RACTOR_SAFE
|
1146
|
+
rb_ext_ractor_safe(true);
|
1147
|
+
#endif
|
1148
|
+
|
1129
1149
|
#undef rb_intern
|
1130
1150
|
/*
|
1131
1151
|
* Init timezone info
|
data/ext/openssl/ossl.h
CHANGED
@@ -18,22 +18,19 @@
|
|
18
18
|
#include <ruby/io.h>
|
19
19
|
#include <ruby/thread.h>
|
20
20
|
#include <openssl/opensslv.h>
|
21
|
+
|
21
22
|
#include <openssl/err.h>
|
22
23
|
#include <openssl/asn1.h>
|
23
24
|
#include <openssl/x509v3.h>
|
24
25
|
#include <openssl/ssl.h>
|
25
26
|
#include <openssl/pkcs12.h>
|
26
27
|
#include <openssl/pkcs7.h>
|
27
|
-
#include <openssl/hmac.h>
|
28
28
|
#include <openssl/rand.h>
|
29
29
|
#include <openssl/conf.h>
|
30
30
|
#ifndef OPENSSL_NO_TS
|
31
31
|
#include <openssl/ts.h>
|
32
32
|
#endif
|
33
33
|
#include <openssl/crypto.h>
|
34
|
-
#if !defined(OPENSSL_NO_ENGINE)
|
35
|
-
# include <openssl/engine.h>
|
36
|
-
#endif
|
37
34
|
#if !defined(OPENSSL_NO_OCSP)
|
38
35
|
# include <openssl/ocsp.h>
|
39
36
|
#endif
|
@@ -43,6 +40,22 @@
|
|
43
40
|
#include <openssl/evp.h>
|
44
41
|
#include <openssl/dh.h>
|
45
42
|
|
43
|
+
#ifndef LIBRESSL_VERSION_NUMBER
|
44
|
+
# define OSSL_IS_LIBRESSL 0
|
45
|
+
# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
|
46
|
+
(OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
47
|
+
# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
|
48
|
+
#else
|
49
|
+
# define OSSL_IS_LIBRESSL 1
|
50
|
+
# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
|
51
|
+
# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
|
52
|
+
(LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
53
|
+
#endif
|
54
|
+
|
55
|
+
#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
56
|
+
# define OSSL_USE_ENGINE
|
57
|
+
#endif
|
58
|
+
|
46
59
|
/*
|
47
60
|
* Common Module
|
48
61
|
*/
|
@@ -121,7 +134,9 @@ int ossl_pem_passwd_cb(char *, int, int, void *);
|
|
121
134
|
/*
|
122
135
|
* ERRor messages
|
123
136
|
*/
|
124
|
-
NORETURN(void ossl_raise(VALUE, const char *, ...));
|
137
|
+
PRINTF_ARGS(NORETURN(void ossl_raise(VALUE, const char *, ...)), 2, 3);
|
138
|
+
/* Make exception instance from str and OpenSSL error reason string. */
|
139
|
+
VALUE ossl_make_error(VALUE exc, VALUE str);
|
125
140
|
/* Clear OpenSSL error queue. If dOSSL is set, rb_warn() them. */
|
126
141
|
void ossl_clear_error(void);
|
127
142
|
|
@@ -154,7 +169,6 @@ void ossl_debug(const char *, ...);
|
|
154
169
|
* Include all parts
|
155
170
|
*/
|
156
171
|
#include "openssl_missing.h"
|
157
|
-
#include "ruby_missing.h"
|
158
172
|
#include "ossl_asn1.h"
|
159
173
|
#include "ossl_bio.h"
|
160
174
|
#include "ossl_bn.h"
|
data/ext/openssl/ossl_asn1.c
CHANGED
@@ -69,6 +69,12 @@ asn1time_to_time(const ASN1_TIME *time)
|
|
69
69
|
return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
|
70
70
|
}
|
71
71
|
|
72
|
+
static VALUE
|
73
|
+
asn1time_to_time_i(VALUE arg)
|
74
|
+
{
|
75
|
+
return asn1time_to_time((ASN1_TIME *)arg);
|
76
|
+
}
|
77
|
+
|
72
78
|
void
|
73
79
|
ossl_time_split(VALUE time, time_t *sec, int *days)
|
74
80
|
{
|
@@ -136,6 +142,12 @@ num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
|
|
136
142
|
return ai;
|
137
143
|
}
|
138
144
|
|
145
|
+
static VALUE
|
146
|
+
asn1integer_to_num_i(VALUE arg)
|
147
|
+
{
|
148
|
+
return asn1integer_to_num((ASN1_INTEGER *)arg);
|
149
|
+
}
|
150
|
+
|
139
151
|
/********/
|
140
152
|
/*
|
141
153
|
* ASN1 module
|
@@ -325,7 +337,7 @@ decode_int(unsigned char* der, long length)
|
|
325
337
|
p = der;
|
326
338
|
if(!(ai = d2i_ASN1_INTEGER(NULL, &p, length)))
|
327
339
|
ossl_raise(eASN1Error, NULL);
|
328
|
-
ret = rb_protect(
|
340
|
+
ret = rb_protect(asn1integer_to_num_i,
|
329
341
|
(VALUE)ai, &status);
|
330
342
|
ASN1_INTEGER_free(ai);
|
331
343
|
if(status) rb_jump_tag(status);
|
@@ -365,7 +377,7 @@ decode_enum(unsigned char* der, long length)
|
|
365
377
|
p = der;
|
366
378
|
if(!(ai = d2i_ASN1_ENUMERATED(NULL, &p, length)))
|
367
379
|
ossl_raise(eASN1Error, NULL);
|
368
|
-
ret = rb_protect(
|
380
|
+
ret = rb_protect(asn1integer_to_num_i,
|
369
381
|
(VALUE)ai, &status);
|
370
382
|
ASN1_ENUMERATED_free(ai);
|
371
383
|
if(status) rb_jump_tag(status);
|
@@ -427,7 +439,7 @@ decode_time(unsigned char* der, long length)
|
|
427
439
|
p = der;
|
428
440
|
if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
|
429
441
|
ossl_raise(eASN1Error, NULL);
|
430
|
-
ret = rb_protect(
|
442
|
+
ret = rb_protect(asn1time_to_time_i,
|
431
443
|
(VALUE)time, &status);
|
432
444
|
ASN1_TIME_free(time);
|
433
445
|
if(status) rb_jump_tag(status);
|
@@ -1510,7 +1522,7 @@ Init_ossl_asn1(void)
|
|
1510
1522
|
*
|
1511
1523
|
* An Array that stores the name of a given tag number. These names are
|
1512
1524
|
* the same as the name of the tag constant that is additionally defined,
|
1513
|
-
* e.g. UNIVERSAL_TAG_NAME[2] = "INTEGER" and OpenSSL::ASN1::INTEGER = 2
|
1525
|
+
* e.g. +UNIVERSAL_TAG_NAME[2] = "INTEGER"+ and +OpenSSL::ASN1::INTEGER = 2+.
|
1514
1526
|
*
|
1515
1527
|
* == Example usage
|
1516
1528
|
*
|