openssl 2.2.0 → 3.2.0

data/ext/openssl/ossl_cipher.c

@@ -42,7 +42,7 @@ static const rb_data_type_t ossl_cipher_type = {
     {
 	0, ossl_cipher_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 /*
@@ -104,7 +104,7 @@ ossl_cipher_alloc(VALUE klass)
  *  call-seq:
  *     Cipher.new(string) -> cipher
  *
- *  The string must contain a valid cipher name like "AES-256-CBC".
+ *  The string must contain a valid cipher name like "aes-256-cbc".
  *
  *  A list of cipher names is available by calling OpenSSL::Cipher.ciphers.
  */
@@ -149,11 +149,11 @@ ossl_cipher_copy(VALUE self, VALUE other)
     return self;
 }
 
-static void*
-add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary)
+static void
+add_cipher_name_to_ary(const OBJ_NAME *name, void *arg)
 {
+    VALUE ary = (VALUE)arg;
     rb_ary_push(ary, rb_str_new2(name->name));
-    return NULL;
 }
 
 /*
@@ -169,7 +169,7 @@ ossl_s_ciphers(VALUE self)
 
     ary = rb_ary_new();
     OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
-                    (void(*)(const OBJ_NAME*,void*))add_cipher_name_to_ary,
+                    add_cipher_name_to_ary,
                     (void*)ary);
 
     return ary;
@@ -384,8 +384,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
 
     StringValue(data);
     in = (unsigned char *)RSTRING_PTR(data);
-    if ((in_len = RSTRING_LEN(data)) == 0)
-        ossl_raise(rb_eArgError, "data must not be empty");
+    in_len = RSTRING_LEN(data);
     GetCipher(self, ctx);
     out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
     if (out_len <= 0) {
@@ -874,7 +873,7 @@ Init_ossl_cipher(void)
      * individual components name, key length and mode. Either all uppercase
      * or all lowercase strings may be used, for example:
      *
-     *  cipher = OpenSSL::Cipher.new('AES-128-CBC')
+     *  cipher = OpenSSL::Cipher.new('aes-128-cbc')
      *
      * === Choosing either encryption or decryption mode
      *
@@ -904,7 +903,7 @@ Init_ossl_cipher(void)
      * without processing the password further. A simple and secure way to
      * create a key for a particular Cipher is
      *
-     *  cipher = OpenSSL::Cipher.new('AES-256-CFB')
+     *  cipher = OpenSSL::Cipher.new('aes-256-cfb')
      *  cipher.encrypt
      *  key = cipher.random_key # also sets the generated key on the Cipher
      *
@@ -972,14 +971,14 @@ Init_ossl_cipher(void)
      *
      *   data = "Very, very confidential data"
      *
-     *   cipher = OpenSSL::Cipher.new('AES-128-CBC')
+     *   cipher = OpenSSL::Cipher.new('aes-128-cbc')
      *   cipher.encrypt
      *   key = cipher.random_key
      *   iv = cipher.random_iv
      *
      *   encrypted = cipher.update(data) + cipher.final
      *   ...
-     *   decipher = OpenSSL::Cipher.new('AES-128-CBC')
+     *   decipher = OpenSSL::Cipher.new('aes-128-cbc')
      *   decipher.decrypt
      *   decipher.key = key
      *   decipher.iv = iv
@@ -1015,7 +1014,7 @@ Init_ossl_cipher(void)
      * not to reuse the _key_ and _nonce_ pair. Reusing an nonce ruins the
      * security guarantees of GCM mode.
      *
-     *   cipher = OpenSSL::Cipher.new('AES-128-GCM').encrypt
+     *   cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
      *   cipher.key = key
      *   cipher.iv = nonce
      *   cipher.auth_data = auth_data
@@ -1031,7 +1030,7 @@ Init_ossl_cipher(void)
      * ciphertext with a probability of 1/256.
      *
      *   raise "tag is truncated!" unless tag.bytesize == 16
-     *   decipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
+     *   decipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
      *   decipher.key = key
      *   decipher.iv = nonce
      *   decipher.auth_tag = tag

data/ext/openssl/ossl_config.c

@@ -9,81 +9,452 @@
  */
 #include "ossl.h"
 
+static VALUE cConfig, eConfigError;
+
+static void
+nconf_free(void *conf)
+{
+    NCONF_free(conf);
+}
+
+static const rb_data_type_t ossl_config_type = {
+    "OpenSSL/CONF",
+    {
+        0, nconf_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+};
+
+CONF *
+GetConfig(VALUE obj)
+{
+    CONF *conf;
+
+    TypedData_Get_Struct(obj, CONF, &ossl_config_type, conf);
+    if (!conf)
+        rb_raise(rb_eRuntimeError, "CONF is not initialized");
+    return conf;
+}
+
+static VALUE
+config_s_alloc(VALUE klass)
+{
+    VALUE obj;
+    CONF *conf;
+
+    obj = TypedData_Wrap_Struct(klass, &ossl_config_type, 0);
+    conf = NCONF_new(NULL);
+    if (!conf)
+        ossl_raise(eConfigError, "NCONF_new");
+    RTYPEDDATA_DATA(obj) = conf;
+    return obj;
+}
+
+static void
+config_load_bio(CONF *conf, BIO *bio)
+{
+    long eline = -1;
+
+    if (!NCONF_load_bio(conf, bio, &eline)) {
+        BIO_free(bio);
+        if (eline <= 0)
+            ossl_raise(eConfigError, "wrong config format");
+        else
+            ossl_raise(eConfigError, "error in line %ld", eline);
+    }
+    BIO_free(bio);
+
+    /*
+     * Clear the error queue even if it is parsed successfully.
+     * Particularly, when the .include directive refers to a non-existent file,
+     * it is only reported in the error queue.
+     */
+    ossl_clear_error();
+}
 
 /*
- * Classes
- */
-VALUE cConfig;
-/* Document-class: OpenSSL::ConfigError
+ * call-seq:
+ *    Config.parse(string) -> OpenSSL::Config
  *
- * General error for openssl library configuration files. Including formatting,
- * parsing errors, etc.
+ * Parses a given _string_ as a blob that contains configuration for OpenSSL.
  */
-VALUE eConfigError;
+static VALUE
+config_s_parse(VALUE klass, VALUE str)
+{
+    VALUE obj = config_s_alloc(klass);
+    CONF *conf = GetConfig(obj);
+    BIO *bio;
+
+    bio = ossl_obj2bio(&str);
+    config_load_bio(conf, bio); /* Consumes BIO */
+    return obj;
+}
+
+static VALUE config_get_sections(VALUE self);
+static VALUE config_get_section(VALUE self, VALUE section);
 
 /*
- * Public
+ * call-seq:
+ *    Config.parse_config(io) -> hash
+ *
+ * Parses the configuration data read from _io_ and returns the whole content
+ * as a Hash.
  */
+static VALUE
+config_s_parse_config(VALUE klass, VALUE io)
+{
+    VALUE obj, sections, ret;
+    long i;
+
+    obj = config_s_parse(klass, io);
+    sections = config_get_sections(obj);
+    ret = rb_hash_new();
+    for (i = 0; i < RARRAY_LEN(sections); i++) {
+        VALUE section = rb_ary_entry(sections, i);
+        rb_hash_aset(ret, section, config_get_section(obj, section));
+    }
+    return ret;
+}
 
 /*
- * DupConfigPtr is a public C-level function for getting OpenSSL CONF struct
- * from an OpenSSL::Config(eConfig) instance.  We decided to implement
- * OpenSSL::Config in Ruby level but we need to pass native CONF struct for
- * some OpenSSL features such as X509V3_EXT_*.
+ * call-seq:
+ *    Config.new(filename) -> OpenSSL::Config
+ *
+ * Creates an instance of OpenSSL::Config from the content of the file
+ * specified by _filename_.
+ *
+ * This can be used in contexts like OpenSSL::X509::ExtensionFactory.config=
+ *
+ * This can raise IO exceptions based on the access, or availability of the
+ * file. A ConfigError exception may be raised depending on the validity of
+ * the data being configured.
  */
-CONF *
-DupConfigPtr(VALUE obj)
+static VALUE
+config_initialize(int argc, VALUE *argv, VALUE self)
 {
-    CONF *conf;
+    CONF *conf = GetConfig(self);
+    VALUE filename;
+
+    /* 0-arguments call has no use-case, but is kept for compatibility */
+    rb_scan_args(argc, argv, "01", &filename);
+    rb_check_frozen(self);
+    if (!NIL_P(filename)) {
+        BIO *bio = BIO_new_file(StringValueCStr(filename), "rb");
+        if (!bio)
+            ossl_raise(eConfigError, "BIO_new_file");
+        config_load_bio(conf, bio); /* Consumes BIO */
+    }
+    return self;
+}
+
+static VALUE
+config_initialize_copy(VALUE self, VALUE other)
+{
+    CONF *conf = GetConfig(self);
     VALUE str;
     BIO *bio;
-    long eline = -1;
 
-    OSSL_Check_Kind(obj, cConfig);
-    str = rb_funcall(obj, rb_intern("to_s"), 0);
+    str = rb_funcall(other, rb_intern("to_s"), 0);
+    rb_check_frozen(self);
     bio = ossl_obj2bio(&str);
-    conf = NCONF_new(NULL);
-    if(!conf){
-	BIO_free(bio);
-	ossl_raise(eConfigError, NULL);
+    config_load_bio(conf, bio); /* Consumes BIO */
+    return self;
+}
+
+/*
+ * call-seq:
+ *    config.get_value(section, key) -> string
+ *
+ * Gets the value of _key_ from the given _section_.
+ *
+ * Given the following configurating file being loaded:
+ *
+ *   config = OpenSSL::Config.load('foo.cnf')
+ *     #=> #<OpenSSL::Config sections=["default"]>
+ *   puts config.to_s
+ *     #=> [ default ]
+ *     #   foo=bar
+ *
+ * You can get a specific value from the config if you know the _section_
+ * and _key_ like so:
+ *
+ *   config.get_value('default','foo')
+ *     #=> "bar"
+ */
+static VALUE
+config_get_value(VALUE self, VALUE section, VALUE key)
+{
+    CONF *conf = GetConfig(self);
+    const char *str, *sectionp;
+
+    StringValueCStr(section);
+    StringValueCStr(key);
+    /* For compatibility; NULL means "default". */
+    sectionp = RSTRING_LEN(section) ? RSTRING_PTR(section) : NULL;
+    str = NCONF_get_string(conf, sectionp, RSTRING_PTR(key));
+    if (!str) {
+        ossl_clear_error();
+        return Qnil;
+    }
+    return rb_str_new_cstr(str);
+}
+
+/*
+ * call-seq:
+ *    config[section] -> hash
+ *
+ * Gets all key-value pairs in a specific _section_ from the current
+ * configuration.
+ *
+ * Given the following configurating file being loaded:
+ *
+ *   config = OpenSSL::Config.load('foo.cnf')
+ *     #=> #<OpenSSL::Config sections=["default"]>
+ *   puts config.to_s
+ *     #=> [ default ]
+ *     #   foo=bar
+ *
+ * You can get a hash of the specific section like so:
+ *
+ *   config['default']
+ *     #=> {"foo"=>"bar"}
+ *
+ */
+static VALUE
+config_get_section(VALUE self, VALUE section)
+{
+    CONF *conf = GetConfig(self);
+    STACK_OF(CONF_VALUE) *sk;
+    int i, entries;
+    VALUE hash;
+
+    hash = rb_hash_new();
+    StringValueCStr(section);
+    if (!(sk = NCONF_get_section(conf, RSTRING_PTR(section)))) {
+        ossl_clear_error();
+        return hash;
     }
-    if(!NCONF_load_bio(conf, bio, &eline)){
-	BIO_free(bio);
-	NCONF_free(conf);
-	if (eline <= 0)
-	    ossl_raise(eConfigError, "wrong config format");
-	else
-	    ossl_raise(eConfigError, "error in line %d", eline);
+    entries = sk_CONF_VALUE_num(sk);
+    for (i = 0; i < entries; i++) {
+        CONF_VALUE *entry = sk_CONF_VALUE_value(sk, i);
+        rb_hash_aset(hash, rb_str_new_cstr(entry->name),
+                     rb_str_new_cstr(entry->value));
     }
-    BIO_free(bio);
+    return hash;
+}
 
-    return conf;
+static void
+get_conf_section_doall_arg(CONF_VALUE *cv, VALUE *aryp)
+{
+    if (cv->name)
+        return;
+    rb_ary_push(*aryp, rb_str_new_cstr(cv->section));
 }
 
-/* Document-const: DEFAULT_CONFIG_FILE
+/* IMPLEMENT_LHASH_DOALL_ARG_CONST() requires >= OpenSSL 1.1.0 */
+static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE, VALUE)
+
+/*
+ * call-seq:
+ *    config.sections -> array of string
  *
- * The default system configuration file for openssl
+ * Get the names of all sections in the current configuration.
  */
+static VALUE
+config_get_sections(VALUE self)
+{
+    CONF *conf = GetConfig(self);
+    VALUE ary;
+
+    ary = rb_ary_new();
+    lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(get_conf_section),
+                 &ary);
+    return ary;
+}
+
+static void
+dump_conf_value_doall_arg(CONF_VALUE *cv, VALUE *strp)
+{
+    VALUE str = *strp;
+    STACK_OF(CONF_VALUE) *sk;
+    int i, num;
+
+    if (cv->name)
+        return;
+    sk = (STACK_OF(CONF_VALUE) *)cv->value;
+    num = sk_CONF_VALUE_num(sk);
+    rb_str_cat_cstr(str, "[ ");
+    rb_str_cat_cstr(str, cv->section);
+    rb_str_cat_cstr(str, " ]\n");
+    for (i = 0; i < num; i++){
+        CONF_VALUE *v = sk_CONF_VALUE_value(sk, i);
+        rb_str_cat_cstr(str, v->name ? v->name : "None");
+        rb_str_cat_cstr(str, "=");
+        rb_str_cat_cstr(str, v->value ? v->value : "None");
+        rb_str_cat_cstr(str, "\n");
+    }
+    rb_str_cat_cstr(str, "\n");
+}
+
+static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE, VALUE)
 
 /*
- * INIT
+ * call-seq:
+ *    config.to_s -> string
+ *
+ *
+ * Gets the parsable form of the current configuration.
+ *
+ * Given the following configuration being created:
+ *
+ *   config = OpenSSL::Config.new
+ *     #=> #<OpenSSL::Config sections=[]>
+ *   config['default'] = {"foo"=>"bar","baz"=>"buz"}
+ *     #=> {"foo"=>"bar", "baz"=>"buz"}
+ *   puts config.to_s
+ *     #=> [ default ]
+ *     #   foo=bar
+ *     #   baz=buz
+ *
+ * You can parse get the serialized configuration using #to_s and then parse
+ * it later:
+ *
+ *   serialized_config = config.to_s
+ *   # much later...
+ *   new_config = OpenSSL::Config.parse(serialized_config)
+ *     #=> #<OpenSSL::Config sections=["default"]>
+ *   puts new_config
+ *     #=> [ default ]
+ *         foo=bar
+ *         baz=buz
  */
+static VALUE
+config_to_s(VALUE self)
+{
+    CONF *conf = GetConfig(self);
+    VALUE str;
+
+    str = rb_str_new(NULL, 0);
+    lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(dump_conf_value),
+                 &str);
+    return str;
+}
+
+static void
+each_conf_value_doall_arg(CONF_VALUE *cv, void *unused)
+{
+    STACK_OF(CONF_VALUE) *sk;
+    VALUE section;
+    int i, num;
+
+    if (cv->name)
+        return;
+    sk = (STACK_OF(CONF_VALUE) *)cv->value;
+    num = sk_CONF_VALUE_num(sk);
+    section = rb_str_new_cstr(cv->section);
+    for (i = 0; i < num; i++){
+        CONF_VALUE *v = sk_CONF_VALUE_value(sk, i);
+        VALUE name = v->name ? rb_str_new_cstr(v->name) : Qnil;
+        VALUE value = v->value ? rb_str_new_cstr(v->value) : Qnil;
+        rb_yield(rb_ary_new3(3, section, name, value));
+    }
+}
+
+static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE, void)
+
+/*
+ * call-seq:
+ *    config.each { |section, key, value| }
+ *
+ * Retrieves the section and its pairs for the current configuration.
+ *
+ *    config.each do |section, key, value|
+ *      # ...
+ *    end
+ */
+static VALUE
+config_each(VALUE self)
+{
+    CONF *conf = GetConfig(self);
+
+    RETURN_ENUMERATOR(self, 0, 0);
+
+    lh_doall_arg((_LHASH *)conf->data, LHASH_DOALL_ARG_FN(each_conf_value),
+                 NULL);
+    return self;
+}
+
+/*
+ * call-seq:
+ *    config.inspect -> string
+ *
+ * String representation of this configuration object, including the class
+ * name and its sections.
+ */
+static VALUE
+config_inspect(VALUE self)
+{
+    VALUE str, ary = config_get_sections(self);
+    const char *cname = rb_class2name(rb_obj_class(self));
+
+    str = rb_str_new_cstr("#<");
+    rb_str_cat_cstr(str, cname);
+    rb_str_cat_cstr(str, " sections=");
+    rb_str_append(str, rb_inspect(ary));
+    rb_str_cat_cstr(str, ">");
+
+    return str;
+}
+
 void
 Init_ossl_config(void)
 {
-    char *default_config_file;
+    char *path;
+    VALUE path_str;
 
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
 #endif
 
-    eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
+    /* Document-class: OpenSSL::Config
+     *
+     * Configuration for the openssl library.
+     *
+     * Many system's installation of openssl library will depend on your system
+     * configuration. See the value of OpenSSL::Config::DEFAULT_CONFIG_FILE for
+     * the location of the file for your host.
+     *
+     * See also http://www.openssl.org/docs/apps/config.html
+     */
     cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject);
 
-    default_config_file = CONF_get1_default_config_file();
-    rb_define_const(cConfig, "DEFAULT_CONFIG_FILE",
-		    rb_str_new2(default_config_file));
-    OPENSSL_free(default_config_file);
-    /* methods are defined by openssl/config.rb */
+    /* Document-class: OpenSSL::ConfigError
+     *
+     * General error for openssl library configuration files. Including formatting,
+     * parsing errors, etc.
+     */
+    eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
+
+    rb_include_module(cConfig, rb_mEnumerable);
+    rb_define_singleton_method(cConfig, "parse", config_s_parse, 1);
+    rb_define_singleton_method(cConfig, "parse_config", config_s_parse_config, 1);
+    rb_define_alias(CLASS_OF(cConfig), "load", "new");
+    rb_define_alloc_func(cConfig, config_s_alloc);
+    rb_define_method(cConfig, "initialize", config_initialize, -1);
+    rb_define_method(cConfig, "initialize_copy", config_initialize_copy, 1);
+    rb_define_method(cConfig, "get_value", config_get_value, 2);
+    rb_define_method(cConfig, "[]", config_get_section, 1);
+    rb_define_method(cConfig, "sections", config_get_sections, 0);
+    rb_define_method(cConfig, "to_s", config_to_s, 0);
+    rb_define_method(cConfig, "each", config_each, 0);
+    rb_define_method(cConfig, "inspect", config_inspect, 0);
+
+    /* Document-const: DEFAULT_CONFIG_FILE
+     *
+     * The default system configuration file for OpenSSL.
+     */
+    path = CONF_get1_default_config_file();
+    path_str = ossl_buf2str(path, rb_long2int(strlen(path)));
+    rb_define_const(cConfig, "DEFAULT_CONFIG_FILE", path_str);
 }

data/ext/openssl/ossl_config.h

@@ -7,13 +7,10 @@
  * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
-#if !defined(_OSSL_CONFIG_H_)
-#define _OSSL_CONFIG_H_
+#ifndef OSSL_CONFIG_H
+#define OSSL_CONFIG_H
 
-extern VALUE cConfig;
-extern VALUE eConfigError;
-
-CONF* DupConfigPtr(VALUE obj);
+CONF *GetConfig(VALUE obj);
 void Init_ossl_config(void);
 
-#endif /* _OSSL_CONFIG_H_ */
+#endif /* OSSL_CONFIG_H */

data/ext/openssl/ossl_digest.c

@@ -35,7 +35,7 @@ static const rb_data_type_t ossl_digest_type = {
     {
 	0, ossl_digest_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
 /*
@@ -63,7 +63,7 @@ ossl_evp_get_digestbyname(VALUE obj)
 
         GetDigest(obj, ctx);
 
-        md = EVP_MD_CTX_md(ctx);
+        md = EVP_MD_CTX_get0_md(ctx);
     }
 
     return md;
@@ -176,7 +176,7 @@ ossl_digest_reset(VALUE self)
     EVP_MD_CTX *ctx;
 
     GetDigest(self, ctx);
-    if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
+    if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) {
 	ossl_raise(eDigestError, "Digest initialization failed.");
     }
 
@@ -259,7 +259,7 @@ ossl_digest_name(VALUE self)
 
     GetDigest(self, ctx);
 
-    return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx)));
+    return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx)));
 }
 
 /*
@@ -313,8 +313,6 @@ ossl_digest_block_length(VALUE self)
 void
 Init_ossl_digest(void)
 {
-    rb_require("digest");
-
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
@@ -372,15 +370,15 @@ Init_ossl_digest(void)
      *
      * === Hashing a file
      *
-     *   data = File.read('document')
+     *   data = File.binread('document')
      *   sha256 = OpenSSL::Digest.new('SHA256')
      *   digest = sha256.digest(data)
      *
      * === Hashing several pieces of data at once
      *
-     *   data1 = File.read('file1')
-     *   data2 = File.read('file2')
-     *   data3 = File.read('file3')
+     *   data1 = File.binread('file1')
+     *   data2 = File.binread('file2')
+     *   data3 = File.binread('file3')
      *   sha256 = OpenSSL::Digest.new('SHA256')
      *   sha256 << data1
      *   sha256 << data2
@@ -389,15 +387,21 @@ Init_ossl_digest(void)
      *
      * === Reuse a Digest instance
      *
-     *   data1 = File.read('file1')
+     *   data1 = File.binread('file1')
      *   sha256 = OpenSSL::Digest.new('SHA256')
      *   digest1 = sha256.digest(data1)
      *
-     *   data2 = File.read('file2')
+     *   data2 = File.binread('file2')
      *   sha256.reset
      *   digest2 = sha256.digest(data2)
      *
      */
+
+    /*
+     * Digest::Class is defined by the digest library. rb_require() cannot be
+     * used here because it bypasses RubyGems.
+     */
+    rb_funcall(Qnil, rb_intern_const("require"), 1, rb_str_new_cstr("digest"));
     cDigest = rb_define_class_under(mOSSL, "Digest", rb_path2class("Digest::Class"));
     /* Document-class: OpenSSL::Digest::DigestError
      *