openssl 3.0.2 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +1 -1
- data/History.md +36 -0
- data/ext/openssl/extconf.rb +54 -47
- data/ext/openssl/ossl.h +6 -0
- data/ext/openssl/ossl_asn1.c +11 -10
- data/ext/openssl/ossl_bn.c +24 -12
- data/ext/openssl/ossl_cipher.c +1 -2
- data/ext/openssl/ossl_kdf.c +3 -3
- data/ext/openssl/ossl_ocsp.c +2 -2
- data/ext/openssl/ossl_pkey.c +2 -2
- data/ext/openssl/ossl_pkey.h +1 -1
- data/ext/openssl/ossl_pkey_dh.c +6 -6
- data/ext/openssl/ossl_pkey_dsa.c +7 -7
- data/ext/openssl/ossl_pkey_ec.c +7 -7
- data/ext/openssl/ossl_pkey_rsa.c +6 -6
- data/ext/openssl/ossl_ssl.c +211 -50
- data/ext/openssl/ossl_ssl_session.c +4 -0
- data/lib/openssl/pkey.rb +8 -4
- data/lib/openssl/ssl.rb +5 -0
- data/lib/openssl/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 239c530562472710697b8da573b8aa64b477c02f5895907220e83e9f09c88fec
|
4
|
+
data.tar.gz: 62f2d04df3f693b995bf29be9d299c9f916f44a82b5bc5df60e9f46a748990d8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 05f891730a9dea150a2cecedb8decbf7f7dbb500cc825226a635fce8ca195a2dbf036de38dbdb7462cbb18e2e3c8aca337c1e1d9d021a94bbc444312dcf26568
|
7
|
+
data.tar.gz: 4cff09ce02fc107422829ca552c97cf912f2b5f129c87e37137b153fd2c09d9a231493af7ce32f391c32828b3ffc64bf905adf6a1e3fad943e78ca81048a4f96
|
data/CONTRIBUTING.md
CHANGED
@@ -17,7 +17,7 @@ When reporting a bug, please make sure you include:
|
|
17
17
|
* Ruby version (`ruby -v`)
|
18
18
|
* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
|
19
19
|
* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
|
20
|
-
* A sample file that illustrates the problem or link to the repository or
|
20
|
+
* A sample file that illustrates the problem or link to the repository or
|
21
21
|
gem that is associated with the bug.
|
22
22
|
|
23
23
|
There are a number of unresolved issues and feature requests for openssl that
|
data/History.md
CHANGED
@@ -1,3 +1,39 @@
|
|
1
|
+
Version 3.1.0
|
2
|
+
=============
|
3
|
+
|
4
|
+
Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
|
5
|
+
|
6
|
+
Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
|
7
|
+
|
8
|
+
Notable changes
|
9
|
+
---------------
|
10
|
+
|
11
|
+
* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
|
12
|
+
suites.
|
13
|
+
[[GitHub #493]](https://github.com/ruby/openssl/pull/493)
|
14
|
+
* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
|
15
|
+
material of the session, as defined in RFC 5705.
|
16
|
+
[[GitHub #530]](https://github.com/ruby/openssl/pull/530)
|
17
|
+
* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
|
18
|
+
callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
|
19
|
+
[[GitHub #536]](https://github.com/ruby/openssl/pull/536)
|
20
|
+
* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
|
21
|
+
and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
|
22
|
+
methods used to be equivalent of specifying SHA-1. This default value is now
|
23
|
+
removed and we will let the underlying OpenSSL library decide instead.
|
24
|
+
[[GitHub #507]](https://github.com/ruby/openssl/pull/507)
|
25
|
+
* Add `OpenSSL::BN#mod_sqrt`.
|
26
|
+
[[GitHub #553]](https://github.com/ruby/openssl/pull/553)
|
27
|
+
* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
|
28
|
+
prohibited to workaround an ancient bug in OpenSSL.
|
29
|
+
[[GitHub #568]](https://github.com/ruby/openssl/pull/568)
|
30
|
+
* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
|
31
|
+
will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
|
32
|
+
[[GitHub #558]](https://github.com/ruby/openssl/pull/558)
|
33
|
+
* Improve support for recent LibreSSL versions. This includes HKDF support in
|
34
|
+
LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
|
35
|
+
|
36
|
+
|
1
37
|
Version 3.0.2
|
2
38
|
=============
|
3
39
|
|
data/ext/openssl/extconf.rb
CHANGED
@@ -25,8 +25,9 @@ Logging::message "=== OpenSSL for Ruby configurator ===\n"
|
|
25
25
|
if with_config("debug") or enable_config("debug")
|
26
26
|
$defs.push("-DOSSL_DEBUG")
|
27
27
|
end
|
28
|
+
$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
|
28
29
|
|
29
|
-
have_func("rb_io_maybe_wait") # Ruby 3.1
|
30
|
+
have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
|
30
31
|
|
31
32
|
Logging::message "=== Checking for system dependent stuff... ===\n"
|
32
33
|
have_library("nsl", "t_open")
|
@@ -120,8 +121,13 @@ if is_libressl && ($mswin || $mingw)
|
|
120
121
|
end
|
121
122
|
|
122
123
|
Logging::message "=== Checking for OpenSSL features... ===\n"
|
124
|
+
evp_h = "openssl/evp.h".freeze
|
125
|
+
x509_h = "openssl/x509.h".freeze
|
126
|
+
ts_h = "openssl/ts.h".freeze
|
127
|
+
ssl_h = "openssl/ssl.h".freeze
|
128
|
+
|
123
129
|
# compile options
|
124
|
-
have_func("RAND_egd")
|
130
|
+
have_func("RAND_egd()", "openssl/rand.h")
|
125
131
|
engines = %w{dynamic 4758cca aep atalla chil
|
126
132
|
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
|
127
133
|
engines.each { |name|
|
@@ -132,55 +138,56 @@ engines.each { |name|
|
|
132
138
|
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
|
133
139
|
$defs.push("-DHAVE_OPAQUE_OPENSSL")
|
134
140
|
end
|
135
|
-
have_func("EVP_MD_CTX_new")
|
136
|
-
have_func("EVP_MD_CTX_free")
|
137
|
-
have_func("EVP_MD_CTX_pkey_ctx")
|
138
|
-
have_func("X509_STORE_get_ex_data")
|
139
|
-
have_func("X509_STORE_set_ex_data")
|
140
|
-
have_func("X509_STORE_get_ex_new_index")
|
141
|
-
have_func("X509_CRL_get0_signature")
|
142
|
-
have_func("X509_REQ_get0_signature")
|
143
|
-
have_func("X509_REVOKED_get0_serialNumber")
|
144
|
-
have_func("X509_REVOKED_get0_revocationDate")
|
145
|
-
have_func("X509_get0_tbs_sigalg")
|
146
|
-
have_func("X509_STORE_CTX_get0_untrusted")
|
147
|
-
have_func("X509_STORE_CTX_get0_cert")
|
148
|
-
have_func("X509_STORE_CTX_get0_chain")
|
149
|
-
have_func("OCSP_SINGLERESP_get0_id")
|
150
|
-
have_func("SSL_CTX_get_ciphers")
|
151
|
-
have_func("X509_up_ref")
|
152
|
-
have_func("X509_CRL_up_ref")
|
153
|
-
have_func("X509_STORE_up_ref")
|
154
|
-
have_func("SSL_SESSION_up_ref")
|
155
|
-
have_func("EVP_PKEY_up_ref")
|
156
|
-
have_func("SSL_CTX_set_min_proto_version(NULL, 0)",
|
157
|
-
have_func("SSL_CTX_get_security_level")
|
158
|
-
have_func("X509_get0_notBefore")
|
159
|
-
have_func("SSL_SESSION_get_protocol_version")
|
160
|
-
have_func("TS_STATUS_INFO_get0_status")
|
161
|
-
have_func("TS_STATUS_INFO_get0_text")
|
162
|
-
have_func("TS_STATUS_INFO_get0_failure_info")
|
163
|
-
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)",
|
164
|
-
have_func("TS_VERIFY_CTX_set_store")
|
165
|
-
have_func("TS_VERIFY_CTX_add_flags")
|
166
|
-
have_func("TS_RESP_CTX_set_time_cb")
|
167
|
-
have_func("EVP_PBE_scrypt")
|
168
|
-
have_func("SSL_CTX_set_post_handshake_auth")
|
141
|
+
have_func("EVP_MD_CTX_new()", evp_h)
|
142
|
+
have_func("EVP_MD_CTX_free(NULL)", evp_h)
|
143
|
+
have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
|
144
|
+
have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
|
145
|
+
have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
|
146
|
+
have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
|
147
|
+
have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
|
148
|
+
have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
|
149
|
+
have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
|
150
|
+
have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
|
151
|
+
have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
|
152
|
+
have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
|
153
|
+
have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
|
154
|
+
have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
|
155
|
+
have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
|
156
|
+
have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
|
157
|
+
have_func("X509_up_ref(NULL)", x509_h)
|
158
|
+
have_func("X509_CRL_up_ref(NULL)", x509_h)
|
159
|
+
have_func("X509_STORE_up_ref(NULL)", x509_h)
|
160
|
+
have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
|
161
|
+
have_func("EVP_PKEY_up_ref(NULL)", evp_h)
|
162
|
+
have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
|
163
|
+
have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
|
164
|
+
have_func("X509_get0_notBefore(NULL)", x509_h)
|
165
|
+
have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
|
166
|
+
have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
|
167
|
+
have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
|
168
|
+
have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
|
169
|
+
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
|
170
|
+
have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
|
171
|
+
have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
|
172
|
+
have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
|
173
|
+
have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
|
174
|
+
have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
|
169
175
|
|
170
176
|
# added in 1.1.1
|
171
|
-
have_func("EVP_PKEY_check")
|
172
|
-
have_func("EVP_PKEY_new_raw_private_key")
|
177
|
+
have_func("EVP_PKEY_check(NULL)", evp_h)
|
178
|
+
have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
|
179
|
+
have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
|
173
180
|
|
174
181
|
# added in 3.0.0
|
175
|
-
have_func("SSL_set0_tmp_dh_pkey")
|
176
|
-
have_func("ERR_get_error_all")
|
177
|
-
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)",
|
178
|
-
have_func("SSL_CTX_load_verify_file")
|
179
|
-
have_func("BN_check_prime")
|
180
|
-
have_func("EVP_MD_CTX_get0_md")
|
181
|
-
have_func("EVP_MD_CTX_get_pkey_ctx")
|
182
|
-
have_func("EVP_PKEY_eq")
|
183
|
-
have_func("EVP_PKEY_dup")
|
182
|
+
have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
|
183
|
+
have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
|
184
|
+
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
|
185
|
+
have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
|
186
|
+
have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
|
187
|
+
have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
|
188
|
+
have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
|
189
|
+
have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
|
190
|
+
have_func("EVP_PKEY_dup(NULL)", evp_h)
|
184
191
|
|
185
192
|
Logging::message "=== Checking done. ===\n"
|
186
193
|
|
data/ext/openssl/ossl.h
CHANGED
@@ -52,6 +52,12 @@
|
|
52
52
|
(LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
|
53
53
|
#endif
|
54
54
|
|
55
|
+
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
56
|
+
# define OSSL_3_const const
|
57
|
+
#else
|
58
|
+
# define OSSL_3_const /* const */
|
59
|
+
#endif
|
60
|
+
|
55
61
|
#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
56
62
|
# define OSSL_USE_ENGINE
|
57
63
|
#endif
|
data/ext/openssl/ossl_asn1.c
CHANGED
@@ -509,7 +509,8 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
509
509
|
ASN1_TYPE *ret;
|
510
510
|
VALUE value, rflag;
|
511
511
|
void *ptr;
|
512
|
-
void (*
|
512
|
+
typedef void free_func_type(void *);
|
513
|
+
free_func_type *free_func;
|
513
514
|
int tag;
|
514
515
|
|
515
516
|
tag = ossl_asn1_default_tag(obj);
|
@@ -522,16 +523,16 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
522
523
|
case V_ASN1_INTEGER: /* FALLTHROUGH */
|
523
524
|
case V_ASN1_ENUMERATED:
|
524
525
|
ptr = obj_to_asn1int(value);
|
525
|
-
free_func = ASN1_INTEGER_free;
|
526
|
+
free_func = (free_func_type *)ASN1_INTEGER_free;
|
526
527
|
break;
|
527
528
|
case V_ASN1_BIT_STRING:
|
528
529
|
rflag = rb_attr_get(obj, sivUNUSED_BITS);
|
529
530
|
ptr = obj_to_asn1bstr(value, NUM2INT(rflag));
|
530
|
-
free_func = ASN1_BIT_STRING_free;
|
531
|
+
free_func = (free_func_type *)ASN1_BIT_STRING_free;
|
531
532
|
break;
|
532
533
|
case V_ASN1_NULL:
|
533
534
|
ptr = obj_to_asn1null(value);
|
534
|
-
free_func = ASN1_NULL_free;
|
535
|
+
free_func = (free_func_type *)ASN1_NULL_free;
|
535
536
|
break;
|
536
537
|
case V_ASN1_OCTET_STRING: /* FALLTHROUGH */
|
537
538
|
case V_ASN1_UTF8STRING: /* FALLTHROUGH */
|
@@ -546,24 +547,24 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
546
547
|
case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
|
547
548
|
case V_ASN1_BMPSTRING:
|
548
549
|
ptr = obj_to_asn1str(value);
|
549
|
-
free_func = ASN1_STRING_free;
|
550
|
+
free_func = (free_func_type *)ASN1_STRING_free;
|
550
551
|
break;
|
551
552
|
case V_ASN1_OBJECT:
|
552
553
|
ptr = obj_to_asn1obj(value);
|
553
|
-
free_func = ASN1_OBJECT_free;
|
554
|
+
free_func = (free_func_type *)ASN1_OBJECT_free;
|
554
555
|
break;
|
555
556
|
case V_ASN1_UTCTIME:
|
556
557
|
ptr = obj_to_asn1utime(value);
|
557
|
-
free_func = ASN1_TIME_free;
|
558
|
+
free_func = (free_func_type *)ASN1_TIME_free;
|
558
559
|
break;
|
559
560
|
case V_ASN1_GENERALIZEDTIME:
|
560
561
|
ptr = obj_to_asn1gtime(value);
|
561
|
-
free_func = ASN1_TIME_free;
|
562
|
+
free_func = (free_func_type *)ASN1_TIME_free;
|
562
563
|
break;
|
563
564
|
case V_ASN1_SET: /* FALLTHROUGH */
|
564
565
|
case V_ASN1_SEQUENCE:
|
565
566
|
ptr = obj_to_asn1derstr(obj);
|
566
|
-
free_func = ASN1_STRING_free;
|
567
|
+
free_func = (free_func_type *)ASN1_STRING_free;
|
567
568
|
break;
|
568
569
|
default:
|
569
570
|
ossl_raise(eASN1Error, "unsupported ASN.1 type");
|
@@ -1522,7 +1523,7 @@ Init_ossl_asn1(void)
|
|
1522
1523
|
*
|
1523
1524
|
* An Array that stores the name of a given tag number. These names are
|
1524
1525
|
* the same as the name of the tag constant that is additionally defined,
|
1525
|
-
* e.g.
|
1526
|
+
* e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
|
1526
1527
|
*
|
1527
1528
|
* == Example usage
|
1528
1529
|
*
|
data/ext/openssl/ossl_bn.c
CHANGED
@@ -577,22 +577,33 @@ BIGNUM_2c(gcd)
|
|
577
577
|
*/
|
578
578
|
BIGNUM_2c(mod_sqr)
|
579
579
|
|
580
|
+
#define BIGNUM_2cr(func) \
|
581
|
+
static VALUE \
|
582
|
+
ossl_bn_##func(VALUE self, VALUE other) \
|
583
|
+
{ \
|
584
|
+
BIGNUM *bn1, *bn2 = GetBNPtr(other), *result; \
|
585
|
+
VALUE obj; \
|
586
|
+
GetBN(self, bn1); \
|
587
|
+
obj = NewBN(rb_obj_class(self)); \
|
588
|
+
if (!(result = BN_##func(NULL, bn1, bn2, ossl_bn_ctx))) \
|
589
|
+
ossl_raise(eBNError, NULL); \
|
590
|
+
SetBN(obj, result); \
|
591
|
+
return obj; \
|
592
|
+
}
|
593
|
+
|
580
594
|
/*
|
595
|
+
* Document-method: OpenSSL::BN#mod_sqrt
|
596
|
+
* call-seq:
|
597
|
+
* bn.mod_sqrt(bn2) => aBN
|
598
|
+
*/
|
599
|
+
BIGNUM_2cr(mod_sqrt)
|
600
|
+
|
601
|
+
/*
|
602
|
+
* Document-method: OpenSSL::BN#mod_inverse
|
581
603
|
* call-seq:
|
582
604
|
* bn.mod_inverse(bn2) => aBN
|
583
605
|
*/
|
584
|
-
|
585
|
-
ossl_bn_mod_inverse(VALUE self, VALUE other)
|
586
|
-
{
|
587
|
-
BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
|
588
|
-
VALUE obj;
|
589
|
-
GetBN(self, bn1);
|
590
|
-
obj = NewBN(rb_obj_class(self));
|
591
|
-
if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
|
592
|
-
ossl_raise(eBNError, "BN_mod_inverse");
|
593
|
-
SetBN(obj, result);
|
594
|
-
return obj;
|
595
|
-
}
|
606
|
+
BIGNUM_2cr(mod_inverse)
|
596
607
|
|
597
608
|
/*
|
598
609
|
* call-seq:
|
@@ -1234,6 +1245,7 @@ Init_ossl_bn(void)
|
|
1234
1245
|
rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);
|
1235
1246
|
rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);
|
1236
1247
|
rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);
|
1248
|
+
rb_define_method(cBN, "mod_sqrt", ossl_bn_mod_sqrt, 1);
|
1237
1249
|
rb_define_method(cBN, "**", ossl_bn_exp, 1);
|
1238
1250
|
rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);
|
1239
1251
|
rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);
|
data/ext/openssl/ossl_cipher.c
CHANGED
@@ -384,8 +384,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
|
|
384
384
|
|
385
385
|
StringValue(data);
|
386
386
|
in = (unsigned char *)RSTRING_PTR(data);
|
387
|
-
|
388
|
-
ossl_raise(rb_eArgError, "data must not be empty");
|
387
|
+
in_len = RSTRING_LEN(data);
|
389
388
|
GetCipher(self, ctx);
|
390
389
|
out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
|
391
390
|
if (out_len <= 0) {
|
data/ext/openssl/ossl_kdf.c
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
* Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
|
4
4
|
*/
|
5
5
|
#include "ossl.h"
|
6
|
-
#if
|
6
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
7
7
|
# include <openssl/kdf.h>
|
8
8
|
#endif
|
9
9
|
|
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
|
|
141
141
|
}
|
142
142
|
#endif
|
143
143
|
|
144
|
-
#if
|
144
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
145
145
|
/*
|
146
146
|
* call-seq:
|
147
147
|
* KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
|
@@ -305,7 +305,7 @@ Init_ossl_kdf(void)
|
|
305
305
|
#if defined(HAVE_EVP_PBE_SCRYPT)
|
306
306
|
rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
|
307
307
|
#endif
|
308
|
-
#if
|
308
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
309
309
|
rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
|
310
310
|
#endif
|
311
311
|
}
|
data/ext/openssl/ossl_ocsp.c
CHANGED
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
|
|
382
382
|
if (!NIL_P(flags))
|
383
383
|
flg = NUM2INT(flags);
|
384
384
|
if (NIL_P(digest))
|
385
|
-
md =
|
385
|
+
md = NULL;
|
386
386
|
else
|
387
387
|
md = ossl_evp_get_digestbyname(digest);
|
388
388
|
if (NIL_P(certs))
|
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
|
|
1033
1033
|
if (!NIL_P(flags))
|
1034
1034
|
flg = NUM2INT(flags);
|
1035
1035
|
if (NIL_P(digest))
|
1036
|
-
md =
|
1036
|
+
md = NULL;
|
1037
1037
|
else
|
1038
1038
|
md = ossl_evp_get_digestbyname(digest);
|
1039
1039
|
if (NIL_P(certs))
|
data/ext/openssl/ossl_pkey.c
CHANGED
@@ -951,7 +951,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
|
|
951
951
|
rb_jump_tag(state);
|
952
952
|
}
|
953
953
|
}
|
954
|
-
#if
|
954
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
955
955
|
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
|
956
956
|
RSTRING_LEN(data)) < 1) {
|
957
957
|
EVP_MD_CTX_free(ctx);
|
@@ -1056,7 +1056,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
|
|
1056
1056
|
rb_jump_tag(state);
|
1057
1057
|
}
|
1058
1058
|
}
|
1059
|
-
#if
|
1059
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
1060
1060
|
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
|
1061
1061
|
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
|
1062
1062
|
RSTRING_LEN(data));
|
data/ext/openssl/ossl_pkey.h
CHANGED
data/ext/openssl/ossl_pkey_dh.c
CHANGED
@@ -178,7 +178,7 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
|
|
178
178
|
static VALUE
|
179
179
|
ossl_dh_is_public(VALUE self)
|
180
180
|
{
|
181
|
-
DH *dh;
|
181
|
+
OSSL_3_const DH *dh;
|
182
182
|
const BIGNUM *bn;
|
183
183
|
|
184
184
|
GetDH(self, dh);
|
@@ -197,14 +197,14 @@ ossl_dh_is_public(VALUE self)
|
|
197
197
|
static VALUE
|
198
198
|
ossl_dh_is_private(VALUE self)
|
199
199
|
{
|
200
|
-
DH *dh;
|
200
|
+
OSSL_3_const DH *dh;
|
201
201
|
const BIGNUM *bn;
|
202
202
|
|
203
203
|
GetDH(self, dh);
|
204
204
|
DH_get0_key(dh, NULL, &bn);
|
205
205
|
|
206
206
|
#if !defined(OPENSSL_NO_ENGINE)
|
207
|
-
return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
|
207
|
+
return (bn || DH_get0_engine((DH *)dh)) ? Qtrue : Qfalse;
|
208
208
|
#else
|
209
209
|
return bn ? Qtrue : Qfalse;
|
210
210
|
#endif
|
@@ -223,7 +223,7 @@ ossl_dh_is_private(VALUE self)
|
|
223
223
|
static VALUE
|
224
224
|
ossl_dh_export(VALUE self)
|
225
225
|
{
|
226
|
-
DH *dh;
|
226
|
+
OSSL_3_const DH *dh;
|
227
227
|
BIO *out;
|
228
228
|
VALUE str;
|
229
229
|
|
@@ -252,7 +252,7 @@ ossl_dh_export(VALUE self)
|
|
252
252
|
static VALUE
|
253
253
|
ossl_dh_to_der(VALUE self)
|
254
254
|
{
|
255
|
-
DH *dh;
|
255
|
+
OSSL_3_const DH *dh;
|
256
256
|
unsigned char *p;
|
257
257
|
long len;
|
258
258
|
VALUE str;
|
@@ -280,7 +280,7 @@ ossl_dh_to_der(VALUE self)
|
|
280
280
|
static VALUE
|
281
281
|
ossl_dh_get_params(VALUE self)
|
282
282
|
{
|
283
|
-
DH *dh;
|
283
|
+
OSSL_3_const DH *dh;
|
284
284
|
VALUE hash;
|
285
285
|
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
|
286
286
|
|
data/ext/openssl/ossl_pkey_dsa.c
CHANGED
@@ -24,7 +24,7 @@
|
|
24
24
|
} while (0)
|
25
25
|
|
26
26
|
static inline int
|
27
|
-
DSA_HAS_PRIVATE(DSA *dsa)
|
27
|
+
DSA_HAS_PRIVATE(OSSL_3_const DSA *dsa)
|
28
28
|
{
|
29
29
|
const BIGNUM *bn;
|
30
30
|
DSA_get0_key(dsa, NULL, &bn);
|
@@ -32,7 +32,7 @@ DSA_HAS_PRIVATE(DSA *dsa)
|
|
32
32
|
}
|
33
33
|
|
34
34
|
static inline int
|
35
|
-
DSA_PRIVATE(VALUE obj, DSA *dsa)
|
35
|
+
DSA_PRIVATE(VALUE obj, OSSL_3_const DSA *dsa)
|
36
36
|
{
|
37
37
|
return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
|
38
38
|
}
|
@@ -179,7 +179,7 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
|
|
179
179
|
static VALUE
|
180
180
|
ossl_dsa_is_public(VALUE self)
|
181
181
|
{
|
182
|
-
DSA *dsa;
|
182
|
+
const DSA *dsa;
|
183
183
|
const BIGNUM *bn;
|
184
184
|
|
185
185
|
GetDSA(self, dsa);
|
@@ -198,7 +198,7 @@ ossl_dsa_is_public(VALUE self)
|
|
198
198
|
static VALUE
|
199
199
|
ossl_dsa_is_private(VALUE self)
|
200
200
|
{
|
201
|
-
DSA *dsa;
|
201
|
+
OSSL_3_const DSA *dsa;
|
202
202
|
|
203
203
|
GetDSA(self, dsa);
|
204
204
|
|
@@ -225,7 +225,7 @@ ossl_dsa_is_private(VALUE self)
|
|
225
225
|
static VALUE
|
226
226
|
ossl_dsa_export(int argc, VALUE *argv, VALUE self)
|
227
227
|
{
|
228
|
-
DSA *dsa;
|
228
|
+
OSSL_3_const DSA *dsa;
|
229
229
|
|
230
230
|
GetDSA(self, dsa);
|
231
231
|
if (DSA_HAS_PRIVATE(dsa))
|
@@ -244,7 +244,7 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
|
|
244
244
|
static VALUE
|
245
245
|
ossl_dsa_to_der(VALUE self)
|
246
246
|
{
|
247
|
-
DSA *dsa;
|
247
|
+
OSSL_3_const DSA *dsa;
|
248
248
|
|
249
249
|
GetDSA(self, dsa);
|
250
250
|
if (DSA_HAS_PRIVATE(dsa))
|
@@ -265,7 +265,7 @@ ossl_dsa_to_der(VALUE self)
|
|
265
265
|
static VALUE
|
266
266
|
ossl_dsa_get_params(VALUE self)
|
267
267
|
{
|
268
|
-
DSA *dsa;
|
268
|
+
OSSL_3_const DSA *dsa;
|
269
269
|
VALUE hash;
|
270
270
|
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
|
271
271
|
|
data/ext/openssl/ossl_pkey_ec.c
CHANGED
@@ -227,7 +227,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
|
|
227
227
|
static VALUE
|
228
228
|
ossl_ec_key_get_group(VALUE self)
|
229
229
|
{
|
230
|
-
EC_KEY *ec;
|
230
|
+
OSSL_3_const EC_KEY *ec;
|
231
231
|
const EC_GROUP *group;
|
232
232
|
|
233
233
|
GetEC(self, ec);
|
@@ -272,7 +272,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
|
|
272
272
|
*/
|
273
273
|
static VALUE ossl_ec_key_get_private_key(VALUE self)
|
274
274
|
{
|
275
|
-
EC_KEY *ec;
|
275
|
+
OSSL_3_const EC_KEY *ec;
|
276
276
|
const BIGNUM *bn;
|
277
277
|
|
278
278
|
GetEC(self, ec);
|
@@ -323,7 +323,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
|
|
323
323
|
*/
|
324
324
|
static VALUE ossl_ec_key_get_public_key(VALUE self)
|
325
325
|
{
|
326
|
-
EC_KEY *ec;
|
326
|
+
OSSL_3_const EC_KEY *ec;
|
327
327
|
const EC_POINT *point;
|
328
328
|
|
329
329
|
GetEC(self, ec);
|
@@ -375,7 +375,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
|
|
375
375
|
*/
|
376
376
|
static VALUE ossl_ec_key_is_public(VALUE self)
|
377
377
|
{
|
378
|
-
EC_KEY *ec;
|
378
|
+
OSSL_3_const EC_KEY *ec;
|
379
379
|
|
380
380
|
GetEC(self, ec);
|
381
381
|
|
@@ -391,7 +391,7 @@ static VALUE ossl_ec_key_is_public(VALUE self)
|
|
391
391
|
*/
|
392
392
|
static VALUE ossl_ec_key_is_private(VALUE self)
|
393
393
|
{
|
394
|
-
EC_KEY *ec;
|
394
|
+
OSSL_3_const EC_KEY *ec;
|
395
395
|
|
396
396
|
GetEC(self, ec);
|
397
397
|
|
@@ -411,7 +411,7 @@ static VALUE ossl_ec_key_is_private(VALUE self)
|
|
411
411
|
static VALUE
|
412
412
|
ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
|
413
413
|
{
|
414
|
-
EC_KEY *ec;
|
414
|
+
OSSL_3_const EC_KEY *ec;
|
415
415
|
|
416
416
|
GetEC(self, ec);
|
417
417
|
if (EC_KEY_get0_public_key(ec) == NULL)
|
@@ -431,7 +431,7 @@ ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
|
|
431
431
|
static VALUE
|
432
432
|
ossl_ec_key_to_der(VALUE self)
|
433
433
|
{
|
434
|
-
EC_KEY *ec;
|
434
|
+
OSSL_3_const EC_KEY *ec;
|
435
435
|
|
436
436
|
GetEC(self, ec);
|
437
437
|
if (EC_KEY_get0_public_key(ec) == NULL)
|
data/ext/openssl/ossl_pkey_rsa.c
CHANGED
@@ -24,7 +24,7 @@
|
|
24
24
|
} while (0)
|
25
25
|
|
26
26
|
static inline int
|
27
|
-
RSA_HAS_PRIVATE(RSA *rsa)
|
27
|
+
RSA_HAS_PRIVATE(OSSL_3_const RSA *rsa)
|
28
28
|
{
|
29
29
|
const BIGNUM *e, *d;
|
30
30
|
|
@@ -33,7 +33,7 @@ RSA_HAS_PRIVATE(RSA *rsa)
|
|
33
33
|
}
|
34
34
|
|
35
35
|
static inline int
|
36
|
-
RSA_PRIVATE(VALUE obj, RSA *rsa)
|
36
|
+
RSA_PRIVATE(VALUE obj, OSSL_3_const RSA *rsa)
|
37
37
|
{
|
38
38
|
return RSA_HAS_PRIVATE(rsa) || OSSL_PKEY_IS_PRIVATE(obj);
|
39
39
|
}
|
@@ -174,7 +174,7 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
|
|
174
174
|
static VALUE
|
175
175
|
ossl_rsa_is_public(VALUE self)
|
176
176
|
{
|
177
|
-
RSA *rsa;
|
177
|
+
OSSL_3_const RSA *rsa;
|
178
178
|
|
179
179
|
GetRSA(self, rsa);
|
180
180
|
/*
|
@@ -193,7 +193,7 @@ ossl_rsa_is_public(VALUE self)
|
|
193
193
|
static VALUE
|
194
194
|
ossl_rsa_is_private(VALUE self)
|
195
195
|
{
|
196
|
-
RSA *rsa;
|
196
|
+
OSSL_3_const RSA *rsa;
|
197
197
|
|
198
198
|
GetRSA(self, rsa);
|
199
199
|
|
@@ -203,7 +203,7 @@ ossl_rsa_is_private(VALUE self)
|
|
203
203
|
static int
|
204
204
|
can_export_rsaprivatekey(VALUE self)
|
205
205
|
{
|
206
|
-
RSA *rsa;
|
206
|
+
OSSL_3_const RSA *rsa;
|
207
207
|
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
|
208
208
|
|
209
209
|
GetRSA(self, rsa);
|
@@ -453,7 +453,7 @@ ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
|
|
453
453
|
static VALUE
|
454
454
|
ossl_rsa_get_params(VALUE self)
|
455
455
|
{
|
456
|
-
RSA *rsa;
|
456
|
+
OSSL_3_const RSA *rsa;
|
457
457
|
VALUE hash;
|
458
458
|
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
|
459
459
|
|
data/ext/openssl/ossl_ssl.c
CHANGED
@@ -11,11 +11,15 @@
|
|
11
11
|
*/
|
12
12
|
#include "ossl.h"
|
13
13
|
|
14
|
+
#ifndef OPENSSL_NO_SOCK
|
14
15
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
15
16
|
|
17
|
+
#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL
|
18
|
+
# define OSSL_USE_NEXTPROTONEG
|
19
|
+
#endif
|
20
|
+
|
16
21
|
#if !defined(TLS1_3_VERSION) && \
|
17
|
-
|
18
|
-
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
22
|
+
OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
19
23
|
# define TLS1_3_VERSION 0x0304
|
20
24
|
#endif
|
21
25
|
|
@@ -30,7 +34,6 @@
|
|
30
34
|
} while (0)
|
31
35
|
|
32
36
|
VALUE mSSL;
|
33
|
-
static VALUE mSSLExtConfig;
|
34
37
|
static VALUE eSSLError;
|
35
38
|
VALUE cSSLContext;
|
36
39
|
VALUE cSSLSocket;
|
@@ -49,7 +52,7 @@ static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
|
49
52
|
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
50
53
|
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
51
54
|
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
52
|
-
id_i_verify_hostname;
|
55
|
+
id_i_verify_hostname, id_i_keylog_cb;
|
53
56
|
static ID id_i_io, id_i_context, id_i_hostname;
|
54
57
|
|
55
58
|
static int ossl_ssl_ex_vcb_idx;
|
@@ -291,7 +294,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
291
294
|
if (!pkey)
|
292
295
|
return NULL;
|
293
296
|
|
294
|
-
return EVP_PKEY_get0_DH(pkey);
|
297
|
+
return (DH *)EVP_PKEY_get0_DH(pkey);
|
295
298
|
}
|
296
299
|
#endif /* OPENSSL_NO_DH */
|
297
300
|
|
@@ -441,6 +444,54 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
|
|
441
444
|
return 0;
|
442
445
|
}
|
443
446
|
|
447
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
448
|
+
/*
|
449
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
450
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
451
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
452
|
+
*/
|
453
|
+
|
454
|
+
struct ossl_call_keylog_cb_args {
|
455
|
+
VALUE ssl_obj;
|
456
|
+
const char * line;
|
457
|
+
};
|
458
|
+
|
459
|
+
static VALUE
|
460
|
+
ossl_call_keylog_cb(VALUE args_v)
|
461
|
+
{
|
462
|
+
VALUE sslctx_obj, cb, line_v;
|
463
|
+
struct ossl_call_keylog_cb_args *args = (struct ossl_call_keylog_cb_args *) args_v;
|
464
|
+
|
465
|
+
sslctx_obj = rb_attr_get(args->ssl_obj, id_i_context);
|
466
|
+
|
467
|
+
cb = rb_attr_get(sslctx_obj, id_i_keylog_cb);
|
468
|
+
if (NIL_P(cb)) return Qnil;
|
469
|
+
|
470
|
+
line_v = rb_str_new_cstr(args->line);
|
471
|
+
|
472
|
+
return rb_funcall(cb, id_call, 2, args->ssl_obj, line_v);
|
473
|
+
}
|
474
|
+
|
475
|
+
static void
|
476
|
+
ossl_sslctx_keylog_cb(const SSL *ssl, const char *line)
|
477
|
+
{
|
478
|
+
VALUE ssl_obj;
|
479
|
+
struct ossl_call_keylog_cb_args args;
|
480
|
+
int state = 0;
|
481
|
+
|
482
|
+
OSSL_Debug("SSL keylog callback entered");
|
483
|
+
|
484
|
+
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
485
|
+
args.ssl_obj = ssl_obj;
|
486
|
+
args.line = line;
|
487
|
+
|
488
|
+
rb_protect(ossl_call_keylog_cb, (VALUE)&args, &state);
|
489
|
+
if (state) {
|
490
|
+
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
|
491
|
+
}
|
492
|
+
}
|
493
|
+
#endif
|
494
|
+
|
444
495
|
static VALUE
|
445
496
|
ossl_call_session_remove_cb(VALUE ary)
|
446
497
|
{
|
@@ -655,7 +706,7 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
655
706
|
return SSL_TLSEXT_ERR_OK;
|
656
707
|
}
|
657
708
|
|
658
|
-
#
|
709
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
659
710
|
static int
|
660
711
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
661
712
|
void *arg)
|
@@ -852,7 +903,7 @@ ossl_sslctx_setup(VALUE self)
|
|
852
903
|
val = rb_attr_get(self, id_i_verify_depth);
|
853
904
|
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
|
854
905
|
|
855
|
-
#
|
906
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
856
907
|
val = rb_attr_get(self, id_i_npn_protocols);
|
857
908
|
if (!NIL_P(val)) {
|
858
909
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
@@ -911,6 +962,18 @@ ossl_sslctx_setup(VALUE self)
|
|
911
962
|
OSSL_Debug("SSL TLSEXT servername callback added");
|
912
963
|
}
|
913
964
|
|
965
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
966
|
+
/*
|
967
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
968
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
969
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
970
|
+
*/
|
971
|
+
if (RTEST(rb_attr_get(self, id_i_keylog_cb))) {
|
972
|
+
SSL_CTX_set_keylog_callback(ctx, ossl_sslctx_keylog_cb);
|
973
|
+
OSSL_Debug("SSL keylog callback added");
|
974
|
+
}
|
975
|
+
#endif
|
976
|
+
|
914
977
|
return Qtrue;
|
915
978
|
}
|
916
979
|
|
@@ -959,27 +1022,13 @@ ossl_sslctx_get_ciphers(VALUE self)
|
|
959
1022
|
return ary;
|
960
1023
|
}
|
961
1024
|
|
962
|
-
/*
|
963
|
-
* call-seq:
|
964
|
-
* ctx.ciphers = "cipher1:cipher2:..."
|
965
|
-
* ctx.ciphers = [name, ...]
|
966
|
-
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
967
|
-
*
|
968
|
-
* Sets the list of available cipher suites for this context. Note in a server
|
969
|
-
* context some ciphers require the appropriate certificates. For example, an
|
970
|
-
* RSA cipher suite can only be chosen when an RSA certificate is available.
|
971
|
-
*/
|
972
1025
|
static VALUE
|
973
|
-
|
1026
|
+
build_cipher_string(VALUE v)
|
974
1027
|
{
|
975
|
-
SSL_CTX *ctx;
|
976
1028
|
VALUE str, elem;
|
977
1029
|
int i;
|
978
1030
|
|
979
|
-
|
980
|
-
if (NIL_P(v))
|
981
|
-
return v;
|
982
|
-
else if (RB_TYPE_P(v, T_ARRAY)) {
|
1031
|
+
if (RB_TYPE_P(v, T_ARRAY)) {
|
983
1032
|
str = rb_str_new(0, 0);
|
984
1033
|
for (i = 0; i < RARRAY_LEN(v); i++) {
|
985
1034
|
elem = rb_ary_entry(v, i);
|
@@ -993,14 +1042,67 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
993
1042
|
StringValue(str);
|
994
1043
|
}
|
995
1044
|
|
1045
|
+
return str;
|
1046
|
+
}
|
1047
|
+
|
1048
|
+
/*
|
1049
|
+
* call-seq:
|
1050
|
+
* ctx.ciphers = "cipher1:cipher2:..."
|
1051
|
+
* ctx.ciphers = [name, ...]
|
1052
|
+
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
1053
|
+
*
|
1054
|
+
* Sets the list of available cipher suites for this context. Note in a server
|
1055
|
+
* context some ciphers require the appropriate certificates. For example, an
|
1056
|
+
* RSA cipher suite can only be chosen when an RSA certificate is available.
|
1057
|
+
*/
|
1058
|
+
static VALUE
|
1059
|
+
ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
1060
|
+
{
|
1061
|
+
SSL_CTX *ctx;
|
1062
|
+
VALUE str;
|
1063
|
+
|
1064
|
+
rb_check_frozen(self);
|
1065
|
+
if (NIL_P(v))
|
1066
|
+
return v;
|
1067
|
+
|
1068
|
+
str = build_cipher_string(v);
|
1069
|
+
|
996
1070
|
GetSSLCTX(self, ctx);
|
997
|
-
if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
|
1071
|
+
if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
|
998
1072
|
ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
|
999
|
-
}
|
1000
1073
|
|
1001
1074
|
return v;
|
1002
1075
|
}
|
1003
1076
|
|
1077
|
+
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
1078
|
+
/*
|
1079
|
+
* call-seq:
|
1080
|
+
* ctx.ciphersuites = "cipher1:cipher2:..."
|
1081
|
+
* ctx.ciphersuites = [name, ...]
|
1082
|
+
* ctx.ciphersuites = [[name, version, bits, alg_bits], ...]
|
1083
|
+
*
|
1084
|
+
* Sets the list of available TLSv1.3 cipher suites for this context.
|
1085
|
+
*/
|
1086
|
+
static VALUE
|
1087
|
+
ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
|
1088
|
+
{
|
1089
|
+
SSL_CTX *ctx;
|
1090
|
+
VALUE str;
|
1091
|
+
|
1092
|
+
rb_check_frozen(self);
|
1093
|
+
if (NIL_P(v))
|
1094
|
+
return v;
|
1095
|
+
|
1096
|
+
str = build_cipher_string(v);
|
1097
|
+
|
1098
|
+
GetSSLCTX(self, ctx);
|
1099
|
+
if (!SSL_CTX_set_ciphersuites(ctx, StringValueCStr(str)))
|
1100
|
+
ossl_raise(eSSLError, "SSL_CTX_set_ciphersuites");
|
1101
|
+
|
1102
|
+
return v;
|
1103
|
+
}
|
1104
|
+
#endif
|
1105
|
+
|
1004
1106
|
#ifndef OPENSSL_NO_DH
|
1005
1107
|
/*
|
1006
1108
|
* call-seq:
|
@@ -1439,7 +1541,6 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
1439
1541
|
/*
|
1440
1542
|
* SSLSocket class
|
1441
1543
|
*/
|
1442
|
-
#ifndef OPENSSL_NO_SOCK
|
1443
1544
|
static inline int
|
1444
1545
|
ssl_started(SSL *ssl)
|
1445
1546
|
{
|
@@ -1602,11 +1703,16 @@ no_exception_p(VALUE opts)
|
|
1602
1703
|
return 0;
|
1603
1704
|
}
|
1604
1705
|
|
1706
|
+
// Provided by Ruby 3.2.0 and later in order to support the default IO#timeout.
|
1707
|
+
#ifndef RUBY_IO_TIMEOUT_DEFAULT
|
1708
|
+
#define RUBY_IO_TIMEOUT_DEFAULT Qnil
|
1709
|
+
#endif
|
1710
|
+
|
1605
1711
|
static void
|
1606
1712
|
io_wait_writable(rb_io_t *fptr)
|
1607
1713
|
{
|
1608
1714
|
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1609
|
-
rb_io_maybe_wait_writable(errno, fptr->self,
|
1715
|
+
rb_io_maybe_wait_writable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
|
1610
1716
|
#else
|
1611
1717
|
rb_io_wait_writable(fptr->fd);
|
1612
1718
|
#endif
|
@@ -1616,14 +1722,14 @@ static void
|
|
1616
1722
|
io_wait_readable(rb_io_t *fptr)
|
1617
1723
|
{
|
1618
1724
|
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1619
|
-
rb_io_maybe_wait_readable(errno, fptr->self,
|
1725
|
+
rb_io_maybe_wait_readable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
|
1620
1726
|
#else
|
1621
1727
|
rb_io_wait_readable(fptr->fd);
|
1622
1728
|
#endif
|
1623
1729
|
}
|
1624
1730
|
|
1625
1731
|
static VALUE
|
1626
|
-
ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
1732
|
+
ossl_start_ssl(VALUE self, int (*func)(SSL *), const char *funcname, VALUE opts)
|
1627
1733
|
{
|
1628
1734
|
SSL *ssl;
|
1629
1735
|
rb_io_t *fptr;
|
@@ -2342,7 +2448,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
|
|
2342
2448
|
return ossl_x509name_sk2ary(ca);
|
2343
2449
|
}
|
2344
2450
|
|
2345
|
-
#
|
2451
|
+
# ifdef OSSL_USE_NEXTPROTONEG
|
2346
2452
|
/*
|
2347
2453
|
* call-seq:
|
2348
2454
|
* ssl.npn_protocol => String | nil
|
@@ -2390,6 +2496,49 @@ ossl_ssl_alpn_protocol(VALUE self)
|
|
2390
2496
|
return rb_str_new((const char *) out, outlen);
|
2391
2497
|
}
|
2392
2498
|
|
2499
|
+
/*
|
2500
|
+
* call-seq:
|
2501
|
+
* session.export_keying_material(label, length) -> String
|
2502
|
+
*
|
2503
|
+
* Enables use of shared session key material in accordance with RFC 5705.
|
2504
|
+
*/
|
2505
|
+
static VALUE
|
2506
|
+
ossl_ssl_export_keying_material(int argc, VALUE *argv, VALUE self)
|
2507
|
+
{
|
2508
|
+
SSL *ssl;
|
2509
|
+
VALUE str;
|
2510
|
+
VALUE label;
|
2511
|
+
VALUE length;
|
2512
|
+
VALUE context;
|
2513
|
+
unsigned char *p;
|
2514
|
+
size_t len;
|
2515
|
+
int use_ctx = 0;
|
2516
|
+
unsigned char *ctx = NULL;
|
2517
|
+
size_t ctx_len = 0;
|
2518
|
+
int ret;
|
2519
|
+
|
2520
|
+
rb_scan_args(argc, argv, "21", &label, &length, &context);
|
2521
|
+
StringValue(label);
|
2522
|
+
|
2523
|
+
GetSSL(self, ssl);
|
2524
|
+
|
2525
|
+
len = (size_t)NUM2LONG(length);
|
2526
|
+
str = rb_str_new(0, len);
|
2527
|
+
p = (unsigned char *)RSTRING_PTR(str);
|
2528
|
+
if (!NIL_P(context)) {
|
2529
|
+
use_ctx = 1;
|
2530
|
+
StringValue(context);
|
2531
|
+
ctx = (unsigned char *)RSTRING_PTR(context);
|
2532
|
+
ctx_len = RSTRING_LEN(context);
|
2533
|
+
}
|
2534
|
+
ret = SSL_export_keying_material(ssl, p, len, (char *)RSTRING_PTR(label),
|
2535
|
+
RSTRING_LENINT(label), ctx, ctx_len, use_ctx);
|
2536
|
+
if (ret == 0 || ret == -1) {
|
2537
|
+
ossl_raise(eSSLError, "SSL_export_keying_material");
|
2538
|
+
}
|
2539
|
+
return str;
|
2540
|
+
}
|
2541
|
+
|
2393
2542
|
/*
|
2394
2543
|
* call-seq:
|
2395
2544
|
* ssl.tmp_key => PKey or nil
|
@@ -2419,6 +2568,7 @@ Init_ossl_ssl(void)
|
|
2419
2568
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
2420
2569
|
#endif
|
2421
2570
|
|
2571
|
+
#ifndef OPENSSL_NO_SOCK
|
2422
2572
|
id_call = rb_intern_const("call");
|
2423
2573
|
ID_callback_state = rb_intern_const("callback_state");
|
2424
2574
|
|
@@ -2441,16 +2591,6 @@ Init_ossl_ssl(void)
|
|
2441
2591
|
*/
|
2442
2592
|
mSSL = rb_define_module_under(mOSSL, "SSL");
|
2443
2593
|
|
2444
|
-
/* Document-module: OpenSSL::ExtConfig
|
2445
|
-
*
|
2446
|
-
* This module contains configuration information about the SSL extension,
|
2447
|
-
* for example if socket support is enabled, or the host name TLS extension
|
2448
|
-
* is enabled. Constants in this module will always be defined, but contain
|
2449
|
-
* +true+ or +false+ values depending on the configuration of your OpenSSL
|
2450
|
-
* installation.
|
2451
|
-
*/
|
2452
|
-
mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig");
|
2453
|
-
|
2454
2594
|
/* Document-class: OpenSSL::SSL::SSLError
|
2455
2595
|
*
|
2456
2596
|
* Generic error class raised by SSLSocket and SSLContext.
|
@@ -2613,8 +2753,6 @@ Init_ossl_ssl(void)
|
|
2613
2753
|
*/
|
2614
2754
|
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
2615
2755
|
|
2616
|
-
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
2617
|
-
|
2618
2756
|
/*
|
2619
2757
|
* A callback invoked whenever a new handshake is initiated on an
|
2620
2758
|
* established connection. May be used to disable renegotiation entirely.
|
@@ -2635,7 +2773,7 @@ Init_ossl_ssl(void)
|
|
2635
2773
|
* end
|
2636
2774
|
*/
|
2637
2775
|
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
2638
|
-
#
|
2776
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
2639
2777
|
/*
|
2640
2778
|
* An Enumerable of Strings. Each String represents a protocol to be
|
2641
2779
|
* advertised as the list of supported protocols for Next Protocol
|
@@ -2697,12 +2835,38 @@ Init_ossl_ssl(void)
|
|
2697
2835
|
*/
|
2698
2836
|
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
2699
2837
|
|
2838
|
+
/*
|
2839
|
+
* A callback invoked when TLS key material is generated or received, in
|
2840
|
+
* order to allow applications to store this keying material for debugging
|
2841
|
+
* purposes.
|
2842
|
+
*
|
2843
|
+
* The callback is invoked with an SSLSocket and a string containing the
|
2844
|
+
* key material in the format used by NSS for its SSLKEYLOGFILE debugging
|
2845
|
+
* output.
|
2846
|
+
*
|
2847
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
2848
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
2849
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
2850
|
+
*
|
2851
|
+
* === Example
|
2852
|
+
*
|
2853
|
+
* context.keylog_cb = proc do |_sock, line|
|
2854
|
+
* File.open('ssl_keylog_file', "a") do |f|
|
2855
|
+
* f.write("#{line}\n")
|
2856
|
+
* end
|
2857
|
+
* end
|
2858
|
+
*/
|
2859
|
+
rb_attr(cSSLContext, rb_intern_const("keylog_cb"), 1, 1, Qfalse);
|
2860
|
+
|
2700
2861
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
2701
2862
|
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
|
2702
2863
|
rb_define_private_method(cSSLContext, "set_minmax_proto_version",
|
2703
2864
|
ossl_sslctx_set_minmax_proto_version, 2);
|
2704
2865
|
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
2705
2866
|
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
2867
|
+
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
2868
|
+
rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
|
2869
|
+
#endif
|
2706
2870
|
#ifndef OPENSSL_NO_DH
|
2707
2871
|
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
|
2708
2872
|
#endif
|
@@ -2779,11 +2943,6 @@ Init_ossl_ssl(void)
|
|
2779
2943
|
* Document-class: OpenSSL::SSL::SSLSocket
|
2780
2944
|
*/
|
2781
2945
|
cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
|
2782
|
-
#ifdef OPENSSL_NO_SOCK
|
2783
|
-
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue);
|
2784
|
-
rb_define_method(cSSLSocket, "initialize", rb_f_notimplement, -1);
|
2785
|
-
#else
|
2786
|
-
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
|
2787
2946
|
rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
|
2788
2947
|
rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
|
2789
2948
|
rb_undef_method(cSSLSocket, "initialize_copy");
|
@@ -2814,10 +2973,10 @@ Init_ossl_ssl(void)
|
|
2814
2973
|
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
2815
2974
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
2816
2975
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
2817
|
-
|
2976
|
+
rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
|
2977
|
+
# ifdef OSSL_USE_NEXTPROTONEG
|
2818
2978
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
2819
2979
|
# endif
|
2820
|
-
#endif
|
2821
2980
|
|
2822
2981
|
rb_define_const(mSSL, "VERIFY_NONE", INT2NUM(SSL_VERIFY_NONE));
|
2823
2982
|
rb_define_const(mSSL, "VERIFY_PEER", INT2NUM(SSL_VERIFY_PEER));
|
@@ -2974,8 +3133,10 @@ Init_ossl_ssl(void)
|
|
2974
3133
|
DefIVarID(alpn_select_cb);
|
2975
3134
|
DefIVarID(servername_cb);
|
2976
3135
|
DefIVarID(verify_hostname);
|
3136
|
+
DefIVarID(keylog_cb);
|
2977
3137
|
|
2978
3138
|
DefIVarID(io);
|
2979
3139
|
DefIVarID(context);
|
2980
3140
|
DefIVarID(hostname);
|
3141
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
2981
3142
|
}
|
@@ -4,6 +4,7 @@
|
|
4
4
|
|
5
5
|
#include "ossl.h"
|
6
6
|
|
7
|
+
#ifndef OPENSSL_NO_SOCK
|
7
8
|
VALUE cSSLSession;
|
8
9
|
static VALUE eSSLSession;
|
9
10
|
|
@@ -299,6 +300,7 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
|
|
299
300
|
return ossl_membio2str(out);
|
300
301
|
}
|
301
302
|
|
303
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
302
304
|
|
303
305
|
void Init_ossl_ssl_session(void)
|
304
306
|
{
|
@@ -307,6 +309,7 @@ void Init_ossl_ssl_session(void)
|
|
307
309
|
mSSL = rb_define_module_under(mOSSL, "SSL");
|
308
310
|
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
|
309
311
|
#endif
|
312
|
+
#ifndef OPENSSL_NO_SOCK
|
310
313
|
cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
|
311
314
|
eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
|
312
315
|
|
@@ -324,4 +327,5 @@ void Init_ossl_ssl_session(void)
|
|
324
327
|
rb_define_method(cSSLSession, "to_der", ossl_ssl_session_to_der, 0);
|
325
328
|
rb_define_method(cSSLSession, "to_pem", ossl_ssl_session_to_pem, 0);
|
326
329
|
rb_define_method(cSSLSession, "to_text", ossl_ssl_session_to_text, 0);
|
330
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
327
331
|
}
|
data/lib/openssl/pkey.rb
CHANGED
@@ -363,7 +363,8 @@ module OpenSSL::PKey
|
|
363
363
|
# rsa.private_encrypt(string, padding) -> String
|
364
364
|
#
|
365
365
|
# Encrypt +string+ with the private key. +padding+ defaults to
|
366
|
-
# PKCS1_PADDING
|
366
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
367
|
+
# compatibility. The encrypted string output can be decrypted using
|
367
368
|
# #public_decrypt.
|
368
369
|
#
|
369
370
|
# <b>Deprecated in version 3.0</b>.
|
@@ -386,7 +387,8 @@ module OpenSSL::PKey
|
|
386
387
|
# rsa.public_decrypt(string, padding) -> String
|
387
388
|
#
|
388
389
|
# Decrypt +string+, which has been encrypted with the private key, with the
|
389
|
-
# public key. +padding+ defaults to PKCS1_PADDING
|
390
|
+
# public key. +padding+ defaults to PKCS1_PADDING which is known to be
|
391
|
+
# insecure but is kept for backwards compatibility.
|
390
392
|
#
|
391
393
|
# <b>Deprecated in version 3.0</b>.
|
392
394
|
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
@@ -407,7 +409,8 @@ module OpenSSL::PKey
|
|
407
409
|
# rsa.public_encrypt(string, padding) -> String
|
408
410
|
#
|
409
411
|
# Encrypt +string+ with the public key. +padding+ defaults to
|
410
|
-
# PKCS1_PADDING
|
412
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
413
|
+
# compatibility. The encrypted string output can be decrypted using
|
411
414
|
# #private_decrypt.
|
412
415
|
#
|
413
416
|
# <b>Deprecated in version 3.0</b>.
|
@@ -428,7 +431,8 @@ module OpenSSL::PKey
|
|
428
431
|
# rsa.private_decrypt(string, padding) -> String
|
429
432
|
#
|
430
433
|
# Decrypt +string+, which has been encrypted with the public key, with the
|
431
|
-
# private key. +padding+ defaults to PKCS1_PADDING
|
434
|
+
# private key. +padding+ defaults to PKCS1_PADDING, which is known to be
|
435
|
+
# insecure but is kept for backwards compatibility.
|
432
436
|
#
|
433
437
|
# <b>Deprecated in version 3.0</b>.
|
434
438
|
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
data/lib/openssl/ssl.rb
CHANGED
@@ -11,6 +11,9 @@
|
|
11
11
|
=end
|
12
12
|
|
13
13
|
require "openssl/buffering"
|
14
|
+
|
15
|
+
if defined?(OpenSSL::SSL)
|
16
|
+
|
14
17
|
require "io/nonblock"
|
15
18
|
require "ipaddr"
|
16
19
|
require "socket"
|
@@ -540,3 +543,5 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
540
543
|
end
|
541
544
|
end
|
542
545
|
end
|
546
|
+
|
547
|
+
end
|
data/lib/openssl/version.rb
CHANGED