openssl 3.0.3 → 3.1.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7e3734ac5044a3ae69b9fb618a0896867e28cfe1390220d802e9db114b449384
4
- data.tar.gz: '0976489913ce74b9b7e83c013db968687c75d2b61715bdda5d6ced8a7b6cdd6a'
3
+ metadata.gz: 65d16dc88820644059bc2773d3f9ea9511324aa07822a31b2bdf1dfd2306224f
4
+ data.tar.gz: bbd4cdeec2d76994294061804456942b9528d86352375b8d2c4dfea171287ec5
5
5
  SHA512:
6
- metadata.gz: df86c47dd43a0d92ddaea6d9edd39cbac1eb963807eeb525c9e4be2a9820f1f5dfac017492082fcac63f93ceb3cb6d1a4e0d0574104bd61004c14b5a1866bd9f
7
- data.tar.gz: 071d295fd05b9be5e941a9698977cdb62a02d6b1f83557243bf250d566db372f42df8338c6c9fb11af349c5df879c1ab7179042b2e5c44664431fa0eae1cd1b9
6
+ metadata.gz: 3b7477f09b389f6ed8ffc24c5adb43cfe9a19ba2ee6293adc5e1d08199ea3a9365c4006705c4a4c2935e251e6e720af699786f0eda6cebc7fa2ec9826eb1dbcb
7
+ data.tar.gz: 765705e0e698d843b3a2809e957542c76dc414208a762ad58fdfdb6ed9f6400c39c797b0cdc7ad6173fd1d12b4b7c16a448e0a0445fec4efbf190a27318e4340
data/CONTRIBUTING.md CHANGED
@@ -17,7 +17,7 @@ When reporting a bug, please make sure you include:
17
17
  * Ruby version (`ruby -v`)
18
18
  * `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
19
19
  * OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
20
- * A sample file that illustrates the problem or link to the repository or
20
+ * A sample file that illustrates the problem or link to the repository or
21
21
  gem that is associated with the bug.
22
22
 
23
23
  There are a number of unresolved issues and feature requests for openssl that
data/History.md CHANGED
@@ -1,3 +1,45 @@
1
+ Version 3.1.1
2
+ =============
3
+
4
+ Merged changes in 3.0.3.
5
+
6
+
7
+ Version 3.1.0
8
+ =============
9
+
10
+ Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
11
+
12
+ Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
13
+
14
+ Notable changes
15
+ ---------------
16
+
17
+ * Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
18
+ suites.
19
+ [[GitHub #493]](https://github.com/ruby/openssl/pull/493)
20
+ * Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
21
+ material of the session, as defined in RFC 5705.
22
+ [[GitHub #530]](https://github.com/ruby/openssl/pull/530)
23
+ * Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
24
+ callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
25
+ [[GitHub #536]](https://github.com/ruby/openssl/pull/536)
26
+ * Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
27
+ and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
28
+ methods used to be equivalent of specifying SHA-1. This default value is now
29
+ removed and we will let the underlying OpenSSL library decide instead.
30
+ [[GitHub #507]](https://github.com/ruby/openssl/pull/507)
31
+ * Add `OpenSSL::BN#mod_sqrt`.
32
+ [[GitHub #553]](https://github.com/ruby/openssl/pull/553)
33
+ * Allow calling `OpenSSL::Cipher#update` with an empty string. This was
34
+ prohibited to workaround an ancient bug in OpenSSL.
35
+ [[GitHub #568]](https://github.com/ruby/openssl/pull/568)
36
+ * Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
37
+ will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
38
+ [[GitHub #558]](https://github.com/ruby/openssl/pull/558)
39
+ * Improve support for recent LibreSSL versions. This includes HKDF support in
40
+ LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
41
+
42
+
1
43
  Version 3.0.3
2
44
  =============
3
45
 
@@ -25,8 +25,9 @@ Logging::message "=== OpenSSL for Ruby configurator ===\n"
25
25
  if with_config("debug") or enable_config("debug")
26
26
  $defs.push("-DOSSL_DEBUG")
27
27
  end
28
+ $defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
28
29
 
29
- have_func("rb_io_maybe_wait") # Ruby 3.1
30
+ have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
30
31
 
31
32
  Logging::message "=== Checking for system dependent stuff... ===\n"
32
33
  have_library("nsl", "t_open")
@@ -120,8 +121,13 @@ if is_libressl && ($mswin || $mingw)
120
121
  end
121
122
 
122
123
  Logging::message "=== Checking for OpenSSL features... ===\n"
124
+ evp_h = "openssl/evp.h".freeze
125
+ x509_h = "openssl/x509.h".freeze
126
+ ts_h = "openssl/ts.h".freeze
127
+ ssl_h = "openssl/ssl.h".freeze
128
+
123
129
  # compile options
124
- have_func("RAND_egd")
130
+ have_func("RAND_egd()", "openssl/rand.h")
125
131
  engines = %w{dynamic 4758cca aep atalla chil
126
132
  cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
127
133
  engines.each { |name|
@@ -132,55 +138,56 @@ engines.each { |name|
132
138
  if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
133
139
  $defs.push("-DHAVE_OPAQUE_OPENSSL")
134
140
  end
135
- have_func("EVP_MD_CTX_new")
136
- have_func("EVP_MD_CTX_free")
137
- have_func("EVP_MD_CTX_pkey_ctx")
138
- have_func("X509_STORE_get_ex_data")
139
- have_func("X509_STORE_set_ex_data")
140
- have_func("X509_STORE_get_ex_new_index")
141
- have_func("X509_CRL_get0_signature")
142
- have_func("X509_REQ_get0_signature")
143
- have_func("X509_REVOKED_get0_serialNumber")
144
- have_func("X509_REVOKED_get0_revocationDate")
145
- have_func("X509_get0_tbs_sigalg")
146
- have_func("X509_STORE_CTX_get0_untrusted")
147
- have_func("X509_STORE_CTX_get0_cert")
148
- have_func("X509_STORE_CTX_get0_chain")
149
- have_func("OCSP_SINGLERESP_get0_id")
150
- have_func("SSL_CTX_get_ciphers")
151
- have_func("X509_up_ref")
152
- have_func("X509_CRL_up_ref")
153
- have_func("X509_STORE_up_ref")
154
- have_func("SSL_SESSION_up_ref")
155
- have_func("EVP_PKEY_up_ref")
156
- have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
157
- have_func("SSL_CTX_get_security_level")
158
- have_func("X509_get0_notBefore")
159
- have_func("SSL_SESSION_get_protocol_version")
160
- have_func("TS_STATUS_INFO_get0_status")
161
- have_func("TS_STATUS_INFO_get0_text")
162
- have_func("TS_STATUS_INFO_get0_failure_info")
163
- have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
164
- have_func("TS_VERIFY_CTX_set_store")
165
- have_func("TS_VERIFY_CTX_add_flags")
166
- have_func("TS_RESP_CTX_set_time_cb")
167
- have_func("EVP_PBE_scrypt")
168
- have_func("SSL_CTX_set_post_handshake_auth")
141
+ have_func("EVP_MD_CTX_new()", evp_h)
142
+ have_func("EVP_MD_CTX_free(NULL)", evp_h)
143
+ have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
144
+ have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
145
+ have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
146
+ have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
147
+ have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
148
+ have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
149
+ have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
150
+ have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
151
+ have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
152
+ have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
153
+ have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
154
+ have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
155
+ have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
156
+ have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
157
+ have_func("X509_up_ref(NULL)", x509_h)
158
+ have_func("X509_CRL_up_ref(NULL)", x509_h)
159
+ have_func("X509_STORE_up_ref(NULL)", x509_h)
160
+ have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
161
+ have_func("EVP_PKEY_up_ref(NULL)", evp_h)
162
+ have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
163
+ have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
164
+ have_func("X509_get0_notBefore(NULL)", x509_h)
165
+ have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
166
+ have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
167
+ have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
168
+ have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
169
+ have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
170
+ have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
171
+ have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
172
+ have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
173
+ have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
174
+ have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
169
175
 
170
176
  # added in 1.1.1
171
- have_func("EVP_PKEY_check")
172
- have_func("EVP_PKEY_new_raw_private_key")
177
+ have_func("EVP_PKEY_check(NULL)", evp_h)
178
+ have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
179
+ have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
173
180
 
174
181
  # added in 3.0.0
175
- have_func("SSL_set0_tmp_dh_pkey")
176
- have_func("ERR_get_error_all")
177
- have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
178
- have_func("SSL_CTX_load_verify_file")
179
- have_func("BN_check_prime")
180
- have_func("EVP_MD_CTX_get0_md")
181
- have_func("EVP_MD_CTX_get_pkey_ctx")
182
- have_func("EVP_PKEY_eq")
183
- have_func("EVP_PKEY_dup")
182
+ have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
183
+ have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
184
+ have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
185
+ have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
186
+ have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
187
+ have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
188
+ have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
189
+ have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
190
+ have_func("EVP_PKEY_dup(NULL)", evp_h)
184
191
 
185
192
  Logging::message "=== Checking done. ===\n"
186
193
 
data/ext/openssl/ossl.h CHANGED
@@ -52,6 +52,12 @@
52
52
  (LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
53
53
  #endif
54
54
 
55
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
56
+ # define OSSL_3_const const
57
+ #else
58
+ # define OSSL_3_const /* const */
59
+ #endif
60
+
55
61
  #if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
56
62
  # define OSSL_USE_ENGINE
57
63
  #endif
@@ -509,7 +509,8 @@ ossl_asn1_get_asn1type(VALUE obj)
509
509
  ASN1_TYPE *ret;
510
510
  VALUE value, rflag;
511
511
  void *ptr;
512
- void (*free_func)();
512
+ typedef void free_func_type(void *);
513
+ free_func_type *free_func;
513
514
  int tag;
514
515
 
515
516
  tag = ossl_asn1_default_tag(obj);
@@ -522,16 +523,16 @@ ossl_asn1_get_asn1type(VALUE obj)
522
523
  case V_ASN1_INTEGER: /* FALLTHROUGH */
523
524
  case V_ASN1_ENUMERATED:
524
525
  ptr = obj_to_asn1int(value);
525
- free_func = ASN1_INTEGER_free;
526
+ free_func = (free_func_type *)ASN1_INTEGER_free;
526
527
  break;
527
528
  case V_ASN1_BIT_STRING:
528
529
  rflag = rb_attr_get(obj, sivUNUSED_BITS);
529
530
  ptr = obj_to_asn1bstr(value, NUM2INT(rflag));
530
- free_func = ASN1_BIT_STRING_free;
531
+ free_func = (free_func_type *)ASN1_BIT_STRING_free;
531
532
  break;
532
533
  case V_ASN1_NULL:
533
534
  ptr = obj_to_asn1null(value);
534
- free_func = ASN1_NULL_free;
535
+ free_func = (free_func_type *)ASN1_NULL_free;
535
536
  break;
536
537
  case V_ASN1_OCTET_STRING: /* FALLTHROUGH */
537
538
  case V_ASN1_UTF8STRING: /* FALLTHROUGH */
@@ -546,24 +547,24 @@ ossl_asn1_get_asn1type(VALUE obj)
546
547
  case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
547
548
  case V_ASN1_BMPSTRING:
548
549
  ptr = obj_to_asn1str(value);
549
- free_func = ASN1_STRING_free;
550
+ free_func = (free_func_type *)ASN1_STRING_free;
550
551
  break;
551
552
  case V_ASN1_OBJECT:
552
553
  ptr = obj_to_asn1obj(value);
553
- free_func = ASN1_OBJECT_free;
554
+ free_func = (free_func_type *)ASN1_OBJECT_free;
554
555
  break;
555
556
  case V_ASN1_UTCTIME:
556
557
  ptr = obj_to_asn1utime(value);
557
- free_func = ASN1_TIME_free;
558
+ free_func = (free_func_type *)ASN1_TIME_free;
558
559
  break;
559
560
  case V_ASN1_GENERALIZEDTIME:
560
561
  ptr = obj_to_asn1gtime(value);
561
- free_func = ASN1_TIME_free;
562
+ free_func = (free_func_type *)ASN1_TIME_free;
562
563
  break;
563
564
  case V_ASN1_SET: /* FALLTHROUGH */
564
565
  case V_ASN1_SEQUENCE:
565
566
  ptr = obj_to_asn1derstr(obj);
566
- free_func = ASN1_STRING_free;
567
+ free_func = (free_func_type *)ASN1_STRING_free;
567
568
  break;
568
569
  default:
569
570
  ossl_raise(eASN1Error, "unsupported ASN.1 type");
@@ -1517,7 +1518,7 @@ Init_ossl_asn1(void)
1517
1518
  *
1518
1519
  * An Array that stores the name of a given tag number. These names are
1519
1520
  * the same as the name of the tag constant that is additionally defined,
1520
- * e.g. +UNIVERSAL_TAG_NAME[2] = "INTEGER"+ and +OpenSSL::ASN1::INTEGER = 2+.
1521
+ * e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
1521
1522
  *
1522
1523
  * == Example usage
1523
1524
  *
@@ -577,22 +577,33 @@ BIGNUM_2c(gcd)
577
577
  */
578
578
  BIGNUM_2c(mod_sqr)
579
579
 
580
+ #define BIGNUM_2cr(func) \
581
+ static VALUE \
582
+ ossl_bn_##func(VALUE self, VALUE other) \
583
+ { \
584
+ BIGNUM *bn1, *bn2 = GetBNPtr(other), *result; \
585
+ VALUE obj; \
586
+ GetBN(self, bn1); \
587
+ obj = NewBN(rb_obj_class(self)); \
588
+ if (!(result = BN_##func(NULL, bn1, bn2, ossl_bn_ctx))) \
589
+ ossl_raise(eBNError, NULL); \
590
+ SetBN(obj, result); \
591
+ return obj; \
592
+ }
593
+
580
594
  /*
595
+ * Document-method: OpenSSL::BN#mod_sqrt
596
+ * call-seq:
597
+ * bn.mod_sqrt(bn2) => aBN
598
+ */
599
+ BIGNUM_2cr(mod_sqrt)
600
+
601
+ /*
602
+ * Document-method: OpenSSL::BN#mod_inverse
581
603
  * call-seq:
582
604
  * bn.mod_inverse(bn2) => aBN
583
605
  */
584
- static VALUE
585
- ossl_bn_mod_inverse(VALUE self, VALUE other)
586
- {
587
- BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
588
- VALUE obj;
589
- GetBN(self, bn1);
590
- obj = NewBN(rb_obj_class(self));
591
- if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
592
- ossl_raise(eBNError, "BN_mod_inverse");
593
- SetBN(obj, result);
594
- return obj;
595
- }
606
+ BIGNUM_2cr(mod_inverse)
596
607
 
597
608
  /*
598
609
  * call-seq:
@@ -1234,6 +1245,7 @@ Init_ossl_bn(void)
1234
1245
  rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);
1235
1246
  rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);
1236
1247
  rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);
1248
+ rb_define_method(cBN, "mod_sqrt", ossl_bn_mod_sqrt, 1);
1237
1249
  rb_define_method(cBN, "**", ossl_bn_exp, 1);
1238
1250
  rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);
1239
1251
  rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);
@@ -384,8 +384,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
384
384
 
385
385
  StringValue(data);
386
386
  in = (unsigned char *)RSTRING_PTR(data);
387
- if ((in_len = RSTRING_LEN(data)) == 0)
388
- ossl_raise(rb_eArgError, "data must not be empty");
387
+ in_len = RSTRING_LEN(data);
389
388
  GetCipher(self, ctx);
390
389
 
391
390
  /*
@@ -3,7 +3,7 @@
3
3
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
4
4
  */
5
5
  #include "ossl.h"
6
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
6
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
7
7
  # include <openssl/kdf.h>
8
8
  #endif
9
9
 
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
141
141
  }
142
142
  #endif
143
143
 
144
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
144
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
145
145
  /*
146
146
  * call-seq:
147
147
  * KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -305,7 +305,7 @@ Init_ossl_kdf(void)
305
305
  #if defined(HAVE_EVP_PBE_SCRYPT)
306
306
  rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
307
307
  #endif
308
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
308
+ #if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
309
309
  rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
310
310
  #endif
311
311
  }
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
382
382
  if (!NIL_P(flags))
383
383
  flg = NUM2INT(flags);
384
384
  if (NIL_P(digest))
385
- md = EVP_sha1();
385
+ md = NULL;
386
386
  else
387
387
  md = ossl_evp_get_digestbyname(digest);
388
388
  if (NIL_P(certs))
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
1033
1033
  if (!NIL_P(flags))
1034
1034
  flg = NUM2INT(flags);
1035
1035
  if (NIL_P(digest))
1036
- md = EVP_sha1();
1036
+ md = NULL;
1037
1037
  else
1038
1038
  md = ossl_evp_get_digestbyname(digest);
1039
1039
  if (NIL_P(certs))
@@ -92,7 +92,7 @@ void Init_ossl_ec(void);
92
92
  */ \
93
93
  static VALUE ossl_##_keytype##_get_##_name(VALUE self) \
94
94
  { \
95
- _type *obj; \
95
+ const _type *obj; \
96
96
  const BIGNUM *bn; \
97
97
  \
98
98
  Get##_type(self, obj); \
@@ -178,7 +178,7 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
178
178
  static VALUE
179
179
  ossl_dh_is_public(VALUE self)
180
180
  {
181
- DH *dh;
181
+ OSSL_3_const DH *dh;
182
182
  const BIGNUM *bn;
183
183
 
184
184
  GetDH(self, dh);
@@ -197,14 +197,14 @@ ossl_dh_is_public(VALUE self)
197
197
  static VALUE
198
198
  ossl_dh_is_private(VALUE self)
199
199
  {
200
- DH *dh;
200
+ OSSL_3_const DH *dh;
201
201
  const BIGNUM *bn;
202
202
 
203
203
  GetDH(self, dh);
204
204
  DH_get0_key(dh, NULL, &bn);
205
205
 
206
206
  #if !defined(OPENSSL_NO_ENGINE)
207
- return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
207
+ return (bn || DH_get0_engine((DH *)dh)) ? Qtrue : Qfalse;
208
208
  #else
209
209
  return bn ? Qtrue : Qfalse;
210
210
  #endif
@@ -223,7 +223,7 @@ ossl_dh_is_private(VALUE self)
223
223
  static VALUE
224
224
  ossl_dh_export(VALUE self)
225
225
  {
226
- DH *dh;
226
+ OSSL_3_const DH *dh;
227
227
  BIO *out;
228
228
  VALUE str;
229
229
 
@@ -252,7 +252,7 @@ ossl_dh_export(VALUE self)
252
252
  static VALUE
253
253
  ossl_dh_to_der(VALUE self)
254
254
  {
255
- DH *dh;
255
+ OSSL_3_const DH *dh;
256
256
  unsigned char *p;
257
257
  long len;
258
258
  VALUE str;
@@ -280,7 +280,7 @@ ossl_dh_to_der(VALUE self)
280
280
  static VALUE
281
281
  ossl_dh_get_params(VALUE self)
282
282
  {
283
- DH *dh;
283
+ OSSL_3_const DH *dh;
284
284
  VALUE hash;
285
285
  const BIGNUM *p, *q, *g, *pub_key, *priv_key;
286
286
 
@@ -24,7 +24,7 @@
24
24
  } while (0)
25
25
 
26
26
  static inline int
27
- DSA_HAS_PRIVATE(DSA *dsa)
27
+ DSA_HAS_PRIVATE(OSSL_3_const DSA *dsa)
28
28
  {
29
29
  const BIGNUM *bn;
30
30
  DSA_get0_key(dsa, NULL, &bn);
@@ -32,7 +32,7 @@ DSA_HAS_PRIVATE(DSA *dsa)
32
32
  }
33
33
 
34
34
  static inline int
35
- DSA_PRIVATE(VALUE obj, DSA *dsa)
35
+ DSA_PRIVATE(VALUE obj, OSSL_3_const DSA *dsa)
36
36
  {
37
37
  return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
38
38
  }
@@ -179,7 +179,7 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
179
179
  static VALUE
180
180
  ossl_dsa_is_public(VALUE self)
181
181
  {
182
- DSA *dsa;
182
+ const DSA *dsa;
183
183
  const BIGNUM *bn;
184
184
 
185
185
  GetDSA(self, dsa);
@@ -198,7 +198,7 @@ ossl_dsa_is_public(VALUE self)
198
198
  static VALUE
199
199
  ossl_dsa_is_private(VALUE self)
200
200
  {
201
- DSA *dsa;
201
+ OSSL_3_const DSA *dsa;
202
202
 
203
203
  GetDSA(self, dsa);
204
204
 
@@ -225,7 +225,7 @@ ossl_dsa_is_private(VALUE self)
225
225
  static VALUE
226
226
  ossl_dsa_export(int argc, VALUE *argv, VALUE self)
227
227
  {
228
- DSA *dsa;
228
+ OSSL_3_const DSA *dsa;
229
229
 
230
230
  GetDSA(self, dsa);
231
231
  if (DSA_HAS_PRIVATE(dsa))
@@ -244,7 +244,7 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
244
244
  static VALUE
245
245
  ossl_dsa_to_der(VALUE self)
246
246
  {
247
- DSA *dsa;
247
+ OSSL_3_const DSA *dsa;
248
248
 
249
249
  GetDSA(self, dsa);
250
250
  if (DSA_HAS_PRIVATE(dsa))
@@ -265,7 +265,7 @@ ossl_dsa_to_der(VALUE self)
265
265
  static VALUE
266
266
  ossl_dsa_get_params(VALUE self)
267
267
  {
268
- DSA *dsa;
268
+ OSSL_3_const DSA *dsa;
269
269
  VALUE hash;
270
270
  const BIGNUM *p, *q, *g, *pub_key, *priv_key;
271
271
 
@@ -227,7 +227,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
227
227
  static VALUE
228
228
  ossl_ec_key_get_group(VALUE self)
229
229
  {
230
- EC_KEY *ec;
230
+ OSSL_3_const EC_KEY *ec;
231
231
  const EC_GROUP *group;
232
232
 
233
233
  GetEC(self, ec);
@@ -272,7 +272,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
272
272
  */
273
273
  static VALUE ossl_ec_key_get_private_key(VALUE self)
274
274
  {
275
- EC_KEY *ec;
275
+ OSSL_3_const EC_KEY *ec;
276
276
  const BIGNUM *bn;
277
277
 
278
278
  GetEC(self, ec);
@@ -323,7 +323,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
323
323
  */
324
324
  static VALUE ossl_ec_key_get_public_key(VALUE self)
325
325
  {
326
- EC_KEY *ec;
326
+ OSSL_3_const EC_KEY *ec;
327
327
  const EC_POINT *point;
328
328
 
329
329
  GetEC(self, ec);
@@ -375,7 +375,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
375
375
  */
376
376
  static VALUE ossl_ec_key_is_public(VALUE self)
377
377
  {
378
- EC_KEY *ec;
378
+ OSSL_3_const EC_KEY *ec;
379
379
 
380
380
  GetEC(self, ec);
381
381
 
@@ -391,7 +391,7 @@ static VALUE ossl_ec_key_is_public(VALUE self)
391
391
  */
392
392
  static VALUE ossl_ec_key_is_private(VALUE self)
393
393
  {
394
- EC_KEY *ec;
394
+ OSSL_3_const EC_KEY *ec;
395
395
 
396
396
  GetEC(self, ec);
397
397
 
@@ -411,7 +411,7 @@ static VALUE ossl_ec_key_is_private(VALUE self)
411
411
  static VALUE
412
412
  ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
413
413
  {
414
- EC_KEY *ec;
414
+ OSSL_3_const EC_KEY *ec;
415
415
 
416
416
  GetEC(self, ec);
417
417
  if (EC_KEY_get0_public_key(ec) == NULL)
@@ -431,7 +431,7 @@ ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
431
431
  static VALUE
432
432
  ossl_ec_key_to_der(VALUE self)
433
433
  {
434
- EC_KEY *ec;
434
+ OSSL_3_const EC_KEY *ec;
435
435
 
436
436
  GetEC(self, ec);
437
437
  if (EC_KEY_get0_public_key(ec) == NULL)
@@ -483,7 +483,7 @@ static VALUE ossl_ec_key_check_key(VALUE self)
483
483
  #ifdef HAVE_EVP_PKEY_CHECK
484
484
  EVP_PKEY *pkey;
485
485
  EVP_PKEY_CTX *pctx;
486
- EC_KEY *ec;
486
+ const EC_KEY *ec;
487
487
 
488
488
  GetPKey(self, pkey);
489
489
  GetEC(self, ec);
@@ -24,7 +24,7 @@
24
24
  } while (0)
25
25
 
26
26
  static inline int
27
- RSA_HAS_PRIVATE(RSA *rsa)
27
+ RSA_HAS_PRIVATE(OSSL_3_const RSA *rsa)
28
28
  {
29
29
  const BIGNUM *e, *d;
30
30
 
@@ -33,7 +33,7 @@ RSA_HAS_PRIVATE(RSA *rsa)
33
33
  }
34
34
 
35
35
  static inline int
36
- RSA_PRIVATE(VALUE obj, RSA *rsa)
36
+ RSA_PRIVATE(VALUE obj, OSSL_3_const RSA *rsa)
37
37
  {
38
38
  return RSA_HAS_PRIVATE(rsa) || OSSL_PKEY_IS_PRIVATE(obj);
39
39
  }
@@ -174,7 +174,7 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
174
174
  static VALUE
175
175
  ossl_rsa_is_public(VALUE self)
176
176
  {
177
- RSA *rsa;
177
+ OSSL_3_const RSA *rsa;
178
178
 
179
179
  GetRSA(self, rsa);
180
180
  /*
@@ -193,7 +193,7 @@ ossl_rsa_is_public(VALUE self)
193
193
  static VALUE
194
194
  ossl_rsa_is_private(VALUE self)
195
195
  {
196
- RSA *rsa;
196
+ OSSL_3_const RSA *rsa;
197
197
 
198
198
  GetRSA(self, rsa);
199
199
 
@@ -203,7 +203,7 @@ ossl_rsa_is_private(VALUE self)
203
203
  static int
204
204
  can_export_rsaprivatekey(VALUE self)
205
205
  {
206
- RSA *rsa;
206
+ OSSL_3_const RSA *rsa;
207
207
  const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
208
208
 
209
209
  GetRSA(self, rsa);
@@ -453,7 +453,7 @@ ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
453
453
  static VALUE
454
454
  ossl_rsa_get_params(VALUE self)
455
455
  {
456
- RSA *rsa;
456
+ OSSL_3_const RSA *rsa;
457
457
  VALUE hash;
458
458
  const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
459
459
 
@@ -11,11 +11,15 @@
11
11
  */
12
12
  #include "ossl.h"
13
13
 
14
+ #ifndef OPENSSL_NO_SOCK
14
15
  #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
15
16
 
17
+ #if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL
18
+ # define OSSL_USE_NEXTPROTONEG
19
+ #endif
20
+
16
21
  #if !defined(TLS1_3_VERSION) && \
17
- defined(LIBRESSL_VERSION_NUMBER) && \
18
- LIBRESSL_VERSION_NUMBER >= 0x3020000fL
22
+ OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
19
23
  # define TLS1_3_VERSION 0x0304
20
24
  #endif
21
25
 
@@ -30,7 +34,6 @@
30
34
  } while (0)
31
35
 
32
36
  VALUE mSSL;
33
- static VALUE mSSLExtConfig;
34
37
  static VALUE eSSLError;
35
38
  VALUE cSSLContext;
36
39
  VALUE cSSLSocket;
@@ -49,7 +52,7 @@ static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
49
52
  id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
50
53
  id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
51
54
  id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
52
- id_i_verify_hostname;
55
+ id_i_verify_hostname, id_i_keylog_cb;
53
56
  static ID id_i_io, id_i_context, id_i_hostname;
54
57
 
55
58
  static int ossl_ssl_ex_vcb_idx;
@@ -291,7 +294,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
291
294
  if (!pkey)
292
295
  return NULL;
293
296
 
294
- return EVP_PKEY_get0_DH(pkey);
297
+ return (DH *)EVP_PKEY_get0_DH(pkey);
295
298
  }
296
299
  #endif /* OPENSSL_NO_DH */
297
300
 
@@ -441,6 +444,54 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
441
444
  return 0;
442
445
  }
443
446
 
447
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
448
+ /*
449
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
450
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
451
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
452
+ */
453
+
454
+ struct ossl_call_keylog_cb_args {
455
+ VALUE ssl_obj;
456
+ const char * line;
457
+ };
458
+
459
+ static VALUE
460
+ ossl_call_keylog_cb(VALUE args_v)
461
+ {
462
+ VALUE sslctx_obj, cb, line_v;
463
+ struct ossl_call_keylog_cb_args *args = (struct ossl_call_keylog_cb_args *) args_v;
464
+
465
+ sslctx_obj = rb_attr_get(args->ssl_obj, id_i_context);
466
+
467
+ cb = rb_attr_get(sslctx_obj, id_i_keylog_cb);
468
+ if (NIL_P(cb)) return Qnil;
469
+
470
+ line_v = rb_str_new_cstr(args->line);
471
+
472
+ return rb_funcall(cb, id_call, 2, args->ssl_obj, line_v);
473
+ }
474
+
475
+ static void
476
+ ossl_sslctx_keylog_cb(const SSL *ssl, const char *line)
477
+ {
478
+ VALUE ssl_obj;
479
+ struct ossl_call_keylog_cb_args args;
480
+ int state = 0;
481
+
482
+ OSSL_Debug("SSL keylog callback entered");
483
+
484
+ ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
485
+ args.ssl_obj = ssl_obj;
486
+ args.line = line;
487
+
488
+ rb_protect(ossl_call_keylog_cb, (VALUE)&args, &state);
489
+ if (state) {
490
+ rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
491
+ }
492
+ }
493
+ #endif
494
+
444
495
  static VALUE
445
496
  ossl_call_session_remove_cb(VALUE ary)
446
497
  {
@@ -655,7 +706,7 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
655
706
  return SSL_TLSEXT_ERR_OK;
656
707
  }
657
708
 
658
- #ifndef OPENSSL_NO_NEXTPROTONEG
709
+ #ifdef OSSL_USE_NEXTPROTONEG
659
710
  static int
660
711
  ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
661
712
  void *arg)
@@ -852,7 +903,7 @@ ossl_sslctx_setup(VALUE self)
852
903
  val = rb_attr_get(self, id_i_verify_depth);
853
904
  if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
854
905
 
855
- #ifndef OPENSSL_NO_NEXTPROTONEG
906
+ #ifdef OSSL_USE_NEXTPROTONEG
856
907
  val = rb_attr_get(self, id_i_npn_protocols);
857
908
  if (!NIL_P(val)) {
858
909
  VALUE encoded = ssl_encode_npn_protocols(val);
@@ -911,6 +962,18 @@ ossl_sslctx_setup(VALUE self)
911
962
  OSSL_Debug("SSL TLSEXT servername callback added");
912
963
  }
913
964
 
965
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
966
+ /*
967
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
968
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
969
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
970
+ */
971
+ if (RTEST(rb_attr_get(self, id_i_keylog_cb))) {
972
+ SSL_CTX_set_keylog_callback(ctx, ossl_sslctx_keylog_cb);
973
+ OSSL_Debug("SSL keylog callback added");
974
+ }
975
+ #endif
976
+
914
977
  return Qtrue;
915
978
  }
916
979
 
@@ -959,27 +1022,13 @@ ossl_sslctx_get_ciphers(VALUE self)
959
1022
  return ary;
960
1023
  }
961
1024
 
962
- /*
963
- * call-seq:
964
- * ctx.ciphers = "cipher1:cipher2:..."
965
- * ctx.ciphers = [name, ...]
966
- * ctx.ciphers = [[name, version, bits, alg_bits], ...]
967
- *
968
- * Sets the list of available cipher suites for this context. Note in a server
969
- * context some ciphers require the appropriate certificates. For example, an
970
- * RSA cipher suite can only be chosen when an RSA certificate is available.
971
- */
972
1025
  static VALUE
973
- ossl_sslctx_set_ciphers(VALUE self, VALUE v)
1026
+ build_cipher_string(VALUE v)
974
1027
  {
975
- SSL_CTX *ctx;
976
1028
  VALUE str, elem;
977
1029
  int i;
978
1030
 
979
- rb_check_frozen(self);
980
- if (NIL_P(v))
981
- return v;
982
- else if (RB_TYPE_P(v, T_ARRAY)) {
1031
+ if (RB_TYPE_P(v, T_ARRAY)) {
983
1032
  str = rb_str_new(0, 0);
984
1033
  for (i = 0; i < RARRAY_LEN(v); i++) {
985
1034
  elem = rb_ary_entry(v, i);
@@ -993,14 +1042,67 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
993
1042
  StringValue(str);
994
1043
  }
995
1044
 
1045
+ return str;
1046
+ }
1047
+
1048
+ /*
1049
+ * call-seq:
1050
+ * ctx.ciphers = "cipher1:cipher2:..."
1051
+ * ctx.ciphers = [name, ...]
1052
+ * ctx.ciphers = [[name, version, bits, alg_bits], ...]
1053
+ *
1054
+ * Sets the list of available cipher suites for this context. Note in a server
1055
+ * context some ciphers require the appropriate certificates. For example, an
1056
+ * RSA cipher suite can only be chosen when an RSA certificate is available.
1057
+ */
1058
+ static VALUE
1059
+ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
1060
+ {
1061
+ SSL_CTX *ctx;
1062
+ VALUE str;
1063
+
1064
+ rb_check_frozen(self);
1065
+ if (NIL_P(v))
1066
+ return v;
1067
+
1068
+ str = build_cipher_string(v);
1069
+
996
1070
  GetSSLCTX(self, ctx);
997
- if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str))) {
1071
+ if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
998
1072
  ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
999
- }
1000
1073
 
1001
1074
  return v;
1002
1075
  }
1003
1076
 
1077
+ #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
1078
+ /*
1079
+ * call-seq:
1080
+ * ctx.ciphersuites = "cipher1:cipher2:..."
1081
+ * ctx.ciphersuites = [name, ...]
1082
+ * ctx.ciphersuites = [[name, version, bits, alg_bits], ...]
1083
+ *
1084
+ * Sets the list of available TLSv1.3 cipher suites for this context.
1085
+ */
1086
+ static VALUE
1087
+ ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
1088
+ {
1089
+ SSL_CTX *ctx;
1090
+ VALUE str;
1091
+
1092
+ rb_check_frozen(self);
1093
+ if (NIL_P(v))
1094
+ return v;
1095
+
1096
+ str = build_cipher_string(v);
1097
+
1098
+ GetSSLCTX(self, ctx);
1099
+ if (!SSL_CTX_set_ciphersuites(ctx, StringValueCStr(str)))
1100
+ ossl_raise(eSSLError, "SSL_CTX_set_ciphersuites");
1101
+
1102
+ return v;
1103
+ }
1104
+ #endif
1105
+
1004
1106
  #ifndef OPENSSL_NO_DH
1005
1107
  /*
1006
1108
  * call-seq:
@@ -1439,7 +1541,6 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
1439
1541
  /*
1440
1542
  * SSLSocket class
1441
1543
  */
1442
- #ifndef OPENSSL_NO_SOCK
1443
1544
  static inline int
1444
1545
  ssl_started(SSL *ssl)
1445
1546
  {
@@ -1602,11 +1703,16 @@ no_exception_p(VALUE opts)
1602
1703
  return 0;
1603
1704
  }
1604
1705
 
1706
+ // Provided by Ruby 3.2.0 and later in order to support the default IO#timeout.
1707
+ #ifndef RUBY_IO_TIMEOUT_DEFAULT
1708
+ #define RUBY_IO_TIMEOUT_DEFAULT Qnil
1709
+ #endif
1710
+
1605
1711
  static void
1606
1712
  io_wait_writable(rb_io_t *fptr)
1607
1713
  {
1608
1714
  #ifdef HAVE_RB_IO_MAYBE_WAIT
1609
- rb_io_maybe_wait_writable(errno, fptr->self, Qnil);
1715
+ rb_io_maybe_wait_writable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
1610
1716
  #else
1611
1717
  rb_io_wait_writable(fptr->fd);
1612
1718
  #endif
@@ -1616,14 +1722,14 @@ static void
1616
1722
  io_wait_readable(rb_io_t *fptr)
1617
1723
  {
1618
1724
  #ifdef HAVE_RB_IO_MAYBE_WAIT
1619
- rb_io_maybe_wait_readable(errno, fptr->self, Qnil);
1725
+ rb_io_maybe_wait_readable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
1620
1726
  #else
1621
1727
  rb_io_wait_readable(fptr->fd);
1622
1728
  #endif
1623
1729
  }
1624
1730
 
1625
1731
  static VALUE
1626
- ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
1732
+ ossl_start_ssl(VALUE self, int (*func)(SSL *), const char *funcname, VALUE opts)
1627
1733
  {
1628
1734
  SSL *ssl;
1629
1735
  rb_io_t *fptr;
@@ -2342,7 +2448,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
2342
2448
  return ossl_x509name_sk2ary(ca);
2343
2449
  }
2344
2450
 
2345
- # ifndef OPENSSL_NO_NEXTPROTONEG
2451
+ # ifdef OSSL_USE_NEXTPROTONEG
2346
2452
  /*
2347
2453
  * call-seq:
2348
2454
  * ssl.npn_protocol => String | nil
@@ -2390,6 +2496,49 @@ ossl_ssl_alpn_protocol(VALUE self)
2390
2496
  return rb_str_new((const char *) out, outlen);
2391
2497
  }
2392
2498
 
2499
+ /*
2500
+ * call-seq:
2501
+ * session.export_keying_material(label, length) -> String
2502
+ *
2503
+ * Enables use of shared session key material in accordance with RFC 5705.
2504
+ */
2505
+ static VALUE
2506
+ ossl_ssl_export_keying_material(int argc, VALUE *argv, VALUE self)
2507
+ {
2508
+ SSL *ssl;
2509
+ VALUE str;
2510
+ VALUE label;
2511
+ VALUE length;
2512
+ VALUE context;
2513
+ unsigned char *p;
2514
+ size_t len;
2515
+ int use_ctx = 0;
2516
+ unsigned char *ctx = NULL;
2517
+ size_t ctx_len = 0;
2518
+ int ret;
2519
+
2520
+ rb_scan_args(argc, argv, "21", &label, &length, &context);
2521
+ StringValue(label);
2522
+
2523
+ GetSSL(self, ssl);
2524
+
2525
+ len = (size_t)NUM2LONG(length);
2526
+ str = rb_str_new(0, len);
2527
+ p = (unsigned char *)RSTRING_PTR(str);
2528
+ if (!NIL_P(context)) {
2529
+ use_ctx = 1;
2530
+ StringValue(context);
2531
+ ctx = (unsigned char *)RSTRING_PTR(context);
2532
+ ctx_len = RSTRING_LEN(context);
2533
+ }
2534
+ ret = SSL_export_keying_material(ssl, p, len, (char *)RSTRING_PTR(label),
2535
+ RSTRING_LENINT(label), ctx, ctx_len, use_ctx);
2536
+ if (ret == 0 || ret == -1) {
2537
+ ossl_raise(eSSLError, "SSL_export_keying_material");
2538
+ }
2539
+ return str;
2540
+ }
2541
+
2393
2542
  /*
2394
2543
  * call-seq:
2395
2544
  * ssl.tmp_key => PKey or nil
@@ -2419,6 +2568,7 @@ Init_ossl_ssl(void)
2419
2568
  rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
2420
2569
  #endif
2421
2570
 
2571
+ #ifndef OPENSSL_NO_SOCK
2422
2572
  id_call = rb_intern_const("call");
2423
2573
  ID_callback_state = rb_intern_const("callback_state");
2424
2574
 
@@ -2441,16 +2591,6 @@ Init_ossl_ssl(void)
2441
2591
  */
2442
2592
  mSSL = rb_define_module_under(mOSSL, "SSL");
2443
2593
 
2444
- /* Document-module: OpenSSL::ExtConfig
2445
- *
2446
- * This module contains configuration information about the SSL extension,
2447
- * for example if socket support is enabled, or the host name TLS extension
2448
- * is enabled. Constants in this module will always be defined, but contain
2449
- * +true+ or +false+ values depending on the configuration of your OpenSSL
2450
- * installation.
2451
- */
2452
- mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig");
2453
-
2454
2594
  /* Document-class: OpenSSL::SSL::SSLError
2455
2595
  *
2456
2596
  * Generic error class raised by SSLSocket and SSLContext.
@@ -2613,8 +2753,6 @@ Init_ossl_ssl(void)
2613
2753
  */
2614
2754
  rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
2615
2755
 
2616
- rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
2617
-
2618
2756
  /*
2619
2757
  * A callback invoked whenever a new handshake is initiated on an
2620
2758
  * established connection. May be used to disable renegotiation entirely.
@@ -2635,7 +2773,7 @@ Init_ossl_ssl(void)
2635
2773
  * end
2636
2774
  */
2637
2775
  rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
2638
- #ifndef OPENSSL_NO_NEXTPROTONEG
2776
+ #ifdef OSSL_USE_NEXTPROTONEG
2639
2777
  /*
2640
2778
  * An Enumerable of Strings. Each String represents a protocol to be
2641
2779
  * advertised as the list of supported protocols for Next Protocol
@@ -2697,12 +2835,38 @@ Init_ossl_ssl(void)
2697
2835
  */
2698
2836
  rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
2699
2837
 
2838
+ /*
2839
+ * A callback invoked when TLS key material is generated or received, in
2840
+ * order to allow applications to store this keying material for debugging
2841
+ * purposes.
2842
+ *
2843
+ * The callback is invoked with an SSLSocket and a string containing the
2844
+ * key material in the format used by NSS for its SSLKEYLOGFILE debugging
2845
+ * output.
2846
+ *
2847
+ * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
2848
+ * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
2849
+ * https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
2850
+ *
2851
+ * === Example
2852
+ *
2853
+ * context.keylog_cb = proc do |_sock, line|
2854
+ * File.open('ssl_keylog_file', "a") do |f|
2855
+ * f.write("#{line}\n")
2856
+ * end
2857
+ * end
2858
+ */
2859
+ rb_attr(cSSLContext, rb_intern_const("keylog_cb"), 1, 1, Qfalse);
2860
+
2700
2861
  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
2701
2862
  rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
2702
2863
  rb_define_private_method(cSSLContext, "set_minmax_proto_version",
2703
2864
  ossl_sslctx_set_minmax_proto_version, 2);
2704
2865
  rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
2705
2866
  rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
2867
+ #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
2868
+ rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
2869
+ #endif
2706
2870
  #ifndef OPENSSL_NO_DH
2707
2871
  rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
2708
2872
  #endif
@@ -2779,11 +2943,6 @@ Init_ossl_ssl(void)
2779
2943
  * Document-class: OpenSSL::SSL::SSLSocket
2780
2944
  */
2781
2945
  cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
2782
- #ifdef OPENSSL_NO_SOCK
2783
- rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue);
2784
- rb_define_method(cSSLSocket, "initialize", rb_f_notimplement, -1);
2785
- #else
2786
- rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
2787
2946
  rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
2788
2947
  rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
2789
2948
  rb_undef_method(cSSLSocket, "initialize_copy");
@@ -2814,10 +2973,10 @@ Init_ossl_ssl(void)
2814
2973
  rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
2815
2974
  rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
2816
2975
  rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
2817
- # ifndef OPENSSL_NO_NEXTPROTONEG
2976
+ rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
2977
+ # ifdef OSSL_USE_NEXTPROTONEG
2818
2978
  rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
2819
2979
  # endif
2820
- #endif
2821
2980
 
2822
2981
  rb_define_const(mSSL, "VERIFY_NONE", INT2NUM(SSL_VERIFY_NONE));
2823
2982
  rb_define_const(mSSL, "VERIFY_PEER", INT2NUM(SSL_VERIFY_PEER));
@@ -2974,8 +3133,10 @@ Init_ossl_ssl(void)
2974
3133
  DefIVarID(alpn_select_cb);
2975
3134
  DefIVarID(servername_cb);
2976
3135
  DefIVarID(verify_hostname);
3136
+ DefIVarID(keylog_cb);
2977
3137
 
2978
3138
  DefIVarID(io);
2979
3139
  DefIVarID(context);
2980
3140
  DefIVarID(hostname);
3141
+ #endif /* !defined(OPENSSL_NO_SOCK) */
2981
3142
  }
@@ -4,6 +4,7 @@
4
4
 
5
5
  #include "ossl.h"
6
6
 
7
+ #ifndef OPENSSL_NO_SOCK
7
8
  VALUE cSSLSession;
8
9
  static VALUE eSSLSession;
9
10
 
@@ -299,6 +300,7 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
299
300
  return ossl_membio2str(out);
300
301
  }
301
302
 
303
+ #endif /* !defined(OPENSSL_NO_SOCK) */
302
304
 
303
305
  void Init_ossl_ssl_session(void)
304
306
  {
@@ -307,6 +309,7 @@ void Init_ossl_ssl_session(void)
307
309
  mSSL = rb_define_module_under(mOSSL, "SSL");
308
310
  eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
309
311
  #endif
312
+ #ifndef OPENSSL_NO_SOCK
310
313
  cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
311
314
  eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
312
315
 
@@ -324,4 +327,5 @@ void Init_ossl_ssl_session(void)
324
327
  rb_define_method(cSSLSession, "to_der", ossl_ssl_session_to_der, 0);
325
328
  rb_define_method(cSSLSession, "to_pem", ossl_ssl_session_to_pem, 0);
326
329
  rb_define_method(cSSLSession, "to_text", ossl_ssl_session_to_text, 0);
330
+ #endif /* !defined(OPENSSL_NO_SOCK) */
327
331
  }
data/lib/openssl/pkey.rb CHANGED
@@ -363,7 +363,8 @@ module OpenSSL::PKey
363
363
  # rsa.private_encrypt(string, padding) -> String
364
364
  #
365
365
  # Encrypt +string+ with the private key. +padding+ defaults to
366
- # PKCS1_PADDING. The encrypted string output can be decrypted using
366
+ # PKCS1_PADDING, which is known to be insecure but is kept for backwards
367
+ # compatibility. The encrypted string output can be decrypted using
367
368
  # #public_decrypt.
368
369
  #
369
370
  # <b>Deprecated in version 3.0</b>.
@@ -386,7 +387,8 @@ module OpenSSL::PKey
386
387
  # rsa.public_decrypt(string, padding) -> String
387
388
  #
388
389
  # Decrypt +string+, which has been encrypted with the private key, with the
389
- # public key. +padding+ defaults to PKCS1_PADDING.
390
+ # public key. +padding+ defaults to PKCS1_PADDING which is known to be
391
+ # insecure but is kept for backwards compatibility.
390
392
  #
391
393
  # <b>Deprecated in version 3.0</b>.
392
394
  # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
@@ -407,7 +409,8 @@ module OpenSSL::PKey
407
409
  # rsa.public_encrypt(string, padding) -> String
408
410
  #
409
411
  # Encrypt +string+ with the public key. +padding+ defaults to
410
- # PKCS1_PADDING. The encrypted string output can be decrypted using
412
+ # PKCS1_PADDING, which is known to be insecure but is kept for backwards
413
+ # compatibility. The encrypted string output can be decrypted using
411
414
  # #private_decrypt.
412
415
  #
413
416
  # <b>Deprecated in version 3.0</b>.
@@ -428,7 +431,8 @@ module OpenSSL::PKey
428
431
  # rsa.private_decrypt(string, padding) -> String
429
432
  #
430
433
  # Decrypt +string+, which has been encrypted with the public key, with the
431
- # private key. +padding+ defaults to PKCS1_PADDING.
434
+ # private key. +padding+ defaults to PKCS1_PADDING, which is known to be
435
+ # insecure but is kept for backwards compatibility.
432
436
  #
433
437
  # <b>Deprecated in version 3.0</b>.
434
438
  # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
data/lib/openssl/ssl.rb CHANGED
@@ -11,6 +11,9 @@
11
11
  =end
12
12
 
13
13
  require "openssl/buffering"
14
+
15
+ if defined?(OpenSSL::SSL)
16
+
14
17
  require "io/nonblock"
15
18
  require "ipaddr"
16
19
  require "socket"
@@ -540,3 +543,5 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
540
543
  end
541
544
  end
542
545
  end
546
+
547
+ end
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OpenSSL
4
- VERSION = "3.0.3"
4
+ VERSION = "3.1.1"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.3
4
+ version: 3.1.1
5
5
  platform: ruby
6
6
  original_platform: ''
7
7
  authors: