openssl 3.0.3 → 3.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +1 -1
- data/History.md +42 -0
- data/ext/openssl/extconf.rb +54 -47
- data/ext/openssl/ossl.h +6 -0
- data/ext/openssl/ossl_asn1.c +11 -10
- data/ext/openssl/ossl_bn.c +24 -12
- data/ext/openssl/ossl_cipher.c +1 -2
- data/ext/openssl/ossl_kdf.c +3 -3
- data/ext/openssl/ossl_ocsp.c +2 -2
- data/ext/openssl/ossl_pkey.h +1 -1
- data/ext/openssl/ossl_pkey_dh.c +6 -6
- data/ext/openssl/ossl_pkey_dsa.c +7 -7
- data/ext/openssl/ossl_pkey_ec.c +8 -8
- data/ext/openssl/ossl_pkey_rsa.c +6 -6
- data/ext/openssl/ossl_ssl.c +211 -50
- data/ext/openssl/ossl_ssl_session.c +4 -0
- data/lib/openssl/pkey.rb +8 -4
- data/lib/openssl/ssl.rb +5 -0
- data/lib/openssl/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 65d16dc88820644059bc2773d3f9ea9511324aa07822a31b2bdf1dfd2306224f
|
4
|
+
data.tar.gz: bbd4cdeec2d76994294061804456942b9528d86352375b8d2c4dfea171287ec5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3b7477f09b389f6ed8ffc24c5adb43cfe9a19ba2ee6293adc5e1d08199ea3a9365c4006705c4a4c2935e251e6e720af699786f0eda6cebc7fa2ec9826eb1dbcb
|
7
|
+
data.tar.gz: 765705e0e698d843b3a2809e957542c76dc414208a762ad58fdfdb6ed9f6400c39c797b0cdc7ad6173fd1d12b4b7c16a448e0a0445fec4efbf190a27318e4340
|
data/CONTRIBUTING.md
CHANGED
@@ -17,7 +17,7 @@ When reporting a bug, please make sure you include:
|
|
17
17
|
* Ruby version (`ruby -v`)
|
18
18
|
* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
|
19
19
|
* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
|
20
|
-
* A sample file that illustrates the problem or link to the repository or
|
20
|
+
* A sample file that illustrates the problem or link to the repository or
|
21
21
|
gem that is associated with the bug.
|
22
22
|
|
23
23
|
There are a number of unresolved issues and feature requests for openssl that
|
data/History.md
CHANGED
@@ -1,3 +1,45 @@
|
|
1
|
+
Version 3.1.1
|
2
|
+
=============
|
3
|
+
|
4
|
+
Merged changes in 3.0.3.
|
5
|
+
|
6
|
+
|
7
|
+
Version 3.1.0
|
8
|
+
=============
|
9
|
+
|
10
|
+
Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
|
11
|
+
|
12
|
+
Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
|
13
|
+
|
14
|
+
Notable changes
|
15
|
+
---------------
|
16
|
+
|
17
|
+
* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
|
18
|
+
suites.
|
19
|
+
[[GitHub #493]](https://github.com/ruby/openssl/pull/493)
|
20
|
+
* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
|
21
|
+
material of the session, as defined in RFC 5705.
|
22
|
+
[[GitHub #530]](https://github.com/ruby/openssl/pull/530)
|
23
|
+
* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
|
24
|
+
callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
|
25
|
+
[[GitHub #536]](https://github.com/ruby/openssl/pull/536)
|
26
|
+
* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
|
27
|
+
and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
|
28
|
+
methods used to be equivalent of specifying SHA-1. This default value is now
|
29
|
+
removed and we will let the underlying OpenSSL library decide instead.
|
30
|
+
[[GitHub #507]](https://github.com/ruby/openssl/pull/507)
|
31
|
+
* Add `OpenSSL::BN#mod_sqrt`.
|
32
|
+
[[GitHub #553]](https://github.com/ruby/openssl/pull/553)
|
33
|
+
* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
|
34
|
+
prohibited to workaround an ancient bug in OpenSSL.
|
35
|
+
[[GitHub #568]](https://github.com/ruby/openssl/pull/568)
|
36
|
+
* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
|
37
|
+
will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
|
38
|
+
[[GitHub #558]](https://github.com/ruby/openssl/pull/558)
|
39
|
+
* Improve support for recent LibreSSL versions. This includes HKDF support in
|
40
|
+
LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
|
41
|
+
|
42
|
+
|
1
43
|
Version 3.0.3
|
2
44
|
=============
|
3
45
|
|
data/ext/openssl/extconf.rb
CHANGED
@@ -25,8 +25,9 @@ Logging::message "=== OpenSSL for Ruby configurator ===\n"
|
|
25
25
|
if with_config("debug") or enable_config("debug")
|
26
26
|
$defs.push("-DOSSL_DEBUG")
|
27
27
|
end
|
28
|
+
$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
|
28
29
|
|
29
|
-
have_func("rb_io_maybe_wait") # Ruby 3.1
|
30
|
+
have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
|
30
31
|
|
31
32
|
Logging::message "=== Checking for system dependent stuff... ===\n"
|
32
33
|
have_library("nsl", "t_open")
|
@@ -120,8 +121,13 @@ if is_libressl && ($mswin || $mingw)
|
|
120
121
|
end
|
121
122
|
|
122
123
|
Logging::message "=== Checking for OpenSSL features... ===\n"
|
124
|
+
evp_h = "openssl/evp.h".freeze
|
125
|
+
x509_h = "openssl/x509.h".freeze
|
126
|
+
ts_h = "openssl/ts.h".freeze
|
127
|
+
ssl_h = "openssl/ssl.h".freeze
|
128
|
+
|
123
129
|
# compile options
|
124
|
-
have_func("RAND_egd")
|
130
|
+
have_func("RAND_egd()", "openssl/rand.h")
|
125
131
|
engines = %w{dynamic 4758cca aep atalla chil
|
126
132
|
cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
|
127
133
|
engines.each { |name|
|
@@ -132,55 +138,56 @@ engines.each { |name|
|
|
132
138
|
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
|
133
139
|
$defs.push("-DHAVE_OPAQUE_OPENSSL")
|
134
140
|
end
|
135
|
-
have_func("EVP_MD_CTX_new")
|
136
|
-
have_func("EVP_MD_CTX_free")
|
137
|
-
have_func("EVP_MD_CTX_pkey_ctx")
|
138
|
-
have_func("X509_STORE_get_ex_data")
|
139
|
-
have_func("X509_STORE_set_ex_data")
|
140
|
-
have_func("X509_STORE_get_ex_new_index")
|
141
|
-
have_func("X509_CRL_get0_signature")
|
142
|
-
have_func("X509_REQ_get0_signature")
|
143
|
-
have_func("X509_REVOKED_get0_serialNumber")
|
144
|
-
have_func("X509_REVOKED_get0_revocationDate")
|
145
|
-
have_func("X509_get0_tbs_sigalg")
|
146
|
-
have_func("X509_STORE_CTX_get0_untrusted")
|
147
|
-
have_func("X509_STORE_CTX_get0_cert")
|
148
|
-
have_func("X509_STORE_CTX_get0_chain")
|
149
|
-
have_func("OCSP_SINGLERESP_get0_id")
|
150
|
-
have_func("SSL_CTX_get_ciphers")
|
151
|
-
have_func("X509_up_ref")
|
152
|
-
have_func("X509_CRL_up_ref")
|
153
|
-
have_func("X509_STORE_up_ref")
|
154
|
-
have_func("SSL_SESSION_up_ref")
|
155
|
-
have_func("EVP_PKEY_up_ref")
|
156
|
-
have_func("SSL_CTX_set_min_proto_version(NULL, 0)",
|
157
|
-
have_func("SSL_CTX_get_security_level")
|
158
|
-
have_func("X509_get0_notBefore")
|
159
|
-
have_func("SSL_SESSION_get_protocol_version")
|
160
|
-
have_func("TS_STATUS_INFO_get0_status")
|
161
|
-
have_func("TS_STATUS_INFO_get0_text")
|
162
|
-
have_func("TS_STATUS_INFO_get0_failure_info")
|
163
|
-
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)",
|
164
|
-
have_func("TS_VERIFY_CTX_set_store")
|
165
|
-
have_func("TS_VERIFY_CTX_add_flags")
|
166
|
-
have_func("TS_RESP_CTX_set_time_cb")
|
167
|
-
have_func("EVP_PBE_scrypt")
|
168
|
-
have_func("SSL_CTX_set_post_handshake_auth")
|
141
|
+
have_func("EVP_MD_CTX_new()", evp_h)
|
142
|
+
have_func("EVP_MD_CTX_free(NULL)", evp_h)
|
143
|
+
have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
|
144
|
+
have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
|
145
|
+
have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
|
146
|
+
have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
|
147
|
+
have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
|
148
|
+
have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
|
149
|
+
have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
|
150
|
+
have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
|
151
|
+
have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
|
152
|
+
have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
|
153
|
+
have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
|
154
|
+
have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
|
155
|
+
have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
|
156
|
+
have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
|
157
|
+
have_func("X509_up_ref(NULL)", x509_h)
|
158
|
+
have_func("X509_CRL_up_ref(NULL)", x509_h)
|
159
|
+
have_func("X509_STORE_up_ref(NULL)", x509_h)
|
160
|
+
have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
|
161
|
+
have_func("EVP_PKEY_up_ref(NULL)", evp_h)
|
162
|
+
have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
|
163
|
+
have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
|
164
|
+
have_func("X509_get0_notBefore(NULL)", x509_h)
|
165
|
+
have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
|
166
|
+
have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
|
167
|
+
have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
|
168
|
+
have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
|
169
|
+
have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
|
170
|
+
have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
|
171
|
+
have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
|
172
|
+
have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
|
173
|
+
have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
|
174
|
+
have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
|
169
175
|
|
170
176
|
# added in 1.1.1
|
171
|
-
have_func("EVP_PKEY_check")
|
172
|
-
have_func("EVP_PKEY_new_raw_private_key")
|
177
|
+
have_func("EVP_PKEY_check(NULL)", evp_h)
|
178
|
+
have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
|
179
|
+
have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
|
173
180
|
|
174
181
|
# added in 3.0.0
|
175
|
-
have_func("SSL_set0_tmp_dh_pkey")
|
176
|
-
have_func("ERR_get_error_all")
|
177
|
-
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)",
|
178
|
-
have_func("SSL_CTX_load_verify_file")
|
179
|
-
have_func("BN_check_prime")
|
180
|
-
have_func("EVP_MD_CTX_get0_md")
|
181
|
-
have_func("EVP_MD_CTX_get_pkey_ctx")
|
182
|
-
have_func("EVP_PKEY_eq")
|
183
|
-
have_func("EVP_PKEY_dup")
|
182
|
+
have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
|
183
|
+
have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
|
184
|
+
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
|
185
|
+
have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
|
186
|
+
have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
|
187
|
+
have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
|
188
|
+
have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
|
189
|
+
have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
|
190
|
+
have_func("EVP_PKEY_dup(NULL)", evp_h)
|
184
191
|
|
185
192
|
Logging::message "=== Checking done. ===\n"
|
186
193
|
|
data/ext/openssl/ossl.h
CHANGED
@@ -52,6 +52,12 @@
|
|
52
52
|
(LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
|
53
53
|
#endif
|
54
54
|
|
55
|
+
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
56
|
+
# define OSSL_3_const const
|
57
|
+
#else
|
58
|
+
# define OSSL_3_const /* const */
|
59
|
+
#endif
|
60
|
+
|
55
61
|
#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
56
62
|
# define OSSL_USE_ENGINE
|
57
63
|
#endif
|
data/ext/openssl/ossl_asn1.c
CHANGED
@@ -509,7 +509,8 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
509
509
|
ASN1_TYPE *ret;
|
510
510
|
VALUE value, rflag;
|
511
511
|
void *ptr;
|
512
|
-
void (*
|
512
|
+
typedef void free_func_type(void *);
|
513
|
+
free_func_type *free_func;
|
513
514
|
int tag;
|
514
515
|
|
515
516
|
tag = ossl_asn1_default_tag(obj);
|
@@ -522,16 +523,16 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
522
523
|
case V_ASN1_INTEGER: /* FALLTHROUGH */
|
523
524
|
case V_ASN1_ENUMERATED:
|
524
525
|
ptr = obj_to_asn1int(value);
|
525
|
-
free_func = ASN1_INTEGER_free;
|
526
|
+
free_func = (free_func_type *)ASN1_INTEGER_free;
|
526
527
|
break;
|
527
528
|
case V_ASN1_BIT_STRING:
|
528
529
|
rflag = rb_attr_get(obj, sivUNUSED_BITS);
|
529
530
|
ptr = obj_to_asn1bstr(value, NUM2INT(rflag));
|
530
|
-
free_func = ASN1_BIT_STRING_free;
|
531
|
+
free_func = (free_func_type *)ASN1_BIT_STRING_free;
|
531
532
|
break;
|
532
533
|
case V_ASN1_NULL:
|
533
534
|
ptr = obj_to_asn1null(value);
|
534
|
-
free_func = ASN1_NULL_free;
|
535
|
+
free_func = (free_func_type *)ASN1_NULL_free;
|
535
536
|
break;
|
536
537
|
case V_ASN1_OCTET_STRING: /* FALLTHROUGH */
|
537
538
|
case V_ASN1_UTF8STRING: /* FALLTHROUGH */
|
@@ -546,24 +547,24 @@ ossl_asn1_get_asn1type(VALUE obj)
|
|
546
547
|
case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
|
547
548
|
case V_ASN1_BMPSTRING:
|
548
549
|
ptr = obj_to_asn1str(value);
|
549
|
-
free_func = ASN1_STRING_free;
|
550
|
+
free_func = (free_func_type *)ASN1_STRING_free;
|
550
551
|
break;
|
551
552
|
case V_ASN1_OBJECT:
|
552
553
|
ptr = obj_to_asn1obj(value);
|
553
|
-
free_func = ASN1_OBJECT_free;
|
554
|
+
free_func = (free_func_type *)ASN1_OBJECT_free;
|
554
555
|
break;
|
555
556
|
case V_ASN1_UTCTIME:
|
556
557
|
ptr = obj_to_asn1utime(value);
|
557
|
-
free_func = ASN1_TIME_free;
|
558
|
+
free_func = (free_func_type *)ASN1_TIME_free;
|
558
559
|
break;
|
559
560
|
case V_ASN1_GENERALIZEDTIME:
|
560
561
|
ptr = obj_to_asn1gtime(value);
|
561
|
-
free_func = ASN1_TIME_free;
|
562
|
+
free_func = (free_func_type *)ASN1_TIME_free;
|
562
563
|
break;
|
563
564
|
case V_ASN1_SET: /* FALLTHROUGH */
|
564
565
|
case V_ASN1_SEQUENCE:
|
565
566
|
ptr = obj_to_asn1derstr(obj);
|
566
|
-
free_func = ASN1_STRING_free;
|
567
|
+
free_func = (free_func_type *)ASN1_STRING_free;
|
567
568
|
break;
|
568
569
|
default:
|
569
570
|
ossl_raise(eASN1Error, "unsupported ASN.1 type");
|
@@ -1517,7 +1518,7 @@ Init_ossl_asn1(void)
|
|
1517
1518
|
*
|
1518
1519
|
* An Array that stores the name of a given tag number. These names are
|
1519
1520
|
* the same as the name of the tag constant that is additionally defined,
|
1520
|
-
* e.g.
|
1521
|
+
* e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
|
1521
1522
|
*
|
1522
1523
|
* == Example usage
|
1523
1524
|
*
|
data/ext/openssl/ossl_bn.c
CHANGED
@@ -577,22 +577,33 @@ BIGNUM_2c(gcd)
|
|
577
577
|
*/
|
578
578
|
BIGNUM_2c(mod_sqr)
|
579
579
|
|
580
|
+
#define BIGNUM_2cr(func) \
|
581
|
+
static VALUE \
|
582
|
+
ossl_bn_##func(VALUE self, VALUE other) \
|
583
|
+
{ \
|
584
|
+
BIGNUM *bn1, *bn2 = GetBNPtr(other), *result; \
|
585
|
+
VALUE obj; \
|
586
|
+
GetBN(self, bn1); \
|
587
|
+
obj = NewBN(rb_obj_class(self)); \
|
588
|
+
if (!(result = BN_##func(NULL, bn1, bn2, ossl_bn_ctx))) \
|
589
|
+
ossl_raise(eBNError, NULL); \
|
590
|
+
SetBN(obj, result); \
|
591
|
+
return obj; \
|
592
|
+
}
|
593
|
+
|
580
594
|
/*
|
595
|
+
* Document-method: OpenSSL::BN#mod_sqrt
|
596
|
+
* call-seq:
|
597
|
+
* bn.mod_sqrt(bn2) => aBN
|
598
|
+
*/
|
599
|
+
BIGNUM_2cr(mod_sqrt)
|
600
|
+
|
601
|
+
/*
|
602
|
+
* Document-method: OpenSSL::BN#mod_inverse
|
581
603
|
* call-seq:
|
582
604
|
* bn.mod_inverse(bn2) => aBN
|
583
605
|
*/
|
584
|
-
|
585
|
-
ossl_bn_mod_inverse(VALUE self, VALUE other)
|
586
|
-
{
|
587
|
-
BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
|
588
|
-
VALUE obj;
|
589
|
-
GetBN(self, bn1);
|
590
|
-
obj = NewBN(rb_obj_class(self));
|
591
|
-
if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
|
592
|
-
ossl_raise(eBNError, "BN_mod_inverse");
|
593
|
-
SetBN(obj, result);
|
594
|
-
return obj;
|
595
|
-
}
|
606
|
+
BIGNUM_2cr(mod_inverse)
|
596
607
|
|
597
608
|
/*
|
598
609
|
* call-seq:
|
@@ -1234,6 +1245,7 @@ Init_ossl_bn(void)
|
|
1234
1245
|
rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);
|
1235
1246
|
rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);
|
1236
1247
|
rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);
|
1248
|
+
rb_define_method(cBN, "mod_sqrt", ossl_bn_mod_sqrt, 1);
|
1237
1249
|
rb_define_method(cBN, "**", ossl_bn_exp, 1);
|
1238
1250
|
rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);
|
1239
1251
|
rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);
|
data/ext/openssl/ossl_cipher.c
CHANGED
@@ -384,8 +384,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
|
|
384
384
|
|
385
385
|
StringValue(data);
|
386
386
|
in = (unsigned char *)RSTRING_PTR(data);
|
387
|
-
|
388
|
-
ossl_raise(rb_eArgError, "data must not be empty");
|
387
|
+
in_len = RSTRING_LEN(data);
|
389
388
|
GetCipher(self, ctx);
|
390
389
|
|
391
390
|
/*
|
data/ext/openssl/ossl_kdf.c
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
* Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
|
4
4
|
*/
|
5
5
|
#include "ossl.h"
|
6
|
-
#if
|
6
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
7
7
|
# include <openssl/kdf.h>
|
8
8
|
#endif
|
9
9
|
|
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
|
|
141
141
|
}
|
142
142
|
#endif
|
143
143
|
|
144
|
-
#if
|
144
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
145
145
|
/*
|
146
146
|
* call-seq:
|
147
147
|
* KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
|
@@ -305,7 +305,7 @@ Init_ossl_kdf(void)
|
|
305
305
|
#if defined(HAVE_EVP_PBE_SCRYPT)
|
306
306
|
rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
|
307
307
|
#endif
|
308
|
-
#if
|
308
|
+
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
|
309
309
|
rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
|
310
310
|
#endif
|
311
311
|
}
|
data/ext/openssl/ossl_ocsp.c
CHANGED
@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
|
|
382
382
|
if (!NIL_P(flags))
|
383
383
|
flg = NUM2INT(flags);
|
384
384
|
if (NIL_P(digest))
|
385
|
-
md =
|
385
|
+
md = NULL;
|
386
386
|
else
|
387
387
|
md = ossl_evp_get_digestbyname(digest);
|
388
388
|
if (NIL_P(certs))
|
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
|
|
1033
1033
|
if (!NIL_P(flags))
|
1034
1034
|
flg = NUM2INT(flags);
|
1035
1035
|
if (NIL_P(digest))
|
1036
|
-
md =
|
1036
|
+
md = NULL;
|
1037
1037
|
else
|
1038
1038
|
md = ossl_evp_get_digestbyname(digest);
|
1039
1039
|
if (NIL_P(certs))
|
data/ext/openssl/ossl_pkey.h
CHANGED
data/ext/openssl/ossl_pkey_dh.c
CHANGED
@@ -178,7 +178,7 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
|
|
178
178
|
static VALUE
|
179
179
|
ossl_dh_is_public(VALUE self)
|
180
180
|
{
|
181
|
-
DH *dh;
|
181
|
+
OSSL_3_const DH *dh;
|
182
182
|
const BIGNUM *bn;
|
183
183
|
|
184
184
|
GetDH(self, dh);
|
@@ -197,14 +197,14 @@ ossl_dh_is_public(VALUE self)
|
|
197
197
|
static VALUE
|
198
198
|
ossl_dh_is_private(VALUE self)
|
199
199
|
{
|
200
|
-
DH *dh;
|
200
|
+
OSSL_3_const DH *dh;
|
201
201
|
const BIGNUM *bn;
|
202
202
|
|
203
203
|
GetDH(self, dh);
|
204
204
|
DH_get0_key(dh, NULL, &bn);
|
205
205
|
|
206
206
|
#if !defined(OPENSSL_NO_ENGINE)
|
207
|
-
return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
|
207
|
+
return (bn || DH_get0_engine((DH *)dh)) ? Qtrue : Qfalse;
|
208
208
|
#else
|
209
209
|
return bn ? Qtrue : Qfalse;
|
210
210
|
#endif
|
@@ -223,7 +223,7 @@ ossl_dh_is_private(VALUE self)
|
|
223
223
|
static VALUE
|
224
224
|
ossl_dh_export(VALUE self)
|
225
225
|
{
|
226
|
-
DH *dh;
|
226
|
+
OSSL_3_const DH *dh;
|
227
227
|
BIO *out;
|
228
228
|
VALUE str;
|
229
229
|
|
@@ -252,7 +252,7 @@ ossl_dh_export(VALUE self)
|
|
252
252
|
static VALUE
|
253
253
|
ossl_dh_to_der(VALUE self)
|
254
254
|
{
|
255
|
-
DH *dh;
|
255
|
+
OSSL_3_const DH *dh;
|
256
256
|
unsigned char *p;
|
257
257
|
long len;
|
258
258
|
VALUE str;
|
@@ -280,7 +280,7 @@ ossl_dh_to_der(VALUE self)
|
|
280
280
|
static VALUE
|
281
281
|
ossl_dh_get_params(VALUE self)
|
282
282
|
{
|
283
|
-
DH *dh;
|
283
|
+
OSSL_3_const DH *dh;
|
284
284
|
VALUE hash;
|
285
285
|
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
|
286
286
|
|
data/ext/openssl/ossl_pkey_dsa.c
CHANGED
@@ -24,7 +24,7 @@
|
|
24
24
|
} while (0)
|
25
25
|
|
26
26
|
static inline int
|
27
|
-
DSA_HAS_PRIVATE(DSA *dsa)
|
27
|
+
DSA_HAS_PRIVATE(OSSL_3_const DSA *dsa)
|
28
28
|
{
|
29
29
|
const BIGNUM *bn;
|
30
30
|
DSA_get0_key(dsa, NULL, &bn);
|
@@ -32,7 +32,7 @@ DSA_HAS_PRIVATE(DSA *dsa)
|
|
32
32
|
}
|
33
33
|
|
34
34
|
static inline int
|
35
|
-
DSA_PRIVATE(VALUE obj, DSA *dsa)
|
35
|
+
DSA_PRIVATE(VALUE obj, OSSL_3_const DSA *dsa)
|
36
36
|
{
|
37
37
|
return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
|
38
38
|
}
|
@@ -179,7 +179,7 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
|
|
179
179
|
static VALUE
|
180
180
|
ossl_dsa_is_public(VALUE self)
|
181
181
|
{
|
182
|
-
DSA *dsa;
|
182
|
+
const DSA *dsa;
|
183
183
|
const BIGNUM *bn;
|
184
184
|
|
185
185
|
GetDSA(self, dsa);
|
@@ -198,7 +198,7 @@ ossl_dsa_is_public(VALUE self)
|
|
198
198
|
static VALUE
|
199
199
|
ossl_dsa_is_private(VALUE self)
|
200
200
|
{
|
201
|
-
DSA *dsa;
|
201
|
+
OSSL_3_const DSA *dsa;
|
202
202
|
|
203
203
|
GetDSA(self, dsa);
|
204
204
|
|
@@ -225,7 +225,7 @@ ossl_dsa_is_private(VALUE self)
|
|
225
225
|
static VALUE
|
226
226
|
ossl_dsa_export(int argc, VALUE *argv, VALUE self)
|
227
227
|
{
|
228
|
-
DSA *dsa;
|
228
|
+
OSSL_3_const DSA *dsa;
|
229
229
|
|
230
230
|
GetDSA(self, dsa);
|
231
231
|
if (DSA_HAS_PRIVATE(dsa))
|
@@ -244,7 +244,7 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
|
|
244
244
|
static VALUE
|
245
245
|
ossl_dsa_to_der(VALUE self)
|
246
246
|
{
|
247
|
-
DSA *dsa;
|
247
|
+
OSSL_3_const DSA *dsa;
|
248
248
|
|
249
249
|
GetDSA(self, dsa);
|
250
250
|
if (DSA_HAS_PRIVATE(dsa))
|
@@ -265,7 +265,7 @@ ossl_dsa_to_der(VALUE self)
|
|
265
265
|
static VALUE
|
266
266
|
ossl_dsa_get_params(VALUE self)
|
267
267
|
{
|
268
|
-
DSA *dsa;
|
268
|
+
OSSL_3_const DSA *dsa;
|
269
269
|
VALUE hash;
|
270
270
|
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
|
271
271
|
|
data/ext/openssl/ossl_pkey_ec.c
CHANGED
@@ -227,7 +227,7 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
|
|
227
227
|
static VALUE
|
228
228
|
ossl_ec_key_get_group(VALUE self)
|
229
229
|
{
|
230
|
-
EC_KEY *ec;
|
230
|
+
OSSL_3_const EC_KEY *ec;
|
231
231
|
const EC_GROUP *group;
|
232
232
|
|
233
233
|
GetEC(self, ec);
|
@@ -272,7 +272,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
|
|
272
272
|
*/
|
273
273
|
static VALUE ossl_ec_key_get_private_key(VALUE self)
|
274
274
|
{
|
275
|
-
EC_KEY *ec;
|
275
|
+
OSSL_3_const EC_KEY *ec;
|
276
276
|
const BIGNUM *bn;
|
277
277
|
|
278
278
|
GetEC(self, ec);
|
@@ -323,7 +323,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
|
|
323
323
|
*/
|
324
324
|
static VALUE ossl_ec_key_get_public_key(VALUE self)
|
325
325
|
{
|
326
|
-
EC_KEY *ec;
|
326
|
+
OSSL_3_const EC_KEY *ec;
|
327
327
|
const EC_POINT *point;
|
328
328
|
|
329
329
|
GetEC(self, ec);
|
@@ -375,7 +375,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
|
|
375
375
|
*/
|
376
376
|
static VALUE ossl_ec_key_is_public(VALUE self)
|
377
377
|
{
|
378
|
-
EC_KEY *ec;
|
378
|
+
OSSL_3_const EC_KEY *ec;
|
379
379
|
|
380
380
|
GetEC(self, ec);
|
381
381
|
|
@@ -391,7 +391,7 @@ static VALUE ossl_ec_key_is_public(VALUE self)
|
|
391
391
|
*/
|
392
392
|
static VALUE ossl_ec_key_is_private(VALUE self)
|
393
393
|
{
|
394
|
-
EC_KEY *ec;
|
394
|
+
OSSL_3_const EC_KEY *ec;
|
395
395
|
|
396
396
|
GetEC(self, ec);
|
397
397
|
|
@@ -411,7 +411,7 @@ static VALUE ossl_ec_key_is_private(VALUE self)
|
|
411
411
|
static VALUE
|
412
412
|
ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
|
413
413
|
{
|
414
|
-
EC_KEY *ec;
|
414
|
+
OSSL_3_const EC_KEY *ec;
|
415
415
|
|
416
416
|
GetEC(self, ec);
|
417
417
|
if (EC_KEY_get0_public_key(ec) == NULL)
|
@@ -431,7 +431,7 @@ ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
|
|
431
431
|
static VALUE
|
432
432
|
ossl_ec_key_to_der(VALUE self)
|
433
433
|
{
|
434
|
-
EC_KEY *ec;
|
434
|
+
OSSL_3_const EC_KEY *ec;
|
435
435
|
|
436
436
|
GetEC(self, ec);
|
437
437
|
if (EC_KEY_get0_public_key(ec) == NULL)
|
@@ -483,7 +483,7 @@ static VALUE ossl_ec_key_check_key(VALUE self)
|
|
483
483
|
#ifdef HAVE_EVP_PKEY_CHECK
|
484
484
|
EVP_PKEY *pkey;
|
485
485
|
EVP_PKEY_CTX *pctx;
|
486
|
-
EC_KEY *ec;
|
486
|
+
const EC_KEY *ec;
|
487
487
|
|
488
488
|
GetPKey(self, pkey);
|
489
489
|
GetEC(self, ec);
|
data/ext/openssl/ossl_pkey_rsa.c
CHANGED
@@ -24,7 +24,7 @@
|
|
24
24
|
} while (0)
|
25
25
|
|
26
26
|
static inline int
|
27
|
-
RSA_HAS_PRIVATE(RSA *rsa)
|
27
|
+
RSA_HAS_PRIVATE(OSSL_3_const RSA *rsa)
|
28
28
|
{
|
29
29
|
const BIGNUM *e, *d;
|
30
30
|
|
@@ -33,7 +33,7 @@ RSA_HAS_PRIVATE(RSA *rsa)
|
|
33
33
|
}
|
34
34
|
|
35
35
|
static inline int
|
36
|
-
RSA_PRIVATE(VALUE obj, RSA *rsa)
|
36
|
+
RSA_PRIVATE(VALUE obj, OSSL_3_const RSA *rsa)
|
37
37
|
{
|
38
38
|
return RSA_HAS_PRIVATE(rsa) || OSSL_PKEY_IS_PRIVATE(obj);
|
39
39
|
}
|
@@ -174,7 +174,7 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
|
|
174
174
|
static VALUE
|
175
175
|
ossl_rsa_is_public(VALUE self)
|
176
176
|
{
|
177
|
-
RSA *rsa;
|
177
|
+
OSSL_3_const RSA *rsa;
|
178
178
|
|
179
179
|
GetRSA(self, rsa);
|
180
180
|
/*
|
@@ -193,7 +193,7 @@ ossl_rsa_is_public(VALUE self)
|
|
193
193
|
static VALUE
|
194
194
|
ossl_rsa_is_private(VALUE self)
|
195
195
|
{
|
196
|
-
RSA *rsa;
|
196
|
+
OSSL_3_const RSA *rsa;
|
197
197
|
|
198
198
|
GetRSA(self, rsa);
|
199
199
|
|
@@ -203,7 +203,7 @@ ossl_rsa_is_private(VALUE self)
|
|
203
203
|
static int
|
204
204
|
can_export_rsaprivatekey(VALUE self)
|
205
205
|
{
|
206
|
-
RSA *rsa;
|
206
|
+
OSSL_3_const RSA *rsa;
|
207
207
|
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
|
208
208
|
|
209
209
|
GetRSA(self, rsa);
|
@@ -453,7 +453,7 @@ ossl_rsa_verify_pss(int argc, VALUE *argv, VALUE self)
|
|
453
453
|
static VALUE
|
454
454
|
ossl_rsa_get_params(VALUE self)
|
455
455
|
{
|
456
|
-
RSA *rsa;
|
456
|
+
OSSL_3_const RSA *rsa;
|
457
457
|
VALUE hash;
|
458
458
|
const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
|
459
459
|
|
data/ext/openssl/ossl_ssl.c
CHANGED
@@ -11,11 +11,15 @@
|
|
11
11
|
*/
|
12
12
|
#include "ossl.h"
|
13
13
|
|
14
|
+
#ifndef OPENSSL_NO_SOCK
|
14
15
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
15
16
|
|
17
|
+
#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL
|
18
|
+
# define OSSL_USE_NEXTPROTONEG
|
19
|
+
#endif
|
20
|
+
|
16
21
|
#if !defined(TLS1_3_VERSION) && \
|
17
|
-
|
18
|
-
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
22
|
+
OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
19
23
|
# define TLS1_3_VERSION 0x0304
|
20
24
|
#endif
|
21
25
|
|
@@ -30,7 +34,6 @@
|
|
30
34
|
} while (0)
|
31
35
|
|
32
36
|
VALUE mSSL;
|
33
|
-
static VALUE mSSLExtConfig;
|
34
37
|
static VALUE eSSLError;
|
35
38
|
VALUE cSSLContext;
|
36
39
|
VALUE cSSLSocket;
|
@@ -49,7 +52,7 @@ static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
|
49
52
|
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
50
53
|
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
51
54
|
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
52
|
-
id_i_verify_hostname;
|
55
|
+
id_i_verify_hostname, id_i_keylog_cb;
|
53
56
|
static ID id_i_io, id_i_context, id_i_hostname;
|
54
57
|
|
55
58
|
static int ossl_ssl_ex_vcb_idx;
|
@@ -291,7 +294,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
291
294
|
if (!pkey)
|
292
295
|
return NULL;
|
293
296
|
|
294
|
-
return EVP_PKEY_get0_DH(pkey);
|
297
|
+
return (DH *)EVP_PKEY_get0_DH(pkey);
|
295
298
|
}
|
296
299
|
#endif /* OPENSSL_NO_DH */
|
297
300
|
|
@@ -441,6 +444,54 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
|
|
441
444
|
return 0;
|
442
445
|
}
|
443
446
|
|
447
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
448
|
+
/*
|
449
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
450
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
451
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
452
|
+
*/
|
453
|
+
|
454
|
+
struct ossl_call_keylog_cb_args {
|
455
|
+
VALUE ssl_obj;
|
456
|
+
const char * line;
|
457
|
+
};
|
458
|
+
|
459
|
+
static VALUE
|
460
|
+
ossl_call_keylog_cb(VALUE args_v)
|
461
|
+
{
|
462
|
+
VALUE sslctx_obj, cb, line_v;
|
463
|
+
struct ossl_call_keylog_cb_args *args = (struct ossl_call_keylog_cb_args *) args_v;
|
464
|
+
|
465
|
+
sslctx_obj = rb_attr_get(args->ssl_obj, id_i_context);
|
466
|
+
|
467
|
+
cb = rb_attr_get(sslctx_obj, id_i_keylog_cb);
|
468
|
+
if (NIL_P(cb)) return Qnil;
|
469
|
+
|
470
|
+
line_v = rb_str_new_cstr(args->line);
|
471
|
+
|
472
|
+
return rb_funcall(cb, id_call, 2, args->ssl_obj, line_v);
|
473
|
+
}
|
474
|
+
|
475
|
+
static void
|
476
|
+
ossl_sslctx_keylog_cb(const SSL *ssl, const char *line)
|
477
|
+
{
|
478
|
+
VALUE ssl_obj;
|
479
|
+
struct ossl_call_keylog_cb_args args;
|
480
|
+
int state = 0;
|
481
|
+
|
482
|
+
OSSL_Debug("SSL keylog callback entered");
|
483
|
+
|
484
|
+
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
485
|
+
args.ssl_obj = ssl_obj;
|
486
|
+
args.line = line;
|
487
|
+
|
488
|
+
rb_protect(ossl_call_keylog_cb, (VALUE)&args, &state);
|
489
|
+
if (state) {
|
490
|
+
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
|
491
|
+
}
|
492
|
+
}
|
493
|
+
#endif
|
494
|
+
|
444
495
|
static VALUE
|
445
496
|
ossl_call_session_remove_cb(VALUE ary)
|
446
497
|
{
|
@@ -655,7 +706,7 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
655
706
|
return SSL_TLSEXT_ERR_OK;
|
656
707
|
}
|
657
708
|
|
658
|
-
#
|
709
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
659
710
|
static int
|
660
711
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
661
712
|
void *arg)
|
@@ -852,7 +903,7 @@ ossl_sslctx_setup(VALUE self)
|
|
852
903
|
val = rb_attr_get(self, id_i_verify_depth);
|
853
904
|
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
|
854
905
|
|
855
|
-
#
|
906
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
856
907
|
val = rb_attr_get(self, id_i_npn_protocols);
|
857
908
|
if (!NIL_P(val)) {
|
858
909
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
@@ -911,6 +962,18 @@ ossl_sslctx_setup(VALUE self)
|
|
911
962
|
OSSL_Debug("SSL TLSEXT servername callback added");
|
912
963
|
}
|
913
964
|
|
965
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
966
|
+
/*
|
967
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
968
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
969
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
970
|
+
*/
|
971
|
+
if (RTEST(rb_attr_get(self, id_i_keylog_cb))) {
|
972
|
+
SSL_CTX_set_keylog_callback(ctx, ossl_sslctx_keylog_cb);
|
973
|
+
OSSL_Debug("SSL keylog callback added");
|
974
|
+
}
|
975
|
+
#endif
|
976
|
+
|
914
977
|
return Qtrue;
|
915
978
|
}
|
916
979
|
|
@@ -959,27 +1022,13 @@ ossl_sslctx_get_ciphers(VALUE self)
|
|
959
1022
|
return ary;
|
960
1023
|
}
|
961
1024
|
|
962
|
-
/*
|
963
|
-
* call-seq:
|
964
|
-
* ctx.ciphers = "cipher1:cipher2:..."
|
965
|
-
* ctx.ciphers = [name, ...]
|
966
|
-
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
967
|
-
*
|
968
|
-
* Sets the list of available cipher suites for this context. Note in a server
|
969
|
-
* context some ciphers require the appropriate certificates. For example, an
|
970
|
-
* RSA cipher suite can only be chosen when an RSA certificate is available.
|
971
|
-
*/
|
972
1025
|
static VALUE
|
973
|
-
|
1026
|
+
build_cipher_string(VALUE v)
|
974
1027
|
{
|
975
|
-
SSL_CTX *ctx;
|
976
1028
|
VALUE str, elem;
|
977
1029
|
int i;
|
978
1030
|
|
979
|
-
|
980
|
-
if (NIL_P(v))
|
981
|
-
return v;
|
982
|
-
else if (RB_TYPE_P(v, T_ARRAY)) {
|
1031
|
+
if (RB_TYPE_P(v, T_ARRAY)) {
|
983
1032
|
str = rb_str_new(0, 0);
|
984
1033
|
for (i = 0; i < RARRAY_LEN(v); i++) {
|
985
1034
|
elem = rb_ary_entry(v, i);
|
@@ -993,14 +1042,67 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
993
1042
|
StringValue(str);
|
994
1043
|
}
|
995
1044
|
|
1045
|
+
return str;
|
1046
|
+
}
|
1047
|
+
|
1048
|
+
/*
|
1049
|
+
* call-seq:
|
1050
|
+
* ctx.ciphers = "cipher1:cipher2:..."
|
1051
|
+
* ctx.ciphers = [name, ...]
|
1052
|
+
* ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
1053
|
+
*
|
1054
|
+
* Sets the list of available cipher suites for this context. Note in a server
|
1055
|
+
* context some ciphers require the appropriate certificates. For example, an
|
1056
|
+
* RSA cipher suite can only be chosen when an RSA certificate is available.
|
1057
|
+
*/
|
1058
|
+
static VALUE
|
1059
|
+
ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
1060
|
+
{
|
1061
|
+
SSL_CTX *ctx;
|
1062
|
+
VALUE str;
|
1063
|
+
|
1064
|
+
rb_check_frozen(self);
|
1065
|
+
if (NIL_P(v))
|
1066
|
+
return v;
|
1067
|
+
|
1068
|
+
str = build_cipher_string(v);
|
1069
|
+
|
996
1070
|
GetSSLCTX(self, ctx);
|
997
|
-
if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
|
1071
|
+
if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
|
998
1072
|
ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
|
999
|
-
}
|
1000
1073
|
|
1001
1074
|
return v;
|
1002
1075
|
}
|
1003
1076
|
|
1077
|
+
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
1078
|
+
/*
|
1079
|
+
* call-seq:
|
1080
|
+
* ctx.ciphersuites = "cipher1:cipher2:..."
|
1081
|
+
* ctx.ciphersuites = [name, ...]
|
1082
|
+
* ctx.ciphersuites = [[name, version, bits, alg_bits], ...]
|
1083
|
+
*
|
1084
|
+
* Sets the list of available TLSv1.3 cipher suites for this context.
|
1085
|
+
*/
|
1086
|
+
static VALUE
|
1087
|
+
ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
|
1088
|
+
{
|
1089
|
+
SSL_CTX *ctx;
|
1090
|
+
VALUE str;
|
1091
|
+
|
1092
|
+
rb_check_frozen(self);
|
1093
|
+
if (NIL_P(v))
|
1094
|
+
return v;
|
1095
|
+
|
1096
|
+
str = build_cipher_string(v);
|
1097
|
+
|
1098
|
+
GetSSLCTX(self, ctx);
|
1099
|
+
if (!SSL_CTX_set_ciphersuites(ctx, StringValueCStr(str)))
|
1100
|
+
ossl_raise(eSSLError, "SSL_CTX_set_ciphersuites");
|
1101
|
+
|
1102
|
+
return v;
|
1103
|
+
}
|
1104
|
+
#endif
|
1105
|
+
|
1004
1106
|
#ifndef OPENSSL_NO_DH
|
1005
1107
|
/*
|
1006
1108
|
* call-seq:
|
@@ -1439,7 +1541,6 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
1439
1541
|
/*
|
1440
1542
|
* SSLSocket class
|
1441
1543
|
*/
|
1442
|
-
#ifndef OPENSSL_NO_SOCK
|
1443
1544
|
static inline int
|
1444
1545
|
ssl_started(SSL *ssl)
|
1445
1546
|
{
|
@@ -1602,11 +1703,16 @@ no_exception_p(VALUE opts)
|
|
1602
1703
|
return 0;
|
1603
1704
|
}
|
1604
1705
|
|
1706
|
+
// Provided by Ruby 3.2.0 and later in order to support the default IO#timeout.
|
1707
|
+
#ifndef RUBY_IO_TIMEOUT_DEFAULT
|
1708
|
+
#define RUBY_IO_TIMEOUT_DEFAULT Qnil
|
1709
|
+
#endif
|
1710
|
+
|
1605
1711
|
static void
|
1606
1712
|
io_wait_writable(rb_io_t *fptr)
|
1607
1713
|
{
|
1608
1714
|
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1609
|
-
rb_io_maybe_wait_writable(errno, fptr->self,
|
1715
|
+
rb_io_maybe_wait_writable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
|
1610
1716
|
#else
|
1611
1717
|
rb_io_wait_writable(fptr->fd);
|
1612
1718
|
#endif
|
@@ -1616,14 +1722,14 @@ static void
|
|
1616
1722
|
io_wait_readable(rb_io_t *fptr)
|
1617
1723
|
{
|
1618
1724
|
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1619
|
-
rb_io_maybe_wait_readable(errno, fptr->self,
|
1725
|
+
rb_io_maybe_wait_readable(errno, fptr->self, RUBY_IO_TIMEOUT_DEFAULT);
|
1620
1726
|
#else
|
1621
1727
|
rb_io_wait_readable(fptr->fd);
|
1622
1728
|
#endif
|
1623
1729
|
}
|
1624
1730
|
|
1625
1731
|
static VALUE
|
1626
|
-
ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
1732
|
+
ossl_start_ssl(VALUE self, int (*func)(SSL *), const char *funcname, VALUE opts)
|
1627
1733
|
{
|
1628
1734
|
SSL *ssl;
|
1629
1735
|
rb_io_t *fptr;
|
@@ -2342,7 +2448,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
|
|
2342
2448
|
return ossl_x509name_sk2ary(ca);
|
2343
2449
|
}
|
2344
2450
|
|
2345
|
-
#
|
2451
|
+
# ifdef OSSL_USE_NEXTPROTONEG
|
2346
2452
|
/*
|
2347
2453
|
* call-seq:
|
2348
2454
|
* ssl.npn_protocol => String | nil
|
@@ -2390,6 +2496,49 @@ ossl_ssl_alpn_protocol(VALUE self)
|
|
2390
2496
|
return rb_str_new((const char *) out, outlen);
|
2391
2497
|
}
|
2392
2498
|
|
2499
|
+
/*
|
2500
|
+
* call-seq:
|
2501
|
+
* session.export_keying_material(label, length) -> String
|
2502
|
+
*
|
2503
|
+
* Enables use of shared session key material in accordance with RFC 5705.
|
2504
|
+
*/
|
2505
|
+
static VALUE
|
2506
|
+
ossl_ssl_export_keying_material(int argc, VALUE *argv, VALUE self)
|
2507
|
+
{
|
2508
|
+
SSL *ssl;
|
2509
|
+
VALUE str;
|
2510
|
+
VALUE label;
|
2511
|
+
VALUE length;
|
2512
|
+
VALUE context;
|
2513
|
+
unsigned char *p;
|
2514
|
+
size_t len;
|
2515
|
+
int use_ctx = 0;
|
2516
|
+
unsigned char *ctx = NULL;
|
2517
|
+
size_t ctx_len = 0;
|
2518
|
+
int ret;
|
2519
|
+
|
2520
|
+
rb_scan_args(argc, argv, "21", &label, &length, &context);
|
2521
|
+
StringValue(label);
|
2522
|
+
|
2523
|
+
GetSSL(self, ssl);
|
2524
|
+
|
2525
|
+
len = (size_t)NUM2LONG(length);
|
2526
|
+
str = rb_str_new(0, len);
|
2527
|
+
p = (unsigned char *)RSTRING_PTR(str);
|
2528
|
+
if (!NIL_P(context)) {
|
2529
|
+
use_ctx = 1;
|
2530
|
+
StringValue(context);
|
2531
|
+
ctx = (unsigned char *)RSTRING_PTR(context);
|
2532
|
+
ctx_len = RSTRING_LEN(context);
|
2533
|
+
}
|
2534
|
+
ret = SSL_export_keying_material(ssl, p, len, (char *)RSTRING_PTR(label),
|
2535
|
+
RSTRING_LENINT(label), ctx, ctx_len, use_ctx);
|
2536
|
+
if (ret == 0 || ret == -1) {
|
2537
|
+
ossl_raise(eSSLError, "SSL_export_keying_material");
|
2538
|
+
}
|
2539
|
+
return str;
|
2540
|
+
}
|
2541
|
+
|
2393
2542
|
/*
|
2394
2543
|
* call-seq:
|
2395
2544
|
* ssl.tmp_key => PKey or nil
|
@@ -2419,6 +2568,7 @@ Init_ossl_ssl(void)
|
|
2419
2568
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
2420
2569
|
#endif
|
2421
2570
|
|
2571
|
+
#ifndef OPENSSL_NO_SOCK
|
2422
2572
|
id_call = rb_intern_const("call");
|
2423
2573
|
ID_callback_state = rb_intern_const("callback_state");
|
2424
2574
|
|
@@ -2441,16 +2591,6 @@ Init_ossl_ssl(void)
|
|
2441
2591
|
*/
|
2442
2592
|
mSSL = rb_define_module_under(mOSSL, "SSL");
|
2443
2593
|
|
2444
|
-
/* Document-module: OpenSSL::ExtConfig
|
2445
|
-
*
|
2446
|
-
* This module contains configuration information about the SSL extension,
|
2447
|
-
* for example if socket support is enabled, or the host name TLS extension
|
2448
|
-
* is enabled. Constants in this module will always be defined, but contain
|
2449
|
-
* +true+ or +false+ values depending on the configuration of your OpenSSL
|
2450
|
-
* installation.
|
2451
|
-
*/
|
2452
|
-
mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig");
|
2453
|
-
|
2454
2594
|
/* Document-class: OpenSSL::SSL::SSLError
|
2455
2595
|
*
|
2456
2596
|
* Generic error class raised by SSLSocket and SSLContext.
|
@@ -2613,8 +2753,6 @@ Init_ossl_ssl(void)
|
|
2613
2753
|
*/
|
2614
2754
|
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
2615
2755
|
|
2616
|
-
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
2617
|
-
|
2618
2756
|
/*
|
2619
2757
|
* A callback invoked whenever a new handshake is initiated on an
|
2620
2758
|
* established connection. May be used to disable renegotiation entirely.
|
@@ -2635,7 +2773,7 @@ Init_ossl_ssl(void)
|
|
2635
2773
|
* end
|
2636
2774
|
*/
|
2637
2775
|
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
2638
|
-
#
|
2776
|
+
#ifdef OSSL_USE_NEXTPROTONEG
|
2639
2777
|
/*
|
2640
2778
|
* An Enumerable of Strings. Each String represents a protocol to be
|
2641
2779
|
* advertised as the list of supported protocols for Next Protocol
|
@@ -2697,12 +2835,38 @@ Init_ossl_ssl(void)
|
|
2697
2835
|
*/
|
2698
2836
|
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
2699
2837
|
|
2838
|
+
/*
|
2839
|
+
* A callback invoked when TLS key material is generated or received, in
|
2840
|
+
* order to allow applications to store this keying material for debugging
|
2841
|
+
* purposes.
|
2842
|
+
*
|
2843
|
+
* The callback is invoked with an SSLSocket and a string containing the
|
2844
|
+
* key material in the format used by NSS for its SSLKEYLOGFILE debugging
|
2845
|
+
* output.
|
2846
|
+
*
|
2847
|
+
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
|
2848
|
+
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
|
2849
|
+
* https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6).
|
2850
|
+
*
|
2851
|
+
* === Example
|
2852
|
+
*
|
2853
|
+
* context.keylog_cb = proc do |_sock, line|
|
2854
|
+
* File.open('ssl_keylog_file', "a") do |f|
|
2855
|
+
* f.write("#{line}\n")
|
2856
|
+
* end
|
2857
|
+
* end
|
2858
|
+
*/
|
2859
|
+
rb_attr(cSSLContext, rb_intern_const("keylog_cb"), 1, 1, Qfalse);
|
2860
|
+
|
2700
2861
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
2701
2862
|
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
|
2702
2863
|
rb_define_private_method(cSSLContext, "set_minmax_proto_version",
|
2703
2864
|
ossl_sslctx_set_minmax_proto_version, 2);
|
2704
2865
|
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
2705
2866
|
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
2867
|
+
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
2868
|
+
rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
|
2869
|
+
#endif
|
2706
2870
|
#ifndef OPENSSL_NO_DH
|
2707
2871
|
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
|
2708
2872
|
#endif
|
@@ -2779,11 +2943,6 @@ Init_ossl_ssl(void)
|
|
2779
2943
|
* Document-class: OpenSSL::SSL::SSLSocket
|
2780
2944
|
*/
|
2781
2945
|
cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject);
|
2782
|
-
#ifdef OPENSSL_NO_SOCK
|
2783
|
-
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue);
|
2784
|
-
rb_define_method(cSSLSocket, "initialize", rb_f_notimplement, -1);
|
2785
|
-
#else
|
2786
|
-
rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
|
2787
2946
|
rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc);
|
2788
2947
|
rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
|
2789
2948
|
rb_undef_method(cSSLSocket, "initialize_copy");
|
@@ -2814,10 +2973,10 @@ Init_ossl_ssl(void)
|
|
2814
2973
|
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
2815
2974
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
2816
2975
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
2817
|
-
|
2976
|
+
rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
|
2977
|
+
# ifdef OSSL_USE_NEXTPROTONEG
|
2818
2978
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
2819
2979
|
# endif
|
2820
|
-
#endif
|
2821
2980
|
|
2822
2981
|
rb_define_const(mSSL, "VERIFY_NONE", INT2NUM(SSL_VERIFY_NONE));
|
2823
2982
|
rb_define_const(mSSL, "VERIFY_PEER", INT2NUM(SSL_VERIFY_PEER));
|
@@ -2974,8 +3133,10 @@ Init_ossl_ssl(void)
|
|
2974
3133
|
DefIVarID(alpn_select_cb);
|
2975
3134
|
DefIVarID(servername_cb);
|
2976
3135
|
DefIVarID(verify_hostname);
|
3136
|
+
DefIVarID(keylog_cb);
|
2977
3137
|
|
2978
3138
|
DefIVarID(io);
|
2979
3139
|
DefIVarID(context);
|
2980
3140
|
DefIVarID(hostname);
|
3141
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
2981
3142
|
}
|
@@ -4,6 +4,7 @@
|
|
4
4
|
|
5
5
|
#include "ossl.h"
|
6
6
|
|
7
|
+
#ifndef OPENSSL_NO_SOCK
|
7
8
|
VALUE cSSLSession;
|
8
9
|
static VALUE eSSLSession;
|
9
10
|
|
@@ -299,6 +300,7 @@ static VALUE ossl_ssl_session_to_text(VALUE self)
|
|
299
300
|
return ossl_membio2str(out);
|
300
301
|
}
|
301
302
|
|
303
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
302
304
|
|
303
305
|
void Init_ossl_ssl_session(void)
|
304
306
|
{
|
@@ -307,6 +309,7 @@ void Init_ossl_ssl_session(void)
|
|
307
309
|
mSSL = rb_define_module_under(mOSSL, "SSL");
|
308
310
|
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
|
309
311
|
#endif
|
312
|
+
#ifndef OPENSSL_NO_SOCK
|
310
313
|
cSSLSession = rb_define_class_under(mSSL, "Session", rb_cObject);
|
311
314
|
eSSLSession = rb_define_class_under(cSSLSession, "SessionError", eOSSLError);
|
312
315
|
|
@@ -324,4 +327,5 @@ void Init_ossl_ssl_session(void)
|
|
324
327
|
rb_define_method(cSSLSession, "to_der", ossl_ssl_session_to_der, 0);
|
325
328
|
rb_define_method(cSSLSession, "to_pem", ossl_ssl_session_to_pem, 0);
|
326
329
|
rb_define_method(cSSLSession, "to_text", ossl_ssl_session_to_text, 0);
|
330
|
+
#endif /* !defined(OPENSSL_NO_SOCK) */
|
327
331
|
}
|
data/lib/openssl/pkey.rb
CHANGED
@@ -363,7 +363,8 @@ module OpenSSL::PKey
|
|
363
363
|
# rsa.private_encrypt(string, padding) -> String
|
364
364
|
#
|
365
365
|
# Encrypt +string+ with the private key. +padding+ defaults to
|
366
|
-
# PKCS1_PADDING
|
366
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
367
|
+
# compatibility. The encrypted string output can be decrypted using
|
367
368
|
# #public_decrypt.
|
368
369
|
#
|
369
370
|
# <b>Deprecated in version 3.0</b>.
|
@@ -386,7 +387,8 @@ module OpenSSL::PKey
|
|
386
387
|
# rsa.public_decrypt(string, padding) -> String
|
387
388
|
#
|
388
389
|
# Decrypt +string+, which has been encrypted with the private key, with the
|
389
|
-
# public key. +padding+ defaults to PKCS1_PADDING
|
390
|
+
# public key. +padding+ defaults to PKCS1_PADDING which is known to be
|
391
|
+
# insecure but is kept for backwards compatibility.
|
390
392
|
#
|
391
393
|
# <b>Deprecated in version 3.0</b>.
|
392
394
|
# Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
|
@@ -407,7 +409,8 @@ module OpenSSL::PKey
|
|
407
409
|
# rsa.public_encrypt(string, padding) -> String
|
408
410
|
#
|
409
411
|
# Encrypt +string+ with the public key. +padding+ defaults to
|
410
|
-
# PKCS1_PADDING
|
412
|
+
# PKCS1_PADDING, which is known to be insecure but is kept for backwards
|
413
|
+
# compatibility. The encrypted string output can be decrypted using
|
411
414
|
# #private_decrypt.
|
412
415
|
#
|
413
416
|
# <b>Deprecated in version 3.0</b>.
|
@@ -428,7 +431,8 @@ module OpenSSL::PKey
|
|
428
431
|
# rsa.private_decrypt(string, padding) -> String
|
429
432
|
#
|
430
433
|
# Decrypt +string+, which has been encrypted with the public key, with the
|
431
|
-
# private key. +padding+ defaults to PKCS1_PADDING
|
434
|
+
# private key. +padding+ defaults to PKCS1_PADDING, which is known to be
|
435
|
+
# insecure but is kept for backwards compatibility.
|
432
436
|
#
|
433
437
|
# <b>Deprecated in version 3.0</b>.
|
434
438
|
# Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
|
data/lib/openssl/ssl.rb
CHANGED
@@ -11,6 +11,9 @@
|
|
11
11
|
=end
|
12
12
|
|
13
13
|
require "openssl/buffering"
|
14
|
+
|
15
|
+
if defined?(OpenSSL::SSL)
|
16
|
+
|
14
17
|
require "io/nonblock"
|
15
18
|
require "ipaddr"
|
16
19
|
require "socket"
|
@@ -540,3 +543,5 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
540
543
|
end
|
541
544
|
end
|
542
545
|
end
|
546
|
+
|
547
|
+
end
|
data/lib/openssl/version.rb
CHANGED