openssl 3.1.0 → 3.2.0
- checksums.yaml +4 -4
- data/History.md +40 -0
- data/README.md +36 -19
- data/ext/openssl/extconf.rb +35 -8
- data/ext/openssl/ossl.c +73 -195
- data/ext/openssl/ossl.h +5 -6
- data/ext/openssl/ossl_bn.c +1 -1
- data/ext/openssl/ossl_cipher.c +1 -1
- data/ext/openssl/ossl_config.c +1 -1
- data/ext/openssl/ossl_digest.c +1 -1
- data/ext/openssl/ossl_engine.c +1 -1
- data/ext/openssl/ossl_hmac.c +1 -1
- data/ext/openssl/ossl_kdf.c +1 -1
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +6 -6
- data/ext/openssl/ossl_pkcs12.c +1 -1
- data/ext/openssl/ossl_pkcs7.c +3 -3
- data/ext/openssl/ossl_pkey.c +217 -44
- data/ext/openssl/ossl_pkey_dh.c +22 -7
- data/ext/openssl/ossl_pkey_dsa.c +57 -8
- data/ext/openssl/ossl_pkey_ec.c +66 -10
- data/ext/openssl/ossl_pkey_rsa.c +68 -13
- data/ext/openssl/ossl_provider.c +211 -0
- data/ext/openssl/ossl_provider.h +5 -0
- data/ext/openssl/ossl_ssl.c +83 -65
- data/ext/openssl/ossl_ssl_session.c +1 -1
- data/ext/openssl/ossl_ts.c +3 -3
- data/ext/openssl/ossl_x509attr.c +1 -1
- data/ext/openssl/ossl_x509cert.c +1 -1
- data/ext/openssl/ossl_x509crl.c +1 -1
- data/ext/openssl/ossl_x509ext.c +13 -7
- data/ext/openssl/ossl_x509name.c +1 -1
- data/ext/openssl/ossl_x509req.c +1 -1
- data/ext/openssl/ossl_x509revoked.c +1 -1
- data/ext/openssl/ossl_x509store.c +12 -5
- data/lib/openssl/buffering.rb +2 -5
- data/lib/openssl/digest.rb +1 -5
- data/lib/openssl/ssl.rb +10 -10
- data/lib/openssl/version.rb +1 -1
- metadata +9 -6
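--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5040b959a35f5692d6d19e2bf520e1123da8133fff2f878cfc21c2ff0f145d6e
+data.tar.gz: dfee6ebd76e423511aa0fc4630f8120edce8fe79d4f40ee7105ccad12c2d3340
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f542ec360be844382829f4bcc46b5cffdfcaf675b02ecdc1cd15a6e80c061476ee4582fdb201ef2dd0f430806d74036233eef3a5c23e5b4028560ad075ed706b
+data.tar.gz: 0173033ebe6efb76b747cc80835cc9530dd664d038256bbdf963d4940b5f3bfad90be313554f548a911ac0977d4bdc33c088dfd3b6fb8e46db7bcd5d2ec34a8c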
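--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,43 @@
+Version 3.2.0
+=============
+
+Compatibility
+-------------
+
+* Ruby >= 2.7
+- Support for Ruby 2.6 has been removed. Note that Ruby 2.6 reached the
+end-of-life in 2022-04.
+[[GitHub #639]](https://github.com/ruby/openssl/pull/639)
+* OpenSSL >= 1.0.2 or LibreSSL >= 3.1
+
+Notable changes
+---------------
+
+* Add a stub gemspec for JRuby, which depends on the `jruby-openssl` gem.
+[[GitHub #598]](https://github.com/ruby/openssl/pull/598)
+* Add support for the FIPS module in OpenSSL 3.0/3.1.
+[[GitHub #608]](https://github.com/ruby/openssl/pull/608)
+* Rework `OpenSSL::PKey` routines for loading DER or PEM encoded keys for better
+compatibility with OpenSSL 3.0/3.1 with the FIPS module.
+[[GitHub #615]](https://github.com/ruby/openssl/pull/615)
+[[GitHub #669]](https://github.com/ruby/openssl/pull/669)
+* Add `OpenSSL::Provider` module for loading and unloading OpenSSL 3 providers.
+[[GitHub #635]](https://github.com/ruby/openssl/pull/635)
+* Add `OpenSSL::PKey.new_raw_private_key`, `.new_raw_public_key`,
+`OpenSSL::PKey::PKey#raw_private_key`, and `#raw_public_key` for public key
+algorithms that use "raw private/public key", such as X25519 and Ed25519.
+[[GitHub #646]](https://github.com/ruby/openssl/pull/646)
+* Improve OpenSSL error messages to include additional information when
+it is available in OpenSSL's error queue.
+[[GitHub #648]](https://github.com/ruby/openssl/pull/648)
+* Change `OpenSSL::SSL::SSLContext#ca_file=` and `#ca_path=` to raise
+`OpenSSL::SSL::SSLError` instead of printing a warning message.
+[[GitHub #659]](https://github.com/ruby/openssl/pull/659)
+* Allow `OpenSSL::X509::ExtensionFactory#create_extension` to take OIDs in the
+dotted-decimal notation.
+[[GitHub #141]](https://github.com/ruby/openssl/pull/141)
+
+
 Version 3.1.0
 =============
 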
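--- a/data/README.md
+++ b/data/README.md
@@ -2,26 +2,53 @@
 
 [![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
 
+**OpenSSL for Ruby** provides access to SSL/TLS and general-purpose
+cryptography based on the OpenSSL library.
 
-OpenSSL
-OpenSSL
+OpenSSL for Ruby is sometimes referred to as **openssl** in all lowercase
+or **Ruby/OpenSSL** for disambiguation.
+
+## Compatibility and maintenance policy
+
+OpenSSL for Ruby is released as a RubyGems gem. At the same time, it is part of
+the standard library of Ruby. This is called a [default gem].
+
+Each stable branch of OpenSSL for Ruby will remain supported as long as it is
+included as a default gem in [supported Ruby branches][Ruby Maintenance Branches].
+
+|Version|Maintenance status |Ruby compatibility|OpenSSL compatibility |
+|-------|-------------------------------|------------------|--------------------------------------------|
+|3.2.x |normal maintenance (Ruby 3.3) |Ruby 2.7+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
+|3.1.x |normal maintenance (Ruby 3.2) |Ruby 2.6+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
+|3.0.x |normal maintenance (Ruby 3.1) |Ruby 2.6+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
+|2.2.x |security maintenance (Ruby 3.0)|Ruby 2.3+ |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+ |
+|2.1.x |end-of-life (Ruby 2.5-2.7) |Ruby 2.3+ |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.5+ |
+|2.0.x |end-of-life (Ruby 2.4) |Ruby 2.3+ |OpenSSL 0.9.8-1.1.1 or LibreSSL 2.3+ |
+
+[default gem]: https://docs.ruby-lang.org/en/master/standard_library_rdoc.html
+[Ruby Maintenance Branches]: https://www.ruby-lang.org/en/downloads/branches/
 
 ## Installation
 
-
-
+> **Note**
+> The openssl gem is included with Ruby by default, but you may wish to upgrade
+> it to a newer version available at
+> [rubygems.org](https://rubygems.org/gems/openssl).
+
+To upgrade it, you can use RubyGems:
 
 ```
 gem install openssl
 ```
 
-
+In some cases, it may be necessary to specify the path to the installation
+directory of the OpenSSL library.
 
 ```
 gem install openssl -- --with-openssl-dir=/opt/openssl
 ```
 
-Alternatively, you can install the gem with
+Alternatively, you can install the gem with Bundler:
 
 ```ruby
 # Gemfile
@@ -30,7 +57,7 @@ gem 'openssl'
 gem 'openssl', git: 'https://github.com/ruby/openssl'
 ```
 
-After
+After running `bundle install`, you should have the gem installed in your bundle.
 
 ## Usage
 
@@ -40,15 +67,6 @@ Once installed, you can require "openssl" in your application.
 require "openssl"
 ```
 
-**NOTE**: If you are using Ruby 2.3 (and not Bundler), you **must** activate
-the gem version of openssl, otherwise the default gem packaged with the Ruby
-installation will be used:
-
-```ruby
-gem "openssl"
-require "openssl"
-```
-
 ## Documentation
 
 See https://ruby.github.io/openssl/.
@@ -57,10 +75,9 @@ See https://ruby.github.io/openssl/.
 
 Please read our [CONTRIBUTING.md] for instructions.
 
+[CONTRIBUTING.md]: https://github.com/ruby/openssl/tree/master/CONTRIBUTING.md
+
 ## Security
 
 Security issues should be reported to ruby-core by following the process
 described on ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
-
-
-[CONTRIBUTING.md]: https://github.com/ruby/openssl/tree/master/CONTRIBUTING.md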
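--- a/data/ext/openssl/extconf.rb
+++ b/data/ext/openssl/extconf.rb
@@ -13,20 +13,41 @@
 
 require "mkmf"
 
-
+ssl_dirs = nil
+if defined?(::TruffleRuby)
+# Always respect the openssl prefix chosen by truffle/openssl-prefix
+require 'truffle/openssl-prefix'
+ssl_dirs = dir_config("openssl", ENV["OPENSSL_PREFIX"])
+else
+ssl_dirs = dir_config("openssl")
+end
+dir_config_given = ssl_dirs.any?
+
+_, ssl_ldir = ssl_dirs
+if ssl_ldir&.split(File::PATH_SEPARATOR)&.none? { |dir| File.directory?(dir) }
+# According to the `mkmf.rb#dir_config`, the `--with-openssl-dir=<dir>` uses
+# the value of the `File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])` as a
+# loaded library directory name.
+ruby_ldir_name = File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])
+
+raise "OpenSSL library directory could not be found in '#{ssl_ldir}'. " \
+"You might want to fix this error in one of the following ways.\n" \
+" * Recompile OpenSSL by configuring it with --libdir=#{ruby_ldir_name} " \
+" to specify the OpenSSL library directory.\n" \
+" * Recompile Ruby by configuring it with --libdir=<dir> to specify the " \
+"Ruby library directory.\n" \
+" * Compile this openssl gem with --with-openssl-include=<dir> and " \
+"--with-openssl-lib=<dir> options to specify the OpenSSL include and " \
+"library directories."
+end
+
 dir_config("kerberos")
 
 Logging::message "=== OpenSSL for Ruby configurator ===\n"
 
-##
-# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
-# To turn it on, use: --with-debug or --enable-debug
-#
-if with_config("debug") or enable_config("debug")
-$defs.push("-DOSSL_DEBUG")
-end
 $defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
 
+have_func("rb_io_descriptor")
 have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
 
 Logging::message "=== Checking for system dependent stuff... ===\n"
@@ -191,6 +212,12 @@ have_func("EVP_PKEY_dup(NULL)", evp_h)
 
 Logging::message "=== Checking done. ===\n"
 
+# Append flags from environment variables.
+extcflags = ENV["RUBY_OPENSSL_EXTCFLAGS"]
+append_cflags(extcflags.split) if extcflags
+extldflags = ENV["RUBY_OPENSSL_EXTLDFLAGS"]
+append_ldflags(extldflags.split) if extldflags
+
 create_header
 create_makefile("openssl")
 Logging::message "Done.\n"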
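Review bot: The flags read from `RUBY_OPENSSL_EXTCFLAGS` and `RUBY_OPENSSL_EXTLDFLAGS` in the second hunk go through `append_cflags` / `append_ldflags`, which, as far as I know, keep only the flags a trial compile accepts, so a hardening flag supplied this way can be dropped without failing the build. `String#split` also separates on whitespace only, so a quoted value that contains a space is cut into several flags. I would say both next to the code, for example `# Flags the compiler rejects are skipped (see mkmf.log); values are split on whitespace, shell quoting is not honoured.` The two variables are also not mentioned in the README hunks of this release; since they change how a crypto extension is compiled and linked, they should be documented as build inputs.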
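--- a/data/ext/openssl/ossl.c
+++ b/data/ext/openssl/ossl.c
@@ -207,7 +207,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
 
 while (1) {
 /*
-* when the flag is nonzero, this
+* when the flag is nonzero, this password
 * will be used to perform encryption; otherwise it will
 * be used to perform decryption.
 */
@@ -272,23 +272,28 @@ VALUE
 ossl_make_error(VALUE exc, VALUE str)
 {
 unsigned long e;
+const char *data;
+int flags;
 
-
+if (NIL_P(str))
+str = rb_str_new(NULL, 0);
+
+#ifdef HAVE_ERR_GET_ERROR_ALL
+e = ERR_peek_last_error_all(NULL, NULL, NULL, &data, &flags);
+#else
+e = ERR_peek_last_error_line_data(NULL, NULL, &data, &flags);
+#endif
 if (e) {
-
+const char *msg = ERR_reason_error_string(e);
 
-
-
-
-
-
-rb_str_cat2(str, msg ? msg : "(null)");
-}
-ossl_clear_error();
+if (RSTRING_LEN(str)) rb_str_cat_cstr(str, ": ");
+rb_str_cat_cstr(str, msg ? msg : "(null)");
+if (flags & ERR_TXT_STRING && data)
+rb_str_catf(str, " (%s)", data);
+ossl_clear_error();
 }
 
-
-return rb_exc_new3(exc, str);
+return rb_exc_new_str(exc, str);
 }
 
 void
@@ -369,22 +374,6 @@ ossl_get_errors(VALUE _)
 */
 VALUE dOSSL;
 
-#if !defined(HAVE_VA_ARGS_MACRO)
-void
-ossl_debug(const char *fmt, ...)
-{
-va_list args;
-
-if (dOSSL == Qtrue) {
-fprintf(stderr, "OSSL_DEBUG: ");
-va_start(args, fmt);
-vfprintf(stderr, fmt, args);
-va_end(args);
-fprintf(stderr, " [CONTEXT N/A]\n");
-}
-}
-#endif
-
 /*
 * call-seq:
 * OpenSSL.debug -> true | false
@@ -418,7 +407,11 @@ static VALUE
 ossl_fips_mode_get(VALUE self)
 {
 
-#
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+VALUE enabled;
+enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
+return enabled;
+#elif defined(OPENSSL_FIPS)
 VALUE enabled;
 enabled = FIPS_mode() ? Qtrue : Qfalse;
 return enabled;
@@ -442,8 +435,18 @@ ossl_fips_mode_get(VALUE self)
 static VALUE
 ossl_fips_mode_set(VALUE self, VALUE enabled)
 {
-
-
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+if (RTEST(enabled)) {
+if (!EVP_default_properties_enable_fips(NULL, 1)) {
+ossl_raise(eOSSLError, "Turning on FIPS mode failed");
+}
+} else {
+if (!EVP_default_properties_enable_fips(NULL, 0)) {
+ossl_raise(eOSSLError, "Turning off FIPS mode failed");
+}
+}
+return enabled;
+#elif defined(OPENSSL_FIPS)
 if (RTEST(enabled)) {
 int mode = FIPS_mode();
 if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -460,75 +463,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
 #endif
 }
 
-#if defined(OSSL_DEBUG)
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
-(OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
-defined(CRYPTO_malloc_debug_init))
-/*
-* call-seq:
-* OpenSSL.mem_check_start -> nil
-*
-* Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory
-* allocations. See also OpenSSL.print_mem_leaks.
-*
-* This is available only when built with a capable OpenSSL and --enable-debug
-* configure option.
-*/
-static VALUE
-mem_check_start(VALUE self)
-{
-CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-return Qnil;
-}
-
-/*
-* call-seq:
-* OpenSSL.print_mem_leaks -> true | false
-*
-* For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr).
-* Prints detected memory leaks to standard error. This cleans the global state
-* up thus you cannot use any methods of the library after calling this.
-*
-* Returns +true+ if leaks detected, +false+ otherwise.
-*
-* This is available only when built with a capable OpenSSL and --enable-debug
-* configure option.
-*
-* === Example
-* OpenSSL.mem_check_start
-* NOT_GCED = OpenSSL::PKey::RSA.new(256)
-*
-* END {
-* GC.start
-* OpenSSL.print_mem_leaks # will print the leakage
-* }
-*/
-static VALUE
-print_mem_leaks(VALUE self)
-{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-int ret;
-#endif
-
-#ifndef HAVE_RB_EXT_RACTOR_SAFE
-// for Ruby 2.x
-void ossl_bn_ctx_free(void); // ossl_bn.c
-ossl_bn_ctx_free();
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-ret = CRYPTO_mem_leaks_fp(stderr);
-if (ret < 0)
-ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
-return ret ? Qfalse : Qtrue;
-#else
-CRYPTO_mem_leaks_fp(stderr);
-return Qnil;
-#endif
-}
-#endif
-#endif
-
 #if !defined(HAVE_OPENSSL_110_THREADING_API)
 /**
 * Stores locks needed for OpenSSL thread safety
@@ -671,23 +605,21 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
 *
 * key = OpenSSL::PKey::RSA.new 2048
 *
-*
-*
+* File.write 'private_key.pem', key.private_to_pem
+* File.write 'public_key.pem', key.public_to_pem
 *
 * === Exporting a Key
 *
 * Keys saved to disk without encryption are not secure as anyone who gets
 * ahold of the key may use it unless it is encrypted. In order to securely
-* export a key you may export it with a
+* export a key you may export it with a password.
 *
 * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
-*
+* password = 'my secure password goes here'
 *
-* key_secure = key.
+* key_secure = key.private_to_pem cipher, password
 *
-*
-* io.write key_secure
-* end
+* File.write 'private.secure.pem', key_secure
 *
 * OpenSSL::Cipher.ciphers returns a list of available ciphers.
 *
@@ -707,13 +639,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
 *
 * === Loading an Encrypted Key
 *
-* OpenSSL will prompt you for your
-* If you will not be able to type in the
+* OpenSSL will prompt you for your password when loading an encrypted key.
+* If you will not be able to type in the password you may provide it when
 * loading the key:
 *
 * key4_pem = File.read 'private.secure.pem'
-*
-* key4 = OpenSSL::PKey.read key4_pem,
+* password = 'my secure password goes here'
+* key4 = OpenSSL::PKey.read key4_pem, password
 *
 * == RSA Encryption
 *
@@ -829,45 +761,6 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
 * decrypted = cipher.update encrypted
 * decrypted << cipher.final
 *
-* == PKCS #5 Password-based Encryption
-*
-* PKCS #5 is a password-based encryption standard documented at
-* RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or
-* passphrase to be used to create a secure encryption key. If possible, PBKDF2
-* as described above should be used if the circumstances allow it.
-*
-* PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
-* key.
-*
-* pass_phrase = 'my secure pass phrase goes here'
-* salt = '8 octets'
-*
-* === Encryption
-*
-* First set up the cipher for encryption
-*
-* encryptor = OpenSSL::Cipher.new 'aes-256-cbc'
-* encryptor.encrypt
-* encryptor.pkcs5_keyivgen pass_phrase, salt
-*
-* Then pass the data you want to encrypt through
-*
-* encrypted = encryptor.update 'top secret document'
-* encrypted << encryptor.final
-*
-* === Decryption
-*
-* Use a new Cipher instance set up for decryption
-*
-* decryptor = OpenSSL::Cipher.new 'aes-256-cbc'
-* decryptor.decrypt
-* decryptor.pkcs5_keyivgen pass_phrase, salt
-*
-* Then pass the data you want to decrypt through
-*
-* plain = decryptor.update encrypted
-* plain << decryptor.final
-*
 * == X509 Certificates
 *
 * === Creating a Certificate
@@ -945,12 +838,12 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
 * not readable by other users.
 *
 * ca_key = OpenSSL::PKey::RSA.new 2048
-*
+* password = 'my secure password goes here'
 *
-* cipher =
+* cipher = 'aes-256-cbc'
 *
 * open 'ca_key.pem', 'w', 0400 do |io|
-* io.write ca_key.
+* io.write ca_key.private_to_pem(cipher, password)
 * end
 *
 * === CA Certificate
@@ -1170,8 +1063,8 @@ Init_openssl(void)
 /*
 * Init main module
 */
-mOSSL = rb_define_module("OpenSSL");
 rb_global_variable(&mOSSL);
+mOSSL = rb_define_module("OpenSSL");
 rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
 
 /*
@@ -1190,15 +1083,35 @@ Init_openssl(void)
 
 /*
 * Version number of OpenSSL the ruby OpenSSL extension was built with
-* (base 16)
+* (base 16). The formats are below.
+*
+* [OpenSSL 3] <tt>0xMNN00PP0 (major minor 00 patch 0)</tt>
+* [OpenSSL before 3] <tt>0xMNNFFPPS (major minor fix patch status)</tt>
+* [LibreSSL] <tt>0x20000000 (fixed value)</tt>
+*
+* See also the man page OPENSSL_VERSION_NUMBER(3).
 */
 rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/*
+* Version number of LibreSSL the ruby OpenSSL extension was built with
+* (base 16). The format is <tt>0xMNNFF00f (major minor fix 00
+* status)</tt>. This constant is only defined in LibreSSL cases.
+*
+* See also the man page LIBRESSL_VERSION_NUMBER(3).
+*/
+rb_define_const(mOSSL, "LIBRESSL_VERSION_NUMBER", INT2NUM(LIBRESSL_VERSION_NUMBER));
+#endif
+
 /*
 * Boolean indicating whether OpenSSL is FIPS-capable or not
 */
 rb_define_const(mOSSL, "OPENSSL_FIPS",
-
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+Qtrue
+#elif defined(OPENSSL_FIPS)
 Qtrue
 #else
 Qfalse
@@ -1208,12 +1121,12 @@ Init_openssl(void)
 rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0);
 rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
 
+rb_global_variable(&eOSSLError);
 /*
 * Generic error,
 * common for all classes under OpenSSL module
 */
 eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
-rb_global_variable(&eOSSLError);
 
 /*
 * Init debug core
@@ -1254,42 +1167,7 @@ Init_openssl(void)
 Init_ossl_x509();
 Init_ossl_ocsp();
 Init_ossl_engine();
+Init_ossl_provider();
 Init_ossl_asn1();
 Init_ossl_kdf();
-
-#if defined(OSSL_DEBUG)
-/*
-* For debugging Ruby/OpenSSL. Enable only when built with --enable-debug
-*/
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
-(OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
-defined(CRYPTO_malloc_debug_init))
-rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0);
-rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0);
-
-#if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */
-CRYPTO_malloc_debug_init();
-#endif
-
-#if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */
-CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */
-{
-int i;
-/*
-* See crypto/ex_data.c; call def_get_class() immediately to avoid
-* allocations. 15 is the maximum number that is used as the class index
-* in OpenSSL 1.0.2.
-*/
-for (i = 0; i <= 15; i++) {
-if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0)
-rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for "
-"class index %d failed", i);
-}
-}
-#endif
-#endif
-#endif
 }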
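Review bot: On the OpenSSL 3 branch, `ossl_fips_mode_get` and `ossl_fips_mode_set` only read and set the `fips=yes` default property of the default library context (`EVP_default_properties_is_fips_enabled(NULL)`, `EVP_default_properties_enable_fips(NULL, 1)`), and the `OPENSSL_FIPS` constant becomes `Qtrue` unconditionally; nothing in these hunks checks that a FIPS provider is loaded. A caller that treats `OpenSSL.fips_mode == true` or `OpenSSL::OPENSSL_FIPS` as evidence that validated crypto is in use could be wrong on a host without the fips module, where presumably the setter still succeeds and later algorithm fetches fail instead. The rdoc comments of both methods lie outside the hunks, so I cannot see whether they already say this. I would add a line such as `* On OpenSSL 3 this reflects the "fips=yes" default property only; it does not verify that the FIPS provider is loaded.` to both method comments and to the comment above `OPENSSL_FIPS`.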
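--- a/data/ext/openssl/ossl.h
+++ b/data/ext/openssl/ossl.h
@@ -62,6 +62,10 @@
 # define OSSL_USE_ENGINE
 #endif
 
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_USE_PROVIDER
+#endif
+
 /*
 * Common Module
 */
@@ -157,7 +161,6 @@ VALUE ossl_to_der_if_possible(VALUE);
 */
 extern VALUE dOSSL;
 
-#if defined(HAVE_VA_ARGS_MACRO)
 #define OSSL_Debug(...) do { \
 if (dOSSL == Qtrue) { \
 fprintf(stderr, "OSSL_DEBUG: "); \
@@ -166,11 +169,6 @@ extern VALUE dOSSL;
 } \
 } while (0)
 
-#else
-void ossl_debug(const char *, ...);
-#define OSSL_Debug ossl_debug
-#endif
-
 /*
 * Include all parts
 */
@@ -194,6 +192,7 @@ void ossl_debug(const char *, ...);
 #endif
 #include "ossl_x509.h"
 #include "ossl_engine.h"
+#include "ossl_provider.h"
 #include "ossl_kdf.h"
 
 void Init_openssl(void);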
data/ext/openssl/ossl_bn.c
CHANGED
data/ext/openssl/ossl_cipher.c
CHANGED
data/ext/openssl/ossl_config.c
CHANGED