openssl 3.1.0 → 3.2.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 239c530562472710697b8da573b8aa64b477c02f5895907220e83e9f09c88fec
4
- data.tar.gz: 62f2d04df3f693b995bf29be9d299c9f916f44a82b5bc5df60e9f46a748990d8
3
+ metadata.gz: 5040b959a35f5692d6d19e2bf520e1123da8133fff2f878cfc21c2ff0f145d6e
4
+ data.tar.gz: dfee6ebd76e423511aa0fc4630f8120edce8fe79d4f40ee7105ccad12c2d3340
5
5
  SHA512:
6
- metadata.gz: 05f891730a9dea150a2cecedb8decbf7f7dbb500cc825226a635fce8ca195a2dbf036de38dbdb7462cbb18e2e3c8aca337c1e1d9d021a94bbc444312dcf26568
7
- data.tar.gz: 4cff09ce02fc107422829ca552c97cf912f2b5f129c87e37137b153fd2c09d9a231493af7ce32f391c32828b3ffc64bf905adf6a1e3fad943e78ca81048a4f96
6
+ metadata.gz: f542ec360be844382829f4bcc46b5cffdfcaf675b02ecdc1cd15a6e80c061476ee4582fdb201ef2dd0f430806d74036233eef3a5c23e5b4028560ad075ed706b
7
+ data.tar.gz: 0173033ebe6efb76b747cc80835cc9530dd664d038256bbdf963d4940b5f3bfad90be313554f548a911ac0977d4bdc33c088dfd3b6fb8e46db7bcd5d2ec34a8c
data/History.md CHANGED
@@ -1,3 +1,43 @@
1
+ Version 3.2.0
2
+ =============
3
+
4
+ Compatibility
5
+ -------------
6
+
7
+ * Ruby >= 2.7
8
+ - Support for Ruby 2.6 has been removed. Note that Ruby 2.6 reached the
9
+ end-of-life in 2022-04.
10
+ [[GitHub #639]](https://github.com/ruby/openssl/pull/639)
11
+ * OpenSSL >= 1.0.2 or LibreSSL >= 3.1
12
+
13
+ Notable changes
14
+ ---------------
15
+
16
+ * Add a stub gemspec for JRuby, which depends on the `jruby-openssl` gem.
17
+ [[GitHub #598]](https://github.com/ruby/openssl/pull/598)
18
+ * Add support for the FIPS module in OpenSSL 3.0/3.1.
19
+ [[GitHub #608]](https://github.com/ruby/openssl/pull/608)
20
+ * Rework `OpenSSL::PKey` routines for loading DER or PEM encoded keys for better
21
+ compatibility with OpenSSL 3.0/3.1 with the FIPS module.
22
+ [[GitHub #615]](https://github.com/ruby/openssl/pull/615)
23
+ [[GitHub #669]](https://github.com/ruby/openssl/pull/669)
24
+ * Add `OpenSSL::Provider` module for loading and unloading OpenSSL 3 providers.
25
+ [[GitHub #635]](https://github.com/ruby/openssl/pull/635)
26
+ * Add `OpenSSL::PKey.new_raw_private_key`, `.new_raw_public_key`,
27
+ `OpenSSL::PKey::PKey#raw_private_key`, and `#raw_public_key` for public key
28
+ algorithms that use "raw private/public key", such as X25519 and Ed25519.
29
+ [[GitHub #646]](https://github.com/ruby/openssl/pull/646)
30
+ * Improve OpenSSL error messages to include additional information when
31
+ it is available in OpenSSL's error queue.
32
+ [[GitHub #648]](https://github.com/ruby/openssl/pull/648)
33
+ * Change `OpenSSL::SSL::SSLContext#ca_file=` and `#ca_path=` to raise
34
+ `OpenSSL::SSL::SSLError` instead of printing a warning message.
35
+ [[GitHub #659]](https://github.com/ruby/openssl/pull/659)
36
+ * Allow `OpenSSL::X509::ExtensionFactory#create_extension` to take OIDs in the
37
+ dotted-decimal notation.
38
+ [[GitHub #141]](https://github.com/ruby/openssl/pull/141)
39
+
40
+
1
41
  Version 3.1.0
2
42
  =============
3
43
 
data/README.md CHANGED
@@ -2,26 +2,53 @@
2
2
 
3
3
  [![Actions Status](https://github.com/ruby/openssl/workflows/CI/badge.svg)](https://github.com/ruby/openssl/actions?workflow=CI)
4
4
 
5
+ **OpenSSL for Ruby** provides access to SSL/TLS and general-purpose
6
+ cryptography based on the OpenSSL library.
5
7
 
6
- OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
7
- OpenSSL library.
8
+ OpenSSL for Ruby is sometimes referred to as **openssl** in all lowercase
9
+ or **Ruby/OpenSSL** for disambiguation.
10
+
11
+ ## Compatibility and maintenance policy
12
+
13
+ OpenSSL for Ruby is released as a RubyGems gem. At the same time, it is part of
14
+ the standard library of Ruby. This is called a [default gem].
15
+
16
+ Each stable branch of OpenSSL for Ruby will remain supported as long as it is
17
+ included as a default gem in [supported Ruby branches][Ruby Maintenance Branches].
18
+
19
+ |Version|Maintenance status |Ruby compatibility|OpenSSL compatibility |
20
+ |-------|-------------------------------|------------------|--------------------------------------------|
21
+ |3.2.x |normal maintenance (Ruby 3.3) |Ruby 2.7+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
22
+ |3.1.x |normal maintenance (Ruby 3.2) |Ruby 2.6+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
23
+ |3.0.x |normal maintenance (Ruby 3.1) |Ruby 2.6+ |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
24
+ |2.2.x |security maintenance (Ruby 3.0)|Ruby 2.3+ |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+ |
25
+ |2.1.x |end-of-life (Ruby 2.5-2.7) |Ruby 2.3+ |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.5+ |
26
+ |2.0.x |end-of-life (Ruby 2.4) |Ruby 2.3+ |OpenSSL 0.9.8-1.1.1 or LibreSSL 2.3+ |
27
+
28
+ [default gem]: https://docs.ruby-lang.org/en/master/standard_library_rdoc.html
29
+ [Ruby Maintenance Branches]: https://www.ruby-lang.org/en/downloads/branches/
8
30
 
9
31
  ## Installation
10
32
 
11
- The openssl gem is available at [rubygems.org](https://rubygems.org/gems/openssl).
12
- You can install with:
33
+ > **Note**
34
+ > The openssl gem is included with Ruby by default, but you may wish to upgrade
35
+ > it to a newer version available at
36
+ > [rubygems.org](https://rubygems.org/gems/openssl).
37
+
38
+ To upgrade it, you can use RubyGems:
13
39
 
14
40
  ```
15
41
  gem install openssl
16
42
  ```
17
43
 
18
- You may need to specify the path where OpenSSL is installed.
44
+ In some cases, it may be necessary to specify the path to the installation
45
+ directory of the OpenSSL library.
19
46
 
20
47
  ```
21
48
  gem install openssl -- --with-openssl-dir=/opt/openssl
22
49
  ```
23
50
 
24
- Alternatively, you can install the gem with `bundler`:
51
+ Alternatively, you can install the gem with Bundler:
25
52
 
26
53
  ```ruby
27
54
  # Gemfile
@@ -30,7 +57,7 @@ gem 'openssl'
30
57
  gem 'openssl', git: 'https://github.com/ruby/openssl'
31
58
  ```
32
59
 
33
- After doing `bundle install`, you should have the gem installed in your bundle.
60
+ After running `bundle install`, you should have the gem installed in your bundle.
34
61
 
35
62
  ## Usage
36
63
 
@@ -40,15 +67,6 @@ Once installed, you can require "openssl" in your application.
40
67
  require "openssl"
41
68
  ```
42
69
 
43
- **NOTE**: If you are using Ruby 2.3 (and not Bundler), you **must** activate
44
- the gem version of openssl, otherwise the default gem packaged with the Ruby
45
- installation will be used:
46
-
47
- ```ruby
48
- gem "openssl"
49
- require "openssl"
50
- ```
51
-
52
70
  ## Documentation
53
71
 
54
72
  See https://ruby.github.io/openssl/.
@@ -57,10 +75,9 @@ See https://ruby.github.io/openssl/.
57
75
 
58
76
  Please read our [CONTRIBUTING.md] for instructions.
59
77
 
78
+ [CONTRIBUTING.md]: https://github.com/ruby/openssl/tree/master/CONTRIBUTING.md
79
+
60
80
  ## Security
61
81
 
62
82
  Security issues should be reported to ruby-core by following the process
63
83
  described on ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
64
-
65
-
66
- [CONTRIBUTING.md]: https://github.com/ruby/openssl/tree/master/CONTRIBUTING.md
@@ -13,20 +13,41 @@
13
13
 
14
14
  require "mkmf"
15
15
 
16
- dir_config_given = dir_config("openssl").any?
16
+ ssl_dirs = nil
17
+ if defined?(::TruffleRuby)
18
+ # Always respect the openssl prefix chosen by truffle/openssl-prefix
19
+ require 'truffle/openssl-prefix'
20
+ ssl_dirs = dir_config("openssl", ENV["OPENSSL_PREFIX"])
21
+ else
22
+ ssl_dirs = dir_config("openssl")
23
+ end
24
+ dir_config_given = ssl_dirs.any?
25
+
26
+ _, ssl_ldir = ssl_dirs
27
+ if ssl_ldir&.split(File::PATH_SEPARATOR)&.none? { |dir| File.directory?(dir) }
28
+ # According to the `mkmf.rb#dir_config`, the `--with-openssl-dir=<dir>` uses
29
+ # the value of the `File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])` as a
30
+ # loaded library directory name.
31
+ ruby_ldir_name = File.basename(RbConfig::MAKEFILE_CONFIG["libdir"])
32
+
33
+ raise "OpenSSL library directory could not be found in '#{ssl_ldir}'. " \
34
+ "You might want to fix this error in one of the following ways.\n" \
35
+ " * Recompile OpenSSL by configuring it with --libdir=#{ruby_ldir_name} " \
36
+ " to specify the OpenSSL library directory.\n" \
37
+ " * Recompile Ruby by configuring it with --libdir=<dir> to specify the " \
38
+ "Ruby library directory.\n" \
39
+ " * Compile this openssl gem with --with-openssl-include=<dir> and " \
40
+ "--with-openssl-lib=<dir> options to specify the OpenSSL include and " \
41
+ "library directories."
42
+ end
43
+
17
44
  dir_config("kerberos")
18
45
 
19
46
  Logging::message "=== OpenSSL for Ruby configurator ===\n"
20
47
 
21
- ##
22
- # Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
23
- # To turn it on, use: --with-debug or --enable-debug
24
- #
25
- if with_config("debug") or enable_config("debug")
26
- $defs.push("-DOSSL_DEBUG")
27
- end
28
48
  $defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
29
49
 
50
+ have_func("rb_io_descriptor")
30
51
  have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
31
52
 
32
53
  Logging::message "=== Checking for system dependent stuff... ===\n"
@@ -191,6 +212,12 @@ have_func("EVP_PKEY_dup(NULL)", evp_h)
191
212
 
192
213
  Logging::message "=== Checking done. ===\n"
193
214
 
215
+ # Append flags from environment variables.
216
+ extcflags = ENV["RUBY_OPENSSL_EXTCFLAGS"]
217
+ append_cflags(extcflags.split) if extcflags
218
+ extldflags = ENV["RUBY_OPENSSL_EXTLDFLAGS"]
219
+ append_ldflags(extldflags.split) if extldflags
220
+
194
221
  create_header
195
222
  create_makefile("openssl")
196
223
  Logging::message "Done.\n"
data/ext/openssl/ossl.c CHANGED
@@ -207,7 +207,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
207
207
 
208
208
  while (1) {
209
209
  /*
210
- * when the flag is nonzero, this passphrase
210
+ * when the flag is nonzero, this password
211
211
  * will be used to perform encryption; otherwise it will
212
212
  * be used to perform decryption.
213
213
  */
@@ -272,23 +272,28 @@ VALUE
272
272
  ossl_make_error(VALUE exc, VALUE str)
273
273
  {
274
274
  unsigned long e;
275
+ const char *data;
276
+ int flags;
275
277
 
276
- e = ERR_peek_last_error();
278
+ if (NIL_P(str))
279
+ str = rb_str_new(NULL, 0);
280
+
281
+ #ifdef HAVE_ERR_GET_ERROR_ALL
282
+ e = ERR_peek_last_error_all(NULL, NULL, NULL, &data, &flags);
283
+ #else
284
+ e = ERR_peek_last_error_line_data(NULL, NULL, &data, &flags);
285
+ #endif
277
286
  if (e) {
278
- const char *msg = ERR_reason_error_string(e);
287
+ const char *msg = ERR_reason_error_string(e);
279
288
 
280
- if (NIL_P(str)) {
281
- if (msg) str = rb_str_new_cstr(msg);
282
- }
283
- else {
284
- if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
285
- rb_str_cat2(str, msg ? msg : "(null)");
286
- }
287
- ossl_clear_error();
289
+ if (RSTRING_LEN(str)) rb_str_cat_cstr(str, ": ");
290
+ rb_str_cat_cstr(str, msg ? msg : "(null)");
291
+ if (flags & ERR_TXT_STRING && data)
292
+ rb_str_catf(str, " (%s)", data);
293
+ ossl_clear_error();
288
294
  }
289
295
 
290
- if (NIL_P(str)) str = rb_str_new(0, 0);
291
- return rb_exc_new3(exc, str);
296
+ return rb_exc_new_str(exc, str);
292
297
  }
293
298
 
294
299
  void
@@ -369,22 +374,6 @@ ossl_get_errors(VALUE _)
369
374
  */
370
375
  VALUE dOSSL;
371
376
 
372
- #if !defined(HAVE_VA_ARGS_MACRO)
373
- void
374
- ossl_debug(const char *fmt, ...)
375
- {
376
- va_list args;
377
-
378
- if (dOSSL == Qtrue) {
379
- fprintf(stderr, "OSSL_DEBUG: ");
380
- va_start(args, fmt);
381
- vfprintf(stderr, fmt, args);
382
- va_end(args);
383
- fprintf(stderr, " [CONTEXT N/A]\n");
384
- }
385
- }
386
- #endif
387
-
388
377
  /*
389
378
  * call-seq:
390
379
  * OpenSSL.debug -> true | false
@@ -418,7 +407,11 @@ static VALUE
418
407
  ossl_fips_mode_get(VALUE self)
419
408
  {
420
409
 
421
- #ifdef OPENSSL_FIPS
410
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
411
+ VALUE enabled;
412
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
413
+ return enabled;
414
+ #elif defined(OPENSSL_FIPS)
422
415
  VALUE enabled;
423
416
  enabled = FIPS_mode() ? Qtrue : Qfalse;
424
417
  return enabled;
@@ -442,8 +435,18 @@ ossl_fips_mode_get(VALUE self)
442
435
  static VALUE
443
436
  ossl_fips_mode_set(VALUE self, VALUE enabled)
444
437
  {
445
-
446
- #ifdef OPENSSL_FIPS
438
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
439
+ if (RTEST(enabled)) {
440
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
441
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
442
+ }
443
+ } else {
444
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
445
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
446
+ }
447
+ }
448
+ return enabled;
449
+ #elif defined(OPENSSL_FIPS)
447
450
  if (RTEST(enabled)) {
448
451
  int mode = FIPS_mode();
449
452
  if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -460,75 +463,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
460
463
  #endif
461
464
  }
462
465
 
463
- #if defined(OSSL_DEBUG)
464
- #if !defined(LIBRESSL_VERSION_NUMBER) && \
465
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
466
- defined(CRYPTO_malloc_debug_init))
467
- /*
468
- * call-seq:
469
- * OpenSSL.mem_check_start -> nil
470
- *
471
- * Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory
472
- * allocations. See also OpenSSL.print_mem_leaks.
473
- *
474
- * This is available only when built with a capable OpenSSL and --enable-debug
475
- * configure option.
476
- */
477
- static VALUE
478
- mem_check_start(VALUE self)
479
- {
480
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
481
- return Qnil;
482
- }
483
-
484
- /*
485
- * call-seq:
486
- * OpenSSL.print_mem_leaks -> true | false
487
- *
488
- * For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr).
489
- * Prints detected memory leaks to standard error. This cleans the global state
490
- * up thus you cannot use any methods of the library after calling this.
491
- *
492
- * Returns +true+ if leaks detected, +false+ otherwise.
493
- *
494
- * This is available only when built with a capable OpenSSL and --enable-debug
495
- * configure option.
496
- *
497
- * === Example
498
- * OpenSSL.mem_check_start
499
- * NOT_GCED = OpenSSL::PKey::RSA.new(256)
500
- *
501
- * END {
502
- * GC.start
503
- * OpenSSL.print_mem_leaks # will print the leakage
504
- * }
505
- */
506
- static VALUE
507
- print_mem_leaks(VALUE self)
508
- {
509
- #if OPENSSL_VERSION_NUMBER >= 0x10100000
510
- int ret;
511
- #endif
512
-
513
- #ifndef HAVE_RB_EXT_RACTOR_SAFE
514
- // for Ruby 2.x
515
- void ossl_bn_ctx_free(void); // ossl_bn.c
516
- ossl_bn_ctx_free();
517
- #endif
518
-
519
- #if OPENSSL_VERSION_NUMBER >= 0x10100000
520
- ret = CRYPTO_mem_leaks_fp(stderr);
521
- if (ret < 0)
522
- ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
523
- return ret ? Qfalse : Qtrue;
524
- #else
525
- CRYPTO_mem_leaks_fp(stderr);
526
- return Qnil;
527
- #endif
528
- }
529
- #endif
530
- #endif
531
-
532
466
  #if !defined(HAVE_OPENSSL_110_THREADING_API)
533
467
  /**
534
468
  * Stores locks needed for OpenSSL thread safety
@@ -671,23 +605,21 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
671
605
  *
672
606
  * key = OpenSSL::PKey::RSA.new 2048
673
607
  *
674
- * open 'private_key.pem', 'w' do |io| io.write key.to_pem end
675
- * open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
608
+ * File.write 'private_key.pem', key.private_to_pem
609
+ * File.write 'public_key.pem', key.public_to_pem
676
610
  *
677
611
  * === Exporting a Key
678
612
  *
679
613
  * Keys saved to disk without encryption are not secure as anyone who gets
680
614
  * ahold of the key may use it unless it is encrypted. In order to securely
681
- * export a key you may export it with a pass phrase.
615
+ * export a key you may export it with a password.
682
616
  *
683
617
  * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
684
- * pass_phrase = 'my secure pass phrase goes here'
618
+ * password = 'my secure password goes here'
685
619
  *
686
- * key_secure = key.export cipher, pass_phrase
620
+ * key_secure = key.private_to_pem cipher, password
687
621
  *
688
- * open 'private.secure.pem', 'w' do |io|
689
- * io.write key_secure
690
- * end
622
+ * File.write 'private.secure.pem', key_secure
691
623
  *
692
624
  * OpenSSL::Cipher.ciphers returns a list of available ciphers.
693
625
  *
@@ -707,13 +639,13 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
707
639
  *
708
640
  * === Loading an Encrypted Key
709
641
  *
710
- * OpenSSL will prompt you for your pass phrase when loading an encrypted key.
711
- * If you will not be able to type in the pass phrase you may provide it when
642
+ * OpenSSL will prompt you for your password when loading an encrypted key.
643
+ * If you will not be able to type in the password you may provide it when
712
644
  * loading the key:
713
645
  *
714
646
  * key4_pem = File.read 'private.secure.pem'
715
- * pass_phrase = 'my secure pass phrase goes here'
716
- * key4 = OpenSSL::PKey.read key4_pem, pass_phrase
647
+ * password = 'my secure password goes here'
648
+ * key4 = OpenSSL::PKey.read key4_pem, password
717
649
  *
718
650
  * == RSA Encryption
719
651
  *
@@ -829,45 +761,6 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
829
761
  * decrypted = cipher.update encrypted
830
762
  * decrypted << cipher.final
831
763
  *
832
- * == PKCS #5 Password-based Encryption
833
- *
834
- * PKCS #5 is a password-based encryption standard documented at
835
- * RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or
836
- * passphrase to be used to create a secure encryption key. If possible, PBKDF2
837
- * as described above should be used if the circumstances allow it.
838
- *
839
- * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
840
- * key.
841
- *
842
- * pass_phrase = 'my secure pass phrase goes here'
843
- * salt = '8 octets'
844
- *
845
- * === Encryption
846
- *
847
- * First set up the cipher for encryption
848
- *
849
- * encryptor = OpenSSL::Cipher.new 'aes-256-cbc'
850
- * encryptor.encrypt
851
- * encryptor.pkcs5_keyivgen pass_phrase, salt
852
- *
853
- * Then pass the data you want to encrypt through
854
- *
855
- * encrypted = encryptor.update 'top secret document'
856
- * encrypted << encryptor.final
857
- *
858
- * === Decryption
859
- *
860
- * Use a new Cipher instance set up for decryption
861
- *
862
- * decryptor = OpenSSL::Cipher.new 'aes-256-cbc'
863
- * decryptor.decrypt
864
- * decryptor.pkcs5_keyivgen pass_phrase, salt
865
- *
866
- * Then pass the data you want to decrypt through
867
- *
868
- * plain = decryptor.update encrypted
869
- * plain << decryptor.final
870
- *
871
764
  * == X509 Certificates
872
765
  *
873
766
  * === Creating a Certificate
@@ -945,12 +838,12 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
945
838
  * not readable by other users.
946
839
  *
947
840
  * ca_key = OpenSSL::PKey::RSA.new 2048
948
- * pass_phrase = 'my secure pass phrase goes here'
841
+ * password = 'my secure password goes here'
949
842
  *
950
- * cipher = OpenSSL::Cipher.new 'aes-256-cbc'
843
+ * cipher = 'aes-256-cbc'
951
844
  *
952
845
  * open 'ca_key.pem', 'w', 0400 do |io|
953
- * io.write ca_key.export(cipher, pass_phrase)
846
+ * io.write ca_key.private_to_pem(cipher, password)
954
847
  * end
955
848
  *
956
849
  * === CA Certificate
@@ -1170,8 +1063,8 @@ Init_openssl(void)
1170
1063
  /*
1171
1064
  * Init main module
1172
1065
  */
1173
- mOSSL = rb_define_module("OpenSSL");
1174
1066
  rb_global_variable(&mOSSL);
1067
+ mOSSL = rb_define_module("OpenSSL");
1175
1068
  rb_define_singleton_method(mOSSL, "fixed_length_secure_compare", ossl_crypto_fixed_length_secure_compare, 2);
1176
1069
 
1177
1070
  /*
@@ -1190,15 +1083,35 @@ Init_openssl(void)
1190
1083
 
1191
1084
  /*
1192
1085
  * Version number of OpenSSL the ruby OpenSSL extension was built with
1193
- * (base 16)
1086
+ * (base 16). The formats are below.
1087
+ *
1088
+ * [OpenSSL 3] <tt>0xMNN00PP0 (major minor 00 patch 0)</tt>
1089
+ * [OpenSSL before 3] <tt>0xMNNFFPPS (major minor fix patch status)</tt>
1090
+ * [LibreSSL] <tt>0x20000000 (fixed value)</tt>
1091
+ *
1092
+ * See also the man page OPENSSL_VERSION_NUMBER(3).
1194
1093
  */
1195
1094
  rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
1196
1095
 
1096
+ #if defined(LIBRESSL_VERSION_NUMBER)
1097
+ /*
1098
+ * Version number of LibreSSL the ruby OpenSSL extension was built with
1099
+ * (base 16). The format is <tt>0xMNNFF00f (major minor fix 00
1100
+ * status)</tt>. This constant is only defined in LibreSSL cases.
1101
+ *
1102
+ * See also the man page LIBRESSL_VERSION_NUMBER(3).
1103
+ */
1104
+ rb_define_const(mOSSL, "LIBRESSL_VERSION_NUMBER", INT2NUM(LIBRESSL_VERSION_NUMBER));
1105
+ #endif
1106
+
1197
1107
  /*
1198
1108
  * Boolean indicating whether OpenSSL is FIPS-capable or not
1199
1109
  */
1200
1110
  rb_define_const(mOSSL, "OPENSSL_FIPS",
1201
- #ifdef OPENSSL_FIPS
1111
+ /* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
1112
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
1113
+ Qtrue
1114
+ #elif defined(OPENSSL_FIPS)
1202
1115
  Qtrue
1203
1116
  #else
1204
1117
  Qfalse
@@ -1208,12 +1121,12 @@ Init_openssl(void)
1208
1121
  rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0);
1209
1122
  rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
1210
1123
 
1124
+ rb_global_variable(&eOSSLError);
1211
1125
  /*
1212
1126
  * Generic error,
1213
1127
  * common for all classes under OpenSSL module
1214
1128
  */
1215
1129
  eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
1216
- rb_global_variable(&eOSSLError);
1217
1130
 
1218
1131
  /*
1219
1132
  * Init debug core
@@ -1254,42 +1167,7 @@ Init_openssl(void)
1254
1167
  Init_ossl_x509();
1255
1168
  Init_ossl_ocsp();
1256
1169
  Init_ossl_engine();
1170
+ Init_ossl_provider();
1257
1171
  Init_ossl_asn1();
1258
1172
  Init_ossl_kdf();
1259
-
1260
- #if defined(OSSL_DEBUG)
1261
- /*
1262
- * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug
1263
- */
1264
- #if !defined(LIBRESSL_VERSION_NUMBER) && \
1265
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
1266
- defined(CRYPTO_malloc_debug_init))
1267
- rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0);
1268
- rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0);
1269
-
1270
- #if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */
1271
- CRYPTO_malloc_debug_init();
1272
- #endif
1273
-
1274
- #if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */
1275
- CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
1276
- #endif
1277
-
1278
- #if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */
1279
- {
1280
- int i;
1281
- /*
1282
- * See crypto/ex_data.c; call def_get_class() immediately to avoid
1283
- * allocations. 15 is the maximum number that is used as the class index
1284
- * in OpenSSL 1.0.2.
1285
- */
1286
- for (i = 0; i <= 15; i++) {
1287
- if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0)
1288
- rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for "
1289
- "class index %d failed", i);
1290
- }
1291
- }
1292
- #endif
1293
- #endif
1294
- #endif
1295
1173
  }
data/ext/openssl/ossl.h CHANGED
@@ -62,6 +62,10 @@
62
62
  # define OSSL_USE_ENGINE
63
63
  #endif
64
64
 
65
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
66
+ # define OSSL_USE_PROVIDER
67
+ #endif
68
+
65
69
  /*
66
70
  * Common Module
67
71
  */
@@ -157,7 +161,6 @@ VALUE ossl_to_der_if_possible(VALUE);
157
161
  */
158
162
  extern VALUE dOSSL;
159
163
 
160
- #if defined(HAVE_VA_ARGS_MACRO)
161
164
  #define OSSL_Debug(...) do { \
162
165
  if (dOSSL == Qtrue) { \
163
166
  fprintf(stderr, "OSSL_DEBUG: "); \
@@ -166,11 +169,6 @@ extern VALUE dOSSL;
166
169
  } \
167
170
  } while (0)
168
171
 
169
- #else
170
- void ossl_debug(const char *, ...);
171
- #define OSSL_Debug ossl_debug
172
- #endif
173
-
174
172
  /*
175
173
  * Include all parts
176
174
  */
@@ -194,6 +192,7 @@ void ossl_debug(const char *, ...);
194
192
  #endif
195
193
  #include "ossl_x509.h"
196
194
  #include "ossl_engine.h"
195
+ #include "ossl_provider.h"
197
196
  #include "ossl_kdf.h"
198
197
 
199
198
  void Init_openssl(void);
@@ -41,7 +41,7 @@ static const rb_data_type_t ossl_bn_type = {
41
41
  {
42
42
  0, ossl_bn_free,
43
43
  },
44
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
44
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
45
45
  };
46
46
 
47
47
  /*
@@ -42,7 +42,7 @@ static const rb_data_type_t ossl_cipher_type = {
42
42
  {
43
43
  0, ossl_cipher_free,
44
44
  },
45
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
45
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
46
46
  };
47
47
 
48
48
  /*
@@ -22,7 +22,7 @@ static const rb_data_type_t ossl_config_type = {
22
22
  {
23
23
  0, nconf_free,
24
24
  },
25
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
25
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
26
26
  };
27
27
 
28
28
  CONF *
@@ -35,7 +35,7 @@ static const rb_data_type_t ossl_digest_type = {
35
35
  {
36
36
  0, ossl_digest_free,
37
37
  },
38
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
38
+ 0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
39
39
  };
40
40
 
41
41
  /*