openssl 3.3.0 → 4.0.1

data/lib/openssl/pkey.rb

@@ -7,6 +7,9 @@
 require_relative 'marshal'
 
 module OpenSSL::PKey
+  # Alias of PKeyError. Before version 4.0.0, this was a subclass of PKeyError.
+  DHError = PKeyError
+
   class DH
     include OpenSSL::Marshal
 
@@ -34,6 +37,18 @@ module OpenSSL::PKey
       DH.new(to_der)
     end
 
+    # :call-seq:
+    #    dh.params -> hash
+    #
+    # Stores all parameters of key to a Hash.
+    #
+    # The hash has keys 'p', 'q', 'g', 'pub_key', and 'priv_key'.
+    def params
+      %w{p q g pub_key priv_key}.map { |name|
+        [name, send(name)]
+      }.to_h
+    end
+
     # :call-seq:
     #    dh.compute_key(pub_bn) -> string
     #
@@ -90,7 +105,7 @@ module OpenSSL::PKey
     #   puts dh0.pub_key == dh.pub_key #=> false
     def generate_key!
       if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
-        raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
+        raise PKeyError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
         "use OpenSSL::PKey.generate_key instead"
       end
 
@@ -135,6 +150,9 @@ module OpenSSL::PKey
     end
   end
 
+  # Alias of PKeyError. Before version 4.0.0, this was a subclass of PKeyError.
+  DSAError = PKeyError
+
   class DSA
     include OpenSSL::Marshal
 
@@ -154,6 +172,18 @@ module OpenSSL::PKey
       OpenSSL::PKey.read(public_to_der)
     end
 
+    # :call-seq:
+    #    dsa.params -> hash
+    #
+    # Stores all parameters of key to a Hash.
+    #
+    # The hash has keys 'p', 'q', 'g', 'pub_key', and 'priv_key'.
+    def params
+      %w{p q g pub_key priv_key}.map { |name|
+        [name, send(name)]
+      }.to_h
+    end
+
     class << self
       # :call-seq:
       #    DSA.generate(size) -> dsa
@@ -218,13 +248,9 @@ module OpenSSL::PKey
     #   sig = dsa.sign_raw(nil, digest)
     #   p dsa.verify_raw(nil, sig, digest) #=> true
     def syssign(string)
-      q or raise OpenSSL::PKey::DSAError, "incomplete DSA"
-      private? or raise OpenSSL::PKey::DSAError, "Private DSA key needed!"
-      begin
-        sign_raw(nil, string)
-      rescue OpenSSL::PKey::PKeyError
-        raise OpenSSL::PKey::DSAError, $!.message
-      end
+      q or raise PKeyError, "incomplete DSA"
+      private? or raise PKeyError, "Private DSA key needed!"
+      sign_raw(nil, string)
     end
 
     # :call-seq:
@@ -242,12 +268,13 @@ module OpenSSL::PKey
     #   A \DSA signature value.
     def sysverify(digest, sig)
       verify_raw(nil, sig, digest)
-    rescue OpenSSL::PKey::PKeyError
-      raise OpenSSL::PKey::DSAError, $!.message
     end
   end
 
   if defined?(EC)
+  # Alias of PKeyError. Before version 4.0.0, this was a subclass of PKeyError.
+  ECError = PKeyError
+
   class EC
     include OpenSSL::Marshal
 
@@ -258,8 +285,6 @@ module OpenSSL::PKey
     # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
     def dsa_sign_asn1(data)
       sign_raw(nil, data)
-    rescue OpenSSL::PKey::PKeyError
-      raise OpenSSL::PKey::ECError, $!.message
     end
 
     # :call-seq:
@@ -269,8 +294,6 @@ module OpenSSL::PKey
     # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
     def dsa_verify_asn1(data, sig)
       verify_raw(nil, sig, data)
-    rescue OpenSSL::PKey::PKeyError
-      raise OpenSSL::PKey::ECError, $!.message
     end
 
     # :call-seq:
@@ -310,6 +333,9 @@ module OpenSSL::PKey
   end
   end
 
+  # Alias of PKeyError. Before version 4.0.0, this was a subclass of PKeyError.
+  RSAError = PKeyError
+
   class RSA
     include OpenSSL::Marshal
 
@@ -328,6 +354,18 @@ module OpenSSL::PKey
       OpenSSL::PKey.read(public_to_der)
     end
 
+    # :call-seq:
+    #    rsa.params -> hash
+    #
+    # Stores all parameters of key to a Hash.
+    #
+    # The hash has keys 'n', 'e', 'd', 'p', 'q', 'dmp1', 'dmq1', and 'iqmp'.
+    def params
+      %w{n e d p q dmp1 dmq1 iqmp}.map { |name|
+        [name, send(name)]
+      }.to_h
+    end
+
     class << self
       # :call-seq:
       #    RSA.generate(size, exponent = 65537) -> RSA
@@ -371,15 +409,11 @@ module OpenSSL::PKey
     # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
     # PKey::PKey#verify_recover instead.
     def private_encrypt(string, padding = PKCS1_PADDING)
-      n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
-      private? or raise OpenSSL::PKey::RSAError, "private key needed."
-      begin
-        sign_raw(nil, string, {
-          "rsa_padding_mode" => translate_padding_mode(padding),
-        })
-      rescue OpenSSL::PKey::PKeyError
-        raise OpenSSL::PKey::RSAError, $!.message
-      end
+      n or raise PKeyError, "incomplete RSA"
+      private? or raise PKeyError, "private key needed."
+      sign_raw(nil, string, {
+        "rsa_padding_mode" => translate_padding_mode(padding),
+      })
     end
 
     # :call-seq:
@@ -394,14 +428,10 @@ module OpenSSL::PKey
     # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
     # PKey::PKey#verify_recover instead.
     def public_decrypt(string, padding = PKCS1_PADDING)
-      n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
-      begin
-        verify_recover(nil, string, {
-          "rsa_padding_mode" => translate_padding_mode(padding),
-        })
-      rescue OpenSSL::PKey::PKeyError
-        raise OpenSSL::PKey::RSAError, $!.message
-      end
+      n or raise PKeyError, "incomplete RSA"
+      verify_recover(nil, string, {
+        "rsa_padding_mode" => translate_padding_mode(padding),
+      })
     end
 
     # :call-seq:
@@ -416,14 +446,10 @@ module OpenSSL::PKey
     # <b>Deprecated in version 3.0</b>.
     # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
     def public_encrypt(data, padding = PKCS1_PADDING)
-      n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
-      begin
-        encrypt(data, {
-          "rsa_padding_mode" => translate_padding_mode(padding),
-        })
-      rescue OpenSSL::PKey::PKeyError
-        raise OpenSSL::PKey::RSAError, $!.message
-      end
+      n or raise PKeyError, "incomplete RSA"
+      encrypt(data, {
+        "rsa_padding_mode" => translate_padding_mode(padding),
+      })
     end
 
     # :call-seq:
@@ -437,15 +463,11 @@ module OpenSSL::PKey
     # <b>Deprecated in version 3.0</b>.
     # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
     def private_decrypt(data, padding = PKCS1_PADDING)
-      n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
-      private? or raise OpenSSL::PKey::RSAError, "private key needed."
-      begin
-        decrypt(data, {
-          "rsa_padding_mode" => translate_padding_mode(padding),
-        })
-      rescue OpenSSL::PKey::PKeyError
-        raise OpenSSL::PKey::RSAError, $!.message
-      end
+      n or raise PKeyError, "incomplete RSA"
+      private? or raise PKeyError, "private key needed."
+      decrypt(data, {
+        "rsa_padding_mode" => translate_padding_mode(padding),
+      })
     end
 
     PKCS1_PADDING = 1
@@ -464,7 +486,7 @@ module OpenSSL::PKey
       when PKCS1_OAEP_PADDING
         "oaep"
       else
-        raise OpenSSL::PKey::PKeyError, "unsupported padding mode"
+        raise PKeyError, "unsupported padding mode"
       end
     end
   end

data/lib/openssl/ssl.rb

@@ -32,27 +32,7 @@ module OpenSSL
         }.call
       }
 
-      if defined?(OpenSSL::PKey::DH)
-        DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
------END DH PARAMETERS-----
-        _end_of_pem_
-        private_constant :DH_ffdhe2048
-
-        DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
-          warn "using default DH parameters." if $VERBOSE
-          DH_ffdhe2048
-        }
-      end
-
-      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
-           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+      if !OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL")
         DEFAULT_PARAMS.merge!(
           min_version: OpenSSL::SSL::TLS1_VERSION,
           ciphers: %w{
@@ -86,26 +66,13 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
             AES256-SHA256
             AES128-SHA
             AES256-SHA
-          }.join(":"),
+          }.join(":").freeze,
         )
       end
+      DEFAULT_PARAMS.freeze
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
       DEFAULT_CERT_STORE.set_default_paths
-      DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
-
-      # A callback invoked when DH parameters are required for ephemeral DH key
-      # exchange.
-      #
-      # The callback is invoked with the SSLSocket, a
-      # flag indicating the use of an export cipher and the keylength
-      # required.
-      #
-      # The callback must return an OpenSSL::PKey::DH instance of the correct
-      # key length.
-      #
-      # <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
-      attr_accessor :tmp_dh_callback
 
       # A callback invoked at connect time to distinguish between multiple
       # server names.
@@ -148,49 +115,19 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         params.each{|name, value| self.__send__("#{name}=", value) }
         if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
           unless self.ca_file or self.ca_path or self.cert_store
-            self.cert_store = DEFAULT_CERT_STORE
+            if not defined?(Ractor) or Ractor.current == Ractor.main
+              self.cert_store = DEFAULT_CERT_STORE
+            else
+              self.cert_store = Ractor.current[:__openssl_default_store__] ||=
+                OpenSSL::X509::Store.new.tap { |store|
+                  store.set_default_paths
+                }
+            end
           end
         end
         return params
       end
 
-      # call-seq:
-      #    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
-      #    ctx.min_version = :TLS1_2
-      #    ctx.min_version = nil
-      #
-      # Sets the lower bound on the supported SSL/TLS protocol version. The
-      # version may be specified by an integer constant named
-      # OpenSSL::SSL::*_VERSION, a Symbol, or +nil+ which means "any version".
-      #
-      # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v*
-      # options by #options= once you have called #min_version= or
-      # #max_version=.
-      #
-      # === Example
-      #   ctx = OpenSSL::SSL::SSLContext.new
-      #   ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
-      #   ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
-      #
-      #   sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
-      #   sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
-      def min_version=(version)
-        set_minmax_proto_version(version, @max_proto_version ||= nil)
-        @min_proto_version = version
-      end
-
-      # call-seq:
-      #    ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
-      #    ctx.max_version = :TLS1_2
-      #    ctx.max_version = nil
-      #
-      # Sets the upper bound of the supported SSL/TLS protocol version. See
-      # #min_version= for the possible values.
-      def max_version=(version)
-        set_minmax_proto_version(@min_proto_version ||= nil, version)
-        @max_proto_version = version
-      end
-
       # call-seq:
       #    ctx.ssl_version = :TLSv1
       #    ctx.ssl_version = "SSLv23"
@@ -215,8 +152,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         end
         version = METHODS_MAP[meth.intern] or
           raise ArgumentError, "unknown SSL method `%s'" % meth
-        set_minmax_proto_version(version, version)
-        @min_proto_version = @max_proto_version = version
+        self.min_version = self.max_version = version
       end
 
       METHODS_MAP = {
@@ -496,10 +432,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         @context.client_cert_cb
       end
 
-      def tmp_dh_callback
-        @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
-      end
-
       def session_new_cb
         @context.session_new_cb
       end

data/lib/openssl/version.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
 module OpenSSL
-  VERSION = "3.3.0"
+  # The version string of Ruby/OpenSSL.
+  VERSION = "4.0.1"
 end

data/lib/openssl/x509.rb

@@ -346,6 +346,15 @@ module OpenSSL
       include Extension::CRLDistributionPoints
       include Extension::AuthorityInfoAccess
 
+      def inspect
+        "#<#{self.class}: " \
+          "subject=#{subject.inspect}, " \
+          "issuer=#{issuer.inspect}, " \
+          "serial=#{serial.inspect}, " \
+          "not_before=#{not_before.inspect rescue "(error)"}, " \
+          "not_after=#{not_after.inspect rescue "(error)"}>"
+      end
+
       def pretty_print(q)
         q.object_group(self) {
           q.breakable

data/lib/openssl.rb

@@ -13,23 +13,26 @@
 require 'openssl.so'
 
 require_relative 'openssl/bn'
-require_relative 'openssl/asn1'
-require_relative 'openssl/pkey'
 require_relative 'openssl/cipher'
 require_relative 'openssl/digest'
 require_relative 'openssl/hmac'
-require_relative 'openssl/x509'
-require_relative 'openssl/ssl'
 require_relative 'openssl/pkcs5'
+require_relative 'openssl/pkey'
+require_relative 'openssl/ssl'
 require_relative 'openssl/version'
+require_relative 'openssl/x509'
 
 module OpenSSL
-  # call-seq:
-  #   OpenSSL.secure_compare(string, string) -> boolean
+  # :call-seq:
+  #    OpenSSL.secure_compare(string, string) -> true or false
   #
   # Constant time memory comparison. Inputs are hashed using SHA-256 to mask
   # the length of the secret. Returns +true+ if the strings are identical,
   # +false+ otherwise.
+  #
+  # This method is expensive due to the SHA-256 hashing. In most cases, where
+  # the input lengths are known to be equal or are not sensitive,
+  # OpenSSL.fixed_length_secure_compare should be used instead.
   def self.secure_compare(a, b)
     hashed_a = OpenSSL::Digest.digest('SHA256', a)
     hashed_b = OpenSSL::Digest.digest('SHA256', b)

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: openssl
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 4.0.1
 platform: ruby
 authors:
 - Martin Bosslet
 - SHIBATA Hiroshi
 - Zachary Scott
 - Kazuki Yamaguchi
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-21 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies: []
 description: OpenSSL for Ruby provides access to SSL/TLS and general-purpose cryptography
   based on the OpenSSL library.
@@ -31,7 +30,6 @@ files:
 - History.md
 - README.md
 - ext/openssl/extconf.rb
-- ext/openssl/openssl_missing.c
 - ext/openssl/openssl_missing.h
 - ext/openssl/ossl.c
 - ext/openssl/ossl.h
@@ -87,7 +85,6 @@ files:
 - ext/openssl/ossl_x509revoked.c
 - ext/openssl/ossl_x509store.c
 - lib/openssl.rb
-- lib/openssl/asn1.rb
 - lib/openssl/bn.rb
 - lib/openssl/buffering.rb
 - lib/openssl/cipher.rb
@@ -105,7 +102,6 @@ licenses:
 - BSD-2-Clause
 metadata:
   msys2_mingw_dependencies: openssl
-post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -122,8 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: SSL/TLS and general-purpose cryptography for Ruby
 test_files: []

data/ext/openssl/openssl_missing.c

@@ -1,40 +0,0 @@
-/*
- * 'OpenSSL for Ruby' project
- * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
- * All rights reserved.
- */
-/*
- * This program is licensed under the same licence as Ruby.
- * (See the file 'COPYING'.)
- */
-#include RUBY_EXTCONF_H
-
-#include <string.h> /* memcpy() */
-#include <openssl/x509_vfy.h>
-
-#include "openssl_missing.h"
-
-/*** added in 1.1.0 ***/
-#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
-void
-ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
-			     const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-	*psig = crl->signature;
-    if (palg != NULL)
-	*palg = crl->sig_alg;
-}
-#endif
-
-#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
-void
-ossl_X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
-			     const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-	*psig = req->signature;
-    if (palg != NULL)
-	*palg = req->sig_alg;
-}
-#endif