openssl 2.0.9 → 2.1.0.beta1


Potentially problematic release.


This version of openssl might be problematic. Click here for more details.

Files changed (60) hide show
  1. checksums.yaml +5 -5
  2. data/History.md +28 -69
  3. data/README.md +1 -1
  4. data/ext/openssl/deprecation.rb +0 -3
  5. data/ext/openssl/extconf.rb +8 -52
  6. data/ext/openssl/openssl_missing.c +0 -67
  7. data/ext/openssl/openssl_missing.h +3 -50
  8. data/ext/openssl/ossl.c +81 -74
  9. data/ext/openssl/ossl.h +14 -27
  10. data/ext/openssl/ossl_asn1.c +287 -374
  11. data/ext/openssl/ossl_asn1.h +0 -4
  12. data/ext/openssl/ossl_bio.c +5 -20
  13. data/ext/openssl/ossl_bio.h +0 -2
  14. data/ext/openssl/ossl_bn.c +70 -28
  15. data/ext/openssl/ossl_cipher.c +18 -42
  16. data/ext/openssl/ossl_cipher.h +1 -1
  17. data/ext/openssl/ossl_digest.c +8 -12
  18. data/ext/openssl/ossl_digest.h +1 -1
  19. data/ext/openssl/ossl_engine.c +47 -47
  20. data/ext/openssl/ossl_hmac.c +19 -22
  21. data/ext/openssl/ossl_kdf.c +221 -0
  22. data/ext/openssl/ossl_kdf.h +6 -0
  23. data/ext/openssl/ossl_ns_spki.c +17 -21
  24. data/ext/openssl/ossl_ocsp.c +85 -80
  25. data/ext/openssl/ossl_pkcs12.c +15 -21
  26. data/ext/openssl/ossl_pkcs7.c +8 -21
  27. data/ext/openssl/ossl_pkey.c +24 -48
  28. data/ext/openssl/ossl_pkey.h +1 -6
  29. data/ext/openssl/ossl_pkey_dh.c +11 -11
  30. data/ext/openssl/ossl_pkey_dsa.c +16 -22
  31. data/ext/openssl/ossl_pkey_ec.c +43 -56
  32. data/ext/openssl/ossl_pkey_rsa.c +19 -19
  33. data/ext/openssl/ossl_rand.c +12 -12
  34. data/ext/openssl/ossl_ssl.c +291 -243
  35. data/ext/openssl/ossl_ssl.h +0 -5
  36. data/ext/openssl/ossl_ssl_session.c +7 -9
  37. data/ext/openssl/ossl_version.h +1 -1
  38. data/ext/openssl/ossl_x509.c +0 -15
  39. data/ext/openssl/ossl_x509.h +0 -7
  40. data/ext/openssl/ossl_x509attr.c +3 -7
  41. data/ext/openssl/ossl_x509cert.c +17 -54
  42. data/ext/openssl/ossl_x509crl.c +15 -25
  43. data/ext/openssl/ossl_x509ext.c +9 -14
  44. data/ext/openssl/ossl_x509name.c +76 -41
  45. data/ext/openssl/ossl_x509req.c +10 -47
  46. data/ext/openssl/ossl_x509revoked.c +8 -8
  47. data/ext/openssl/ossl_x509store.c +15 -45
  48. data/ext/openssl/ruby_missing.h +2 -13
  49. data/lib/openssl.rb +1 -0
  50. data/lib/openssl/bn.rb +2 -1
  51. data/lib/openssl/buffering.rb +24 -23
  52. data/lib/openssl/config.rb +12 -11
  53. data/lib/openssl/digest.rb +3 -6
  54. data/lib/openssl/pkcs5.rb +22 -0
  55. data/lib/openssl/pkey.rb +0 -41
  56. data/lib/openssl/ssl.rb +118 -16
  57. data/lib/openssl/x509.rb +7 -1
  58. metadata +8 -7
  59. data/ext/openssl/ossl_pkcs5.c +0 -180
  60. data/ext/openssl/ossl_pkcs5.h +0 -6
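--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
- SHA256:
- metadata.gz: 91fe9d652320bafb549ff509a248703fb6344805a6054a646f48377bab07a57b
- data.tar.gz: c581caac26a9edb277a214e14d470fbba9e94b0b553835aae5d7114488c1f94e
+ SHA1:
+ metadata.gz: 4cc6326c79cf145b9fb1f5a44a7b55a455ae0980
+ data.tar.gz: 6a7dfe45eb2335413661a03fe31b883890052b78
  SHA512:
- metadata.gz: 7a63763e084612b0ebff8c17285046de11b8b21d80b20b7118e1b6245d17eb6226906d57cbae7187fa080d12236083c5f7fbaa4b45f2ef98305176cc09f485a5
- data.tar.gz: 986d486b248c941099272e984b62b221178bf0ebb4566e24b83d97c8168b364aa9da3c27d73ed6b9c6eb606764a2c0d82a93adb3b156072a03b39b638e5fe890
+ metadata.gz: 621847e9bf167872c49c12c6adea64b4516b74818377808918ff7cb1a032381f88e1c5b3d3679da80ee7a1c89d4848c620c2876436e41af82ed9a15330a57fdd
+ data.tar.gz: 352c40ced871126e88f96ef339a7c455e974794ef98688527a9fddcc4e0e6c6e6297bd0591dbd74c185bee19bdc7500a16f50b8c6c17fd08fe09584d14b9b94f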
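--- a/data/History.md
+++ b/data/History.md
@@ -1,73 +1,32 @@
- Version 2.0.9
- =============
-
- Security fixes
- --------------
-
- * OpenSSL::X509::Name#<=> could incorrectly return 0 (= equal) for non-equal
- objects. CVE-2018-16395 is assigned for this issue.
- https://hackerone.com/reports/387250
-
- Bug fixes
- ---------
-
- * Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
- interrupted.
- [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
- [[GitHub #205]](https://github.com/ruby/openssl/pull/205)
- * Fixed OpenSSL::X509::Name#to_s failing with OpenSSL::X509::NameError if
- called against an empty instance.
- [[GitHub #200]](https://github.com/ruby/openssl/issues/200)
- [[GitHub #211]](https://github.com/ruby/openssl/pull/211)
-
-
- Version 2.0.8
- =============
-
- Bug fixes
- ---------
-
- * OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration
- count is given.
- [[GitHub #184]](https://github.com/ruby/openssl/pull/184)
- * Fixed build with LibreSSL 2.7.
- [[GitHub #192]](https://github.com/ruby/openssl/issues/192)
- [[GitHub #193]](https://github.com/ruby/openssl/pull/193)
+ Version 2.1.0.beta1
+ ===================
 
+ Notable changes
+ ---------------
 
- Version 2.0.7
- =============
-
- Bug fixes
- ---------
-
- * OpenSSL::Cipher#auth_data= could segfault if called against a non-AEAD cipher.
- [[Bug #14024]](https://bugs.ruby-lang.org/issues/14024)
- * OpenSSL::X509::Certificate#public_key= (and similar methods) could segfault
- when an instance of OpenSSL::PKey::PKey with no public key components is
- passed.
- [[Bug #14087]](https://bugs.ruby-lang.org/issues/14087)
- [[GitHub #168]](https://github.com/ruby/openssl/pull/168)
-
-
- Version 2.0.6
- =============
-
- Bug fixes
- ---------
-
- * The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
- during GC.
- * A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
- [[GitHub #139]](https://github.com/ruby/openssl/pull/139)
- * OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
- [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
- * OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
- destination buffer String to 0 on error.
- [[GitHub #153]](https://github.com/ruby/openssl/pull/153)
- * Possible deadlock is fixed. This happened only when built with older versions
- of OpenSSL (before 1.1.0) or LibreSSL.
- [[GitHub #155]](https://github.com/ruby/openssl/pull/155)
+ * Support for OpenSSL versions before 1.0.1 is removed.
+ [[GitHub #86]](https://github.com/ruby/openssl/pull/86)
+ * OpenSSL::BN#negative?, #+@, and #-@ are added.
+ * OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
+ certificate verification fails.
+ [[GitHub #99]](https://github.com/ruby/openssl/pull/99)
+ * OpenSSL::KDF module is newly added. Support for scrypt is added.
+ [[GitHub #109]](https://github.com/ruby/openssl/pull/109)
+ * OpenSSL.fips_mode is added. We have had the setter, but not the getter.
+ [[GitHub #125]](https://github.com/ruby/openssl/pull/125)
+ * OpenSSL::OCSP::Request#signed? is added.
+ * OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
+ no longer wrongly treats the end-of-contents octets as part of the content.
+ OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length.
+ [[GitHub #98]](https://github.com/ruby/openssl/pull/98)
+ * OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
+ 'loc' and 'set'.
+ [[GitHub #94]](https://github.com/ruby/openssl/issues/94)
+ * OpenSSL::SSL::SSLContext#min_version= and #max_version= are added.
+ [[GitHub #142]](https://github.com/ruby/openssl/pull/142)
+ * OpenSSL::X509::Name#to_utf8 is added.
+ [[GitHub #26]](https://github.com/ruby/openssl/issues/26)
+ [[GitHub #143]](https://github.com/ruby/openssl/pull/143)
 
 
  Version 2.0.5
@@ -222,7 +181,7 @@ Notable changes
  - A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
  is enabled, and the SNI hostname is also set, the hostname verification on
  the server certificate is automatically performed. It is now enabled by
- OpenSSL::SSL::SSLContext#set_params.
+ OpenSSL::SSL::Context#set_params.
  [[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
 
  Removals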
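--- a/data/README.md
+++ b/data/README.md
@@ -27,7 +27,7 @@ Alternatively, you can install the gem with `bundler`:
  # Gemfile
  gem 'openssl'
  # or specify git master
- gem 'openssl', github: 'ruby/openssl'
+ gem 'openssl', git: 'https://github.com/ruby/openssl'
  ```
 
  After doing `bundle install`, you should have the gem installed in your bundle.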
@@ -3,9 +3,6 @@ module OpenSSL
3
3
  def self.deprecated_warning_flag
4
4
  unless flag = (@deprecated_warning_flag ||= nil)
5
5
  if try_compile("", flag = "-Werror=deprecated-declarations")
6
- if /darwin/ =~ RUBY_PLATFORM and with_config("broken-apple-openssl")
7
- flag = "-Wno-deprecated-declarations"
8
- end
9
6
  $warnflags << " #{flag}"
10
7
  else
11
8
  flag = ""
@@ -33,9 +33,6 @@ end
33
33
  Logging::message "=== Checking for system dependent stuff... ===\n"
34
34
  have_library("nsl", "t_open")
35
35
  have_library("socket", "socket")
36
- if $mswin || $mingw
37
- have_library("ws2_32")
38
- end
39
36
 
40
37
  Logging::message "=== Checking for required stuff... ===\n"
41
38
  result = pkg_config("openssl") && have_header("openssl/ssl.h")
@@ -94,30 +91,19 @@ unless result
94
91
  unless find_openssl_library
95
92
  Logging::message "=== Checking for required stuff failed. ===\n"
96
93
  Logging::message "Makefile wasn't created. Fix the errors above.\n"
97
- exit 1
94
+ raise "OpenSSL library could not be found. You might want to use " \
95
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
96
+ "is installed."
98
97
  end
99
98
  end
100
99
 
101
- result = checking_for("OpenSSL version is 0.9.8 or later") {
102
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h")
103
- }
104
- unless result
105
- raise "OpenSSL 0.9.8 or later required."
106
- end
107
-
108
- if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
109
- raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')"
100
+ unless checking_for("OpenSSL version is 1.0.1 or later") {
101
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
102
+ raise "OpenSSL >= 1.0.1 or LibreSSL is required"
110
103
  end
111
104
 
112
105
  Logging::message "=== Checking for OpenSSL features... ===\n"
113
106
  # compile options
114
-
115
- # SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
116
- # like OPENSSL_NO_SSL2 may not be defined.
117
- have_func("SSLv2_method")
118
- have_func("SSLv3_method")
119
- have_func("TLSv1_1_method")
120
- have_func("TLSv1_2_method")
121
107
  have_func("RAND_egd")
122
108
  engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
123
109
  cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
@@ -125,34 +111,6 @@ engines.each { |name|
125
111
  OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
126
112
  }
127
113
 
128
- if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
129
- $defs.push("-DNOCRYPT")
130
- end
131
-
132
- # added in 0.9.8X
133
- have_func("EVP_CIPHER_CTX_new")
134
- have_func("EVP_CIPHER_CTX_free")
135
- OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h")
136
-
137
- # added in 1.0.0
138
- have_func("ASN1_TIME_adj")
139
- have_func("EVP_CIPHER_CTX_copy")
140
- have_func("EVP_PKEY_base_id")
141
- have_func("HMAC_CTX_copy")
142
- have_func("PKCS5_PBKDF2_HMAC")
143
- have_func("X509_NAME_hash_old")
144
- have_func("X509_STORE_CTX_get0_current_crl")
145
- have_func("X509_STORE_set_verify_cb")
146
- have_func("i2d_ASN1_SET_ANY")
147
- have_func("SSL_SESSION_cmp") # removed
148
- OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h")
149
- have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h")
150
- have_func("EVP_PKEY_get0")
151
-
152
- # added in 1.0.1
153
- have_func("SSL_CTX_set_next_proto_select_cb")
154
- have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION")
155
-
156
114
  # added in 1.0.2
157
115
  have_func("EC_curve_nist2nid")
158
116
  have_func("X509_REVOKED_dup")
@@ -164,11 +122,8 @@ OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
164
122
  have_func("SSL_is_server")
165
123
 
166
124
  # added in 1.1.0
167
- if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
168
- try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
169
- $defs.push("-DHAVE_OPAQUE_OPENSSL")
170
- end
171
125
  have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
126
+ have_struct_member("SSL", "ctx", "openssl/ssl.h") || $defs.push("-DHAVE_OPAQUE_OPENSSL")
172
127
  have_func("BN_GENCB_new")
173
128
  have_func("BN_GENCB_free")
174
129
  have_func("BN_GENCB_get_arg")
@@ -199,6 +154,7 @@ OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
199
154
  have_func("SSL_CTX_get_security_level")
200
155
  have_func("X509_get0_notBefore")
201
156
  have_func("SSL_SESSION_get_protocol_version")
157
+ have_func("EVP_PBE_scrypt")
202
158
 
203
159
  Logging::message "=== Checking done. ===\n"
204
160
 
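Review bot: The `HAVE_OPAQUE_OPENSSL` probe under `# added in 1.1.0` now rests only on `have_struct_member("SSL", "ctx", "openssl/ssl.h")`, whereas the removed lines also set the define when `LIBRESSL_VERSION_NUMBER >= 0x2070000fL`. Whether the struct-member probe alone classifies LibreSSL 2.7 and later correctly cannot be told from this hunk, so it should be confirmed against such a build before relying on it. A short comment above the new version gate, for example `# 0x10001000L is OpenSSL 1.0.1; older libraries are rejected here`, would also tie the constant to the "OpenSSL >= 1.0.1 or LibreSSL is required" message.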
@@ -20,73 +20,6 @@
20
20
 
21
21
  #include "openssl_missing.h"
22
22
 
23
- /* added in 0.9.8X */
24
- #if !defined(HAVE_EVP_CIPHER_CTX_NEW)
25
- EVP_CIPHER_CTX *
26
- ossl_EVP_CIPHER_CTX_new(void)
27
- {
28
- EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX));
29
- if (!ctx)
30
- return NULL;
31
- EVP_CIPHER_CTX_init(ctx);
32
- return ctx;
33
- }
34
- #endif
35
-
36
- #if !defined(HAVE_EVP_CIPHER_CTX_FREE)
37
- void
38
- ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
39
- {
40
- if (ctx) {
41
- EVP_CIPHER_CTX_cleanup(ctx);
42
- OPENSSL_free(ctx);
43
- }
44
- }
45
- #endif
46
-
47
- /* added in 1.0.0 */
48
- #if !defined(HAVE_EVP_CIPHER_CTX_COPY)
49
- /*
50
- * this function does not exist in OpenSSL yet... or ever?.
51
- * a future version may break this function.
52
- * tested on 0.9.7d.
53
- */
54
- int
55
- ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
56
- {
57
- memcpy(out, in, sizeof(EVP_CIPHER_CTX));
58
-
59
- #if !defined(OPENSSL_NO_ENGINE)
60
- if (in->engine) ENGINE_add(out->engine);
61
- if (in->cipher_data) {
62
- out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
63
- memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
64
- }
65
- #endif
66
-
67
- return 1;
68
- }
69
- #endif
70
-
71
- #if !defined(OPENSSL_NO_HMAC)
72
- #if !defined(HAVE_HMAC_CTX_COPY)
73
- int
74
- ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
75
- {
76
- if (!out || !in)
77
- return 0;
78
-
79
- memcpy(out, in, sizeof(HMAC_CTX));
80
-
81
- EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx);
82
- EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx);
83
- EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx);
84
-
85
- return 1;
86
- }
87
- #endif /* HAVE_HMAC_CTX_COPY */
88
- #endif /* NO_HMAC */
89
-
90
23
  /* added in 1.0.2 */
91
24
  #if !defined(OPENSSL_NO_EC)
92
25
  #if !defined(HAVE_EC_CURVE_NIST2NID)
@@ -12,53 +12,6 @@
12
12
 
13
13
  #include "ruby/config.h"
14
14
 
15
- /* added in 0.9.8X */
16
- #if !defined(HAVE_EVP_CIPHER_CTX_NEW)
17
- EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void);
18
- # define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new
19
- #endif
20
-
21
- #if !defined(HAVE_EVP_CIPHER_CTX_FREE)
22
- void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
23
- # define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free
24
- #endif
25
-
26
- #if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS)
27
- # define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op))
28
- #endif
29
-
30
- /* added in 1.0.0 */
31
- #if !defined(HAVE_EVP_PKEY_BASE_ID)
32
- # define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
33
- #endif
34
-
35
- #if !defined(HAVE_EVP_CIPHER_CTX_COPY)
36
- int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *);
37
- # define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy
38
- #endif
39
-
40
- #if !defined(HAVE_HMAC_CTX_COPY)
41
- int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
42
- # define HMAC_CTX_copy ossl_HMAC_CTX_copy
43
- #endif
44
-
45
- #if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
46
- # define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
47
- #endif
48
-
49
- #if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
50
- # define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
51
- #endif
52
-
53
- #if !defined(HAVE_I2D_ASN1_SET_ANY)
54
- # define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
55
- i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
56
- #endif
57
-
58
- #if !defined(HAVE_EVP_PKEY_GET0)
59
- # define EVP_PKEY_get0(pk) (pk->pkey.ptr)
60
- #endif
61
-
62
15
  /* added in 1.0.2 */
63
16
  #if !defined(OPENSSL_NO_EC)
64
17
  #if !defined(HAVE_EC_CURVE_NIST2NID)
@@ -196,7 +149,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
196
149
  static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
197
150
  return pkey->pkey._name; }
198
151
  #define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \
199
- static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
152
+ static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
200
153
  if (a1) *a1 = obj->a1; \
201
154
  if (a2) *a2 = obj->a2; } \
202
155
  static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
@@ -205,7 +158,7 @@ static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
205
158
  BN_clear_free(obj->a2); obj->a2 = a2; \
206
159
  return 1; }
207
160
  #define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \
208
- static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
161
+ static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
209
162
  if (a1) *a1 = obj->a1; \
210
163
  if (a2) *a2 = obj->a2; \
211
164
  if (a3) *a3 = obj->a3; } \
@@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
245
198
  #undef IMPL_KEY_ACCESSOR3
246
199
  #endif /* HAVE_OPAQUE_OPENSSL */
247
200
 
248
- #if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
201
+ #if !defined(EVP_CTRL_AEAD_GET_TAG)
249
202
  # define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
250
203
  # define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
251
204
  # define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
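Review bot: The `_get0_` accessors generated by `IMPL_KEY_ACCESSOR2` and `IMPL_KEY_ACCESSOR3` lose the `const` on `obj` even though they only read `obj->a1`, `obj->a2` and `obj->a3`; the parameter should stay `const _type *obj` so callers holding a const key pointer do not need a cast. Both macro bodies continue outside their hunks. The last hunk makes the `EVP_CTRL_AEAD_*` fallback unconditional, which assumes `EVP_CTRL_GCM_GET_TAG` is always defined; a one-line comment such as `/* GCM controls exist in every supported OpenSSL (>= 1.0.1) */` would record that dependency on the version floor set in extconf.rb.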
@@ -92,22 +92,40 @@ OSSL_IMPL_SK2ARY(x509crl, X509_CRL)
92
92
  OSSL_IMPL_SK2ARY(x509name, X509_NAME)
93
93
 
94
94
  static VALUE
95
- ossl_str_new(int size)
95
+ ossl_str_new_i(VALUE size)
96
96
  {
97
- return rb_str_new(0, size);
97
+ return rb_str_new(NULL, (long)size);
98
+ }
99
+
100
+ VALUE
101
+ ossl_str_new(const char *ptr, long len, int *pstate)
102
+ {
103
+ VALUE str;
104
+ int state;
105
+
106
+ str = rb_protect(ossl_str_new_i, len, &state);
107
+ if (pstate)
108
+ *pstate = state;
109
+ if (state) {
110
+ if (!pstate)
111
+ rb_set_errinfo(Qnil);
112
+ return Qnil;
113
+ }
114
+ if (ptr)
115
+ memcpy(RSTRING_PTR(str), ptr, len);
116
+ return str;
98
117
  }
99
118
 
100
119
  VALUE
101
120
  ossl_buf2str(char *buf, int len)
102
121
  {
103
122
  VALUE str;
104
- int status = 0;
123
+ int state;
105
124
 
106
- str = rb_protect((VALUE (*)(VALUE))ossl_str_new, len, &status);
107
- if(!NIL_P(str)) memcpy(RSTRING_PTR(str), buf, len);
125
+ str = ossl_str_new(buf, len, &state);
108
126
  OPENSSL_free(buf);
109
- if(status) rb_jump_tag(status);
110
-
127
+ if (state)
128
+ rb_jump_tag(state);
111
129
  return str;
112
130
  }
113
131
 
@@ -220,7 +238,7 @@ VALUE eOSSLError;
220
238
  /*
221
239
  * Convert to DER string
222
240
  */
223
- ID ossl_s_to_der;
241
+ static ID ossl_s_to_der;
224
242
 
225
243
  VALUE
226
244
  ossl_to_der(VALUE obj)
@@ -248,18 +266,15 @@ static VALUE
248
266
  ossl_make_error(VALUE exc, const char *fmt, va_list args)
249
267
  {
250
268
  VALUE str = Qnil;
251
- const char *msg;
252
- long e;
269
+ unsigned long e;
253
270
 
254
- e = ERR_peek_last_error();
255
271
  if (fmt) {
256
272
  str = rb_vsprintf(fmt, args);
257
273
  }
274
+ e = ERR_peek_last_error();
258
275
  if (e) {
259
- if (dOSSL == Qtrue) /* FULL INFO */
260
- msg = ERR_error_string(e, NULL);
261
- else
262
- msg = ERR_reason_error_string(e);
276
+ const char *msg = ERR_reason_error_string(e);
277
+
263
278
  if (NIL_P(str)) {
264
279
  if (msg) str = rb_str_new_cstr(msg);
265
280
  }
@@ -267,8 +282,8 @@ ossl_make_error(VALUE exc, const char *fmt, va_list args)
267
282
  if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
268
283
  rb_str_cat2(str, msg ? msg : "(null)");
269
284
  }
285
+ ossl_clear_error();
270
286
  }
271
- ossl_clear_error();
272
287
 
273
288
  if (NIL_P(str)) str = rb_str_new(0, 0);
274
289
  return rb_exc_new3(exc, str);
@@ -319,7 +334,8 @@ ossl_clear_error(void)
319
334
  *
320
335
  * See any remaining errors held in queue.
321
336
  *
322
- * Any errors you see here are probably due to a bug in ruby's OpenSSL implementation.
337
+ * Any errors you see here are probably due to a bug in Ruby's OpenSSL
338
+ * implementation.
323
339
  */
324
340
  VALUE
325
341
  ossl_get_errors(void)
@@ -381,6 +397,23 @@ ossl_debug_set(VALUE self, VALUE val)
381
397
  return val;
382
398
  }
383
399
 
400
+ /*
401
+ * call-seq
402
+ * OpenSSL.fips_mode -> true | false
403
+ */
404
+ static VALUE
405
+ ossl_fips_mode_get(VALUE self)
406
+ {
407
+
408
+ #ifdef OPENSSL_FIPS
409
+ VALUE enabled;
410
+ enabled = FIPS_mode() ? Qtrue : Qfalse;
411
+ return enabled;
412
+ #else
413
+ return Qfalse;
414
+ #endif
415
+ }
416
+
384
417
  /*
385
418
  * call-seq:
386
419
  * OpenSSL.fips_mode = boolean -> boolean
@@ -443,7 +476,7 @@ mem_check_start(VALUE self)
443
476
  * Prints detected memory leaks to standard error. This cleans the global state
444
477
  * up thus you cannot use any methods of the library after calling this.
445
478
  *
446
- * Returns true if leaks detected, false otherwise.
479
+ * Returns +true+ if leaks detected, +false+ otherwise.
447
480
  *
448
481
  * This is available only when built with a capable OpenSSL and --enable-debug
449
482
  * configure option.
@@ -484,53 +517,40 @@ print_mem_leaks(VALUE self)
484
517
  /**
485
518
  * Stores locks needed for OpenSSL thread safety
486
519
  */
487
- struct CRYPTO_dynlock_value {
488
- rb_nativethread_lock_t lock;
489
- rb_nativethread_id_t owner;
490
- size_t count;
491
- };
520
+ static rb_nativethread_lock_t *ossl_locks;
492
521
 
493
522
  static void
494
- ossl_lock_init(struct CRYPTO_dynlock_value *l)
523
+ ossl_lock_unlock(int mode, rb_nativethread_lock_t *lock)
495
524
  {
496
- rb_nativethread_lock_initialize(&l->lock);
497
- l->count = 0;
525
+ if (mode & CRYPTO_LOCK) {
526
+ rb_nativethread_lock_lock(lock);
527
+ } else {
528
+ rb_nativethread_lock_unlock(lock);
529
+ }
498
530
  }
499
531
 
500
532
  static void
501
- ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l)
533
+ ossl_lock_callback(int mode, int type, const char *file, int line)
502
534
  {
503
- if (mode & CRYPTO_LOCK) {
504
- /* TODO: rb_nativethread_id_t is not necessarily compared with ==. */
505
- rb_nativethread_id_t tid = rb_nativethread_self();
506
- if (l->count && l->owner == tid) {
507
- l->count++;
508
- return;
509
- }
510
- rb_nativethread_lock_lock(&l->lock);
511
- l->owner = tid;
512
- l->count = 1;
513
- } else {
514
- if (!--l->count)
515
- rb_nativethread_lock_unlock(&l->lock);
516
- }
535
+ ossl_lock_unlock(mode, &ossl_locks[type]);
517
536
  }
518
537
 
538
+ struct CRYPTO_dynlock_value {
539
+ rb_nativethread_lock_t lock;
540
+ };
541
+
519
542
  static struct CRYPTO_dynlock_value *
520
543
  ossl_dyn_create_callback(const char *file, int line)
521
544
  {
522
- /* Do not use xmalloc() here, since it may raise NoMemoryError */
523
- struct CRYPTO_dynlock_value *dynlock =
524
- OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value));
525
- if (dynlock)
526
- ossl_lock_init(dynlock);
545
+ struct CRYPTO_dynlock_value *dynlock = (struct CRYPTO_dynlock_value *)OPENSSL_malloc((int)sizeof(struct CRYPTO_dynlock_value));
546
+ rb_nativethread_lock_initialize(&dynlock->lock);
527
547
  return dynlock;
528
548
  }
529
549
 
530
550
  static void
531
551
  ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
532
552
  {
533
- ossl_lock_unlock(mode, l);
553
+ ossl_lock_unlock(mode, &l->lock);
534
554
  }
535
555
 
536
556
  static void
@@ -540,42 +560,29 @@ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int
540
560
  OPENSSL_free(l);
541
561
  }
542
562
 
543
- #ifdef HAVE_CRYPTO_THREADID_PTR
544
563
  static void ossl_threadid_func(CRYPTO_THREADID *id)
545
564
  {
546
565
  /* register native thread id */
547
566
  CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
548
567
  }
549
- #else
550
- static unsigned long ossl_thread_id(void)
551
- {
552
- /* before OpenSSL 1.0, this is 'unsigned long' */
553
- return (unsigned long)rb_nativethread_self();
554
- }
555
- #endif
556
-
557
- static struct CRYPTO_dynlock_value *ossl_locks;
558
-
559
- static void
560
- ossl_lock_callback(int mode, int type, const char *file, int line)
561
- {
562
- ossl_lock_unlock(mode, &ossl_locks[type]);
563
- }
564
568
 
565
569
  static void Init_ossl_locks(void)
566
570
  {
567
571
  int i;
568
572
  int num_locks = CRYPTO_num_locks();
569
573
 
570
- ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks);
571
- for (i = 0; i < num_locks; i++)
572
- ossl_lock_init(&ossl_locks[i]);
574
+ if ((unsigned)num_locks >= INT_MAX / (int)sizeof(VALUE)) {
575
+ rb_raise(rb_eRuntimeError, "CRYPTO_num_locks() is too big: %d", num_locks);
576
+ }
577
+ ossl_locks = (rb_nativethread_lock_t *) OPENSSL_malloc(num_locks * (int)sizeof(rb_nativethread_lock_t));
578
+ if (!ossl_locks) {
579
+ rb_raise(rb_eNoMemError, "CRYPTO_num_locks() is too big: %d", num_locks);
580
+ }
581
+ for (i = 0; i < num_locks; i++) {
582
+ rb_nativethread_lock_initialize(&ossl_locks[i]);
583
+ }
573
584
 
574
- #ifdef HAVE_CRYPTO_THREADID_PTR
575
585
  CRYPTO_THREADID_set_callback(ossl_threadid_func);
576
- #else
577
- CRYPTO_set_id_callback(ossl_thread_id);
578
- #endif
579
586
  CRYPTO_set_locking_callback(ossl_lock_callback);
580
587
  CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback);
581
588
  CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);
@@ -585,7 +592,7 @@ static void Init_ossl_locks(void)
585
592
 
586
593
  /*
587
594
  * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
588
- * OpenSSL[http://www.openssl.org/] library.
595
+ * OpenSSL[https://www.openssl.org/] library.
589
596
  *
590
597
  * = Examples
591
598
  *
@@ -1078,7 +1085,6 @@ static void Init_ossl_locks(void)
1078
1085
  void
1079
1086
  Init_openssl(void)
1080
1087
  {
1081
- #undef rb_intern
1082
1088
  /*
1083
1089
  * Init timezone info
1084
1090
  */
@@ -1138,7 +1144,7 @@ Init_openssl(void)
1138
1144
  rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
1139
1145
 
1140
1146
  /*
1141
- * Boolean indicating whether OpenSSL is FIPS-enabled or not
1147
+ * Boolean indicating whether OpenSSL is FIPS-capable or not
1142
1148
  */
1143
1149
  rb_define_const(mOSSL, "OPENSSL_FIPS",
1144
1150
  #ifdef OPENSSL_FIPS
@@ -1148,6 +1154,7 @@ Init_openssl(void)
1148
1154
  #endif
1149
1155
  );
1150
1156
 
1157
+ rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0);
1151
1158
  rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
1152
1159
 
1153
1160
  /*
@@ -1187,7 +1194,6 @@ Init_openssl(void)
1187
1194
  Init_ossl_ns_spki();
1188
1195
  Init_ossl_pkcs12();
1189
1196
  Init_ossl_pkcs7();
1190
- Init_ossl_pkcs5();
1191
1197
  Init_ossl_pkey();
1192
1198
  Init_ossl_rand();
1193
1199
  Init_ossl_ssl();
@@ -1195,6 +1201,7 @@ Init_openssl(void)
1195
1201
  Init_ossl_ocsp();
1196
1202
  Init_ossl_engine();
1197
1203
  Init_ossl_asn1();
1204
+ Init_ossl_kdf();
1198
1205
 
1199
1206
  #if defined(OSSL_DEBUG)
1200
1207
  /*
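Review bot: `ossl_dyn_create_callback` now calls `rb_nativethread_lock_initialize(&dynlock->lock)` without checking the `OPENSSL_malloc` result, so an allocation failure dereferences NULL inside an OpenSSL callback; the removed side guarded this with `if (dynlock)`. Keep the guard, `if (dynlock) rb_nativethread_lock_initialize(&dynlock->lock);`, and let the NULL return report the failure. In `Init_ossl_locks` the overflow guard divides by `sizeof(VALUE)` while the allocation multiplies by `sizeof(rb_nativethread_lock_t)`; both should use the same element size, e.g. `INT_MAX / (int)sizeof(rb_nativethread_lock_t)`. The new `ossl_lock_unlock` also drops the owner/count bookkeeping of the removed version, so a same-thread re-acquire would presumably block; that is worth confirming against the deadlock entry for OpenSSL before 1.1.0 that this release's History.md no longer lists.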