ruby-changes:47619
From: rhe <ko1@a...>
Date: Sun, 3 Sep 2017 21:35:36 +0900 (JST)
Subject: [ruby-changes:47619] rhe:r59734 (trunk): openssl: import v2.1.0.beta1
rhe 2017-09-03 21:35:27 +0900 (Sun, 03 Sep 2017)

  New Revision: 59734

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=59734

  Log:
    openssl: import v2.1.0.beta1

    Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5
    (imported by r59567) can be found at:

      https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1

    ----------------------------------------------------------------
    Antonio Terceiro (1):
          test/test_ssl: explicitly accept TLS 1.1 in corresponding test

    Colby Swandale (1):
          document using secure protocol to fetch git master in Bundler

    Colton Jenkins (1):
          Add fips_mode_get to return fips_mode

    Kazuki Yamaguchi (85):
          Start preparing for 2.1.0
          Remove support for OpenSSL 0.9.8 and 1.0.0
          bn: refine tests
          bn: implement unary {plus,minus} operators for OpenSSL::BN
          bn: implement OpenSSL::BN#negative?
          Don't define main() when built with --enable-debug
          test: let OpenSSL::TestCase include OpenSSL::TestUtils
          test: prepare test PKey instances on demand
          Add OpenSSL.print_mem_leaks
          Enable OSSL_MDEBUG on CI builds
          ssl: move default DH parameters from OpenSSL::PKey::DH
          Make exceptions with the same format regardless of OpenSSL.debug
          ssl: show reason of 'certificate verify error' in exception message
          ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
          ssl: do not confuse different ex_data index registries
          ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
          Fix RDoc markup
          ssl: suppress compiler warning
          ext/openssl/deprecation.rb: remove broken-apple-openssl
          extconf.rb: print informative message if OpenSSL can't be found
          Rakefile: compile the extension before test
          kdf: introduce OpenSSL::KDF module
          ossl.h: add NUM2UINT64T() macro
          kdf: add scrypt
          Expand rb_define_copy_func() macro
          Expand FPTR_TO_FD() macro
          Remove SafeGet*() macros
          cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()
          digest: rename GetDigestPtr() to ossl_evp_get_digestbyname()
          Add ossl_str_new(), an exception-safe rb_str_new()
          bio: simplify ossl_membio2str() using ossl_str_new()
          Remove unused functions and macros
          Drop support for LibreSSL 2.3
          ocsp: add OpenSSL::OCSP::Request#signed?
          asn1: infinite length -> indefinite length
          asn1: rearrange tests
          ssl: remove a needless NULL check in SSL::SSLContext#ciphers
          ssl: return nil in SSL::SSLSocket#cipher if session is not started
          asn1: remove an unnecessary function prototype
          asn1: require tag information when instantiating generic type
          asn1: initialize 'unused_bits' attribute of BitString with 0
          asn1: check for illegal 'unused_bits' value of BitString
          asn1: disallow NULL to be passed to asn1time_to_time()
          asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid
          asn1: allow constructed encoding with definite length form
          asn1: prohibit indefinite length form for primitive encoding
          asn1: allow tag number to be >= 32 for universal tag class
          asn1: use ossl_asn1_tag()
          asn1: clean up OpenSSL::ASN1::Constructive#to_der
          asn1: harmonize OpenSSL::ASN1::*#to_der
          asn1: prevent EOC octets from being in the middle of the content
          asn1: do not treat EOC octets as part of content octets
          x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
          ssl: do not call session_remove_cb during GC
          Backport "Merge branch 'topic/test-memory-leak'" to maint
          cipher: update the documentation for Cipher#auth_tag=
          Rakefile: let sync:to_ruby know about test/openssl/fixtures
          test: fix formatting
          test/utils: remove OpenSSL::TestUtils.silent
          test/utils: add SSLTestCase#tls12_supported?
          test/utils: have start_server yield only the port number
          test/utils: do not set ecdh_curves in start_server
          test/utils: let server_loop close socket
          test/utils: improve error handling in start_server
          test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
          test/utils: do not use DSA certificates in SSL tests
          test/test_ssl: remove test_invalid_shutdown_by_gc
          test/test_ssl: move test_multibyte_read_write to test_pair
          test/test_ssl_session: rearrange tests
          test/test_pair, test/test_ssl: fix for TLS 1.3
          ssl: remove useless call to rb_thread_wait_fd()
          ssl: fix NPN support
          ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private
          ssl: use 2048-bit group in the default tmp_dh_cb
          ssl: ensure that SSL option flags are non-negative
          ssl: update OpenSSL::SSL::OP_* flags
          ssl: prefer TLS_method() over SSLv23_method()
          ssl: add SSLContext#min_version= and #max_version=
          ssl: rework SSLContext#ssl_version=
          test/test_x509name: change script encoding to ASCII-8BIT
          x509name: refactor OpenSSL::X509::Name#to_s
          x509name: add OpenSSL::X509::Name#to_utf8
          x509name: add OpenSSL::X509::Name#inspect
          x509name: update regexp in OpenSSL::X509::Name.parse
          Ruby/OpenSSL 2.1.0.beta1

    Marcus Stollsteimer (1):
          Fix rdoc for core Integer class

    nobu (4):
          [DOC] {read,write}_nonblock with exception: false
          [DOC] keyword argument _exception_
          [DOC] mark up literals
          Revert r57690 except for read_nonblock

  Added directories:
    trunk/test/openssl/fixtures/
    trunk/test/openssl/fixtures/pkey/
  Added files:
    trunk/ext/openssl/lib/openssl/pkcs5.rb
    trunk/ext/openssl/ossl_kdf.c
    trunk/ext/openssl/ossl_kdf.h
    trunk/test/openssl/fixtures/pkey/dh1024.pem
    trunk/test/openssl/fixtures/pkey/dsa1024.pem
    trunk/test/openssl/fixtures/pkey/dsa256.pem
    trunk/test/openssl/fixtures/pkey/dsa512.pem
    trunk/test/openssl/fixtures/pkey/p256.pem
    trunk/test/openssl/fixtures/pkey/rsa1024.pem
    trunk/test/openssl/fixtures/pkey/rsa2048.pem
    trunk/test/openssl/test_kdf.rb
  Removed files:
    trunk/ext/openssl/ossl_pkcs5.c
    trunk/ext/openssl/ossl_pkcs5.h
    trunk/test/openssl/test_pkcs5.rb
  Modified files:
    trunk/ext/openssl/History.md
    trunk/ext/openssl/depend
    trunk/ext/openssl/deprecation.rb
    trunk/ext/openssl/extconf.rb
    trunk/ext/openssl/lib/openssl/bn.rb
    trunk/ext/openssl/lib/openssl/buffering.rb
    trunk/ext/openssl/lib/openssl/config.rb
    trunk/ext/openssl/lib/openssl/digest.rb
    trunk/ext/openssl/lib/openssl/pkey.rb
    trunk/ext/openssl/lib/openssl/ssl.rb
    trunk/ext/openssl/lib/openssl/x509.rb
    trunk/ext/openssl/lib/openssl.rb
    trunk/ext/openssl/openssl.gemspec
    trunk/ext/openssl/openssl_missing.c
    trunk/ext/openssl/openssl_missing.h
    trunk/ext/openssl/ossl.c
    trunk/ext/openssl/ossl.h
    trunk/ext/openssl/ossl_asn1.c
    trunk/ext/openssl/ossl_asn1.h
    trunk/ext/openssl/ossl_bio.c
    trunk/ext/openssl/ossl_bio.h
    trunk/ext/openssl/ossl_bn.c
    trunk/ext/openssl/ossl_cipher.c
    trunk/ext/openssl/ossl_cipher.h
    trunk/ext/openssl/ossl_digest.c
    trunk/ext/openssl/ossl_digest.h
    trunk/ext/openssl/ossl_engine.c
    trunk/ext/openssl/ossl_hmac.c
    trunk/ext/openssl/ossl_ns_spki.c
    trunk/ext/openssl/ossl_ocsp.c
    trunk/ext/openssl/ossl_pkcs12.c
    trunk/ext/openssl/ossl_pkcs7.c
    trunk/ext/openssl/ossl_pkey.c
    trunk/ext/openssl/ossl_pkey.h
    trunk/ext/openssl/ossl_pkey_dh.c
    trunk/ext/openssl/ossl_pkey_dsa.c
    trunk/ext/openssl/ossl_pkey_ec.c
    trunk/ext/openssl/ossl_pkey_rsa.c
    trunk/ext/openssl/ossl_rand.c
    trunk/ext/openssl/ossl_ssl.c
    trunk/ext/openssl/ossl_ssl.h
    trunk/ext/openssl/ossl_ssl_session.c
    trunk/ext/openssl/ossl_version.h
    trunk/ext/openssl/ossl_x509.c
    trunk/ext/openssl/ossl_x509.h
    trunk/ext/openssl/ossl_x509attr.c
    trunk/ext/openssl/ossl_x509cert.c
    trunk/ext/openssl/ossl_x509crl.c
    trunk/ext/openssl/ossl_x509ext.c
    trunk/ext/openssl/ossl_x509name.c
    trunk/ext/openssl/ossl_x509req.c
    trunk/ext/openssl/ossl_x509revoked.c
    trunk/ext/openssl/ossl_x509store.c
    trunk/ext/openssl/ruby_missing.h
    trunk/test/openssl/test_asn1.rb
    trunk/test/openssl/test_bn.rb
    trunk/test/openssl/test_buffering.rb
    trunk/test/openssl/test_cipher.rb
    trunk/test/openssl/test_config.rb
    trunk/test/openssl/test_digest.rb
    trunk/test/openssl/test_engine.rb
    trunk/test/openssl/test_fips.rb
    trunk/test/openssl/test_hmac.rb
    trunk/test/openssl/test_ns_spki.rb
    trunk/test/openssl/test_ocsp.rb
    trunk/test/openssl/test_pair.rb
    trunk/test/openssl/test_pkcs12.rb
    trunk/test/openssl/test_pkcs7.rb
    trunk/test/openssl/test_pkey_dh.rb
    trunk/test/openssl/test_pkey_dsa.rb
    trunk/test/openssl/test_pkey_ec.rb
    trunk/test/openssl/test_pkey_rsa.rb
    trunk/test/openssl/test_random.rb
    trunk/test/openssl/test_ssl.rb
    trunk/test/openssl/test_ssl_session.rb
    trunk/test/openssl/test_x509attr.rb
    trunk/test/openssl/test_x509cert.rb
    trunk/test/openssl/test_x509crl.rb
    trunk/test/openssl/test_x509ext.rb
    trunk/test/openssl/test_x509name.rb
    trunk/test/openssl/test_x509req.rb
    trunk/test/openssl/test_x509store.rb
    trunk/test/openssl/ut_eof.rb
    trunk/test/openssl/utils.rb

Index: ext/openssl/ossl_pkcs5.c =================================================================== --- ext/openssl/ossl_pkcs5.c (revision 59733) +++ ext/openssl/ossl_pkcs5.c (nonexistent) 
@@ -1,180 +0,0 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkcs5.c#L0 -/* - * Copyright (C) 2007 Technorama Ltd. <oss-ruby@t...> - */ -#include "ossl.h" - -VALUE mPKCS5; -VALUE ePKCS5; - -#ifdef HAVE_PKCS5_PBKDF2_HMAC -/* - * call-seq: - * PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string - * - * === Parameters - * * +pass+ - string - * * +salt+ - string - should be at least 8 bytes long. - * * +iter+ - integer - should be greater than 1000. 20000 is better. - * * +keylen+ - integer - * * +digest+ - a string or OpenSSL::Digest object. - * - * Available in OpenSSL >= 1.0.0. - * - * Digests other than SHA1 may not be supported by other cryptography libraries. - */ -static VALUE -ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen, VALUE digest) -{ - VALUE str; - const EVP_MD *md; - int len = NUM2INT(keylen); - - StringValue(pass); - StringValue(salt); - md = GetDigestPtr(digest); - - str = rb_str_new(0, len); - - if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LENINT(pass), - (unsigned char *)RSTRING_PTR(salt), RSTRING_LENINT(salt), - NUM2INT(iter), md, len, - (unsigned char *)RSTRING_PTR(str)) != 1) - ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC"); - - return str; -} -#else -#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement -#endif - - -/* - * call-seq: - * PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, keylen) => string - * - * === Parameters - * * +pass+ - string - * * +salt+ - string - should be at least 8 bytes long. - * * +iter+ - integer - should be greater than 1000. 20000 is better. - * * +keylen+ - integer - * - * This method is available in almost any version of OpenSSL. - * - * Conforms to RFC 2898. 
- */ -static VALUE -ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen) -{ - VALUE str; - int len = NUM2INT(keylen); - - StringValue(pass); - StringValue(salt); - - str = rb_str_new(0, len); - - if (PKCS5_PBKDF2_HMAC_SHA1(RSTRING_PTR(pass), RSTRING_LENINT(pass), - (const unsigned char *)RSTRING_PTR(salt), RSTRING_LENINT(salt), NUM2INT(iter), - len, (unsigned char *)RSTRING_PTR(str)) != 1) - ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC_SHA1"); - - return str; -} - -void -Init_ossl_pkcs5(void) -{ -#if 0 - mOSSL = rb_define_module("OpenSSL"); - eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError); -#endif - - /* Document-class: OpenSSL::PKCS5 - * - * Provides password-based encryption functionality based on PKCS#5. - * Typically used for securely deriving arbitrary length symmetric keys - * to be used with an OpenSSL::Cipher from passwords. Another use case - * is for storing passwords: Due to the ability to tweak the effort of - * computation by increasing the iteration count, computation can be - * slowed down artificially in order to render possible attacks infeasible. - * - * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based - * HMAC, or an arbitrary Digest if the underlying version of OpenSSL - * already supports it (>= 1.0.0). - * - * === Parameters - * ==== Password - * Typically an arbitrary String that represents the password to be used - * for deriving a key. - * ==== Salt - * Prevents attacks based on dictionaries of common passwords. It is a - * public value that can be safely stored along with the password (e.g. - * if PBKDF2 is used for password storage). For maximum security, a fresh, - * random salt should be generated for each stored password. According - * to PKCS#5, a salt should be at least 8 bytes long. - * ==== Iteration Count - * Allows to tweak the length that the actual computation will take. The - * larger the iteration count, the longer it will take. 
- * ==== Key Length - * Specifies the length in bytes of the output that will be generated. - * Typically, the key length should be larger than or equal to the output - * length of the underlying digest function, otherwise an attacker could - * simply try to brute-force the key. According to PKCS#5, security is - * limited by the output length of the underlying digest function, i.e. - * security is not improved if a key length strictly larger than the - * digest output length is chosen. Therefore, when using PKCS5 for - * password storage, it suffices to store values equal to the digest - * output length, nothing is gained by storing larger values. - * - * == Examples - * === Generating a 128 bit key for a Cipher (e.g. AES) - * pass = "secret" - * salt = OpenSSL::Random.random_bytes(16) - * iter = 20000 - * key_len = 16 - * key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, key_len) - * - * === Storing Passwords - * pass = "secret" - * salt = OpenSSL::Random.random_bytes(16) #store this with the generated value - * iter = 20000 - * digest = OpenSSL::Digest::SHA256.new - * len = digest.digest_length - * #the final value to be stored - * value = OpenSSL::PKCS5.pbkdf2_hmac(pass, salt, iter, len, digest) - * - * === Important Note on Checking Passwords - * When comparing passwords provided by the user with previously stored - * values, a common mistake made is comparing the two values using "==". - * Typically, "==" short-circuits on evaluation, and is therefore - * vulnerable to timing attacks. The proper way is to use a method that - * always takes the same amount of time when comparing two values, thus - * not leaking any information to potential attackers. 
To compare two - * values, the following could be used: - * def eql_time_cmp(a, b) - * unless a.length == b.length - * return false - * end - * cmp = b.bytes.to_a - * result = 0 - * a.bytes.each_with_index {|c,i| - * result |= c ^ cmp[i] - * } - * result == 0 - * end - * Please note that the premature return in case of differing lengths - * typically does not leak valuable information - when using PKCS#5, the - * length of the values to be compared is of fixed size. - */ - - mPKCS5 = rb_define_module_under(mOSSL, "PKCS5"); - /* Document-class: OpenSSL::PKCS5::PKCS5Error - * - * Generic Exception class that is raised if an error occurs during a - * computation. - */ - ePKCS5 = rb_define_class_under(mPKCS5, "PKCS5Error", eOSSLError); - - rb_define_module_function(mPKCS5, "pbkdf2_hmac", ossl_pkcs5_pbkdf2_hmac, 5); - rb_define_module_function(mPKCS5, "pbkdf2_hmac_sha1", ossl_pkcs5_pbkdf2_hmac_sha1, 4); -} Property changes on: ext/openssl/ossl_pkcs5.c ___________________________________________________________________ Deleted: svn:eol-style ## -1 +0,0 ## -LF \ No newline at end of property Index: ext/openssl/ossl_pkcs5.h =================================================================== --- ext/openssl/ossl_pkcs5.h (revision 59733) +++ ext/openssl/ossl_pkcs5.h (nonexistent) @@ -1,6 +0,0 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkcs5.h#L0 -#if !defined(_OSSL_PKCS5_H_) -#define _OSSL_PKCS5_H_ - -void Init_ossl_pkcs5(void); - -#endif /* _OSSL_PKCS5_H_ */ Property changes on: ext/openssl/ossl_pkcs5.h ___________________________________________________________________ Deleted: svn:eol-style ## -1 +0,0 ## -LF \ No newline at end of property Index: ext/openssl/ossl_rand.c =================================================================== --- ext/openssl/ossl_rand.c (revision 59733) +++ ext/openssl/ossl_rand.c (revision 59734) 
@@ -16,7 +16,7 @@ VALUE eRandomError; https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L16 * call-seq: * seed(str) -> str * - * ::seed is equivalent to ::add where +entropy+ is length of +str+. + * ::seed is equivalent to ::add where _entropy_ is length of _str_. */ static VALUE ossl_rand_seed(VALUE self, VALUE str) @@ -31,15 +31,15 @@ ossl_rand_seed(VALUE self, VALUE str) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L31 * call-seq: * add(str, entropy) -> self * - * Mixes the bytes from +str+ into the Pseudo Random Number Generator(PRNG) + * Mixes the bytes from _str_ into the Pseudo Random Number Generator(PRNG) * state. * - * Thus, if the data from +str+ are unpredictable to an adversary, this + * Thus, if the data from _str_ are unpredictable to an adversary, this * increases the uncertainty about the state and makes the PRNG output less * predictable. * - * The +entropy+ argument is (the lower bound of) an estimate of how much - * randomness is contained in +str+, measured in bytes. + * The _entropy_ argument is (the lower bound of) an estimate of how much + * randomness is contained in _str_, measured in bytes. * * === Example * @@ -62,7 +62,7 @@ ossl_rand_add(VALUE self, VALUE str, VAL https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L62 * call-seq: * load_random_file(filename) -> true * - * Reads bytes from +filename+ and adds them to the PRNG. + * Reads bytes from _filename_ and adds them to the PRNG. */ static VALUE ossl_rand_load_file(VALUE self, VALUE filename) @@ -79,7 +79,7 @@ ossl_rand_load_file(VALUE self, VALUE fi https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L79 * call-seq: * write_random_file(filename) -> true * - * Writes a number of random generated bytes (currently 1024) to +filename+ + * Writes a number of random generated bytes (currently 1024) to _filename_ * which can be used to initialize the PRNG by calling ::load_random_file in a * later session. */ 
@@ -98,7 +98,7 @@ ossl_rand_write_file(VALUE self, VALUE f https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L98 * call-seq: * random_bytes(length) -> string * - * Generates +string+ with +length+ number of cryptographically strong + * Generates a String with _length_ number of cryptographically strong * pseudo-random bytes. * * === Example @@ -129,7 +129,7 @@ ossl_rand_bytes(VALUE self, VALUE len) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L129 * call-seq: * pseudo_bytes(length) -> string * - * Generates +string+ with +length+ number of pseudo-random bytes. + * Generates a String with _length_ number of pseudo-random bytes. * * Pseudo-random byte sequences generated by ::pseudo_bytes will be unique if * they are of sufficient length, but are not necessarily unpredictable. @@ -176,9 +176,9 @@ ossl_rand_egd(VALUE self, VALUE filename https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L176 * call-seq: * egd_bytes(filename, length) -> true * - * Queries the entropy gathering daemon EGD on socket path given by +filename+. + * Queries the entropy gathering daemon EGD on socket path given by _filename_. * - * Fetches +length+ number of bytes and uses ::add to seed the OpenSSL built-in + * Fetches _length_ number of bytes and uses ::add to seed the OpenSSL built-in * PRNG. */ static VALUE @@ -199,7 +199,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE fi https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_rand.c#L199 * call-seq: * status? => true | false * - * Return true if the PRNG has been seeded with enough data, false otherwise. + * Return +true+ if the PRNG has been seeded with enough data, +false+ otherwise. */ static VALUE ossl_rand_status(VALUE self) Index: ext/openssl/extconf.rb =================================================================== --- ext/openssl/extconf.rb (revision 59733) +++ ext/openssl/extconf.rb (revision 59734) 
@@ -91,30 +91,19 @@ unless result https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L91 unless find_openssl_library Logging::message "=== Checking for required stuff failed. ===\n" Logging::message "Makefile wasn't created. Fix the errors above.\n" - exit 1 + raise "OpenSSL library could not be found. You might want to use " \ + "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \ + "is installed." end end -result = checking_for("OpenSSL version is 0.9.8 or later") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h") -} -unless result - raise "OpenSSL 0.9.8 or later required." -end - -if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") - raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')" +unless checking_for("OpenSSL version is 1.0.1 or later") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") } + raise "OpenSSL >= 1.0.1 or LibreSSL is required" end Logging::message "=== Checking for OpenSSL features... ===\n" # compile options - -# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros -# like OPENSSL_NO_SSL2 may not be defined. -have_func("SSLv2_method") -have_func("SSLv3_method") -have_func("TLSv1_1_method") -have_func("TLSv1_2_method") have_func("RAND_egd") engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni} 
@@ -122,30 +111,6 @@ engines.each { |name| https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L111 OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") } -# added in 0.9.8X -have_func("EVP_CIPHER_CTX_new") -have_func("EVP_CIPHER_CTX_free") -OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h") - -# added in 1.0.0 -have_func("ASN1_TIME_adj") -have_func("EVP_CIPHER_CTX_copy") -have_func("EVP_PKEY_base_id") -have_func("HMAC_CTX_copy") -have_func("PKCS5_PBKDF2_HMAC") -have_func("X509_NAME_hash_old") -have_func("X509_STORE_CTX_get0_current_crl") -have_func("X509_STORE_set_verify_cb") -have_func("i2d_ASN1_SET_ANY") -have_func("SSL_SESSION_cmp") # removed -OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h") -have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h") -have_func("EVP_PKEY_get0") - -# added in 1.0.1 -have_func("SSL_CTX_set_next_proto_select_cb") -have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION") - # added in 1.0.2 have_func("EC_curve_nist2nid") have_func("X509_REVOKED_dup") @@ -189,6 +154,7 @@ OpenSSL.check_func_or_macro("SSL_CTX_set https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L154 have_func("SSL_CTX_get_security_level") have_func("X509_get0_notBefore") have_func("SSL_SESSION_get_protocol_version") +have_func("EVP_PBE_scrypt") Logging::message "=== Checking done. ===\n" Index: ext/openssl/ossl_pkey_dsa.c =================================================================== --- ext/openssl/ossl_pkey_dsa.c (revision 59733) +++ ext/openssl/ossl_pkey_dsa.c (revision 59734) @@ -172,7 +172,7 @@ dsa_generate(int size) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L172 * from scratch. * * === Parameters - * * +size+ is an integer representing the desired key size. + * * _size_ is an integer representing the desired key size. * */ static VALUE 
@@ -195,12 +195,12 @@ ossl_dsa_s_generate(VALUE klass, VALUE s https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L195 * DSA.new(size) -> dsa * DSA.new(string [, pass]) -> dsa * - * Creates a new DSA instance by reading an existing key from +string+. + * Creates a new DSA instance by reading an existing key from _string_. * * === Parameters - * * +size+ is an integer representing the desired key size. - * * +string+ contains a DER or PEM encoded key. - * * +pass+ is a string that contains an optional password. + * * _size_ is an integer representing the desired key size. + * * _string_ contains a DER or PEM encoded key. + * * _pass_ is a string that contains an optional password. * * === Examples * DSA.new -> dsa @@ -329,8 +329,8 @@ ossl_dsa_is_private(VALUE self) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L329 * Encodes this DSA to its PEM encoding. * * === Parameters - * * +cipher+ is an OpenSSL::Cipher. - * * +password+ is a string containing your password. + * * _cipher_ is an OpenSSL::Cipher. + * * _password_ is a string containing your password. * * === Examples * DSA.to_pem -> aString @@ -348,7 +348,7 @@ ossl_dsa_export(int argc, VALUE *argv, V https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L348 GetDSA(self, dsa); rb_scan_args(argc, argv, "02", &cipher, &pass); if (!NIL_P(cipher)) { - ciph = GetCipherPtr(cipher); + ciph = ossl_evp_get_cipherbyname(cipher); pass = ossl_pem_passwd_value(pass); } if (!(out = BIO_new(BIO_s_mem()))) { 
@@ -503,12 +503,12 @@ ossl_dsa_to_public_key(VALUE self) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L503 * call-seq: * dsa.syssign(string) -> aString * - * Computes and returns the DSA signature of +string+, where +string+ is + * Computes and returns the DSA signature of _string_, where _string_ is * expected to be an already-computed message digest of the original input * data. The signature is issued using the private key of this DSA instance. * * === Parameters - * * +string+ is a message digest of the original input data to be signed + * * _string_ is a message digest of the original input data to be signed. * * === Example * dsa = OpenSSL::PKey::DSA.new(2048) @@ -549,11 +549,11 @@ ossl_dsa_sign(VALUE self, VALUE data) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L549 * dsa.sysverify(digest, sig) -> true | false * * Verifies whether the signature is valid given the message digest input. It - * does so by validating +sig+ using the public key of this DSA instance. + * does so by validating _sig_ using the public key of this DSA instance. * * === Parameters - * * +digest+ is a message digest of the original input data to be signed - * * +sig+ is a DSA signature value + * * _digest_ is a message digest of the original input data to be signed + * * _sig_ is a DSA signature value * * === Example * dsa = OpenSSL::PKey::DSA.new(2048) @@ -590,7 +590,7 @@ ossl_dsa_verify(VALUE self, VALUE digest https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L590 * call-seq: * dsa.set_pqg(p, q, g) -> self * - * Sets +p+, +q+, +g+ for the DSA instance. + * Sets _p_, _q_, _g_ to the DSA instance. */ OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g) /* 
@@ -598,7 +598,7 @@ OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L598 * call-seq: * dsa.set_key(pub_key, priv_key) -> self * - * Sets +pub_key+ and +priv_key+ for the DSA instance. +priv_key+ may be nil. + * Sets _pub_key_ and _priv_key_ for the DSA instance. _priv_key_ may be +nil+. */ OSSL_PKEY_BN_DEF2(dsa, DSA, key, pub_key, priv_key) @@ -627,18 +627,12 @@ Init_ossl_dsa(void) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_pkey_dsa.c#L627 * DSA, the Digital Signature Algorithm, is specified in NIST's * FIPS 186-3. It is an asymmetric public key algorithm that may be used * similar to e.g. RSA. - * Please note that for OpenSSL versions prior to 1.0.0 the digest - * algorithms OpenSSL::Digest::DSS (equivalent to SHA) or - * OpenSSL::Digest::DSS1 (equivalent to SHA-1) must be used for issuing - * signatures with a DSA key using OpenSSL::PKey#sign. - * Starting with OpenSSL 1.0.0, digest algorithms are no longer restricted, - * any Digest may (... truncated) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
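
Review bot: The guidance in the "Document-class: OpenSSL::PKCS5" comment of the deleted ext/openssl/ossl_pkcs5.c (hunk -1,180 +0,0) has no visible replacement in this mail: the salt, iteration count and key length sections and the "Important Note on Checking Passwords" go away with Init_ossl_pkcs5, while the added lib/openssl/pkcs5.rb and ossl_kdf.c fall outside the part of the diff shown here. Please confirm that the text, in particular the warning against comparing stored values with "==", is carried into the OpenSSL::KDF documentation rather than dropped.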
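
Review bot: In ext/openssl/extconf.rb (hunk -91,30 +91,19) the new failure message "OpenSSL >= 1.0.1 or LibreSSL is required" names LibreSSL without a minimum version, and the only configure-time test is "OPENSSL_VERSION_NUMBER >= 0x10001000L", although the log for this import lists "Drop support for LibreSSL 2.3". If that floor is meant to be enforced here, add a second try_static_assert on LIBRESSL_VERSION_NUMBER and state the minimum in the message, so an unsupported LibreSSL stops at configure rather than partway through the build.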
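
Review bot: In ext/openssl/ossl_pkey_dsa.c (hunk -549,11 +549,11, dsa.sysverify) the parameter list still describes _digest_ as "a message digest of the original input data to be signed", which is the syssign wording; for verification it should say the data was signed. The two list items also lack the trailing period that the previous hunk adds to the syssign item, so the markup pass leaves the two methods inconsistent.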
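
Review bot: In ext/openssl/ossl_pkey_dsa.c (hunk -590,7 +590,7, dsa.set_pqg) the rewritten sentence changes "for the DSA instance" to "to the DSA instance", while the next hunk keeps "Sets _pub_key_ and _priv_key_ for the DSA instance." for set_key. Keep "for" in both so the two setters read the same.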