Module: OpenSSL
Overview
Init main module
Constant Summary
-
OPENSSL_FIPS =
# File 'ext/openssl/ossl.c', line 1200#ifdef OPENSSL_FIPS Qtrue #else Qfalse #endif
-
OPENSSL_LIBRARY_VERSION =
# File 'ext/openssl/ossl.c', line 1186rb_str_new2(OpenSSL_version(OPENSSL_VERSION))
-
OPENSSL_VERSION =
# File 'ext/openssl/ossl.c', line 1180
Version of
OpenSSLthe rubyOpenSSLextension was built withrb_str_new2(OPENSSL_VERSION_TEXT)
-
OPENSSL_VERSION_NUMBER =
# File 'ext/openssl/ossl.c', line 1195
Version number of
OpenSSLthe rubyOpenSSLextension was built with (base 16)INT2NUM(OPENSSL_VERSION_NUMBER)
-
VERSION =
# File 'ext/openssl/lib/openssl/version.rb', line 4"3.0.1"
Class Attribute Summary
- .debug ⇒ Boolean rw mod_func
-
.debug=(boolean) ⇒ Boolean
rw
mod_func
Turns on or off debug mode.
- .fips_mode ⇒ Boolean rw mod_func
-
.fips_mode=(boolean) ⇒ Boolean
rw
mod_func
Turns FIPS mode on or off.
Class Method Summary
-
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of
HMACcalculations. -
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison.
-
Digest(name)
mod_func
Returns a
Digestsubclass by name. - .errors mod_func
-
.mem_check_start ⇒ nil
mod_func
Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON).
-
.print_mem_leaks ⇒ Boolean
mod_func
For debugging the Ruby/OpenSSL library.
Class Attribute Details
.debug ⇒ Boolean (rw, mod_func)
[ GitHub ]
# File 'ext/openssl/ossl.c', line 392
static VALUE
ossl_debug_get(VALUE self)
{
return dOSSL;
}
.debug=(boolean) ⇒ Boolean (rw, mod_func)
Turns on or off debug mode. With debug mode, all errors added to the OpenSSL error queue will be printed to stderr.
# File 'ext/openssl/ossl.c', line 405
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
dOSSL = RTEST(val) ? Qtrue : Qfalse;
return val;
}
.fips_mode ⇒ Boolean (rw, mod_func)
[ GitHub ]
# File 'ext/openssl/ossl.c', line 417
static VALUE
ossl_fips_mode_get(VALUE self)
{
#ifdef OPENSSL_FIPS
VALUE enabled;
enabled = FIPS_mode() ? Qtrue : Qfalse;
return enabled;
#else
return Qfalse;
#endif
}
.fips_mode=(boolean) ⇒ Boolean (rw, mod_func)
# File 'ext/openssl/ossl.c', line 442
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
#ifdef OPENSSL_FIPS
if (RTEST(enabled)) {
int mode = FIPS_mode();
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
ossl_raise(eOSSLError, "Turning on FIPS mode failed");
} else {
if(!FIPS_mode_set(0)) /* turning off twice is OK */
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
}
return enabled;
#else
if (RTEST(enabled))
ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
return enabled;
#endif
}
Class Method Details
Digest(name) (mod_func)
Returns a ::OpenSSL::Digest subclass by name
require 'openssl'
OpenSSL::Digest("MD5")
# => OpenSSL::Digest::MD5
Digest("Foo")
# => NameError: wrong constant name Foo.errors (mod_func)
[ GitHub ]
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of ::OpenSSL::HMAC calculations.
Returns true if the strings are identical, false if they are of the same length but not identical. If the length is different, ArgumentError is raised.
# File 'ext/openssl/ossl.c', line 634
static VALUE
ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
{
const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
long len1 = RSTRING_LEN(str1);
long len2 = RSTRING_LEN(str2);
if (len1 != len2) {
ossl_raise(rb_eArgError, "inputs must be of equal length");
}
switch (CRYPTO_memcmp(p1, p2, len1)) {
case 0: return Qtrue;
default: return Qfalse;
}
}
.mem_check_start ⇒ nil (mod_func)
Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory allocations. See also .print_mem_leaks.
This is available only when built with a capable OpenSSL and –enable-debug configure option.
# File 'ext/openssl/ossl.c', line 477
static VALUE
mem_check_start(VALUE self)
{
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
return Qnil;
}
.print_mem_leaks ⇒ Boolean (mod_func)
For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr). Prints detected memory leaks to standard error. This cleans the global state up thus you cannot use any methods of the library after calling this.
Returns true if leaks detected, false otherwise.
This is available only when built with a capable OpenSSL and –enable-debug configure option.
Example
OpenSSL.mem_check_start
NOT_GCED = OpenSSL::PKey::RSA.new(256)
END {
GC.start
OpenSSL.print_mem_leaks # will print the leakage
}# File 'ext/openssl/ossl.c', line 506
static VALUE
print_mem_leaks(VALUE self)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000
int ret;
#endif
#ifndef HAVE_RB_EXT_RACTOR_SAFE
// for Ruby 2.x
void ossl_bn_ctx_free(void); // ossl_bn.c
ossl_bn_ctx_free();
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000
ret = CRYPTO_mem_leaks_fp(stderr);
if (ret < 0)
ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
return ret ? Qfalse : Qtrue;
#else
CRYPTO_mem_leaks_fp(stderr);
return Qnil;
#endif
}
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison. Inputs are hashed using SHA-256 to mask the length of the secret. Returns true if the strings are identical, false otherwise.
# File 'ext/openssl/lib/openssl.rb', line 32
def self.secure_compare(a, b) hashed_a = OpenSSL::Digest.digest('SHA256', a) hashed_b = OpenSSL::Digest.digest('SHA256', b) OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b end