Module: OpenSSL
Overview
Init main module
Constant Summary
-
OPENSSL_FIPS =
# File 'ext/openssl/ossl.c', line 1200#ifdef OPENSSL_FIPS Qtrue #else Qfalse #endif
-
OPENSSL_LIBRARY_VERSION =
# File 'ext/openssl/ossl.c', line 1186rb_str_new2(OpenSSL_version(OPENSSL_VERSION))
-
OPENSSL_VERSION =
Version of OpenSSL the Ruby OpenSSL extension was built with
rb_str_new2(OPENSSL_VERSION_TEXT)
-
OPENSSL_VERSION_NUMBER =
Version number of OpenSSL the Ruby OpenSSL extension was built with (base 16)
INT2NUM(OPENSSL_VERSION_NUMBER)
-
VERSION =
# File 'ext/openssl/lib/openssl/version.rb', line 4"3.1.0"
Class Attribute Summary
- .debug ⇒ Boolean rw mod_func
-
.debug=(boolean) ⇒ Boolean
rw
mod_func
Turns on or off debug mode.
- .fips_mode ⇒ Boolean rw mod_func
-
.fips_mode=(boolean) ⇒ Boolean
rw
mod_func
Turns FIPS mode on or off.
Class Method Summary
-
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of HMAC calculations.
-
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison.
-
Digest(name)
mod_func
Returns a Digest subclass by name.
- .errors mod_func
-
.mem_check_start ⇒ nil
mod_func
Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON).
-
.print_mem_leaks ⇒ Boolean
mod_func
For debugging the Ruby/OpenSSL library.
Class Attribute Details
.debug ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 392
/*
 * OpenSSL.debug -> true | false
 *
 * Returns the extension-wide debug flag kept in dOSSL. While the flag is
 * on, errors added to the OpenSSL error queue are also printed to stderr
 * (see ossl_debug_set, which is the only writer of dOSSL on this page).
 */
static VALUE
ossl_debug_get(VALUE self)
{
    return dOSSL;
}
.debug=(boolean) ⇒ Boolean
(rw, mod_func)
Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
error queue will be printed to stderr.
# File 'ext/openssl/ossl.c', line 405
/*
 * OpenSSL.debug = boolean
 *
 * Turns debug mode on or off. Any truthy +val+ enables it; +nil+/+false+
 * disables it. The flag is normalised to Qtrue/Qfalse before being stored
 * in dOSSL, but the caller's original +val+ is what gets returned.
 */
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
    if (RTEST(val))
        dOSSL = Qtrue;
    else
        dOSSL = Qfalse;

    /* Return the value as assigned, not the normalised boolean. */
    return val;
}
.fips_mode ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 417
/*
 * OpenSSL.fips_mode -> true | false
 *
 * Reports whether the underlying OpenSSL library currently has FIPS mode
 * enabled, as seen by FIPS_mode(). When the extension was built against an
 * OpenSSL without FIPS support (OPENSSL_FIPS undefined) the answer is
 * always +false+.
 */
static VALUE
ossl_fips_mode_get(VALUE self)
{
#ifdef OPENSSL_FIPS
    return FIPS_mode() ? Qtrue : Qfalse;
#else
    /* No FIPS support compiled in: the mode can never be on. */
    return Qfalse;
#endif
}
.fips_mode=(boolean) ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 442
/*
 * OpenSSL.fips_mode = boolean
 *
 * Turns FIPS mode on or off in the underlying OpenSSL library.
 *
 * Raises eOSSLError (the extension's OpenSSL error class) when the library
 * refuses the transition, or when +enabled+ is truthy and this build has
 * no FIPS support at all. Returns +enabled+ unchanged on success.
 */
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
#ifdef OPENSSL_FIPS
    if (!RTEST(enabled)) {
        /* Turning FIPS mode off when it is already off is accepted by
         * OpenSSL, so no pre-check is needed here. */
        if (!FIPS_mode_set(0))
            ossl_raise(eOSSLError, "Turning off FIPS mode failed");
        return enabled;
    }

    /* Enabling FIPS mode while it is already on is an error in OpenSSL,
     * so only call FIPS_mode_set(1) when the mode is currently off. */
    if (!FIPS_mode() && !FIPS_mode_set(1))
        ossl_raise(eOSSLError, "Turning on FIPS mode failed");
    return enabled;
#else
    /* Without FIPS support, only a request to disable is satisfiable. */
    if (RTEST(enabled))
        ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
    return enabled;
#endif
}
Class Method Details
Digest(name) (mod_func)
Returns a ::OpenSSL::Digest
subclass by name
require 'openssl'
OpenSSL::Digest("MD5")   # looks up the Digest subclass for an algorithm name
# => OpenSSL::Digest::MD5
# (MD5 is only a short example name; it is not collision-resistant, prefer SHA-2 for new code)
Digest("Foo")            # an unknown algorithm name raises rather than returning nil
# => NameError: wrong constant name Foo
.errors (mod_func)
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of ::OpenSSL::HMAC
calculations.
Returns true
if the strings are identical, false
if they are of the same length but not identical. If the length is different, ArgumentError
is raised.
# File 'ext/openssl/ossl.c', line 634
/*
 * OpenSSL.fixed_length_secure_compare(string, string) -> true | false
 *
 * Constant-time comparison of two equal-length strings, intended for MAC
 * or digest outputs. The comparison itself is delegated to CRYPTO_memcmp,
 * whose running time does not depend on where the first differing byte is.
 *
 * Raises rb_eArgError when the lengths differ. That check happens before
 * the constant-time compare, so the early exit can only reveal whether the
 * lengths matched, never anything about the contents; callers that need
 * to hide the length must hash first (see OpenSSL.secure_compare).
 */
static VALUE
ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
{
    const unsigned char *lhs = (const unsigned char *)StringValuePtr(str1);
    const unsigned char *rhs = (const unsigned char *)StringValuePtr(str2);
    long lhs_len = RSTRING_LEN(str1);
    long rhs_len = RSTRING_LEN(str2);

    if (lhs_len != rhs_len)
        ossl_raise(rb_eArgError, "inputs must be of equal length");

    /* Only the final verdict branches on the result, not the byte scan. */
    if (CRYPTO_memcmp(lhs, rhs, lhs_len) != 0)
        return Qfalse;
    return Qtrue;
}
.mem_check_start ⇒ nil
(mod_func)
Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory allocations. See also .print_mem_leaks.
This is available only when built with a capable OpenSSL and the --enable-debug configure option.
# File 'ext/openssl/ossl.c', line 477
/*
 * OpenSSL.mem_check_start -> nil
 *
 * Enables OpenSSL's allocation tracking via
 * CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Debug-build aid only; pair it
 * with print_mem_leaks, which reports what was tracked. Always returns nil.
 */
static VALUE
mem_check_start(VALUE self)
{
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
    return Qnil;
}
.print_mem_leaks ⇒ Boolean
(mod_func)
For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr). Prints detected memory leaks to standard error. This cleans up the global state, so no methods of the library can be used after calling this.
Returns true
if leaks detected, false
otherwise.
This is available only when built with a capable OpenSSL and the --enable-debug configure option.
Example
OpenSSL.mem_check_start                 # start tracking allocations before anything is created
NOT_GCED = OpenSSL::PKey::RSA.new(256)  # held in a constant so it survives GC and shows up in the report (256 bits is a demo size only)
END {
GC.start                                # collect everything unreferenced first, so only real leaks remain
OpenSSL.print_mem_leaks # will print the leakage
}
# File 'ext/openssl/ossl.c', line 506
/*
 * OpenSSL.print_mem_leaks -> true | false (nil on OpenSSL < 1.1)
 *
 * Debug aid: asks OpenSSL to write any allocations still outstanding to
 * stderr via CRYPTO_mem_leaks_fp. On OpenSSL 1.1+ returns +true+ if leaks
 * were reported and +false+ if none were; raises eOSSLError if the call
 * itself fails. Older OpenSSL gives no result, so +nil+ is returned there.
 *
 * This tears down OpenSSL's global state, so the library must not be used
 * afterwards.
 */
static VALUE
print_mem_leaks(VALUE self)
{
#ifndef HAVE_RB_EXT_RACTOR_SAFE
    /* Ruby 2.x: free the BN_CTX owned by ossl_bn.c first, presumably so
     * it is not itself listed as a leak. */
    void ossl_bn_ctx_free(void);
    ossl_bn_ctx_free();
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10100000
    {
        int status = CRYPTO_mem_leaks_fp(stderr);

        if (status < 0)
            ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");

        /* A non-zero status means "no leaks", hence the inversion. */
        return status ? Qfalse : Qtrue;
    }
#else
    CRYPTO_mem_leaks_fp(stderr);
    return Qnil;
#endif
}
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison. Inputs are hashed using SHA-256 to mask the length of the secret. Returns true
if the strings are identical, false
otherwise.
# File 'ext/openssl/lib/openssl.rb', line 32
# Constant-time comparison of two strings that need not be the same length.
#
# Both inputs are first reduced to SHA-256 digests, so the constant-time
# compare always runs over equal-length data and the secret's length is not
# exposed through the ArgumentError that fixed_length_secure_compare raises
# for mismatched lengths. The trailing +a == b+ is evaluated only after the
# digests already matched.
#
# @param a [String]
# @param b [String]
# @return [Boolean] true if +a+ and +b+ are identical, false otherwise
def self.secure_compare(a, b)
  digests = [a, b].map { |s| OpenSSL::Digest.digest('SHA256', s) }
  OpenSSL.fixed_length_secure_compare(*digests) && a == b
end