123456789_123456789_123456789_123456789_123456789_

Module: OpenSSL

Constant Summary

Class Attribute Summary

Class Method Summary

Class Attribute Details

.debugBoolean (rw, mod_func)

[ GitHub ]

  
# File 'ext/openssl/ossl.c', line 367

static VALUE
ossl_debug_get(VALUE self)
{
    return dOSSL;
}

.debug=(boolean) ⇒ Boolean (rw, mod_func)

Turns on or off debug mode. With debug mode, all errors added to the OpenSSL error queue will be printed to stderr.

[ GitHub ]

  
# File 'ext/openssl/ossl.c', line 380

static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
    dOSSL = RTEST(val) ? Qtrue : Qfalse;

    return val;
}

.fips_modeBoolean (rw, mod_func)

[ GitHub ]

  
# File 'ext/openssl/ossl.c', line 392

static VALUE
ossl_fips_mode_get(VALUE self)
{

#if OSSL_OPENSSL_PREREQ(3, 0, 0)
    VALUE enabled;
    enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
    return enabled;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    VALUE enabled;
    enabled = FIPS_mode() ? Qtrue : Qfalse;
    return enabled;
#else
    return Qfalse;
#endif
}

.fips_mode=(boolean) ⇒ Boolean (rw, mod_func)

Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an effect for FIPS-capable installations of the OpenSSL library. Trying to do so otherwise will result in an error.

Examples

OpenSSL.fips_mode = true   # turn FIPS mode on
OpenSSL.fips_mode = false  # and off again
[ GitHub ]

  
# File 'ext/openssl/ossl.c', line 421

static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
    if (RTEST(enabled)) {
        if (!EVP_default_properties_enable_fips(NULL, 1)) {
            ossl_raise(eOSSLError, "Turning on FIPS mode failed");
        }
    } else {
        if (!EVP_default_properties_enable_fips(NULL, 0)) {
            ossl_raise(eOSSLError, "Turning off FIPS mode failed");
        }
    }
    return enabled;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    if (RTEST(enabled)) {
	int mode = FIPS_mode();
	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
	    ossl_raise(eOSSLError, "Turning on FIPS mode failed");
    } else {
	if(!FIPS_mode_set(0)) /* turning off twice is OK */
	    ossl_raise(eOSSLError, "Turning off FIPS mode failed");
    }
    return enabled;
#else
    if (RTEST(enabled))
	ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
    return enabled;
#endif
}

Class Method Details

Digest(name) (mod_func)

Returns a ::OpenSSL::Digest subclass by name

require 'openssl'

OpenSSL::Digest("MD5")
# => OpenSSL::Digest::MD5

Digest("Foo")
# => NameError: wrong constant name Foo
[ GitHub ]

  
# File 'ext/openssl/lib/openssl/digest.rb', line 63

def Digest(name)
  OpenSSL::Digest.const_get(name)
end

.errors (mod_func)

[ GitHub ]

.fixed_length_secure_compare(string, string) ⇒ Boolean

Constant time memory comparison for fixed length strings, such as results of ::OpenSSL::HMAC calculations.

Returns true if the strings are identical, false if they are of the same length but not identical. If the length is different, ArgumentError is raised.

[ GitHub ]

  
# File 'ext/openssl/ossl.c', line 463

static VALUE
ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
{
    const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
    const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
    long len1 = RSTRING_LEN(str1);
    long len2 = RSTRING_LEN(str2);

    if (len1 != len2) {
        ossl_raise(rb_eArgError, "inputs must be of equal length");
    }

    switch (CRYPTO_memcmp(p1, p2, len1)) {
        case 0:	return Qtrue;
        default: return Qfalse;
    }
}

.secure_compare(string, string) ⇒ Boolean

Constant time memory comparison. Inputs are hashed using SHA-256 to mask the length of the secret. Returns true if the strings are identical, false otherwise.

[ GitHub ]

  
# File 'ext/openssl/lib/openssl.rb', line 33

def self.secure_compare(a, b)
  hashed_a = OpenSSL::Digest.digest('SHA256', a)
  hashed_b = OpenSSL::Digest.digest('SHA256', b)
  OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b
end