Module: OpenSSL
Constant Summary
-
LIBRESSL_VERSION_NUMBER =
# File 'ext/openssl/ossl.c', line 988
Version number of LibreSSL the ruby
OpenSSLextension was built with (base 16). The format is0xMNNFF00f (major minor fix 00 status). This constant is only defined in LibreSSL cases.See also the man page LIBRESSL_VERSION_NUMBER(3).
INT2NUM(LIBRESSL_VERSION_NUMBER)
-
OPENSSL_FIPS =
# File 'ext/openssl/ossl.c', line 994/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */ #if OSSL_OPENSSL_PREREQ(3, 0, 0) Qtrue #elif defined(OPENSSL_FIPS) Qtrue #elif defined(OPENSSL_IS_AWSLC) // AWS-LC FIPS can only be enabled during compile time. FIPS_mode() ? Qtrue : Qfalse #else Qfalse #endif
-
OPENSSL_LIBRARY_VERSION =
# File 'ext/openssl/ossl.c', line 966
Version of
OpenSSLthe rubyOpenSSLextension is running withrb_str_new2(OpenSSL_version(OPENSSL_VERSION))
-
OPENSSL_VERSION =
# File 'ext/openssl/ossl.c', line 961
Version of
OpenSSLthe rubyOpenSSLextension was built withrb_str_new2(OPENSSL_VERSION_TEXT)
-
OPENSSL_VERSION_NUMBER =
# File 'ext/openssl/ossl.c', line 978
Version number of
OpenSSLthe rubyOpenSSLextension was built with (base 16). The formats are below.- OpenSSL 3
-
0xMNN00PP0 (major minor 00 patch 0) - OpenSSL before 3
-
0xMNNFFPPS (major minor fix patch status) - LibreSSL
-
0x20000000 (fixed value)
See also the man page OPENSSL_VERSION_NUMBER(3).
INT2NUM(OPENSSL_VERSION_NUMBER)
-
VERSION =
# File 'ext/openssl/lib/openssl/version.rb', line 4"4.0.0.pre"
Class Attribute Summary
- .debug ⇒ Boolean rw mod_func
-
.debug=(boolean) ⇒ Boolean
rw
mod_func
Turns on or off debug mode.
- .fips_mode ⇒ Boolean rw mod_func
-
.fips_mode=(boolean) ⇒ Boolean
rw
mod_func
Turns FIPS mode on or off.
Class Method Summary
-
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of
HMACcalculations. -
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison.
-
Digest(name)
mod_func
Returns a
Digestsubclass by name. - .errors mod_func
Class Attribute Details
.debug ⇒ Boolean (rw, mod_func)
[ GitHub ]
# File 'ext/openssl/ossl.c', line 367
static VALUE
ossl_debug_get(VALUE self)
{
return dOSSL;
}
.debug=(boolean) ⇒ Boolean (rw, mod_func)
Turns on or off debug mode. With debug mode, all errors added to the OpenSSL error queue will be printed to stderr.
# File 'ext/openssl/ossl.c', line 380
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
dOSSL = RTEST(val) ? Qtrue : Qfalse;
return val;
}
.fips_mode ⇒ Boolean (rw, mod_func)
[ GitHub ]
# File 'ext/openssl/ossl.c', line 392
static VALUE
ossl_fips_mode_get(VALUE self)
{
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
VALUE enabled;
enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
return enabled;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
VALUE enabled;
enabled = FIPS_mode() ? Qtrue : Qfalse;
return enabled;
#else
return Qfalse;
#endif
}
.fips_mode=(boolean) ⇒ Boolean (rw, mod_func)
# File 'ext/openssl/ossl.c', line 421
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
if (RTEST(enabled)) {
if (!EVP_default_properties_enable_fips(NULL, 1)) {
ossl_raise(eOSSLError, "Turning on FIPS mode failed");
}
} else {
if (!EVP_default_properties_enable_fips(NULL, 0)) {
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
}
}
return enabled;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
if (RTEST(enabled)) {
int mode = FIPS_mode();
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
ossl_raise(eOSSLError, "Turning on FIPS mode failed");
} else {
if(!FIPS_mode_set(0)) /* turning off twice is OK */
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
}
return enabled;
#else
if (RTEST(enabled))
ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
return enabled;
#endif
}
Class Method Details
Digest(name) (mod_func)
Returns a ::OpenSSL::Digest subclass by name
require 'openssl'
OpenSSL::Digest("MD5")
# => OpenSSL::Digest::MD5
Digest("Foo")
# => NameError: wrong constant name Foo.errors (mod_func)
[ GitHub ]
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of ::OpenSSL::HMAC calculations.
Returns true if the strings are identical, false if they are of the same length but not identical. If the length is different, ArgumentError is raised.
# File 'ext/openssl/ossl.c', line 463
static VALUE
ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
{
const unsigned char *p1 = (const unsigned char *)StringValuePtr(str1);
const unsigned char *p2 = (const unsigned char *)StringValuePtr(str2);
long len1 = RSTRING_LEN(str1);
long len2 = RSTRING_LEN(str2);
if (len1 != len2) {
ossl_raise(rb_eArgError, "inputs must be of equal length");
}
switch (CRYPTO_memcmp(p1, p2, len1)) {
case 0: return Qtrue;
default: return Qfalse;
}
}
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison. Inputs are hashed using SHA-256 to mask the length of the secret. Returns true if the strings are identical, false otherwise.
# File 'ext/openssl/lib/openssl.rb', line 33
def self.secure_compare(a, b) hashed_a = OpenSSL::Digest.digest('SHA256', a) hashed_b = OpenSSL::Digest.digest('SHA256', b) OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b end