Module: OpenSSL
Constant Summary
-
LIBRESSL_VERSION_NUMBER =
Version number of LibreSSL the Ruby OpenSSL extension was built with (base 16). The format is 0xMNNFF00f (major minor fix 00 status). This constant is only defined in LibreSSL cases. See also the man page LIBRESSL_VERSION_NUMBER(3).
INT2NUM(LIBRESSL_VERSION_NUMBER)
-
OPENSSL_FIPS =
# File 'ext/openssl/ossl.c', line 994
/* Value of OpenSSL::OPENSSL_FIPS: whether the linked library is FIPS-capable.
 * This is a compile-time answer about the library, not a statement that FIPS
 * mode is currently enabled; use OpenSSL.fips_mode for the runtime state. */
/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
    Qtrue
#elif defined(OPENSSL_FIPS)
    /* OpenSSL 1.x built with the FIPS option. */
    Qtrue
#elif defined(OPENSSL_IS_AWSLC)
    // AWS-LC FIPS can only be enabled during compile time.
    /* So here the build-time FIPS_mode() result is the capability answer. */
    FIPS_mode() ? Qtrue : Qfalse
#else
    Qfalse
#endif
-
OPENSSL_LIBRARY_VERSION =
Version of OpenSSL the Ruby OpenSSL extension is running with
rb_str_new2(OpenSSL_version(OPENSSL_VERSION))
-
OPENSSL_VERSION =
Version of OpenSSL the Ruby OpenSSL extension was built with
rb_str_new2(OPENSSL_VERSION_TEXT)
-
OPENSSL_VERSION_NUMBER =
Version number of OpenSSL the Ruby OpenSSL extension was built with (base 16). The formats are below.
- OpenSSL 3: 0xMNN00PP0 (major minor 00 patch 0)
- OpenSSL before 3: 0xMNNFFPPS (major minor fix patch status)
- LibreSSL: 0x20000000 (fixed value)
See also the man page OPENSSL_VERSION_NUMBER(3).
INT2NUM(OPENSSL_VERSION_NUMBER)
-
VERSION =
# File 'ext/openssl/lib/openssl/version.rb', line 4
"4.0.0.pre"
Class Attribute Summary
- .debug ⇒ Boolean rw mod_func
-
.debug=(boolean) ⇒ Boolean
rw
mod_func
Turns on or off debug mode.
- .fips_mode ⇒ Boolean rw mod_func
-
.fips_mode=(boolean) ⇒ Boolean
rw
mod_func
Turns FIPS mode on or off.
Class Method Summary
-
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of HMAC calculations.
-
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison.
-
Digest(name)
mod_func
Returns a Digest subclass by name.
- .errors mod_func
Class Attribute Details
.debug ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 367
/*
 * call-seq:
 *   OpenSSL.debug -> true | false
 *
 * Returns the current value of the module-level debug flag (dOSSL).
 * The receiver is not consulted.
 */
static VALUE
ossl_debug_get(VALUE self)
{
    VALUE flag = dOSSL;
    return flag;
}
.debug=(boolean) ⇒ Boolean
(rw, mod_func)
Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
error queue will be printed to stderr.
# File 'ext/openssl/ossl.c', line 380
/*
 * call-seq:
 *   OpenSSL.debug = boolean -> boolean
 *
 * Stores the truthiness of +val+ in the module-level debug flag (dOSSL),
 * normalised to Qtrue/Qfalse, and returns +val+ unchanged so the assignment
 * expression evaluates to what the caller passed.
 */
static VALUE
ossl_debug_set(VALUE self, VALUE val)
{
    if (RTEST(val))
        dOSSL = Qtrue;
    else
        dOSSL = Qfalse;
    return val;
}
.fips_mode ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 392
/*
 * call-seq:
 *   OpenSSL.fips_mode -> true | false
 *
 * Reports whether FIPS mode is currently enabled in the linked library.
 * OpenSSL 3: asks whether the "fips" default property is enabled on the
 * default library context (NULL). OpenSSL 1.x FIPS builds and AWS-LC: asks
 * FIPS_mode(). Builds without any FIPS support always answer false.
 */
static VALUE
ossl_fips_mode_get(VALUE self)
{
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
    /* NULL selects OpenSSL's default library context. */
    if (EVP_default_properties_is_fips_enabled(NULL))
        return Qtrue;
    return Qfalse;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    if (FIPS_mode())
        return Qtrue;
    return Qfalse;
#else
    return Qfalse;
#endif
}
.fips_mode=(boolean) ⇒ Boolean
(rw, mod_func)
# File 'ext/openssl/ossl.c', line 421
/*
 * call-seq:
 *   OpenSSL.fips_mode = boolean -> boolean
 *
 * Turns FIPS mode on (truthy +enabled+) or off (falsy +enabled+) and returns
 * +enabled+ unchanged.
 *
 * Raises OpenSSL::OpenSSLError when the library refuses the change, or, on
 * builds with no FIPS support at all, when the caller asks to turn it on
 * (turning it off on such a build is a no-op).
 */
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
    int want_on = RTEST(enabled);

#if OSSL_OPENSSL_PREREQ(3, 0, 0)
    /* OpenSSL 3 models FIPS mode as a property on the default library
     * context (NULL). NOTE(review): this call only sets that property; it
     * does not by itself check that a FIPS provider is loaded, so algorithm
     * fetches may still fail later — confirm whether callers should verify
     * provider availability separately. */
    int rc = EVP_default_properties_enable_fips(NULL, want_on ? 1 : 0);
    if (!rc && want_on)
        ossl_raise(eOSSLError, "Turning on FIPS mode failed");
    if (!rc)
        ossl_raise(eOSSLError, "Turning off FIPS mode failed");
    return enabled;
#elif defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    if (want_on) {
        /* FIPS_mode_set(1) fails when the mode is already on, so it is only
         * attempted when FIPS_mode() reports it off. */
        if (!FIPS_mode() && !FIPS_mode_set(1))
            ossl_raise(eOSSLError, "Turning on FIPS mode failed");
    } else {
        /* Turning off is safe to repeat, so no pre-check is needed. */
        if (!FIPS_mode_set(0))
            ossl_raise(eOSSLError, "Turning off FIPS mode failed");
    }
    return enabled;
#else
    if (want_on)
        ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
    return enabled;
#endif
}
Class Method Details
Digest(name) (mod_func)
Returns a ::OpenSSL::Digest
subclass by name
require 'openssl'
OpenSSL::Digest("MD5")
# => OpenSSL::Digest::MD5
Digest("Foo")
# => NameError: wrong constant name Foo
.errors (mod_func)
.fixed_length_secure_compare(string, string) ⇒ Boolean
Constant time memory comparison for fixed length strings, such as results of ::OpenSSL::HMAC
calculations.
Returns true
if the strings are identical, false
if they are of the same length but not identical. If the length is different, ArgumentError
is raised.
# File 'ext/openssl/ossl.c', line 463
/*
 * call-seq:
 *   OpenSSL.fixed_length_secure_compare(string, string) -> true | false
 *
 * Compares two equal-length strings in time that does not depend on where
 * (or whether) their contents differ, via CRYPTO_memcmp.
 *
 * Returns true when the bytes are identical, false otherwise.
 * Raises ArgumentError when the lengths differ. Because that check happens
 * before the comparison, the length of the inputs is not protected — only
 * their contents are; callers needing to hide length should hash first, as
 * OpenSSL.secure_compare does.
 */
static VALUE
ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2)
{
    /* StringValuePtr also coerces non-String arguments via to_str. */
    const unsigned char *buf1 = (const unsigned char *)StringValuePtr(str1);
    const unsigned char *buf2 = (const unsigned char *)StringValuePtr(str2);
    long n = RSTRING_LEN(str1);

    if (RSTRING_LEN(str2) != n)
        ossl_raise(rb_eArgError, "inputs must be of equal length");

    /* CRYPTO_memcmp examines every byte regardless of early mismatches. */
    return CRYPTO_memcmp(buf1, buf2, n) == 0 ? Qtrue : Qfalse;
}
.secure_compare(string, string) ⇒ Boolean
Constant time memory comparison. Inputs are hashed using SHA-256 to mask the length of the secret. Returns true
if the strings are identical, false
otherwise.
# File 'ext/openssl/lib/openssl.rb', line 33
# Constant-time comparison of two strings of arbitrary length.
#
# Both inputs are first reduced to SHA-256 digests so the constant-time
# comparison always runs over fixed-size buffers and the lengths of the
# secrets are not revealed through ArgumentError or timing. The trailing
# `a == b` guards against a digest collision; it only executes when the
# digests already matched, so its early-exit timing reveals nothing new.
#
# @param a [String]
# @param b [String]
# @return [Boolean] true if +a+ and +b+ are identical, false otherwise
def self.secure_compare(a, b)
  digest_a, digest_b = [a, b].map { |s| OpenSSL::Digest.digest('SHA256', s) }
  return false unless OpenSSL.fixed_length_secure_compare(digest_a, digest_b)
  a == b
end