From 0b2c70eaa1e8e41fcb6332b22b084dabb81e637c Mon Sep 17 00:00:00 2001 From: Bart de Water Date: Sun, 19 Apr 2020 11:14:36 -0400 Subject: [ruby/openssl] Look up digest by name instead of constant https://github.com/ruby/openssl/commit/b28fb2f05c --- ext/openssl/lib/openssl.rb | 4 ++-- ext/openssl/lib/openssl/digest.rb | 15 ++------------- ext/openssl/ossl.c | 16 ++++++++-------- ext/openssl/ossl_digest.c | 32 ++++++++++++++++++-------------- ext/openssl/ossl_hmac.c | 2 +- ext/openssl/ossl_kdf.c | 2 +- ext/openssl/ossl_ns_spki.c | 2 +- ext/openssl/ossl_ocsp.c | 2 +- ext/openssl/ossl_pkey.c | 4 ++-- ext/openssl/ossl_pkey_dsa.c | 4 ++-- ext/openssl/ossl_ts.c | 6 +++--- ext/openssl/ossl_x509cert.c | 4 ++-- 12 files changed, 43 insertions(+), 50 deletions(-) (limited to 'ext') diff --git a/ext/openssl/lib/openssl.rb b/ext/openssl/lib/openssl.rb index 00e2db1f40..b047485785 100644 --- a/ext/openssl/lib/openssl.rb +++ b/ext/openssl/lib/openssl.rb @@ -31,8 +31,8 @@ module OpenSSL # the length of the secret. Returns +true+ if the strings are identical, # +false+ otherwise. def self.secure_compare(a, b) - hashed_a = OpenSSL::Digest::SHA256.digest(a) - hashed_b = OpenSSL::Digest::SHA256.digest(b) + hashed_a = OpenSSL::Digest.digest('SHA256', a) + hashed_b = OpenSSL::Digest.digest('SHA256', b) OpenSSL.fixed_length_secure_compare(hashed_a, hashed_b) && a == b end end diff --git a/ext/openssl/lib/openssl/digest.rb b/ext/openssl/lib/openssl/digest.rb index 92d358d241..2ff8398e44 100644 --- a/ext/openssl/lib/openssl/digest.rb +++ b/ext/openssl/lib/openssl/digest.rb @@ -15,17 +15,6 @@ module OpenSSL class Digest - # You can get a list of all algorithms: - # openssl list -digest-algorithms - - ALGORITHMS = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) - - if !OPENSSL_VERSION.include?("LibreSSL") && OPENSSL_VERSION_NUMBER > 0x10101000 - ALGORITHMS.concat %w(BLAKE2b512 BLAKE2s256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHA512-224 SHA512-256) - end - - ALGORITHMS.freeze - # Return the hash value computed with _name_ Digest. _name_ is either the # long name or short name of a supported digest algorithm. # @@ -35,13 +24,13 @@ module OpenSSL # # which is equivalent to: # - # OpenSSL::Digest::SHA256.digest("abc") + # OpenSSL::Digest.digest('SHA256', "abc") def self.digest(name, data) super(data, name) end - ALGORITHMS.each do |name| + %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512).each do |name| klass = Class.new(self) { define_method(:initialize, ->(data = nil) {super(name, data)}) } diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index 14a7919a93..5d3ee741af 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -739,7 +739,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * To sign a document, a cryptographically secure hash of the document is * computed first, which is then signed using the private key. * - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * signature = key.sign digest, document * * To validate the signature, again a hash of the document is computed and @@ -747,7 +747,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * compared to the hash just computed, if they are equal the signature was * valid. * - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * if key.verify digest, signature, document * puts 'Valid' * else @@ -782,7 +782,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * salt = OpenSSL::Random.random_bytes 16 * iter = 20000 * key_len = cipher.key_len - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key @@ -805,7 +805,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * salt = ... # the one generated above * iter = 20000 * key_len = cipher.key_len - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key @@ -901,7 +901,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * certificate. * * cert.issuer = name - * cert.sign key, OpenSSL::Digest::SHA1.new + * cert.sign key, OpenSSL::Digest.new('SHA1') * * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end * @@ -977,7 +977,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * * Root CA certificates are self-signed. * - * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new + * ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1') * * The CA certificate is saved to disk so it may be distributed to all the * users of the keys this CA will sign. @@ -995,7 +995,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * csr.version = 0 * csr.subject = name * csr.public_key = key.public_key - * csr.sign key, OpenSSL::Digest::SHA1.new + * csr.sign key, OpenSSL::Digest.new('SHA1') * * A CSR is saved to disk and sent to the CA for signing. * @@ -1039,7 +1039,7 @@ ossl_crypto_fixed_length_secure_compare(VALUE dummy, VALUE str1, VALUE str2) * csr_cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * - * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new + * csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1') * * open 'csr_cert.pem', 'w' do |io| * io.write csr_cert.to_pem diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c index 661b230fb7..123373233c 100644 --- a/ext/openssl/ossl_digest.c +++ b/ext/openssl/ossl_digest.c @@ -192,7 +192,7 @@ ossl_digest_reset(VALUE self) * be passed individually to the Digest instance. * * === Example - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * digest.update('First input') * digest << 'Second input' # equivalent to digest.update('Second input') * result = digest.digest @@ -248,7 +248,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self) * Returns the sn of this Digest algorithm. * * === Example - * digest = OpenSSL::Digest::SHA512.new + * digest = OpenSSL::Digest.new('SHA512') * puts digest.name # => SHA512 * */ @@ -270,7 +270,7 @@ ossl_digest_name(VALUE self) * final message digest result. * * === Example - * digest = OpenSSL::Digest::SHA1.new + * digest = OpenSSL::Digest.new('SHA1') * puts digest.digest_length # => 20 * */ @@ -294,7 +294,7 @@ ossl_digest_size(VALUE self) * consecutively. * * === Example - * digest = OpenSSL::Digest::SHA1.new + * digest = OpenSSL::Digest.new('SHA1') * puts digest.block_length # => 64 */ static VALUE @@ -348,15 +348,19 @@ Init_ossl_digest(void) * the integrity of a signed document, it suffices to re-compute the hash * and verify that it is equal to that in the signature. * - * Among the supported message digest algorithms are: - * * SHA, SHA1, SHA224, SHA256, SHA384 and SHA512 - * * MD2, MD4, MDC2 and MD5 - * * RIPEMD160 + * You can get a list of all digest algorithms supported on your system by + * running this command in your terminal: * - * For each of these algorithms, there is a sub-class of Digest that - * can be instantiated as simply as e.g. + * openssl list -digest-algorithms * - * digest = OpenSSL::Digest::SHA1.new + * Among the OpenSSL 1.1.1 supported message digest algorithms are: + * * SHA224, SHA256, SHA384, SHA512, SHA512-224 and SHA512-256 + * * SHA3-224, SHA3-256, SHA3-384 and SHA3-512 + * * BLAKE2s256 and BLAKE2b512 + * + * Each of these algorithms can be instantiated using the name: + * + * digest = OpenSSL::Digest.new('SHA256') * * === Mapping between Digest class and sn/ln * @@ -406,7 +410,7 @@ Init_ossl_digest(void) * === Hashing a file * * data = File.read('document') - * sha256 = OpenSSL::Digest::SHA256.new + * sha256 = OpenSSL::Digest.new('SHA256') * digest = sha256.digest(data) * * === Hashing several pieces of data at once @@ -414,7 +418,7 @@ Init_ossl_digest(void) * data1 = File.read('file1') * data2 = File.read('file2') * data3 = File.read('file3') - * sha256 = OpenSSL::Digest::SHA256.new + * sha256 = OpenSSL::Digest.new('SHA256') * sha256 << data1 * sha256 << data2 * sha256 << data3 @@ -423,7 +427,7 @@ Init_ossl_digest(void) * === Reuse a Digest instance * * data1 = File.read('file1') - * sha256 = OpenSSL::Digest::SHA256.new + * sha256 = OpenSSL::Digest.new('SHA256') * digest1 = sha256.digest(data1) * * data2 = File.read('file2') diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index 2ac2e5c6ce..e831cff519 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -353,7 +353,7 @@ Init_ossl_hmac(void) * data1 = File.read("file1") * data2 = File.read("file2") * key = "key" - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * hmac = OpenSSL::HMAC.new(key, digest) * hmac << data1 * hmac << data2 diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c index 3d0e66b5f5..486e789458 100644 --- a/ext/openssl/ossl_kdf.c +++ b/ext/openssl/ossl_kdf.c @@ -272,7 +272,7 @@ Init_ossl_kdf(void) * # store this with the generated value * salt = OpenSSL::Random.random_bytes(16) * iter = 20_000 - * hash = OpenSSL::Digest::SHA256.new + * hash = OpenSSL::Digest.new('SHA256') * len = hash.digest_length * # the final value to be stored * value = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter, diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c index 6f61e61bf5..9b1147367a 100644 --- a/ext/openssl/ossl_ns_spki.c +++ b/ext/openssl/ossl_ns_spki.c @@ -350,7 +350,7 @@ ossl_spki_verify(VALUE self, VALUE key) * spki = OpenSSL::Netscape::SPKI.new * spki.challenge = "RandomChallenge" * spki.public_key = key.public_key - * spki.sign(key, OpenSSL::Digest::SHA256.new) + * spki.sign(key, OpenSSL::Digest.new('SHA256')) * #send a request containing this to a server generating a certificate * === Verifying an SPKI request * request = #... diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c index 2ca4f62f70..7a92e5df68 100644 --- a/ext/openssl/ossl_ocsp.c +++ b/ext/openssl/ossl_ocsp.c @@ -1719,7 +1719,7 @@ Init_ossl_ocsp(void) * subject certificate so the CA knows which certificate we are asking * about: * - * digest = OpenSSL::Digest::SHA1.new + * digest = OpenSSL::Digest.new('SHA1') * certificate_id = * OpenSSL::OCSP::CertificateId.new subject, issuer, digest * diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index fc4cac3bc4..fc08ebf5ff 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -430,7 +430,7 @@ ossl_pkey_public_to_pem(VALUE self) * * == Example * data = 'Sign me!' - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * pkey = OpenSSL::PKey::RSA.new(2048) * signature = pkey.sign(digest, data) */ @@ -484,7 +484,7 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) * * == Example * data = 'Sign me!' - * digest = OpenSSL::Digest::SHA256.new + * digest = OpenSSL::Digest.new('SHA256') * pkey = OpenSSL::PKey::RSA.new(2048) * signature = pkey.sign(digest, data) * pub_key = pkey.public_key diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c index 56cc9dd4f1..431c20e05c 100644 --- a/ext/openssl/ossl_pkey_dsa.c +++ b/ext/openssl/ossl_pkey_dsa.c @@ -513,7 +513,7 @@ ossl_dsa_to_public_key(VALUE self) * === Example * dsa = OpenSSL::PKey::DSA.new(2048) * doc = "Sign me" - * digest = OpenSSL::Digest::SHA1.digest(doc) + * digest = OpenSSL::Digest.digest('SHA1', doc) * sig = dsa.syssign(digest) * * @@ -558,7 +558,7 @@ ossl_dsa_sign(VALUE self, VALUE data) * === Example * dsa = OpenSSL::PKey::DSA.new(2048) * doc = "Sign me" - * digest = OpenSSL::Digest::SHA1.digest(doc) + * digest = OpenSSL::Digest.digest('SHA1', doc) * sig = dsa.syssign(digest) * puts dsa.sysverify(digest, sig) # => true * diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c index ba0df750cf..160ec0d8dd 100644 --- a/ext/openssl/ossl_ts.c +++ b/ext/openssl/ossl_ts.c @@ -1281,7 +1281,7 @@ Init_ossl_ts(void) * #Assumes ts.p12 is a PKCS#12-compatible file with a private key * #and a certificate that has an extended key usage of 'timeStamping' * p12 = OpenSSL::PKCS12.new(File.open('ts.p12', 'rb'), 'pwd') - * md = OpenSSL::Digest::SHA1.new + * md = OpenSSL::Digest.new('SHA1') * hash = md.digest(data) #some binary data to be timestamped * req = OpenSSL::Timestamp::Request.new * req.algorithm = 'SHA1' @@ -1498,8 +1498,8 @@ Init_ossl_ts(void) * Must be an Array of String or OpenSSL::Digest subclass instances. * * call-seq: - * factory.allowed_digests = ["sha1", OpenSSL::Digest::SHA256.new] -> [ "sha1", OpenSSL::Digest::SHA256.new ] - * factory.allowed_digests -> array or nil + * factory.allowed_digests = ["sha1", OpenSSL::Digest.new('SHA256').new] -> [ "sha1", OpenSSL::Digest) ] + * factory.allowed_digests -> array or nil * */ cTimestampFactory = rb_define_class_under(mTimestamp, "Factory", rb_cObject); diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 40542c4a78..e3766b1b16 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -788,7 +788,7 @@ Init_ossl_x509cert(void) * root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true)) * root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) * root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false)) - * root_ca.sign(root_key, OpenSSL::Digest::SHA256.new) + * root_ca.sign(root_key, OpenSSL::Digest.new('SHA256')) * * The next step is to create the end-entity certificate using the root CA * certificate. @@ -807,7 +807,7 @@ Init_ossl_x509cert(void) * ef.issuer_certificate = root_ca * cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true)) * cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) - * cert.sign(root_key, OpenSSL::Digest::SHA256.new) + * cert.sign(root_key, OpenSSL::Digest.new('SHA256')) * */ cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject); -- cgit v1.2.3