author | Yusuke Endoh <[email protected]> | 2021-02-16 18:21:51 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <[email protected]> | 2021-07-18 17:45:02 +0900 |
commit | 3d37e5d11cdf02ed433493126e195e194d4000dc (patch) | |
tree | 6aad8033503059b5e42e7f31547fdd7ed0c33b13 /ext/openssl/ossl_bn.c | |
parent | 5fc2912e60c2bc58ff486d3f23f654f742332d3f (diff) |
[ruby/openssl] Add OpenSSL::BN#set_flags and #get_flags
Also, OpenSSL::BN::CONSTTIME is added.
OpenSSL itself had a feature that was vulnerable against a side-channel
attack. The OpenSSL authors determined that it was not a security issue,
and they have already fixed the issue by using BN_set_flags.
https://github.com/openssl/openssl/pull/13888
If a Ruby OpenSSL user was faced with a similar issue, they couldn't
prevent the issue because Ruby OpenSSL lacks a wrapper to BN_set_flags.
For the case, this change introduces the wrapper.
https://github.com/ruby/openssl/commit/1e565eba89
Diffstat (limited to 'ext/openssl/ossl_bn.c')
-rw-r--r-- | ext/openssl/ossl_bn.c | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index 025307894f..8d0f63a986 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -1191,6 +1191,42 @@ ossl_bn_is_prime_fasttest(int argc, VALUE *argv, VALUE self)
 }

 /*
+ * call-seq:
+ * bn.get_flags(flags) => flags
+ *
+ * Returns the flags on the BN object.
+ * The argument is used as a bit mask.
+ *
+ * === Parameters
+ * * _flags_ - integer
+ */
+static VALUE
+ossl_bn_get_flags(VALUE self, VALUE arg)
+{
+ BIGNUM *bn;
+ GetBN(self, bn);
+
+ return INT2NUM(BN_get_flags(bn, NUM2INT(arg)));
+}
+
+/*
+ * call-seq:
+ * bn.set_flags(flags) => nil
+ *
+ * Enables the flags on the BN object.
+ * Currently, the flags argument can contain zero of OpenSSL::BN::CONSTTIME.
+ */
+static VALUE
+ossl_bn_set_flags(VALUE self, VALUE arg)
+{
+ BIGNUM *bn;
+ GetBN(self, bn);
+
+ BN_set_flags(bn, NUM2INT(arg));
+ return Qnil;
+}
+
+/*
 * INIT
 * (NOTE: ordering of methods is the same as in 'man bn')
 */
@@ -1289,6 +1325,23 @@ Init_ossl_bn(void)
 /* lshift1 - DON'T IMPL. */
 /* rshift1 - DON'T IMPL. */

+ rb_define_method(cBN, "get_flags", ossl_bn_get_flags, 1);
+ rb_define_method(cBN, "set_flags", ossl_bn_set_flags, 1);
+
+#ifdef BN_FLG_CONSTTIME
+ rb_define_const(cBN, "CONSTTIME", INT2NUM(BN_FLG_CONSTTIME));
+#endif
+ /* BN_FLG_MALLOCED and BN_FLG_STATIC_DATA seems for C programming.
+ * Allowing them leads to memory leak.
+ * So, for now, they are not exported
+#ifdef BN_FLG_MALLOCED
+ rb_define_const(cBN, "MALLOCED", INT2NUM(BN_FLG_MALLOCED));
+#endif
+#ifdef BN_FLG_STATIC_DATA
+ rb_define_const(cBN, "STATIC_DATA", INT2NUM(BN_FLG_STATIC_DATA));
+#endif
+ */
+
 /*
 * bn2bin
 * bin2bn |
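Review bot: `ossl_bn_set_flags` hands whatever integer the Ruby caller supplies straight to `BN_set_flags`, so the decision in the `Init_ossl_bn` hunk not to export MALLOCED and STATIC_DATA (its comment says allowing them leads to a memory leak) is enforced only by the absence of constants; a caller can still pass those bit values as a raw integer. Rejecting unsupported bits in the wrapper would close that gap: `int flags = NUM2INT(arg);` then `if (flags & ~BN_FLG_CONSTTIME) rb_raise(rb_eArgError, "unsupported BN flags");` before `BN_set_flags(bn, flags);`, guarded the same way as the `#ifdef BN_FLG_CONSTTIME` in the other hunk. In the rdoc, "can contain zero of OpenSSL::BN::CONSTTIME" reads like a typo, presumably for "zero or OpenSSL::BN::CONSTTIME". The rdoc could also say that the flag is set on this object only, and that whether values derived from it keep the flag should be confirmed against the OpenSSL version in use.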
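Review bot: The block comment after the CONSTTIME constant carries disabled `#ifdef`/`rb_define_const` lines inside `/* ... */`, which is easy to misread as live preprocessor logic and will drift from the real constant list. A plain rationale would be clearer, for example `/* BN_FLG_MALLOCED and BN_FLG_STATIC_DATA are intentionally not exported: they appear to be meant for C callers, and allowing them leads to a memory leak. */`. Separately, `get_flags` and `set_flags` are registered unconditionally while `CONSTTIME` is defined only under `#ifdef BN_FLG_CONSTTIME`, so a build without that macro would expose the methods with no documented flag to pass; registering them under the same guard would keep the two consistent. `Init_ossl_bn` starts and ends outside the hunk.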