| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Remove tool/update-gh-pages as it is no longer necessary.
|
|\
| |
| | |
Clarify license
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING
|
| |
| |
| |
| | |
This is for consistency with ruby/ruby.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ruby/openssl is licensed under the terms of either the Ruby License or
the 2-Clause BSD License.
The git repository and built .gem files always contained the license
text for both license, but the metadata in the gemspec only specified
the Ruby License. Let's include both.
|
|\ \
| | |
| | | |
Add X509::Certificate#tbs_bytes
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
Ref https://github.com/ruby/openssl/issues/519
This makes verifying embedded certificate transparency signatures
significantly easier, as otherwise the alternative was manipulating the
ASN1 sequence, as in
https://github.com/segiddins/sigstore-cosign-verify/pull/2/commits/656d992fa816613fd9936f53ce30972c2f2f4957
|
|\ \
| | |
| | | |
Fix test_create_with_mac_iter accidently setting keytype not maciter
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This test was accidentally passing the value 2048 into the keytype
parameter of PKCS12_create, not the mac_iter parameter (because it had
one too many `nil`s in the call). This value is invalid, and will make
OpenSSL perform an out-of-bounds read which is caught when compiling
with ASAN.
This commit fixes the tests, and also adds some validation to
PKCS12.create to make sure any keytype passed is actually valid. Since
there only two valid keytype constants, and the whole feature is an
export-grade crypto era thing only ever supported by old MSIE, it seems
far more likely that code in the whild is using keytype similarly by
mistake rather than as intended. So this validation might catch that.
|
|\ \
| | |
| | | |
Don't download OpenSSL from ftp.openssl.org anyomre
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL announced that they're changing how they handle releases in this
blog post: https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
The tl;dr is that:
* ftp.openssl.org is being shut down (even for HTTP access)
* The releases at openssl.org/source will redirect to github
* git.openssl.org is also shut down (the git repo is on github)
This commit just changes over to using openss.org/source instead of
ftp.openssl.org. We might also need to switch to downloading directly
from Github... let's see.
It also changes to cloning the head of openssl from github too.
|
|\ \
| | |
| | | |
[CI] test.yml - use `bundle exec`, use setup-ruby bundler-cache, fixes Windows issue
|
|/ / |
|
|\ \
| | |
| | |
| | |
| | | |
segiddins/segiddins/add-to_text-for-pkcs7-and-timestamp-response
Add to_text for PKCS7 and Timestamp::Response
|
| | | |
|
|\ \ \
| |/ /
|/| | |
read: don't clear buffer when nothing can be read
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To be consistent with regular Ruby IOs:
```ruby
r, _ = IO.pipe
buf = "garbage".b
r.read_nonblock(10, buf, exception: false) # => :wait_readable
p buf # => "garbage"
```
Ref: https://github.com/redis-rb/redis-client/commit/98b8944460a11f8508217bda71cfc10cb2190d4d
|
| |
| |
| |
| |
| |
| |
| | |
Ruby 3.0 is EOL by 2024-04.
Also, update the OpenSSL compatibility list to include OpenSSL 3.2-3.3,
which are ABI-compatible with 3.1.
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-3.2:
Fix modular square root test with LibreSSL >= 3.8
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint-3.1:
Fix modular square root test with LibreSSL >= 3.8
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ This is a backport to the 3.1 branch. ]
If x is a modular square root of a (mod p) then so is (p - x). Both
answers are valid. In particular, both 2 and 3 are valid square roots
of 4 (mod 5). Do not assume that a particular square root is chosen by
the algorithm. Indeed, the algorithm in OpenSSL and LibreSSL <= 3.7
returns a non-deterministic answer in many cases. LibreSSL 3.8 and
later will always return the smaller of the two possible answers. This
breaks the current test case.
Instead of checking for a particular square root, check that the square
of the claimed square root is the given value. This is always true. Add
the simplest test case where the answer is indeed non-deterministic.
(cherry picked from commit 93548ae9597ba40d3f8b564f6a948ce55b432e30)
|
| | |\ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* maint-3.0:
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)
|
| | | |\ \
| | | | | |
| | | | | | |
Handle missing content in PKCS7
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Fixes [Bug #19974]
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
| | | |\ \ \
| | | | |/ /
| | | |/| | |
cipher: fix buffer overflow in Cipher#update
|
| | | |/ /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
OpenSSL::Cipher#update currently allocates the output buffer with size
(input data length)+(the block size of the cipher). This is insufficient
for the id-aes{128,192,256}-wrap-pad (AES keywrap with padding) ciphers.
They have a block size of 8 bytes, but the output may be up to 15 bytes
larger than the input.
Use (input data length)+EVP_MAX_BLOCK_LENGTH (== 32) as the output
buffer size, instead. OpenSSL doesn't provide a generic way to tell the
maximum required buffer size for ciphers, but this is large enough for
all algorithms implemented in current versions of OpenSSL.
Fixes: https://bugs.ruby-lang.org/issues/20236
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This patch only applies to the 3.0 and 3.1 branch. ]
It is a test case for SSLSocket generating an informative error message
on a certificate verification failure. A change in OpenSSL 3.1 broke it
and a generic error message is currently generated.
This is fixed in the 3.2 branch by commit 5113777e8271, but I decided
not to backport the commit to the 3.0 branch because the diff doesn't
apply cleanly.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This is a backport to the 3.0 branch. ]
Backport changes made to .github/workflows/test.yml in master branch,
except:
- Minimum version is Ruby 2.6
- FIPS-mode related changes are excluded (as it's not supported)
This includes the following commits:
fcf53d5d6e88 CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
567b412612c3 CI: Upgrade OpenSSL and LibreSSL versions.
405f1eee3dcf CI: Add OpenSSL no-legacy case.
9a995837ba7b CI: Upgrade OpenSSL and LibreSSL versions.
6feeeb821592 CI: Add the rubyinstaller2 issue link that legacy provider is not loaded.
7aed35ac969d Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
adfb6bb9e5b7 CI: Add OpenSSL 3.2.0.
fafe1af4a96e CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
f07e6f5ff2e7 CI: Upgrade OpenSSL and LibreSSL versions.
0dda88d44811 Merge pull request #682 from ruby/dependabot/github_actions/actions/checkout-4
0b83eed154de Rakefile: Add test_fips task for convenience.
b94314f7165f Bump actions/checkout from 3 to 4
8c7a6a17e2bd Remove OSSL_DEBUG compile-time option
e35f19076aac CI: Replace "mode" in "FIPS mode" with "module".
61434f66d6a4 Rakefile: Print FIPS information in the `rake debug`.
7ec8024b1e9a CI: Add OpenSSL master branch head non-FIPS and FIPS cases.
24d8addd2ac9 CI: Upgrade OpenSSL versions.
fddfc5585482 CI: Add OpenSSL 3.1 FIPS case.
58ce7fa4b90c .github/workflows/test.yml: add provider load path for Windows
f6e57e1b9088 CI: Fix a typo in the comment. [ci skip]
52402f6a1cad CI: Check compiler warnings.
f6ba75e51e05 Drop support for Ruby 2.6
3456770a4219 CI: Upgrade OpenSSL and LibreSSL versions.
79786cab6f77 CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).
8149cdf6e874 CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.
08e19817b5d0 CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.
121b3b2a35ca Revert "CI: Enable the verbose mode in the mkmf.rb."
a832f5cb98ee CI: Enable the verbose mode in the mkmf.rb.
18b017218ca8 CI: Add OpenSSL FIPS mode case.
af27f509a147 .github/workflows/test.yml: Update OpenSSL versions
d277123cb7bb skip failing test with truffleruby and ubuntu-22.04
25352f4f6c08 Exclude truffleruby with macos-latest
d7f90c7c03b7 Fix missing needs call
064066437607 Try to run with TruffleRuby
aeee125a7b3d Use ruby/actions/.github/workflows/ruby_versions.yml@master
fd4074235877 .github/workflows/test.yml: update LibreSSL versions
ff2fe4b4c5b3 Strip trailing spaces [ci skip]
9c24dccf5436 Actions - Use Ubuntu 20.04 for 1.1.1 CI, misc fixes
cc876f58532c [CI] test.yml - test-openssls - use 1.1.1q, 3.0.5
0fb8d1b43aa5 [CI] add Ubuntu-22.04 and update mswin, all are OpenSSL 3
158868649532 Merge pull request #505 from ruby/update-actions
9f901dc05ce5 Test on LibreSSL 3.4 and 3.5
f2d072cad504 Use actions/checkout@v3
699e2749f525 Added 3.1
b28df9025f12 Install openssl with vcpkg on mswin
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This is a backport to the 3.0 branch. ]
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
(cherry picked from commit c06fdeb0912221d9a2888369bbf9c10704af021e)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This is a backport to the 3.0 branch. ]
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.
```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
431: # LibreSSL 3.6.0 requires the seconds element
432: return if libressl?
=> 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
435: # not implemented
436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
408: end
409: # Seconds is omitted. LibreSSL 3.6.0 requires it
410: return if libressl?
=> 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
413: # not implemented
414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```
(cherry picked from commit 2e826d571546cdc3beaa884f9e522a102d531641)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:
> - The ASN.1 time parser has been refactored and rewritten using CBS.
> It has been made stricter in that it now enforces the rules from
> RFC 5280.
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt
(cherry picked from commit bbc540fe83195e2a54cf40fab448cea2afe4df1d)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
(cherry picked from commit 475b2bf766d6093370e49abd5dce5436cc0034ca)
|
| | | |\ \
| | | | | |
| | | | | | |
Fix regression in do_write(s) causing significant performance issues when using large (>10meg) writes
|
| | | |/ /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This causes significant performance issues when using large (>10meg) writes
Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbyts/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utlization.
|
|\ \ \ \ \
| |_|_|_|/
|/| | | | |
asn1: check error return from i2d_ASN1_TYPE()
|
|/ / / /
| | | |
| | | |
| | | |
| | | | |
i2d_ASN1_TYPE() is not expected to fail, but the return value should be
checked.
|
|\ \ \ \
| | | | |
| | | | | |
Remove trailing space in test_ssl.rb
|
|/ / / / |
|
|\ \ \ \
| | | | |
| | | | | |
Add OpenSSL::Digest.digests to get a list of available digests
|
| | | | | |
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
|
| | | | | |
| | | | | |
| | | | | | |
The issue https://github.com/oneclick/rubyinstaller2/issues/365 was fixed with the 3.2.4 and 3.3.1 releases.
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Introduce basic support for `close_read` and `close_write`.
|
| | | | | | | |
|
| | | | | | | |
|
|/ / / / / / |
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
|