| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING
|
|
|
|
| |
This is for consistency with ruby/ruby.
|
|
|
|
|
|
|
|
|
| |
ruby/openssl is licensed under the terms of either the Ruby License or
the 2-Clause BSD License.
The git repository and built .gem files always contained the license
text for both license, but the metadata in the gemspec only specified
the Ruby License. Let's include both.
|
|\
| |
| | |
Remove trailing space in test_ssl.rb
|
|/ |
|
|\
| |
| | |
Add OpenSSL::Digest.digests to get a list of available digests
|
| | |
|
| | |
|
|\ \
| | |
| | | |
CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
|
| | |
| | |
| | | |
The issue https://github.com/oneclick/rubyinstaller2/issues/365 was fixed with the 3.2.4 and 3.3.1 releases.
|
|\ \ \
| | | |
| | | | |
Introduce basic support for `close_read` and `close_write`.
|
| | | | |
|
| | | | |
|
|/ / / |
|
|\ \ \
| |/ /
|/| | |
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
|
|\ \
| | |
| | | |
CI: Upgrade OpenSSL and LibreSSL versions.
|
|/ / |
|
|\ \
| | |
| | | |
Use www.rfc-editor.org for RFC text.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use the following site for that now:
* https://tools.ietf.org/ or http
* https://datatracker.ietf.org or http
Today, IETF said the official site of RFC is www.rfc-editor.org.
FYI: https://authors.ietf.org/en/references-in-rfcxml
I replaced them to www.rfc-editor.org.
|
|\ \
| | |
| | | |
Fix test_pkey_dsa.rb in FIPS.
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Note that I created the `dsa2048.pem` and signature text
(`signature_encoded.txt`), that is used as a text to create the `signature0` in
the `test_sign_verify` by the following steps with the `openssl` CLI on FIPS
module.
```
$ OPENSSL_DIR="${HOME}/.local/openssl-3.3.0-dev-fips-debug-1f03d33ef5"
$ export OPENSSL_CONF="${OPENSSL_DIR}/ssl/openssl_fips.cnf"
$ "${OPENSSL_DIR}/bin/openssl" dsaparam -out dsaparam2048.pem 2048
$ "${OPENSSL_DIR}/bin/openssl" gendsa -out dsa2048.pem dsaparam2048.pem
$ echo -n "Sign me!" > data.txt
$ "${OPENSSL_DIR}/bin/openssl" dgst -sha256 -sign dsa2048.pem data.txt > signature.txt
$ cat signature.txt | base64 > signature_encoded.txt
```
Skip the `test_DSAPrivateKey_encrypted` on FIPS because AES-128-CBC, the
password based encryption used in the PEM format uses MD5 for deriving the
encryption key from the password, and MD5 is not FIPS-approved.
See also the comment on the `test/openssl/utils.rb#omit_on_fips`.
|
|\ \
| |/
|/| |
Revert openssl dir workaround on TruffleRuby
|
| |
| |
| |
| |
| |
| |
| | |
on TruffleRuby"
* This reverts commit ca738e7e13570e88eaa9892cbb3dffb330320706.
* No longer needed since https://github.com/oracle/truffleruby/issues/3170 was fixed.
|
|\ \
| | |
| | | |
test_provider.rb: Make a legacy provider test optional.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In some cases such as OpenSSL package in FreeBSD[1], the legacy provider is not
installed intentionally. So, we omit a test depending the legacy provider if the
legacy provider is not loadable.
For the test_openssl_provider_names test, we use base provider[2] instead of
legacy provider, because we would expect the base provider is always loadable
in OpenSSL 3 for now.
* [1] https://www.freshports.org/security/openssl/
* [2] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
|
| | |
| | |
| | |
| | | |
Add the case of the OpenSSL that doesn't install the legacy provider.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit 9b7543d58869ae359eb745d7feafbb522ad1fd1e.
The case not providing the legacy provider can happen not only in FreeBSD but
also in other platforms. The fix is addressed in the next commit.
|
|\ \ \
| |/ /
|/| | |
test_asn1.rb: Remove the assertions of the time string format without second.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.
```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
431: # LibreSSL 3.6.0 requires the seconds element
432: return if libressl?
=> 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
435: # not implemented
436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
408: end
409: # Seconds is omitted. LibreSSL 3.6.0 requires it
410: return if libressl?
=> 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
413: # not implemented
414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```
|
|\ \
| | |
| | | |
omit tests related legacy provider
|
| | |
| | |
| | |
| | | |
d95d3484a90a985b971ef4c55762847d92b6c81a
|
| | |
| | |
| | |
| | |
| | |
| | | |
It failed with recent update of FreeBSD
https://rubyci.s3.amazonaws.com/freebsd13/ruby-master/log/20240207T023002Z.fail.html.gz
|
|\ \ \
| |/ /
|/| | |
CI: Upgrade OpenSSL and LibreSSL versions.
|
|/ / |
|
|\ \
| | |
| | | |
test/openssl/test_ocsp.rb: fix flaky test
|
| |/
| |
| |
| | |
Fixes: https://github.com/ruby/openssl/issues/695
|
| |
| |
| |
| | |
* Add support for IO#timeout.
|
|\ \
| | |
| | | |
Only set min_version on OpenSSL < 1.1.0
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Both Red Hat and Debian-like systems configure the minimum TLS version
to be 1.2 by default, but allow users to change this via configs.
On Red Hat and derivatives this happens via crypto-policies[1], which in
writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
Most notably, it sets TLS.MinProtocol there. For Debian there's
MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
considered a secure default.
In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
for min_version. TLS 1.0 and 1.1 are considered insecure. By always
setting this in the default parameters, the system wide default can't be
respected, even if a developer wants to.
This takes the approach that's also done for ciphers: it's only set for
OpenSSL < 1.1.0.
[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
|
| | | |
|
|/ / |
|
|\ \
| | |
| | | |
CI: Added the rubyinstaller2 issue link that legacy provider is not loaded.
|
|/ /
| |
| |
| |
| |
| |
| | |
* Add the upstream rubyinstaller2 issue link as a comment. The issue is that the
legacy provider (legacy.dll) is not loaded in Windows MSYS2 OpenSSL 3
environment.
* Polish the text on the comment.
|
|\ \
| |/
|/| |
Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is a workaround to avoid the following test failures by loading
legacy provider.
```
2) Error: test_openssl_legacy_provider(OpenSSL::TestProvider): OpenSSL::Provider::ProviderError: Failed to load legacy provider: (null) (name=legacy)
D:/a/ruby-openssl/ruby-openssl/test/openssl/test_provider.rb:62:in `load'
D:/a/ruby-openssl/ruby-openssl/test/openssl/test_provider.rb:62:in `<main>'
D:/a/ruby-openssl/ruby-openssl/test/openssl/test_provider.rb:61:in `with_openssl'
D:/a/ruby-openssl/ruby-openssl/test/openssl/test_provider.rb:36:in `test_openssl_legacy_provider'
33: end
34:
35: def test_openssl_legacy_provider
=> 36: with_openssl(<<-'end;')
37: OpenSSL::Provider.load("legacy")
38: algo = "RC4"
39: data = "a" * 1000
```
|
|\
| |
| | |
Fix test_pkey_dh.rb in FIPS.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]
```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```
The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]
As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.
```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
dhparam -out dh2048_ffdhe2048.pem 2048
```
Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.
* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
policy document page 25, Table 10 – Public Keys - DH Public
- DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1
|
|\ \
| | |
| | | |
Use Markdown reference-style links in documents. [ci skip]
|
| |/
| |
| |
| |
| |
| | |
Use Markdown reference-style links due to a better readability.
See <https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#links>
for details.
|