| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
The local lib directory may contain an incomplete openssl library.
The "gemspec" line in Gemfile causes "bundle exec" to put the lib
directory in the load path. Although our Rakefile does not use openssl
itself, it still indirectly tries to load it as a RubyGems dependency.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
OpenSSL announced that they're changing how they handle releases in this
blog post: https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
The tl;dr is that:
* ftp.openssl.org is being shut down (even for HTTP access)
* The releases at openssl.org/source will redirect to github
* git.openssl.org is also shut down (the git repo is on github)
This commit just changes over to using openss.org/source instead of
ftp.openssl.org. We might also need to switch to downloading directly
from Github... let's see.
It also changes to cloning the head of openssl from github too.
(cherry picked from commit 64c50112b60e2cdcc447620a1bd73380f7186600)
|
|\
| |
| | |
Handle missing content in PKCS7
|
| |
| |
| |
| |
| |
| |
| |
| | |
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes [Bug #19974]
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
|\ \
| |/
|/| |
cipher: fix buffer overflow in Cipher#update
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL::Cipher#update currently allocates the output buffer with size
(input data length)+(the block size of the cipher). This is insufficient
for the id-aes{128,192,256}-wrap-pad (AES keywrap with padding) ciphers.
They have a block size of 8 bytes, but the output may be up to 15 bytes
larger than the input.
Use (input data length)+EVP_MAX_BLOCK_LENGTH (== 32) as the output
buffer size, instead. OpenSSL doesn't provide a generic way to tell the
maximum required buffer size for ciphers, but this is large enough for
all algorithms implemented in current versions of OpenSSL.
Fixes: https://bugs.ruby-lang.org/issues/20236
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This patch only applies to the 3.0 and 3.1 branch. ]
It is a test case for SSLSocket generating an informative error message
on a certificate verification failure. A change in OpenSSL 3.1 broke it
and a generic error message is currently generated.
This is fixed in the 3.2 branch by commit 5113777e8271, but I decided
not to backport the commit to the 3.0 branch because the diff doesn't
apply cleanly.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
Backport changes made to .github/workflows/test.yml in master branch,
except:
- Minimum version is Ruby 2.6
- FIPS-mode related changes are excluded (as it's not supported)
This includes the following commits:
fcf53d5d6e88 CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
567b412612c3 CI: Upgrade OpenSSL and LibreSSL versions.
405f1eee3dcf CI: Add OpenSSL no-legacy case.
9a995837ba7b CI: Upgrade OpenSSL and LibreSSL versions.
6feeeb821592 CI: Add the rubyinstaller2 issue link that legacy provider is not loaded.
7aed35ac969d Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
adfb6bb9e5b7 CI: Add OpenSSL 3.2.0.
fafe1af4a96e CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
f07e6f5ff2e7 CI: Upgrade OpenSSL and LibreSSL versions.
0dda88d44811 Merge pull request #682 from ruby/dependabot/github_actions/actions/checkout-4
0b83eed154de Rakefile: Add test_fips task for convenience.
b94314f7165f Bump actions/checkout from 3 to 4
8c7a6a17e2bd Remove OSSL_DEBUG compile-time option
e35f19076aac CI: Replace "mode" in "FIPS mode" with "module".
61434f66d6a4 Rakefile: Print FIPS information in the `rake debug`.
7ec8024b1e9a CI: Add OpenSSL master branch head non-FIPS and FIPS cases.
24d8addd2ac9 CI: Upgrade OpenSSL versions.
fddfc5585482 CI: Add OpenSSL 3.1 FIPS case.
58ce7fa4b90c .github/workflows/test.yml: add provider load path for Windows
f6e57e1b9088 CI: Fix a typo in the comment. [ci skip]
52402f6a1cad CI: Check compiler warnings.
f6ba75e51e05 Drop support for Ruby 2.6
3456770a4219 CI: Upgrade OpenSSL and LibreSSL versions.
79786cab6f77 CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).
8149cdf6e874 CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.
08e19817b5d0 CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.
121b3b2a35ca Revert "CI: Enable the verbose mode in the mkmf.rb."
a832f5cb98ee CI: Enable the verbose mode in the mkmf.rb.
18b017218ca8 CI: Add OpenSSL FIPS mode case.
af27f509a147 .github/workflows/test.yml: Update OpenSSL versions
d277123cb7bb skip failing test with truffleruby and ubuntu-22.04
25352f4f6c08 Exclude truffleruby with macos-latest
d7f90c7c03b7 Fix missing needs call
064066437607 Try to run with TruffleRuby
aeee125a7b3d Use ruby/actions/.github/workflows/ruby_versions.yml@master
fd4074235877 .github/workflows/test.yml: update LibreSSL versions
ff2fe4b4c5b3 Strip trailing spaces [ci skip]
9c24dccf5436 Actions - Use Ubuntu 20.04 for 1.1.1 CI, misc fixes
cc876f58532c [CI] test.yml - test-openssls - use 1.1.1q, 3.0.5
0fb8d1b43aa5 [CI] add Ubuntu-22.04 and update mswin, all are OpenSSL 3
158868649532 Merge pull request #505 from ruby/update-actions
9f901dc05ce5 Test on LibreSSL 3.4 and 3.5
f2d072cad504 Use actions/checkout@v3
699e2749f525 Added 3.1
b28df9025f12 Install openssl with vcpkg on mswin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
(cherry picked from commit c06fdeb0912221d9a2888369bbf9c10704af021e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.
```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
431: # LibreSSL 3.6.0 requires the seconds element
432: return if libressl?
=> 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
435: # not implemented
436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
408: end
409: # Seconds is omitted. LibreSSL 3.6.0 requires it
410: return if libressl?
=> 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
413: # not implemented
414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```
(cherry picked from commit 2e826d571546cdc3beaa884f9e522a102d531641)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:
> - The ASN.1 time parser has been refactored and rewritten using CBS.
> It has been made stricter in that it now enforces the rules from
> RFC 5280.
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt
(cherry picked from commit bbc540fe83195e2a54cf40fab448cea2afe4df1d)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
(cherry picked from commit 475b2bf766d6093370e49abd5dce5436cc0034ca)
|
|\
| |
| | |
Fix regression in do_write(s) causing significant performance issues when using large (>10meg) writes
|
|/
|
|
|
|
|
|
|
|
| |
This causes significant performance issues when using large (>10meg) writes
Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbyts/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utlization.
|
|
|
|
|
|
|
| |
Commit f2e2a5e5ed8e ("test/openssl/test_pkey.rb: allow failures in
test_s_generate_parameters", 2022-12-23) was completely bogus. The
problem in OpenSSL 3.0.0-3.0.5 is that errors from the callback are
sometimes silently suppressed.
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.2:
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
| |
| |
| |
| |
| |
| |
| | |
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
| |\
| | |
| | | |
maint-2.2 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
|
| | | |
|
| |\ \
| | | |
| | | | |
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |/ |
|
| |\ \
| | |/
| |/| |
pkey/ec: fix multiple ossl_raise() calls using cEC_POINT instead of eEC_POINT
|
| |/ |
|
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
|
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
|
|\ \
| | |
| | | |
pkey/ec: check private key validity with OpenSSL 3
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
|
|/ /
| |
| |
| |
| |
| |
| | |
The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's
OpenSSL package has not backported the patch yet.
Reference: https://github.com/ruby/openssl/issues/492
|
| | |
|
|\|
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.2:
Ruby/OpenSSL 2.2.2
Ruby/OpenSSL 2.1.4
Make GitHub Actions happy on 2.1/2.2 branches
test/openssl/test_cipher: skip AES-CCM tests on OpenSSL <= 1.1.1b
ignore pkgconfig when any openssl option is specified
|
| | |
|
| |\
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.1:
Ruby/OpenSSL 2.1.4
Make GitHub Actions happy on 2.1/2.2 branches
ignore pkgconfig when any openssl option is specified
|
| | | |
|
| | | |
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This is a backport to the 2.1 branch. The Pull Request was accidentally
merged into master instead.
* upstream/pr/486:
ignore pkgconfig when any openssl option is specified
|
| | |/ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.2 branch. ]
AES CCM mode in OpenSSL <= 1.1.1b was overly strict in the parameters
assignment order. This has been relaxed by OpenSSL 1.1.1c.
https://github.com/openssl/openssl/commit/b48e3be947ddc5da6b5a86db8341081c72b9a4ee
The test case is failing on Ubuntu 18.04 because it still uses the
initial 1.1.1 release and has the issue:
http://rubyci.s3.amazonaws.com/graviton2/ruby-master/log/20210316T120003Z.fail.html.gz
(cherry picked from commit ruby/ruby@44d67128a827c65d1a3867c5d8fd190d10aa1dd2)
(cherry picked from commit c7edb0a0f93ef6e137481d59103aec5fe09c3d66)
|
|\ \ \
| | | |
| | | | |
pkey/ec: check existence of public key component before exporting
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
i2d_PUBKEY_bio() against an EC_KEY without the public key component
trggers a null dereference.
This is a regression introduced by commit 56f0d34d63fb ("pkey:
refactor #export/#to_pem and #to_der", 2017-06-14).
Fixes https://github.com/ruby/openssl/pull/527#issuecomment-1220504524
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1221554057
|
|\ \ \ \
| | | | |
| | | | | |
pkey: restore support for decoding "openssl ecparam -genkey" output
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Scan through the input for a private key, then fallback to generic
decoder.
OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.
The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.
While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.
Fixes https://github.com/ruby/openssl/pull/535
|
| |/ / /
| | | |
| | | |
| | | | |
Fix potential error queue leak.
|
|\ \ \ \
| | | | |
| | | | | |
pkey/dsa: let PKey::DSA.generate choose appropriate q size
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.
Fixes https://github.com/ruby/openssl/issues/483
Fixes: 1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)
|
|\ \ \ \
| | | | |
| | | | | |
x509*: fix error queue leak in #extensions= and #attributes= methods
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
X509at_delete_attr() in OpenSSL master puts an error queue entry if
there is no attribute left to delete. We must either clear the error
queue, or try not to call it when the list is already empty.
|