| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.0 branch. ]
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
(cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ Originally landed on as commit b4e96fc4abc3. This is a backport to the
2.0 branch. ]
`RB_PASS_KEYWORDS` is not always available.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
[ Originally landed on ruby.git as commit 3959469f240e, then was merged
into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to
the 2.0 branch. ]
It's unlikely anyone would actually hit these. The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.
|
| | |\
| | | |
| | | | |
config: support .include directive
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Remove it as it does not make sense. Also, it produces deprecation
warning on the current master of Ruby (2.8).
It is a test case to check that changing $/ will not affect
OpenSSL::Buffering#puts. However, $/ is the input record separator and
should be completely irrelevant to it.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The feature is currently premature and will be rewritten. However, it
is causing test failures on RubyCI. Make it happy for now.
Reference: https://github.com/ruby/openssl/issues/334
|
|\ \ \ \
| | | | |
| | | | | |
Add support for SHA512/256 and SHA512/224
|
|/ / / / |
|
|\ \ \ \
| | | | |
| | | | | |
.github/workflows: test against different OpenSSL versions
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The GitHub Actions workflow now covers all patterns we currently test
using Travis CI. .travis.yml can be removed.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Compile OpenSSL and LibreSSL on-the-fly and run our test suite against
the OpenSSL installation.
Compiling OpenSSL or LibreSSL takes about 1.5 - 2 minutes on a GitHub-
hosted runner.
|
|/ / / /
| | | |
| | | |
| | | |
| | | | |
The "Ubuntu-macOS" and "Windows" workflows are both for the same
purpose. Merge them into a single workflow for clarity.
|
|\ \ \ \
| | | | |
| | | | | |
Use version.rb in gemspec
|
|/ / / /
| | | |
| | | |
| | | | |
Use version.rb in gemspec so version string exists in one location
|
| | | |
| | | |
| | | |
| | | | |
* .github/workflows/ubuntu-macos.yml already tests those.
|
|\ \ \ \
| | | | |
| | | | | |
lib/openssl.rb: require openssl/version.rb
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The OpenSSL::VERSION constant is now defined by lib/openssl/version.rb
instead of by the extension. Add missing require statement.
Fixes: 0cddb0b736c8 ("Simplify handling of version constant.", 2019-10-31)
Reference: https://github.com/ruby/openssl/issues/347
|
|\ \ \ \
| | | | |
| | | | | |
config: deprecate OpenSSL::Config#add_value and #[]=
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
OpenSSL::Config is currently implemented in Ruby, but we plan to revert
back to use OpenSSL API, just as it did before r28632 (in ruby_1_8;
r29048 in trunk). It's not clear what was the issue with Windows, but
the CONF library should work on Windows too.
Modifying a CONF object is not possible in OpenSSL API. Actually, it
was possible in previous versions of OpenSSL, but we used their
internal functions that are not exposed in shared libraries anymore.
Accordingly, OpenSSL::Config#add_value and #[]= have to be removed. As
a first step towards the change, let's deprecate those methods.
|
|\ \ \ \ \
| | | | | |
| | | | | | |
engine: small cleanups on OpenSSL::Engine.load
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Those two engines exist as builtin engines even if static engines are
disabled with OPENSSL_NO_STATIC_ENGINE. This is the default with recent
OpenSSL.
This has prevented Engine.load("dynamic") from working and required
the user to call OpenSSL::Engine.load with no arguments, which loads all
builtin engines including 'dynamic'.
Note that OpenSSL 1.1.0 and newer calls (the equivalent of)
ENGINE_load_builtin_engines() on its initialization. This includes
'dynamic' and 'cryptodev' engines (if available).
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Remove dead code. The function, or a macro in OpenSSL 1.1.0 and newer,
always exists unless the whole engine code is disabled with
OPENSSL_NO_ENGINE.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
They no longer exists in OpenSSL 1.0.1, which is the oldest version
Ruby/OpenSSL currently compiles with.
Note that OpenSSL 1.0.2 and older is already in EOL state. The following
engines should also be removed when we completely drop support for those
versions as they were removed in OpenSSL 1.1.0.
- 4758cca
- aep
- atalla
- chil
- cswift
- nuron
- sureware
- ubsec
- gmp
- gost
|
|\| | | | |
| | | | | |
| | | | | | |
engine: revert OpenSSL::Engine.load changes for cloudhsm
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Revert two commits:
- ea49ccc82aa4 Add cloudhsm to extconf.rb
- 33ed3ba10424 Add cloudhsm to ossl_engine.c
OpenSSL::Engine.load is a binding for ENGINE_load_*() functions which
are provided by OpenSSL itself, so-called "static engines".
Since the AWS CloudHSM engine is a dynamic engine, which is provided as
a shared library, this change is not a correct solution for the issue.
Reference: https://github.com/ruby/openssl/issues/189
Reference: https://github.com/ruby/openssl/pull/190
|
|\ \ \ \ \
| | | | | |
| | | | | | |
test/openssl/test_ssl: test fixes
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Non-forward-secrecy cipher suites may be disabled when OpenSSL's
security level is set to 3 or higher.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Reapply commit ca77d5504f0a ("Remove out-of-scope test.", 2019-12-29).
Private methods are not to be used by users and the behavior should not
be tested.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Fix possible test failure in test_add_certificate_multiple_certs. In
environment with OpenSSL's security level set to 3, RSA keys with 2048
bits will be rejected.
Since the test case does not require the exact size of a key, just use
the generic rsa-3 key.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Let test_socket_open_with_local_address_port_context use a random high
port number and also ignore Errno::EADDRINUSE in case it is in use.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Ensure that the handshake fully completes by sending data each other
rather than by inserting 50ms sleep.
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
ssl: avoid declarations after statements
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We cannot use C99 features yet, as we still support Ruby 2.6 and older.
Fixes: debaca25604c ("Adds support for the 'get_finished' and 'get_peer_finished' functions", 2019-06-25)
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add links to GitHub issues or pull requests.
Also, move incompatible changes to a separate section for better
visibility.
|
|\ \ \ \
| | | | |
| | | | | |
extconf.rb: get rid of -Werror=deprecated-declarations
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
No function needs -Werror=deprecated-declarations flag to check
availability any more.
This also fixes -Werror=deprecated-declarations erroneously carrying on
to the actual compilation, resulting in an compilation error on some
environment.
Fixes: https://github.com/ruby/openssl/pull/331
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The default implementation of RAND_pseudo_bytes() uses the same routine
as RAND_bytes().
Note that OpenSSL::Random.pseudo_bytes has been available only when it
is compiled with EOL versions of OpenSSL.
|
|\ \ \ \ \
| | | | | |
| | | | | | |
ts: simplify OpenSSL::Timestamp::Request#algorithm
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Stop the special treatment of invalid hashAlgorithm of the message
imprint. Those invalid values can only appear after the object is
instantiated, before the user sets an actual message digest algorithm.
OpenSSL::Timestamp::TokenInfo#algorithm already does the same.
Also, remove the test case "test_create_request" since it does not make
much sense. Those fields are to be set by the user after creation of
the object and checking the initial value is pointless.
Fixes: https://github.com/ruby/openssl/issues/335
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
test/openssl/test_ssl: skip test_fallback_scsv if necessary
|
| |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Run the test case only when the OpenSSL supports both TLS 1.1 and TLS
1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and
not for 1.3.
Fixes: https://github.com/ruby/openssl/issues/336
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
.travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Two jobs in Travis are duplicates of Actions jobs, and one is unlikely.
The below two jobs are running in Actions on all OS's
Ruby 2.3 and OpenSSL 1.0.2, Ruby 2.5 and OpenSSL 1.1.1
Ruby head and OpenSSL 1.0.2 - OpenSSL 1.0.2 is EOL, and the CI is running 1.0.2g, last release was 1.0.2u.
|
| | | | | | |
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
Make OpenSSL::OSSL#test_memcmp_timing robust
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The test was too fragile. Actually, it fails on one of our CIs
immediately after it was merged to ruby/ruby.
https://gist.github.com/ko1/7ea4a5826641f79e2f9e041d83e45dba#file-brlog-trunk_clang_40-20200216-101730-L532-L535
https://gist.github.com/ko1/1c657746092b871359d8bf9e0ad28921#file-brlog-trunk-test4-20200216-104518-L473-L476
* Two measurements, a-b and a-c, must be interative instead of
sequential; the execution time will be easily affected by disturbance
(say, cron job or some external process invoked during measurement)
* The comparison of the two results must be relative instead of
absolute; slow machine may take several tens of seconds for each
execution, and one delta second is too small. The test cases of a, b,
and c are very extreme, so if the target method has a bug, the two
execution times would be very different. So I think it is enough to
check if the difference is less than 10 times.
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
|
|/ / / / / |
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
Drop to reference OpenSSL::VERSION on gemspec
|