aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* hmac: implement base64digest methodsky/hmac-base64Kazuki Yamaguchi2020-06-302-0/+29
| | | | | OpenSSL::HMAC implements the similar interface as ::Digest. Let's add base64digest methods to OpenSSL::HMAC, too, for feature parity.
* hmac: migrate from the low-level HMAC API to the EVP APIky/hmac-evpKazuki Yamaguchi2020-06-306-170/+89
| | | | | | | | | Use the EVP API instead of the low-level HMAC API. Use of the HMAC API has been discouraged and is being marked as deprecated starting from OpenSSL 3.0.0. The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest are now in lib/openssl/hmac.rb.
* hmac: add a test case for OpenSSL::HMAC singleton methodsKazuki Yamaguchi2020-06-301-0/+9
|
* digest, hmac, ts, x509: use IO.binread in examples where appropriateKazuki Yamaguchi2020-05-134-18/+18
| | | | | | | IO.read may mangle line separator, which will corrupt binary data including DER-encoded X.509 certificates and such. Fixes: https://github.com/ruby/openssl/issues/243
* Merge pull request #329 from rhenium/ky/pkey-generic-operationsKazuki Yamaguchi2020-05-137-110/+554
|\ | | | | pkey: add more support for 'generic' pkey types
| * pkey: reimplement PKey::DH#compute_key and PKey::EC#dh_compute_keyky/pkey-generic-operationsKazuki Yamaguchi2020-05-133-67/+33
| | | | | | | | | | Use the new OpenSSL::PKey::PKey#derive instead of the raw {EC,}DH_compute_key(), mainly to reduce amount of the C code.
| * pkey: add PKey::PKey#deriveKazuki Yamaguchi2020-05-134-0/+107
| | | | | | | | | | | | Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive(). This is useful for pkey types that we don't have dedicated classes, such as X25519.
| * pkey: support 'one-shot' signing and verificationKazuki Yamaguchi2020-05-132-0/+75
| | | | | | | | | | | | OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms do not support the streaming mechanism and require us to use them.
| * pkey: port PKey::PKey#sign and #verify to the EVP_Digest* interfaceKazuki Yamaguchi2020-05-132-39/+63
| | | | | | | | | | | | | | | | | | Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL 1.0.0. Also, allow the digest to be specified as nil, as certain EVP_PKEY types don't expect a digest algorithm.
| * pkey: add PKey.generate_parameters and .generate_keyKazuki Yamaguchi2020-05-132-0/+265
| | | | | | | | | | Add two methods to create a PKey using the generic EVP interface. This is useful for the PKey types we don't have a dedicated class.
| * pkey: assume generic PKeys contain private componentsKazuki Yamaguchi2020-05-131-4/+11
| | | | | | | | | | | | The EVP interface cannot tell whether if a pkey contains the private components or not. Assume it does if it does not respond to #private?. This fixes the NoMethodError on calling #sign on a generic PKey.
* | Merge pull request #328 from rhenium/ky/pkey-refactor-serializationKazuki Yamaguchi2020-05-1314-514/+282
|\ \ | | | | | | pkey: refactor PEM/DER serialization code
| * | pkey: refactor #export/#to_pem and #to_derky/pkey-refactor-serializationKazuki Yamaguchi2020-05-135-173/+114
| | | | | | | | | | | | | | | Add ossl_pkey_export_traditional() and ossl_pkey_export_spki() helper functions, and use them. This reduces code duplication.
| * | pkey: refactor DER/PEM-encoded string parsing codeKazuki Yamaguchi2020-05-135-77/+73
| | | | | | | | | | | | | | | Export the flow used by OpenSSL::PKey.read and let the subclasses call it before attempting other formats.
| * | pkey: prefer PKey.read over PKey::RSA.new in docsKazuki Yamaguchi2020-05-136-8/+8
| | |
| * | pkey: have PKey.read parse PEM-encoded DHParameterKazuki Yamaguchi2020-05-133-3/+5
| | | | | | | | | | | | | | | Try PEM_read_bio_Parameters(). Only PEM format is supported at the moment since corresponding d2i_* functions are not provided by OpenSSL.
| * | pkey: inline {rsa,dsa,dh,ec}_instance()Kazuki Yamaguchi2020-05-134-156/+76
| | | | | | | | | | | | | | | | | | | | | Merge the code into the callers so that the wrapping Ruby object is allocated before the raw key object is allocated. This prevents possible memory leak on Ruby object allocation failure, and also reduces the lines of code.
| * | pkey: simplify ossl_pkey_new()Kazuki Yamaguchi2020-05-136-100/+9
| |/ | | | | | | | | | | ossl_{rsa,dsa,dh,ec}_new() called from this function are not used anywhere else. Inline them into pkey_new0() and reduce code duplication.
* | test/openssl/test_ssl: fix flaky test caseKazuki Yamaguchi2020-05-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | Fix test_socket_open_with_local_address_port_context. Often with MinGW, it seems EACCES is returned on bind when the port number is unavailable. Ignore it just as we do for EADDRINUSE and continue searching free port number. Fixes: 98f8787b4687 ("test/openssl/test_ssl: fix random failure in SSLSocket.open test", 2020-02-17)
* | Merge pull request #342 from rhenium/ky/config-use-openssl-apiKazuki Yamaguchi2020-05-136-668/+450
|\ \ | |/ |/| config: revert to C implementation of OpenSSL::Config
| * config: replace DupConfigPtr() with GetConfig()ky/config-use-openssl-apiKazuki Yamaguchi2020-05-133-40/+3
| | | | | | | | | | | | | | | | Now that OpenSSL::Config wraps a real CONF object, the caller can just borrow it rather than creating a new temporary CONF object. CONF object is usually treated as immutable. DupConfigPtr() is now removed, and GetConfig() is exported instead.
| * config: revert to C implementation of OpenSSL::ConfigKazuki Yamaguchi2020-05-135-445/+441
| | | | | | | | | | | | | | | | | | | | Revert OpenSSL::Config to using the OpenSSL API and remove our own parser implementation for the config file syntax. OpenSSL::Config now wraps a CONF object. Accessor methods deal with the object directly rather than Ruby-level internal state. This work is based on the old C code we used before 2010.
| * test/openssl/test_config: skip test_get_value_ENV on LibreSSLKazuki Yamaguchi2020-05-131-0/+3
| | | | | | | | | | LibreSSL has removed the feature to map environment variables onto the "ENV" section.
| * test/openssl/test_config: fix non-deterministic test caseKazuki Yamaguchi2020-05-131-1/+1
| | | | | | | | | | | | | | Sort keys of a section before comparing. The ordering is not part of the API. This can cause a test failure if we use OpenSSL's C implementation. Fixes: 2ad65b5f673f ("config: support .include directive", 2018-08-16)
| * test/openssl/test_config: add missing test case for Config.parse_configKazuki Yamaguchi2020-05-131-0/+6
| |
| * config: remove deprecated methodsKazuki Yamaguchi2020-05-132-202/+16
|/ | | | | | | | | | | | | | | | Remove 4 deprecated methods. The following two methods have been marked as deprecated since 2003, by r4531 (ruby.git commit 78ff3833fb67c8005a9b851037e74b3eea940aa3). - OpenSSL::Config#value - OpenSSL::Config#section Other two methods are removed because the corresponding functions disappeared in OpenSSL 1.1.0. - OpenSSL::Config#add_value - OpenSSL::Config#[]=
* Ruby/OpenSSL 2.2.0v2.2.0ky/release-2.2.0Kazuki Yamaguchi2020-05-131-1/+1
|
* .github/workflows: update OpenSSL and LibreSSL versions to test withKazuki Yamaguchi2020-05-131-4/+5
|
* ssl: temporarily remove SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-05-132-44/+0
| | | | | | | | | | | | | | | | | | | | | | | | | Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
* ext/openssl/ossl.h: Remove a variable that is used only in assertYusuke Endoh2020-05-131-2/+1
| | | | | | It produces "unused variable" warnings in NDEBUG mode [ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
* Suppress -Wshorten-64-to-32 warningsNobuyoshi Nakada2020-05-131-1/+1
| | | | [ Cherry-picked from ruby.git commit d8720eb7de9c. ]
* Merge pull request #359 from zeroSteiner/fix/aead/ccm-mode-in-lenKazuki Yamaguchi2020-04-223-1/+69
|\ | | | | Allow specifying the data length for CCM mode
| * Define Cipher #ccm_data_len= for CCM mode ciphersSpencer McIntyre2020-04-213-1/+69
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow specifying just length to #update CCM mode ciphers need to specify the total plaintext or ciphertext length to EVP_CipherUpdate. Update the link to the tests file Define Cipher#ccm_data_len= for CCM mode ciphers Add a unit test for CCM mode Also check CCM is authenticated when testing
* | pkey: add PKey#inspect and #oidKazuki Yamaguchi2020-04-212-0/+66
| | | | | | | | | | | | | | | | | | | | | | Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id(). This allows user code to check the type of a PKey object. EVP_PKEY can have a pkey type for which we do not provide a dedicated subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC} can exist. It is currently not possible to distinguish such a pkey. Also, implement PKey#inspect to include the key type for convenience.
* | Fix signing example to not use Digest instanceBart de Water2020-04-211-4/+2
| |
* | Look up cipher by name instead of constantBart de Water2020-04-212-24/+8
| |
* | Remove 'mapping between Digest class and sn/ln'Bart de Water2020-04-211-37/+0
| | | | | | | | This is not present in the referenced files anymore, and not useful to most users
* | Look up digest by name instead of constantBart de Water2020-04-2131-171/+161
| |
* | Merge pull request #363 from bdewater/marshal-pkeyKazuki Yamaguchi2020-04-218-23/+85
|\ \ | | | | | | Add Marshal support to PKey objects
| * | Add Marshal support to PKey objectsBart de Water2020-04-198-23/+85
|/ /
* | Merge pull request #354 from MSP-Greg/setup-ruby-pkgsKazuki Yamaguchi2020-03-311-18/+6
|\ \ | | | | | | Use setup-ruby-pkgs for Windows
| * | Use setup-ruby-pkgs for WindowsMSP-Greg2020-03-161-18/+6
| |/ | | | | | | | | | | 1. Using correct MSYS compiler for Windows Ruby 2.3, previous CI used MSYS2 2. Ruby installation is done via a fork of setup-ruby
* | Merge pull request #357 from mame/ignore-SSLError-when-socket-is-forcibly-closedKazuki Yamaguchi2020-03-311-1/+6
|\ \ | |/ |/| test/openssl/test_ssl.rb: ignore SSLError when the connection is closed
| * test/openssl/test_ssl.rb: ignore SSLError when the connection is closedYusuke Endoh2020-03-211-1/+6
|/ | | | | | | | | | | | | | | | | | "test_close_after_socket_close" checks if ssl.close is no-op even after the wrapped socket is closed. The test itself is fair, but the other endpoint that is reading the SSL connection may fail with SSLError: "SSL_read: unexpected eof while reading" in some environments: https://github.com/ruby/ruby/actions/runs/60085389 (MinGW) https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz ``` 1) Failure: OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]: exceptions on 1 threads: SSL_read: unexpected eof while reading ``` This changeset rescues and ignores the SSLError in the test.
* Revert "Use version.rb in gemspec"Kazuki Yamaguchi2020-03-101-3/+1
| | | | | | | | | | | This reverts commit 55cfee6edbc5c663cbe73323852b93292cf94a3f. Unfortunately, this doesn't work well in some places because RubyGems depends on openssl in some code paths. This ends up with defining OpenSSL::VERSION twice and producing warning: /work/ruby/ext/openssl/lib/openssl/version.rb:4: warning: already initialized constant OpenSSL::VERSION /work/ruby/.x86_64-linux/.ext/common/openssl/version.rb:5: warning: previous definition of VERSION was here
* Merge branch 'maint'Kazuki Yamaguchi2020-03-095-19/+229
|\ | | | | | | | | | | | | | | | | | | * maint: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| * Merge branch 'maint-2.0' into maintKazuki Yamaguchi2020-03-097-42/+262
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.0: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| | * Merge pull request #350 from rhenium/ky/ssl-fix-verify-hostname-set-error-codemaint-2.0Kazuki Yamaguchi2020-02-262-1/+48
| | |\ | | | | | | | | ssl: set verify error code in the case of verify_hostname failure
| | | * ssl: set verify error code in the case of verify_hostname failureky/ssl-fix-verify-hostname-set-error-codeKazuki Yamaguchi2020-02-242-1/+48
| | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: https://github.com/ruby/openssl/issues/244 Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| | * x509: add error code and verify flags constantsKazuki Yamaguchi2020-02-241-0/+91
| | | | | | | | | | | | | | | Add missing constant declarations for certificate verification flags and the error codes, to match with OpenSSL 1.1.1.
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-25 06:58:28 +0000