test/openssl/fixtures/pkey/p256_too_large.pem and p384_invalid.pem are
invalid PEM encoding where the encoded public key doesn't match the
private key. They are only useful for testing
OpenSSL::PKey::EC#check_key.
To improve clarity, let's directly include the PEM encoding as a
heredoc. p384_invalid.pem is simply dropped because it was redundant.

Remove files from test/openssl/fixtures/pkey that are not pkeys.
The test cases for Certificate.load_file don't require static
fixtures. Use tempfile to make them self-contained.

Add SSLSocket#readbyte

Companion to getbyte but raise EOFError
Similar to https://github.com/ruby/openssl/pull/438

rewriting most of the asn1 init code in ruby

to have as much of the lib in ruby as possible

* maint-3.2:
Remove "gemspec" from Gemfile

* maint-3.1:
Remove "gemspec" from Gemfile

* maint-3.0:
Remove "gemspec" from Gemfile

Remove "gemspec" from Gemfile

The local lib directory may contain an incomplete openssl library.
The "gemspec" line in Gemfile causes "bundle exec" to put the lib
directory in the load path. Although our Rakefile does not use openssl
itself, it still indirectly tries to load it as a RubyGems dependency.

In order to sign certificates with Ed25519 keys, NULL must be passed
as md to X509_sign. This NULL is then passed
(via ASN1_item_sign_ex) as type to EVP_DigestSignInit. The
documentation[1] of EVP_DigestSignInit states that type must be NULL
for various key types, including Ed25519.
[1]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html

CI: Rely on setup-ruby to install Bundler gems

* maint-3.2:
Don't download OpenSSL from ftp.openssl.org anymore
Fix test_pkey_dh.rb in FIPS.
History.md: Escape Markdown syntax Italic "*". [ci skip]
CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
Exact checks with `assert_include`
Exact checks with `assert_include`

* maint-3.1:
Don't download OpenSSL from ftp.openssl.org anymore

* maint-3.0:
Don't download OpenSSL from ftp.openssl.org anymore

[ This is a backport to the 3.0 branch. ]
OpenSSL announced that they're changing how they handle releases in this
blog post: https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
The tl;dr is that:
* ftp.openssl.org is being shut down (even for HTTP access)
* The releases at openssl.org/source will redirect to github
* git.openssl.org is also shut down (the git repo is on github)
This commit just changes over to using openssl.org/source instead of
ftp.openssl.org. We might also need to switch to downloading directly
from Github... let's see.
It also changes to cloning the head of openssl from github too.
(cherry picked from commit 64c50112b60e2cdcc447620a1bd73380f7186600)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ This is a backport to the 3.2 branch. ]
We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]
```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```
The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]
As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.
```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
dhparam -out dh2048_ffdhe2048.pem 2048
```
Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.
* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
policy document page 25, Table 10 – Public Keys - DH Public
- DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1
(cherry picked from commit 6a4ff26475adbbd70a1df430f314f03544172b15)

[ This is a backport to the 3.2 branch. ]
(cherry picked from commit dc26433ae5705a0e040b2b79e09675308d53ab9f)

[ This is a backport to the 3.2 branch. ]
(cherry picked from commit fafe1af4a96e498ec49d3b0ad1998950f953d802)

[ This is a backport to the 3.2 branch. ]
Where `assert_match` converts string matcher argument to regexp first
with escaping, `assert_include` does the same thing simpler.
(cherry picked from commit 81007e0a49990afb752f0eac6badb3a6e84a432d)

[ This is a backport to the 3.2 branch. ]
(cherry picked from commit 9a6e24daafd09c34a6aaef2626438c800d1fc86a)

Automatically update GitHub Pages from master branch

Remove tool/update-gh-pages as it is no longer necessary.

Clarify license

Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

This is for consistency with ruby/ruby.

ruby/openssl is licensed under the terms of either the Ruby License or
the 2-Clause BSD License.
The git repository and built .gem files always contained the license
text for both licenses, but the metadata in the gemspec only specified
the Ruby License. Let's include both.

Add X509::Certificate#tbs_bytes

Ref https://github.com/ruby/openssl/issues/519
This makes verifying embedded certificate transparency signatures
significantly easier, as otherwise the alternative was manipulating the
ASN1 sequence, as in
https://github.com/segiddins/sigstore-cosign-verify/pull/2/commits/656d992fa816613fd9936f53ce30972c2f2f4957

Fix test_create_with_mac_iter accidentally setting keytype not maciter

This test was accidentally passing the value 2048 into the keytype
parameter of PKCS12_create, not the mac_iter parameter (because it had
one too many `nil`s in the call). This value is invalid, and will make
OpenSSL perform an out-of-bounds read which is caught when compiling
with ASAN.
This commit fixes the tests, and also adds some validation to
PKCS12.create to make sure any keytype passed is actually valid. Since
there are only two valid keytype constants, and the whole feature is an
export-grade crypto era thing only ever supported by old MSIE, it seems
far more likely that code in the wild is using keytype similarly by
mistake rather than as intended. So this validation might catch that.

Don't download OpenSSL from ftp.openssl.org anymore

OpenSSL announced that they're changing how they handle releases in this
blog post: https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
The tl;dr is that:
* ftp.openssl.org is being shut down (even for HTTP access)
* The releases at openssl.org/source will redirect to github
* git.openssl.org is also shut down (the git repo is on github)
This commit just changes over to using openssl.org/source instead of
ftp.openssl.org. We might also need to switch to downloading directly
from Github... let's see.
It also changes to cloning the head of openssl from github too.

[CI] test.yml - use `bundle exec`, use setup-ruby bundler-cache, fixes Windows issue

segiddins/segiddins/add-to_text-for-pkcs7-and-timestamp-response
Add to_text for PKCS7 and Timestamp::Response

read: don't clear buffer when nothing can be read

To be consistent with regular Ruby IOs:
```ruby
r, _ = IO.pipe
buf = "garbage".b
r.read_nonblock(10, buf, exception: false) # => :wait_readable
p buf # => "garbage"
```
Ref: https://github.com/redis-rb/redis-client/commit/98b8944460a11f8508217bda71cfc10cb2190d4d

Ruby 3.0 is EOL by 2024-04.
Also, update the OpenSSL compatibility list to include OpenSSL 3.2-3.3,
which are ABI-compatible with 3.1.

* maint-3.2:
Fix modular square root test with LibreSSL >= 3.8
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)

* maint-3.1:
Fix modular square root test with LibreSSL >= 3.8
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)

[ This is a backport to the 3.1 branch. ]
If x is a modular square root of a (mod p) then so is (p - x). Both
answers are valid. In particular, both 2 and 3 are valid square roots
of 4 (mod 5). Do not assume that a particular square root is chosen by
the algorithm. Indeed, the algorithm in OpenSSL and LibreSSL <= 3.7
returns a non-deterministic answer in many cases. LibreSSL 3.8 and
later will always return the smaller of the two possible answers. This
breaks the current test case.
Instead of checking for a particular square root, check that the square
of the claimed square root is the given value. This is always true. Add
the simplest test case where the answer is indeed non-deterministic.
(cherry picked from commit 93548ae9597ba40d3f8b564f6a948ce55b432e30)
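The check this commit message describes, as an added Ruby example that is not code from ruby/openssl: a claimed root from OpenSSL::BN#mod_sqrt is validated by squaring it, so either of the two valid roots is accepted. The helper names and the sample cases are constructed for illustration.

```ruby
require "openssl"

# True when x squared is congruent to a modulo p, i.e. x is *a* square root.
# Both x and p - x pass, so the check does not depend on which one a
# library happens to return.
def square_root_of?(x, a, p)
  (x * x) % p == a % p
end

# Hypothetical helper: ask OpenSSL::BN#mod_sqrt for a root of a modulo the
# prime p, verify it by squaring, and return both roots in ascending order.
# Returns nil when the library reports that a has no square root mod p.
def mod_sqrt_pair(a, p)
  x = OpenSSL::BN.new(a.to_s).mod_sqrt(OpenSSL::BN.new(p.to_s)).to_i
  raise "library returned a non-root: #{x}" unless square_root_of?(x, a, p)
  [x, (p - x) % p].uniq.sort
rescue OpenSSL::BNError
  nil
end

# Constructed sample cases: [a, p] with p prime.
SAMPLES = [[4, 5], [2, 17], [3, 13], [3, 5]].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |a, p|
    pair = mod_sqrt_pair(a, p)
    puts "sqrt(#{a}) mod #{p}: #{pair ? pair.join(' or ') : 'no root'}"
  end
end
```

A test written against `mod_sqrt_pair` or `square_root_of?` stays valid whether the linked library returns the smaller root, the larger one, or a different one on each run.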

* maint-3.0:
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)

Handle missing content in PKCS7

[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>

Fixes [Bug #19974]
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>

cipher: fix buffer overflow in Cipher#update