| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Use the new OpenSSL::PKey::PKey#derive instead of the raw
{EC,}DH_compute_key(), mainly to reduce amount of the C code.
|
|
|
|
|
|
| |
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
|
|
|
|
|
|
| |
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
|
|
|
|
|
|
|
|
|
| |
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
|
|
|
|
|
| |
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types we don't have a dedicated class.
|
|
|
|
|
|
| |
The EVP interface cannot tell whether if a pkey contains the private
components or not. Assume it does if it does not respond to #private?.
This fixes the NoMethodError on calling #sign on a generic PKey.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.
My comment on #257:
> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdba40c5 was not really
> useful. The issue is described in #305. #309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by #320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is #288, and
> it's still cooking.
This effectively reverts the following commits:
- dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
- 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
|
|
|
|
|
|
| |
It produces "unused variable" warnings in NDEBUG mode
[ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
|
|
|
|
| |
[ Cherry-picked from ruby.git commit d8720eb7de9c. ]
|
|\
| |
| | |
Allow specifying the data length for CCM mode
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow specifying just length to #update
CCM mode ciphers need to specify the total plaintext or ciphertext
length to EVP_CipherUpdate.
Update the link to the tests file
Define Cipher#ccm_data_len= for CCM mode ciphers
Add a unit test for CCM mode
Also check CCM is authenticated when testing
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.
EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.
Also, implement PKey#inspect to include the key type for convenience.
|
| | |
|
| | |
|
| |
| |
| |
| | |
This is not present in the referenced files anymore, and not useful to most users
|
| | |
|
|\ \
| | |
| | | |
Add Marshal support to PKey objects
|
|/ / |
|
|\ \
| | |
| | | |
Use setup-ruby-pkgs for Windows
|
| |/
| |
| |
| |
| |
| | |
1. Using correct MSYS compiler for Windows Ruby 2.3, previous CI used MSYS2
2. Ruby installation is done via a fork of setup-ruby
|
|\ \
| |/
|/| |
test/openssl/test_ssl.rb: ignore SSLError when the connection is closed
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"test_close_after_socket_close" checks if ssl.close is no-op even after
the wrapped socket is closed. The test itself is fair, but the other
endpoint that is reading the SSL connection may fail with SSLError:
"SSL_read: unexpected eof while reading" in some environments:
https://github.com/ruby/ruby/actions/runs/60085389 (MinGW)
https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz
```
1) Failure:
OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]:
exceptions on 1 threads:
SSL_read: unexpected eof while reading
```
This changeset rescues and ignores the SSLError in the test.
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 55cfee6edbc5c663cbe73323852b93292cf94a3f.
Unfortunately, this doesn't work well in some places because RubyGems
depends on openssl in some code paths. This ends up with defining
OpenSSL::VERSION twice and producing warning:
/work/ruby/ext/openssl/lib/openssl/version.rb:4: warning: already initialized constant OpenSSL::VERSION
/work/ruby/.x86_64-linux/.ext/common/openssl/version.rb:5: warning: previous definition of VERSION was here
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| | |\
| | | |
| | | | |
ssl: set verify error code in the case of verify_hostname failure
|
| | |/
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When the verify_hostname option is enabled, the hostname verification is
done before calling verify_callback provided by the user.
The callback should be notified of the hostname verification failure.
OpenSSL::X509::StoreContext's error code must be set to an appropriate
value rather than OpenSSL::X509::V_OK.
If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >=
1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.
Reference: https://github.com/ruby/openssl/issues/244
Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
|
| | |
| | |
| | |
| | |
| | | |
Add missing constant declarations for certificate verification flags and
the error codes, to match with OpenSSL 1.1.1.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.0 branch. ]
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
(cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ Originally landed on as commit b4e96fc4abc3. This is a backport to the
2.0 branch. ]
`RB_PASS_KEYWORDS` is not always available.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
[ Originally landed on ruby.git as commit 3959469f240e, then was merged
into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to
the 2.0 branch. ]
It's unlikely anyone would actually hit these. The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.
|
| | |\
| | | |
| | | | |
config: support .include directive
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Remove it as it does not make sense. Also, it produces deprecation
warning on the current master of Ruby (2.8).
It is a test case to check that changing $/ will not affect
OpenSSL::Buffering#puts. However, $/ is the input record separator and
should be completely irrelevant to it.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The feature is currently premature and will be rewritten. However, it
is causing test failures on RubyCI. Make it happy for now.
Reference: https://github.com/ruby/openssl/issues/334
|
|\ \ \ \
| | | | |
| | | | | |
Add support for SHA512/256 and SHA512/224
|
|/ / / / |
|
|\ \ \ \
| | | | |
| | | | | |
.github/workflows: test against different OpenSSL versions
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The GitHub Actions workflow now covers all patterns we currently test
using Travis CI. .travis.yml can be removed.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Compile OpenSSL and LibreSSL on-the-fly and run our test suite against
the OpenSSL installation.
Compiling OpenSSL or LibreSSL takes about 1.5 - 2 minutes on a GitHub-
hosted runner.
|
|/ / / /
| | | |
| | | |
| | | |
| | | | |
The "Ubuntu-macOS" and "Windows" workflows are both for the same
purpose. Merge them into a single workflow for clarity.
|
|\ \ \ \
| | | | |
| | | | | |
Use version.rb in gemspec
|
|/ / / /
| | | |
| | | |
| | | | |
Use version.rb in gemspec so version string exists in one location
|
| | | |
| | | |
| | | |
| | | | |
* .github/workflows/ubuntu-macos.yml already tests those.
|
|\ \ \ \
| | | | |
| | | | | |
lib/openssl.rb: require openssl/version.rb
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The OpenSSL::VERSION constant is now defined by lib/openssl/version.rb
instead of by the extension. Add missing require statement.
Fixes: 0cddb0b736c8 ("Simplify handling of version constant.", 2019-10-31)
Reference: https://github.com/ruby/openssl/issues/347
|
|\ \ \ \
| | | | |
| | | | | |
config: deprecate OpenSSL::Config#add_value and #[]=
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
OpenSSL::Config is currently implemented in Ruby, but we plan to revert
back to use OpenSSL API, just as it did before r28632 (in ruby_1_8;
r29048 in trunk). It's not clear what was the issue with Windows, but
the CONF library should work on Windows too.
Modifying a CONF object is not possible in OpenSSL API. Actually, it
was possible in previous versions of OpenSSL, but we used their
internal functions that are not exposed in shared libraries anymore.
Accordingly, OpenSSL::Config#add_value and #[]= have to be removed. As
a first step towards the change, let's deprecate those methods.
|