| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function ossl_cipher_update_long() was added to fix this in r48923
(ossl_cipher.c: workaround of OpenSSL API, 2014-12-23), but it didn't
work well. [Bug #10633]
This can be tested by running:
$ fallocate -l 2G data.img
$ ruby -ropenssl <<EOF
cipher = OpenSSL::Cipher.new("aes-128-ecb").encrypt
cipher.key = "\x00" * 16
ct = cipher.update(File.read("data.img")) << cipher.final
p ct.bytesize
EOF
|
| |\
| |
| |
| |
| |
| |
| | |
* topic/ssl-check-pkey-private:
ssl: reject keys without private components
ssl: remove unneeded instance variable x509 and key from SSL::SSLSocket
pkey: remove unused things
|
| | |
| |
| |
| |
| |
| |
| | |
OpenSSL checks if the PKey's public key matches with the certificate,
but does not check that the PKey contains the private components. As a
result, OpenSSL does a NULL dereference while doing SSL/TLS negotiation.
[Bug #8673]
|
| | |
| |
| |
| |
| |
| | |
They are only used to pass two objects across rb_protect(). So just
remove them and use temporary array instead. Since they are not public
attributes, this should be safe.
|
| | |
| |
| |
| |
| | |
Make id_private_q local to ossl_pkey.c, and remove unused
DupPrivPKeyPtr() function.
|
| |\ \
| | |
| | |
| | |
| | | |
* topic/cipher-iv-len:
cipher: allow setting IV length when using AEAD ciphers
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add OpenSSL::Cipher#iv_len=. For interoperability with other
applications, it is sometimes required. Normally 'IV' is fixed-length,
but in OpenSSL, some ciphers such as aes-128-gcm make use of it as
'nonce', which is variable-length.
Changing the IV length in Cipher#iv= is also an option but I decided not
to choose it. Because in Ruby <= 2.3 Cipher#iv= truncates the input when
the length is longer than the current IV length, changing the behavior
might cause unexpected encryption result.
[Bug #8667] [Bug #10420] [GH ruby/ruby#569]
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
Make PKey.read raise PKey::PKeyError rather than ArgumentError
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
PKey.read is a generic method to load an arbitrary PKey structure from a
PEM or DER encoded String. Each PKey classes's constructor also can load
from a String, but the behavior on error is different. While they raises
its own exception (are subclasses of PKey::PKeyError), PKey.read raises
ArgumentError. [Bug #11774]
|
| |\ \ \
| | | |
| | | | |
Improve 'Loading a key' section of the documentation
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Show the return values of both PKey::RSA#public? and #private? for each
two .pem files. The current example is not technically incorrect, but
very confusing.
This is based on the reports by Rob Nichols and Brett Goulder.
[Bug #10115] [GH ruby/openssl#52]
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Mark OpenSSL::{Digest::Digest,Cipher::Cipher} as deprecated using
Module#deprecate_constant. They have been deprecated for years in the
documentation.
|
| | | |
| | |
| | |
| | | |
Load path needs to be passed.
|
| |\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* topic/rdoc-fixes:
Fix RDoc style
Update .gitignore
Add RDoc task to Rakefile
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
Ignore /html and /ext/openssl/extconf.h. Also remove impossible files -
we currently don't use YARD or Bundler.
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* topic/ocsp-basic-verify-bug:
ocsp: add workaround for OCSP_basic_verify() bug
ocsp: refactor tests
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Older versions of OpenSSL have a bug that it doesn't use the
certificates passed to OCSP_basic_verify() for verifying the chain. This
can be a problem when the response is signed by a certificate issued by
an intermediate CA.
root_ca
|
intermediate_ca
|-------------|
end_entity ocsp_signer
When the certificate hierarchy is like this, and the response contains
only ocsp_signer certificate, the following code wrongly fails.
store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
basic_response.verify([intermediate_ca], store)
So duplicate the OCSP_BASICRESP and add the certificates to the embedded
list first.
|
| | |/ / /
| | | |
| | | |
| | | | |
Make @cert an intermediate CA, add @cert2 that issued by @cert.
|
| |\ \ \ \
| |_|_|/
|/| | |
| | | |
| | | | |
* topic/doc-ssl-sync-close:
Document OpenSSL::SSL::SSLSocket#sync_close
|
| | | |/
| |/|
| | |
| | |
| | | |
Add rdoc for OpenSSL::SSL::SSLSocket#sync_close, and mention it in the
example code in the rdoc for OpenSSL namespace. [GH ruby/openssl#11]
|
| | |/
|/| |
|
| |\ \
| |/
|/| |
RC4 has insecure biases and both clients and servers should not be using it.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This commit removes insecure RC4 ciper suites [1] from being used by
default. If needed, users can still specify the usage of it by
specifying it explicitly.
[1]: https://tools.ietf.org/html/rfc7465
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ruby-trunk r55457..r55538: (4 commits)
(r55538) openssl: fix for OpenSSL 1.0.0t
(r55523) * ext/digest/md5/md5ossl.h: Remove excess semicolons. Sup..
(r55503) Refine assertion
(r55502) openssl: ignore test failure caused by LibreSSL bug
Sync-with-trunk: r55538
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c: The "reuse" behavior of d2i_ functions does
not work well with OpenSSL 1.0.0t. So avoid it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55538 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Suppress warning on Solaris with Oracle Solaris Studio 12.
[ruby-dev:49692] [Bug #12524]
* ext/digest/md5/md5cc.h: ditto.
* ext/digest/sha1/sha1cc.h: ditto.
* ext/digest/sha1/sha1ossl.h: ditto.
* ext/digest/sha2/sha2cc.h: ditto.
* ext/digest/sha2/sha2ossl.h: ditto.
* ext/openssl/ossl_pkey_rsa.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55523 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | | |
* test/openssl/test_ocsp.rb: assert_in_delta for better message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55503 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |/ /
| |
| |
| |
| |
| |
| | |
* test/openssl/test_ocsp.rb: Ignore errors caused by bugs that exist in
LibreSSL >= 2.3.1.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55502 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| |
| |
| | |
- Remove version restriction from `rake-compiler` in `Rakefile`
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Also adjust tests.
* ruby-trunk r55335..r55457: (15 commits)
(r55457) openssl: add OpenSSL::OCSP::SingleResponse
(r55456) openssl: allow passing absolute times in OCSP::BasicRespons..
(r55455) openssl: implement initialize_copy for OpenSSL::OCSP::*
(r55454) openssl: implement initialize_copy method for PKey classes
(r55450) openssl: add 'const's required in OpenSSL master
(r55444) openssl: avoid test crash on Ubuntu 16.04
(r55423) openssl: refactor OpenSSL::OCSP::*#verify
(r55422) openssl: allow specifying hash algorithm in OCSP::*#sign
(r55411) openssl: add some accessor methods for OCSP::CertificateId
(r55409) openssl: add missing #to_der to OCSP::{CertificateId,BasicR..
(r55408) openssl: fix acesssor functions for RSA and DH in openssl_m..
(r55388) openssl: support non AES-GCM AEAD ciphers in OpenSSL::Cipher
(r55387) openssl: avoid test failure in test_engine.rb
(r55344) openssl: use ASN1_ENUMERATED_to_BN() if needed
(r55342) openssl: fix build with OPENSSL_NO_EC
Sync-with-trunk: r55457
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c: Add OCSP::SingleResponse that represents an
OCSP SingleResponse structure. Also add two new methods #responses
and #find_response to OCSP::BasicResponse. A BasicResponse has one or
more SingleResponse. We have OCSP::BasicResponse#status that returns
them as an array of arrays, each containing the content of a
SingleResponse, but this is not useful. When validating an OCSP
response, we need to look into the each SingleResponse and check their
validity but it is not simple. For example, when validating for a
certificate 'cert', the code would be like:
# certid_target is an OpenSSL::OCSP::CertificateId for cert
basic = res.basic
result = basic.status.any? do |ary|
ary[0].cmp(certid_target) &&
ary[4] <= Time.now && (!ary[5] || Time.now <= ary[5])
end
Adding OCSP::SingleResponse at the same time allows exposing
OCSP_check_validity(). With this, the code above can be rewritten as:
basic = res.basic
single = basic.find_response(certid_target)
result = single.check_validity
* test/openssl/test_ocsp.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55457 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_add_status): Allow specifying
the times (thisUpdate, nextUpdate and revocationTime) with Time
objects. Currently they accepts only relative seconds from the current
time. This is inconvenience, especially for revocationTime. When
Integer is passed, they are still treated as relative times. Since the
type check is currently done with rb_Integer(), this is a slightly
incompatible change. Hope no one passes a relative time as String or
Time object...
Also, allow passing nil as nextUpdate. It is optional.
* ext/openssl/ruby_missing.h: Define RB_INTEGER_TYPE_P() if not defined.
openssl gem will be released before Ruby 2.4.0.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55456 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c: Implement OCSP::{CertificateId,Request,
BasicResponse,Response}#initialize_copy.
[ruby-core:75504] [Bug #12381]
* test/openssl/test_ocsp.rb: Test them.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55455 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c,
ext/openssl/ossl_pkey_ec.c, ext/openssl/ossl_pkey_rsa.c: Implement
initialize_copy method for OpenSSL::PKey::*.
[ruby-core:75504] [Bug #12381]
* test/openssl/test_pkey_dh.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_ec.rb, test/openssl/test_pkey_rsa.rb: Test they
actually copy the OpenSSL objects, and modifications to cloned object
don't affect the original object.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55454 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c,
ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days
ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* test/openssl/test_pkey_ec.rb (setup): Don't call EC#generate_key! for
Oakley-* curves. This causes an odd error on Ubuntu 16.04 with openssl
1.0.2g-1ubuntu4.1.
begin
OpenSSL::PKey::EC.new("Oakley-EC2N-4").generate_key
rescue
p $!
end
OpenSSL::PKey::RSA.new(512)
This sometimes causes:
#<OpenSSL::PKey::ECError: EC_KEY_generate_key: pairwise test failed>
fips.c(139): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
[ruby-dev:49670] [Bug #12504]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55444 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify):
Use ossl_clear_error() so that they don't print warnings to stderr and
leak errors in the OpenSSL error queue. Also, check the return value
of OCSP_*_verify() correctly. They can return -1 on verification
failure.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
specifying hash algorithm used in signing. They are hard coded to use
SHA-1.
Based on a patch provided by Tim Shirley <tidoublemy@gmail.com>.
[ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]
* test/openssl/test_ocsp.rb: Test sign-verify works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c (ossl_ocspcid_get_issuer_name_hash,
ossl_ocspcid_get_issuer_key_hash, ossl_ocspcid_get_hash_algorithm):
Add accessor methods OCSP::CertificateId#issuer_name_hash,
#issuer_key_hash, #hash_algorithm.
Based on a patch provided by Paul Kehrer <paul.l.kehrer@gmail.com>.
[ruby-core:48062] [Feature #7181]
* test/openssl/test_ocsp.rb: Test these new methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55411 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der):
Implement #to_der methods for OCSP::BasicResponse and
OCSP::CertificateId.
(ossl_ocspreq_initialize, ossl_ocspres_initialize): Use GetOCSP*()
instead of raw DATA_PTR().
(ossl_ocspbres_initialize, ossl_ocspcid_initialize): Allow
initializing from DER string.
(Init_ossl_ocsp): Define new #to_der methods.
* test/openssl/test_ocsp.rb: Test these changes. Also add missing tests
for OCSP::{Response,Request}#to_der.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key):
DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key().
Fixes r55285. [ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55408 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag,
ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by
EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if
the cipher supports AEAD. AES-GCM was the only supported in OpenSSL
1.0.1.
(Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't
work.
* ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if
missing. They are added in OpenSSL 1.1.0, and have the same value as
EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* test/openssl/test_engine.rb (test_openssl_engine_builtin,
test_openssl_engine_by_id_string): Skip test if 'openssl' engine is
already loaded. And test the number increased by Engine.load{_by_id,},
not the total count of loaded engines. Previously, we called
OpenSSL::Engine.cleanup every time running a test case, but we no
longer can do it.
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55387 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/ossl_asn1.c (asn1integer_to_num): Use
ASN1_ENUMERATED_to_BN() to convert an ASN1_ENUMERATED to a BN.
Starting from OpenSSL 1.1.0, ASN1_INTEGER_to_BN() rejects
non-ASN1_INTEGER objects. The format of INTEGER and ENUMERATED are
almost identical so they behaved in the same way in OpenSSL <= 1.0.2.
[ruby-core:75225] [Feature #12324]
* test/openssl/test_asn1.rb (test_decode_enumerated): Test that it
works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC.
SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in
OpenSSL's configuration. This fixes r55214.
* test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does
not support ECDH.
* test/openssl/utils.rb (start_server): Ignore error in
SSLContext#ecdh_curves=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | | |
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
And adjust tests for test-unit.
* ruby-trunk r55224..r55335: (16 commits)
(r55335) openssl: fix build with OpenSSL 1.1.0 and no pkg-config
(r55314) openssl: adjust tests for OpenSSL 1.1.0
(r55309) openssl: add SSL::SSLContext#security_level{=,}
(r55304) openssl: avoid deprecated version-specific ssl methods if n..
(r55294) openssl: fix free function of OpenSSL::Cipher
(r55291) openssl: fix compile on VC
(r55289) openssl: use SSL_is_server()
(r55288) openssl: avoid d2i_ASN1_BOOLEAN()
(r55287) openssl: adapt to OpenSSL 1.1.0 opaque structs
(r55285) openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs
(r55283) openssl: support OpenSSL 1.1.0's new multi-threading API
(r55282) openssl: check existence of RAND_pseudo_bytes()
(r55273) openssl: avoid deprecated BN_*prime* functions
(r55252) ossl_asn1.c: check overflow
(r55249) openssl: fix the Year 2038 problem
(r55229) openssl: add missing test for r55219
Sync-with-trunk: r55335
|
