| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Rename the test case to test_add_cert_duplicate to clarify what it is
actually testing.
|
| |
|
|
|
| |
The test case is huge and too complex. Break it up into separate test
cases for better documentation.
|
| |
|
|
|
| |
Add more details about each method, and add reference to OpenSSL man
pages.
|
| |
|
|
|
| |
Use the OpenSSL function name that caused the error to generate a better
error message.
|
| |
|
|
|
| |
Use ossl_x509_sk2ary() to create an array of OpenSSL::X509::Certificate
from STACK_OF(X509).
|
| |
|
|
|
| |
Anything passed to OpenSSL::X509::Store.new was always ignored. Let's
emit an explicit warning to not confuse users.
|
| |
|
|
|
|
|
|
| |
Undo special treatment of nil and simply pass the value to
StringValueCStr().
nil was never a valid argument for the method; OpenSSL::X509::StoreError
with an unhelpful error message "system lib" was raised in that case.
|
| | |
|
| |
|
|
| |
The socket is called ssl_connection, not connection
|
| |\
| |
| | |
Add wrapper method for EVP_PKEY_cmp to compare same type keys
|
| | |
| |
| |
| |
| |
| | |
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
|
| |\ \
| | |
| | | |
hmac: implement base64digest methods
|
| | | |
| | |
| | |
| | |
| | | |
OpenSSL::HMAC implements the similar interface as ::Digest. Let's add
base64digest methods to OpenSSL::HMAC, too, for feature parity.
|
| |\ \ \
| |_|/
|/| | |
User lower case cipher names for maximum compatibility
|
| |/ /
| |
| |
| | |
We ran into some Linux-based systems not accepting the upper case variant
|
| |\|
| |
| | |
hmac: migrate from the low-level HMAC API to the EVP API
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
|
| | | |
|
| |\ \
| |/
|/| |
pkey/ec: deprecate OpenSSL::PKey::EC::Point#mul(ary, ary [, bn])
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
Deprecate it for future removal. However, I do not expect any
application is affected by this.
The other form of calling it, PKey::EC::Point#mul(bn [, bn]) remains
untouched.
PKey::EC::Point#mul calls EC_POINTs_mul(3) when multiple BNs
are given as an array. LibreSSL 2.8.0 released on 2018-08 removed the
feature and OpenSSL 3.0 which is planned to be released in 2020 will
also deprecate the function as there is no real use-case.
|
| |
|
|
|
|
|
| |
IO.read may mangle line separator, which will corrupt binary data
including DER-encoded X.509 certificates and such.
Fixes: https://github.com/ruby/openssl/issues/243
|
| |\
| |
| | |
pkey: add more support for 'generic' pkey types
|
| | |
| |
| |
| |
| | |
Use the new OpenSSL::PKey::PKey#derive instead of the raw
{EC,}DH_compute_key(), mainly to reduce amount of the C code.
|
| | |
| |
| |
| |
| |
| | |
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
|
| | |
| |
| |
| |
| |
| | |
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
|
| | |
| |
| |
| |
| | |
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types we don't have a dedicated class.
|
| | |
| |
| |
| |
| |
| | |
The EVP interface cannot tell whether if a pkey contains the private
components or not. Assume it does if it does not respond to #private?.
This fixes the NoMethodError on calling #sign on a generic PKey.
|
| |\ \
| | |
| | | |
pkey: refactor PEM/DER serialization code
|
| | | |
| | |
| | |
| | |
| | | |
Add ossl_pkey_export_traditional() and ossl_pkey_export_spki() helper
functions, and use them. This reduces code duplication.
|
| | | |
| | |
| | |
| | |
| | | |
Export the flow used by OpenSSL::PKey.read and let the subclasses call
it before attempting other formats.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
Try PEM_read_bio_Parameters(). Only PEM format is supported at the
moment since corresponding d2i_* functions are not provided by OpenSSL.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Merge the code into the callers so that the wrapping Ruby object is
allocated before the raw key object is allocated. This prevents possible
memory leak on Ruby object allocation failure, and also reduces the
lines of code.
|
| | |/
| |
| |
| |
| |
| | |
ossl_{rsa,dsa,dh,ec}_new() called from this function are not used
anywhere else. Inline them into pkey_new0() and reduce code
duplication.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix test_socket_open_with_local_address_port_context.
Often with MinGW, it seems EACCES is returned on bind when the port
number is unavailable. Ignore it just as we do for EADDRINUSE and
continue searching free port number.
Fixes: 98f8787b4687 ("test/openssl/test_ssl: fix random failure in
SSLSocket.open test", 2020-02-17)
|
| |\ \
| |/
|/| |
config: revert to C implementation of OpenSSL::Config
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Now that OpenSSL::Config wraps a real CONF object, the caller can just
borrow it rather than creating a new temporary CONF object. CONF object
is usually treated as immutable.
DupConfigPtr() is now removed, and GetConfig() is exported instead.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Revert OpenSSL::Config to using the OpenSSL API and remove our own
parser implementation for the config file syntax.
OpenSSL::Config now wraps a CONF object. Accessor methods deal with the
object directly rather than Ruby-level internal state.
This work is based on the old C code we used before 2010.
|
| | |
| |
| |
| |
| | |
LibreSSL has removed the feature to map environment variables onto the
"ENV" section.
|
| | |
| |
| |
| |
| |
| |
| | |
Sort keys of a section before comparing. The ordering is not part of the
API. This can cause a test failure if we use OpenSSL's C implementation.
Fixes: 2ad65b5f673f ("config: support .include directive", 2018-08-16)
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove 4 deprecated methods.
The following two methods have been marked as deprecated since 2003,
by r4531 (ruby.git commit 78ff3833fb67c8005a9b851037e74b3eea940aa3).
- OpenSSL::Config#value
- OpenSSL::Config#section
Other two methods are removed because the corresponding functions
disappeared in OpenSSL 1.1.0.
- OpenSSL::Config#add_value
- OpenSSL::Config#[]=
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.
My comment on #257:
> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdba40c5 was not really
> useful. The issue is described in #305. #309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by #320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is #288, and
> it's still cooking.
This effectively reverts the following commits:
- dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
- 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
|
| |
|
|
|
|
| |
It produces "unused variable" warnings in NDEBUG mode
[ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
|
| |
|
|
| |
[ Cherry-picked from ruby.git commit d8720eb7de9c. ]
|
| |\
| |
| | |
Allow specifying the data length for CCM mode
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow specifying just length to #update
CCM mode ciphers need to specify the total plaintext or ciphertext
length to EVP_CipherUpdate.
Update the link to the tests file
Define Cipher#ccm_data_len= for CCM mode ciphers
Add a unit test for CCM mode
Also check CCM is authenticated when testing
|
