aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* pkey: allow setting algorithm-specific options in #sign and #verifyky/pkey-sign-verify-optionsKazuki Yamaguchi2021-04-042-58/+89
| | | | | | Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let OpenSSL::PKey::PKey#sign and #verify take an optional parameter for specifying control strings for EVP_PKEY_CTX_ctrl_str().
* pkey: prepare pkey_ctx_apply_options() for usage by other operationsKazuki Yamaguchi2021-04-041-8/+14
| | | | | | The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used by key generation, but it is useful for other operations too. Let's change it to a slightly more generic name.
* pkey: fix potential memory leak in PKey#signKazuki Yamaguchi2021-04-041-2/+6
| | | | | | Fix potential leak of EVP_MD_CTX object in an error path. This path is normally unreachable, since the size of a signature generated by any supported algorithms would not be larger than LONG_MAX.
* Merge pull request #396 from rhenium/ky/drop-openssl-1.0.1Kazuki Yamaguchi2021-04-0412-355/+78
|\ | | | | require OpenSSL >= 1.0.2 and LibreSSL >= 3.1
| * ossl.c: do not set locking callbacks on LibreSSLky/drop-openssl-1.0.1Kazuki Yamaguchi2021-04-042-2/+7
| | | | | | | | | | | | Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety without requiring applications to set locking callbacks and made related functions no-op.
| * ssl: use TLS_method() instead of SSLv23_method() for LibreSSLKazuki Yamaguchi2021-04-041-1/+1
| | | | | | | | | | | | | | | | | | LibreSSL 2.2.2 introduced TLS_method(), but with different semantics from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method() enabled all available versions, which included SSL 3.0 in addition. However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now TLS_method() and SSLv23_method() are equivalent.
| * ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 onlyKazuki Yamaguchi2021-04-041-5/+6
| | | | | | | | | | | | | | SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but it is made no-op and the automatic curve selection cannot be disabled. Wrap it with ifdef to make it clear that it is safe to remove it completely when we drop support for OpenSSL 1.0.2.
| * require OpenSSL >= 1.0.2 and LibreSSL >= 3.1Kazuki Yamaguchi2021-04-0411-348/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31.
* | bn: update documentation of OpenSSL::BN#initialize and #to_sKazuki Yamaguchi2021-04-021-14/+36
| | | | | | | | | | | | | | Clarify that BN.new(str, 2) and bn.to_s(2) handles binary string in big-endian, and the sign of the bignum is ignored. Reference: https://github.com/ruby/openssl/issues/431
* | Merge pull request #430 from rickmark/rickmark/bn_absKazuki Yamaguchi2021-04-022-1/+51
|\ \ | | | | | | Implement OpenSSL::BN#abs
| * | BN.abs and BN uplusRick Mark2021-04-012-1/+51
|/ / | | | | | | Adds standard math abs fuction and revises uplus to return a duplicated object due to BN mutability
* | Enclose the code that was accidentally a link in "tt"aycabta2021-03-311-1/+1
| | | | | | | | (cherry picked from commit ruby/ruby@66d2fc7989d741bf5a73286233139901cecb4fc2)
* | Merge pull request #424 from Shopify/fix-openssl-engine-buildKazuki Yamaguchi2021-03-263-17/+17
|\ \ | | | | | | Fix OpenSSL::Engine build on Debian
| * | Use #ifdef consistently for HAVE_RB_EXT_RACTOR_SAFETom Stuart2021-03-252-3/+3
| | | | | | | | | | | | | | | We previously used a mix of both `#if` and `#ifdef`, but the latter is more reliable because it will still work if the macro is undefined.
| * | Fix OpenSSL::Engine build on DebianTom Stuart2021-03-241-14/+14
|/ / | | | | | | | | | | | | | | | | | | | | | | | | On Debian 9 (“stretch”) the `OPENSSL_NO_STATIC_ENGINE` macro is not defined, which causes all the `#if HAVE_ENGINE_LOAD_…` directives to fail with `error: 'HAVE_ENGINE_LOAD_…' is not defined, evaluates to 0 [-Werror,-Wundef]` while building TruffleRuby. We can accomplish the same thing with `#ifdef`, which (of course) works fine when the `HAVE_ENGINE_LOAD…` macros are also undefined. Upstreamed from oracle/truffleruby#2255, which fixed oracle/truffleruby#2254.
* | Merge pull request #423 from rhenium/ky/pkcs7-add-signer-keep-pkey-ptrKazuki Yamaguchi2021-03-242-48/+51
|\ \ | |/ |/| pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO
| * pkcs7: keep private key when duplicating PKCS7_SIGNER_INFOky/pkcs7-add-signer-keep-pkey-ptrKazuki Yamaguchi2021-03-242-48/+51
|/ | | | | | | | | | | | | ASN1_dup() will not copy the 'pkey' field of a PKCS7_SIGNER_INFO object by design; it is a temporary field kept until the PKCS7 structure is finalized. Let's bump reference counter of the pkey in the original object and use it in the new object, too. This commit also removes PKCS7#add_signer's routine to add the content-type attribute as a signed attribute automatically. This behavior was not documented or tested. This change should not break any working user code since the method was completely useless without the change above.
* test/openssl/test_config: skip tests for .include on older OpenSSLKazuki Yamaguchi2021-03-171-4/+5
| | | | | | | | | | | | | | The .include directive was initially added by OpenSSL 1.1.1, but the syntax was later modified in 1.1.1b to improve compatibility with the parser in <= 1.1.0. The test case expects 1.1.1b's parser. https://github.com/openssl/openssl/commit/95f59d398c3f28f7ee50f092106c5910d25f9e30 The test case is failing on Ubuntu 18.04 because it still uses the initial 1.1.1 release: http://rubyci.s3.amazonaws.com/graviton2/ruby-master/log/20210316T120003Z.fail.html.gz (cherry picked from commit ruby/ruby@e61e9bcfb27580ae52b46fc7ca49c38f8fdeb8cd)
* test/openssl/test_cipher: skip AES-CCM tests on OpenSSL <= 1.1.1bKazuki Yamaguchi2021-03-171-1/+1
| | | | | | | | | | | | | AES CCM mode in OpenSSL <= 1.1.1b was overly strict in the parameters assignment order. This has been relaxed by OpenSSL 1.1.1c. https://github.com/openssl/openssl/commit/b48e3be947ddc5da6b5a86db8341081c72b9a4ee The test case is failing on Ubuntu 18.04 because it still uses the initial 1.1.1 release and has the issue: http://rubyci.s3.amazonaws.com/graviton2/ruby-master/log/20210316T120003Z.fail.html.gz (cherry picked from commit ruby/ruby@44d67128a827c65d1a3867c5d8fd190d10aa1dd2)
* Merge pull request #398 from rhenium/ky/pkey-remove-ec-group-from-raw-methodKazuki Yamaguchi2021-03-161-42/+2
|\ | | | | pkey/ec: remove OpenSSL::PKey::EC::Group.new(ec_method) form
| * pkey/ec: remove OpenSSL::PKey::EC::Group.new(ec_method) formky/pkey-remove-ec-group-from-raw-methodKazuki Yamaguchi2020-08-211-42/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The form created an empty EC_GROUP object with the specified EC_METHOD. However, the feature was unfinished and not useful in any way because OpenSSL::PKey::EC::Group did not implement wrappers for necessary functions to set actual parameters for the group, namely EC_GROUP_set_curve() family. EC_GROUP object creation with EC_METHOD explicitly specified is deprecated in OpenSSL 3.0, as it was apparently not intended for use outside OpenSSL. It is still possible to create EC_GROUP, but without EC_METHOD explicitly specified - OpenSSL chooses the appropriate EC_METHOD for the curve type. The OpenSSL::PKey::EC::Group.new(<:GFp|:GF2m>, p, a, b) form will continue to work.
* | Merge branch 'ky/sample-updates'Kazuki Yamaguchi2021-02-257-34/+29
|\ \ | | | | | | | | | | | | | | | * ky/sample-updates: sample: update obsolete API use sample: avoid "include OpenSSL"
| * | sample: update obsolete API useky/sample-updatesKazuki Yamaguchi2021-02-253-8/+7
| | |
| * | sample: avoid "include OpenSSL"Kazuki Yamaguchi2021-02-255-27/+23
|/ / | | | | | | | | | | | | | | It is not a common practice and should not be done since it causes name clash: for example, Digest and Random are provided by other standard libraries of Ruby. Fixes: https://github.com/ruby/openssl/issues/419
* | test: adjust test cases for LibreSSL 3.2.4Kazuki Yamaguchi2021-02-255-41/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | LibreSSL 3.2.4 made the certificate verification logic back closer to pre-3.2.2 one, which is more compatible with OpenSSL. Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only (and ~3.3.1, however 3.3 does not have a stable release yet). Since both releases are security fix, it should be safe to remove those special treatment from our test suite. While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and TLS 1.3 variants for clarity.
* | Merge branch 'maint-2.2'Kazuki Yamaguchi2021-02-254-30/+59
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.2: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| * \ Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-02-254-30/+61
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.1: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| | * | .github/workflows: update Ruby and OpenSSL/LibreSSL versionsKazuki Yamaguchi2021-02-251-5/+5
| | | |
| | * | Merge pull request #418 from rhenium/ky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-251-12/+22
| | |\ \ | | | | | | | | | | bn: check -1 return from BIGNUM functions
| | | * | bn: check -1 return from BIGNUM functionsky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-181-12/+22
| | |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Although the manpage says that BIGNUM functions return 0 on error, OpenSSL versions before 1.0.2n and current LibreSSL versions may return -1 instead. Note that the implementation of OpenSSL::BN#mod_inverse is extracted from BIGNUM_2c() macro as it didn't really share the same function signature with others.
| | * | .github/workflows: disable pkg-config on Windows testsKazuki Yamaguchi2021-02-181-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let ext/openssl/extconf.rb find the correct OpenSSL installation from the default include/library paths. Since some time ago, the test environment contains another OpenSSL installation and pkg-config from Mingw-w64. However, as pkg-config is not available in RubyInstaller (Ruby 2.3), simply invoking pkg-config command from our ext/openssl/extconf.rb ends up with picking up Mingw-w64's OpenSSL, which is incompatible with RI.
| | * | Merge pull request #393 from rhenium/ky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| | |\ \ | | | | | | | | | | ssl: retry write on EPROTOTYPE on macOS
| | | * | ssl: retry write on EPROTOTYPE on macOSky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| | |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227
| | * | Merge pull request #391 from rhenium/ky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
| | |\ \ | | | | | | | | | | x509store: fix memory leak in X509::StoreContext.new
| | | * | x509store: fix memory leak in X509::StoreContext.newky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
| | |/ / | | | | | | | | | | | | | | | | The certificate passed as the second argument was not properly free'd in the error paths.
| | * | .github/workflows/test.yml: use GitHub ActionsKazuki Yamaguchi2020-08-123-65/+120
| | | | | | | | | | | | | | | | | | | | | | | | .github/workflows/test.yml is copied from current master's (last update by commit 0a2e8c67f252), and then the LibreSSL versions to run test with are adjusted for Ruby/OpenSSL 2.1.
| | * | Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSLJeremy Evans2020-08-121-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Original commit is 4e9801dff855 in 2.2.0. This is a backport to the 2.1 branch. ] LibreSSL 2.8.0+ does not support multiple elements in the first argument.
* | | | Merge pull request #416 from ruby/syncKazuki Yamaguchi2021-02-173-12/+72
|\ \ \ \ | | | | | | | | | | Sync from ruby master
| * | | | support Ruby 2.x for opensslKoichi Sasada2021-02-142-2/+35
| | | | | | | | | | | | | | | | | | | | ruby/ruby@e76b56f58e44cb54497d93526d649950f5bdd1c0
| * | | | openssl is ractor-safeKoichi Sasada2021-02-143-10/+37
|/ / / / | | | | | | | | | | | | | | | | | | | | | | | | ossl_bn_ctx is C's global variable and it should be ractor-local to make it ractor-safe. ruby/ruby@b5588edc0a538de840c79e0bbc9d271ba0c5a711
* | | | Fixed the results of OpenSSL::Timestamp::Response#failure_infoNobuyoshi Nakada2021-02-142-11/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Made stored values `Symbol`s instead of `ID`s. Fixes https://bugs.ruby-lang.org/issues/17625 Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com>
* | | | Merge pull request #413 from ruby/backport-ruby-coreHiroshi SHIBATA2020-12-144-47/+45
|\ \ \ \ | | | | | | | | | | Backport ruby core repo
| * | | | Use rb_intern_const instead of rb_intern in Init functionsNobuyoshi Nakada2020-12-141-13/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` find . -name \*.o -exec nm {} + |& sed '/Init_.*\.rbimpl_id/!d;s/^.* b //;s/\.[1-9][0-9]*$//;s/\.rbimpl_id$//' | uniq ``` should be empty.
| * | | | Don't redefine #rb_intern over and over againStefan Stüben2020-12-141-32/+30
| | | | |
| * | | | Remove trailing spaces [ci skip]Nobuyoshi Nakada2020-12-142-2/+2
|/ / / /
* | | | Enhance TLS 1.3 support on LibreSSL 3.2/3.3Jeremy Evans2020-12-035-24/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3.
* | | | Revert "Import ruby/ruby@3beecafc2cae86290a191c1e841be13f5b08795d"Benoit Daloze2020-09-261-25/+23
| | | | | | | | | | | | | | | | | | | | * This reverts commit 86f113c9a67fb5d60d2b8847765f960abd94335f. * It was reverted in ruby/ruby.
* | | | Import ruby/ruby@3beecafc2cae86290a191c1e841be13f5b08795dBenoit Daloze2020-08-291-23/+25
| |_|/ |/| |
* | | Merge pull request #394 from rhenium/ky/ssl-remove-tmp-ecdh-callbackKazuki Yamaguchi2020-08-213-94/+3
|\ \ \ | | | | | | | | ssl: remove SSL::SSLContext#tmp_ecdh_callback
| * | | ssl: remove SSL::SSLContext#tmp_ecdh_callbackky/ssl-remove-tmp-ecdh-callbackKazuki Yamaguchi2020-08-133-94/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not supported by any non-EOL versions of OpenSSL. The wrapper was initially implemented in Ruby 2.3 and has been deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit warning with rb_warn().
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-05 22:44:52 +0000