| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| | |
* maint-3.0:
Remove "gemspec" from Gemfile
|
| |\
| | |
| | | |
Remove "gemspec" from Gemfile
|
| |/
| |
| |
| |
| |
| |
| |
| | |
The local lib directory may contain an incomplete openssl library.
The "gemspec" line in Gemfile causes "bundle exec" to put the lib
directory in the load path. Although our Rakefile does not use openssl
itself, it still indirectly tries to load it as a RubyGems dependency.
|
|\|
| |
| |
| |
| | |
* maint-3.0:
Don't download OpenSSL from ftp.openssl.org anyomre
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
OpenSSL announced that they're changing how they handle releases in this
blog post: https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/
The tl;dr is that:
* ftp.openssl.org is being shut down (even for HTTP access)
* The releases at openssl.org/source will redirect to github
* git.openssl.org is also shut down (the git repo is on github)
This commit just changes over to using openss.org/source instead of
ftp.openssl.org. We might also need to switch to downloading directly
from Github... let's see.
It also changes to cloning the head of openssl from github too.
(cherry picked from commit 64c50112b60e2cdcc447620a1bd73380f7186600)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.1 branch. ]
If x is a modular square root of a (mod p) then so is (p - x). Both
answers are valid. In particular, both 2 and 3 are valid square roots
of 4 (mod 5). Do not assume that a particular square root is chosen by
the algorithm. Indeed, the algorithm in OpenSSL and LibreSSL <= 3.7
returns a non-deterministic answer in many cases. LibreSSL 3.8 and
later will always return the smaller of the two possible answers. This
breaks the current test case.
Instead of checking for a particular square root, check that the square
of the claimed square root is the given value. This is always true. Add
the simplest test case where the answer is indeed non-deterministic.
(cherry picked from commit 93548ae9597ba40d3f8b564f6a948ce55b432e30)
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-3.0:
pkcs7: raise PKCS7Error for PKCS7 without content in PKCS7.read_smime
pkcs7: raise ArgumentError for PKCS7 with no content in PKCS7.new
cipher: fix buffer overflow in Cipher#update
ssl: allow failure on test_connect_certificate_verify_failed_exception_message
.github/workflows/test.yml: synchronize with master
Only CSR version 1 (encoded as 0) is allowed by PKIX standards
test_asn1.rb: Remove the assertions of the time string format without second.
test/openssl/test_asn1.rb: skip failing tests on LibreSSL 3.6.0
Use EVP_Digest{Sign,Verify} when available
Fix performance regression in do_write(s)
|
| |\
| | |
| | | |
Handle missing content in PKCS7
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fixes [Bug #19974]
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
Co-authored-by: pkuzco <b.naamneh@gmail.com>
Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
|
| |\ \
| | |/
| |/| |
cipher: fix buffer overflow in Cipher#update
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL::Cipher#update currently allocates the output buffer with size
(input data length)+(the block size of the cipher). This is insufficient
for the id-aes{128,192,256}-wrap-pad (AES keywrap with padding) ciphers.
They have a block size of 8 bytes, but the output may be up to 15 bytes
larger than the input.
Use (input data length)+EVP_MAX_BLOCK_LENGTH (== 32) as the output
buffer size, instead. OpenSSL doesn't provide a generic way to tell the
maximum required buffer size for ciphers, but this is large enough for
all algorithms implemented in current versions of OpenSSL.
Fixes: https://bugs.ruby-lang.org/issues/20236
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This patch only applies to the 3.0 and 3.1 branch. ]
It is a test case for SSLSocket generating an informative error message
on a certificate verification failure. A change in OpenSSL 3.1 broke it
and a generic error message is currently generated.
This is fixed in the 3.2 branch by commit 5113777e8271, but I decided
not to backport the commit to the 3.0 branch because the diff doesn't
apply cleanly.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
Backport changes made to .github/workflows/test.yml in master branch,
except:
- Minimum version is Ruby 2.6
- FIPS-mode related changes are excluded (as it's not supported)
This includes the following commits:
fcf53d5d6e88 CI: Remove workaround for Ruby-3.2 and 3.3 on Windows
567b412612c3 CI: Upgrade OpenSSL and LibreSSL versions.
405f1eee3dcf CI: Add OpenSSL no-legacy case.
9a995837ba7b CI: Upgrade OpenSSL and LibreSSL versions.
6feeeb821592 CI: Add the rubyinstaller2 issue link that legacy provider is not loaded.
7aed35ac969d Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers.
adfb6bb9e5b7 CI: Add OpenSSL 3.2.0.
fafe1af4a96e CI: Change the openssl_fips.cnf.tmpl and openssl_fips.cnf directories.
f07e6f5ff2e7 CI: Upgrade OpenSSL and LibreSSL versions.
0dda88d44811 Merge pull request #682 from ruby/dependabot/github_actions/actions/checkout-4
0b83eed154de Rakefile: Add test_fips task for convenience.
b94314f7165f Bump actions/checkout from 3 to 4
8c7a6a17e2bd Remove OSSL_DEBUG compile-time option
e35f19076aac CI: Replace "mode" in "FIPS mode" with "module".
61434f66d6a4 Rakefile: Print FIPS information in the `rake debug`.
7ec8024b1e9a CI: Add OpenSSL master branch head non-FIPS and FIPS cases.
24d8addd2ac9 CI: Upgrade OpenSSL versions.
fddfc5585482 CI: Add OpenSSL 3.1 FIPS case.
58ce7fa4b90c .github/workflows/test.yml: add provider load path for Windows
f6e57e1b9088 CI: Fix a typo in the comment. [ci skip]
52402f6a1cad CI: Check compiler warnings.
f6ba75e51e05 Drop support for Ruby 2.6
3456770a4219 CI: Upgrade OpenSSL and LibreSSL versions.
79786cab6f77 CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).
8149cdf6e874 CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.
08e19817b5d0 CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.
121b3b2a35ca Revert "CI: Enable the verbose mode in the mkmf.rb."
a832f5cb98ee CI: Enable the verbose mode in the mkmf.rb.
18b017218ca8 CI: Add OpenSSL FIPS mode case.
af27f509a147 .github/workflows/test.yml: Update OpenSSL versions
d277123cb7bb skip failing test with truffleruby and ubuntu-22.04
25352f4f6c08 Exclude truffleruby with macos-latest
d7f90c7c03b7 Fix missing needs call
064066437607 Try to run with TruffleRuby
aeee125a7b3d Use ruby/actions/.github/workflows/ruby_versions.yml@master
fd4074235877 .github/workflows/test.yml: update LibreSSL versions
ff2fe4b4c5b3 Strip trailing spaces [ci skip]
9c24dccf5436 Actions - Use Ubuntu 20.04 for 1.1.1 CI, misc fixes
cc876f58532c [CI] test.yml - test-openssls - use 1.1.1q, 3.0.5
0fb8d1b43aa5 [CI] add Ubuntu-22.04 and update mswin, all are OpenSSL 3
158868649532 Merge pull request #505 from ruby/update-actions
9f901dc05ce5 Test on LibreSSL 3.4 and 3.5
f2d072cad504 Use actions/checkout@v3
699e2749f525 Added 3.1
b28df9025f12 Install openssl with vcpkg on mswin
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
(cherry picked from commit c06fdeb0912221d9a2888369bbf9c10704af021e)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.
```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
431: # LibreSSL 3.6.0 requires the seconds element
432: return if libressl?
=> 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
435: # not implemented
436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
408: end
409: # Seconds is omitted. LibreSSL 3.6.0 requires it
410: return if libressl?
=> 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
413: # not implemented
414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```
(cherry picked from commit 2e826d571546cdc3beaa884f9e522a102d531641)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.6.0 expects the seconds part in UTCTime and GeneralizedTime
to be always present. LibreSSL 3.6.0 release note [1] says:
> - The ASN.1 time parser has been refactored and rewritten using CBS.
> It has been made stricter in that it now enforces the rules from
> RFC 5280.
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt
(cherry picked from commit bbc540fe83195e2a54cf40fab448cea2afe4df1d)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 3.0 branch. ]
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
(cherry picked from commit 475b2bf766d6093370e49abd5dce5436cc0034ca)
|
| |\
| | |
| | | |
Fix regression in do_write(s) causing significant performance issues when using large (>10meg) writes
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This causes significant performance issues when using large (>10meg) writes
Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbyts/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utlization.
|
|\|
| |
| |
| |
| | |
* maint-3.0:
test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters
|
| |
| |
| |
| |
| |
| |
| | |
Commit f2e2a5e5ed8e ("test/openssl/test_pkey.rb: allow failures in
test_s_generate_parameters", 2022-12-23) was completely bogus. The
problem in OpenSSL 3.0.0-3.0.5 is that errors from the callback are
sometimes silently suppressed.
|
|\ \
| | |
| | | |
pkey/ec: constify
|
|/ / |
|
| | |
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-3.0:
Ruby/OpenSSL 3.0.2
Fix build with LibreSSL 3.5
Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters
pkey/ec: check private key validity with OpenSSL 3
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.2:
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
| | |\
| | | |
| | | | |
maint-2.2 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
|
| | | | |
|
| | |\ \
| | | | |
| | | | | |
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | |/ |
|
| | |\ \
| | | |/
| | |/| |
pkey/ec: fix multiple ossl_raise() calls using cEC_POINT instead of eEC_POINT
|
| | |/ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
|
| |\ \
| | | |
| | | | |
pkey/ec: check private key validity with OpenSSL 3
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
The root cause has been fixed by OpenSSL 3.0.6, but Ubuntu 22.04's
OpenSSL package has not backported the patch yet.
Reference: https://github.com/ruby/openssl/issues/492
|
|\ \ \
| | | |
| | | | |
Undefine `OpenSSL::SSL` for no socket platforms
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.
Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.
This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.
[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.
OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Suppress OpenSSL-3 warnings
|
| | | | | |
|
| | | | | |
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Check for functions with arguments
|