summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-02-254-30/+61
|\ | | | | | | | | | | | | | | | | | | | | * maint-2.1: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| * .github/workflows: update Ruby and OpenSSL/LibreSSL versionsKazuki Yamaguchi2021-02-251-5/+5
| |
| * Merge pull request #418 from rhenium/ky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-251-12/+22
| |\ | | | | | | bn: check -1 return from BIGNUM functions
| | * bn: check -1 return from BIGNUM functionsky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-181-12/+22
| |/ | | | | | | | | | | | | | | | | | | Although the manpage says that BIGNUM functions return 0 on error, OpenSSL versions before 1.0.2n and current LibreSSL versions may return -1 instead. Note that the implementation of OpenSSL::BN#mod_inverse is extracted from BIGNUM_2c() macro as it didn't really share the same function signature with others.
| * .github/workflows: disable pkg-config on Windows testsKazuki Yamaguchi2021-02-181-1/+2
| | | | | | | | | | | | | | | | | | | | | | Let ext/openssl/extconf.rb find the correct OpenSSL installation from the default include/library paths. Since some time ago, the test environment contains another OpenSSL installation and pkg-config from Mingw-w64. However, as pkg-config is not available in RubyInstaller (Ruby 2.3), simply invoking pkg-config command from our ext/openssl/extconf.rb ends up with picking up Mingw-w64's OpenSSL, which is incompatible with RI.
| * Merge pull request #393 from rhenium/ky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| |\ | | | | | | ssl: retry write on EPROTOTYPE on macOS
| | * ssl: retry write on EPROTOTYPE on macOSky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| |/ | | | | | | | | | | | | | | | | | | Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227
| * Merge pull request #391 from rhenium/ky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
| |\ | | | | | | x509store: fix memory leak in X509::StoreContext.new
| | * x509store: fix memory leak in X509::StoreContext.newky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
| |/ | | | | | | | | The certificate passed as the second argument was not properly free'd in the error paths.
| * .github/workflows/test.yml: use GitHub ActionsKazuki Yamaguchi2020-08-123-65/+120
| | | | | | | | | | | | .github/workflows/test.yml is copied from current master's (last update by commit 0a2e8c67f252), and then the LibreSSL versions to run test with are adjusted for Ruby/OpenSSL 2.1.
| * Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSLJeremy Evans2020-08-121-2/+8
| | | | | | | | | | | | | | | | [ Original commit is 4e9801dff855 in 2.2.0. This is a backport to the 2.1 branch. ] LibreSSL 2.8.0+ does not support multiple elements in the first argument.
* | Ruby/OpenSSL 2.2.0v2.2.0ky/release-2.2.0Kazuki Yamaguchi2020-05-131-1/+1
| |
* | .github/workflows: update OpenSSL and LibreSSL versions to test withKazuki Yamaguchi2020-05-131-4/+5
| |
* | ssl: temporarily remove SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-05-132-44/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
* | ext/openssl/ossl.h: Remove a variable that is used only in assertYusuke Endoh2020-05-131-2/+1
| | | | | | | | | | | | It produces "unused variable" warnings in NDEBUG mode [ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
* | Suppress -Wshorten-64-to-32 warningsNobuyoshi Nakada2020-05-131-1/+1
| | | | | | | | [ Cherry-picked from ruby.git commit d8720eb7de9c. ]
* | Merge pull request #359 from zeroSteiner/fix/aead/ccm-mode-in-lenKazuki Yamaguchi2020-04-223-1/+69
|\ \ | | | | | | Allow specifying the data length for CCM mode
| * | Define Cipher #ccm_data_len= for CCM mode ciphersSpencer McIntyre2020-04-213-1/+69
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow specifying just length to #update CCM mode ciphers need to specify the total plaintext or ciphertext length to EVP_CipherUpdate. Update the link to the tests file Define Cipher#ccm_data_len= for CCM mode ciphers Add a unit test for CCM mode Also check CCM is authenticated when testing
* | | pkey: add PKey#inspect and #oidKazuki Yamaguchi2020-04-212-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id(). This allows user code to check the type of a PKey object. EVP_PKEY can have a pkey type for which we do not provide a dedicated subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC} can exist. It is currently not possible to distinguish such a pkey. Also, implement PKey#inspect to include the key type for convenience.
* | | Fix signing example to not use Digest instanceBart de Water2020-04-211-4/+2
| | |
* | | Look up cipher by name instead of constantBart de Water2020-04-212-24/+8
| | |
* | | Remove 'mapping between Digest class and sn/ln'Bart de Water2020-04-211-37/+0
| | | | | | | | | | | | This is not present in the referenced files anymore, and not useful to most users
* | | Look up digest by name instead of constantBart de Water2020-04-2131-171/+161
| | |
* | | Merge pull request #363 from bdewater/marshal-pkeyKazuki Yamaguchi2020-04-218-23/+85
|\ \ \ | | | | | | | | Add Marshal support to PKey objects
| * | | Add Marshal support to PKey objectsBart de Water2020-04-198-23/+85
|/ / /
* | | Merge pull request #354 from MSP-Greg/setup-ruby-pkgsKazuki Yamaguchi2020-03-311-18/+6
|\ \ \ | | | | | | | | Use setup-ruby-pkgs for Windows
| * | | Use setup-ruby-pkgs for WindowsMSP-Greg2020-03-161-18/+6
| |/ / | | | | | | | | | | | | | | | 1. Using correct MSYS compiler for Windows Ruby 2.3, previous CI used MSYS2 2. Ruby installation is done via a fork of setup-ruby
* | | Merge pull request #357 from mame/ignore-SSLError-when-socket-is-forcibly-closedKazuki Yamaguchi2020-03-311-1/+6
|\ \ \ | |/ / |/| | test/openssl/test_ssl.rb: ignore SSLError when the connection is closed
| * | test/openssl/test_ssl.rb: ignore SSLError when the connection is closedYusuke Endoh2020-03-211-1/+6
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | "test_close_after_socket_close" checks if ssl.close is no-op even after the wrapped socket is closed. The test itself is fair, but the other endpoint that is reading the SSL connection may fail with SSLError: "SSL_read: unexpected eof while reading" in some environments: https://github.com/ruby/ruby/actions/runs/60085389 (MinGW) https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz ``` 1) Failure: OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]: exceptions on 1 threads: SSL_read: unexpected eof while reading ``` This changeset rescues and ignores the SSLError in the test.
* | Revert "Use version.rb in gemspec"Kazuki Yamaguchi2020-03-101-3/+1
| | | | | | | | | | | | | | | | | | | | | | This reverts commit 55cfee6edbc5c663cbe73323852b93292cf94a3f. Unfortunately, this doesn't work well in some places because RubyGems depends on openssl in some code paths. This ends up with defining OpenSSL::VERSION twice and producing warning: /work/ruby/ext/openssl/lib/openssl/version.rb:4: warning: already initialized constant OpenSSL::VERSION /work/ruby/.x86_64-linux/.ext/common/openssl/version.rb:5: warning: previous definition of VERSION was here
* | Merge branch 'maint'Kazuki Yamaguchi2020-03-095-19/+229
|\| | | | | | | | | | | | | | | | | | | * maint: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| * Merge branch 'maint-2.0' into maintKazuki Yamaguchi2020-03-097-42/+262
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.0: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| | * Merge pull request #350 from rhenium/ky/ssl-fix-verify-hostname-set-error-codemaint-2.0Kazuki Yamaguchi2020-02-262-1/+48
| | |\ | | | | | | | | ssl: set verify error code in the case of verify_hostname failure
| | | * ssl: set verify error code in the case of verify_hostname failureky/ssl-fix-verify-hostname-set-error-codeKazuki Yamaguchi2020-02-242-1/+48
| | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: https://github.com/ruby/openssl/issues/244 Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| | * x509: add error code and verify flags constantsKazuki Yamaguchi2020-02-241-0/+91
| | | | | | | | | | | | | | | Add missing constant declarations for certificate verification flags and the error codes, to match with OpenSSL 1.1.1.
| | * Remove taint supportJeremy Evans2020-02-243-11/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.0 branch. ] Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
| | * Restore compatibility with older versions of Ruby.Samuel Williams2020-02-241-9/+21
| | | | | | | | | | | | | | | | | | | | | [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] `RB_PASS_KEYWORDS` is not always available.
| | * Fix keyword argument separation issues in ↵Jeremy Evans2020-02-241-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.
| | * Merge pull request #216 from rhenium/ky/config-include-directiveKazuki Yamaguchi2020-02-172-18/+90
| | |\ | | | | | | | | config: support .include directive
| | | * config: support .include directiveky/config-include-directiveKazuki Yamaguchi2019-12-132-18/+90
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL 1.1.1 introduces a new '.include' directive. Update our config parser to support that. As mentioned in the referenced GitHub issue, we should use the OpenSSL API instead of implementing the parsing logic ourselves, but it will need backwards-incompatible changes which we can't backport to stable versions. So continue to use the Ruby implementation for now. Squashed in additional changes by Vít Ondruch to support '.include = ' syntax. Reference: https://github.com/ruby/openssl/issues/208
* | | | ssl: remove test case test_puts_meta from test_pairKazuki Yamaguchi2020-03-091-14/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove it as it does not make sense. Also, it produces deprecation warning on the current master of Ruby (2.8). It is a test case to check that changing $/ will not affect OpenSSL::Buffering#puts. However, $/ is the input record separator and should be completely irrelevant to it.
* | | | ssl: suppress test failure with SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-03-096-48/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The feature is currently premature and will be rewritten. However, it is causing test failures on RubyCI. Make it happy for now. Reference: https://github.com/ruby/openssl/issues/334
* | | | Merge pull request #352 from DBL-Lee/masterKazuki Yamaguchi2020-02-292-1/+13
|\ \ \ \ | | | | | | | | | | Add support for SHA512/256 and SHA512/224
| * | | | add support for SHA512_256/SHA512_224DBL-Lee2020-02-272-1/+13
|/ / / /
* | | | Merge pull request #351 from rhenium/ky/actions-updateKazuki Yamaguchi2020-02-265-103/+138
|\ \ \ \ | | | | | | | | | | .github/workflows: test against different OpenSSL versions
| * | | | .travis.yml: fully migrate to GitHub Actionsky/actions-updateKazuki Yamaguchi2020-02-262-23/+1
| | | | | | | | | | | | | | | | | | | | | | | | | The GitHub Actions workflow now covers all patterns we currently test using Travis CI. .travis.yml can be removed.
| * | | | .github/workflows: test against different OpenSSL versionsKazuki Yamaguchi2020-02-261-0/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Compile OpenSSL and LibreSSL on-the-fly and run our test suite against the OpenSSL installation. Compiling OpenSSL or LibreSSL takes about 1.5 - 2 minutes on a GitHub- hosted runner.
| * | | | .github/workflows: merge CI jobs into a single workflowKazuki Yamaguchi2020-02-262-39/+32
|/ / / / | | | | | | | | | | | | | | | | The "Ubuntu-macOS" and "Windows" workflows are both for the same purpose. Merge them into a single workflow for clarity.
* | | | Merge pull request #349 from MSP-Greg/gemspec-versionKazuki Yamaguchi2020-02-251-1/+3
|\ \ \ \ | | | | | | | | | | Use version.rb in gemspec
| * | | | Use version.rb in gemspecMSP-Greg2020-02-241-1/+3
|/ / / / | | | | | | | | | | | | Use version.rb in gemspec so version string exists in one location
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-26 21:56:05 +0000