Ruby 2.6 has reached EOL in 2022-03. Requiring Ruby 2.7 allows us to
use C99 syntax.

extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features

RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for
the primary purpose of appending custom warning flags during
development and CI.
Since checking programs generated by mkmf may not be completely
warning-free, we don't want to apply -Werror that may be supplied from
those environment variables.

CI: Upgrade OpenSSL and LibreSSL versions.

If x is a modular square root of a (mod p) then so is (p - x). Both
answers are valid. In particular, both 2 and 3 are valid square roots
of 4 (mod 5). Do not assume that a particular square root is chosen by
the algorithm. Indeed, the algorithm in OpenSSL and LibreSSL <= 3.7
returns a non-deterministic answer in many cases. LibreSSL 3.8 and
later will always return the smaller of the two possible answers. This
breaks the current test case.
Instead of checking for a particular square root, check that the square
of the claimed square root is the given value. This is always true. Add
the simplest test case where the answer is indeed non-deterministic.
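
An added illustration of the test strategy described in the message above, not code from ruby/openssl or OpenSSL: a pure-Ruby Tonelli-Shanks stands in for the library's algorithm, and its random non-residue draw yields either root of 4 (mod 5), while the check x*x == a (mod p) accepts both. The helper names `mod_sqrt`, `valid_mod_sqrt?` and `observed_roots` are hypothetical.

```ruby
# Added example, not code from ruby/openssl or OpenSSL. Helper names are
# hypothetical; Tonelli-Shanks stands in for the library's algorithm.

# Square root of a modulo an odd prime p; nil if a is not a quadratic residue.
def mod_sqrt(a, p, rng: Random.new)
  a %= p
  return 0 if a.zero?
  return nil unless a.pow((p - 1) / 2, p) == 1 # Euler's criterion

  # Write p - 1 = q * 2**s with q odd.
  q = p - 1
  s = 0
  (q >>= 1; s += 1) while q.even?

  # Draw a random quadratic non-residue z; the draw can decide which of
  # the two roots is returned.
  z = rng.rand(2...p)
  z = rng.rand(2...p) until z.pow((p - 1) / 2, p) == p - 1

  m = s
  c = z.pow(q, p)
  t = a.pow(q, p)
  r = a.pow((q + 1) / 2, p)
  until t == 1
    # Least i with t**(2**i) == 1 (mod p).
    i = 0
    t2 = t
    (t2 = t2 * t2 % p; i += 1) until t2 == 1
    b = c.pow(1 << (m - i - 1), p)
    m = i
    c = b * b % p
    t = t * c % p
    r = r * b % p
  end
  r
end

# The check from the commit message: accept x iff x*x == a (mod p).
def valid_mod_sqrt?(x, a, p)
  !x.nil? && (x * x) % p == a % p
end

# Distinct roots seen over many draws (constructed sample: sqrt(4) mod 5).
def observed_roots(a, p, trials: 200, seed: 1)
  rng = Random.new(seed)
  Array.new(trials) { mod_sqrt(a, p, rng: rng) }.uniq.sort
end
```

An assertion pinned to one root would fail on roughly half of the draws here, whereas the property check holds for every draw.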

CI: Rename the key name "foo_bar" (underscore) to "foo-bar" (hyphen).

GitHub Action YAML config file's key names are a style with the "foo-bar"
(hyphen). This commit is to rename the key names with "foo_bar" (underscore) to
"foo-bar" (hyphen) for consistency.
* Replaced "fips_enabled" with "fips-enabled".
* Replaced "append_configure" with "append-configure".
* Replaced "name_extra" with "name-extra".

Implement Write Barrier for all OpenSSL types

The vast majority have no references so it's just a matter of setting the flags.
For the couple of exceptions, they have very few references so it's
easy.

Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.

It's to test the `OpenSSL::PKey.read` in the `test/openssl/test_pkey.rb`.
I added the pending status to the following tests failing on the FIPS mode
case in the `test/openssl/test_pkey.rb`.
* `test_ed25519`
* `test_x25519`
* `test_compare?`

We want to run the unit tests in the FIPS mode too.

This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
```
$ openssl genrsa -out key.pem 4096
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
from -e:1:in `<main>'
```
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g. "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.

Rakefile: Print the message with `Rake.rake_output_message`.

The `puts` method outputs the message to the `$stdout`, while the `sh` method
outputs the message of the executed command to the `$stderr` by the
`Rake.rake_output_message`.
https://github.com/ruby/rake/blob/v13.0.6/lib/rake/file_utils.rb#L51
This caused the message `Compiler: ...` not to be printed before the actual compiling
task like the CI result below.
<https://github.com/ruby/openssl/actions/runs/5142797693/jobs/9256988158#step:6:141>.

Print the Ruby and compiler info or the command itself before compiling.

The new task "debug_compiler" is to print the Ruby and compiler version or the
compiler command itself for the debugging purpose. The task name aligns
with the "debug" task that is to print the info in the Ruby OpenSSL binding for
the debugging purpose.
The compiler version info is useful when we hit the issues coming from the
newly updated compilers on the CI, and we find the cause.

Append flags from environment variables.

According to the `mkmf.rb#init_mkmf`, there are command line options below.
* `--with-cflags` to set the `cflags`
* `--with-ldflags` to set the `ldflags`
For example the following command compiles with the specified flags. Note that
`MAKEFLAGS` is to print the compiler command lines.
```
$ MAKEFLAGS="V=1" \
bundle exec rake compile -- \
--with-cflags="-Wundef -Werror" \
--with-ldflags="-fstack-protector"
```
However, I couldn't find command line options to append the flags. And this
commit is to append the `cflags` and `ldflags` by the environment variables.
```
$ MAKEFLAGS="V=1" \
RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \
RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \
bundle exec rake compile
```

CI: Enable the verbose mode in the mkmf.rb by env MAKEFLAGS.

Enable the verbose option (variable `V`) in the `Makefile` generated by
`mkmf.rb` to print the compiling commands in the process of the `rake compile`
by setting the environment variable `MAKEFLAGS`[1] reserved by `make`. Because
it's helpful to see what compiler warnings are checked.
It seems that this implementation to enable the verbose mode only works in
Linux and macOS. Not Windows.
[1] https://www.gnu.org/software/make/manual/html_node/Variables_002fRecursion.html

This reverts commit a832f5cb98ee952a3e7ceeddf59065b9c1f430b4.
Because there is a simpler way to enable the verbose mode by setting the
environment variable `MAKEFLAGS`.

CI: Enable the verbose mode in the mkmf.rb.

Enable the verbose option in mkmf.rb to print the compiling commands in the
process of the `rake compile`. Because it's helpful to see what compiler
warnings are checked.
The script only runs in Linux and macOS. Not Windows. Because the sh script
doesn't work in Windows. For the syntax, see the reference.[1]
Right now there is a way to configure Ruby with `--enable-mkmf-verbose` for this
purpose. But there is no formal way to enable the verbose mode at runtime of
Ruby. My intention is that this commit is a workaround for this purpose.
[1] https://docs.github.com/en/actions/learn-github-actions/variables
* Default environment variables - RUNNER_OS
* Detecting the operating system

Revert "Skip OpenSSL::TestHMAC#test_dup when running with RHEL9"

This reverts commit 9493d4a3bb26d1bfa7f30c2786fc6dd4451753fd.

Fix warnings about the OPENSSL_FIPS macro in OpenSSL 1.1.

The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below
in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined.
```
$ bundle install --standalone
$ bundle exec rake compile -- \
--with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \
--with-cflags="-Wundef"
mkdir -p tmp/x86_64-linux/openssl/3.2.1
cd tmp/x86_64-linux/openssl/3.2.1
/usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef
...
gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’:
../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
425 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’:
../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
460 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘Init_openssl’:
../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
1218 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
...
cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so
```

This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
more, and some FIPS related APIs also were removed in OpenSSL 3.
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
The `OpenSSL::OPENSSL_FIPS` always returns true in OpenSSL 3 because the used
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
work with the OpenSSL installed without FIPS option.
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
`false` surely in the CI. You can test the FIPS mode case by setting
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
way to get the status of the FIPS mode enabled or disabled for this purpose. I
am afraid of the possibility that the FIPS test case is unintentionally skipped.
I also replaced the ambiguous "returns" with "should return" in the tests.

test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl:
I referred to the following document for the openssl config file for FIPS mode.
<https://www.openssl.org/docs/manmaster/man7/fips_module.html>
- Making all applications use the FIPS module by default
It seems that the `.include` syntax only requires the absolute path.
So, the placeholder OPENSSL_DIR in the template file is replaced with the
actual OpenSSL directory.
.github/workflows/test.yml:
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` environment variable is set
in the FIPS mode CI case. It can be used in the unit tests.

Add rdoc as a development dependency.

There is a case of the Ruby where the rdoc is not a default gem. That is Ruby
RPM packages on Fedora Linux and the downstream Linux. The intention is to
reduce the size of the package.

Register global variables before assignment

https://github.com/ruby/ruby/commit/b4e438d8aabaf4bba2b27f374c787543fae07c58

Relax error message check for OpenSSL 3.1

A tentative measure for https://github.com/ruby/openssl/issues/606.
With OpenSSL 3.1.0, the error message at connection using "self-signed
certificate" seems to return `SSL_R_TLSV1_ALERT_UNKNOWN_CA` instead of
`SSL_R_CERTIFICATE_VERIFY_FAILED`.

.github/workflows/test.yml: Update OpenSSL versions

Stub gemspec for JRuby

JRuby has its own implementation of the `openssl` library in
jruby-openssl. The simplest way for us to allow users to set
openssl as a gem dependency is to ship a stub gem that just
depends on jruby-openssl. This patch adds that to the gemspec.
Additional work may be required to fit this stub gem into the test
and release process.
See #20 for more details.

Skip failing test with truffleruby and ubuntu-22.04

https://github.com/ruby/openssl/actions/runs/4190107682/jobs/7263178067

Forward-port https://bugs.ruby-lang.org/issues/19386

Improve GH Actions