| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
[ky: fixed compatibility with older versions of Ruby]
(cherry picked from commit ruby/ruby@45e65f302b663b2c6ab69df06d3b6f219c1797b2)
|
|
|
|
|
|
|
|
|
| |
Use EVP_PKEY_param_check() instead of DH_check() if available. Also,
use EVP_PKEY_public_check() instead of EC_KEY_check_key().
EVP_PKEY_*check() is part of the EVP API and is meant to replace those
low-level functions. They were added by OpenSSL 1.1.1. It is currently
not provided by LibreSSL.
|
|
|
|
|
|
| |
The previous series of commits re-implemented key generation with the
low level API with the EVP API. The BN_GENCB-based callback function is
no longer used.
|
|
|
|
|
|
| |
Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety
without requiring applications to set locking callbacks and made
related functions no-op.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided
to keep 1.0.1 support because many major Linux distributions were still
shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions
are reaching their EOL and it should be safe to assume nobody uses them
anymore. Major ones that were using 1.0.1:
- Ubuntu 14.04 is EOL since 2019-04-30
- RHEL 6 will reach EOL on 2020-11-30
LibreSSL 3.0 and older versions are no longer supported by the LibreSSL
team as of October 2020.
Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also
did on 2018-08-31.
|
|
|
|
|
|
|
|
|
|
| |
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by
LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not
supported by any non-EOL versions of OpenSSL.
The wrapper was initially implemented in Ruby 2.3 and has been
deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit
warning with rb_warn().
|
|
|
|
|
|
|
|
|
| |
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
|
|
|
|
|
|
| |
Remove dead code. The function, or a macro in OpenSSL 1.1.0 and newer,
always exists unless the whole engine code is disabled with
OPENSSL_NO_ENGINE.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
They no longer exists in OpenSSL 1.0.1, which is the oldest version
Ruby/OpenSSL currently compiles with.
Note that OpenSSL 1.0.2 and older is already in EOL state. The following
engines should also be removed when we completely drop support for those
versions as they were removed in OpenSSL 1.1.0.
- 4758cca
- aep
- atalla
- chil
- cswift
- nuron
- sureware
- ubsec
- gmp
- gost
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revert two commits:
- ea49ccc82aa4 Add cloudhsm to extconf.rb
- 33ed3ba10424 Add cloudhsm to ossl_engine.c
OpenSSL::Engine.load is a binding for ENGINE_load_*() functions which
are provided by OpenSSL itself, so-called "static engines".
Since the AWS CloudHSM engine is a dynamic engine, which is provided as
a shared library, this change is not a correct solution for the issue.
Reference: https://github.com/ruby/openssl/issues/189
Reference: https://github.com/ruby/openssl/pull/190
|
|
|
|
|
|
|
|
|
|
|
| |
No function needs -Werror=deprecated-declarations flag to check
availability any more.
This also fixes -Werror=deprecated-declarations erroneously carrying on
to the actual compilation, resulting in an compilation error on some
environment.
Fixes: https://github.com/ruby/openssl/pull/331
|
|
|
|
|
|
|
|
| |
The default implementation of RAND_pseudo_bytes() uses the same routine
as RAND_bytes().
Note that OpenSSL::Random.pseudo_bytes has been available only when it
is compiled with EOL versions of OpenSSL.
|
| |
|
|
|
| |
to support the CloudHSM OpenSSL library
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- make some global variables static instead of extern
- get rid of GetTsReqPtr/GetTsRespPtr functions
- don't use c99 comments
- fix some leaks
- clarify what numeric type is returned (Integer or BN, never Fixnum)
- typos
- add missing checks, remove unecessary checks
- use OPENSSL_NO_TS instead of our own macros checking for ts support
- use EVP_{digest-name} instead of looking up algos by NID
- don't differentiate between failure reasons when verifying
- rename Response#pkcs7 to #token
|
|
|
|
|
| |
- define missing TS_RESP_CTX_set_time_cb
- handle alternate case for nil oid
|
|
|
|
|
|
|
| |
- clean up whitespace
- be consistent with not returning after ossl_raise
- use accessor functions when working with openssl TS_* structs
- backport accessors for TS_STATUS_INFO, TS_VERIFY_CTX, and TS_RESP_CTX as macros
|
|
|
|
| |
This commit applies the second patches (ts2.tar.gz) from https://bugs.ruby-lang.org/issues/4183
|
|\
| |
| | |
Support client certificates with TLS 1.3
|
| |
| |
| |
| |
| |
| | |
Enable post-handshake authentication with OpenSSL 1.1.1
Fixes #237
|
|/
|
|
|
|
|
| |
Don't assume that just because X509_STORE_set_ex_data is defined
that the second one is defined. Some versions of LibreSSL need
this. See
https://github.com/openbsd/ports/commit/23f03b0df4af7e0606fd73c551a39430234b7449
|
|\
| |
| |
| |
| |
| |
| | |
* maint-2.0:
Ruby/OpenSSL 2.0.9
needs openssl/opensslv.h
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in
openssl/opensslv.h. fix up r64101.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r64236
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with
TLS 1.3", 2018-08-06) is applied to the new test cases.
* maint-2.0:
reduce LibreSSL warnings
openssl_missing.h: constified
openssl: search winsock
search winsock libraries explicitly
no ID cache in Init functions
test/test_ssl: fix test failure with TLS 1.3
tool/ruby-openssl-docker: update to latest versions
pkey: resume key generation after interrupt
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/extconf.rb: LibreSSL headers emit "overriding WinCrypt
defines" warnings if wincrypt.h has been included (except for
x509.h) on Windows. get rid of including the header by defining
NOCRYPT macro.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64101 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r64101
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/extconf.rb: on Windows search winsock library
always, regardless pkg-config. direct use of winsock is not
region of OpenSSL. [ruby-core:85895] [Bug #14568]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62637 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62637
|
| |
| |
| |
| |
| | |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62628
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.0:
Ruby/OpenSSL 2.0.8
test/test_ssl_session: set client protocol version explicitly
test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
extconf.rb: fix build with LibreSSL 2.7.0
cipher: validate iterations argument for Cipher#pkcs5_keyivgen
test/utils: disable Thread's report_on_exception in start_server
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Our compat implementation of accessor functions that were introduced in
OpenSSL 1.1.0 conflicts with those from LibreSSL 2.7.0. Use the
HAVE_OPAQUE_OPENSSL code path when LibreSSL 2.7 or newer is detected.
Fix suggested by Joel Sing.
Fixes: https://github.com/ruby/openssl/issues/192
|
| |
| |
| |
| |
| |
| |
| | |
OpenSSL <= 1.0.0 did not support TLS 1.1/1.2, and thus we must still
check the existence of the symbols. This fixes the previous commit,
3e5a009966bd ("ssl: remove unsupported TLS versions from
SSLContext::METHODS", 2017-08-08).
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check for all version-specific SSL methods. We do check for existence of
TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This
fixes compile error when OpenSSL is configured with no-tls1-method.
Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL
supports the corresponding versions or not. This prevents :TLSv1 from
being in SSLContext::METHODS when OpenSSL is compiled with no-tls1.
In particular, Debian sid has disabled TLS 1.0/1.1 support recently.
The changes in ext/openssl are partial backport of 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.4
History.md: add entries for 2.0.1-2.0.3
History.md: wrap at 80 characters
extconf.rb: simplify searching libraries logic
Search SSL libraries by testing various filename patterns
openssl: fix broken openssl check
openssl: fix broken openssl check
x509store: clear error queue after calling X509_LOOKUP_load_file()
tool/sync-with-trunk: 'LASY' -> 'LAST'
Update .travis.yml and Dockerfile
test/test_x509store: skip OpenSSL::TestX509Store#test_set_errors
Fix documentation for OpenSSL::Cipher#final
Fix typos
ssl: check return value of SSL_set_fd()
test/test_ssl: fix typo in test_sysread_and_syswrite
Fix typos
test/test_pkey_ec: do not use dummy 0 order
|
| |
| |
| |
| |
| | |
Clarify what it's doing. For non-Windows and MinGW platforms we can
just give "crypto" and "ssl" to have_library.
|
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/extconf.rb (find_openssl_library): should search by more flexible
method, especially for LibreSSL on Windows.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58742 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/extconf.rb: check for broken OpenSSL only on mac OS.
[ruby-core:79475] [Bug #13200]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57591 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
scrypt support is added.
* topic/kdf-module:
kdf: add scrypt
ossl.h: add NUM2UINT64T() macro
kdf: introduce OpenSSL::KDF module
|
| | |
| | |
| | |
| | |
| | | |
Add OpenSSL::KDF.scrypt as a wrapper around EVP_PBE_scrypt(). This is
added by OpenSSL 1.1.0.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Describe --with-openssl-dir option that specifies the directory the
OpenSSL installed if the libraries could not found, and suggest
installing "development package" if just the headers are missing.
Also, let it raise an exception instead of writing to Logging and
terminating the process. This improves the look of the error message on
'gem install openssl' or 'make' (on the Ruby tree) failure.
|
|\|
| |
| |
| |
| |
| |
| | |
* maint:
appveyor.yml: update OpenSSL version to 1.0.2j
Fix build with static OpenSSL libraries on Windows
Fix for ASN1::Constructive 'each' implementation
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL <= 1.0.2 requires gdi32 for RAND_screen(). OpenSSL >= 1.1.0 no
longer has RAND_screen() but it now requires crypt32. If pkg-config is
usable, they are automatically linked, but if it is not, configuring
Ruby/OpenSSL fails.
Fixes: https://bugs.ruby-lang.org/issues/13080
|
|/
|
|
|
|
|
|
|
|
| |
They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses an
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.
|
|
|
|
|
|
|
|
| |
Restore the old behavior of OpenSSL::SSL::Session#==.
SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the
time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque
structs", 2016-06-05).
|
|
|
|
|
|
|
| |
SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add
alternative macro definition for ancient versions of OpenSSL.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693
|
|
|
|
|
| |
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
|
|
|
|
|
| |
The Ruby core code uses assert.h without a guard. So, we can assume it
is always available.
|
| |
|
|
|
|
|
|
| |
r45944 exported the internal thread_native.h as ruby/thread_native.h.
It does not depend on the thread model specific headers, so the
workaround is no longer necessary.
|
|
|
|
|
|
|
| |
Fix compiler errors and warnings. The order of parameters of
X509_{CRL,REQ}_get0_signature() has been changed, and certificate and
CRL time accessors have been reorganized: *_get_* functions are
deprecated and replaced by *_get0_* that return a const pointer.
|