| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
The previous series of commits re-implemented key generation with the
low level API with the EVP API. The BN_GENCB-based callback function is
no longer used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided
to keep 1.0.1 support because many major Linux distributions were still
shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions
are reaching their EOL and it should be safe to assume nobody uses them
anymore. Major ones that were using 1.0.1:
- Ubuntu 14.04 is EOL since 2019-04-30
- RHEL 6 will reach EOL on 2020-11-30
LibreSSL 3.0 and older versions are no longer supported by the LibreSSL
team as of October 2020.
Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also
did on 2018-08-31.
|
|
|
|
|
|
|
|
|
| |
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
|
| |
|
|
|
|
|
| |
- define missing TS_RESP_CTX_set_time_cb
- handle alternate case for nil oid
|
|
|
|
|
|
|
| |
- clean up whitespace
- be consistent with not returning after ossl_raise
- use accessor functions when working with openssl TS_* structs
- backport accessors for TS_STATUS_INFO, TS_VERIFY_CTX, and TS_RESP_CTX as macros
|
|
|
|
| |
Looks like at least some versions of OpenSSL define this as a macro.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
LibreSSL does not define HAVE_OPAQUE_OPENSSL, but operates
similarly.
See:
https://github.com/openbsd/ports/commit/24f62d13dcefff26ade5088b7cdd9238a805450d
https://github.com/openbsd/ports/commit/c8307509d3638d5e5e6c1b7be411f4cdeba0e113
|
|
|
|
|
|
|
| |
Don't assume that just because X509_STORE_set_ex_data is defined
that the second one is defined. Some versions of LibreSSL need
this. See
https://github.com/openbsd/ports/commit/23f03b0df4af7e0606fd73c551a39430234b7449
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[Fix GH-1958]
From: Jun Aruga <jaruga@redhat.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Suppress more -Wparentheses warnings
[Fix GH-1958]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this is a combined patch of r64806-r64808.]
Sync-with-trunk: r64808
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with
TLS 1.3", 2018-08-06) is applied to the new test cases.
* maint-2.0:
reduce LibreSSL warnings
openssl_missing.h: constified
openssl: search winsock
search winsock libraries explicitly
no ID cache in Init functions
test/test_ssl: fix test failure with TLS 1.3
tool/ruby-openssl-docker: update to latest versions
pkey: resume key generation after interrupt
|
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/openssl_missing.h (IMPL_KEY_ACCESSOR{2,3}):
constified obj argument getters.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63684 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r63684
|
| |
| |
| |
| | |
Thanks rhenium for the code review and fixes.
|
|/
|
|
|
|
|
|
|
|
| |
They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses an
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.
|
|
|
|
|
|
|
|
| |
Restore the old behavior of OpenSSL::SSL::Session#==.
SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the
time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque
structs", 2016-06-05).
|
|
|
|
|
| |
To avoid symbol conflict that would occur if two versions of OpenSSL are
loaded at the same time.
|
|
|
|
|
|
|
| |
SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add
alternative macro definition for ancient versions of OpenSSL.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693
|
|
|
|
|
| |
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
|
|
|
|
|
|
|
| |
Fix compiler errors and warnings. The order of parameters of
X509_{CRL,REQ}_get0_signature() has been changed, and certificate and
CRL time accessors have been reorganized: *_get_* functions are
deprecated and replaced by *_get0_* that return a const pointer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add OpenSSL::Cipher#iv_len=. For interoperability with other
applications, it is sometimes required. Normally 'IV' is fixed-length,
but in OpenSSL, some ciphers such as aes-128-gcm make use of it as
'nonce', which is variable-length.
Changing the IV length in Cipher#iv= is also an option but I decided not
to choose it. Because in Ruby <= 2.3 Cipher#iv= truncates the input when
the length is longer than the current IV length, changing the behavior
might cause unexpected encryption result.
[Bug #8667] [Bug #10420] [GH ruby/ruby#569]
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c,
ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days
ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
| |
* ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key):
DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key().
Fixes r55285. [ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55408 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag,
ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by
EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if
the cipher supports AEAD. AES-GCM was the only supported in OpenSSL
1.0.1.
(Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't
work.
* ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if
missing. They are added in OpenSSL 1.1.0, and have the same value as
EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
* ext/openssl/openssl_missing.h: Include ruby/config.h. r55285 added
some inline functions but VC does not recognize 'inline' keyword.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55291 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This
function was introduced in OpenSSL 1.0.2.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing.
* ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if
the SSL is server. The state machine in OpenSSL was rewritten and
SSL_get_state() no longer returns SSL_ST_ACCEPT.
(ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some
`const`s to suppress warning.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55289 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/extconf.rb: Check existence of accessor functions that
don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
structures opaque and requires use of these accessor functions.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.[ch]: Implement them if missing.
* ext/openssl/ossl*.c: Use these accessor functions.
* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and
{RSA,DSA,EC_KEY,DH}_get0_*() functions.
OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide
setter methods for each parameter of each PKey type, for example
PKey::RSA#e=, but this is no longer possible because the new API
RSA_set0_key() requires the 'n' at the same time. This commit adds
deprecation warning to them and adds PKey::*#set_* methods as direct
wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be
rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'.
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement
RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}.
Emit a warning with rb_warning() when old setter methods are used.
* test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb,
test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH
object that are used in tmp_dh_callback. Generating a new key pair
every time should be fine - actually the private exponent is ignored
in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set.
https://www.openssl.org/news/secadv/20160128.txt
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the
OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application
had to set locking callbacks to use OpenSSL in a multi-threaded
environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we
don't need to do something special.
[ruby-core:75225] [Feature #12324]
Also check existence of *_up_ref(). Some structures in OpenSSL have
a reference counter. We used to increment it with CRYPTO_add() which
is a part of the old API.
* ext/openssl/openssl_missing.h: Implement *_up_ref() if missing.
* ext/openssl/ossl.c: Don't set locking callbacks if unneeded.
* ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c,
ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add().
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55283 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
this a TLS server automatically selects a curve which both the client
and the server support to use in ECDH. This changes the default
behavior but users can still disable ECDH by excluding 'ECDH' cipher
suites from the cipher list (with SSLContext#ciphers=). This commit
also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
1.1.0. Its callback receives two values 'is_export' and 'keylength'
but both are completely useless for determining a curve to use in
ECDH. The automatic curve selection was introduced to replace this.
(ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
warning if this is in use.
(ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
SSL_CTX_set1_curves_list(). If it is not available, this falls back
to SSL_CTX_set_tmp_ecdh().
(Init_ossl_ssl): Define SSLContext#ecdh_curves=.
* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
SSL_CTX_set_tmp_ecdh_callback().
* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
missing.
* test/openssl/test_pair.rb (test_ecdh_callback): Use
EnvUtil.suppress_warning to suppress deprecated warning.
(test_ecdh_curves): Test that SSLContext#ecdh_curves= works.
* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
| |
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
| |
* ext/openssl/openssl_missing.h, ext/openssl/ossl.h: Remove
unnecessary 'extern "C"' blocks. We don't use C++ and these headers
are local to ext/openssl, so there is no need to enclose with it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55161 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl.c (Init_openssl): register an ex_data index for
X509_STORE and X509_STORE_CTX respectively. Since they don't share
the ex_data index registry, we can't use the same index.
(ossl_verify_cb): use the the correct index.
* ext/openssl/ossl_ssl.c (ossl_ssl_verify_callback): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509store_set_vfy_cb): ditto.
(ossl_x509stctx_verify): ditto.
* ext/openssl/ossl.h (void ossl_clear_error): add extern declarations
of ossl_store_{ctx_,}ex_verify_cb_idx.
* ext/openssl/openssl_missing.c: remove X509_STORE_set_ex_data and
X509_STORE_get_ex_data.
* ext/openssl/openssl_missing.h: implement X509_STORE_get_ex_data,
X509_STORE_set_ex_data and X509_STORE_get_ex_new_index as macros.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55074 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
|
|
|
|
| |
See also r50351 from ruby/ruby#876
|
|
|