aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl/ossl_pkey_dsa.c
Commit message (Collapse)AuthorAgeFilesLines
* Constify when building with OpenSSL 3Nobuyoshi Nakada2022-11-291-7/+7
|
* pkey: use EVP_PKEY_dup() if availableky/pkey-base-dupKazuki Yamaguchi2021-12-121-0/+4
| | | | | We can use it to implement OpenSSL::PKey::PKey#initialize_copy. This should work on all key types, not just DH/DSA/EC/RSA types.
* pkey: allocate EVP_PKEY on #initializeKazuki Yamaguchi2021-12-121-38/+55
| | | | | | | Allocate an EVP_PKEY when the content is ready: when #initialize or #initialize_copy is called, rather than when a T_DATA is allocated. This is more natural because the lower level API has been deprecated and an EVP_PKEY is becoming the minimum unit of handling keys.
* pkey/dsa: refactor DSA#sys{sign,verify} with PKey#{sign,verify}_rawky/pkey-encrypt-decryptKazuki Yamaguchi2021-05-251-88/+0
| | | | | | With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw, OpenSSL::PKey::DSA's low level signing operation methods can be implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.
* pkey: implement {DH,DSA,RSA}#public_key in RubyKazuki Yamaguchi2021-04-151-42/+0
| | | | | | | | | | | The low-level API that is used to implement #public_key is deprecated in OpenSSL 3.0. It is actually very simple to implement in another way, using existing methods only, in much shorter code. Let's do it. While we are at it, the documentation is updated to recommend against using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der method, there is no real use case for #public_key in newly written Ruby programs.
* pkey: implement #to_text using EVP APIKazuki Yamaguchi2021-04-151-29/+0
| | | | | | | | | | | | | | | | Use EVP_PKEY_print_private() instead of the low-level API *_print() functions, such as RSA_print(). EVP_PKEY_print_*() family was added in OpenSSL 1.0.0. Note that it falls back to EVP_PKEY_print_public() and EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH type for which _private() fails if the private component is not set in the pkey object. Since the new API works in the same way for all key types, we now implement #to_text in the base class OpenSSL::PKey::PKey rather than in each subclass.
* pkey/dsa: use high level EVP interface to generate parameters and keysKazuki Yamaguchi2021-04-051-115/+25
| | | | | | Implement PKey::DSA.new(size) and PKey::DSA.generate using OpenSSL::PKey.generate_parameters and .generate_key instead of the low level DSA functions.
* pkey: refactor #export/#to_pem and #to_derky/pkey-refactor-serializationKazuki Yamaguchi2020-05-131-42/+7
| | | | | Add ossl_pkey_export_traditional() and ossl_pkey_export_spki() helper functions, and use them. This reduces code duplication.
* pkey: refactor DER/PEM-encoded string parsing codeKazuki Yamaguchi2020-05-131-20/+17
| | | | | Export the flow used by OpenSSL::PKey.read and let the subclasses call it before attempting other formats.
* pkey: inline {rsa,dsa,dh,ec}_instance()Kazuki Yamaguchi2020-05-131-43/+25
| | | | | | | Merge the code into the callers so that the wrapping Ruby object is allocated before the raw key object is allocated. This prevents possible memory leak on Ruby object allocation failure, and also reduces the lines of code.
* pkey: simplify ossl_pkey_new()Kazuki Yamaguchi2020-05-131-21/+0
| | | | | | ossl_{rsa,dsa,dh,ec}_new() called from this function are not used anywhere else. Inline them into pkey_new0() and reduce code duplication.
* Look up digest by name instead of constantBart de Water2020-04-211-2/+2
|
* Merge branch 'maint'Kazuki Yamaguchi2017-08-081-1/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.5 ssl: fix compile error with OpenSSL 1.0.0 ssl: remove unsupported TLS versions from SSLContext::METHODS Add msys2 library dependency tag in gem metadata ossl_pem_passwd_cb: handle nil from the block explicitly ossl_pem_passwd_cb: do not check for taintedness ossl_pem_passwd_cb: relax passphrase length constraint appveyor.yml: test against Ruby 2.4 Rakefile: install_dependencies: install only when needed bio: do not use the FILE BIO method in ossl_obj2bio() bio: prevent possible GC issue in ossl_obj2bio() test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params
| * bio: prevent possible GC issue in ossl_obj2bio()Kazuki Yamaguchi2017-07-111-1/+1
| | | | | | | | | | | | | | | | | | | | Prevent the new object created by StringValue() from being GCed. Luckily, as none of the callers of ossl_obj2bio() reads from the returned BIO after possible triggering GC, this has not been a real problem. As a bonus, ossl_protect_obj2bio() function which is no longer used anywhere is removed.
* | cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()Kazuki Yamaguchi2017-05-021-1/+1
| | | | | | | | | | | | | | | | While GetCipherPtr() function gets a const EVP_CIPHER * from algorithm name, GetCipher() macro that is locally defined in ext/openssl/ossl_cipher.c gets the EVP_CIPHER_CTX from an OpenSSL::Cipher object. They are completely different things. Rename GetCipherPtr() for disambiguation.
* | Merge branch 'topic/expand-ruby-missing-h'Kazuki Yamaguchi2017-04-281-1/+1
|\ \ | | | | | | | | | | | | | | | * topic/expand-ruby-missing-h: Expand FPTR_TO_FD() macro Expand rb_define_copy_func() macro
| * | Expand rb_define_copy_func() macroKazuki Yamaguchi2017-04-281-1/+1
| |/ | | | | | | | | It's not really "missing". Let's expand that, as it does not improve the readability so much.
* | Fix RDoc markuptopic/fix-rdoc-markupKazuki Yamaguchi2017-02-241-14/+14
| | | | | | | | | | Ruby core uses _str_ for emphasizing argument names and +str+ for codes. Match with the rule for better rendering.
* | Remove support for OpenSSL 0.9.8 and 1.0.0topic/drop-openssl-098-and-100Kazuki Yamaguchi2016-12-221-6/+0
|/ | | | | | | | | | They are no longer receiving security updates from the OpenSSL development team since 2015-12. We have kept basic compatibility until now because RHEL 5 still uses an (heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03, thus it is now safe to assume nobody is still using such old versions of OpenSSL.
* pkey: tighten buffer size for signatureKazuki Yamaguchi2016-10-141-3/+1
| | | | | | | We allocate too large buffer for the generated signature. The resulting signature, or the RSA encryption result, should not be larger than the size returned by EVP_PKEY_size() (or, DSA_size(), RSA_size(), and ECDSA_size()).
* Use rb_obj_class() instead of CLASS_OF()Kazuki Yamaguchi2016-09-081-1/+1
| | | | | | CLASS_OF() (or, rb_class_of()) may return the singleton class of the object; so avoid using it and replace with rb_obj_class() that returns the actual class of the object.
* Avoid using *2FIX() where we don't know if it really fits in FixnumKazuki Yamaguchi2016-08-221-2/+2
|
* pkey: fixup documentKazuki Yamaguchi2016-08-221-1/+17
|
* pkey: don't pass a seed to DSA_generate_parameters_ex()Kazuki Yamaguchi2016-08-071-10/+3
| | | | | | | | | | We currently always pass 20 random bytes generated by RAND_bytes(). It is fine when generating parameters <= 1024 bits, because OpenSSL requires a seed with the same length as the prime q, which is 160 bits. FIPS 186-3 allowed the parameters to be >= 2048 bits. For them, OpenSSL generates a 256 bits long q. We can pass 32 bytes long random bytes instead, but the function is able to generate on its own. So just give NULL.
* Remove unnecessary usage of _() macroKazuki Yamaguchi2016-07-251-2/+2
|
* Fix RDoc styletopic/rdoc-fixesKazuki Yamaguchi2016-07-091-1/+2
|
* openssl: implement initialize_copy method for PKey classesrhe2016-06-191-0/+21
| | | | | | | | | | | | | | * ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_ec.c, ext/openssl/ossl_pkey_rsa.c: Implement initialize_copy method for OpenSSL::PKey::*. [ruby-core:75504] [Bug #12381] * test/openssl/test_pkey_dh.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_ec.rb, test/openssl/test_pkey_rsa.rb: Test they actually copy the OpenSSL objects, and modifications to cloned object don't affect the original object. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55454 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: add 'const's required in OpenSSL masterrhe2016-06-191-4/+4
| | | | | | | | | | * ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327 [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: adapt to OpenSSL 1.1.0 opaque structsrhe2016-06-091-10/+14
| | | | | | | | | | | | | | | * ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structsrhe2016-06-091-50/+72
| | | | | | | | | | | | | | | | | | | | | | | | | | * ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and {RSA,DSA,EC_KEY,DH}_get0_*() functions. OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide setter methods for each parameter of each PKey type, for example PKey::RSA#e=, but this is no longer possible because the new API RSA_set0_key() requires the 'n' at the same time. This commit adds deprecation warning to them and adds PKey::*#set_* methods as direct wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}. Emit a warning with rb_warning() when old setter methods are used. * test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb, test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH object that are used in tmp_dh_callback. Generating a new key pair every time should be fine - actually the private exponent is ignored in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set. https://www.openssl.org/news/secadv/20160128.txt git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: avoid NULL dereference in {DH,DSA,RSA}_size()rhe2016-05-311-3/+4
| | | | | | | | | | | | | | | | * ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH has 'p' (the prime) before calling DH_size(). We can create a DH with no parameter but DH_size() does not check and dereferences NULL. [ruby-core:75720] [Bug #12428] * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does not check dsa->q. * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt, ossl_rsa_public_decrypt, ossl_rsa_private_encrypt, ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55175 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: drop OpenSSL 0.9.6/0.9.7 supportrhe2016-05-311-16/+6
| | | | | | * ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: improve handling of password for encrypted PEMrhe2016-05-311-11/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the argument to String with StringValue() and validate the length is in 4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers. (ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we used to pass the password to PEM_def_callback() directly but it was problematic. It is not NUL character safe. And surprisingly, it silently truncates the password to 1024 bytes. [GH ruby/openssl#51] * ext/openssl/ossl.h: Add function prototype declaration of newly added ossl_pem_passwd_value(). * ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use ossl_pem_passwd_value() to validate the password String. * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export): ditto. * ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize, ossl_ec_key_to_string): ditto. * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export): ditto. * test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55087 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: clear OpenSSL error queue before return to Rubyrhe2016-05-311-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: report errors in OpenSSL error queue when clear itrhe2016-05-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | * ext/openssl/ossl.c (ossl_clear_error): Extracted from ossl_make_error(). This prints errors in the OpenSSL error queue if OpenSSL.debug is true, and clears the queue. (ossl_make_error): use ossl_clear_error(). * ext/openssl/ossl.h: add prototype declaration of ossl_make_error(). (OSSL_BIO_reset) use ossl_clear_error() to clear the queue. Clearing silently makes debugging difficult. * ext/openssl/ossl_engine.c (ossl_engine_s_by_id): ditto. * ext/openssl/ossl_ns_spki.c (ossl_spki_initialize): ditto. * ext/openssl/ossl_pkcs7.c (ossl_pkcs7_verify): ditto. * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize): ditto. * ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize): ditto. (ossl_ec_group_initialize): ditto. * ext/openssl/ossl_ssl.c (ossl_ssl_shutdown): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55050 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* sync code from upstreamSHIBATA Hiroshi2015-12-301-2/+2
|
* Sync with ruby trunkZachary Scott2015-09-231-1/+0
|
* Upstream ruby/ruby@451fe26 from r50673Zachary Scott2015-06-031-2/+4
|
* Apply ruby/ruby@325a50fc572516a171d640765d6ddf9b20be14dc to fix typosZachary Scott2015-05-041-1/+1
| | | | See also r50351 from ruby/ruby#876
* import ruby trunkSHIBATA Hiroshi2014-10-271-0/+623
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-24 02:54:11 +0000