aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl
Commit message (Collapse)AuthorAgeFilesLines
* Include "additional data" message in OpenSSL errorsky/error-additional-dataKazuki Yamaguchi2023-08-111-12/+17
| | | | | | | | | | | | | | | Error entries in the OpenSSL error queue may contain additional contextual information associated with the error, which can be helpful when debugging. This "additional data" is currently only printed to stderr when OpenSSL.debug is enabled. Let's include this in the exception messages raised with ossl_raise(), too. $ ruby -Ilib -ropenssl -e'OpenSSL.debug=true; OpenSSL::SSL::SSLContext.new.ecdh_curves="P-256:not-a-curve"' -e:1: warning: error on stack: error:0A080106:SSL routines:gid_cb:passed invalid argument (group 'not-a-curve' cannot be set) -e:1:in `ecdh_curves=': passed invalid argument (group 'not-a-curve' cannot be set) (OpenSSL::SSL::SSLError) from -e:1:in `<main>'
* Raise an error when the specified OpenSSL library directory doesn't exist.Jun Aruga2023-07-251-2/+22
| | | | | | | | | OpenSSL built from the source creates the library directory to the `/path/to/openssl_dir/lib64` as a default. In the case, the `bundle exec rake compile -- --with-openssl-dir=<openssl_dir>` cannot compile with the lib64 directory, and may compile with system OpenSSL's libraries unintentionally. This commit is to check this case to avoid linking with an unintentional library directory.
* Always respect the openssl prefix chosen by truffle/openssl-prefix on ↵Benoit Daloze2023-07-211-1/+8
| | | | | | TruffleRuby * See https://github.com/ruby/openssl/issues/650#issuecomment-1645699608
* [DOC] remove top-level example for OpenSSL::Cipher#pkcs5_keyivgen (#647)Kazuki Yamaguchi2023-07-121-39/+0
| | | | | | | | | | | | | OpenSSL::Cipher#pkcs5_keyivgen should only be used when it is absolutely necessary for compatibility with ancient applications. Having an example can be misleading. We already have another example for OpenSSL::Cipher in which PBKDF2 is used to derive a key. As described in the rdoc of OpenSSL::Cipher#pkcs5_keyivgen, it is compatible with PKCS#5 PBES1 (PKCS#5 v1.5) only when used in combination of a hash function MD2, MD5, or SHA-1, and a cipher DES-CBC or RC2-CBC. This example uses MD5 as the hash function and combines it with AES. This is considered insecure and also using a non-standard technique to derive longer keys.
* Add support for raw private/public keys (#646)Ryo Kajiwara2023-07-121-0/+132
| | | | | | | | | | | Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public equivalents. These methods are useful for importing and exporting keys that support "raw private/public key". Currently, OpenSSL implements X25519/X448 and Ed25519/Ed448 keys. [rhe: rewrote commit message] Co-authored-by: Bart de Water <bartdewater@gmail.com>
* add OpenSSL Provider supportqwyng2023-06-174-0/+222
|
* Merge pull request #639 from rhenium/ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
|\ | | | | Drop support for Ruby 2.6
| * Drop support for Ruby 2.6ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
| | | | | | | | | | Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to use C99 syntax.
* | pkey: use unsigned type for bit fieldsky/pkey-fix-warning-single-bit-bitfield-constant-conversionKazuki Yamaguchi2023-06-071-3/+3
|/ | | | | | | | | clang generates a warning: ../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion] arg->interrupted = 1; ^ ~ 1 error generated.
* Merge pull request #633 from rhenium/ky/extconf-append-flags-lastKazuki Yamaguchi2023-06-071-6/+6
|\ | | | | extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
| * extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking featuresky/extconf-append-flags-lastKazuki Yamaguchi2023-06-021-6/+6
| | | | | | | | | | | | | | | | | | | | RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for the primary purpose of appending custom warning flags during development and CI. Since checking programs generated by mkmf may not be completely warning-free, we don't want to apply -Werror that may be supplied from those environment variables.
* | Merge pull request #604 from casperisfine/ssl-write-barrierKazuki Yamaguchi2023-06-0223-38/+51
|\ \ | | | | | | Implement Write Barrier for all OpenSSL types
| * | Implement Write Barrier for all OpenSSL typesJean Boussier2023-06-0123-38/+51
| |/ | | | | | | | | | | | | The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy.
* / Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.Jun Aruga2023-06-011-5/+21
|/ | | | | | | | | | | | | | | | | | | | | This commit is a workaround to avoid the error below that the `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. ``` $ openssl genrsa -out key.pem 4096 $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) from -e:1:in `<main>' ``` The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` doesn't apply the selection value properly if there are multiple providers, and a provider (e.g. "base" provider) handles the decoder implementation, and another provider (e.g. "fips" provider) handles the keys. The workaround is to create `OSSL_DECODER_CTX` variable each time without using the `OSSL_DECODER_CTX_set_selection`.
* Append flags from environment variables.Jun Aruga2023-05-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | According to the `mkmf.rb#init_mkmf`, there are command line options below. * `--with-cflags` to set the `cflags` * `--with-ldflags` to set the `ldflags` For example the following command compiles with the specified flags. Note that `MAKEFLAGS` is to print the compiler command lines. ``` $ MAKEFLAGS="V=1" \ bundle exec rake compile -- \ --with-cflags="-Wundef -Werror" \ --with-ldflags="-fstack-protector" ``` However, I couldn't find command line options to append the flags. And this commit is to append the `cflags` and `ldflags` by the environment variables. ``` $ MAKEFLAGS="V=1" \ RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \ RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \ bundle exec rake compile ```
* Remove usage of IO internals. (#627)Samuel Williams2023-05-292-20/+33
|
* Fix warnings about the OPENSSL_FIPS macro in OpenSSL 1.1.Jun Aruga2023-05-161-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined. ``` $ bundle install --standalone $ bundle exec rake compile -- \ --with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \ --with-cflags="-Wundef" mkdir -p tmp/x86_64-linux/openssl/3.2.1 cd tmp/x86_64-linux/openssl/3.2.1 /usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef ... gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’: ../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 425 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’: ../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 460 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘Init_openssl’: ../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 1218 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ... cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so ```
* Implement FIPS functions on OpenSSL 3.Jun Aruga2023-05-151-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get` and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`. It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any more, and some FIPS related APIs also were removed in OpenSSL 3. See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set> the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled` works with the OpenSSL installed without FIPS option. The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. Because I want to test that the `OpenSSL.fips_mode` returns the `true` or 'false' surely in the CI. You can test the FIPS mode case by setting `TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better way to get the status of the FIPS mode enabled or disabled for this purpose. I am afraid of the possibility that the FIPS test case is unintentionally skipped. I also replaced the ambiguous "returns" with "should return" in the tests.
* Register global variables before assignmentNobuyoshi Nakada2023-04-071-2/+2
|
* pkey/ec: constifyNobuyoshi Nakada2022-12-231-1/+1
|
* Merge branch 'maint-3.0'Kazuki Yamaguchi2022-12-231-17/+33
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-3.0: Ruby/OpenSSL 3.0.2 Fix build with LibreSSL 3.5 Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters pkey/ec: check private key validity with OpenSSL 3 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| * Merge branch 'maint-2.2' into maint-3.0Kazuki Yamaguchi2022-12-231-12/+16
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.2: Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | * ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certsKazuki Yamaguchi2022-12-233-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.2 branch to fix build with LibreSSL. ] OpenSSL 3.0 fixed the typo in the function name and replaced the current 'CTS' version with a macro. (cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
| | * ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5Kazuki Yamaguchi2022-12-231-1/+2
| | | | | | | | | | | | | | | | | | | | | The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same time made the structure opaque, so it does not compile. This is a patch to the 2.2 branch; the code no longer exists in v3.0.
| | * Merge pull request #564 from bannable/ec_point_ops-raiseKazuki Yamaguchi2022-12-181-7/+11
| | |\ | | | | | | | | raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | | * raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning trueJoe Truba2022-11-231-7/+11
| | | |
| | * | pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINTJoe Truba2022-11-271-5/+5
| | |/
| * | Fix build with LibreSSL 3.5Jeremy Evans2022-12-231-1/+1
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
| * | Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQJeremy Evans2022-12-231-2/+2
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
| * | pkey/ec: check private key validity with OpenSSL 3ky/pkey-ec-fix-checkJoe Truba2022-12-231-5/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().]
* | | Merge pull request #558 from kateinoigakukun/katei/fix-no-sock-supportKazuki Yamaguchi2022-12-232-20/+7
|\ \ \ | | | | | | | | Undefine `OpenSSL::SSL` for no socket platforms
| * | | Undefine `OpenSSL::SSL` for no socket platformsYuta Saito2022-12-232-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a linkage error about `ossl_ssl_type` on platforms which do not have socket, like WASI. Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56 However, due to some new use of OpenSSL::SSL::Socket over the past few years, the build under `OPENSSL_NO_SOCK` had been broken. This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`. [ky: adjusted to apply on top of my previous commit that removed the OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
| * | | ssl: remove OpenSSL::ExtConfigKazuki Yamaguchi2022-12-231-15/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This module was introduced in 2015 for internal use within this library. Neither of the two constants in it is used anymore. I don't think we will be adding a new constant in the foreseeable future, either. OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191). HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
* | | | Merge pull request #576 from nobu/openssl3-warningsKazuki Yamaguchi2022-12-238-28/+35
|\ \ \ \ | | | | | | | | | | Suppress OpenSSL-3 warnings
| * | | | Suppress deprecation warnings by OpenSSL 3Nobuyoshi Nakada2022-11-291-0/+1
| | | | |
| * | | | Constify when building with OpenSSL 3Nobuyoshi Nakada2022-11-297-28/+34
| |/ / /
* | | | Merge pull request #575 from nobu/check-in-headerKazuki Yamaguchi2022-12-231-44/+44
|\ \ \ \ | | | | | | | | | | Check for functions with arguments
| * | | | Check for functions with argumentsNobuyoshi Nakada2022-11-291-44/+44
| |/ / /
* | | | ssl: disable NPN support on LibreSSLky/libressl-3.7.0Kazuki Yamaguchi2022-12-231-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noted in commit a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence test suite when it's not available.
* | | | ssl: update TLS1_3_VERSION workaround for older LibreSSL versionsKazuki Yamaguchi2022-12-231-2/+1
| | | | | | | | | | | | | | | | | | | | The macro is now defined by default in LibreSSL 3.4+. Let's document it for future readers.
* | | | [DOC] Remove duplicate docNobuyoshi Nakada2022-12-131-6/+3
|/ / / | | | | | | | | | | | | RDoc does not consider preprocessor conditionals, but equally uses both documents of `#if` and `#else` sides.
* | | Merge pull request #560 from botovq/libressl-digest-sign-verifyKazuki Yamaguchi2022-11-241-2/+2
|\ \ \ | | | | | | | | Use EVP_Digest{Sign,Verify} when available
| * | | Use EVP_Digest{Sign,Verify} when availableTheo Buehler2022-11-231-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them when available to prepare for the addition of Ed25519 support in LibreSSL 3.7.
* | | | Fixes OPENSSL_LIBRARY_VERSION description on documentation (#559)Henrique Bontempo2022-11-241-3/+6
| | | | | | | | | | | | Adds back missing constant description on the documentation.
* | | | Merge pull request #568 from unasuke/empty_string_to_cipher_updateKazuki Yamaguchi2022-11-241-2/+1
|\ \ \ \ | | | | | | | | | | Allow empty string to OpenSSL::Cipher#update
| * | | | Allow empty string to OpenSSL::Cipher#updateYusuke Nakamura2022-11-241-2/+1
| |/ / / | | | | | | | | | | | | | | | | | | | | For some reasons, plaintext may be empty string. ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
* / / / Enable HKDF support for LibreSSL 3.6 and laterTheo Buehler2022-11-231-3/+3
|/ / / | | | | | | | | | LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
* | | Merge pull request #553 from btoews/ossl_bn_mod_sqrtKazuki Yamaguchi2022-10-171-12/+24
|\ \ \ | | | | | | | | Add BN#mod_sqrt
| * | | add document-method for BN#mod_inverseBen Toews2022-10-171-0/+1
| | | |
| * | | add BN#mod_sqrtBen Toews2022-10-171-0/+8
| | | |
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-30 04:42:02 +0000