aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl
Commit message (Collapse)AuthorAgeFilesLines
* [DOC] enhance RDoc for exporting pkeysky/pkey-document-traditional-pemKazuki Yamaguchi2023-07-025-26/+219
| | | | | | | | | | Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem and #to_der more clearly. They return a different result depending on whether the pkey is a public or private key. This was not documented adequately. Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem and #public_to_pem instead, if possible.
* [DOC] prefer PKey#private_to_pem and #public_to_pem in RDocKazuki Yamaguchi2023-07-021-8/+6
| | | | | | | | | | | | | | | | | Suggest the use of OpenSSL::PKey::PKey#private_to_pem and #public_to_pem in the top-level documentation. For new programs, these are recommended over OpenSSL::PKey::RSA#export (also aliased as #to_s and #to_pem) unless there is a specific reason to use it, i.e., unless the PKCS#1 output format specifically is required. The output format of OpenSSL::PKey::RSA#export depends on whether the key is a public key or a private key, which is very counter-intuitive. Additionally, when called with arguments to encrypt a private key, as in this example, OpenSSL's own, non-standard format is used. The man page of PEM_write_bio_PrivateKey_traditional(3) in OpenSSL 1.1.1 or later states that it "should only be used for compatibility with legacy programs".
* [DOC] prefer "password" to "passphrase"Kazuki Yamaguchi2023-07-023-21/+21
| | | | | | | | Let's consistently use the word "password". Although they are considered synonymous, the mixed usage in the rdoc can cause confusion. OpenSSL::KDF.scrypt is an exception. This is because RFC 7914 refers to the input parameter as "passphrase".
* add OpenSSL Provider supportqwyng2023-06-174-0/+222
|
* Merge pull request #639 from rhenium/ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
|\ | | | | Drop support for Ruby 2.6
| * Drop support for Ruby 2.6ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
| | | | | | | | | | Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to use C99 syntax.
* | pkey: use unsigned type for bit fieldsky/pkey-fix-warning-single-bit-bitfield-constant-conversionKazuki Yamaguchi2023-06-071-3/+3
|/ | | | | | | | | clang generates a warning: ../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion] arg->interrupted = 1; ^ ~ 1 error generated.
* Merge pull request #633 from rhenium/ky/extconf-append-flags-lastKazuki Yamaguchi2023-06-071-6/+6
|\ | | | | extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
| * extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking featuresky/extconf-append-flags-lastKazuki Yamaguchi2023-06-021-6/+6
| | | | | | | | | | | | | | | | | | | | RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for the primary purpose of appending custom warning flags during development and CI. Since checking programs generated by mkmf may not be completely warning-free, we don't want to apply -Werror that may be supplied from those environment variables.
* | Merge pull request #604 from casperisfine/ssl-write-barrierKazuki Yamaguchi2023-06-0223-38/+51
|\ \ | | | | | | Implement Write Barrier for all OpenSSL types
| * | Implement Write Barrier for all OpenSSL typesJean Boussier2023-06-0123-38/+51
| |/ | | | | | | | | | | | | The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy.
* / Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.Jun Aruga2023-06-011-5/+21
|/ | | | | | | | | | | | | | | | | | | | | This commit is a workaround to avoid the error below that the `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. ``` $ openssl genrsa -out key.pem 4096 $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) from -e:1:in `<main>' ``` The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` doesn't apply the selection value properly if there are multiple providers, and a provider (e.g. "base" provider) handles the decoder implementation, and another provider (e.g. "fips" provider) handles the keys. The workaround is to create `OSSL_DECODER_CTX` variable each time without using the `OSSL_DECODER_CTX_set_selection`.
* Append flags from environment variables.Jun Aruga2023-05-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | According to the `mkmf.rb#init_mkmf`, there are command line options below. * `--with-cflags` to set the `cflags` * `--with-ldflags` to set the `ldflags` For example the following command compiles with the specified flags. Note that `MAKEFLAGS` is to print the compiler command lines. ``` $ MAKEFLAGS="V=1" \ bundle exec rake compile -- \ --with-cflags="-Wundef -Werror" \ --with-ldflags="-fstack-protector" ``` However, I couldn't find command line options to append the flags. And this commit is to append the `cflags` and `ldflags` by the environment variables. ``` $ MAKEFLAGS="V=1" \ RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \ RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \ bundle exec rake compile ```
* Remove usage of IO internals. (#627)Samuel Williams2023-05-292-20/+33
|
* Fix warnings about the OPENSSL_FIPS macro in OpenSSL 1.1.Jun Aruga2023-05-161-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined. ``` $ bundle install --standalone $ bundle exec rake compile -- \ --with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \ --with-cflags="-Wundef" mkdir -p tmp/x86_64-linux/openssl/3.2.1 cd tmp/x86_64-linux/openssl/3.2.1 /usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef ... gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’: ../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 425 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’: ../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 460 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘Init_openssl’: ../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 1218 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ... cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so ```
* Implement FIPS functions on OpenSSL 3.Jun Aruga2023-05-151-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get` and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`. It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any more, and some FIPS related APIs also were removed in OpenSSL 3. See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set> the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled` works with the OpenSSL installed without FIPS option. The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. Because I want to test that the `OpenSSL.fips_mode` returns the `true` or 'false' surely in the CI. You can test the FIPS mode case by setting `TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better way to get the status of the FIPS mode enabled or disabled for this purpose. I am afraid of the possibility that the FIPS test case is unintentionally skipped. I also replaced the ambiguous "returns" with "should return" in the tests.
* Register global variables before assignmentNobuyoshi Nakada2023-04-071-2/+2
|
* pkey/ec: constifyNobuyoshi Nakada2022-12-231-1/+1
|
* Merge branch 'maint-3.0'Kazuki Yamaguchi2022-12-231-17/+33
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-3.0: Ruby/OpenSSL 3.0.2 Fix build with LibreSSL 3.5 Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters pkey/ec: check private key validity with OpenSSL 3 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| * Merge branch 'maint-2.2' into maint-3.0Kazuki Yamaguchi2022-12-231-12/+16
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.2: Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | * ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certsKazuki Yamaguchi2022-12-233-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.2 branch to fix build with LibreSSL. ] OpenSSL 3.0 fixed the typo in the function name and replaced the current 'CTS' version with a macro. (cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
| | * ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5Kazuki Yamaguchi2022-12-231-1/+2
| | | | | | | | | | | | | | | | | | | | | The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same time made the structure opaque, so it does not compile. This is a patch to the 2.2 branch; the code no longer exists in v3.0.
| | * Merge pull request #564 from bannable/ec_point_ops-raiseKazuki Yamaguchi2022-12-181-7/+11
| | |\ | | | | | | | | raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | | * raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning trueJoe Truba2022-11-231-7/+11
| | | |
| | * | pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINTJoe Truba2022-11-271-5/+5
| | |/
| * | Fix build with LibreSSL 3.5Jeremy Evans2022-12-231-1/+1
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
| * | Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQJeremy Evans2022-12-231-2/+2
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
| * | pkey/ec: check private key validity with OpenSSL 3ky/pkey-ec-fix-checkJoe Truba2022-12-231-5/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().]
* | | Merge pull request #558 from kateinoigakukun/katei/fix-no-sock-supportKazuki Yamaguchi2022-12-232-20/+7
|\ \ \ | | | | | | | | Undefine `OpenSSL::SSL` for no socket platforms
| * | | Undefine `OpenSSL::SSL` for no socket platformsYuta Saito2022-12-232-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a linkage error about `ossl_ssl_type` on platforms which do not have socket, like WASI. Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56 However, due to some new use of OpenSSL::SSL::Socket over the past few years, the build under `OPENSSL_NO_SOCK` had been broken. This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`. [ky: adjusted to apply on top of my previous commit that removed the OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
| * | | ssl: remove OpenSSL::ExtConfigKazuki Yamaguchi2022-12-231-15/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This module was introduced in 2015 for internal use within this library. Neither of the two constants in it is used anymore. I don't think we will be adding a new constant in the foreseeable future, either. OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191). HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
* | | | Merge pull request #576 from nobu/openssl3-warningsKazuki Yamaguchi2022-12-238-28/+35
|\ \ \ \ | | | | | | | | | | Suppress OpenSSL-3 warnings
| * | | | Suppress deprecation warnings by OpenSSL 3Nobuyoshi Nakada2022-11-291-0/+1
| | | | |
| * | | | Constify when building with OpenSSL 3Nobuyoshi Nakada2022-11-297-28/+34
| |/ / /
* | | | Merge pull request #575 from nobu/check-in-headerKazuki Yamaguchi2022-12-231-44/+44
|\ \ \ \ | | | | | | | | | | Check for functions with arguments
| * | | | Check for functions with argumentsNobuyoshi Nakada2022-11-291-44/+44
| |/ / /
* | | | ssl: disable NPN support on LibreSSLky/libressl-3.7.0Kazuki Yamaguchi2022-12-231-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noted in commit a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence test suite when it's not available.
* | | | ssl: update TLS1_3_VERSION workaround for older LibreSSL versionsKazuki Yamaguchi2022-12-231-2/+1
| | | | | | | | | | | | | | | | | | | | The macro is now defined by default in LibreSSL 3.4+. Let's document it for future readers.
* | | | [DOC] Remove duplicate docNobuyoshi Nakada2022-12-131-6/+3
|/ / / | | | | | | | | | | | | RDoc does not consider preprocessor conditionals, but equally uses both documents of `#if` and `#else` sides.
* | | Merge pull request #560 from botovq/libressl-digest-sign-verifyKazuki Yamaguchi2022-11-241-2/+2
|\ \ \ | | | | | | | | Use EVP_Digest{Sign,Verify} when available
| * | | Use EVP_Digest{Sign,Verify} when availableTheo Buehler2022-11-231-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them when available to prepare for the addition of Ed25519 support in LibreSSL 3.7.
* | | | Fixes OPENSSL_LIBRARY_VERSION description on documentation (#559)Henrique Bontempo2022-11-241-3/+6
| | | | | | | | | | | | Adds back missing constant description on the documentation.
* | | | Merge pull request #568 from unasuke/empty_string_to_cipher_updateKazuki Yamaguchi2022-11-241-2/+1
|\ \ \ \ | | | | | | | | | | Allow empty string to OpenSSL::Cipher#update
| * | | | Allow empty string to OpenSSL::Cipher#updateYusuke Nakamura2022-11-241-2/+1
| |/ / / | | | | | | | | | | | | | | | | | | | | For some reasons, plaintext may be empty string. ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
* / / / Enable HKDF support for LibreSSL 3.6 and laterTheo Buehler2022-11-231-3/+3
|/ / / | | | | | | | | | LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
* | | Merge pull request #553 from btoews/ossl_bn_mod_sqrtKazuki Yamaguchi2022-10-171-12/+24
|\ \ \ | | | | | | | | Add BN#mod_sqrt
| * | | add document-method for BN#mod_inverseBen Toews2022-10-171-0/+1
| | | |
| * | | add BN#mod_sqrtBen Toews2022-10-171-0/+8
| | | |
| * | | define BIGNUM_2cr macro for BN function that takes context andBen Toews2022-10-171-12/+15
| | | | | | | | | | | | | | | | returns a BN
* | | | proper function prototypes for openssl卜部昌平2022-10-172-10/+11
|/ / / | | | | | | | | | | | | | | | Just to reroute compiler warnings. (cherry picked from commit ruby/ruby@7060b23ffa25fb53884e99e4ab1fa8919f666beb)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-30 04:20:38 +0000