| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem
and #to_der more clearly. They return a different result depending on
whether the pkey is a public or private key. This was not documented
adequately.
Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem
and #public_to_pem instead, if possible.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Suggest the use of OpenSSL::PKey::PKey#private_to_pem and #public_to_pem
in the top-level documentation. For new programs, these are recommended
over OpenSSL::PKey::RSA#export (also aliased as #to_s and #to_pem)
unless there is a specific reason to use it, i.e., unless the PKCS#1
output format specifically is required.
The output format of OpenSSL::PKey::RSA#export depends on whether the
key is a public key or a private key, which is very counter-intuitive.
Additionally, when called with arguments to encrypt a private key, as in
this example, OpenSSL's own, non-standard format is used. The man page
of PEM_write_bio_PrivateKey_traditional(3) in OpenSSL 1.1.1 or later
states that it "should only be used for compatibility with legacy
programs".
|
|
|
|
|
|
|
|
| |
Let's consistently use the word "password". Although they are considered
synonymous, the mixed usage in the rdoc can cause confusion.
OpenSSL::KDF.scrypt is an exception. This is because RFC 7914 refers to
the input parameter as "passphrase".
|
| |
|
|\
| |
| | |
Drop support for Ruby 2.6
|
| |
| |
| |
| |
| | |
Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to
use C99 syntax.
|
|/
|
|
|
|
|
|
|
| |
clang generates a warning:
../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
arg->interrupted = 1;
^ ~
1 error generated.
|
|\
| |
| | |
extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for
the primary purpose of appending custom warning flags during
development and CI.
Since checking programs generated by mkmf may not be completely
warning-free, we don't want to apply -Werror that may be supplied from
those environment variables.
|
|\ \
| | |
| | | |
Implement Write Barrier for all OpenSSL types
|
| |/
| |
| |
| |
| |
| |
| | |
The vast majority have no reference so it's just a matter of setting the flags.
For the couple exception, they have very little references so it's
easy.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
```
$ openssl genrsa -out key.pem 4096
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
from -e:1:in `<main>'
```
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g. "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to the `mkmf.rb#init_mkmf`, there are command line options below.
* `--with-cflags` to set the `cflags`
* `--with-ldflags` to set the `ldflags`
For example the following command compiles with the specified flags. Note that
`MAKEFLAGS` is to print the compiler command lines.
```
$ MAKEFLAGS="V=1" \
bundle exec rake compile -- \
--with-cflags="-Wundef -Werror" \
--with-ldflags="-fstack-protector"
```
However, I couldn't find command line options to append the flags. And this
commit is to append the `cflags` and `ldflags` by the environment variables.
```
$ MAKEFLAGS="V=1" \
RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \
RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \
bundle exec rake compile
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below
in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined.
```
$ bundle install --standalone
$ bundle exec rake compile -- \
--with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \
--with-cflags="-Wundef"
mkdir -p tmp/x86_64-linux/openssl/3.2.1
cd tmp/x86_64-linux/openssl/3.2.1
/usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef
...
gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’:
../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
425 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’:
../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
460 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘Init_openssl’:
../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
1218 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
...
cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
more, and some FIPS related APIs also were removed in OpenSSL 3.
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
works with the OpenSSL installed without FIPS option.
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
'false' surely in the CI. You can test the FIPS mode case by setting
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
way to get the status of the FIPS mode enabled or disabled for this purpose. I
am afraid of the possibility that the FIPS test case is unintentionally skipped.
I also replaced the ambiguous "returns" with "should return" in the tests.
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-3.0:
Ruby/OpenSSL 3.0.2
Fix build with LibreSSL 3.5
Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters
pkey/ec: check private key validity with OpenSSL 3
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.2:
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
| | |\
| | | |
| | | | |
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | | |
|
| | |/ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
|
|\ \ \
| | | |
| | | | |
Undefine `OpenSSL::SSL` for no socket platforms
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.
Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.
This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.
[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.
OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
|
|\ \ \ \
| | | | |
| | | | | |
Suppress OpenSSL-3 warnings
|
| | | | | |
|
| |/ / / |
|
|\ \ \ \
| | | | |
| | | | | |
Check for functions with arguments
|
| |/ / / |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
As noted in commit a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.
Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.
NPN is less relevant today anyway. Let's also silence test suite when
it's not available.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
The macro is now defined by default in LibreSSL 3.4+. Let's document it
for future readers.
|
|/ / /
| | |
| | |
| | |
| | | |
RDoc does not consider preprocessor conditionals, but equally uses
both documents of `#if` and `#else` sides.
|
|\ \ \
| | | |
| | | | |
Use EVP_Digest{Sign,Verify} when available
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
|
| | | |
| | | |
| | | | |
Adds back missing constant description on the documentation.
|
|\ \ \ \
| | | | |
| | | | | |
Allow empty string to OpenSSL::Cipher#update
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
For some reasons, plaintext may be empty string.
ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
|
|/ / /
| | |
| | |
| | | |
LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
|
|\ \ \
| | | |
| | | | |
Add BN#mod_sqrt
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
returns a BN
|
|/ / /
| | |
| | |
| | |
| | |
| | | |
Just to reroute compiler warnings.
(cherry picked from commit ruby/ruby@7060b23ffa25fb53884e99e4ab1fa8919f666beb)
|