| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.
Also, OpenSSL's error queue is not correctly cleared:
$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
-e:1: warning: can't set verify locations
["error:02001002:system library:fopen:No such file or directory",
"error:2006D080:BIO routines:BIO_new_file:no such file",
"error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]
The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.
This inconsistency was unintentionally introduced by commit 5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.
Fixes: https://github.com/ruby/openssl/issues/649
|
|
|
|
|
|
|
|
|
| |
OpenSSL built from the source creates the library directory to the
`/path/to/openssl_dir/lib64` as a default.
In the case, the `bundle exec rake compile -- --with-openssl-dir=<openssl_dir>`
cannot compile with the lib64 directory, and may compile with system OpenSSL's
libraries unintentionally. This commit is to check this case to avoid linking
with an unintentional library directory.
|
|
|
|
|
|
| |
TruffleRuby
* See https://github.com/ruby/openssl/issues/650#issuecomment-1645699608
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL::Cipher#pkcs5_keyivgen should only be used when it is
absolutely necessary for compatibility with ancient applications.
Having an example can be misleading. We already have another example
for OpenSSL::Cipher in which PBKDF2 is used to derive a key.
As described in the rdoc of OpenSSL::Cipher#pkcs5_keyivgen, it is
compatible with PKCS#5 PBES1 (PKCS#5 v1.5) only when used in combination
of a hash function MD2, MD5, or SHA-1, and a cipher DES-CBC or RC2-CBC.
This example uses MD5 as the hash function and combines it with AES.
This is considered insecure and also using a non-standard technique to
derive longer keys.
|
|
|
|
|
|
|
|
|
|
|
| |
Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.
[rhe: rewrote commit message]
Co-authored-by: Bart de Water <bartdewater@gmail.com>
|
| |
|
|\
| |
| | |
Drop support for Ruby 2.6
|
| |
| |
| |
| |
| | |
Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to
use C99 syntax.
|
|/
|
|
|
|
|
|
|
| |
clang generates a warning:
../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
arg->interrupted = 1;
^ ~
1 error generated.
|
|\
| |
| | |
extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for
the primary purpose of appending custom warning flags during
development and CI.
Since checking programs generated by mkmf may not be completely
warning-free, we don't want to apply -Werror that may be supplied from
those environment variables.
|
|\ \
| | |
| | | |
Implement Write Barrier for all OpenSSL types
|
| |/
| |
| |
| |
| |
| |
| | |
The vast majority have no reference so it's just a matter of setting the flags.
For the couple exception, they have very little references so it's
easy.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
```
$ openssl genrsa -out key.pem 4096
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
from -e:1:in `<main>'
```
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g. "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to the `mkmf.rb#init_mkmf`, there are command line options below.
* `--with-cflags` to set the `cflags`
* `--with-ldflags` to set the `ldflags`
For example the following command compiles with the specified flags. Note that
`MAKEFLAGS` is to print the compiler command lines.
```
$ MAKEFLAGS="V=1" \
bundle exec rake compile -- \
--with-cflags="-Wundef -Werror" \
--with-ldflags="-fstack-protector"
```
However, I couldn't find command line options to append the flags. And this
commit is to append the `cflags` and `ldflags` by the environment variables.
```
$ MAKEFLAGS="V=1" \
RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \
RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \
bundle exec rake compile
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below
in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined.
```
$ bundle install --standalone
$ bundle exec rake compile -- \
--with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \
--with-cflags="-Wundef"
mkdir -p tmp/x86_64-linux/openssl/3.2.1
cd tmp/x86_64-linux/openssl/3.2.1
/usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef
...
gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’:
../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
425 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’:
../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
460 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘Init_openssl’:
../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
1218 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
...
cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
more, and some FIPS related APIs also were removed in OpenSSL 3.
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
works with the OpenSSL installed without FIPS option.
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
'false' surely in the CI. You can test the FIPS mode case by setting
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
way to get the status of the FIPS mode enabled or disabled for this purpose. I
am afraid of the possibility that the FIPS test case is unintentionally skipped.
I also replaced the ambiguous "returns" with "should return" in the tests.
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-3.0:
Ruby/OpenSSL 3.0.2
Fix build with LibreSSL 3.5
Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters
pkey/ec: check private key validity with OpenSSL 3
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.2:
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
| | |\
| | | |
| | | | |
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | | |
|
| | |/ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
|
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
|
|\ \ \
| | | |
| | | | |
Undefine `OpenSSL::SSL` for no socket platforms
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.
Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.
This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.
[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.
OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
|
|\ \ \ \
| | | | |
| | | | | |
Suppress OpenSSL-3 warnings
|
| | | | | |
|
| |/ / / |
|
|\ \ \ \
| | | | |
| | | | | |
Check for functions with arguments
|
| |/ / / |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
As noted in commit a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.
Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.
NPN is less relevant today anyway. Let's also silence test suite when
it's not available.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
The macro is now defined by default in LibreSSL 3.4+. Let's document it
for future readers.
|
|/ / /
| | |
| | |
| | |
| | | |
RDoc does not consider preprocessor conditionals, but equally uses
both documents of `#if` and `#else` sides.
|
|\ \ \
| | | |
| | | | |
Use EVP_Digest{Sign,Verify} when available
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
|
| | | |
| | | |
| | | | |
Adds back missing constant description on the documentation.
|
|\ \ \ \
| | | | |
| | | | | |
Allow empty string to OpenSSL::Cipher#update
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
For some reasons, plaintext may be empty string.
ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
|
|/ / /
| | |
| | |
| | | |
LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
|
|\ \ \
| | | |
| | | | |
Add BN#mod_sqrt
|
| | | | |
|
| | | | |
|