| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Remove the OSSL_DEBUG flag and OpenSSL.mem_check_start which is only
compiled when the flag is given. They are meant purely for development
of Ruby/OpenSSL.
OpenSSL.mem_check_start helped us find memory leak bugs in past, but
it is no longer working with the recent OpenSSL versions. Let's just
remove it now.
|
| |
|
|
|
|
|
|
|
| |
This is a workaround for the decoding issue in ossl_pkey_read_generic().
The issue happens in the case that a key management provider is different from
a decoding provider.
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
to avoid the issue.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix the wrong man reference.
* According to the LIBRESSL_VERSION_NUMBER(3), the value always ends with 00f.
```
$ man -M /home/jaruga/.local/libressl-6650dce/share/man/ 3 LIBRESSL_VERSION_NUMBER
...
DESCRIPTION
OPENSSL_VERSION_NUMBER and LIBRESSL_VERSION_NUMBER are numeric release version
identifiers. The first two digits contain the major release number, the third and
fourth digits the minor release number, and the fifth and sixth digits the fix re‐
lease number. For OpenSSL, the seventh and eight digits contain the patch release
number and the final digit is 0 for development, 1 to e for betas 1 to 14, or f
for release. For LibreSSL, OPENSSL_VERSION_NUMBER is always 0x020000000, and
LIBRESSL_VERSION_NUMBER always ends with 00f.
```
|
| |\
| |
| |
| |
| | |
rhenium/ky/ssl-connect-verify-error-ssl-error-syscall
ssl: adjust "certificate verify failed" error on SSL_ERROR_SYSCALL
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Enrich SSLError's message with the low-level certificate verification
result, even if SSL_get_error() returns SSL_ERROR_SYSCALL. This is
currently done on SSL_ERROR_SSL only.
According to the man page of SSL_get_error(), SSL_ERROR_SYSCALL may be
returned for "other errors, check the error queue for details". This
apparently means we have to treat SSL_ERROR_SYSCALL, if errno is not
set, as equivalent to SSL_ERROR_SSL.
|
| | |
| |
| |
| |
| | |
Expand tabs, insert some spaces, and adjust indentation of switch-case
to match Ruby's style.
|
| |\ \
| | |
| | | |
[DOC] enhance RDoc for exporting pkeys
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem
and #to_der more clearly. They return a different result depending on
whether the pkey is a public or private key. This was not documented
adequately.
Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem
and #public_to_pem instead, if possible.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Suggest the use of OpenSSL::PKey::PKey#private_to_pem and #public_to_pem
in the top-level documentation. For new programs, these are recommended
over OpenSSL::PKey::RSA#export (also aliased as #to_s and #to_pem)
unless there is a specific reason to use it, i.e., unless the PKCS#1
output format specifically is required.
The output format of OpenSSL::PKey::RSA#export depends on whether the
key is a public key or a private key, which is very counter-intuitive.
Additionally, when called with arguments to encrypt a private key, as in
this example, OpenSSL's own, non-standard format is used. The man page
of PEM_write_bio_PrivateKey_traditional(3) in OpenSSL 1.1.1 or later
states that it "should only be used for compatibility with legacy
programs".
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Let's consistently use the word "password". Although they are considered
synonymous, the mixed usage in the rdoc can cause confusion.
OpenSSL::KDF.scrypt is an exception. This is because RFC 7914 refers to
the input parameter as "passphrase".
|
| |\ \ \
| | | |
| | | | |
ssl: raise SSLError if loading ca_file or ca_path fails
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.
Also, OpenSSL's error queue is not correctly cleared:
$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
-e:1: warning: can't set verify locations
["error:02001002:system library:fopen:No such file or directory",
"error:2006D080:BIO routines:BIO_new_file:no such file",
"error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]
The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.
This inconsistency was unintentionally introduced by commit 5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.
Fixes: https://github.com/ruby/openssl/issues/649
|
| |\ \ \ \
| | | | |
| | | | | |
Include "additional data" message in OpenSSL errors
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Error entries in the OpenSSL error queue may contain additional
contextual information associated with the error, which can be helpful
when debugging.
This "additional data" is currently only printed to stderr when
OpenSSL.debug is enabled. Let's include this in the exception messages
raised with ossl_raise(), too.
$ ruby -Ilib -ropenssl -e'OpenSSL.debug=true; OpenSSL::SSL::SSLContext.new.ecdh_curves="P-256:not-a-curve"'
-e:1: warning: error on stack: error:0A080106:SSL routines:gid_cb:passed invalid argument (group 'not-a-curve' cannot be set)
-e:1:in `ecdh_curves=': passed invalid argument (group 'not-a-curve' cannot be set) (OpenSSL::SSL::SSLError)
from -e:1:in `<main>'
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Updated the `OpenSSL::OPENSSL_VERSION_NUMBER` comment explaining the format.
* Added the `OpenSSL::LIBRESSL_VERSION_NUMBER` to print LibreSSL version number,
in the case that Ruby OpenSSL binding is compiled with LibreSSL. Note
`test/openssl/utils.rb#libressl?` is not using this value in it for now.
* Update `rake debug` to print the values in a readable way, adding
`OpenSSL::OPENSSL_VERSION_NUMBER` and `OpenSSL::LIBRESSL_VERSION_NUMBER`.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL built from the source creates the library directory to the
`/path/to/openssl_dir/lib64` as a default.
In the case, the `bundle exec rake compile -- --with-openssl-dir=<openssl_dir>`
cannot compile with the lib64 directory, and may compile with system OpenSSL's
libraries unintentionally. This commit is to check this case to avoid linking
with an unintentional library directory.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
TruffleRuby
* See https://github.com/ruby/openssl/issues/650#issuecomment-1645699608
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::Cipher#pkcs5_keyivgen should only be used when it is
absolutely necessary for compatibility with ancient applications.
Having an example can be misleading. We already have another example
for OpenSSL::Cipher in which PBKDF2 is used to derive a key.
As described in the rdoc of OpenSSL::Cipher#pkcs5_keyivgen, it is
compatible with PKCS#5 PBES1 (PKCS#5 v1.5) only when used in combination
of a hash function MD2, MD5, or SHA-1, and a cipher DES-CBC or RC2-CBC.
This example uses MD5 as the hash function and combines it with AES.
This is considered insecure and also using a non-standard technique to
derive longer keys.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.
[rhe: rewrote commit message]
Co-authored-by: Bart de Water <bartdewater@gmail.com>
|
| | | |
|
| |\ \
| | |
| | | |
Drop support for Ruby 2.6
|
| | |/
| |
| |
| |
| | |
Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to
use C99 syntax.
|
| |/
|
|
|
|
|
|
|
| |
clang generates a warning:
../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
arg->interrupted = 1;
^ ~
1 error generated.
|
| |\
| |
| | |
extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for
the primary purpose of appending custom warning flags during
development and CI.
Since checking programs generated by mkmf may not be completely
warning-free, we don't want to apply -Werror that may be supplied from
those environment variables.
|
| |\ \
| | |
| | | |
Implement Write Barrier for all OpenSSL types
|
| | |/
| |
| |
| |
| |
| |
| | |
The vast majority have no reference so it's just a matter of setting the flags.
For the couple exception, they have very little references so it's
easy.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
```
$ openssl genrsa -out key.pem 4096
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
from -e:1:in `<main>'
```
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g. "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to the `mkmf.rb#init_mkmf`, there are command line options below.
* `--with-cflags` to set the `cflags`
* `--with-ldflags` to set the `ldflags`
For example the following command compiles with the specified flags. Note that
`MAKEFLAGS` is to print the compiler command lines.
```
$ MAKEFLAGS="V=1" \
bundle exec rake compile -- \
--with-cflags="-Wundef -Werror" \
--with-ldflags="-fstack-protector"
```
However, I couldn't find command line options to append the flags. And this
commit is to append the `cflags` and `ldflags` by the environment variables.
```
$ MAKEFLAGS="V=1" \
RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \
RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \
bundle exec rake compile
```
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below
in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined.
```
$ bundle install --standalone
$ bundle exec rake compile -- \
--with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \
--with-cflags="-Wundef"
mkdir -p tmp/x86_64-linux/openssl/3.2.1
cd tmp/x86_64-linux/openssl/3.2.1
/usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef
...
gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’:
../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
425 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’:
../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
460 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘Init_openssl’:
../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
1218 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
...
cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
more, and some FIPS related APIs also were removed in OpenSSL 3.
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
works with the OpenSSL installed without FIPS option.
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
'false' surely in the CI. You can test the FIPS mode case by setting
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
way to get the status of the FIPS mode enabled or disabled for this purpose. I
am afraid of the possibility that the FIPS test case is unintentionally skipped.
I also replaced the ambiguous "returns" with "should return" in the tests.
|
| | |
|
| | |
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-3.0:
Ruby/OpenSSL 3.0.2
Fix build with LibreSSL 3.5
Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters
pkey/ec: check private key validity with OpenSSL 3
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.2:
Ruby/OpenSSL 2.2.3
ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs
ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5
Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
| | | |\
| | | |
| | | | |
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
| | | | | |
|
| | | |/ |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
|
| | | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 3.0 branch. ]
(cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
|
| |\ \ \
| | | |
| | | | |
Undefine `OpenSSL::SSL` for no socket platforms
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.
Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.
This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.
[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.
OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
|
| |\ \ \ \
| | | | |
| | | | | |
Suppress OpenSSL-3 warnings
|
| | | | | | |
|
| | |/ / / |
|
