aboutsummaryrefslogtreecommitdiffstats
path: root/ext
Commit message (Collapse)AuthorAgeFilesLines
* ssl: raise SSLError if loading ca_file or ca_path failsky/ssl-ca-file-ca-path-raiseKazuki Yamaguchi2023-08-111-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit 5375a55ffc35 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: https://github.com/ruby/openssl/issues/649
* Raise an error when the specified OpenSSL library directory doesn't exist.Jun Aruga2023-07-251-2/+22
| | | | | | | | | OpenSSL built from the source creates the library directory to the `/path/to/openssl_dir/lib64` as a default. In the case, the `bundle exec rake compile -- --with-openssl-dir=<openssl_dir>` cannot compile with the lib64 directory, and may compile with system OpenSSL's libraries unintentionally. This commit is to check this case to avoid linking with an unintentional library directory.
* Always respect the openssl prefix chosen by truffle/openssl-prefix on ↵Benoit Daloze2023-07-211-1/+8
| | | | | | TruffleRuby * See https://github.com/ruby/openssl/issues/650#issuecomment-1645699608
* [DOC] remove top-level example for OpenSSL::Cipher#pkcs5_keyivgen (#647)Kazuki Yamaguchi2023-07-121-39/+0
| | | | | | | | | | | | | OpenSSL::Cipher#pkcs5_keyivgen should only be used when it is absolutely necessary for compatibility with ancient applications. Having an example can be misleading. We already have another example for OpenSSL::Cipher in which PBKDF2 is used to derive a key. As described in the rdoc of OpenSSL::Cipher#pkcs5_keyivgen, it is compatible with PKCS#5 PBES1 (PKCS#5 v1.5) only when used in combination of a hash function MD2, MD5, or SHA-1, and a cipher DES-CBC or RC2-CBC. This example uses MD5 as the hash function and combines it with AES. This is considered insecure and also using a non-standard technique to derive longer keys.
* Add support for raw private/public keys (#646)Ryo Kajiwara2023-07-121-0/+132
| | | | | | | | | | | Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public equivalents. These methods are useful for importing and exporting keys that support "raw private/public key". Currently, OpenSSL implements X25519/X448 and Ed25519/Ed448 keys. [rhe: rewrote commit message] Co-authored-by: Bart de Water <bartdewater@gmail.com>
* add OpenSSL Provider supportqwyng2023-06-174-0/+222
|
* Merge pull request #639 from rhenium/ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
|\ | | | | Drop support for Ruby 2.6
| * Drop support for Ruby 2.6ky/require-ruby-2.7Kazuki Yamaguchi2023-06-072-22/+0
| | | | | | | | | | Ruby 2.6 has reached EOL on 2022-03. Requiring Ruby 2.7 allows us to use C99 syntax.
* | pkey: use unsigned type for bit fieldsky/pkey-fix-warning-single-bit-bitfield-constant-conversionKazuki Yamaguchi2023-06-071-3/+3
|/ | | | | | | | | clang generates a warning: ../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion] arg->interrupted = 1; ^ ~ 1 error generated.
* Merge pull request #633 from rhenium/ky/extconf-append-flags-lastKazuki Yamaguchi2023-06-071-6/+6
|\ | | | | extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking features
| * extconf.rb: apply RUBY_OPENSSL_EXT{C,LD}FLAGS after checking featuresky/extconf-append-flags-lastKazuki Yamaguchi2023-06-021-6/+6
| | | | | | | | | | | | | | | | | | | | RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for the primary purpose of appending custom warning flags during development and CI. Since checking programs generated by mkmf may not be completely warning-free, we don't want to apply -Werror that may be supplied from those environment variables.
* | Merge pull request #604 from casperisfine/ssl-write-barrierKazuki Yamaguchi2023-06-0223-38/+51
|\ \ | | | | | | Implement Write Barrier for all OpenSSL types
| * | Implement Write Barrier for all OpenSSL typesJean Boussier2023-06-0123-38/+51
| |/ | | | | | | | | | | | | The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy.
* / Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.Jun Aruga2023-06-011-5/+21
|/ | | | | | | | | | | | | | | | | | | | | This commit is a workaround to avoid the error below that the `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. ``` $ openssl genrsa -out key.pem 4096 $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) from -e:1:in `<main>' ``` The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` doesn't apply the selection value properly if there are multiple providers, and a provider (e.g. "base" provider) handles the decoder implementation, and another provider (e.g. "fips" provider) handles the keys. The workaround is to create `OSSL_DECODER_CTX` variable each time without using the `OSSL_DECODER_CTX_set_selection`.
* Append flags from environment variables.Jun Aruga2023-05-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | According to the `mkmf.rb#init_mkmf`, there are command line options below. * `--with-cflags` to set the `cflags` * `--with-ldflags` to set the `ldflags` For example the following command compiles with the specified flags. Note that `MAKEFLAGS` is to print the compiler command lines. ``` $ MAKEFLAGS="V=1" \ bundle exec rake compile -- \ --with-cflags="-Wundef -Werror" \ --with-ldflags="-fstack-protector" ``` However, I couldn't find command line options to append the flags. And this commit is to append the `cflags` and `ldflags` by the environment variables. ``` $ MAKEFLAGS="V=1" \ RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \ RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \ bundle exec rake compile ```
* Remove usage of IO internals. (#627)Samuel Williams2023-05-292-20/+33
|
* Fix warnings about the OPENSSL_FIPS macro in OpenSSL 1.1.Jun Aruga2023-05-161-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit <c5b2bc1268bcb946ff2eb52904a85278a1dac12c> made the warnings below in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined. ``` $ bundle install --standalone $ bundle exec rake compile -- \ --with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \ --with-cflags="-Wundef" mkdir -p tmp/x86_64-linux/openssl/3.2.1 cd tmp/x86_64-linux/openssl/3.2.1 /usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef ... gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’: ../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 425 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’: ../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 460 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ../../../../ext/openssl/ossl.c: In function ‘Init_openssl’: ../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef] 1218 | #elif OPENSSL_FIPS | ^~~~~~~~~~~~ ... cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so ```
* Implement FIPS functions on OpenSSL 3.Jun Aruga2023-05-151-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get` and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`. It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any more, and some FIPS related APIs also were removed in OpenSSL 3. See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set> the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled` works with the OpenSSL installed without FIPS option. The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. Because I want to test that the `OpenSSL.fips_mode` returns the `true` or 'false' surely in the CI. You can test the FIPS mode case by setting `TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better way to get the status of the FIPS mode enabled or disabled for this purpose. I am afraid of the possibility that the FIPS test case is unintentionally skipped. I also replaced the ambiguous "returns" with "should return" in the tests.
* Register global variables before assignmentNobuyoshi Nakada2023-04-071-2/+2
|
* pkey/ec: constifyNobuyoshi Nakada2022-12-231-1/+1
|
* Merge branch 'maint-3.0'Kazuki Yamaguchi2022-12-231-17/+33
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-3.0: Ruby/OpenSSL 3.0.2 Fix build with LibreSSL 3.5 Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQ Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 test/openssl/test_pkey.rb: allow failures in test_s_generate_parameters pkey/ec: check private key validity with OpenSSL 3 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| * Merge branch 'maint-2.2' into maint-3.0Kazuki Yamaguchi2022-12-231-12/+16
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.2: Ruby/OpenSSL 2.2.3 ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | * ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certsKazuki Yamaguchi2022-12-233-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.2 branch to fix build with LibreSSL. ] OpenSSL 3.0 fixed the typo in the function name and replaced the current 'CTS' version with a macro. (cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
| | * ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5Kazuki Yamaguchi2022-12-231-1/+2
| | | | | | | | | | | | | | | | | | | | | The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same time made the structure opaque, so it does not compile. This is a patch to the 2.2 branch; the code no longer exists in v3.0.
| | * Merge pull request #564 from bannable/ec_point_ops-raiseKazuki Yamaguchi2022-12-181-7/+11
| | |\ | | | | | | | | raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
| | | * raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning trueJoe Truba2022-11-231-7/+11
| | | |
| | * | pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINTJoe Truba2022-11-271-5/+5
| | |/
| * | Fix build with LibreSSL 3.5Jeremy Evans2022-12-231-1/+1
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit e25fb0d0d86da5a9398ebdc9216b2ea89f80fa3d)
| * | Fix operator precedence in OSSL_OPENSSL_PREREQ and OSSL_LIBRESSL_PREREQJeremy Evans2022-12-231-2/+2
| | | | | | | | | | | | | | | | | | [ This is a backport to the 3.0 branch. ] (cherry picked from commit b02815271fcc295cb8b07ef740684b88a10f2760)
| * | pkey/ec: check private key validity with OpenSSL 3ky/pkey-ec-fix-checkJoe Truba2022-12-231-5/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1 and 3.0 so that it no longer validates the private key. Instead, private keys can be validated through EVP_PKEY_private_check and EVP_PKEY_pairwise_check. [ky: simplified condition to use either EVP_PKEY_check() or EVP_PKEY_public_check().]
* | | Merge pull request #558 from kateinoigakukun/katei/fix-no-sock-supportKazuki Yamaguchi2022-12-232-20/+7
|\ \ \ | | | | | | | | Undefine `OpenSSL::SSL` for no socket platforms
| * | | Undefine `OpenSSL::SSL` for no socket platformsYuta Saito2022-12-232-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a linkage error about `ossl_ssl_type` on platforms which do not have socket, like WASI. Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56 However, due to some new use of OpenSSL::SSL::Socket over the past few years, the build under `OPENSSL_NO_SOCK` had been broken. This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`. [ky: adjusted to apply on top of my previous commit that removed the OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
| * | | ssl: remove OpenSSL::ExtConfigKazuki Yamaguchi2022-12-231-15/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This module was introduced in 2015 for internal use within this library. Neither of the two constants in it is used anymore. I don't think we will be adding a new constant in the foreseeable future, either. OPENSSL_NO_SOCK is unused since commit 998d66712a78 (r55191). HAVE_TLSEXT_HOST_NAME is unused since commit 4eb4b3297a92.
* | | | Merge pull request #576 from nobu/openssl3-warningsKazuki Yamaguchi2022-12-238-28/+35
|\ \ \ \ | | | | | | | | | | Suppress OpenSSL-3 warnings
| * | | | Suppress deprecation warnings by OpenSSL 3Nobuyoshi Nakada2022-11-291-0/+1
| | | | |
| * | | | Constify when building with OpenSSL 3Nobuyoshi Nakada2022-11-297-28/+34
| |/ / /
* | | | Merge pull request #575 from nobu/check-in-headerKazuki Yamaguchi2022-12-231-44/+44
|\ \ \ \ | | | | | | | | | | Check for functions with arguments
| * | | | Check for functions with argumentsNobuyoshi Nakada2022-11-291-44/+44
| |/ / /
* | | | ssl: disable NPN support on LibreSSLky/libressl-3.7.0Kazuki Yamaguchi2022-12-231-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noted in commit a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence test suite when it's not available.
* | | | ssl: update TLS1_3_VERSION workaround for older LibreSSL versionsKazuki Yamaguchi2022-12-231-2/+1
| | | | | | | | | | | | | | | | | | | | The macro is now defined by default in LibreSSL 3.4+. Let's document it for future readers.
* | | | [DOC] Remove duplicate docNobuyoshi Nakada2022-12-131-6/+3
|/ / / | | | | | | | | | | | | RDoc does not consider preprocessor conditionals, but equally uses both documents of `#if` and `#else` sides.
* | | Merge pull request #560 from botovq/libressl-digest-sign-verifyKazuki Yamaguchi2022-11-241-2/+2
|\ \ \ | | | | | | | | Use EVP_Digest{Sign,Verify} when available
| * | | Use EVP_Digest{Sign,Verify} when availableTheo Buehler2022-11-231-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them when available to prepare for the addition of Ed25519 support in LibreSSL 3.7.
* | | | Fixes OPENSSL_LIBRARY_VERSION description on documentation (#559)Henrique Bontempo2022-11-241-3/+6
| | | | | | | | | | | | Adds back missing constant description on the documentation.
* | | | Merge pull request #568 from unasuke/empty_string_to_cipher_updateKazuki Yamaguchi2022-11-241-2/+1
|\ \ \ \ | | | | | | | | | | Allow empty string to OpenSSL::Cipher#update
| * | | | Allow empty string to OpenSSL::Cipher#updateYusuke Nakamura2022-11-241-2/+1
| |/ / / | | | | | | | | | | | | | | | | | | | | For some reasons, plaintext may be empty string. ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
* / / / Enable HKDF support for LibreSSL 3.6 and laterTheo Buehler2022-11-231-3/+3
|/ / / | | | | | | | | | LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
* | | Merge pull request #553 from btoews/ossl_bn_mod_sqrtKazuki Yamaguchi2022-10-171-12/+24
|\ \ \ | | | | | | | | Add BN#mod_sqrt
| * | | add document-method for BN#mod_inverseBen Toews2022-10-171-0/+1
| | | |
| * | | add BN#mod_sqrtBen Toews2022-10-171-0/+8
| | | |
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-12 10:27:00 +0000