path: root/ext
Commit message | Author | Date | Files | Lines
...
* Fix signing example to not use Digest instance
  Author: Bart de Water | Date: 2020-04-21 | Files: 1 | Lines: -4/+2

* Look up cipher by name instead of constant
  Author: Bart de Water | Date: 2020-04-21 | Files: 1 | Lines: -21/+5

* Remove 'mapping between Digest class and sn/ln'
  Author: Bart de Water | Date: 2020-04-21 | Files: 1 | Lines: -37/+0

  This is not present in the referenced files anymore, and not useful to most users.

* Look up digest by name instead of constant
  Author: Bart de Water | Date: 2020-04-21 | Files: 10 | Lines: -35/+39

* Merge branch 'maint'
  Author: Kazuki Yamaguchi | Date: 2020-03-09 | Files: 2 | Lines: -1/+99

  * maint:
    ssl: set verify error code in the case of verify_hostname failure
    x509: add error code and verify flags constants
    Remove taint support
    Restore compatibility with older versions of Ruby.
    Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
    config: support .include directive

* Merge branch 'maint-2.0' into maint
  Author: Kazuki Yamaguchi | Date: 2020-03-09 | Files: 4 | Lines: -24/+132

  * maint-2.0:
    ssl: set verify error code in the case of verify_hostname failure
    x509: add error code and verify flags constants
    Remove taint support
    Restore compatibility with older versions of Ruby.
    Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
    config: support .include directive

* ssl: set verify error code in the case of verify_hostname failure [ref: ky/ssl-fix-verify-hostname-set-error-code]
  Author: Kazuki Yamaguchi | Date: 2020-02-24 | Files: 1 | Lines: -1/+8

  When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK.

  If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.

  Reference: https://github.com/ruby/openssl/issues/244
  Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)

* x509: add error code and verify flags constants
  Author: Kazuki Yamaguchi | Date: 2020-02-24 | Files: 1 | Lines: -0/+91

  Add missing constant declarations for certificate verification flags and the error codes, to match with OpenSSL 1.1.1.

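The two commits above concern what a verify_callback can learn from OpenSSL::X509::StoreContext#error and which OpenSSL::X509 constants name those codes. The script below is an added example, not code from ruby/openssl: it mints a throwaway CA and two leaf certificates in memory (constructed test data, so it runs offline), verifies them through an OpenSSL::X509::Store whose callback records every error code it is shown, and checks the hostname with OpenSSL::SSL.verify_certificate_identity, the check that SSLContext#verify_hostname performs during a handshake. The hostname_failure_code helper is this example's own and only mirrors the fallback rule the commit message states.

```ruby
require "openssl"

# Added example, not code from ruby/openssl. All certificates are constructed
# in memory for the demonstration.

DIGEST = "SHA256"

def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, not_before:, not_after:, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}") # leading slash, as the parser expects
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = not_before
  cert.not_after = not_after

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

# A self-signed CA, a valid leaf and an already-expired leaf for "example.test".
def build_pki(now = Time.now)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Test CA", ca_key, not_before: now - 3600, not_after: now + 86_400, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  good = make_cert("leaf", leaf_key, issuer_cert: ca, issuer_key: ca_key,
                   not_before: now - 3600, not_after: now + 86_400, san: "example.test")
  expired = make_cert("leaf", leaf_key, issuer_cert: ca, issuer_key: ca_key,
                      not_before: now - 7200, not_after: now - 3600, san: "example.test")
  { ca: ca, good: good, expired: expired }
end

# Verify +cert+ against a store trusting +ca+ and record every error the
# callback is shown. Returns [result, store.error, [[code, string], ...]].
def verify_with_callback(ca, cert)
  reported = []
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify_callback = lambda do |preverify_ok, store_ctx|
    # preverify_ok alone says nothing about *why*; the store context carries
    # the specific code a logging or policy callback should examine.
    reported << [store_ctx.error, store_ctx.error_string] unless preverify_ok
    preverify_ok
  end
  ok = store.verify(cert)
  [ok, store.error, reported]
end

# Example-only helper mirroring the commit's rule: prefer the specific
# hostname-mismatch code when this OpenSSL build defines it.
def hostname_failure_code
  if defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH)
    OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
  else
    OpenSSL::X509::V_ERR_CERT_REJECTED
  end
end

# Returns the error code a callback should see for this hostname.
def check_hostname(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname) ? OpenSSL::X509::V_OK : hostname_failure_code
end

if __FILE__ == $0
  pki = build_pki
  p verify_with_callback(pki[:ca], pki[:good])
  p verify_with_callback(pki[:ca], pki[:expired])
  p check_hostname(pki[:good], "example.test")
  p check_hostname(pki[:good], "wrong.test")
end
```

Run it with a recent Ruby and ruby/openssl: the valid leaf yields V_OK and an empty error list, the expired leaf yields V_ERR_CERT_HAS_EXPIRED both from store.error and inside the callback, and the mismatched hostname yields V_ERR_HOSTNAME_MISMATCH where the constant exists. Comparing store_ctx.error against these constants, rather than trusting preverify_ok, is what the verify_hostname fix makes possible for hostname failures.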
* Remove taint support
  Author: Jeremy Evans | Date: 2020-02-24 | Files: 3 | Lines: -11/+0

  [ This is a backport to the 2.0 branch. ]

  Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions.

  (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)

* Restore compatibility with older versions of Ruby.
  Author: Samuel Williams | Date: 2020-02-24 | Files: 1 | Lines: -9/+21

  [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ]

  `RB_PASS_KEYWORDS` is not always available.

* Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
  Author: Jeremy Evans | Date: 2020-02-24 | Files: 1 | Lines: -4/+13

  [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ]

  It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.

* ssl: suppress test failure with SSLContext#add_certificate_chain_file
  Author: Kazuki Yamaguchi | Date: 2020-03-09 | Files: 1 | Lines: -3/+7

  The feature is currently premature and will be rewritten. However, it is causing test failures on RubyCI. Make it happy for now.

  Reference: https://github.com/ruby/openssl/issues/334

* engine: fix guards for 'dynamic' and 'cryptodev' engines [ref: ky/engine-load-updates]
  Author: Kazuki Yamaguchi | Date: 2020-02-21 | Files: 1 | Lines: -2/+2

  Those two engines exist as builtin engines even if static engines are disabled with OPENSSL_NO_STATIC_ENGINE. This is the default with recent OpenSSL.

  This has prevented Engine.load("dynamic") from working and required the user to call OpenSSL::Engine.load with no arguments, which loads all builtin engines including 'dynamic'.

  Note that OpenSSL 1.1.0 and newer calls (the equivalent of) ENGINE_load_builtin_engines() on its initialization. This includes 'dynamic' and 'cryptodev' engines (if available).

* engine: do not check for ENGINE_load_builtin_engines()
  Author: Kazuki Yamaguchi | Date: 2020-02-21 | Files: 2 | Lines: -5/+1

  Remove dead code. The function, or a macro in OpenSSL 1.1.0 and newer, always exists unless the whole engine code is disabled with OPENSSL_NO_ENGINE.

* engine: remove really outdated static engines
  Author: Kazuki Yamaguchi | Date: 2020-02-21 | Files: 2 | Lines: -8/+2

  They no longer exist in OpenSSL 1.0.1, which is the oldest version Ruby/OpenSSL currently compiles with.

  Note that OpenSSL 1.0.2 and older is already in EOL state. The following engines should also be removed when we completely drop support for those versions as they were removed in OpenSSL 1.1.0.

  - 4758cca
  - aep
  - atalla
  - chil
  - cswift
  - nuron
  - sureware
  - ubsec
  - gmp
  - gost

* engine: revert OpenSSL::Engine.load changes for cloudhsm [ref: ky/engine-load-revert-cloudhsm]
  Author: Kazuki Yamaguchi | Date: 2020-02-20 | Files: 2 | Lines: -5/+1

  Revert two commits:

  - ea49ccc82aa4 Add cloudhsm to extconf.rb
  - 33ed3ba10424 Add cloudhsm to ossl_engine.c

  OpenSSL::Engine.load is a binding for ENGINE_load_*() functions which are provided by OpenSSL itself, so-called "static engines". Since the AWS CloudHSM engine is a dynamic engine, which is provided as a shared library, this change is not a correct solution for the issue.

  Reference: https://github.com/ruby/openssl/issues/189
  Reference: https://github.com/ruby/openssl/pull/190

* ssl: avoid declarations after statements [ref: ky/ssl-avoid-mixed-declarations]
  Author: Kazuki Yamaguchi | Date: 2020-02-19 | Files: 1 | Lines: -12/+12

  We cannot use C99 features yet, as we still support Ruby 2.6 and older.

  Fixes: debaca25604c ("Adds support for the 'get_finished' and 'get_peer_finished' functions", 2019-06-25)

* Merge pull request #333 from rhenium/ky/remove-wdeprecated-declarations
  Author: Kazuki Yamaguchi | Date: 2020-02-17 | Files: 3 | Lines: -66/+8

  extconf.rb: get rid of -Werror=deprecated-declarations

* extconf.rb: get rid of -Werror=deprecated-declarations [ref: ky/remove-wdeprecated-declarations]
  Author: Kazuki Yamaguchi | Date: 2020-02-16 | Files: 2 | Lines: -33/+6

  No function needs -Werror=deprecated-declarations flag to check availability any more.

  This also fixes -Werror=deprecated-declarations erroneously carrying on to the actual compilation, resulting in a compilation error on some environments.

  Fixes: https://github.com/ruby/openssl/pull/331

* random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
  Author: Kazuki Yamaguchi | Date: 2020-02-16 | Files: 2 | Lines: -33/+2

  The default implementation of RAND_pseudo_bytes() uses the same routine as RAND_bytes().

  Note that OpenSSL::Random.pseudo_bytes has been available only when it is compiled with EOL versions of OpenSSL.

* ts: simplify OpenSSL::Timestamp::Request#algorithm [ref: ky/ts-simplify-tsreq-get-algorithm]
  Author: Kazuki Yamaguchi | Date: 2020-02-17 | Files: 1 | Lines: -6/+1

  Stop the special treatment of invalid hashAlgorithm of the message imprint. Those invalid values can only appear after the object is instantiated, before the user sets an actual message digest algorithm. OpenSSL::Timestamp::TokenInfo#algorithm already does the same.

  Also, remove the test case "test_create_request" since it does not make much sense. Those fields are to be set by the user after creation of the object and checking the initial value is pointless.

  Fixes: https://github.com/ruby/openssl/issues/335

* Revert "Fix segfaults in OpenSSL::PKey::RSA#private_{en,de}crypt when private exp not set"
  Author: Kazuki Yamaguchi | Date: 2020-02-16 | Files: 1 | Lines: -6/+6

  This reverts commit e30b9a27f00338b065e90c6172d1c4509edc2853 (#255) except the added test code.

  The 'd' value can be NULL when the RSA private key is backed by an OpenSSL engine, such as an HSM. In that case, only 'n' and 'e' are visible from the OpenSSL API.

  The original issue has been fixed by Pull Request #258 in another way.

  Reference: https://github.com/ruby/openssl/pull/255
  Reference: https://github.com/ruby/openssl/pull/258

* Revert add_certificate_chain_file changes (#320)
  Author: Hiroshi SHIBATA | Date: 2020-02-16 | Files: 1 | Lines: -82/+5

  Revert SSLContext#add_certificate_chain_file changes

  * 0da0dfaf09f549b2b2cd984627b321b7908d1186.
  * 8d12f0f6ca944212cb8000e689469d7aaa8190d7.
  * 49f42ad5f82f8b61f51a16e3a6df1ab0d5307d5f.
  * 5ee295ab8e37c8ffc6eb8c1b7b79ec024f3253e4.
  * 8b4fa5e336c7544ea677ccee160ec6d221559e10.
  * 443d13e9b2c127230fde2733959eaa4d41eb355d.
  * 5d866038920edf2729865653d6dc9309589f089a.
  * f18559acf97a6f6aaf3d253417eb0100b262cbc6.

* Improve string allocation.
  Author: Samuel Williams | Date: 2020-02-07 | Files: 1 | Lines: -8/+8

* 'finished' messages: expand sizer array to 1-bytes
  Author: Mo Morsi | Date: 2020-02-06 | Files: 1 | Lines: -4/+4

  Zero-size arrays not playing nicely with visual studio / mingw, see: https://github.com/ruby/ruby/pull/2693

  Also see related discussion pertaining to using NULL pointer here: https://github.com/ruby/openssl/pull/315

* Prefer `frozen_string_literal: true`.
  Author: Samuel Williams | Date: 2020-02-06 | Files: 2 | Lines: -2/+2

* Add cloudhsm to extconf.rb
  Author: Kyle Oliveira | Date: 2020-01-25 | Files: 1 | Lines: -1/+2

  to support the CloudHSM OpenSSL library

* Add cloudhsm to ossl_engine.c
  Author: Kyle Oliveira | Date: 2020-01-25 | Files: 1 | Lines: -0/+3

  to support the CloudHSM OpenSSL library

* fix an incorrect method name
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -2/+2

* fix comment; Example
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -2/+2

* add X509_free and EVP_PKEY_free
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -7/+19

* check with EVP_PKEY_cmp in advance
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -2/+33

* modify ossl_sslctx_add_certificate_chain_file() to raise Error and to return self
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -10/+13

  add test_add_certificate_chain_file_multiple_certs

* modify test_add_certificate_chain_file to check ssl.peer_cert and ssl.peer_cert_chain
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -4/+5

* add pkey_path argument to ossl_sslctx_add_certificate_chain_file()
  Author: thekuwayama | Date: 2020-01-25 | Files: 1 | Lines: -5/+35

* Fix typo of `OpenSSL::OCSP` extern var
  Author: thekuwayama | Date: 2020-01-16 | Files: 1 | Lines: -3/+3

* Simplify handling of version constant.
  Author: Samuel Williams | Date: 2019-12-29 | Files: 3 | Lines: -21/+0

* Prepend slashes to X509::Name.parse argument in examples
  Author: Joshua Stowers | Date: 2019-12-14 | Files: 2 | Lines: -3/+3

  Addresses [issue 15882](https://bugs.ruby-lang.org/issues/15882) with [Zach Rowe's patch.](https://bugs.ruby-lang.org/attachments/7810)

  The #parse_openssl method [expects a forward slash at the beginning of the argument](https://github.com/ruby/openssl/blob/master/lib/openssl/x509.rb#L302) if used as the delimiter.

* modify the document about `CertificateId.new`
  Author: thekuwayama | Date: 2019-12-02 | Files: 1 | Lines: -1/+3

* Restore compatibility with older versions of Ruby.
  Author: Samuel Williams | Date: 2019-11-27 | Files: 1 | Lines: -9/+21

  `RB_PASS_KEYWORDS` is not always available.

* Pull relevant changes from `ruby/ext/openssl`.
  Author: Samuel Williams | Date: 2019-11-27 | Files: 5 | Lines: -13/+25

  Diff was generated:

    git diff --output openssl.patch 93bc10272734cbbb9197470ca629cc4ea019f6f0 ext/openssl/*.c ext/openssl/*.h ext/openssl/**/*.rb

  Applied using `patch -p1 < openssl.patch`.

* pkey: add support for PKCS #8 key serialization
  Author: Kazuki Yamaguchi | Date: 2019-11-25 | Files: 1 | Lines: -12/+140

  OpenSSL::PKey::PKey#private_to_der, #private_to_pem are added to the generic PKey class. They serialize the private key to PKCS #8 {Encrypted,}PrivateKeyInfo format, in DER- and PEM- encoding, respectively.

  For symmetry, also add #public_to_der and #public_to_pem that serialize the public key into X.509 SubjectPublicKeyInfo format.

  OpenSSL::PKey.read now reads DER-encoded PKCS #8 keys as well as the "raw" private keys. PEM-encoded PKCS #8 keys have been already handled by PEM_read_bio_PrivateKey().

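As an added example of the serialization methods this commit introduces (not code from ruby/openssl), the script below round-trips an RSA key through PKCS #8 PrivateKeyInfo in DER, password-protected PKCS #8 EncryptedPrivateKeyInfo in PEM, and SubjectPublicKeyInfo for the public half, reading each back with OpenSSL::PKey.read. The cipher name, passphrase and message are arbitrary choices for the demonstration; the wrong-passphrase check shows the failure mode a caller must expect.

```ruby
require "openssl"

# Added example, not code from ruby/openssl. Cipher, passphrase and message
# are constructed for the demonstration.

CIPHER = "aes-256-cbc"

def generate_key
  OpenSSL::PKey::RSA.new(2048)
end

# Serialize the key three ways and read each back with the generic
# OpenSSL::PKey.read, which autodetects DER/PEM and PKCS #8/SPKI.
def roundtrip(key, passphrase)
  plain_der = key.private_to_der                     # PKCS #8 PrivateKeyInfo, DER
  enc_pem   = key.private_to_pem(CIPHER, passphrase) # PKCS #8 EncryptedPrivateKeyInfo, PEM
  pub_der   = key.public_to_der                      # X.509 SubjectPublicKeyInfo, DER

  from_der = OpenSSL::PKey.read(plain_der)
  from_pem = OpenSSL::PKey.read(enc_pem, passphrase)
  pub_only = OpenSSL::PKey.read(pub_der)

  {
    pkcs8_header: enc_pem.lines.first.strip,
    same_public_key: [from_der, from_pem, pub_only].all? { |k| k.public_to_der == pub_der },
    reloaded_private: from_der.private? && from_pem.private?,
    public_only_is_public: !pub_only.private?,
  }
end

# Sign with a key reloaded from the encrypted PEM and verify with the
# public-only key, proving the round trip preserved the key material.
def sign_and_verify(key, passphrase, message)
  signer = OpenSSL::PKey.read(key.private_to_pem(CIPHER, passphrase), passphrase)
  verifier = OpenSSL::PKey.read(key.public_to_der)
  signature = signer.sign("SHA256", message)
  verifier.verify("SHA256", signature, message)
end

# A wrong passphrase must fail loudly (PKeyError) rather than yield a key.
def wrong_passphrase_rejected?(key, passphrase)
  enc_pem = key.private_to_pem(CIPHER, passphrase)
  OpenSSL::PKey.read(enc_pem, passphrase + "x")
  false
rescue OpenSSL::PKey::PKeyError
  true
end

if __FILE__ == $0
  key = generate_key
  p roundtrip(key, "correct horse")
  p sign_and_verify(key, "correct horse", "constructed message")
  p wrong_passphrase_rejected?(key, "correct horse")
end
```

The encrypted PEM begins with the "-----BEGIN ENCRYPTED PRIVATE KEY-----" header, which is how PKCS #8 output is told apart from the algorithm-specific "BEGIN RSA PRIVATE KEY" form produced by the older #to_pem.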
* Update renegotiation_cb docstring to reflect its actual behavior in MRI
  Author: Oleg Pudeyev | Date: 2019-11-22 | Files: 1 | Lines: -7/+5

  Closes #256

* add/update document about AuthorityInfoAccess
  Author: thekuwayama | Date: 2019-11-19 | Files: 1 | Lines: -9/+2

  add ca_issuer_uris and ocsp_uris description to the changelog

* Use fixed_length_secure_compare in HKDF example [ci skip]
  Author: Bart de Water | Date: 2019-11-04 | Files: 1 | Lines: -18/+2

* Make OpenSSL::HMAC#== compare in constant time instead of returning false
  Author: Bart de Water | Date: 2019-11-04 | Files: 1 | Lines: -10/+2

* Use constant time compare in HMAC example
  Author: Bart de Water | Date: 2019-11-04 | Files: 1 | Lines: -9/+11

* Remove unsupported DSS, DSS1 & SHA algorithms.
  Author: Samuel Williams | Date: 2019-11-01 | Files: 1 | Lines: -2/+0

* Rename OpenSSL.secure_compare to fixed_length_secure_compare
  Author: Bart de Water | Date: 2019-10-28 | Files: 1 | Lines: -20/+8

  In 1ade643cbc01f3f7bd96e90bd8837df7ed491a09 the Rails-like secure_compare naming was adopted and in original pull request introducing this functionality debate around timing of hash functions followed. This made me realize why Rails' default of hashing the values to protect users from making mistakes is a good idea.

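The rename above, together with the HMAC commits just before it, is about one practical point: a fixed-length constant-time comparison is only safe to call when both inputs really are the same length, and hashing both sides first removes that precondition. The script below is an added example, not code from ruby/openssl: it verifies an HMAC tag both ways, shows the ArgumentError that OpenSSL.fixed_length_secure_compare raises on a length mismatch, and uses a constructed key and message.

```ruby
require "openssl"

# Added example, not code from ruby/openssl. Key and message are constructed
# test data; the "hash first" variant mirrors the approach the commit
# message credits to Rails, implemented here for illustration.

KEY = OpenSSL::Random.random_bytes(32)

def tag_for(key, message)
  OpenSSL::HMAC.digest("SHA256", key, message)
end

# Direct constant-time comparison. fixed_length_secure_compare raises
# ArgumentError on unequal lengths, so the length is checked first; the
# early return leaks only the length, which the tag format already fixes.
def valid_tag_fixed?(key, message, tag)
  expected = tag_for(key, message)
  return false unless tag.bytesize == expected.bytesize
  OpenSSL.fixed_length_secure_compare(expected, tag)
end

# Hash both sides to a fixed length first, so any attacker-supplied tag can
# be compared without a length precondition; the final == only runs when the
# digests already match.
def valid_tag_hashed?(key, message, tag)
  expected = tag_for(key, message)
  ha = OpenSSL::Digest.digest("SHA256", expected)
  hb = OpenSSL::Digest.digest("SHA256", tag)
  OpenSSL.fixed_length_secure_compare(ha, hb) && expected == tag
end

# Shows the failure mode the length guard exists for: a truncated tag passed
# straight to fixed_length_secure_compare raises instead of returning false.
def length_mismatch_raises?(key, message)
  expected = tag_for(key, message)
  OpenSSL.fixed_length_secure_compare(expected, expected[0, 8])
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  msg = "constructed message"
  tag = tag_for(KEY, msg)
  p valid_tag_fixed?(KEY, msg, tag)
  p valid_tag_hashed?(KEY, msg, tag)
  p valid_tag_hashed?(KEY, msg, tag[0, 8])
  p length_mismatch_raises?(KEY, msg)
end
```

Either verifier is acceptable; what must not happen is comparing the tag with String#== alone, which short-circuits on the first differing byte, or calling fixed_length_secure_compare on an unchecked length and turning a bad tag into an exception path.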
* extconf.rb - update for new MSYS2, libssp
  Author: MSP-Greg | Date: 2019-10-27 | Files: 1 | Lines: -0/+6