| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Drop support for Ruby 2.3, 2.4, and 2.5.
As of 2021-10, Ruby 2.6 is the oldest version that still receives
security fixes from the Ruby core team, so it doesn't make much sense
to keep code for those ancient versions.
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.2: (43 commits)
Ruby/OpenSSL 2.2.1
openssl is ractor-safe
Fixed the results of OpenSSL::Timestamp::Response#failure_info
Don't redefine #rb_intern over and over again
Use rb_intern_const instead of rb_intern in Init functions
Remove trailing spaces [ci skip]
test/openssl/test_ssl: use TLS 1.2 for finished_messages on LibreSSL
Ruby/OpenSSL 2.1.3
ssl: avoid directly storing String object in NPN callback
x509store: explicitly call rb_gc_mark() against Store/StoreContext
ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects
digest: load digest library using Kernel#require
pkey: use RSTRING_LENINT() instead of casting to int
fix segv in Timestamp::{Request,Response,TokenInfo}.new
ts: libressl build fix warning
ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
.github/workflows: update OpenSSL/LibreSSL versions
test: adjust test cases for LibreSSL 3.2.4
ssl: temporary lock string buffer while reading
ssl: create a temporary frozen string buffer when writing
...
|
| | |
|
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch. ]
(cherry picked from commit 942bb13afaff7d4ec19b4337c6972476c373c988)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.
SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.
RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.
Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.
|
| |
| |
| |
| |
| | |
Commit ee037e146037 ("ssl: remove SSL::SSLContext#tmp_ecdh_callback",
2020-08-12) forgot to remove the method.
|
| | |
|
|\ \
| | |
| | | |
pkey: implement PKey#encrypt, #decrypt, #sign_raw, #verify_raw, and #verify_recover
|
| | |
| | |
| | |
| | |
| | |
| | | |
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::DSA's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.
|
| | |
| | |
| | |
| | |
| | |
| | | |
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::EC's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement these methods using the new OpenSSL::PKey::PKey#{encrypt,sign}
family. The definitions are now in lib/openssl/pkey.rb.
Also, recommend using those generic methods in the documentation.
|
|/ /
| |
| |
| |
| | |
* Add feature for loading the chained certificate into Certificate array.
Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
|
|\ \
| | |
| | | |
Use EVP API in more places
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The low-level API that is used to implement #public_key is deprecated
in OpenSSL 3.0. It is actually very simple to implement in another way,
using existing methods only, in much shorter code. Let's do it.
While we are at it, the documentation is updated to recommend against
using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der
method, there is no real use case for #public_key in newly written Ruby
programs.
|
|/ /
| |
| |
| |
| |
| | |
Normal sockets respond to `getbyte`, so we should make SSLSocket respond
to `getbyte` as well. This way we can substitute SSLSockets for regular
sockets.
|
| |
| |
| |
| |
| |
| | |
Implement PKey::DSA.new(size) and PKey::DSA.generate using
OpenSSL::PKey.generate_parameters and .generate_key instead of the low
level DSA functions.
|
| |
| |
| |
| |
| | |
Implement PKey::RSA.new(size, exponent) and PKey::RSA.generate using
OpenSSL::PKey.generate_key instead of the low level RSA functions.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Implement PKey::DH.new(size, gen), PKey::DH.generate(size, gen), and
PKey::DH#generate_key! using PKey.generate_parameters and .generate_key
instead of the low level DH functions.
Note that the EVP interface can enforce additional restrictions - for
example, DH key shorter than 2048 bits is no longer accepted by default
in OpenSSL 3.0. The test code is updated accordingly.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer)
and verify_hostname expects either true or false. However, they are set
to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising.
Set a proper value to them by default: verify_mode is set to
OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by
default.
Note that this does not change the default behavior. The certificate
verification was never performed unless verify_mode is set to
OpenSSL::SSL::VERIFY_PEER by a user. The same applies to
verify_hostname.
|
| |
| |
| |
| |
| | |
OpenSSL::HMAC implements the similar interface as ::Digest. Let's add
base64digest methods to OpenSSL::HMAC, too, for feature parity.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
|
|\ \
| | |
| | | |
pkey: add more support for 'generic' pkey types
|
| |/
| |
| |
| |
| | |
Use the new OpenSSL::PKey::PKey#derive instead of the raw
{EC,}DH_compute_key(), mainly to reduce amount of the C code.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Revert OpenSSL::Config to using the OpenSSL API and remove our own
parser implementation for the config file syntax.
OpenSSL::Config now wraps a CONF object. Accessor methods deal with the
object directly rather than Ruby-level internal state.
This work is based on the old C code we used before 2010.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove 4 deprecated methods.
The following two methods have been marked as deprecated since 2003,
by r4531 (ruby.git commit 78ff3833fb67c8005a9b851037e74b3eea940aa3).
- OpenSSL::Config#value
- OpenSSL::Config#section
Other two methods are removed because the corresponding functions
disappeared in OpenSSL 1.1.0.
- OpenSSL::Config#add_value
- OpenSSL::Config#[]=
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The OpenSSL::VERSION constant is now defined by lib/openssl/version.rb
instead of by the extension. Add missing require statement.
Fixes: 0cddb0b736c8 ("Simplify handling of version constant.", 2019-10-31)
Reference: https://github.com/ruby/openssl/issues/347
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::Config is currently implemented in Ruby, but we plan to revert
back to use OpenSSL API, just as it did before r28632 (in ruby_1_8;
r29048 in trunk). It's not clear what was the issue with Windows, but
the CONF library should work on Windows too.
Modifying a CONF object is not possible in OpenSSL API. Actually, it
was possible in previous versions of OpenSSL, but we used their
internal functions that are not exposed in shared libraries anymore.
Accordingly, OpenSSL::Config#add_value and #[]= have to be removed. As
a first step towards the change, let's deprecate those methods.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
add ca_issuer_uris and ocsp_uris description to the changelog
|
| | |
| | |
| | |
| | | |
add helper to access information and services for the issuer of the Certificate
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|