aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl
Commit message (Collapse)AuthorAgeFilesLines
* ext/openssl: fix ex_data handling for X509_STOREKazuki Yamaguchi2016-04-277-28/+18
| | | | | X509_STORE_get_ex_new_index() is required in addition to X509_STORE_CTX_get_ex_new_index() because they are independent.
* ext/openssl: no need to check OPENSSL_FIPS in extconf.rbKazuki Yamaguchi2016-04-272-3/+2
| | | | | Since openssl/opensslconf.h is always included, we can check OPENSSL_FIPS macro directly.
* ext/openssl: avoid SEGV on Cipher.new("ChaCha20-Poly1305")Kazuki Yamaguchi2016-04-271-9/+13
| | | | | | | | A temporary workaround. EVP_CipherInit_ex() allows to specify NULL to key and/or iv, however when we use ChaCha20-Poly1305 and set only key (this case), it does memcpy(x, NULL, y) and this causes a segmentation fault.
* ext/openssl: remove SHA, DSS, DSS1 if using OpenSSL 1.1.0Kazuki Yamaguchi2016-04-271-1/+4
|
* ext/openssl: use SSL_is_server() to check if the SSL is server or notKazuki Yamaguchi2016-04-273-3/+7
| | | | | The state returned by SSL_get_state() doesn't become SSL_ST_ACCEPT anymore in OpenSSL 1.1.0.
* ext/openssl: add SSLContext#set_ecdh_curvesKazuki Yamaguchi2016-04-274-6/+146
| | | | | | | | | | And deprecate #tmp_ecdh_callback. Since SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0, we can't provide SSLContext#tmp_ecdh_callback anymore. Instead, we should use SSL_CTX_set1_curves_list() to set the curves and SSL_CTX_set_ecdh_auto() to make OpenSSL select automatically from the list.
* ext/openssl: fix some compiler warnings on ossl_ssl.cKazuki Yamaguchi2016-04-271-5/+8
|
* ext/openssl: add SSLContext#security_level, #security_level=Kazuki Yamaguchi2016-04-272-0/+56
| | | | | | | | OpenSSL 1.1.0 introduced "security level" and these methods deal with it. This patch includes many test changes: setting the level to 0. The default security level is 1 and this prohibits aNULL ciphers.
* ext/openssl: make ENGINE.cleanup no-op if using OpenSSL 1.1.0Kazuki Yamaguchi2016-04-272-1/+6
|
* ext/openssl: use SSL_CTX_get_ciphers()Kazuki Yamaguchi2016-04-273-1/+6
|
* ext/openssl: avoid using deprecated protocol version specific methods.Kazuki Yamaguchi2016-04-272-35/+43
| | | | | They emit warnings with OpenSSL 1.1.0. Instead use SSL_CTX_set_{min,max}_proto_version().
* ext/openssl: EVP_PKEY, DH, DSA, RSA, EC_KEY are made opaqueKazuki Yamaguchi2016-04-279-144/+372
| | | | | | | | | | | | | | | | | | | | Use EVP_PKEY_get0_* instead of pkey->pkey.* Use EVP_PKEY_base_id(pkey) instead of EVP_PKEY_type(pkey->type) Because of this, we can no longer set the parameters/keys directly, and the newly added functions as alternative require setting all relevant values at the same time. So this patch contains incompatibility: the following code no longer works (if using 1.1.0): dh = OpenSSL::PKey::DH.new(...) dh.priv_key = OpenSSL::BN.new(...) ...and we have to write like: dh = OpenSSL::PKey::DH.new(...) priv = OpenSSL::BN.new(...) pub = <calculate (dh.g ** priv) % dh.p> dh.set_key(pub, priv)
* ext/openssl: use EVP_MD_CTX_new() to allocate EVP_MD_CTXKazuki Yamaguchi2016-04-273-12/+25
|
* ext/openssl: use X509_STORE_CTX_get0_store() instead of store_ctx->ctxKazuki Yamaguchi2016-04-273-3/+8
|
* ext/openssl: fix (mainly) opaque related compilation of ossl_x509*.cKazuki Yamaguchi2016-04-2711-63/+173
| | | | | | | | | | | | | Fix following files: - ossl_x509attr.c - ossl_x509cert.c - ossl_x509store.c - ossl_x509name.c - ossl_x509req.c - ossl_x509crl.c - ossl_x509revoked.c - ossl_x509ext.c
* ext/openssl: use *_up_ref() functionsKazuki Yamaguchi2016-04-277-10/+45
|
* ext/openssl: support new threading API of OpenSSL 1.1.0Kazuki Yamaguchi2016-04-272-0/+5
| | | | Setting locking callbacks is no longer needed.
* ext/openssl: SSL_SESSION is made opaqueKazuki Yamaguchi2016-04-272-4/+14
|
* ext/openssl: the return type of HMAC_CTX_copy() is intKazuki Yamaguchi2016-04-272-3/+4
|
* ext/openssl: BIGNUM and BN_GENCB is made opaqueKazuki Yamaguchi2016-04-277-23/+47
|
* ext/openssl: OCSP_SINGLERESP and OCSP_CERTID are also made opaqueKazuki Yamaguchi2016-04-273-4/+11
|
* ext/openssl: use HMAC_CTX_{new,free,reset} to allocate HMAC_CTXKazuki Yamaguchi2016-04-274-52/+107
| | | | HMAC_CTX is made opaque in OpenSSL 1.1.0
* ext/openssl: use EVP_CIPHER_CTX_{new,free} to allocate EVP_CIPHER_CTXKazuki Yamaguchi2016-04-274-22/+51
| | | | EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0
* ext/openssl: d2i_ASN1_BOOLEAN is removedKazuki Yamaguchi2016-04-271-6/+7
|
* ext/openssl: disable OpenSSL::Random.pseudo_bytes if deprecatedKazuki Yamaguchi2016-04-272-0/+5
|
* ext/openssl: avoid deprecated BN primes functionsKazuki Yamaguchi2016-04-271-3/+3
| | | | | BN_generate_prime(), BN_is_prime(), BN_is_prime_fasttest() is deprecated and the replacements are available on all versions of OpenSSL >= 0.9.8.
* ext/openssl: simplify extconf.rbKazuki Yamaguchi2016-04-272-54/+34
|
* ext/openssl: include openssl/asn1.h instead of openssl/asn1_mac.hKazuki Yamaguchi2016-04-271-1/+1
|
* ext/openssl: drop support for OPENSSL_NO_HMACKazuki Yamaguchi2016-04-272-16/+1
| | | | | | It has not been actually supported: since ossl.h includes openssl/hmac.h without any guards, it wouldn't compile if OPENSSL_NO_HMAC is enabled.
* ext/openssl: drop support for OpenSSL 0.9.6/0.9.7Kazuki Yamaguchi2016-04-2723-772/+90
| | | | | | | | | The last release of OpenSSL 0.9.7 series was over 9 years ago (!) and even 0.9.8/1.0.0 are no longer supported (EOL was 2015-12-31). It actually doesn't compile since r40461 (ext/openssl/ossl_bn.c (ossl_bn_initialize): allow Fixnum and Bignum. [ruby-core:53986] [Feature #8217], 2013-04-25, 2.1.0) and it looks like nobody noticed it.
* ext/openssl: always use our implementation of SSL_SESSION_cmp()Kazuki Yamaguchi2016-04-274-5/+26
| | | | | | | | | Implement CRYPTO_memcmp() if it is not available. Always use our SSL_SESSION_cmp() (renamed to ossl_SSL_SESSION_cmp()). SSL_SESSION_cmp() was removed in OpenSSL 1.0.0 and we have used a reimplemented one. However our implementation is better than the original (it uses CRYPTO_memcmp() instead of plain memcmp).
* ext/openssl: check if SSL_CTX_clear_options() is availableKazuki Yamaguchi2016-04-272-0/+6
| | | | | | | Fix build with very very old versions of OpenSSL. SSL_CTX_clear_options() is new in OpenSSL 0.9.8m but some Linux distributions still uses 0.9.8e.
* Update dependencies.akr2016-04-111-0/+31
| | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54544 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: Access to ephemeral TLS session keynobu2016-04-042-0/+23
| | | | | | | | | * ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral TLS session key in case of forward secrecy cipher. Only available since OpenSSL 1.0.2. [Fix GH-1318] * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: accept moving write buffer for write_nonblocknormal2016-03-311-1/+2
| | | | | | | | | | | | | | | | | | | By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag. This flag was introduced at the same time as SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage with non-blocking sockets much easier. Before this, a Rubyist would need to remember the exact object which failed to write and reuse it later when the socket became writable again. This causes problems when the buffer is given by another layer of the application (e.g. a buffer is given by a Rack middleware or application to a Rack web server). * ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default [Bug #12126] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: fix build when NPN is disabled by OpenSSLnobu2016-03-252-20/+21
| | | | | | | | | | | * ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb function rather than OPENSSL_NPN_NEGOTIATED macro. it exists even if it is disabled by OpenSSL configuration. [ruby-core:74384] [Bug #12182] * ext/openssl/ossl_ssl.c: update #ifdef(s) as above. * test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54258 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* document OpenSSL::SSL::SSLContext#setup as MT-unsafenormal2016-03-141-2/+2
| | | | | | | | | | | On a cursory inspection, using rb_block_call for extra_chain_cert is thread-unsafe. There may be other instances of thread-unsafe behavior in this method, but one is enough. * ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as MT-unsafe [ruby-core:73803] [Bug #12069] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* Fix typo on OpenSSL::PKey doc [ci skip]nobu2016-02-021-1/+1
| | | | | | | * ext/openssl/ossl_pkey.c (Init_ossl_pkey): [DOC] Fix typo "encrypted" to "decrypted". [Fix GH-1235] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53723 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/openssl/lib/openssl/pkey.rb: Added 2048 bit DH parameter.hsbt2016-01-161-0/+12
| | | | | | * test/openssl/test_pkey_dh.rb: ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53553 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * Remove 512-bit DH group. It's affected by LogJam Attack.hsbt2016-01-141-8/+0
| | | | | | | https://weakdh.org/ [fix GH-1196][Bug #11968][ruby-core:72766] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53531 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: fix examples [ci skip]nobu2016-01-091-0/+3
| | | | | | | * ext/openssl/ossl.c: Add missing variables to documentation examples. [Fix GH-1189] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* prefer rb_syserr_failnobu2015-12-231-1/+2
| | | | | | | | * file.c, io.c, util.c: prefer rb_syserr_fail with saved errno over setting errno then call rb_sys_fail, not to be clobbered potentially and to reduce thread local errno accesses. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53264 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* NotImplementedError typonobu2015-12-211-1/+1
| | | | | | | * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket): fix NotImplementedError typo. [Fix GH-1165] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53223 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* handle ext/ as r53141naruse2015-12-1611-0/+11
| | | | | | | | g -L frozen_string_literal ext/**/*.rb|xargs ruby -Ka -e'ARGV.each{|fn|puts fn;open(fn,"r+"){|f|s=f.read.sub(/\A(#!.*\n)?(#.*coding.*\n)?/,"\\&# frozen_string_literal: false\n");f.rewind;f.write s}}' git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53143 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/openssl/ossl_ssl.c (ssl_npn_select_cb_common): fix parsingnaruse2015-12-131-10/+7
| | | | | | | | protocol list. The protocol list from OpenSSL is not null-terminated. patched by Kazuki Yamaguchi [Bug #11810] [ruby-core:72082] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53064 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/**/*.c (*_memsize): same as r52986 for extensions.ko12015-12-091-1/+1
| | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52988 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c: hide globalsnormal2015-12-012-8/+6
| | | | | | | | | | | | | * ext/openssl/ossl_ssl.c (mSSLExtConfig): make static (eSSLError): ditto (ID_callback_state): ditto (ossl_ssl_ex_vcb_idx): ditto (ossl_ssl_ex_store_p): ditto (ossl_ssl_ex_ptr_idx): ditto * ext/openssl/ossl_ssl.h: remove extern declarations for mSSLExtConfig and eSSLError git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/openssl/ossl_rand.c (ossl_rand_bytes): RAND_bytes couldkosaki2015-11-302-4/+10
| | | | | | | be return -1 as an error. Therefore, added error handling. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52810 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/openssl/ossl.c: fix brew command for installation of openssl.hsbt2015-11-221-1/+1
| | | | | | [ci skip][fix GH-1007] Patch by @arthurnn git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52714 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* * ext/openssl/ossl.h: LibreSSL doesn't have and need e_os2.h.naruse2015-11-211-1/+1
| | | | git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-29 04:55:53 +0000