X509_STORE_get_ex_new_index() is required in addition to
X509_STORE_CTX_get_ex_new_index() because they are independent.
|
Since openssl/opensslconf.h is always included, we can check
OPENSSL_FIPS macro directly.
|
A temporary workaround.
EVP_CipherInit_ex() allows specifying NULL for key and/or iv, however
when we use ChaCha20-Poly1305 and set only key (this case), it does
memcpy(x, NULL, y) and this causes a segmentation fault.
|
The state returned by SSL_get_state() doesn't become SSL_ST_ACCEPT
anymore in OpenSSL 1.1.0.
|
And deprecate #tmp_ecdh_callback.
Since SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0, we
can't provide SSLContext#tmp_ecdh_callback anymore. Instead, we should
use SSL_CTX_set1_curves_list() to set the curves and
SSL_CTX_set_ecdh_auto() to make OpenSSL select automatically from the
list.
|
OpenSSL 1.1.0 introduced "security level" and these methods deal with
it.
This patch includes many test changes: setting the level to 0.
The default security level is 1 and this prohibits aNULL ciphers.
|
They emit warnings with OpenSSL 1.1.0. Instead use
SSL_CTX_set_{min,max}_proto_version().
|
Use EVP_PKEY_get0_* instead of pkey->pkey.*
Use EVP_PKEY_base_id(pkey) instead of EVP_PKEY_type(pkey->type)
Because of this, we can no longer set the parameters/keys directly, and
the newly added alternative functions require setting all relevant
values at the same time. So this patch contains an incompatibility: the
following code no longer works (if using 1.1.0):

    dh = OpenSSL::PKey::DH.new(...)
    dh.priv_key = OpenSSL::BN.new(...)

...and we have to write it like this:

    dh = OpenSSL::PKey::DH.new(...)
    priv = OpenSSL::BN.new(...)
    pub = <calculate (dh.g ** priv) % dh.p>
    dh.set_key(pub, priv)
|
Fix the following files:
- ossl_x509attr.c
- ossl_x509cert.c
- ossl_x509store.c
- ossl_x509name.c
- ossl_x509req.c
- ossl_x509crl.c
- ossl_x509revoked.c
- ossl_x509ext.c
|
Setting locking callbacks is no longer needed.
|
HMAC_CTX is made opaque in OpenSSL 1.1.0
|
EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0
|
BN_generate_prime(), BN_is_prime(), BN_is_prime_fasttest() are deprecated
and the replacements are available on all versions of OpenSSL >= 0.9.8.
|
It has not been actually supported: since ossl.h includes
openssl/hmac.h without any guards, it wouldn't compile if
OPENSSL_NO_HMAC is enabled.
|
The last release of OpenSSL 0.9.7 series was over 9 years ago (!) and
even 0.9.8/1.0.0 are no longer supported (EOL was 2015-12-31).
It actually doesn't compile since r40461 (ext/openssl/ossl_bn.c
(ossl_bn_initialize): allow Fixnum and Bignum. [ruby-core:53986]
[Feature #8217], 2013-04-25, 2.1.0) and it looks like nobody noticed it.
|
Implement CRYPTO_memcmp() if it is not available.
Always use our SSL_SESSION_cmp() (renamed to ossl_SSL_SESSION_cmp()).
SSL_SESSION_cmp() was removed in OpenSSL 1.0.0 and we have used a
reimplemented one. However our implementation is better than the
original (it uses CRYPTO_memcmp() instead of plain memcmp).
|
Fix build with very very old versions of OpenSSL.
SSL_CTX_clear_options() is new in OpenSSL 0.9.8m but some Linux
distributions still use 0.9.8e.
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54544 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
TLS session key in case of forward secrecy cipher. Only
available since OpenSSL 1.0.2. [Fix GH-1318]
* ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag.
This flag was introduced at the same time as
SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage
with non-blocking sockets much easier.
Before this, a Rubyist would need to remember the exact object
which failed to write and reuse it later when the socket became
writable again. This causes problems when the buffer is given
by another layer of the application (e.g. a buffer is given
by a Rack middleware or application to a Rack web server).
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc):
enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default
[Bug #12126]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb
function rather than OPENSSL_NPN_NEGOTIATED macro. It exists
even if it is disabled by OpenSSL configuration.
[ruby-core:74384] [Bug #12182]
* ext/openssl/ossl_ssl.c: update #ifdef(s) as above.
* test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54258 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
On a cursory inspection, using rb_block_call for extra_chain_cert
is thread-unsafe. There may be other instances of thread-unsafe
behavior in this method, but one is enough.
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as MT-unsafe
[ruby-core:73803] [Bug #12069]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/ossl_pkey.c (Init_ossl_pkey): [DOC] Fix typo
"encrypted" to "decrypted". [Fix GH-1235]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53723 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* test/openssl/test_pkey_dh.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53553 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
https://weakdh.org/
[fix GH-1196][Bug #11968][ruby-core:72766]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53531 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/ossl.c: Add missing variables to documentation
examples. [Fix GH-1189]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* file.c, io.c, util.c: prefer rb_syserr_fail with saved errno
over setting errno then call rb_sys_fail, not to be clobbered
potentially and to reduce thread local errno accesses.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53264 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket): fix
NotImplementedError typo. [Fix GH-1165]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53223 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
g -L frozen_string_literal ext/**/*.rb|xargs ruby -Ka -e'ARGV.each{|fn|puts fn;open(fn,"r+"){|f|s=f.read.sub(/\A(#!.*\n)?(#.*coding.*\n)?/,"\\&# frozen_string_literal: false\n");f.rewind;f.write s}}'
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53143 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
protocol list.
The protocol list from OpenSSL is not null-terminated.
patched by Kazuki Yamaguchi [Bug #11810] [ruby-core:72082]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53064 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52988 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/ossl_ssl.c (mSSLExtConfig): make static
(eSSLError): ditto
(ID_callback_state): ditto
(ossl_ssl_ex_vcb_idx): ditto
(ossl_ssl_ex_store_p): ditto
(ossl_ssl_ex_ptr_idx): ditto
* ext/openssl/ossl_ssl.h: remove extern declarations for
mSSLExtConfig and eSSLError
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
be return -1 as an error. Therefore, added error handling.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52810 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
[ci skip][fix GH-1007] Patch by @arthurnn
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52714 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e