ruby.git/ext/openssl/openssl_missing.h, branch v2_4_0_preview2 The Ruby Programming Language import Ruby/OpenSSL 2.0.0.beta.1 2016-08-29T05:47:09+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-08-29T05:47:09+00:00 c9dc0164b8ad1cb23faf6120749bcc349a7bfd45 * NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1 [Feature #9612] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: add 'const's required in OpenSSL master 2016-06-19T05:31:28+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-19T05:31:28+00:00 31388c4a73fa4280b1e544648b35faf02ff4c2e2 * ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327 [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c,
  ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days
  ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327
  [ruby-core:75225] [Feature #12324]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: fix acesssor functions for RSA and DH in openssl_missing.h 2016-06-14T12:35:28+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-14T12:35:28+00:00 8dd0a046a9adebdf5cbd53dd4f590981f06715ea * ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key): DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key(). Fixes r55285. [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55408 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key):
  DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key().
  Fixes r55285.  [ruby-core:75225] [Feature #12324]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55408 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: support non AES-GCM AEAD ciphers in OpenSSL::Cipher 2016-06-12T05:06:18+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-12T05:06:18+00:00 9f703785ecb78307241e29d2145b198c2d5e6b7e * ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag, ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if the cipher supports AEAD. AES-GCM was the only supported in OpenSSL 1.0.1. (Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't work. * ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if missing. They are added in OpenSSL 1.1.0, and have the same value as EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag,
  ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by
  EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if
  the cipher supports AEAD. AES-GCM was the only supported in OpenSSL
  1.0.1.

  (Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't
  work.

* ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if
  missing. They are added in OpenSSL 1.1.0, and have the same value as
  EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: fix compile on VC 2016-06-06T01:40:27+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-06T01:40:27+00:00 9d2196fd9548991d2cfad4916422bc9bfe12cee0 * ext/openssl/openssl_missing.h: Include ruby/config.h. r55285 added some inline functions but VC does not recognize 'inline' keyword. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55291 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/openssl_missing.h: Include ruby/config.h. r55285 added
  some inline functions but VC does not recognize 'inline' keyword.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55291 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: use SSL_is_server() 2016-06-05T16:36:39+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-05T16:36:39+00:00 7451c1468baf6b998cdc4a4697dffeac2e5a9866 * ext/openssl/extconf.rb: Check existence of SSL_is_server(). This function was introduced in OpenSSL 1.0.2. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing. * ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if the SSL is server. The state machine in OpenSSL was rewritten and SSL_get_state() no longer returns SSL_ST_ACCEPT. (ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some `const`s to suppress warning. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55289 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This
  function was introduced in OpenSSL 1.0.2.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing.

* ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if
  the SSL is server. The state machine in OpenSSL was rewritten and
  SSL_get_state() no longer returns SSL_ST_ACCEPT.

  (ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some
  `const`s to suppress warning.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55289 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: adapt to OpenSSL 1.1.0 opaque structs 2016-06-05T15:35:12+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-05T15:35:12+00:00 0a523ab20dfe5564b33d962eb5a470896c6521f2 * ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/extconf.rb: Check existence of accessor functions that
  don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
  structures opaque and requires use of these accessor functions.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/openssl_missing.[ch]: Implement them if missing.

* ext/openssl/ossl*.c: Use these accessor functions.

* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs 2016-06-05T15:00:47+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-05T15:00:47+00:00 63abe0078521d91db7a28de1db14bd193f74aad3 * ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and {RSA,DSA,EC_KEY,DH}_get0_*() functions. OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide setter methods for each parameter of each PKey type, for example PKey::RSA#e=, but this is no longer possible because the new API RSA_set0_key() requires the 'n' at the same time. This commit adds deprecation warning to them and adds PKey::*#set_* methods as direct wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}. Emit a warning with rb_warning() when old setter methods are used. * test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb, test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH object that are used in tmp_dh_callback. Generating a new key pair every time should be fine - actually the private exponent is ignored in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set. https://www.openssl.org/news/secadv/20160128.txt git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and
  {RSA,DSA,EC_KEY,DH}_get0_*() functions.
  OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide
  setter methods for each parameter of each PKey type, for example
  PKey::RSA#e=, but this is no longer possible because the new API
  RSA_set0_key() requires the 'n' at the same time. This commit adds
  deprecation warning to them and adds PKey::*#set_* methods as direct
  wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be
  rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement
  RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}.
  Emit a warning with rb_warning() when old setter methods are used.

* test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb,
  test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH
  object that are used in tmp_dh_callback. Generating a new key pair
  every time should be fine - actually the private exponent is ignored
  in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set.
  https://www.openssl.org/news/secadv/20160128.txt

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: support OpenSSL 1.1.0's new multi-threading API 2016-06-05T12:46:05+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-05T12:46:05+00:00 e478bb7d79773651fe4339e930aa936c8ae98066 * ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application had to set locking callbacks to use OpenSSL in a multi-threaded environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we don't need to do something special. [ruby-core:75225] [Feature #12324] Also check existence of *_up_ref(). Some structures in OpenSSL have a reference counter. We used to increment it with CRYPTO_add() which is a part of the old API. * ext/openssl/openssl_missing.h: Implement *_up_ref() if missing. * ext/openssl/ossl.c: Don't set locking callbacks if unneeded. * ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c, ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add(). git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55283 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the
  OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application
  had to set locking callbacks to use OpenSSL in a multi-threaded
  environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we
  don't need to do something special.
  [ruby-core:75225] [Feature #12324]

  Also check existence of *_up_ref(). Some structures in OpenSSL have
  a reference counter. We used to increment it with CRYPTO_add() which
  is a part of the old API.

* ext/openssl/openssl_missing.h: Implement *_up_ref() if missing.

* ext/openssl/ossl.c: Don't set locking callbacks if unneeded.

* ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c,
  ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
  ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add().

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55283 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: add SSLContext#ecdh_curves= 2016-05-30T09:30:38+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-05-30T09:30:38+00:00 f26f3589302e7e26ecb69180d2b2a2f7f7eaf416 * ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With this a TLS server automatically selects a curve which both the client and the server support to use in ECDH. This changes the default behavior but users can still disable ECDH by excluding 'ECDH' cipher suites from the cipher list (with SSLContext#ciphers=). This commit also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL 1.1.0. Its callback receives two values 'is_export' and 'keylength' but both are completely useless for determining a curve to use in ECDH. The automatic curve selection was introduced to replace this. (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a warning if this is in use. (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap SSL_CTX_set1_curves_list(). If it is not available, this falls back to SSL_CTX_set_tmp_ecdh(). (Init_ossl_ssl): Define SSLContext#ecdh_curves=. * ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(), SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_CTX_set_tmp_ecdh_callback(). * ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if missing. * test/openssl/test_pair.rb (test_ecdh_callback): Use EnvUtil.suppress_warning to suppress deprecated warning. (test_ecdh_curves): Test that SSLContext#ecdh_curves= works. * test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
  curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
  this a TLS server automatically selects a curve which both the client
  and the server support to use in ECDH. This changes the default
  behavior but users can still disable ECDH by excluding 'ECDH' cipher
  suites from the cipher list (with SSLContext#ciphers=). This commit
  also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
  wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
  1.1.0. Its callback receives two values 'is_export' and 'keylength'
  but both are completely useless for determining a curve to use in
  ECDH. The automatic curve selection was introduced to replace this.

  (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
  warning if this is in use.

  (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
  SSL_CTX_set1_curves_list(). If it is not available, this falls back
  to SSL_CTX_set_tmp_ecdh().

  (Init_ossl_ssl): Define SSLContext#ecdh_curves=.

* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
  SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
  SSL_CTX_set_tmp_ecdh_callback().

* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
  missing.

* test/openssl/test_pair.rb (test_ecdh_callback): Use
  EnvUtil.suppress_warning to suppress deprecated warning.

  (test_ecdh_curves): Test that SSLContext#ecdh_curves= works.

* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e