Age | Commit message (Collapse) | Author |
|
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by
LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not
supported by any non-EOL versions of OpenSSL.
The wrapper was initially implemented in Ruby 2.3 and has been
deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit
warning with rb_warn().
https://github.com/ruby/openssl/commit/ee037e1460
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write.
However, on macOS, send(2) which is called via SSL_write() can
occasionally return EPROTOTYPE. Retry SSL_write() so that we get a
proper error, just as ext/socket does.
Reference: https://bugs.ruby-lang.org/issues/14713
Reference: https://github.com/ruby/openssl/issues/227
https://github.com/ruby/openssl/commit/2e700c80bf
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
X509::Store#add_cert
Rename the test case to test_add_cert_duplicate to clarify what it is
actually testing.
https://github.com/ruby/openssl/commit/4cc3c4110f
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
The test case is huge and too complex. Break it up into separate test
cases for better documentation.
https://github.com/ruby/openssl/commit/61012df03b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add more details about each method, and add reference to OpenSSL man
pages.
https://github.com/ruby/openssl/commit/02b6f82c73
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
The certificate passed as the second argument was not properly free'd
in the error paths.
https://github.com/ruby/openssl/commit/9561199b9f
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Use the OpenSSL function name that caused the error to generate a better
error message.
https://github.com/ruby/openssl/commit/b31809ba3d
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Use ossl_x509_sk2ary() to create an array of OpenSSL::X509::Certificate
from STACK_OF(X509).
https://github.com/ruby/openssl/commit/fa1da69f92
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Anything passed to OpenSSL::X509::Store.new was always ignored. Let's
emit an explicit warning to not confuse users.
https://github.com/ruby/openssl/commit/d173700eeb
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
given
Undo special treatment of nil and simply pass the value to
StringValueCStr().
nil was never a valid argument for the method; OpenSSL::X509::StoreError
with an unhelpful error message "system lib" was raised in that case.
https://github.com/ruby/openssl/commit/fb2fcbb137
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
https://github.com/ruby/openssl/commit/f36af95519
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
The socket is called ssl_connection, not connection
https://github.com/ruby/openssl/commit/642783aeda
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
values
SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer)
and verify_hostname expects either true or false. However, they are set
to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising.
Set a proper value to them by default: verify_mode is set to
OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by
default.
Note that this does not change the default behavior. The certificate
verification was never performed unless verify_mode is set to
OpenSSL::SSL::VERIFY_PEER by a user. The same applies to
verify_hostname.
https://github.com/ruby/openssl/commit/87d869352c
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add explicit test cases for the behaviors with different verify_mode.
If we made a bug in verify_mode, we would notice it by failures of other
test cases, but there were no dedicated test cases for verify_mode.
https://github.com/ruby/openssl/commit/1ccdc05662
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
The current test_client_auth_public_key test case checks that supplying
a PKey containing only public components through client_cert_cb will
cause handshake to fail. While this is a correct behavior as a whole,
the assertions are misleading in the sense that giving a public key is
causing the failure. Actually, the handshake fails because a client
certificate is not supplied at all, as a result of ArgumentError that is
silently ignored.
Rename the test case to test_client_cert_cb_ignore_error and simplify it
to clarify what it is testing.
https://github.com/ruby/openssl/commit/785b5569fc
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
https://github.com/ruby/openssl/commit/0bf51da6e2
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
We ran into some Linux-based systems not accepting the upper case variant
https://github.com/ruby/openssl/commit/7bc49121d5
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
OpenSSL::HMAC implements the similar interface as ::Digest. Let's add
base64digest methods to OpenSSL::HMAC, too, for feature parity.
https://github.com/ruby/openssl/commit/098bcb68af
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
https://github.com/ruby/openssl/commit/0317e2fc02
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
https://github.com/ruby/openssl/commit/8253d7c9ce
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Deprecate it for future removal. However, I do not expect any
application is affected by this.
The other form of calling it, PKey::EC::Point#mul(bn [, bn]) remains
untouched.
PKey::EC::Point#mul calls EC_POINTs_mul(3) when multiple BNs
are given as an array. LibreSSL 2.8.0 released on 2018-08 removed the
feature and OpenSSL 3.0 which is planned to be released in 2020 will
also deprecate the function as there is no real use-case.
https://github.com/ruby/openssl/commit/812de4253d
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
appropriate
IO.read may mangle line separator, which will corrupt binary data
including DER-encoded X.509 certificates and such.
Fixes: https://github.com/ruby/openssl/issues/243
https://github.com/ruby/openssl/commit/93213b2730
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
PKey::EC#dh_compute_key
Use the new OpenSSL::PKey::PKey#derive instead of the raw
{EC,}DH_compute_key(), mainly to reduce amount of the C code.
https://github.com/ruby/openssl/commit/28edf6bafc
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
https://github.com/ruby/openssl/commit/28f0059bea
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
https://github.com/ruby/openssl/commit/ae19454592
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
interface
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
https://github.com/ruby/openssl/commit/9ff6e5143b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types we don't have a dedicated class.
https://github.com/ruby/openssl/commit/d8e8e57de9
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Fix test_socket_open_with_local_address_port_context.
Often with MinGW, it seems EACCES is returned on bind when the port
number is unavailable. Ignore it just as we do for EADDRINUSE and
continue searching free port number.
Fixes: 98f8787b4687 ("test/openssl/test_ssl: fix random failure in
SSLSocket.open test", 2020-02-17)
https://github.com/ruby/openssl/commit/413b15526e
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
The EVP interface cannot tell whether if a pkey contains the private
components or not. Assume it does if it does not respond to #private?.
This fixes the NoMethodError on calling #sign on a generic PKey.
https://github.com/ruby/openssl/commit/f4c717bcb2
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Add ossl_pkey_export_traditional() and ossl_pkey_export_spki() helper
functions, and use them. This reduces code duplication.
https://github.com/ruby/openssl/commit/56f0d34d63
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Export the flow used by OpenSSL::PKey.read and let the subclasses call
it before attempting other formats.
https://github.com/ruby/openssl/commit/d963d4e276
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
https://github.com/ruby/openssl/commit/cf92a3ffba
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Try PEM_read_bio_Parameters(). Only PEM format is supported at the
moment since corresponding d2i_* functions are not provided by OpenSSL.
https://github.com/ruby/openssl/commit/867e5c021b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Merge the code into the callers so that the wrapping Ruby object is
allocated before the raw key object is allocated. This prevents possible
memory leak on Ruby object allocation failure, and also reduces the
lines of code.
https://github.com/ruby/openssl/commit/1eb1366615
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
ossl_{rsa,dsa,dh,ec}_new() called from this function are not used
anywhere else. Inline them into pkey_new0() and reduce code
duplication.
https://github.com/ruby/openssl/commit/94aeab2f26
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Now that OpenSSL::Config wraps a real CONF object, the caller can just
borrow it rather than creating a new temporary CONF object. CONF object
is usually treated as immutable.
DupConfigPtr() is now removed, and GetConfig() is exported instead.
https://github.com/ruby/openssl/commit/d9064190ca
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Revert OpenSSL::Config to using the OpenSSL API and remove our own
parser implementation for the config file syntax.
OpenSSL::Config now wraps a CONF object. Accessor methods deal with the
object directly rather than Ruby-level internal state.
This work is based on the old C code we used before 2010.
https://github.com/ruby/openssl/commit/c891e0ea89
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
LibreSSL has removed the feature to map environment variables onto the
"ENV" section.
https://github.com/ruby/openssl/commit/b70817faec
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Sort keys of a section before comparing. The ordering is not part of the
API. This can cause a test failure if we use OpenSSL's C implementation.
Fixes: 2ad65b5f673f ("config: support .include directive", 2018-08-16)
https://github.com/ruby/openssl/commit/259e6fd2dc
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Config.parse_config
https://github.com/ruby/openssl/commit/9ce2ccf36d
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Remove 4 deprecated methods.
The following two methods have been marked as deprecated since 2003,
by r4531 (ruby.git commit 78ff3833fb67c8005a9b851037e74b3eea940aa3).
- OpenSSL::Config#value
- OpenSSL::Config#section
Other two methods are removed because the corresponding functions
disappeared in OpenSSL 1.1.0.
- OpenSSL::Config#add_value
- OpenSSL::Config#[]=
https://github.com/ruby/openssl/commit/9783d7f21c
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Allow specifying just length to #update
CCM mode ciphers need to specify the total plaintext or ciphertext
length to EVP_CipherUpdate.
Update the link to the tests file
Define Cipher#ccm_data_len= for CCM mode ciphers
Add a unit test for CCM mode
Also check CCM is authenticated when testing
https://github.com/ruby/openssl/commit/bb3816953b
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
https://github.com/ruby/rdoc/commit/7b7b91768e
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
https://github.com/ruby/rdoc/commit/3a4120b155
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
https://github.com/ruby/rdoc/commit/0c8cb25b50
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
https://github.com/ruby/rdoc/commit/e14800891f
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
Currently a fenced code block needs a preceding blank line, it
should not be required, as:
https://github.github.com/gfm/#fenced-code-blocks
> A fenced code block may interrupt a paragraph, and does not
> require a blank line either before or after.
Just recommended:
https://docs.github.com/en/github/writing-on-github/creating-and-highlighting-code-blocks
> We recommend placing a blank line before and after code blocks
> to make the raw formatting easier to read.
https://github.com/ruby/rdoc/commit/0e1776caf3
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
https://github.com/ruby/rdoc/commit/2219c5ae80
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
https://github.com/ruby/rdoc/commit/9dc933df16
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|
|
Updates css so the sidebar look like a panel instead of looking like chopped edges.
https://github.com/ruby/rdoc/commit/b0098c6d72
Notes:
Merged: https://github.com/ruby/ruby/pull/4274
|