| Age | Commit message (Collapse) | Author |
|---|
|
Update openssl gem to 3.3.1
[Backport #21631]
|
|
declarations
https://github.com/ruby/openssl/commit/b6f56c4540
https://github.com/ruby/openssl/commit/5277ca1431
|
|
(https://github.com/ruby/openssl/pull/770)
Instead of an ivar, so other ossl functions that take a store will use the correct time when verifying
https://github.com/ruby/openssl/commit/21aadc66ae
|
|
Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING
https://github.com/ruby/openssl/commit/5bccf07d04
|
|
Ref https://github.com/ruby/openssl/issues/519
This makes verifying embedded certificate transparency signatures
significantly easier, as otherwise the alternative was manipulating the
ASN1 sequence, as in
https://github.com/segiddins/sigstore-cosign-verify/pull/2/commits/656d992fa816613fd9936f53ce30972c2f2f4957
https://github.com/ruby/openssl/commit/99128bea5d
|
|
truffle/openssl-prefix on TruffleRuby"
* This reverts commit https://github.com/ruby/openssl/commit/ca738e7e1357.
* No longer needed since https://github.com/oracle/truffleruby/issues/3170 was fixed.
https://github.com/ruby/openssl/commit/1f641a5604
|
|
(https://github.com/ruby/openssl/pull/714)
* Add support for IO#timeout.
https://github.com/ruby/openssl/commit/3bbf5178a9
|
|
Remove the OSSL_DEBUG flag and OpenSSL.mem_check_start which is only
compiled when the flag is given. They are meant purely for development
of Ruby/OpenSSL.
OpenSSL.mem_check_start helped us find memory leak bugs in past, but
it is no longer working with the recent OpenSSL versions. Let's just
remove it now.
https://github.com/ruby/openssl/commit/8c7a6a17e2
|
|
doesn't exist.
OpenSSL built from the source creates the library directory to the
`/path/to/openssl_dir/lib64` as a default.
In the case, the `bundle exec rake compile -- --with-openssl-dir=<openssl_dir>`
cannot compile with the lib64 directory, and may compile with system OpenSSL's
libraries unintentionally. This commit is to check this case to avoid linking
with an unintentional library directory.
https://github.com/ruby/openssl/commit/ca54087462
|
|
truffle/openssl-prefix on TruffleRuby
* See https://github.com/ruby/openssl/issues/650#issuecomment-1645699608
https://github.com/ruby/openssl/commit/ca738e7e13
|
|
features
RUBY_OPENSSL_EXTCFLAGS and RUBY_OPENSSL_EXTLDFLAGS have been added for
the primary purpose of appending custom warning flags during
development and CI.
Since checking programs generated by mkmf may not be completely
warning-free, we don't want to apply -Werror that may be supplied from
those environment variables.
https://github.com/ruby/openssl/commit/2a95b971d5
|
|
According to the `mkmf.rb#init_mkmf`, there are command line options below.
* `--with-cflags` to set the `cflags`
* `--with-ldflags` to set the `ldflags`
For example the following command compiles with the specified flags. Note that
`MAKEFLAGS` is to print the compiler command lines.
```
$ MAKEFLAGS="V=1" \
bundle exec rake compile -- \
--with-cflags="-Wundef -Werror" \
--with-ldflags="-fstack-protector"
```
However, I couldn't find command line options to append the flags. And this
commit is to append the `cflags` and `ldflags` by the environment variables.
```
$ MAKEFLAGS="V=1" \
RUBY_OPENSSL_EXTCFLAGS="-Wundef -Werror" \
RUBY_OPENSSL_EXTLDFLAGS="-fstack-protector" \
bundle exec rake compile
```
https://github.com/ruby/openssl/commit/b551eb86f6
|
|
|
|
https://github.com/ruby/openssl/commit/91657a7924
|
|
https://github.com/ruby/openssl/commit/b67aaf925d
|
|
https://github.com/ruby/ruby/commit/6d8f396f37350b7aa9c85a097929f54a0939448b
https://github.com/ruby/ruby/commit/c8b3bd45cc3cae93ae701333202416838ee6a00c
|
|
Current OpenSSL 3.0.x release has a regression with zero-length MAC
keys. While this issue should be fixed in a future release of OpenSSL,
we can use EVP_PKEY_new_raw_private_key() in place of the problematic
EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page
recommends using it regardless:
> EVP_PKEY_new_mac_key() works in the same way as
> EVP_PKEY_new_raw_private_key(). New applications should use
> EVP_PKEY_new_raw_private_key() instead.
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1224912710
https://github.com/ruby/openssl/commit/4293f18b1f
|
|
X509_STORE_get_ex_new_index() is a macro, so passing just its name to
have_func() doesn't detect it. Pass an example call instead.
https://github.com/ruby/openssl/commit/8d264d3e60
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
While building with a custom build of OpenSSL, I noticed in mkmf.log
that all the feature detection checks are done using a program lacking
an OpenSSL header include. `mkmf` retries using a fallback program when
this fails, but that means all the `have_func` calls compile twice when
compiling once should suffice. Example log without this commit:
have_func: checking for X509_STORE_CTX_get0_cert()... -------------------- yes
DYLD_FALLBACK_LIBRARY_PATH=.:../.. "clang -o conftest ...
conftest.c:14:57: error: use of undeclared identifier 'X509_STORE_CTX_get0_cert'
int t(void) { void ((*volatile p)()); p = (void ((*)()))X509_STORE_CTX_get0_cert; return !p; }
^
1 error generated.
checked program was:
/* begin */
1: #include "ruby.h"
2:
3: /*top*/
4: extern int t(void);
5: int main(int argc, char **argv)
6: {
7: if (argc > 1000000) {
8: int (* volatile tp)(void)=(int (*)(void))&t;
9: printf("%d", (*tp)());
10: }
11:
12: return !!argv[argc];
13: }
14: int t(void) { void ((*volatile p)()); p = (void ((*)()))X509_STORE_CTX_get0_cert; return !p; }
/* end */
DYLD_FALLBACK_LIBRARY_PATH=.:../.. "clang -o conftest ...
checked program was:
/* begin */
1: #include "ruby.h"
2:
3: /*top*/
4: extern int t(void);
5: int main(int argc, char **argv)
6: {
7: if (argc > 1000000) {
8: int (* volatile tp)(void)=(int (*)(void))&t;
9: printf("%d", (*tp)());
10: }
11:
12: return !!argv[argc];
13: }
14: extern void X509_STORE_CTX_get0_cert();
15: int t(void) { X509_STORE_CTX_get0_cert(); return 0; }
/* end */
The second compilation succeeds.
Specify the header for each checked function.
https://github.com/ruby/openssl/commit/34ae7d92d0
|
|
Notes:
Merged-By: ioquatix <samuel@codeotaku.com>
|
|
Notes:
Merged-By: ioquatix <samuel@codeotaku.com>
|
|
suites along with some unit tests (https://github.com/ruby/openssl/pull/493)
Add OpenSSL::SSL::SSLContext#ciphersuites= method along with unit tests.
https://github.com/ruby/openssl/commit/12250c7cef
|
|
https://github.com/ruby/openssl/commit/b23fa75aa3
|
|
On Windows with OpenSSL 3, the gem fails to compile with the following
error message:
ruby/src/ext/openssl/extconf.rb:188: undefined method \`sub!' for nil:NilClass
This is because $warnflags is nil.
Notes:
Merged: https://github.com/ruby/ruby/pull/6102
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/5667
|
|
We can use it to implement OpenSSL::PKey::PKey#initialize_copy. This
should work on all key types, not just DH/DSA/EC/RSA types.
https://github.com/ruby/openssl/commit/66cd8cbaaf
|
|
OpenSSL 3.0 renamed EVP_PKEY_cmp() to EVP_PKEY_eq() because that was a
confusing name.
https://github.com/ruby/openssl/commit/d42bd7fcdb
|
|
EVP_MD_CTX_pkey_ctx()
OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the
function name. Adjust compatibility macro so that we can use the new
function name for all OpenSSL 1.0.2-3.0.
https://github.com/ruby/openssl/commit/c106d888c6
|
|
if exists
The function was renamed in OpenSSL 3.0 due to the change of the
lifetime of EVP_MD objects. They are no longer necessarily statically
allocated and can be reference-counted -- when an EVP_MD_CTX is free'd,
the associated EVP_MD can also become inaccessible.
Currently Ruby/OpenSSL only handles builtin algorithms, so no special
handling is needed except for adapting to the rename.
https://github.com/ruby/openssl/commit/0a253027e6
|
|
In OpenSSL 3.0, BN_is_prime_ex() and BN_is_prime_fasttest_ex() are
deprecated in favor of BN_check_prime().
https://github.com/ruby/openssl/commit/90d51ef510
|
|
SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and
replaced with those two separate functions. Use them if they exist.
https://github.com/ruby/openssl/commit/5375a55ffc
|
|
TS_VERIFY_CTS_set_certs
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
https://github.com/ruby/openssl/commit/2be6779b08
|
|
OpenSSL 3.0 deprecated ERR_get_error_line_data() in favor of
ERR_get_error_all(), as part of the error queue structure changes.
https://github.com/ruby/openssl/commit/8e98d2ecc8
|
|
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.
SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.
RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.
Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.
https://github.com/ruby/openssl/commit/aa43da4f04
|
|
[ky: fixed compatibility with older versions of Ruby]
(cherry picked from commit ruby/ruby@45e65f302b663b2c6ab69df06d3b6f219c1797b2)
https://github.com/ruby/openssl/commit/8d928e0fb9
|
|
Use EVP_PKEY_param_check() instead of DH_check() if available. Also,
use EVP_PKEY_public_check() instead of EC_KEY_check_key().
EVP_PKEY_*check() is part of the EVP API and is meant to replace those
low-level functions. They were added by OpenSSL 1.1.1. It is currently
not provided by LibreSSL.
https://github.com/ruby/openssl/commit/797e9f8e08
|
|
The previous series of commits re-implemented key generation with the
low level API with the EVP API. The BN_GENCB-based callback function is
no longer used.
https://github.com/ruby/openssl/commit/81027b7463
|
|
Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety
without requiring applications to set locking callbacks and made
related functions no-op.
https://github.com/ruby/openssl/commit/7276233e1a
|
|
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided
to keep 1.0.1 support because many major Linux distributions were still
shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions
are reaching their EOL and it should be safe to assume nobody uses them
anymore. Major ones that were using 1.0.1:
- Ubuntu 14.04 is EOL since 2019-04-30
- RHEL 6 will reach EOL on 2020-11-30
LibreSSL 3.0 and older versions are no longer supported by the LibreSSL
team as of October 2020.
Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also
did on 2018-08-31.
https://github.com/ruby/openssl/commit/c055938f4b
|
|
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by
LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not
supported by any non-EOL versions of OpenSSL.
The wrapper was initially implemented in Ruby 2.3 and has been
deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit
warning with rb_warn().
https://github.com/ruby/openssl/commit/ee037e1460
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
https://github.com/ruby/openssl/commit/0317e2fc02
Notes:
Merged: https://github.com/ruby/ruby/pull/4275
|
|
Import current master (2c43241dc0ed) of ruby/openssl.git.
Below are the commits that were made since the last batch at commit
b99775b163ce (ruby/openssl.git commit f49e7110ca1e). Note that some of
them have been applied already.
----------------------------------------------------------------
Benoit Daloze (1):
Remove redundant and ignored workflow file
DBL-Lee (1):
add support for SHA512_256/SHA512_224
Hiroshi SHIBATA (2):
Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
Fixed inconsistency directory structure with ruby/ruby repo
Jeremy Evans (2):
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
Remove taint support
Kazuki Yamaguchi (26):
config: support .include directive
random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
extconf.rb: get rid of -Werror=deprecated-declarations
test/openssl/test_ssl: skip test_fallback_scsv if necessary
ts: simplify OpenSSL::Timestamp::Request#algorithm
History.md: add missing references to GitHub issues
config: deprecate OpenSSL::Config#add_value and #[]=
test/openssl/test_ssl: remove sleep from test_finished_messages
test/openssl/test_ssl: fix random failure in SSLSocket.open test
test/openssl/test_ssl: avoid explicitly-sized private keys
test/openssl/test_ssl: remove commented-out test case
test/openssl/test_ssl: allow kRSA tests to fail
ssl: avoid declarations after statements
engine: revert OpenSSL::Engine.load changes for cloudhsm
engine: remove really outdated static engines
engine: do not check for ENGINE_load_builtin_engines()
engine: fix guards for 'dynamic' and 'cryptodev' engines
lib/openssl.rb: require openssl/version.rb
x509: add error code and verify flags constants
ssl: set verify error code in the case of verify_hostname failure
.github/workflows: merge CI jobs into a single workflow
.github/workflows: test against different OpenSSL versions
.travis.yml: fully migrate to GitHub Actions
ssl: suppress test failure with SSLContext#add_certificate_chain_file
ssl: remove test case test_puts_meta from test_pair
Revert "Use version.rb in gemspec"
MSP-Greg (2):
.travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
Use version.rb in gemspec
Samuel Williams (1):
Restore compatibility with older versions of Ruby.
Yusuke Endoh (1):
Make OpenSSL::OSSL#test_memcmp_timing robust
|
|
It fails to build on Solaris:
https://rubyci.org/logs/rubyci.s3.amazonaws.com/solaris11-gcc/ruby-master/log/20200216T090008Z.log.html.gz
```
ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内:
ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations]
228 | EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
| ^~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:73,
from /usr/include/openssl/x509v3.h:63,
from ossl.h:23,
from ossl_cipher.c:10:
/usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています
732 | DEPRECATED const EVP_MD *EVP_md5(void);
| ^~~~~~~
```
|
|
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
Notes:
Merged-By: hsbt <hsbt@ruby-lang.org>
|
|
This reverts commit 0d7d8b2989e1738dd902d354cc41186899e6b71e,
but restore `$warnflags` without the flag, to get rid of using
deprecated functions.
|
|
It fails to build on Solaris:
```
ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内:
ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations]
228 | EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
| ^~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:73,
from /usr/include/openssl/x509v3.h:63,
from ossl.h:23,
from ossl_cipher.c:10:
/usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています
732 | DEPRECATED const EVP_MD *EVP_md5(void);
| ^~~~~~~
```
I agree that `-Werror=` is a good habit, but adding it by default is too
aggressive.
|
|
* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in
openssl/opensslv.h. fix up r64101.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: LibreSSL headers emit "overriding WinCrypt
defines" warnings if wincrypt.h has been included (except for
x509.h) on Windows. get rid of including the header by defining
NOCRYPT macro.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64101 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Commits in upstream repository since v2.1.0 can be found at:
https://github.com/ruby/openssl/compare/v2.1.0...v2.1.1
----------------------------------------------------------------
Kazuki Yamaguchi (7):
test/utils: disable Thread's report_on_exception in start_server
cipher: validate iterations argument for Cipher#pkcs5_keyivgen
extconf.rb: fix build with LibreSSL 2.7.0
test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
test/test_ssl_session: set client protocol version explicitly
Ruby/OpenSSL 2.0.8
Ruby/OpenSSL 2.1.1
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63406 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: on Windows search winsock library
always, regardless pkg-config. direct use of winsock is not
region of OpenSSL. [ruby-core:85895] [Bug #14568]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62637 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
