path: root/ext/openssl/extconf.rb
AgeCommit message (Collapse)Author
2021-07-18[ruby/openssl] Deprecate and rework old (fd) centric functionsSamuel Williams
[ky: fixed compatibility with older versions of Ruby] (cherry picked from commit ruby/ruby@45e65f302b663b2c6ab69df06d3b6f219c1797b2)
2021-07-18[ruby/openssl] pkey/dh, pkey/ec: use EVP_PKEY_check() familyKazuki Yamaguchi
Use EVP_PKEY_param_check() instead of DH_check() if available. Also, use EVP_PKEY_public_check() instead of EC_KEY_check_key(). EVP_PKEY_*check() is part of the EVP API and is meant to replace those low-level functions. They were added by OpenSSL 1.1.1. It is currently not provided by LibreSSL.
2021-07-18[ruby/openssl] pkey: remove unused ossl_generate_cb_2() helper functionKazuki Yamaguchi
The previous series of commits re-implemented key generation with the low level API with the EVP API. The BN_GENCB-based callback function is no longer used.
2021-07-18[ruby/openssl] ossl.c: do not set locking callbacks on LibreSSLKazuki Yamaguchi
Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety without requiring applications to set locking callbacks and made related functions no-op.
2021-07-18[ruby/openssl] require OpenSSL >= 1.0.2 and LibreSSL >= 3.1Kazuki Yamaguchi
Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31.
2021-03-16[ruby/openssl] ssl: remove SSL::SSLContext#tmp_ecdh_callbackKazuki Yamaguchi
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not supported by any non-EOL versions of OpenSSL. The wrapper was initially implemented in Ruby 2.3 and has been deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit warning with rb_warn(). Notes: Merged:
2021-03-16[ruby/openssl] hmac: migrate from the low-level HMAC API to the EVP APIKazuki Yamaguchi
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API has been discouraged and is being marked as deprecated starting from OpenSSL 3.0.0. The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest are now in lib/openssl/hmac.rb. Notes: Merged:
2020-03-10openssl: sync with upstream repositoryKazuki Yamaguchi
Import current master (2c43241dc0ed) of ruby/openssl.git. Below are the commits that were made since the last batch at commit b99775b163ce (ruby/openssl.git commit f49e7110ca1e). Note that some of them have been applied already. ---------------------------------------------------------------- Benoit Daloze (1): Remove redundant and ignored workflow file DBL-Lee (1): add support for SHA512_256/SHA512_224 Hiroshi SHIBATA (2): Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms Fixed inconsistency directory structure with ruby/ruby repo Jeremy Evans (2): Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock Remove taint support Kazuki Yamaguchi (26): config: support .include directive random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes extconf.rb: get rid of -Werror=deprecated-declarations test/openssl/test_ssl: skip test_fallback_scsv if necessary ts: simplify OpenSSL::Timestamp::Request#algorithm add missing references to GitHub issues config: deprecate OpenSSL::Config#add_value and #[]= test/openssl/test_ssl: remove sleep from test_finished_messages test/openssl/test_ssl: fix random failure in test test/openssl/test_ssl: avoid explicitly-sized private keys test/openssl/test_ssl: remove commented-out test case test/openssl/test_ssl: allow kRSA tests to fail ssl: avoid declarations after statements engine: revert OpenSSL::Engine.load changes for cloudhsm engine: remove really outdated static engines engine: do not check for ENGINE_load_builtin_engines() engine: fix guards for 'dynamic' and 'cryptodev' engines lib/openssl.rb: require openssl/version.rb x509: add error code and verify flags constants ssl: set verify error code in the case of verify_hostname failure .github/workflows: merge CI jobs into a single workflow .github/workflows: test against different OpenSSL versions .travis.yml: fully migrate to GitHub Actions ssl: suppress test failure with SSLContext#add_certificate_chain_file ssl: remove test case test_puts_meta from test_pair Revert "Use version.rb in gemspec" MSP-Greg (2): .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2 Use version.rb in gemspec Samuel Williams (1): Restore compatibility with older versions of Ruby. Yusuke Endoh (1): Make OpenSSL::OSSL#test_memcmp_timing robust
2020-02-16ext/openssl/extconf.rb: avoid -Werror=deprecated-declarationsYusuke Endoh
It fails to build on Solaris: ``` ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内: ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations] 228 | EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv, | ^~~~~~~~~~~~~~ In file included from /usr/include/openssl/x509.h:73, from /usr/include/openssl/x509v3.h:63, from ossl.h:23, from ossl_cipher.c:10: /usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています 732 | DEPRECATED const EVP_MD *EVP_md5(void); | ^~~~~~~ ```
2020-02-16Import openssl-2.2.0 (#2693)Hiroshi SHIBATA
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0 Notes: Merged-By: hsbt <>
2019-12-05ext/openssl/extconf.rb: check with -Werror=deprecated-declarationsNobuyoshi Nakada
This reverts commit 0d7d8b2989e1738dd902d354cc41186899e6b71e, but restore `$warnflags` without the flag, to get rid of using deprecated functions.
2019-12-05ext/openssl/extconf.rb: do not use -Werror=deprecated-declarationsYusuke Endoh
It fails to build on Solaris: ``` ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内: ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations] 228 | EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv, | ^~~~~~~~~~~~~~ In file included from /usr/include/openssl/x509.h:73, from /usr/include/openssl/x509v3.h:63, from ossl.h:23, from ossl_cipher.c:10: /usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています 732 | DEPRECATED const EVP_MD *EVP_md5(void); | ^~~~~~~ ``` I agree that `-Werror=` is a good habit, but adding it by default is too aggressive.
2018-08-08needs openssl/opensslv.hnobu
* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in openssl/opensslv.h. fix up r64101. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-07-29reduce LibreSSL warningsnobu
* ext/openssl/extconf.rb: LibreSSL headers emit "overriding WinCrypt defines" warnings if wincrypt.h has been included (except for x509.h) on Windows. get rid of including the header by defining NOCRYPT macro. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-05-12openssl: merge changes in v2.1.1rhe
Commits in upstream repository since v2.1.0 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (7): test/utils: disable Thread's report_on_exception in start_server cipher: validate iterations argument for Cipher#pkcs5_keyivgen extconf.rb: fix build with LibreSSL 2.7.0 test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1 test/test_ssl_session: set client protocol version explicitly Ruby/OpenSSL 2.0.8 Ruby/OpenSSL 2.1.1 git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-03-02openssl: search winsocknobu
* ext/openssl/extconf.rb: on Windows search winsock library always, regardless pkg-config. direct use of winsock is not region of OpenSSL. [ruby-core:85895] [Bug #14568] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-03-02search winsock libraries explicitlynobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03openssl: import v2.1.0.beta1rhe
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5 (imported by r59567) can be found at: ---------------------------------------------------------------- Antonio Terceiro (1): test/test_ssl: explicitly accept TLS 1.1 in corresponding test Colby Swandale (1): document using secure protocol to fetch git master in Bundler Colton Jenkins (1): Add fips_mode_get to return fips_mode Kazuki Yamaguchi (85): Start preparing for 2.1.0 Remove support for OpenSSL 0.9.8 and 1.0.0 bn: refine tests bn: implement unary {plus,minus} operators for OpenSSL::BN bn: implement OpenSSL::BN#negative? Don't define main() when built with --enable-debug test: let OpenSSL::TestCase include OpenSSL::TestUtils test: prepare test PKey instances on demand Add OpenSSL.print_mem_leaks Enable OSSL_MDEBUG on CI builds ssl: move default DH parameters from OpenSSL::PKey::DH Make exceptions with the same format regardless of OpenSSL.debug ssl: show reason of 'certificate verify error' in exception message ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 ssl: do not confuse different ex_data index registries ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object Fix RDoc markup ssl: suppress compiler warning ext/openssl/deprecation.rb: remove broken-apple-openssl extconf.rb: print informative message if OpenSSL can't be found Rakefile: compile the extension before test kdf: introduce OpenSSL::KDF module ossl.h: add NUM2UINT64T() macro kdf: add scrypt Expand rb_define_copy_func() macro Expand FPTR_TO_FD() macro Remove SafeGet*() macros cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname() digest: rename GetDigestPtr() to ossl_evp_get_digestbyname() Add ossl_str_new(), an exception-safe rb_str_new() bio: simplify ossl_membio2str() using ossl_str_new() Remove unused functions and macros Drop support for LibreSSL 2.3 ocsp: add OpenSSL::OCSP::Request#signed? asn1: infinite length -> indefinite length asn1: rearrange tests ssl: remove a needless NULL check in SSL::SSLContext#ciphers ssl: return nil in SSL::SSLSocket#cipher if session is not started asn1: remove an unnecessary function prototype asn1: require tag information when instantiating generic type asn1: initialize 'unused_bits' attribute of BitString with 0 asn1: check for illegal 'unused_bits' value of BitString asn1: disallow NULL to be passed to asn1time_to_time() asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid asn1: allow constructed encoding with definite length form asn1: prohibit indefinite length form for primitive encoding asn1: allow tag number to be >= 32 for universal tag class asn1: use ossl_asn1_tag() asn1: clean up OpenSSL::ASN1::Constructive#to_der asn1: harmonize OpenSSL::ASN1::*#to_der asn1: prevent EOC octets from being in the middle of the content asn1: do not treat EOC octets as part of content octets x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry ssl: do not call session_remove_cb during GC Backport "Merge branch 'topic/test-memory-leak'" to maint cipher: update the documentation for Cipher#auth_tag= Rakefile: let sync:to_ruby know about test/openssl/fixtures test: fix formatting test/utils: remove OpenSSL::TestUtils.silent test/utils: add SSLTestCase#tls12_supported? test/utils: have start_server yield only the port number test/utils: do not set ecdh_curves in start_server test/utils: let server_loop close socket test/utils: improve error handling in start_server test/utils: add OpenSSL::TestUtils.openssl? and .libressl? test/utils: do not use DSA certificates in SSL tests test/test_ssl: remove test_invalid_shutdown_by_gc test/test_ssl: move test_multibyte_read_write to test_pair test/test_ssl_session: rearrange tests test/test_pair, test/test_ssl: fix for TLS 1.3 ssl: remove useless call to rb_thread_wait_fd() ssl: fix NPN support ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private ssl: use 2048-bit group in the default tmp_dh_cb ssl: ensure that SSL option flags are non-negative ssl: update OpenSSL::SSL::OP_* flags ssl: prefer TLS_method() over SSLv23_method() ssl: add SSLContext#min_version= and #max_version= ssl: rework SSLContext#ssl_version= test/test_x509name: change script encoding to ASCII-8BIT x509name: refactor OpenSSL::X509::Name#to_s x509name: add OpenSSL::X509::Name#to_utf8 x509name: add OpenSSL::X509::Name#inspect x509name: update regexp in OpenSSL::X509::Name.parse Ruby/OpenSSL 2.1.0.beta1 Marcus Stollsteimer (1): Fix rdoc for core Integer class nobu (4): [DOC] {read,write}_nonblock with exception: false [DOC] keyword argument _exception_ [DOC] mark up literals Revert r57690 except for read_nonblock git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-08-10openssl: import v2.0.5rhe
Import Ruby/OpenSSL 2.0.5. The full commit history since v2.0.4 (imported at r59081) can be found at: This will fix the test failure on latest Debian sid and the "no OPENSSL_Applink" issue on mswin. ---------------------------------------------------------------- Kazuki Yamaguchi (11): test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params bio: prevent possible GC issue in ossl_obj2bio() bio: do not use the FILE BIO method in ossl_obj2bio() Rakefile: install_dependencies: install only when needed appveyor.yml: test against Ruby 2.4 ossl_pem_passwd_cb: relax passphrase length constraint ossl_pem_passwd_cb: do not check for taintedness ossl_pem_passwd_cb: handle nil from the block explicitly ssl: remove unsupported TLS versions from SSLContext::METHODS ssl: fix compile error with OpenSSL 1.0.0 Ruby/OpenSSL 2.0.5 Lars Kanis (1): Add msys2 library dependency tag in gem metadata git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-06-14openssl: import v2.0.4rhe
Import Ruby/OpenSSL 2.0.4. Only bug (and typo) fixes. The full commit history since v2.0.3 (imported at r57482) can be found at: This contains the fix for [Bug #11033]. ---------------------------------------------------------------- Jun Aruga (1): Update .travis.yml and Dockerfile Kazuki Yamaguchi (9): test/test_pkey_ec: do not use dummy 0 order test/test_ssl: fix typo in test_sysread_and_syswrite ssl: check return value of SSL_set_fd() Fix typos test/test_x509store: skip OpenSSL::TestX509Store#test_set_errors tool/sync-with-trunk: 'LASY' -> 'LAST' x509store: clear error queue after calling X509_LOOKUP_load_file() extconf.rb: simplify searching libraries logic Ruby/OpenSSL 2.0.4 SHIBATA Hiroshi (1): Fix typos Vladimir Rybas (1): Fix documentation for OpenSSL::Cipher#final nobu (2): openssl: fix broken openssl check openssl: fix broken openssl check usa (1): Search SSL libraries by testing various filename patterns git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-05-16Search SSL libraries by testing various filename patternsusa
* ext/openssl/extconf.rb (find_openssl_library): should search by more flexible method, especially for LibreSSL on Windows. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-02-10openssl: fix broken openssl checknobu
* ext/openssl/extconf.rb: check for broken OpenSSL only on mac OS. [ruby-core:79475] [Bug #13200] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-01-31openssl: import v2.0.3rhe
Import Ruby/OpenSSL 2.0.3. Only bugfixes. The full commit log since 2.0.2 (imported at r57146) can be found at: ---------------------------------------------------------------- Corey Bonnell (1): Fix for ASN1::Constructive 'each' implementation Kazuki Yamaguchi (10): Fix build with static OpenSSL libraries on Windows ([ruby-core:78878] [Bug #13080]) Merge pull request #96 from CBonnell/master Merge branch 'topic/windows-static-linking-without-pkg-config' into maint appveyor.yml: update OpenSSL version to 1.0.2j buffering: fix typo in doc test/envutil: fix assert_raise_with_message x509: fix OpenSSL::X509::Name#eql? ([ruby-core:79310] [Bug #13170]) ruby-openssl-docker: update versions of Ruby and OpenSSL .travis.yml: test with Ruby 2.4 Ruby/OpenSSL 2.0.3 git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-22openssl: import v2.0.2rhe
Import Ruby/OpenSSL 2.0.2. This release contains only bugfixes. The full commit log since 2.0.1 (imported at r57041) can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (5): ssl: check for SSL_CTX_clear_options() Rename functions in openssl_missing.c ssl: use SSL_SESSION_get_protocol_version() pkey: allow instantiating OpenSSL::PKey::PKey with unsupported key type Ruby/OpenSSL 2.0.2 git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-01openssl: import fixes from upstreamrhe
Import the following two commits from upstream: commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611 Author: Kazuki Yamaguchi <> Date: Thu Dec 1 22:27:03 2016 +0900 pkey: check existence of EVP_PKEY_get0() EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define ourselves if needed. commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5 Author: Kazuki Yamaguchi <> Date: Thu Dec 1 22:13:22 2016 +0900 test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d Set the authentication tag before the AAD when decrypting. Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in OpenSSL 1.0.1d), the authentication tag must be set before any calls of EVP_CipherUpdate(). They should fix build on CentOS 5 and Ubuntu 12.04 respectively. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30openssl: import v2.0.0rhe
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-08openssl: import v2.0.0.beta.2rhe
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit history since v2.0.0.beta.1 can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29import Ruby/OpenSSL 2.0.0.beta.1rhe
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: [Feature #9612] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09openssl: fix build with OpenSSL 1.1.0 and no pkg-configrhe
* ext/openssl/extconf.rb: Check for CRYPTO_malloc() and SSL_new(). OpenSSL_add_all_digests() and SSL_library_init() are deprecated and converted to macros in OpenSSL 1.1.0. [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: add SSL::SSLContext#security_level{=,}rhe
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level(). OpenSSL 1.1.0 introduced "security level". [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add SSLContext#security_level and #security_level=. * test/openssl/test_ssl.rb (test_security_level): Add test. ...but this doesn't actually test it. Because #security_level= is necessary in order to run other tests on OpenSSL 1.1.0, go without tests for now. Will fix after converting SSLContext#key= and #cert= to normal methods. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: avoid deprecated version-specific ssl methods if necessaryrhe
* ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version() macro added in OpenSSL 1.1.0. Version-specific methods, such as TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use version-flexible methods (TLS_*method() or SSLv23_*method()) and disable other protocol versions as necessary. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to fix the protocol version. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: use SSL_is_server()rhe
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This function was introduced in OpenSSL 1.0.2. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing. * ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if the SSL is server. The state machine in OpenSSL was rewritten and SSL_get_state() no longer returns SSL_ST_ACCEPT. (ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some `const`s to suppress warning. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and {RSA,DSA,EC_KEY,DH}_get0_*() functions. OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide setter methods for each parameter of each PKey type, for example PKey::RSA#e=, but this is no longer possible because the new API RSA_set0_key() requires the 'n' at the same time. This commit adds deprecation warning to them and adds PKey::*#set_* methods as direct wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}. Emit a warning with rb_warning() when old setter methods are used. * test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb, test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH object that are used in tmp_dh_callback. Generating a new key pair every time should be fine - actually the private exponent is ignored in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: support OpenSSL 1.1.0's new multi-threading APIrhe
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application had to set locking callbacks to use OpenSSL in a multi-threaded environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we don't need to do something special. [ruby-core:75225] [Feature #12324] Also check existence of *_up_ref(). Some structures in OpenSSL have a reference counter. We used to increment it with CRYPTO_add() which is a part of the old API. * ext/openssl/openssl_missing.h: Implement *_up_ref() if missing. * ext/openssl/ossl.c: Don't set locking callbacks if unneeded. * ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c, ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: check existence of RAND_pseudo_bytes()rhe
* ext/openssl/extconf.rb: Check if RAND_pseudo_bytes() is usable. It is marked as deprecated in OpenSSL 1.1.0. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_rand.c: Disable Random.pseudo_bytes if RAND_pseudo_bytes() is unavailable. * test/openssl/test_random.rb: Don't test Random.pseudo_bytes if not defined. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-01openssl: fix the Year 2038 problemrhe
r55219 didn't fix the entire issue. It only fixed the issue on environment with sizeof(time_t) == 8 && sizeof(long) == 4. * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4 environment. This function was added in OpenSSL 1.0.0. [ruby-core:45552] [Bug #6571] * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument (Time) into the number of days elapsed since the epoch and the remainder seconds to conform to ASN1_TIME_adj(). (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and ASN1_*TIME_adj(). * ext/openssl/ossl_asn1.h: Add the function prototype for ossl_time_split(). * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj(). * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30openssl: add SSLContext#ecdh_curves=rhe
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With this a TLS server automatically selects a curve which both the client and the server support to use in ECDH. This changes the default behavior but users can still disable ECDH by excluding 'ECDH' cipher suites from the cipher list (with SSLContext#ciphers=). This commit also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL 1.1.0. Its callback receives two values 'is_export' and 'keylength' but both are completely useless for determining a curve to use in ECDH. The automatic curve selection was introduced to replace this. (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a warning if this is in use. (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap SSL_CTX_set1_curves_list(). If it is not available, this falls back to SSL_CTX_set_tmp_ecdh(). (Init_ossl_ssl): Define SSLContext#ecdh_curves=. * ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(), SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_CTX_set_tmp_ecdh_callback(). * ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if missing. * test/openssl/test_pair.rb (test_ecdh_callback): Use EnvUtil.suppress_warning to suppress deprecated warning. (test_ecdh_curves): Test that SSLContext#ecdh_curves= works. * test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: drop OpenSSL 0.9.6/0.9.7 supportrhe
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: remove check of OPENSSL_FIPS macro in extconf.rbrhe
* ext/openssl/extconf.rb: Remove check of OPENSSL_FIPS macro. This is unneeded because we can check the macro directly in source code, just as we already do for OPENSSL_NO_* macros. * ext/openssl/ossl.c: Replace occurrences of HAVE_OPENSSL_FIPS with OPENSSL_FIPS. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-09openssl/extconf.rb: NO SSL macros firstnobu
* ext/openssl/extconf.rb: check OPENSSL_NO_SSL{2,3} macros before checking related functions. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-08* ext/openssl/extconf.rb: asume it doesn't have SSLv2 relatednaruse
functions when OPENSSL_NO_SSL2 is defined. Usually openssl's header and the library (libssl) have the same set of functions, but on some environment the library has functions whose headers doesn't declare. (openssl/opensslconf.h and aren't be synchronized) To detect such case explicitly check feature macro and remove related functions. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-04-04openssl: Access to ephemeral TLS session keynobu
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral TLS session key in case of forward secrecy cipher. Only available since OpenSSL 1.0.2. [Fix GH-1318] * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-03-25openssl: fix build when NPN is disabled by OpenSSLnobu
* ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb function rather than OPENSSL_NPN_NEGOTIATED macro. it exists even if it is disabled by OpenSSL configuration. [ruby-core:74384] [Bug #12182] * ext/openssl/ossl_ssl.c: update #ifdef(s) as above. * test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-12-16handle ext/ as r53141naruse
g -L frozen_string_literal ext/**/*.rb|xargs ruby -Ka -e'ARGV.each{|fn|puts fn;open(fn,"r+"){|f|\A(#!.*\n)?(#.*coding.*\n)?/,"\\&# frozen_string_literal: false\n");f.rewind;f.write s}}' git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-09-22* ext/openssl/*: Remove svn commit id macros to make sync easierzzak
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-08-29* ext/openssl/ossl_ssl.c (static const struct): Only add SSLv3 supporttenderlove
if the SSL library supports it. Thanks Kurt Roeckx <> [Bug #11376] * ext/openssl/extconf.rb: check for SSLv3 support in the SSL implementation. * test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3 if there is no support. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-22* ext/openssl/ossl_ssl.c: add ALPN support. [Feature #9390]tenderlove
* ext/openssl/extconf.rb: detect ALPN support in OpenSSL * test/openssl/test_ssl.rb: test for ALPN git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-04-20* ext/openssl/*: use license instead of licence.hsbt
[fix GH-876][ci skip] Patch by @davydovanton * lib/net/https.rb: ditto. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-02-12openssl: check RAND_edg to support libresslnobu
* ext/openssl/extconf.rb: check RAND_edg to support libressl. * ext/openssl/ossl_rand.c (ossl_rand_egd): define only if RAND_edg is available. [Fix GH-829] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e