| Age | Commit message (Collapse) | Author |
|---|
|
OpenSSL plans to make asn1_string_st opaque, the struct underlying most
ASN.1 types such as ASN1_*STRING, ASN1_ENUMERATED, ASN1_INTEGER, etc.
Most of ruby/openssl's C code can be straigtforwardly converted to use
accessors available since OpenSS
https://github.com/ruby/openssl/commit/374262435a
|
|
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.
While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.
This patch contains white-space changes only. git diff -w output should
be empty.
[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891
https://github.com/ruby/openssl/commit/4d6214f507
|
|
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.
https://redirect.github.com/ruby/rdoc/pull/1217
https://github.com/ruby/openssl/commit/6491ce63be
|
|
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:
- Returns the short name associated with the OID/NID, or the dotted
decimal notation if it is unknown to OpenSSL.
- Returns the long name, or the dotted decimal notation.
These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.
Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.
https://github.com/ruby/openssl/commit/2ea36c21a4
|
|
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.
For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:
- EVP_MD_fetch() does not support all algorithm name aliases recognized
by EVP_get_digestbyname().
- Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
sometimes reference counted and the user has to explicitly release
it with EVP_MD_free().
So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.
https://github.com/ruby/openssl/commit/9fc2179403
|
|
Likewise, let it take a const pointer and not the ownership of the
OpenSSL object.
This fixes potential memory leak in OpenSSL::OCSP::BasicResponse#status.
https://github.com/ruby/openssl/commit/7e0288ebbd
|
|
Similar to most of the other ossl_*_new() functions, let it take a const
pointer and make a copy of the object.
This also fixes a potential memory leak when the wrapper object
allocation fails.
https://github.com/ruby/openssl/commit/eaabf6d8a3
|
|
https://github.com/ruby/openssl/commit/17f87d2cf0
|
|
https://github.com/ruby/openssl/commit/85d6b7f192
|
|
Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING
https://github.com/ruby/openssl/commit/5bccf07d04
|
|
`port` should be called on the `ocsp_uri` URI instead of `ocsp`, which
is just a string.
https://github.com/ruby/openssl/commit/89a1c82dd0
|
|
The vast majority have no reference so it's just a matter of setting the flags.
For the couple exception, they have very little references so it's
easy.
https://github.com/ruby/openssl/commit/2c7c6de69e
|
|
Openssl::OCSP::BasicResponse#sign is nil.
https://github.com/ruby/openssl/commit/27efcd7e1c
|
|
Openssl::OCSP::Request#sign is nil.
https://github.com/ruby/openssl/commit/a1f6cbc261
|
|
https://github.com/ruby/openssl/commit/708ebf2f7a
|
|
https://github.com/ruby/openssl/commit/51b3030b2b
|
|
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided
to keep 1.0.1 support because many major Linux distributions were still
shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions
are reaching their EOL and it should be safe to assume nobody uses them
anymore. Major ones that were using 1.0.1:
- Ubuntu 14.04 is EOL since 2019-04-30
- RHEL 6 will reach EOL on 2020-11-30
LibreSSL 3.0 and older versions are no longer supported by the LibreSSL
team as of October 2020.
Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also
did on 2018-08-31.
https://github.com/ruby/openssl/commit/c055938f4b
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/4413
|
|
https://github.com/ruby/openssl/commit/b28fb2f05c
|
|
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
Notes:
Merged-By: hsbt <hsbt@ruby-lang.org>
|
|
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5
(imported by r59567) can be found at:
https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1
----------------------------------------------------------------
Antonio Terceiro (1):
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
Colby Swandale (1):
document using secure protocol to fetch git master in Bundler
Colton Jenkins (1):
Add fips_mode_get to return fips_mode
Kazuki Yamaguchi (85):
Start preparing for 2.1.0
Remove support for OpenSSL 0.9.8 and 1.0.0
bn: refine tests
bn: implement unary {plus,minus} operators for OpenSSL::BN
bn: implement OpenSSL::BN#negative?
Don't define main() when built with --enable-debug
test: let OpenSSL::TestCase include OpenSSL::TestUtils
test: prepare test PKey instances on demand
Add OpenSSL.print_mem_leaks
Enable OSSL_MDEBUG on CI builds
ssl: move default DH parameters from OpenSSL::PKey::DH
Make exceptions with the same format regardless of OpenSSL.debug
ssl: show reason of 'certificate verify error' in exception message
ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
ssl: do not confuse different ex_data index registries
ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
Fix RDoc markup
ssl: suppress compiler warning
ext/openssl/deprecation.rb: remove broken-apple-openssl
extconf.rb: print informative message if OpenSSL can't be found
Rakefile: compile the extension before test
kdf: introduce OpenSSL::KDF module
ossl.h: add NUM2UINT64T() macro
kdf: add scrypt
Expand rb_define_copy_func() macro
Expand FPTR_TO_FD() macro
Remove SafeGet*() macros
cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()
digest: rename GetDigestPtr() to ossl_evp_get_digestbyname()
Add ossl_str_new(), an exception-safe rb_str_new()
bio: simplify ossl_membio2str() using ossl_str_new()
Remove unused functions and macros
Drop support for LibreSSL 2.3
ocsp: add OpenSSL::OCSP::Request#signed?
asn1: infinite length -> indefinite length
asn1: rearrange tests
ssl: remove a needless NULL check in SSL::SSLContext#ciphers
ssl: return nil in SSL::SSLSocket#cipher if session is not started
asn1: remove an unnecessary function prototype
asn1: require tag information when instantiating generic type
asn1: initialize 'unused_bits' attribute of BitString with 0
asn1: check for illegal 'unused_bits' value of BitString
asn1: disallow NULL to be passed to asn1time_to_time()
asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid
asn1: allow constructed encoding with definite length form
asn1: prohibit indefinite length form for primitive encoding
asn1: allow tag number to be >= 32 for universal tag class
asn1: use ossl_asn1_tag()
asn1: clean up OpenSSL::ASN1::Constructive#to_der
asn1: harmonize OpenSSL::ASN1::*#to_der
asn1: prevent EOC octets from being in the middle of the content
asn1: do not treat EOC octets as part of content octets
x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
ssl: do not call session_remove_cb during GC
Backport "Merge branch 'topic/test-memory-leak'" to maint
cipher: update the documentation for Cipher#auth_tag=
Rakefile: let sync:to_ruby know about test/openssl/fixtures
test: fix formatting
test/utils: remove OpenSSL::TestUtils.silent
test/utils: add SSLTestCase#tls12_supported?
test/utils: have start_server yield only the port number
test/utils: do not set ecdh_curves in start_server
test/utils: let server_loop close socket
test/utils: improve error handling in start_server
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: do not use DSA certificates in SSL tests
test/test_ssl: remove test_invalid_shutdown_by_gc
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl_session: rearrange tests
test/test_pair, test/test_ssl: fix for TLS 1.3
ssl: remove useless call to rb_thread_wait_fd()
ssl: fix NPN support
ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private
ssl: use 2048-bit group in the default tmp_dh_cb
ssl: ensure that SSL option flags are non-negative
ssl: update OpenSSL::SSL::OP_* flags
ssl: prefer TLS_method() over SSLv23_method()
ssl: add SSLContext#min_version= and #max_version=
ssl: rework SSLContext#ssl_version=
test/test_x509name: change script encoding to ASCII-8BIT
x509name: refactor OpenSSL::X509::Name#to_s
x509name: add OpenSSL::X509::Name#to_utf8
x509name: add OpenSSL::X509::Name#inspect
x509name: update regexp in OpenSSL::X509::Name.parse
Ruby/OpenSSL 2.1.0.beta1
Marcus Stollsteimer (1):
Fix rdoc for core Integer class
nobu (4):
[DOC] {read,write}_nonblock with exception: false
[DOC] keyword argument _exception_
[DOC] mark up literals
Revert r57690 except for read_nonblock
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59734 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: The "reuse" behavior of d2i_ functions does
not work well with OpenSSL 1.0.0t. So avoid it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55538 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: Add OCSP::SingleResponse that represents an
OCSP SingleResponse structure. Also add two new methods #responses
and #find_response to OCSP::BasicResponse. A BasicResponse has one or
more SingleResponse. We have OCSP::BasicResponse#status that returns
them as an array of arrays, each containing the content of a
SingleResponse, but this is not useful. When validating an OCSP
response, we need to look into the each SingleResponse and check their
validity but it is not simple. For example, when validating for a
certificate 'cert', the code would be like:
# certid_target is an OpenSSL::OCSP::CertificateId for cert
basic = res.basic
result = basic.status.any? do |ary|
ary[0].cmp(certid_target) &&
ary[4] <= Time.now && (!ary[5] || Time.now <= ary[5])
end
Adding OCSP::SingleResponse at the same time allows exposing
OCSP_check_validity(). With this, the code above can be rewritten as:
basic = res.basic
single = basic.find_response(certid_target)
result = single.check_validity
* test/openssl/test_ocsp.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55457 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_add_status): Allow specifying
the times (thisUpdate, nextUpdate and revocationTime) with Time
objects. Currently they accepts only relative seconds from the current
time. This is inconvenience, especially for revocationTime. When
Integer is passed, they are still treated as relative times. Since the
type check is currently done with rb_Integer(), this is a slightly
incompatible change. Hope no one passes a relative time as String or
Time object...
Also, allow passing nil as nextUpdate. It is optional.
* ext/openssl/ruby_missing.h: Define RB_INTEGER_TYPE_P() if not defined.
openssl gem will be released before Ruby 2.4.0.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55456 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: Implement OCSP::{CertificateId,Request,
BasicResponse,Response}#initialize_copy.
[ruby-core:75504] [Bug #12381]
* test/openssl/test_ocsp.rb: Test them.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55455 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify):
Use ossl_clear_error() so that they don't print warnings to stderr and
leak errors in the OpenSSL error queue. Also, check the return value
of OCSP_*_verify() correctly. They can return -1 on verification
failure.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
specifying hash algorithm used in signing. They are hard coded to use
SHA-1.
Based on a patch provided by Tim Shirley <tidoublemy@gmail.com>.
[ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]
* test/openssl/test_ocsp.rb: Test sign-verify works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspcid_get_issuer_name_hash,
ossl_ocspcid_get_issuer_key_hash, ossl_ocspcid_get_hash_algorithm):
Add accessor methods OCSP::CertificateId#issuer_name_hash,
#issuer_key_hash, #hash_algorithm.
Based on a patch provided by Paul Kehrer <paul.l.kehrer@gmail.com>.
[ruby-core:48062] [Feature #7181]
* test/openssl/test_ocsp.rb: Test these new methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55411 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der):
Implement #to_der methods for OCSP::BasicResponse and
OCSP::CertificateId.
(ossl_ocspreq_initialize, ossl_ocspres_initialize): Use GetOCSP*()
instead of raw DATA_PTR().
(ossl_ocspbres_initialize, ossl_ocspcid_initialize): Allow
initializing from DER string.
(Init_ossl_ocsp): Define new #to_der methods.
* test/openssl/test_ocsp.rb: Test these changes. Also add missing tests
for OCSP::{Response,Request}#to_der.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check existence of accessor functions that
don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
structures opaque and requires use of these accessor functions.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.[ch]: Implement them if missing.
* ext/openssl/ossl*.c: Use these accessor functions.
* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/**/*.c: prefer RARRAY_AREF to indexing RARRAY_CONST_PTR.
pointed out by hanmac.
https://github.com/ruby/ruby/commit/3553a86#commitcomment-14187670
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/bigdecimal/bigdecimal.c: use RARRAY_CONST_PTR just fore
reference instead of RARRAY_PTR, to keep the array WB-protected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52448 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext: use long for index instead of int and RARRAY_LENINT.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52447 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51918 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[fix GH-932] Patch by @chrisholmes
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50861 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl: make wrapper objects before allocating structs to
get rid of potential memory leaks.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50673 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[fix GH-876][ci skip] Patch by @davydovanton
* lib/net/https.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocsp_certid_type): use typed data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48798 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocsp_basicresp_type): use typed
data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocsp_response_type): use typed
data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocsp_request_type): use typed
data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47744 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45574 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45573 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45572 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40316 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.h: ditto.
* ext/openssl/ossl_asn1.c: ditto.
* ext/openssl/ossl_bio.c: ditto.
* ext/openssl/ossl_bn.c: ditto.
* ext/openssl/ossl_cipher.c: ditto.
* ext/openssl/ossl_hmac.c: ditto.
* ext/openssl/ossl_ns_spki.c: ditto.
* ext/openssl/ossl_ocsp.c: ditto.
* ext/openssl/ossl_pkcs5.c: ditto.
* ext/openssl/ossl_pkey.c: ditto.
* ext/openssl/ossl_pkey_dh.c: ditto.
* ext/openssl/ossl_pkey_dsa.c: ditto.
* ext/openssl/ossl_pkey_ec.c: ditto.
* ext/openssl/ossl_pkey_rsa.c: ditto.
* ext/openssl/ossl_rand.c: ditto.
* ext/openssl/ossl_ssl.c: ditto.
* ext/openssl/ossl_x509ext.c: ditto.
* ext/openssl/ossl_x509name.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31166 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
so it should use NUM2INT.
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_verify): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
