path: root/ext/openssl
AgeCommit message (Collapse)Author
2016-06-19openssl: implement initialize_copy for OpenSSL::OCSP::*rhe
* ext/openssl/ossl_ocsp.c: Implement OCSP::{CertificateId,Request, BasicResponse,Response}#initialize_copy. [ruby-core:75504] [Bug #12381] * test/openssl/test_ocsp.rb: Test them. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-19openssl: implement initialize_copy method for PKey classesrhe
* ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_ec.c, ext/openssl/ossl_pkey_rsa.c: Implement initialize_copy method for OpenSSL::PKey::*. [ruby-core:75504] [Bug #12381] * test/openssl/test_pkey_dh.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_ec.rb, test/openssl/test_pkey_rsa.rb: Test they actually copy the OpenSSL objects, and modifications to cloned object don't affect the original object. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-19openssl: add 'const's required in OpenSSL masterrhe
* ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **.;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327 [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-15openssl: refactor OpenSSL::OCSP::*#verifyrhe
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): Use ossl_clear_error() so that they don't print warnings to stderr and leak errors in the OpenSSL error queue. Also, check the return value of OCSP_*_verify() correctly. They can return -1 on verification failure. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-15openssl: allow specifying hash algorithm in OCSP::*#signrhe
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow specifying hash algorithm used in signing. They are hard coded to use SHA-1. Based on a patch provided by Tim Shirley <>. [ruby-core:70915] [Feature #11552] [GH ruby/openssl#28] * test/openssl/test_ocsp.rb: Test sign-verify works. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-14openssl: add some accessor methods for OCSP::CertificateIdrhe
* ext/openssl/ossl_ocsp.c (ossl_ocspcid_get_issuer_name_hash, ossl_ocspcid_get_issuer_key_hash, ossl_ocspcid_get_hash_algorithm): Add accessor methods OCSP::CertificateId#issuer_name_hash, #issuer_key_hash, #hash_algorithm. Based on a patch provided by Paul Kehrer <>. [ruby-core:48062] [Feature #7181] * test/openssl/test_ocsp.rb: Test these new methods. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-14openssl: add missing #to_der to OCSP::{CertificateId,BasicResponse}rhe
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der): Implement #to_der methods for OCSP::BasicResponse and OCSP::CertificateId. (ossl_ocspreq_initialize, ossl_ocspres_initialize): Use GetOCSP*() instead of raw DATA_PTR(). (ossl_ocspbres_initialize, ossl_ocspcid_initialize): Allow initializing from DER string. (Init_ossl_ocsp): Define new #to_der methods. * test/openssl/test_ocsp.rb: Test these changes. Also add missing tests for OCSP::{Response,Request}#to_der. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-14openssl: fix acesssor functions for RSA and DH in openssl_missing.hrhe
* ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key): DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key(). Fixes r55285. [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-12openssl: support non AES-GCM AEAD ciphers in OpenSSL::Cipherrhe
* ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag, ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if the cipher supports AEAD. AES-GCM was the only supported in OpenSSL 1.0.1. (Init_ossl_cipher): Fix doc;, :GCM) can't work. * ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if missing. They are added in OpenSSL 1.1.0, and have the same value as EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09openssl: use ASN1_ENUMERATED_to_BN() if neededrhe
* ext/openssl/ossl_asn1.c (asn1integer_to_num): Use ASN1_ENUMERATED_to_BN() to convert an ASN1_ENUMERATED to a BN. Starting from OpenSSL 1.1.0, ASN1_INTEGER_to_BN() rejects non-ASN1_INTEGER objects. The format of INTEGER and ENUMERATED are almost identical so they behaved in the same way in OpenSSL <= 1.0.2. [ruby-core:75225] [Feature #12324] * test/openssl/test_asn1.rb (test_decode_enumerated): Test that it works. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09openssl: fix build with OPENSSL_NO_ECrhe
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC. SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in OpenSSL's configuration. This fixes r55214. * test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does not support ECDH. * test/openssl/utils.rb (start_server): Ignore error in SSLContext#ecdh_curves=. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09openssl: fix build with OpenSSL 1.1.0 and no pkg-configrhe
* ext/openssl/extconf.rb: Check for CRYPTO_malloc() and SSL_new(). OpenSSL_add_all_digests() and SSL_library_init() are deprecated and converted to macros in OpenSSL 1.1.0. [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: adjust tests for OpenSSL 1.1.0rhe
This fixes `make test-all TESTS=openssl` with OpenSSL master. * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported.;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324] * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75 * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing. * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites. * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates. * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed.;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743 * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup. * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed. * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: add SSL::SSLContext#security_level{=,}rhe
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level(). OpenSSL 1.1.0 introduced "security level". [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add SSLContext#security_level and #security_level=. * test/openssl/test_ssl.rb (test_security_level): Add test. ...but this doesn't actually test it. Because #security_level= is necessary in order to run other tests on OpenSSL 1.1.0, go without tests for now. Will fix after converting SSLContext#key= and #cert= to normal methods. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: avoid deprecated version-specific ssl methods if necessaryrhe
* ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version() macro added in OpenSSL 1.1.0. Version-specific methods, such as TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use version-flexible methods (TLS_*method() or SSLv23_*method()) and disable other protocol versions as necessary. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to fix the protocol version. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-06openssl: fix free function of OpenSSL::Cipherrhe
* ext/openssl/ossl_cipher.c (ossl_cipher_free): Use EVP_CIPHER_CTX_free() to free EVP_CIPHER_CTX allocated by EVP_CIPHER_CTX_new(). [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-06openssl: fix compile on VCrhe
* ext/openssl/openssl_missing.h: Include ruby/config.h. r55285 added some inline functions but VC does not recognize 'inline' keyword. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: use SSL_is_server()rhe
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This function was introduced in OpenSSL 1.0.2. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing. * ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if the SSL is server. The state machine in OpenSSL was rewritten and SSL_get_state() no longer returns SSL_ST_ACCEPT. (ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some `const`s to suppress warning. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: avoid d2i_ASN1_BOOLEAN()rhe
* ext/openssl/ossl_asn1.c (decode_bool): Do the same thing as d2i_ASN1_BOOLEAN() does by ourselves. This function is removed in OpenSSL 1.1.0. [ruby-core:75225] [Feature #12324] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and {RSA,DSA,EC_KEY,DH}_get0_*() functions. OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide setter methods for each parameter of each PKey type, for example PKey::RSA#e=, but this is no longer possible because the new API RSA_set0_key() requires the 'n' at the same time. This commit adds deprecation warning to them and adds PKey::*#set_* methods as direct wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}. Emit a warning with rb_warning() when old setter methods are used. * test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb, test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH object that are used in tmp_dh_callback. Generating a new key pair every time should be fine - actually the private exponent is ignored in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: support OpenSSL 1.1.0's new multi-threading APIrhe
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application had to set locking callbacks to use OpenSSL in a multi-threaded environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we don't need to do something special. [ruby-core:75225] [Feature #12324] Also check existence of *_up_ref(). Some structures in OpenSSL have a reference counter. We used to increment it with CRYPTO_add() which is a part of the old API. * ext/openssl/openssl_missing.h: Implement *_up_ref() if missing. * ext/openssl/ossl.c: Don't set locking callbacks if unneeded. * ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c, ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: check existence of RAND_pseudo_bytes()rhe
* ext/openssl/extconf.rb: Check if RAND_pseudo_bytes() is usable. It is marked as deprecated in OpenSSL 1.1.0. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_rand.c: Disable Random.pseudo_bytes if RAND_pseudo_bytes() is unavailable. * test/openssl/test_random.rb: Don't test Random.pseudo_bytes if not defined. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-04openssl: avoid deprecated BN_*prime* functionsrhe
* ext/openssl/ossl_bn.c (ossl_bn_s_generate_prime, ossl_bn_is_prime, ossl_bn_is_prime_fasttest): Avoid deprecated BN_generate_prime(), BN_is_prime{,_fasttest}(). They are deprecated because they expect an old style callback function (we don't use it here). They can be simply replaced by _ex suffixed functions. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-01ossl_asn1.c: check overflownobu
* ext/openssl/ossl_asn1.c (ossl_time_split): check overflow and reorder for optimization. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-01openssl: fix the Year 2038 problemrhe
r55219 didn't fix the entire issue. It only fixed the issue on environment with sizeof(time_t) == 8 && sizeof(long) == 4. * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4 environment. This function was added in OpenSSL 1.0.0. [ruby-core:45552] [Bug #6571] * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument (Time) into the number of days elapsed since the epoch and the remainder seconds to conform to ASN1_TIME_adj(). (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and ASN1_*TIME_adj(). * ext/openssl/ossl_asn1.h: Add the function prototype for ossl_time_split(). * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj(). * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30openssl: use NUM2TIMET() to convert Integer to time_trhe
* ext/openssl/ossl_asn1.c (time_to_time_t): Use NUM2TIMET() instead of NUM2LONG(). time_t may be larger than long. [ruby-core:45552] [Bug #6571] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30openssl: add SSLContext#ecdh_curves=rhe
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With this a TLS server automatically selects a curve which both the client and the server support to use in ECDH. This changes the default behavior but users can still disable ECDH by excluding 'ECDH' cipher suites from the cipher list (with SSLContext#ciphers=). This commit also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL 1.1.0. Its callback receives two values 'is_export' and 'keylength' but both are completely useless for determining a curve to use in ECDH. The automatic curve selection was introduced to replace this. (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a warning if this is in use. (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap SSL_CTX_set1_curves_list(). If it is not available, this falls back to SSL_CTX_set_tmp_ecdh(). (Init_ossl_ssl): Define SSLContext#ecdh_curves=. * ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(), SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_CTX_set_tmp_ecdh_callback(). * ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if missing. * test/openssl/test_pair.rb (test_ecdh_callback): Use EnvUtil.suppress_warning to suppress deprecated warning. (test_ecdh_curves): Test that SSLContext#ecdh_curves= works. * test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-28openssl: move SSLSocket#initialize to C extensionrhe
* ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it. Currently this is delayed until ossl_ssl_setup(), which is called from SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an illegal value. We expect an exception to be raised in #hostname= but actually we get it in the later SSLSocket#connect. Because the SSL is not ready at #hostname=, the actual call of SSL_set_tlsext_host_name() is also delayed. This also fixes: [ruby-dev:49376] [Bug #11724] * ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same as the Ruby version but this instantiate the SSL object at the same time. (ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to the SSL. (ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not yet set by SSL_set_fd(). (ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL exists. (ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the SSL is already instantiated in #initialize. (ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal, ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert, ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain, ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state, ossl_ssl_pending, ossl_ssl_session_reused, ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list, ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started(). (Init_ossl_ssl): Add method declarations of SSLSocket#{initialize, hostname=}. * ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It should not be NULL because we now set it in #initialize. * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need to check if the SSL is NULL. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-26openssl: avoid NULL dereference in {DH,DSA,RSA}_size()rhe
* ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH has 'p' (the prime) before calling DH_size(). We can create a DH with no parameter but DH_size() does not check and dereferences NULL. [ruby-core:75720] [Bug #12428] * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does not check dsa->q. * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt, ossl_rsa_public_decrypt, ossl_rsa_private_encrypt, ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: drop OpenSSL 0.9.6/0.9.7 supportrhe
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: remove unnecessary 'extern "C"' blocks from local headersrhe
* ext/openssl/openssl_missing.h, ext/openssl/ossl.h: Remove unnecessary 'extern "C"' blocks. We don't use C++ and these headers are local to ext/openssl, so there is no need to enclose with it. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: remove check of OPENSSL_FIPS macro in extconf.rbrhe
* ext/openssl/extconf.rb: Remove check of OPENSSL_FIPS macro. This is unneeded because we can check the macro directly in source code, just as we already do for OPENSSL_NO_* macros. * ext/openssl/ossl.c: Replace occurrences of HAVE_OPENSSL_FIPS with OPENSSL_FIPS. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24openssl: add EC.generaterhe
* ext/openssl/ossl_pkey_ec.c (ec_key_new_from_group): Create a new EC_KEY on given EC group. Extracted from ossl_ec_key_initialize(). (ossl_ec_key_s_generate): Added. Create a new EC instance and generate a random private and public key. (ossl_ec_key_initialize): Use ec_key_new_from_group(). (Init_ossl_ec): Define the new method EC.generate. This change is for consistency with other PKey types. [ruby-core:45541] [Bug #6567] * test/openssl/test_pkey_ec.rb: Test that EC.generate works. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24openssl: rename EC#generate_key to EC#generate_key!rhe
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_generate_key): Fix up RDoc. (Init_ossl_ec): Rename EC#generate_key to EC#generate_key!. Make the old name an alias of #generate_key!. This change is for consistency with other PKey types. [ruby-core:45541] [Bug #6567] * test/openssl/test_pkey_ec.rb: Use EC#generate_key! instead of EC#generate_key. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24openssl: make Cipher#key= and #iv= reject too long valuesrhe
* ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv): Reject too long values as well as too short ones. Currently they just truncate the input but this would hide bugs and lead to unexpected encryption/decryption results. * test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject Strings with invalid length. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24openssl: avoid deprecated M_ASN1_* macrosrhe
* ext/openssl/ossl_x509ext.c (ossl_x509ext_set_value): Use ASN1_OCTET_STRING_set() instead of M_ASN1_OCTET_STRING_set(). Macros prefixed by "M_" are discouraged to be used from outside OpenSSL library[1]. (ossl_x509ext_get_value): Likewise, use ASN1_STRING_print() instead of M_ASN1_OCTET_STRING_print(). [1];a=blob;f=CHANGES;h=bf61913d7b01212b4d8b2f3c13d71d645914f67c;hb=b6079a7835f61daa9fb2cbf9addfa86049523933#l878 * ext/openssl/ossl.h: Include openssl/asn1.h instead of openssl/asn1_mac.h. It just includes openssl/asn1.h and defines some additional "M_" macros. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-23openssl: Avoid reference to unset global variable in Init_openssl()rhe
* ext/openssl/ossl.c (Init_openssl): Avoid reference to unset global variable. ossl_raise() may be called before dOSSL is set. Since global variables default to 0 and the default value of dOSSL set in Init_openssl() is also Qfalse, there is no real issue but confusing. Patch by Bertram Scharpf <> [ruby-core:58264] [Bug #9101] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-23openssl: use StringValueCStr() where NUL-terminated string is expectedrhe
* ext/openssl/ossl_asn1.c, ext/openssl/ossl_bn.c, ext/openssl/ossl_cipher.c, ext/openssl/ossl_digest.c ext/openssl/ossl_engine.c, ext/openssl/ossl_ns_spki.c ext/openssl/ossl_pkcs12.c, ext/openssl/ossl_pkcs7.c ext/openssl/ossl_pkey.c, ext/openssl/ossl_pkey_ec.c ext/openssl/ossl_rand.c, ext/openssl/ossl_ssl.c ext/openssl/ossl_x509attr.c, ext/openssl/ossl_x509cert.c ext/openssl/ossl_x509ext.c, ext/openssl/ossl_x509store.c: Use StringValueCStr() where NUL-terminated string is expected. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-23openssl: fix incorrect return value check of RAND_* functionsrhe
* ext/openssl/ossl_rand.c (ossl_rand_egd, ossl_rand_egd_bytes): RAND_egd{_bytes,}() return -1 on failure, not 0. Patch by cremno phobia <> [ruby-core:63795] [Bug #10053] (ossl_pseudo_bytes): Similar, RAND_pseudo_bytes() may return 0 or -1 on failure. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21openssl: fix possible SEGV on race between SSLSocket#stop and #connectrhe
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct here. Since some methods such as SSLSocket#connect releases GVL, there is a chance of use after free if we free the SSL from another thread. SSLSocket#stop was documented as "prepares it for another connection" so this is a slightly incompatible change. However when this sentence was added (r30090, Add toplevel documentation for OpenSSL, 2010-12-06), it didn't actually. The current behavior is from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15). [ruby-core:74978] [Bug #12292] * ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc. * test/openssl/test_ssl.rb: Test this. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21openssl: fix SSL client example in documentation [ci skip]rhe
* ext/openssl/ossl.c: [DOC] Fix SSL client example. The variable name was wrong. Patch by Andreas Tiefenthaler <> (@pxlpnk). [GH ruby/openssl#32] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21openssl: add OpenSSL::PKey::EC#private? and #public?rhe
* ext/openssl/ossl_pkey_ec.c: rename PKey::EC#private_key? and #public_key? to #private? and #public? for consistency with other PKey types. Old names remain as alias. [ruby-core:45541] [Bug #6567] * test/openssl/test_pkey_ec.rb (test_check_key): check private? and public? works correctly. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21openssl: remove impossible EOFError raise in OpenSSL::Bufferingrhe
* ext/openssl/lib/openssl/buffering.rb (read_nonblock, readpartial): Remove impossible EOFError raise. Patch by Zach Anker <>. [GH ruby/openssl#23] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-20ossl.c: suppress warningsnobu
* ext/openssl/ossl.c (ossl_pem_passwd_cb): check integer precision. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-20openssl: improve handling of password for encrypted PEMrhe
* ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the argument to String with StringValue() and validate the length is in 4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers. (ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we used to pass the password to PEM_def_callback() directly but it was problematic. It is not NUL character safe. And surprisingly, it silently truncates the password to 1024 bytes. [GH ruby/openssl#51] * ext/openssl/ossl.h: Add function prototype declaration of newly added ossl_pem_passwd_value(). * ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use ossl_pem_passwd_value() to validate the password String. * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export): ditto. * ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize, ossl_ec_key_to_string): ditto. * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export): ditto. * test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-19openssl: register ex_data index for X509_STORE{_CTX,} respectivelyrhe
* ext/openssl/ossl.c (Init_openssl): register an ex_data index for X509_STORE and X509_STORE_CTX respectively. Since they don't share the ex_data index registry, we can't use the same index. (ossl_verify_cb): use the the correct index. * ext/openssl/ossl_ssl.c (ossl_ssl_verify_callback): ditto. * ext/openssl/ossl_x509store.c (ossl_x509store_set_vfy_cb): ditto. (ossl_x509stctx_verify): ditto. * ext/openssl/ossl.h (void ossl_clear_error): add extern declarations of ossl_store_{ctx_,}ex_verify_cb_idx. * ext/openssl/openssl_missing.c: remove X509_STORE_set_ex_data and X509_STORE_get_ex_data. * ext/openssl/openssl_missing.h: implement X509_STORE_get_ex_data, X509_STORE_set_ex_data and X509_STORE_get_ex_new_index as macros. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-19openssl: check argument type in OpenSSL::X509::Attribute#value=rhe
* ext/openssl/ossl_x509attr.c (ossl_x509attr_set_value): check that the argument is an OpenSSL::ASN1::Data before converting to ASN1_TYPE. This fixes SEGV on OpenSSL::X509::Attribute#value=(non-asn1-value). * test/openssl/test_x509attr.rb: add tests for OpenSSL::X509::Attribute. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18openssl: fix OpenSSL error queue leak in OpenSSL::PKCS12.newrhe
* ext/openssl/ossl_pkcs12.c (ossl_pkcs12_initialize): pop errors leaked by PKCS12_parse(). This is a bug in OpenSSL, which exists in the versions before the version 1.0.0t, 1.0.1p, 1.0.2d. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18ossl_pkey_ec.c: index typesnobu
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): fix index types. Array length is long, not int. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e