summaryrefslogtreecommitdiff
path: root/ext/openssl
AgeCommit message (Collapse)Author
2021-07-18[ruby/openssl] Implement `Certificate.load` to load certificate chain. ↵Samuel Williams
(https://github.com/ruby/openssl/pull/441) * Add feature for loading the chained certificate into Certificate array. https://github.com/ruby/openssl/commit/05e1c015d6 Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
2021-07-18[ruby/openssl] x509, ssl, pkcs7: try to parse as DER-encoding firstKazuki Yamaguchi
Methods that take both PEM-encoding and DER-encoding have not been consistent in the order in which encoding to attempt to parse. A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to "-----END ...-----") embedded within it. Also, the PEM-encoding parser allows arbitrary data around the PEM block and silently skips it. As a result, attempting to parse data in DER-encoding as PEM-encoding first can incorrectly finds the embedded PEM block instead. This commit ensures that DER encoding will always be attempted before PEM encoding. OpenSSL::X509::Certificate is one of the updated classes. With this, the following will always be true: # obj is an OpenSSL::X509::Certificate obj == OpenSSL::X509::Certificate.new(obj.to_der) obj == OpenSSL::X509::Certificate.new(obj.to_pem) https://github.com/ruby/openssl/commit/b280eb1fd0
2021-07-18[ruby/openssl] Fix some typos [ci skip]Ryuta Kamizono
https://github.com/ruby/openssl/commit/51b3030b2b
2021-07-18[ruby/openssl] Add SSLSocket#getbyteAaron Patterson
Normal sockets respond to `getbyte`, so we should make SSLSocket respond to `getbyte` as well. This way we can substitute SSLSockets for regular sockets. https://github.com/ruby/openssl/commit/ac1490b7c9
2021-07-18[ruby/openssl] pkey/dh, pkey/ec: use EVP_PKEY_check() familyKazuki Yamaguchi
Use EVP_PKEY_param_check() instead of DH_check() if available. Also, use EVP_PKEY_public_check() instead of EC_KEY_check_key(). EVP_PKEY_*check() is part of the EVP API and is meant to replace those low-level functions. They were added by OpenSSL 1.1.1. It is currently not provided by LibreSSL. https://github.com/ruby/openssl/commit/797e9f8e08
2021-07-18[ruby/openssl] pkey: implement {DH,DSA,RSA}#public_key in RubyKazuki Yamaguchi
The low-level API that is used to implement #public_key is deprecated in OpenSSL 3.0. It is actually very simple to implement in another way, using existing methods only, in much shorter code. Let's do it. While we are at it, the documentation is updated to recommend against using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der method, there is no real use case for #public_key in newly written Ruby programs. https://github.com/ruby/openssl/commit/48a6c391ef
2021-07-18[ruby/openssl] pkey: implement #to_text using EVP APIKazuki Yamaguchi
Use EVP_PKEY_print_private() instead of the low-level API *_print() functions, such as RSA_print(). EVP_PKEY_print_*() family was added in OpenSSL 1.0.0. Note that it falls back to EVP_PKEY_print_public() and EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH type for which _private() fails if the private component is not set in the pkey object. Since the new API works in the same way for all key types, we now implement #to_text in the base class OpenSSL::PKey::PKey rather than in each subclass. https://github.com/ruby/openssl/commit/e0b4c56956
2021-07-18[ruby/openssl] pkey: remove unused ossl_generate_cb_2() helper functionKazuki Yamaguchi
The previous series of commits re-implemented key generation with the low level API with the EVP API. The BN_GENCB-based callback function is no longer used. https://github.com/ruby/openssl/commit/81027b7463
2021-07-18[ruby/openssl] pkey/dsa: use high level EVP interface to generate parameters ↵Kazuki Yamaguchi
and keys Implement PKey::DSA.new(size) and PKey::DSA.generate using OpenSSL::PKey.generate_parameters and .generate_key instead of the low level DSA functions. https://github.com/ruby/openssl/commit/1800a8d5eb
2021-07-18[ruby/openssl] pkey/rsa: use high level EVP interface to generate parameters ↵Kazuki Yamaguchi
and keys Implement PKey::RSA.new(size, exponent) and PKey::RSA.generate using OpenSSL::PKey.generate_key instead of the low level RSA functions. https://github.com/ruby/openssl/commit/363fd10713
2021-07-18[ruby/openssl] pkey/dh: use high level EVP interface to generate parameters ↵Kazuki Yamaguchi
and keys Implement PKey::DH.new(size, gen), PKey::DH.generate(size, gen), and PKey::DH#generate_key! using PKey.generate_parameters and .generate_key instead of the low level DH functions. Note that the EVP interface can enforce additional restrictions - for example, DH key shorter than 2048 bits is no longer accepted by default in OpenSSL 3.0. The test code is updated accordingly. https://github.com/ruby/openssl/commit/c2e9b16f0b
2021-07-18[ruby/openssl] pkey: fix interrupt handling in OpenSSL::PKey.generate_keyKazuki Yamaguchi
rb_thread_call_without_gvl() can be interrupted, but it may be able to resume the operation. Call rb_thread_check_ints() to see if it raises an exception or not. https://github.com/ruby/openssl/commit/88b90fb856
2021-07-18[ruby/openssl] pkey: allow setting algorithm-specific options in #sign and ↵Kazuki Yamaguchi
#verify Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let OpenSSL::PKey::PKey#sign and #verify take an optional parameter for specifying control strings for EVP_PKEY_CTX_ctrl_str(). https://github.com/ruby/openssl/commit/faf85d7c1d
2021-07-18[ruby/openssl] pkey: prepare pkey_ctx_apply_options() for usage by other ↵Kazuki Yamaguchi
operations The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used by key generation, but it is useful for other operations too. Let's change it to a slightly more generic name. https://github.com/ruby/openssl/commit/b2b77527fd
2021-07-18[ruby/openssl] pkey: fix potential memory leak in PKey#signKazuki Yamaguchi
Fix potential leak of EVP_MD_CTX object in an error path. This path is normally unreachable, since the size of a signature generated by any supported algorithms would not be larger than LONG_MAX. https://github.com/ruby/openssl/commit/99e8630518
2021-07-18[ruby/openssl] ossl.c: do not set locking callbacks on LibreSSLKazuki Yamaguchi
Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety without requiring applications to set locking callbacks and made related functions no-op. https://github.com/ruby/openssl/commit/7276233e1a
2021-07-18[ruby/openssl] ssl: use TLS_method() instead of SSLv23_method() for LibreSSLKazuki Yamaguchi
LibreSSL 2.2.2 introduced TLS_method(), but with different semantics from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method() enabled all available versions, which included SSL 3.0 in addition. However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now TLS_method() and SSLv23_method() are equivalent. https://github.com/ruby/openssl/commit/3b7d7045b8
2021-07-18[ruby/openssl] ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 onlyKazuki Yamaguchi
SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but it is made no-op and the automatic curve selection cannot be disabled. Wrap it with ifdef to make it clear that it is safe to remove it completely when we drop support for OpenSSL 1.0.2. https://github.com/ruby/openssl/commit/2ae8f21234
2021-07-18[ruby/openssl] require OpenSSL >= 1.0.2 and LibreSSL >= 3.1Kazuki Yamaguchi
Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31. https://github.com/ruby/openssl/commit/c055938f4b
2021-07-18[ruby/openssl] bn: update documentation of OpenSSL::BN#initialize and #to_sKazuki Yamaguchi
Clarify that BN.new(str, 2) and bn.to_s(2) handles binary string in big-endian, and the sign of the bignum is ignored. Reference: https://github.com/ruby/openssl/issues/431 https://github.com/ruby/openssl/commit/6fae2bd612
2021-07-18[ruby/openssl] BN.abs and BN uplusRick Mark
Adds standard math abs fuction and revises uplus to return a duplicated object due to BN mutability https://github.com/ruby/openssl/commit/0321b1e945
2021-06-22Deprecate and rework old (fd) centric functions.Samuel Williams
Notes: Merged: https://github.com/ruby/ruby/pull/4592
2021-05-04Fix -Wundef warnings in core extensionsBenoit Daloze
* See [Feature #17752] Notes: Merged: https://github.com/ruby/ruby/pull/4428
2021-04-25[ci skip] Fix a typo s/certificiate/certificate/wonda-tea-coffee
Notes: Merged: https://github.com/ruby/ruby/pull/4413
2021-04-13dependency updates卜部昌平
Notes: Merged: https://github.com/ruby/ruby/pull/4371
2021-03-31[ruby/openssl] Use #ifdef consistently for HAVE_RB_EXT_RACTOR_SAFETom Stuart
We previously used a mix of both `#if` and `#ifdef`, but the latter is more reliable because it will still work if the macro is undefined. https://github.com/ruby/openssl/commit/e4a622e67e
2021-03-31[ruby/openssl] Fix OpenSSL::Engine build on DebianTom Stuart
On Debian 9 (“stretch”) the `OPENSSL_NO_STATIC_ENGINE` macro is not defined, which causes all the `#if HAVE_ENGINE_LOAD_…` directives to fail with `error: 'HAVE_ENGINE_LOAD_…' is not defined, evaluates to 0 [-Werror,-Wundef]` while building TruffleRuby. We can accomplish the same thing with `#ifdef`, which (of course) works fine when the `HAVE_ENGINE_LOAD…` macros are also undefined. Upstreamed from oracle/truffleruby#2255, which fixed oracle/truffleruby#2254. https://github.com/ruby/openssl/commit/65e2adf1ac
2021-03-31[ruby/openssl] pkcs7: keep private key when duplicating PKCS7_SIGNER_INFOKazuki Yamaguchi
ASN1_dup() will not copy the 'pkey' field of a PKCS7_SIGNER_INFO object by design; it is a temporary field kept until the PKCS7 structure is finalized. Let's bump reference counter of the pkey in the original object and use it in the new object, too. This commit also removes PKCS7#add_signer's routine to add the content-type attribute as a signed attribute automatically. This behavior was not documented or tested. This change should not break any working user code since the method was completely useless without the change above. https://github.com/ruby/openssl/commit/20ca7a27a8
2021-03-31Enclose the code that was accidentally a link in "tt"aycabta
2021-03-16[ruby/openssl] bn: check -1 return from BIGNUM functionsKazuki Yamaguchi
Although the manpage says that BIGNUM functions return 0 on error, OpenSSL versions before 1.0.2n and current LibreSSL versions may return -1 instead. Note that the implementation of OpenSSL::BN#mod_inverse is extracted from BIGNUM_2c() macro as it didn't really share the same function signature with others. https://github.com/ruby/openssl/commit/9b59f34345 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] Fixed the results of OpenSSL::Timestamp::Response#failure_infoNobuyoshi Nakada
Made stored values `Symbol`s instead of `ID`s. Fixes https://bugs.ruby-lang.org/issues/17625 Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com> https://github.com/ruby/openssl/commit/f2d004679a Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] Enhance TLS 1.3 support on LibreSSL 3.2/3.3Jeremy Evans
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3. https://github.com/ruby/openssl/commit/a0e98d48c9 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] pkey/ec: remove OpenSSL::PKey::EC::Group.new(ec_method) formKazuki Yamaguchi
The form created an empty EC_GROUP object with the specified EC_METHOD. However, the feature was unfinished and not useful in any way because OpenSSL::PKey::EC::Group did not implement wrappers for necessary functions to set actual parameters for the group, namely EC_GROUP_set_curve() family. EC_GROUP object creation with EC_METHOD explicitly specified is deprecated in OpenSSL 3.0, as it was apparently not intended for use outside OpenSSL. It is still possible to create EC_GROUP, but without EC_METHOD explicitly specified - OpenSSL chooses the appropriate EC_METHOD for the curve type. The OpenSSL::PKey::EC::Group.new(<:GFp|:GF2m>, p, a, b) form will continue to work. https://github.com/ruby/openssl/commit/df4bec841f Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] ssl: remove SSL::SSLContext#tmp_ecdh_callbackKazuki Yamaguchi
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not supported by any non-EOL versions of OpenSSL. The wrapper was initially implemented in Ruby 2.3 and has been deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit warning with rb_warn(). https://github.com/ruby/openssl/commit/ee037e1460 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] ssl: retry write on EPROTOTYPE on macOSKazuki Yamaguchi
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227 https://github.com/ruby/openssl/commit/2e700c80bf Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: update rdoc for X509::Store and X509::StoreContextKazuki Yamaguchi
Add more details about each method, and add reference to OpenSSL man pages. https://github.com/ruby/openssl/commit/02b6f82c73 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: fix memory leak in X509::StoreContext.newKazuki Yamaguchi
The certificate passed as the second argument was not properly free'd in the error paths. https://github.com/ruby/openssl/commit/9561199b9f Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: avoid ossl_raise() calls with NULL messageKazuki Yamaguchi
Use the OpenSSL function name that caused the error to generate a better error message. https://github.com/ruby/openssl/commit/b31809ba3d Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: refactor X509::StoreContext#chainKazuki Yamaguchi
Use ossl_x509_sk2ary() to create an array of OpenSSL::X509::Certificate from STACK_OF(X509). https://github.com/ruby/openssl/commit/fa1da69f92 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: emit warning if arguments are given to X509::Store.newKazuki Yamaguchi
Anything passed to OpenSSL::X509::Store.new was always ignored. Let's emit an explicit warning to not confuse users. https://github.com/ruby/openssl/commit/d173700eeb Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] x509store: let X509::Store#add_file raise TypeError if nil is ↵Kazuki Yamaguchi
given Undo special treatment of nil and simply pass the value to StringValueCStr(). nil was never a valid argument for the method; OpenSSL::X509::StoreError with an unhelpful error message "system lib" was raised in that case. https://github.com/ruby/openssl/commit/fb2fcbb137 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] [DOC] Fix RDoc markupNobuhiro IMAI
https://github.com/ruby/openssl/commit/f36af95519 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] Fix typo in documentationClaus Lensbøl
The socket is called ssl_connection, not connection https://github.com/ruby/openssl/commit/642783aeda Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] ssl: initialize verify_mode and verify_hostname with default ↵Kazuki Yamaguchi
values SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer) and verify_hostname expects either true or false. However, they are set to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising. Set a proper value to them by default: verify_mode is set to OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by default. Note that this does not change the default behavior. The certificate verification was never performed unless verify_mode is set to OpenSSL::SSL::VERIFY_PEER by a user. The same applies to verify_hostname. https://github.com/ruby/openssl/commit/87d869352c Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] Add compare? method to OpenSSL::PKey that wraps EVP_PKEY_cmp.Colton Jenkins
Explicitly check for type given some conflicting statements within openssl's documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3). Add documentation with an example for compare? https://github.com/ruby/openssl/commit/0bf51da6e2 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] User lower case cipher names for maximum compatibilityBart de Water
We ran into some Linux-based systems not accepting the upper case variant https://github.com/ruby/openssl/commit/7bc49121d5 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] hmac: implement base64digest methodsKazuki Yamaguchi
OpenSSL::HMAC implements the similar interface as ::Digest. Let's add base64digest methods to OpenSSL::HMAC, too, for feature parity. https://github.com/ruby/openssl/commit/098bcb68af Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] hmac: migrate from the low-level HMAC API to the EVP APIKazuki Yamaguchi
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API has been discouraged and is being marked as deprecated starting from OpenSSL 3.0.0. The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest are now in lib/openssl/hmac.rb. https://github.com/ruby/openssl/commit/0317e2fc02 Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] pkey/ec: deprecate OpenSSL::PKey::EC::Point#mul(ary, ary [, bn])Kazuki Yamaguchi
Deprecate it for future removal. However, I do not expect any application is affected by this. The other form of calling it, PKey::EC::Point#mul(bn [, bn]) remains untouched. PKey::EC::Point#mul calls EC_POINTs_mul(3) when multiple BNs are given as an array. LibreSSL 2.8.0 released on 2018-08 removed the feature and OpenSSL 3.0 which is planned to be released in 2020 will also deprecate the function as there is no real use-case. https://github.com/ruby/openssl/commit/812de4253d Notes: Merged: https://github.com/ruby/ruby/pull/4275
2021-03-16[ruby/openssl] digest, hmac, ts, x509: use IO.binread in examples where ↵Kazuki Yamaguchi
appropriate IO.read may mangle line separator, which will corrupt binary data including DER-encoded X.509 certificates and such. Fixes: https://github.com/ruby/openssl/issues/243 https://github.com/ruby/openssl/commit/93213b2730 Notes: Merged: https://github.com/ruby/ruby/pull/4275