summaryrefslogtreecommitdiff
path: root/ext/openssl
AgeCommit message (Collapse)Author
4 days[ruby/openssl] bn: expand BIGNUM_RAND and BIGNUM_RAND_RANGE macrosKazuki Yamaguchi
Now that BN.pseudo_rand{,_range} are alias, those macros are only used once. Let's expand the macros for better readability. https://github.com/ruby/openssl/commit/7c2fc00dee
4 days[ruby/openssl] bn: make BN.pseudo_rand{,_range} an alias of BN.rand{,_range}Kazuki Yamaguchi
BN_pseudo_rand() and BN_pseudo_rand_range() are deprecated in OpenSSL 3.0. Since they are identical to their non-'pseudo' version anyway, let's make them alias. https://github.com/ruby/openssl/commit/2d34e85ddf
4 days[ruby/openssl] pkey, ssl: use EVP_PKEY_eq() instead of EVP_PKEY_cmp()Kazuki Yamaguchi
OpenSSL 3.0 renamed EVP_PKEY_cmp() to EVP_PKEY_eq() because that was a confusing name. https://github.com/ruby/openssl/commit/d42bd7fcdb
4 days[ruby/openssl] pkey/ec: use EC_GROUP_free() instead of EC_GROUP_clear_free()Kazuki Yamaguchi
EC_GROUP_clear_free() is deprecated in OpenSSL 3.0. EC_GROUP does not include any sensitive data, so we can safely use EC_GROUP_free() instead. https://github.com/ruby/openssl/commit/e93a5fdffc
4 days[ruby/openssl] pkey/ec: deprecate PKey::EC::Point#make_affine! and make it a ↵Kazuki Yamaguchi
no-op It converts the internal representation of the point object to the affine coordinate system. However, it had no real use case because the difference in the internal representation has not been visible from Ruby/OpenSSL at all. EC_POINT_make_affine() is marked as deprecated in OpenSSL 3.0. https://github.com/ruby/openssl/commit/e2cc81fef7
4 days[ruby/openssl] hmac: use EVP_MD_CTX_get_pkey_ctx() instead of ↵Kazuki Yamaguchi
EVP_MD_CTX_pkey_ctx() OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the function name. Adjust compatibility macro so that we can use the new function name for all OpenSSL 1.0.2-3.0. https://github.com/ruby/openssl/commit/c106d888c6
4 days[ruby/openssl] digest: use EVP_MD_CTX_get0_md() instead of EVP_MD_CTX_md() ↵Kazuki Yamaguchi
if exists The function was renamed in OpenSSL 3.0 due to the change of the lifetime of EVP_MD objects. They are no longer necessarily statically allocated and can be reference-counted -- when an EVP_MD_CTX is free'd, the associated EVP_MD can also become inaccessible. Currently Ruby/OpenSSL only handles builtin algorithms, so no special handling is needed except for adapting to the rename. https://github.com/ruby/openssl/commit/0a253027e6
4 days[ruby/openssl] bn: use BN_check_prime() in OpenSSL::BN#prime{,_fasttest}?Kazuki Yamaguchi
In OpenSSL 3.0, BN_is_prime_ex() and BN_is_prime_fasttest_ex() are deprecated in favor of BN_check_prime(). https://github.com/ruby/openssl/commit/90d51ef510
4 days[ruby/openssl] ssl: use SSL_get_rbio() to check if SSL is started or notKazuki Yamaguchi
Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally calls SSL_get_rbio() and it's enough for our purpose. In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue if BIO has not been set up yet, and we would have to clean it up. https://github.com/ruby/openssl/commit/e95ee24867
4 days[ruby/openssl] ssl: use SSL_CTX_load_verify_{file,dir}() if availableKazuki Yamaguchi
SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and replaced with those two separate functions. Use them if they exist. https://github.com/ruby/openssl/commit/5375a55ffc
4 days[ruby/openssl] ts: use TS_VERIFY_CTX_set_certs instead of ↵Kazuki Yamaguchi
TS_VERIFY_CTS_set_certs OpenSSL 3.0 fixed the typo in the function name and replaced the current 'CTS' version with a macro. https://github.com/ruby/openssl/commit/2be6779b08
4 days[ruby/openssl] ossl.c: use ERR_get_error_all() if availableKazuki Yamaguchi
OpenSSL 3.0 deprecated ERR_get_error_line_data() in favor of ERR_get_error_all(), as part of the error queue structure changes. https://github.com/ruby/openssl/commit/8e98d2ecc8
4 days[ruby/openssl] ext/openssl/ossl.h: add helper macros for OpenSSL/LibreSSL ↵Kazuki Yamaguchi
versions Add following convenient macros: - OSSL_IS_LIBRESSL - OSSL_OPENSSL_PREREQ(maj, min, pat) - OSSL_LIBRESSL_PREREQ(maj, min, pat) https://github.com/ruby/openssl/commit/00abee791d
5 days[ruby/openssl] Raise an exception if the IO object passed to SSLSocket isn't ↵Aaron Patterson
a file SSLSocket#connect eventually calls `GetOpenFile` in order to get the underlying file descriptor for the IO object passed in on initialization. `GetOpenFile` assumes that the Ruby object passed in is a T_FILE object and just casts it to a T_FILE without any checks. If you pass an object that *isn't* a T_FILE to that function, the program will segv. Since we assume the IO object is a file in the `connect` method, this commit adds a `CheckType` in the initialize method to ensure that the IO object is actually a T_FILE. If the object *isn't* a T_FILE, this class will segv on `connect`, so I think this is a backwards compatible change. https://github.com/ruby/openssl/commit/919fa44ec2
12 days[ruby/openssl] require Ruby 2.6 or laterKazuki Yamaguchi
Drop support for Ruby 2.3, 2.4, and 2.5. As of 2021-10, Ruby 2.6 is the oldest version that still receives security fixes from the Ruby core team, so it doesn't make much sense to keep code for those ancient versions. https://github.com/ruby/openssl/commit/3436bd040d
12 days[ruby/openssl] bump version number to 3.0.0.preKazuki Yamaguchi
https://github.com/ruby/openssl/commit/baa83a8a57
12 days[ruby/openssl] Ruby/OpenSSL 2.2.1Kazuki Yamaguchi
https://github.com/ruby/openssl/commit/65e7207a07
12 days[ruby/openssl] Ruby/OpenSSL 2.1.3Kazuki Yamaguchi
https://github.com/ruby/openssl/commit/e8ee01b22c
12 days[ruby/openssl] ssl: avoid directly storing String object in NPN callbackKazuki Yamaguchi
On the server side, the serialized list of protocols is stored in SSL_CTX as a String object reference. We utilize a hidden instance variable to prevent it from being GC'ed, but this is not enough because it can also be relocated by GC.compact. https://github.com/ruby/openssl/commit/5eb68ba778
12 days[ruby/openssl] x509store: explicitly call rb_gc_mark() against ↵Kazuki Yamaguchi
Store/StoreContext We store the reverse reference to the Ruby object in the OpenSSL struct for use from OpenSSL callback functions. To prevent the Ruby object from being relocated by GC.compact, we must "pin" it by calling rb_gc_mark(). https://github.com/ruby/openssl/commit/a6ba9f894f
12 days[ruby/openssl] ssl: explicitly call rb_gc_mark() against ↵Kazuki Yamaguchi
SSLContext/SSLSocket objects We store the reverse reference to the Ruby object in the OpenSSL struct for use from OpenSSL callback functions. To prevent the Ruby object from being relocated by GC.compact, we must "pin" it by calling rb_gc_mark(). https://github.com/ruby/openssl/commit/022b7ceada
12 days[ruby/openssl] digest: load digest library using Kernel#requireKazuki Yamaguchi
The digest library is a default gem now, too. Therefore we can't simply use rb_require() to load it, but we should use Kernel#require instead. This change is based on the suggestion by David Rodríguez in https://github.com/ruby/digest/commit/16172612d56ac42f57e5788465791329303ac5d0#commitcomment-57778397 https://github.com/ruby/openssl/commit/157f80794b
12 days[ruby/openssl] fix segv in Timestamp::{Request,Response,TokenInfo}.newNobuhiro IMAI
prevent `ossl_ts_*_free()` from calling when `d2i_TS_*_bio()` failed. https://github.com/ruby/openssl/commit/b29e215786
12 days[ruby/openssl] ts: libressl build fix warningDavid Carlier
TS_time_cb on libressl expects an long long/time_t 64 bits long instead. https://github.com/ruby/openssl/commit/4c99f577b2
12 days[ruby/openssl] ssl: temporary lock string buffer while readingKazuki Yamaguchi
Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows context switches. We must prevent other threads from modifying the string buffer. We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily prohibit modification of the string. https://github.com/ruby/openssl/commit/d38274949f
12 days[ruby/openssl] ssl: create a temporary frozen string buffer when writingKazuki Yamaguchi
Since a blocking SSLSocket#syswrite call allows context switches while waiting for the underlying socket to be ready, we must freeze the string buffer to prevent other threads from modifying it. Reference: https://github.com/ruby/openssl/issues/452 https://github.com/ruby/openssl/commit/aea874bc6e
12 days[ruby/openssl] ssl: add SSLContext#tmp_dh=Kazuki Yamaguchi
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which sets the DH parameters used for ephemeral DH key exchange. SSLContext#tmp_dh_callback= already exists for this purpose, as a wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered obsolete and the OpenSSL API is deprecated for future removal. There is no practical use case where an application needs to use different DH parameters nowadays. This was originally introduced to support export grade ciphers. RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=. Note that current versions of OpenSSL support automatic ECDHE curve selection which is enabled by default. SSLContext#tmp_dh= should only be necessary if you must allow ancient clients which don't support ECDHE. https://github.com/ruby/openssl/commit/aa43da4f04
12 days[ruby/openssl] ssl: remove private method SSLSocket#tmp_ecdh_callbackKazuki Yamaguchi
Commit ee037e146037 ("ssl: remove SSL::SSLContext#tmp_ecdh_callback", 2020-08-12) forgot to remove the method. https://github.com/ruby/openssl/commit/bef9ea84e4
2021-10-05ruby tool/update-deps --fix卜部昌平
Notes: Merged: https://github.com/ruby/ruby/pull/4909
2021-09-12[ruby/openssl] Add fallthrough commentsNobuyoshi Nakada
https://github.com/ruby/openssl/commit/258e30b640
2021-09-12[ruby/openssl] Suppress cast-function-type warningsNobuyoshi Nakada
https://github.com/ruby/openssl/commit/0f91e2a6ee
2021-09-12[ruby/openssl] Separate formatting from ossl_make_errorNobuyoshi Nakada
Just append OpenSSL error reason to the given message string object, which would be alreadly formatted. Suppress -Wformat-security warning in `ossl_tsfac_create_ts`. https://github.com/ruby/openssl/commit/11b1d8a6b8
2021-09-12[ruby/openssl] Suppress printf format warningsNobuyoshi Nakada
* Add `printf` format attribute to `ossl_raise`. * Fix a format specifier in `config_load_bio`. * Use `ASSUME` for the unreachable condition. https://github.com/ruby/openssl/commit/41da2955db
2021-07-18[ruby/openssl] Strip trailing spacesKazuki Yamaguchi
https://github.com/ruby/openssl/commit/68fa9c86f1
2021-07-18[ruby/openssl] Deprecate and rework old (fd) centric functionsSamuel Williams
[ky: fixed compatibility with older versions of Ruby] (cherry picked from commit ruby/ruby@45e65f302b663b2c6ab69df06d3b6f219c1797b2) https://github.com/ruby/openssl/commit/8d928e0fb9
2021-07-18[ruby/openssl] Use rb_block_call() instead of the deprecated rb_iterate() in ↵Benoit Daloze
OpenSSL * See https://bugs.ruby-lang.org/issues/18025 and https://github.com/ruby/ruby/pull/4629 https://github.com/ruby/openssl/commit/b8e4852dcc
2021-07-18[ruby/openssl] Add example to OpenSSL::KDF.hkdf method ↵Yusuke Nakamura
(https://github.com/ruby/openssl/pull/447) The values from RFC 5869 https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1 https://github.com/ruby/openssl/commit/ec14a87f4f
2021-07-18[ruby/openssl] use Bundler for dependency management and Rake gem tasksKazuki Yamaguchi
Back in 2016, we chose not to use Bundler in Ruby/OpenSSL development because Bundler depended on openssl and could not be used for testing openssl itself - "bundle exec rake test" would end up with loading two different versions of openssl at the same time. This has been resolved long time ago. We can now safely use it for development dependency management and for Rake tasks. https://github.com/ruby/openssl/commit/47283d9161
2021-07-18[ruby/openssl] Include peer socket IP address in errorsVinicius Stock
https://github.com/ruby/openssl/commit/8a1e3f5085
2021-07-18[ruby/openssl] Add OpenSSL::BN#set_flags and #get_flagsYusuke Endoh
Also, OpenSSL::BN::CONSTTIME is added. OpenSSL itself had a feature that was vulnerable against a side-channel attack. The OpenSSL authors determined that it was not a security issue, and they have already fixed the issue by using BN_set_flags. https://github.com/openssl/openssl/pull/13888 If a Ruby OpenSSL user was faced with a similar issue, they couldn't prevent the issue because Ruby OpenSSL lacks a wrapper to BN_set_flags. For the case, this change introduces the wrapper. https://github.com/ruby/openssl/commit/1e565eba89
2021-07-18[ruby/openssl] pkey/dsa: refactor DSA#sys{sign,verify} with ↵Kazuki Yamaguchi
PKey#{sign,verify}_raw With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw, OpenSSL::PKey::DSA's low level signing operation methods can be implemented in Ruby. The definitions are now in lib/openssl/pkey.rb. https://github.com/ruby/openssl/commit/ce805adf0c
2021-07-18[ruby/openssl] pkey/ec: refactor EC#dsa_{sign,verify}_asn1 with ↵Kazuki Yamaguchi
PKey#{sign,verify}_raw With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw, OpenSSL::PKey::EC's low level signing operation methods can be implemented in Ruby. The definitions are now in lib/openssl/pkey.rb. https://github.com/ruby/openssl/commit/1f9da0cd9d
2021-07-18[ruby/openssl] pkey/rsa: port RSA#{private,public}_{encrypt,decrypt} to the ↵Kazuki Yamaguchi
EVP API Implement these methods using the new OpenSSL::PKey::PKey#{encrypt,sign} family. The definitions are now in lib/openssl/pkey.rb. Also, recommend using those generic methods in the documentation. https://github.com/ruby/openssl/commit/2dfc1779d3
2021-07-18[ruby/openssl] pkey: implement PKey#sign_raw, #verify_raw, and #verify_recoverKazuki Yamaguchi
Add a variant of PKey#sign and #verify that do not hash the data automatically. Sometimes the caller has the hashed data only, but not the plaintext to be signed. In that case, users would have to use the low-level API such as RSA#private_encrypt or #public_decrypt directly. OpenSSL 1.0.0 and later supports EVP_PKEY_sign() and EVP_PKEY_verify() which provide the same functionality as part of the EVP API. This patch adds wrappers for them. https://github.com/ruby/openssl/commit/16cca4e0c4
2021-07-18[ruby/openssl] pkey: update version reference in #sign and #verify documentationKazuki Yamaguchi
The next release is decided to be 3.0 rather than 2.3. https://github.com/ruby/openssl/commit/b8a434e462
2021-07-18[ruby/openssl] pkey: implement PKey#encrypt and #decryptKazuki Yamaguchi
Support public key encryption and decryption operations using the EVP API. https://github.com/ruby/openssl/commit/75326d4bbc
2021-07-18[ruby/openssl] pkey: remove deprecated parameter settersKazuki Yamaguchi
Remove the following methods, which have been marked as deprecated and produced a warning since version 2.0, commit 7ea72f1f5084 ("adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs", 2016-06-05). - OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp= - OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key= - OpenSSL::PKey::DH#p=, #g=, #priv_key=, #pub_key= These methods could only work with OpenSSL 1.0.2 or older, which is now EOL. https://github.com/ruby/openssl/commit/2334862cc0
2021-07-18[ruby/openssl] Implement `Certificate.load` to load certificate chain. ↵Samuel Williams
(https://github.com/ruby/openssl/pull/441) * Add feature for loading the chained certificate into Certificate array. https://github.com/ruby/openssl/commit/05e1c015d6 Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
2021-07-18[ruby/openssl] x509, ssl, pkcs7: try to parse as DER-encoding firstKazuki Yamaguchi
Methods that take both PEM-encoding and DER-encoding have not been consistent in the order in which encoding to attempt to parse. A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to "-----END ...-----") embedded within it. Also, the PEM-encoding parser allows arbitrary data around the PEM block and silently skips it. As a result, attempting to parse data in DER-encoding as PEM-encoding first can incorrectly finds the embedded PEM block instead. This commit ensures that DER encoding will always be attempted before PEM encoding. OpenSSL::X509::Certificate is one of the updated classes. With this, the following will always be true: # obj is an OpenSSL::X509::Certificate obj == OpenSSL::X509::Certificate.new(obj.to_der) obj == OpenSSL::X509::Certificate.new(obj.to_pem) https://github.com/ruby/openssl/commit/b280eb1fd0
2021-07-18[ruby/openssl] Fix some typos [ci skip]Ryuta Kamizono
https://github.com/ruby/openssl/commit/51b3030b2b