path: root/test/openssl/test_cipher.rb
AgeCommit message (Collapse)Author
2021-12-20[ruby/openssl] cipher: update test_ciphersKazuki Yamaguchi
Do not attempt to actually use all algorithms. Not all algorithms listed in OpenSSL::Cipher.ciphers are always available.
2021-03-16test/openssl/test_cipher: skip AES-CCM tests on OpenSSL <= 1.1.1bKazuki Yamaguchi
AES CCM mode in OpenSSL <= 1.1.1b was overly strict in the parameters assignment order. This has been relaxed by OpenSSL 1.1.1c. The test case is failing on Ubuntu 18.04 because it still uses the initial 1.1.1 release and has the issue:
2021-03-16[ruby/openssl] User lower case cipher names for maximum compatibilityBart de Water
We ran into some Linux-based systems not accepting the upper case variant Notes: Merged:
2021-03-16[ruby/openssl] Define Cipher #ccm_data_len= for CCM mode ciphersSpencer McIntyre
Allow specifying just length to #update CCM mode ciphers need to specify the total plaintext or ciphertext length to EVP_CipherUpdate. Update the link to the tests file Define Cipher#ccm_data_len= for CCM mode ciphers Add a unit test for CCM mode Also check CCM is authenticated when testing Notes: Merged:
2020-05-13[ruby/openssl] Look up cipher by name instead of constantBart de Water
2020-05-13[ruby/openssl] Look up digest by name instead of constantBart de Water
2020-02-16Import openssl-2.2.0 (#2693)Hiroshi SHIBATA
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0 Notes: Merged-By: hsbt <>
2018-05-12openssl: merge changes in v2.1.1rhe
Commits in upstream repository since v2.1.0 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (7): test/utils: disable Thread's report_on_exception in start_server cipher: validate iterations argument for Cipher#pkcs5_keyivgen extconf.rb: fix build with LibreSSL 2.7.0 test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1 test/test_ssl_session: set client protocol version explicitly Ruby/OpenSSL 2.0.8 Ruby/OpenSSL 2.1.1 git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-11-25openssl: import v2.1.0.beta2rhe
Import Ruby/OpenSSL 2.1.0.beta2. The full commit log since commit e72d960db262 which was imported by r60013 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (26): bn: use ALLOCV() macro instead of xmalloc() appveyor.yml: remove 'openssl version' line test/test_ssl_session: skip tests for session_remove_cb x509ext: implement X509::Extension#== x509attr: implement X509::Attribute#== x509cert: implement X509::Certificate#== x509revoked: add missing X509::Revoked#to_der x509crl, x509revoked: implement X509::{CRL,Revoked}#== x509req: implement X509::Request#== ssl: extract rb_intern("call") cipher: disallow setting AAD for non-AEAD ciphers test/test_cipher: fix test_non_aead_cipher_set_auth_data failure ssl: fix conflict of options in SSLContext#set_params buffering: let #write accept multiple arguments pkey: make pkey_check_public_key() non-static x509cert, x509crl, x509req, ns_spki: check sanity of public key test/envutil: port assert_warning from Ruby trunk test/utils: remove a pointless .public_key call in issue_cert ssl: add SSLContext#add_certificate test/test_ssl: fix test_security_level Drop support for LibreSSL 2.4 kdf: add HKDF support test/test_x509cert: fix flaky test test/test_x509crl: fix random failure fix a typo Ruby/OpenSSL 2.1.0.beta2 Mark Wright (1): Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes. Peter Karman (1): Add RSA sign_pss() and verify_pss() methods aeris (1): TLS Fallback Signaling Cipher Suite Value kazu (1): Use caller with length to reduce unused strings git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03openssl: import v2.1.0.beta1rhe
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5 (imported by r59567) can be found at: ---------------------------------------------------------------- Antonio Terceiro (1): test/test_ssl: explicitly accept TLS 1.1 in corresponding test Colby Swandale (1): document using secure protocol to fetch git master in Bundler Colton Jenkins (1): Add fips_mode_get to return fips_mode Kazuki Yamaguchi (85): Start preparing for 2.1.0 Remove support for OpenSSL 0.9.8 and 1.0.0 bn: refine tests bn: implement unary {plus,minus} operators for OpenSSL::BN bn: implement OpenSSL::BN#negative? Don't define main() when built with --enable-debug test: let OpenSSL::TestCase include OpenSSL::TestUtils test: prepare test PKey instances on demand Add OpenSSL.print_mem_leaks Enable OSSL_MDEBUG on CI builds ssl: move default DH parameters from OpenSSL::PKey::DH Make exceptions with the same format regardless of OpenSSL.debug ssl: show reason of 'certificate verify error' in exception message ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 ssl: do not confuse different ex_data index registries ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object Fix RDoc markup ssl: suppress compiler warning ext/openssl/deprecation.rb: remove broken-apple-openssl extconf.rb: print informative message if OpenSSL can't be found Rakefile: compile the extension before test kdf: introduce OpenSSL::KDF module ossl.h: add NUM2UINT64T() macro kdf: add scrypt Expand rb_define_copy_func() macro Expand FPTR_TO_FD() macro Remove SafeGet*() macros cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname() digest: rename GetDigestPtr() to ossl_evp_get_digestbyname() Add ossl_str_new(), an exception-safe rb_str_new() bio: simplify ossl_membio2str() using ossl_str_new() Remove unused functions and macros Drop support for LibreSSL 2.3 ocsp: add OpenSSL::OCSP::Request#signed? asn1: infinite length -> indefinite length asn1: rearrange tests ssl: remove a needless NULL check in SSL::SSLContext#ciphers ssl: return nil in SSL::SSLSocket#cipher if session is not started asn1: remove an unnecessary function prototype asn1: require tag information when instantiating generic type asn1: initialize 'unused_bits' attribute of BitString with 0 asn1: check for illegal 'unused_bits' value of BitString asn1: disallow NULL to be passed to asn1time_to_time() asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid asn1: allow constructed encoding with definite length form asn1: prohibit indefinite length form for primitive encoding asn1: allow tag number to be >= 32 for universal tag class asn1: use ossl_asn1_tag() asn1: clean up OpenSSL::ASN1::Constructive#to_der asn1: harmonize OpenSSL::ASN1::*#to_der asn1: prevent EOC octets from being in the middle of the content asn1: do not treat EOC octets as part of content octets x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry ssl: do not call session_remove_cb during GC Backport "Merge branch 'topic/test-memory-leak'" to maint cipher: update the documentation for Cipher#auth_tag= Rakefile: let sync:to_ruby know about test/openssl/fixtures test: fix formatting test/utils: remove OpenSSL::TestUtils.silent test/utils: add SSLTestCase#tls12_supported? test/utils: have start_server yield only the port number test/utils: do not set ecdh_curves in start_server test/utils: let server_loop close socket test/utils: improve error handling in start_server test/utils: add OpenSSL::TestUtils.openssl? and .libressl? test/utils: do not use DSA certificates in SSL tests test/test_ssl: remove test_invalid_shutdown_by_gc test/test_ssl: move test_multibyte_read_write to test_pair test/test_ssl_session: rearrange tests test/test_pair, test/test_ssl: fix for TLS 1.3 ssl: remove useless call to rb_thread_wait_fd() ssl: fix NPN support ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private ssl: use 2048-bit group in the default tmp_dh_cb ssl: ensure that SSL option flags are non-negative ssl: update OpenSSL::SSL::OP_* flags ssl: prefer TLS_method() over SSLv23_method() ssl: add SSLContext#min_version= and #max_version= ssl: rework SSLContext#ssl_version= test/test_x509name: change script encoding to ASCII-8BIT x509name: refactor OpenSSL::X509::Name#to_s x509name: add OpenSSL::X509::Name#to_utf8 x509name: add OpenSSL::X509::Name#inspect x509name: update regexp in OpenSSL::X509::Name.parse Ruby/OpenSSL 2.1.0.beta1 Marcus Stollsteimer (1): Fix rdoc for core Integer class nobu (4): [DOC] {read,write}_nonblock with exception: false [DOC] keyword argument _exception_ [DOC] mark up literals Revert r57690 except for read_nonblock git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-01openssl: import fixes from upstreamrhe
Import the following two commits from upstream: commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611 Author: Kazuki Yamaguchi <> Date: Thu Dec 1 22:27:03 2016 +0900 pkey: check existence of EVP_PKEY_get0() EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define ourselves if needed. commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5 Author: Kazuki Yamaguchi <> Date: Thu Dec 1 22:13:22 2016 +0900 test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d Set the authentication tag before the AAD when decrypting. Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in OpenSSL 1.0.1d), the authentication tag must be set before any calls of EVP_CipherUpdate(). They should fix build on CentOS 5 and Ubuntu 12.04 respectively. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30openssl: import v2.0.0rhe
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29import Ruby/OpenSSL 2.0.0.beta.1rhe
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: [Feature #9612] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25openssl: drop OpenSSL 0.9.6/0.9.7 supportrhe
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24openssl: make Cipher#key= and #iv= reject too long valuesrhe
* ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv): Reject too long values as well as too short ones. Currently they just truncate the input but this would hide bugs and lead to unexpected encryption/decryption results. * test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject Strings with invalid length. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18openssl: clear OpenSSL error queue before return to Rubyrhe
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-17Use Integer instead of Fixnum and Bignum.akr
* object.c, numeric.c, enum.c, ext/-test-/bignum/mul.c, lib/rexml/quickpath.rb, lib/rexml/text.rb, lib/rexml/xpath_parser.rb, lib/rubygems/specification.rb, lib/uri/generic.rb, bootstraptest/test_eval.rb, basictest/test.rb, test/-ext-/bignum/test_big2str.rb, test/-ext-/bignum/test_div.rb, test/-ext-/bignum/test_mul.rb, test/-ext-/bignum/test_str2big.rb, test/csv/test_data_converters.rb, test/date/test_date.rb, test/json/test_json_generate.rb, test/minitest/test_minitest_mock.rb, test/openssl/test_cipher.rb, test/rexml/test_jaxen.rb, test/ruby/test_array.rb, test/ruby/test_basicinstructions.rb, test/ruby/test_bignum.rb, test/ruby/test_case.rb, test/ruby/test_class.rb, test/ruby/test_complex.rb, test/ruby/test_enum.rb, test/ruby/test_eval.rb, test/ruby/test_iseq.rb, test/ruby/test_literal.rb, test/ruby/test_math.rb, test/ruby/test_module.rb, test/ruby/test_numeric.rb, test/ruby/test_range.rb, test/ruby/test_rational.rb, test/ruby/test_refinement.rb, test/ruby/test_rubyvm.rb, test/ruby/test_struct.rb, test/ruby/test_variable.rb, test/rubygems/test_gem_specification.rb, test/thread/test_queue.rb: Use Integer instead of Fixnum and Bignum. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-02-19test: use assert_not_*nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-12-16Add frozen_string_literal: false for all filesnaruse
When you change this to true, you may need to add more tests. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-02-13test_cipher.rb: ignore wrap mode errosnobu
* test/openssl/test_cipher.rb (test_ciphers): ignore wrap mode errors if "wrap" is contained in the name. seems no explicit rules. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-02-12test_cipher.rb: show cipher namenobu
* test/openssl/test_cipher.rb (test_ciphers): show wrap mode cipher name, which does not end with "wrap". git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-02-06test_cipher.rb: OpenSSL 1.0.2nobu
* test/openssl/test_cipher.rb (OpenSSL::TestCipher#test_ciphers): OpenSSL 1.0.2 does not allow wrap mode. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-12-13test/openssl: skip old OpenSSLnobu
* test/openssl/utils.rb (OpenSSL::TestUtils): ignore out-of-date OpenSSL before 1.0. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-11-14* test/openssl/test_cipher.rb (test_aes_gcm_wrong_tag): Don't useakr
String#succ because it can make modified (wrong) auth_tag longer than 16 bytes. The longer auth_tag makes that EVP_CIPHER_CTX_ctrl (and internally aes_gcm_ctrl) fail. [ruby-core:55143] [Bug #8439] reported by Vit Ondruch. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-04-18* test/openssl/test_cipher.rb: Correct a typonaruse
by jgls <> fix GH-291 git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-12-20* remove trailing spaces.nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-12-20* ext/openssl/ossl_cipher.c: add support for Authenticated Encryptionemboss
with Associated Data (AEAD) for OpenSSL versions that support the GCM encryption mode. It's the only mode supported for now by OpenSSL itself. Add Cipher#authenticated? to detect whether a chosen mode does support Authenticated Encryption. * test/openssl/test_cipher.rb: add tests for Authenticated Encryption. [Feature #6980] [ruby-core:47426] Thank you, Stephen Touset for providing a patch! git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-11-29* test/openssl/test_cipher.rb (test_ctr_if_exists): add CTR mode testnahi
if underlying OpenSSL supports it. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-09-20Skip patented algorithms: IDEA and RC5 on NetBSD.naruse
On NetBSD, if it uses patented algorithms without explicit option, openssl will abort. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-07-28* ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possiblenahi
SEGV from AES encryption/decryption. Processing data by Cipher#update without initializing key (meaningless usage of Cipher object since we don't offer a way to export a key) could cause SEGV. In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows uninitialized key, but other EVPs (such as AES) does not allow it. Calling EVP_CipherUpdate() without initializing key causes SEGV so we set the data filled with "\0" as the key by default. See #2768. * test/openssl/test_cipher.rb: test it. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-02-05* ext/openssl/ossl_cipher.c (ossl_cipher_alloc): leave data ptrnobu
NULL. * ext/openssl/ossl_cipher.c (ossl_cipher_new, ossl_cipher_initialize): allocate internal structure. [ruby-core:35094] * ext/openssl/ossl_cipher.c (ossl_cipher_copy): ditto. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2010-12-11refactor load error rescue to the openssl util filetenderlove
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2008-09-24* test: assert_raises has been deprecated since a long time ago.nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2006-05-08* ext/openssl/extconf.rb: add check for OBJ_NAME_do_all_sorted.gotoyuzo
* ext/openssl/ossl_cipher.c (ossl_s_ciphers): new method OpenSSL::Cipher.ciphers. it returns all the cipher names. * ext/openssl/ossl_cipher.c (ossl_cipher_init): refine warning message. * ext/openssl/lib/openssl/cipher.rb: reimplement without eval() and add constants AES128, AES192, AES256. [ruby-dev:28610] * ext/openssl/lib/openssl/digest.rb: reimplement without eval(). * test/openssl/test_cipher.rb, test_digest: fix about reimplemented features. * sample/openssl/cipher.rb: rewrite all. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2005-10-30* ext/openssl/ossl_cipher.c (ossl_cipher_update): input data mustgotoyuzo
not be empty. [ruby-talk:161220] * test/openssl/test_cipher.rb: add test for Cipher#update(""). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2004-06-30* ext/openssl/extconf.rb: check for EVP_CIPHER_CTX_copy, ENGINE_add,gotoyuzo
EVP_CIPHER_CTX_set_padding, EVP_CipherFinal_ex, EVP_CipherInit_ex, EVP_DigestFinal_ex and EVP_DigestInit_ex. * ext/openssl/openssl_missing.c (EVP_CIPHER_CTX_copy): new function. * ext/openssl/openssl_missing.h (EVP_DigestInit_ex, EVP_DigestFinal_ex, EVP_CipherInit_ex, EVP_CipherFinal_ex, HMAC_Init_ex): new macro for OpenSSL 0.9.6. * ext/openssl/ossl_cipher.c (ossl_cipher_alloc, ossl_cipher_initialize, ossl_cipher_copy, ossl_cipher_reset, ossl_cipher_encrypt, ossl_cipher_decrypt, ossl_cipher_final, ossl_cipher_set_key, ossl_cipher_set_iv): replace all EVP_CipherInit and EVP_CipherFinal into EVP_CipherInit_ex and EVP_CipherFinal_ex. and EVP_CIPHER_CTX_init should only be called once. * ext/openssl/ossl_cipher.c (ossl_cipher_set_padding): check for EVP_CIPHER_CTX_set_padding. * ext/openssl/ossl_cipher.c (Init_ossl_cipher): Cipher#<< is deprecated. * ext/openssl/ossl_digest.c: replace all EVP_DigestInit and EVP_DigestFinal into EVP_DigestInit_ex and EVP_DigestFinal_ex. and EVP_MD_CTX_init should only be called once. * ext/openssl/ossl_digest.c (digest_final): should call EVP_MD_CTX_cleanup to avoid memory leak. * ext/openssl/ossl_hmac.c (ossl_hmac_initialize): repalce HMAC_init into HMAC_init_ex. and HMAC_CTX_init is moved to ossl_hmac_alloc. * ext/openssl/ossl_hmac.c (hmac_final): should call HMAC_CTX_cleanup to avoid memory leak. * test/openssl/test_cipher.rb, test/openssl/test_digest.rb, test/openssl/test_hmac.rb: new file. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e