| Age | Commit message (Collapse) | Author |
|---|
|
|
|
The commit <https://github.com/ruby/openssl/commit/c5b2bc1268bc> made the warnings below
in the case of OpenSSL 1.1 where the `OPENSSL_FIPS` macro is not defined.
```
$ bundle install --standalone
$ bundle exec rake compile -- \
--with-openssl-dir=$HOME/.local/openssl-1.1.1t-debug \
--with-cflags="-Wundef"
mkdir -p tmp/x86_64-linux/openssl/3.2.1
cd tmp/x86_64-linux/openssl/3.2.1
/usr/local/ruby-3.2.1/bin/ruby -I. -r.rake-compiler-siteconf.rb ../../../../ext/openssl/extconf.rb -- --with-openssl-dir=/home/jaruga/.local/openssl-1.1.1t-debug --with-cflags=-Wundef
...
gcc -I. -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/x86_64-linux -I/usr/local/ruby-3.2.1/include/ruby-3.2.0/ruby/backward -I/usr/local/ruby-3.2.1/include/ruby-3.2.0 -I../../../../ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/home/jaruga/.local/openssl-1.1.1t-debug/include -fPIC -Wundef -o ossl.o -c ../../../../ext/openssl/ossl.c
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_get’:
../../../../ext/openssl/ossl.c:425:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
425 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘ossl_fips_mode_set’:
../../../../ext/openssl/ossl.c:460:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
460 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
../../../../ext/openssl/ossl.c: In function ‘Init_openssl’:
../../../../ext/openssl/ossl.c:1218:7: warning: "OPENSSL_FIPS" is not defined, evaluates to 0 [-Wundef]
1218 | #elif OPENSSL_FIPS
| ^~~~~~~~~~~~
...
cp tmp/x86_64-linux/openssl/3.2.1/openssl.so tmp/x86_64-linux/stage/lib/openssl.so
```
https://github.com/ruby/openssl/commit/b4228cbcd6
|
|
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
more, and some FIPS related APIs also were removed in OpenSSL 3.
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
works with the OpenSSL installed without FIPS option.
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
'false' surely in the CI. You can test the FIPS mode case by setting
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
way to get the status of the FIPS mode enabled or disabled for this purpose. I
am afraid of the possibility that the FIPS test case is unintentionally skipped.
I also replaced the ambiguous "returns" with "should return" in the tests.
https://github.com/ruby/openssl/commit/c5b2bc1268
|
|
https://github.com/ruby/openssl/commit/98099d3796
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/7310
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/7330
|
|
JRuby has its own implementation of the `openssl` library in
jruby-openssl. The simplest way for us to allow users to set
openssl as a gem dependency is to ship a stub gem that just
depends on jruby-openssl. This patch adds that to the gemspec.
Additional work may be required to fit this stub gem into the test
and release process.
See #20 for more details.
https://github.com/ruby/openssl/commit/74ccaa5e18
|
|
Split `PACKED_STRUCT` and `PACKED_STRUCT_UNALIGNED` macros into the
macros bellow:
* `RBIMPL_ATTR_PACKED_STRUCT_BEGIN`
* `RBIMPL_ATTR_PACKED_STRUCT_END`
* `RBIMPL_ATTR_PACKED_STRUCT_UNALIGNED_BEGIN`
* `RBIMPL_ATTR_PACKED_STRUCT_UNALIGNED_END`
Notes:
Merged: https://github.com/ruby/ruby/pull/7268
|
|
https://github.com/ruby/openssl/commit/5a36cc3cb2
|
|
Reverts the following commits:
eb8d4d7b5145849325985c00b810b8d75661d86e
edb83dc3a2c374e880e8eb488152872152790e92
d40064d1846b5835dff81e3f168c0c3a6c85e814
|
|
Revert "[ruby/openssl] pkey/ec: constify"
This reverts commit d2cd903c85f38f42c6aefc6d97a1558f74d8d9db.
|
|
https://github.com/ruby/openssl/commit/6fb3499a7b
|
|
https://github.com/ruby/openssl/commit/c2f7d775c6
|
|
https://github.com/ruby/openssl/commit/48b79333e0
|
|
https://github.com/ruby/openssl/commit/04acccd692
|
|
The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.
[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]
https://github.com/ruby/openssl/commit/e38a63ab3d
|
|
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.
Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.
This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.
[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]
https://github.com/ruby/openssl/commit/b0cfac6a96
|
|
This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.
OPENSSL_NO_SOCK is unused since commit https://github.com/ruby/openssl/commit/998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit https://github.com/ruby/openssl/commit/4eb4b3297a92.
https://github.com/ruby/openssl/commit/eed3894bda
|
|
As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.
Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.
NPN is less relevant today anyway. Let's also silence test suite when
it's not available.
https://github.com/ruby/openssl/commit/289f6e0e1f
|
|
The macro is now defined by default in LibreSSL 3.4+. Let's document it
for future readers.
https://github.com/ruby/openssl/commit/935698e9f9
|
|
https://github.com/ruby/openssl/commit/91657a7924
|
|
https://github.com/ruby/openssl/commit/c0023822fe
|
|
https://github.com/ruby/openssl/commit/b67aaf925d
|
|
eEC_POINT
https://github.com/ruby/openssl/commit/b2e9f5e132
|
|
returning true
https://github.com/ruby/openssl/commit/e1e8f3cebe
|
|
RDoc does not consider preprocessor conditionals, but equally uses
both documents of `#if` and `#else` sides.
https://github.com/ruby/openssl/commit/ea0a112a0c
|
|
https://github.com/ruby/ruby/commit/6d8f396f37350b7aa9c85a097929f54a0939448b
https://github.com/ruby/ruby/commit/c8b3bd45cc3cae93ae701333202416838ee6a00c
|
|
documentation
(https://github.com/ruby/openssl/pull/559)
Adds back missing constant description on the documentation.
|
|
LibreSSL 3.6 added support for HKDF in EVP. Enable this in ossl_kdf.c.
https://github.com/ruby/openssl/commit/9bdd39a7e2
|
|
For some reasons, plaintext may be empty string.
ref https://www.rfc-editor.org/rfc/rfc9001.html#section-5.8
https://github.com/ruby/openssl/commit/953592a29e
|
|
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.
https://github.com/ruby/openssl/commit/475b2bf766
|
|
https://github.com/ruby/openssl/commit/5befde7519
|
|
https://github.com/ruby/openssl/commit/4619ab3e76
|
|
returns a BN
https://github.com/ruby/openssl/commit/4d0971c51c
|
|
https://github.com/ruby/openssl/commit/fd5eaa6dfc
|
|
https://github.com/ruby/openssl/commit/471340f612
|
|
- This callback is invoked when TLS key material is generated or
received, in order to allow applications to store this keying material
for debugging purposes.
- It is invoked with an `SSLSocket` and a string containing the key
material in the format used by NSS for its SSLKEYLOGFILE debugging
output.
- This commit adds the Ruby binding `keylog_cb` and the related tests
- It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
`SSL_CTX_set_keylog_callback()` from v3.4.2, it does nothing (see
https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6)
https://github.com/ruby/openssl/commit/3b63232cf1
|
|
The code was introduced by https://github.com/ruby/openssl/commit/65530b887e54 ("ssl: enable generating keying
material from SSL sessions", 2022-08-03).
This is harmless, but we should avoid it.
https://github.com/ruby/openssl/commit/f5b82e814b
|
|
https://github.com/ruby/openssl/commit/fceb978a5d
|
|
https://github.com/ruby/openssl/commit/e5bbd015dc
|
|
https://github.com/ruby/openssl/commit/de8a644bc4
|
|
https://github.com/ruby/openssl/commit/5316241e61
|
|
i2d_PUBKEY_bio() against an EC_KEY without the public key component
trggers a null dereference.
This is a regression introduced by commit https://github.com/ruby/openssl/commit/56f0d34d63fb ("pkey:
refactor #export/#to_pem and #to_der", 2017-06-14).
Fixes https://github.com/ruby/openssl/pull/527#issuecomment-1220504524
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1221554057
https://github.com/ruby/openssl/commit/f6ee0fa4de
|
|
output
Scan through the input for a private key, then fallback to generic
decoder.
OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.
The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.
While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.
Fixes https://github.com/ruby/openssl/pull/535
https://github.com/ruby/openssl/commit/d486c82833
|
|
Fix potential error queue leak.
https://github.com/ruby/openssl/commit/3992b6f208
|
|
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.
Fixes https://github.com/ruby/openssl/issues/483
Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)
https://github.com/ruby/openssl/commit/0105975a0b
|
|
Current OpenSSL 3.0.x release has a regression with zero-length MAC
keys. While this issue should be fixed in a future release of OpenSSL,
we can use EVP_PKEY_new_raw_private_key() in place of the problematic
EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page
recommends using it regardless:
> EVP_PKEY_new_mac_key() works in the same way as
> EVP_PKEY_new_raw_private_key(). New applications should use
> EVP_PKEY_new_raw_private_key() instead.
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1224912710
https://github.com/ruby/openssl/commit/4293f18b1f
|
|
methods
X509at_delete_attr() in OpenSSL master puts an error queue entry if
there is no attribute left to delete. We must either clear the error
queue, or try not to call it when the list is already empty.
https://github.com/ruby/openssl/commit/a0c878481f
|
|
Add OpenSSL::SSL::SSLSocket#export_keying_material to support RFC 5705
https://github.com/ruby/openssl/commit/65530b887e
|
|
causes SEGV if it is an Array or something like that.
https://github.com/ruby/openssl/commit/ef23525210
|
