95 Commits

Author SHA1 Message Date
Jun Aruga
b0ec1db8a7 [ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
This is a workaround for the decoding issue in ossl_pkey_read_generic().
The issue happens in the case that a key management provider is different from
a decoding provider.

Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
to avoid the issue.

https://github.com/ruby/openssl/commit/db688fa739
2023-08-28 12:05:33 +09:00
Kazuki Yamaguchi
0eaee5c000 [ruby/openssl] [DOC] enhance RDoc for exporting pkeys
Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem
and #to_der more clearly. They return a different result depending on
whether the pkey is a public or private key. This was not documented
adequately.

Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem
and #public_to_pem instead, if possible.

https://github.com/ruby/openssl/commit/d22769af8f
2023-08-16 14:48:40 +09:00
Ryo Kajiwara
4b6d667c63 [ruby/openssl] Add support for raw private/public keys
(https://github.com/ruby/openssl/pull/646)

Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.

[rhe: rewrote commit message]

https://github.com/ruby/openssl/commit/3f29525618

Co-authored-by: Bart de Water <bartdewater@gmail.com>
2023-07-12 23:40:58 +09:00
Kazuki Yamaguchi
af66b9b720 [ruby/openssl] pkey: use unsigned type for bit fields
clang generates a warning:

	../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
	    arg->interrupted = 1;
	                     ^ ~
	1 error generated.

https://github.com/ruby/openssl/commit/4b2ba7b022
2023-06-19 01:57:09 +09:00
Jun Aruga
2a4834057b [ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.

```
$ openssl genrsa -out key.pem 4096

$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
  from -e:1:in `<main>'
```

The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g.  "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.

The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.

https://github.com/ruby/openssl/commit/5ff4a31621
2023-06-19 01:57:09 +09:00
Jean Boussier
1965c09ee5 [ruby/openssl] Implement Write Barrier for all OpenSSL types
The vast majority have no reference so it's just a matter of setting the flags.

For the couple exception, they have very little references so it's
easy.

https://github.com/ruby/openssl/commit/2c7c6de69e
2023-06-19 01:57:09 +09:00
Theo Buehler
d92f4fe4d7
[ruby/openssl] Use EVP_Digest{Sign,Verify} when available
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.

https://github.com/ruby/openssl/commit/475b2bf766
2022-12-13 18:07:41 +09:00
Kazuki Yamaguchi
0677b2fb87 [ruby/openssl] pkey: restore support for decoding "openssl ecparam -genkey" output
Scan through the input for a private key, then fallback to generic
decoder.

OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.

The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.

While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.

Fixes https://github.com/ruby/openssl/pull/535

https://github.com/ruby/openssl/commit/d486c82833
2022-10-17 16:35:35 +09:00
Kazuki Yamaguchi
4fb2845c7b [ruby/openssl] pkey: clear error queue before each OSSL_DECODER_from_bio() call
Fix potential error queue leak.

https://github.com/ruby/openssl/commit/3992b6f208
2022-10-17 16:35:35 +09:00
Nobuhiro IMAI
a98096349e [ruby/openssl] Check if the option is an Hash in pkey_ctx_apply_options0()
causes SEGV if it is an Array or something like that.

https://github.com/ruby/openssl/commit/ef23525210
2022-10-17 16:35:35 +09:00
Jeremy Evans
aee36dd788 [ruby/openssl] Fix build with LibreSSL 3.5
https://github.com/ruby/openssl/commit/e25fb0d0d8
2022-07-08 23:18:14 +09:00
Kazuki Yamaguchi
ac757b218c [ruby/openssl] pkey: use EVP_PKEY_CTX_new_from_name() on OpenSSL 3.0
Replace EVP_PKEY_CTX_new_id() with the new EVP_PKEY_CTX_new_from_name()
which takes the algorithm name in a string instead of in an NID.

https://github.com/ruby/openssl/commit/d6535d13d1
2021-12-20 23:42:04 +09:00
Kazuki Yamaguchi
61e426ae05 [ruby/openssl] pkey: assume a pkey always has public key components on OpenSSL 3.0
OpenSSL 3.0's EVP_PKEY_get0() returns NULL for provider-backed pkeys.
This causes segfault because it was supposed to never return NULL
before.

We can't check the existence of public key components in this way on
OpenSSL 3.0. Let's just skip it for now.

https://github.com/ruby/openssl/commit/ccdb6f7bfa
2021-12-20 23:42:04 +09:00
Kazuki Yamaguchi
b2fb503dab [ruby/openssl] engine: disable OpenSSL::Engine on OpenSSL 3.0
The entire ENGINE API is deprecated in OpenSSL 3.0 in favor of the new
"Provider" concept.

OpenSSL::Engine will not be defined when compiled with OpenSSL 3.0.
We would need a way to interact with providers from Ruby programs, but
since the concept is completely different from the ENGINE API, it will
not be through the current OpenSSL::Engine interface.

https://github.com/ruby/openssl/commit/69a27d8de4
2021-12-20 23:42:03 +09:00
Kazuki Yamaguchi
df6589e418 [ruby/openssl] pkey: use EVP_PKEY_dup() if available
We can use it to implement OpenSSL::PKey::PKey#initialize_copy. This
should work on all key types, not just DH/DSA/EC/RSA types.

https://github.com/ruby/openssl/commit/66cd8cbaaf
2021-12-20 23:42:01 +09:00
Kazuki Yamaguchi
c1a36ebfda [ruby/openssl] pkey: allocate EVP_PKEY on #initialize
Allocate an EVP_PKEY when the content is ready: when #initialize
or #initialize_copy is called, rather than when a T_DATA is allocated.
This is more natural because the lower level API has been deprecated
and an EVP_PKEY is becoming the minimum unit of handling keys.

https://github.com/ruby/openssl/commit/74f6c61756
2021-12-20 23:42:01 +09:00
Kazuki Yamaguchi
02a58fbfd1 [ruby/openssl] pkey: do not check NULL argument in ossl_pkey_new()
Passing NULL to ossl_pkey_new() makes no sense in the first place, and
in fact it is ensured not to be NULL in all cases.

https://github.com/ruby/openssl/commit/316cb2a41f
2021-12-20 23:42:00 +09:00
Kazuki Yamaguchi
6ef0f272eb [ruby/openssl] pkey: use OSSL_DECODER to load encrypted PEM on OpenSSL 3.0
OpenSSL 3.0 has rewritten routines to load pkeys (PEM_read_bio_* and
d2i_* functions) around the newly introduced OSSL_DECODER API.

This comes with a slight behavior change. They now decrypt and parse
each encountered PEM block, then check the kind of the block. This used
to be the reverse: they checked the PEM header to see the kind, and then
decrypted the content. This means that the password callback may now be
called repeatedly.

Let's use the OSSL_DECODER API directly on OpenSSL 3.0 so that the
return value from the password callback will be reused automatically.

https://github.com/ruby/openssl/commit/a84ea531bb
2021-12-20 23:42:00 +09:00
Kazuki Yamaguchi
1b5ccc8a0c [ruby/openssl] pkey, ssl: use EVP_PKEY_eq() instead of EVP_PKEY_cmp()
OpenSSL 3.0 renamed EVP_PKEY_cmp() to EVP_PKEY_eq() because that was a
confusing name.

https://github.com/ruby/openssl/commit/d42bd7fcdb
2021-10-25 00:40:47 +09:00
Nobuyoshi Nakada
6920f3dc96 [ruby/openssl] Suppress cast-function-type warnings
https://github.com/ruby/openssl/commit/0f91e2a6ee
2021-09-12 22:49:05 +09:00
Kazuki Yamaguchi
4ebff35971 [ruby/openssl] pkey: implement PKey#sign_raw, #verify_raw, and #verify_recover
Add a variant of PKey#sign and #verify that do not hash the data
automatically.

Sometimes the caller has the hashed data only, but not the plaintext
to be signed. In that case, users would have to use the low-level API
such as RSA#private_encrypt or #public_decrypt directly.

OpenSSL 1.0.0 and later supports EVP_PKEY_sign() and EVP_PKEY_verify()
which provide the same functionality as part of the EVP API. This patch
adds wrappers for them.

https://github.com/ruby/openssl/commit/16cca4e0c4
2021-07-18 17:44:58 +09:00
Kazuki Yamaguchi
cbc560e38f [ruby/openssl] pkey: update version reference in #sign and #verify documentation
The next release is decided to be 3.0 rather than 2.3.

https://github.com/ruby/openssl/commit/b8a434e462
2021-07-18 17:44:58 +09:00
Kazuki Yamaguchi
87458ff2ae [ruby/openssl] pkey: implement PKey#encrypt and #decrypt
Support public key encryption and decryption operations using the EVP
API.

https://github.com/ruby/openssl/commit/75326d4bbc
2021-07-18 17:44:57 +09:00
Kazuki Yamaguchi
5d1693aac5 [ruby/openssl] pkey: implement #to_text using EVP API
Use EVP_PKEY_print_private() instead of the low-level API *_print()
functions, such as RSA_print().

EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.

Note that it falls back to EVP_PKEY_print_public() and
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
type for which _private() fails if the private component is not set in
the pkey object.

Since the new API works in the same way for all key types, we now
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
each subclass.

https://github.com/ruby/openssl/commit/e0b4c56956
2021-07-18 17:44:50 +09:00
Kazuki Yamaguchi
436aecb520 [ruby/openssl] pkey: remove unused ossl_generate_cb_2() helper function
The previous series of commits re-implemented key generation with the
low level API with the EVP API. The BN_GENCB-based callback function is
no longer used.

https://github.com/ruby/openssl/commit/81027b7463
2021-07-18 17:44:50 +09:00
Kazuki Yamaguchi
595644e4f6 [ruby/openssl] pkey: fix interrupt handling in OpenSSL::PKey.generate_key
rb_thread_call_without_gvl() can be interrupted, but it may be able to
resume the operation. Call rb_thread_check_ints() to see if it raises
an exception or not.

https://github.com/ruby/openssl/commit/88b90fb856
2021-07-18 17:44:46 +09:00
Kazuki Yamaguchi
8cfe92b8a2 [ruby/openssl] pkey: allow setting algorithm-specific options in #sign and #verify
Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let
OpenSSL::PKey::PKey#sign and #verify take an optional parameter for
specifying control strings for EVP_PKEY_CTX_ctrl_str().

https://github.com/ruby/openssl/commit/faf85d7c1d
2021-07-18 17:44:46 +09:00
Kazuki Yamaguchi
e2014d0354 [ruby/openssl] pkey: prepare pkey_ctx_apply_options() for usage by other operations
The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used
by key generation, but it is useful for other operations too. Let's
change it to a slightly more generic name.

https://github.com/ruby/openssl/commit/b2b77527fd
2021-07-18 17:44:45 +09:00
Kazuki Yamaguchi
1706302be5 [ruby/openssl] pkey: fix potential memory leak in PKey#sign
Fix potential leak of EVP_MD_CTX object in an error path. This path is
normally unreachable, since the size of a signature generated by any
supported algorithms would not be larger than LONG_MAX.

https://github.com/ruby/openssl/commit/99e8630518
2021-07-18 17:44:44 +09:00
Nobuhiro IMAI
92f19f7bb0 [ruby/openssl] [DOC] Fix RDoc markup
https://github.com/ruby/openssl/commit/f36af95519
2021-03-16 19:16:11 +09:00
Colton Jenkins
c71afc9db7 [ruby/openssl] Add compare? method to OpenSSL::PKey that wraps EVP_PKEY_cmp.
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?

https://github.com/ruby/openssl/commit/0bf51da6e2
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
fbadb01d6e [ruby/openssl] pkey: add PKey::PKey#derive
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.

https://github.com/ruby/openssl/commit/28f0059bea
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
b2dc4880f5 [ruby/openssl] pkey: support 'one-shot' signing and verification
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.

https://github.com/ruby/openssl/commit/ae19454592
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
5cae289682 [ruby/openssl] pkey: port PKey::PKey#sign and #verify to the EVP_Digest* interface
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.

Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.

https://github.com/ruby/openssl/commit/9ff6e5143b
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
1e3590fe22 [ruby/openssl] pkey: add PKey.generate_parameters and .generate_key
Add two methods to create a PKey using the generic EVP interface. This
is useful for the PKey types we don't have a dedicated class.

https://github.com/ruby/openssl/commit/d8e8e57de9
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
498c8e8f17 [ruby/openssl] pkey: assume generic PKeys contain private components
The EVP interface cannot tell whether if a pkey contains the private
components or not. Assume it does if it does not respond to #private?.
This fixes the NoMethodError on calling #sign on a generic PKey.

https://github.com/ruby/openssl/commit/f4c717bcb2
2021-03-16 19:16:11 +09:00
Kazuki Yamaguchi
1f44640677 [ruby/openssl] pkey: refactor #export/#to_pem and #to_der
Add ossl_pkey_export_traditional() and ossl_pkey_export_spki() helper
functions, and use them. This reduces code duplication.

https://github.com/ruby/openssl/commit/56f0d34d63
2021-03-16 19:16:10 +09:00
Kazuki Yamaguchi
707e3d49cb [ruby/openssl] pkey: refactor DER/PEM-encoded string parsing code
Export the flow used by OpenSSL::PKey.read and let the subclasses call
it before attempting other formats.

https://github.com/ruby/openssl/commit/d963d4e276
2021-03-16 19:16:10 +09:00
Kazuki Yamaguchi
efad0166c6 [ruby/openssl] pkey: have PKey.read parse PEM-encoded DHParameter
Try PEM_read_bio_Parameters(). Only PEM format is supported at the
moment since corresponding d2i_* functions are not provided by OpenSSL.

https://github.com/ruby/openssl/commit/867e5c021b
2021-03-16 19:16:10 +09:00
Kazuki Yamaguchi
27859c09a6 [ruby/openssl] pkey: simplify ossl_pkey_new()
ossl_{rsa,dsa,dh,ec}_new() called from this function are not used
anywhere else. Inline them into pkey_new0() and reduce code
duplication.

https://github.com/ruby/openssl/commit/94aeab2f26
2021-03-16 19:16:10 +09:00
Kazuki Yamaguchi
6f008c9d2f [ruby/openssl] pkey: add PKey#inspect and #oid
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.

EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.

Also, implement PKey#inspect to include the key type for convenience.

https://github.com/ruby/openssl/commit/dafbb1b3e6
2020-05-13 15:47:51 +09:00
Bart de Water
0b2c70eaa1 [ruby/openssl] Look up digest by name instead of constant
https://github.com/ruby/openssl/commit/b28fb2f05c
2020-05-13 15:47:51 +09:00
Hiroshi SHIBATA
b99775b163
Import openssl-2.2.0 (#2693)
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
2020-02-16 15:21:29 +09:00
rhe
a0f292bbcd openssl: sync with upstream repository
Sync with the current tip of master branch, 62436385306c of
ruby/openssl.git. Changes can be found at:

	https://github.com/ruby/openssl/compare/v2.1.1...62436385306c

----------------------------------------------------------------
Brian Cunnie (1):
      Correctly verify abbreviated IPv6 SANs

Janko Marohnić (1):
      Reduce memory allocation when writing to SSLSocket

Jeremy Evans (1):
      Move rb_global_variable call to directly after assignment

Kazuki Yamaguchi (7):
      pkcs7: allow recipient's certificate to be omitted for PKCS7#decrypt
      pkey: resume key generation after interrupt
      tool/ruby-openssl-docker: update to latest versions
      test/test_ssl: fix test failure with TLS 1.3
      test/test_x509name: change script encoding to ASCII-8BIT
      x509name: refactor OpenSSL::X509::Name#to_s
      x509name: fix handling of X509_NAME_{oneline,print_ex}() return value

ahadc (1):
      Update CONTRIBUTING.md

nobu (6):
      no ID cache in Init functions
      search winsock libraries explicitly
      openssl: search winsock
      openssl_missing.h: constified
      reduce LibreSSL warnings
      openssl/buffering.rb: no RS when output

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64233 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-08-08 14:13:53 +00:00
nobu
c8094ff154 no ID cache in Init functions
Init functions are called only once, cache is useless.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62429 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-02-16 08:39:48 +00:00
rhe
a55320b093 openssl: import v2.1.0.beta2
Import Ruby/OpenSSL 2.1.0.beta2. The full commit log since commit
e72d960db262 which was imported by r60013 can be found at:

	https://github.com/ruby/openssl/compare/e72d960db262...v2.1.0.beta2

----------------------------------------------------------------
Kazuki Yamaguchi (26):
      bn: use ALLOCV() macro instead of xmalloc()
      appveyor.yml: remove 'openssl version' line
      test/test_ssl_session: skip tests for session_remove_cb
      x509ext: implement X509::Extension#==
      x509attr: implement X509::Attribute#==
      x509cert: implement X509::Certificate#==
      x509revoked: add missing X509::Revoked#to_der
      x509crl, x509revoked: implement X509::{CRL,Revoked}#==
      x509req: implement X509::Request#==
      ssl: extract rb_intern("call")
      cipher: disallow setting AAD for non-AEAD ciphers
      test/test_cipher: fix test_non_aead_cipher_set_auth_data failure
      ssl: fix conflict of options in SSLContext#set_params
      buffering: let #write accept multiple arguments
      pkey: make pkey_check_public_key() non-static
      x509cert, x509crl, x509req, ns_spki: check sanity of public key
      test/envutil: port assert_warning from Ruby trunk
      test/utils: remove a pointless .public_key call in issue_cert
      ssl: add SSLContext#add_certificate
      test/test_ssl: fix test_security_level
      Drop support for LibreSSL 2.4
      kdf: add HKDF support
      test/test_x509cert: fix flaky test
      test/test_x509crl: fix random failure
      History.md: fix a typo
      Ruby/OpenSSL 2.1.0.beta2

Mark Wright (1):
      Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes.

Peter Karman (1):
      Add RSA sign_pss() and verify_pss() methods

aeris (1):
      TLS Fallback Signaling Cipher Suite Value

kazu (1):
      Use caller with length to reduce unused strings

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60907 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-11-25 14:12:08 +00:00
rhe
609103dbb5 openssl: import v2.1.0.beta1
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5
(imported by r59567) can be found at:

	https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1

----------------------------------------------------------------
Antonio Terceiro (1):
      test/test_ssl: explicitly accept TLS 1.1 in corresponding test

Colby Swandale (1):
      document using secure protocol to fetch git master in Bundler

Colton Jenkins (1):
      Add fips_mode_get to return fips_mode

Kazuki Yamaguchi (85):
      Start preparing for 2.1.0
      Remove support for OpenSSL 0.9.8 and 1.0.0
      bn: refine tests
      bn: implement unary {plus,minus} operators for OpenSSL::BN
      bn: implement OpenSSL::BN#negative?
      Don't define main() when built with --enable-debug
      test: let OpenSSL::TestCase include OpenSSL::TestUtils
      test: prepare test PKey instances on demand
      Add OpenSSL.print_mem_leaks
      Enable OSSL_MDEBUG on CI builds
      ssl: move default DH parameters from OpenSSL::PKey::DH
      Make exceptions with the same format regardless of OpenSSL.debug
      ssl: show reason of 'certificate verify error' in exception message
      ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
      ssl: do not confuse different ex_data index registries
      ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
      Fix RDoc markup
      ssl: suppress compiler warning
      ext/openssl/deprecation.rb: remove broken-apple-openssl
      extconf.rb: print informative message if OpenSSL can't be found
      Rakefile: compile the extension before test
      kdf: introduce OpenSSL::KDF module
      ossl.h: add NUM2UINT64T() macro
      kdf: add scrypt
      Expand rb_define_copy_func() macro
      Expand FPTR_TO_FD() macro
      Remove SafeGet*() macros
      cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()
      digest: rename GetDigestPtr() to ossl_evp_get_digestbyname()
      Add ossl_str_new(), an exception-safe rb_str_new()
      bio: simplify ossl_membio2str() using ossl_str_new()
      Remove unused functions and macros
      Drop support for LibreSSL 2.3
      ocsp: add OpenSSL::OCSP::Request#signed?
      asn1: infinite length -> indefinite length
      asn1: rearrange tests
      ssl: remove a needless NULL check in SSL::SSLContext#ciphers
      ssl: return nil in SSL::SSLSocket#cipher if session is not started
      asn1: remove an unnecessary function prototype
      asn1: require tag information when instantiating generic type
      asn1: initialize 'unused_bits' attribute of BitString with 0
      asn1: check for illegal 'unused_bits' value of BitString
      asn1: disallow NULL to be passed to asn1time_to_time()
      asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid
      asn1: allow constructed encoding with definite length form
      asn1: prohibit indefinite length form for primitive encoding
      asn1: allow tag number to be >= 32 for universal tag class
      asn1: use ossl_asn1_tag()
      asn1: clean up OpenSSL::ASN1::Constructive#to_der
      asn1: harmonize OpenSSL::ASN1::*#to_der
      asn1: prevent EOC octets from being in the middle of the content
      asn1: do not treat EOC octets as part of content octets
      x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
      ssl: do not call session_remove_cb during GC
      Backport "Merge branch 'topic/test-memory-leak'" to maint
      cipher: update the documentation for Cipher#auth_tag=
      Rakefile: let sync:to_ruby know about test/openssl/fixtures
      test: fix formatting
      test/utils: remove OpenSSL::TestUtils.silent
      test/utils: add SSLTestCase#tls12_supported?
      test/utils: have start_server yield only the port number
      test/utils: do not set ecdh_curves in start_server
      test/utils: let server_loop close socket
      test/utils: improve error handling in start_server
      test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
      test/utils: do not use DSA certificates in SSL tests
      test/test_ssl: remove test_invalid_shutdown_by_gc
      test/test_ssl: move test_multibyte_read_write to test_pair
      test/test_ssl_session: rearrange tests
      test/test_pair, test/test_ssl: fix for TLS 1.3
      ssl: remove useless call to rb_thread_wait_fd()
      ssl: fix NPN support
      ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private
      ssl: use 2048-bit group in the default tmp_dh_cb
      ssl: ensure that SSL option flags are non-negative
      ssl: update OpenSSL::SSL::OP_* flags
      ssl: prefer TLS_method() over SSLv23_method()
      ssl: add SSLContext#min_version= and #max_version=
      ssl: rework SSLContext#ssl_version=
      test/test_x509name: change script encoding to ASCII-8BIT
      x509name: refactor OpenSSL::X509::Name#to_s
      x509name: add OpenSSL::X509::Name#to_utf8
      x509name: add OpenSSL::X509::Name#inspect
      x509name: update regexp in OpenSSL::X509::Name.parse
      Ruby/OpenSSL 2.1.0.beta1

Marcus Stollsteimer (1):
      Fix rdoc for core Integer class

nobu (4):
      [DOC] {read,write}_nonblock with exception: false
      [DOC] keyword argument _exception_
      [DOC] mark up literals
      Revert r57690 except for read_nonblock

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59734 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03 12:35:27 +00:00
rhe
df94c66f71 openssl: import v2.0.5
Import Ruby/OpenSSL 2.0.5. The full commit history since v2.0.4
(imported at r59081) can be found at:

	https://github.com/ruby/openssl/compare/v2.0.4...v2.0.5

This will fix the test failure on latest Debian sid and the "no
OPENSSL_Applink" issue on mswin.

----------------------------------------------------------------
Kazuki Yamaguchi (11):
      test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params
      bio: prevent possible GC issue in ossl_obj2bio()
      bio: do not use the FILE BIO method in ossl_obj2bio()
      Rakefile: install_dependencies: install only when needed
      appveyor.yml: test against Ruby 2.4
      ossl_pem_passwd_cb: relax passphrase length constraint
      ossl_pem_passwd_cb: do not check for taintedness
      ossl_pem_passwd_cb: handle nil from the block explicitly
      ssl: remove unsupported TLS versions from SSLContext::METHODS
      ssl: fix compile error with OpenSSL 1.0.0
      Ruby/OpenSSL 2.0.5

Lars Kanis (1):
      Add msys2 library dependency tag in gem metadata

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-08-10 09:23:45 +00:00
rhe
b7458f20ff openssl: import v2.0.2
Import Ruby/OpenSSL 2.0.2. This release contains only bugfixes. The full
commit log since 2.0.1 (imported at r57041) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.1...v2.0.2

----------------------------------------------------------------
Kazuki Yamaguchi (5):
      ssl: check for SSL_CTX_clear_options()
      Rename functions in openssl_missing.c
      ssl: use SSL_SESSION_get_protocol_version()
      pkey: allow instantiating OpenSSL::PKey::PKey with unsupported key type
      Ruby/OpenSSL 2.0.2

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57146 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-22 01:43:41 +00:00
rhe
aab0d67a1f openssl: import v2.0.0
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30 14:41:46 +00:00