Age | Commit message | Author |
|
A follow-up to commit https://github.com/ruby/openssl/commit/27e11f2d1dcd and https://github.com/ruby/openssl/commit/07eceb7f6326. The PKCS7 object
must be freed before raising an exception.
https://github.com/ruby/openssl/commit/172eee4665
|
|
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may contain zero or more
than one URIs.
Let's include all URIs found in the extension. If only non-URI pointers
are found, return nil.
Fixes: https://github.com/ruby/openssl/issues/775
https://github.com/ruby/openssl/commit/71f4fef2fa
|
|
https://github.com/ruby/openssl/commit/d3c8e661e8
|
|
This is a follow-up to commit e5860e565467cb330f2c7b9ae140a1e4b89c0b71.
|
|
in order to import or define the RUBY_TYPED_FROZEN_SHAREABLE macro.
https://github.com/ruby/openssl/commit/b8504c2215
|
|
Require that users explicitly specify the desired algorithm. In my
opinion, we are not in a position to specify the default cipher.
When OpenSSL::PKCS7.encrypt is given only two arguments, it uses
"RC2-40-CBC" as the symmetric cipher algorithm. 40-bit RC2 is a US
export-grade cipher and considered insecure.
Although this is technically a breaking change, the impact should be
minimal. Even when OpenSSL is compiled with RC2 support and the macro
OPENSSL_NO_RC2 is not defined, it will not actually work on modern
systems because RC2 is part of the legacy provider.
https://github.com/ruby/openssl/commit/439f456bfa
|
|
The SSL ex_data index is used for storing the verify_callback Proc. The
only user of it, ossl_ssl_verify_callback(), can find the callback by
looking at the SSLContext object which is always known.
https://github.com/ruby/openssl/commit/3a3d6e258b
|
|
https://github.com/ruby/openssl/commit/26370636f3
Co-authored-by: Olle Jonsson <[email protected]>
|
|
https://github.com/ruby/openssl/commit/93c7bf52ac
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/11967
Merged-By: nobu <[email protected]>
|
|
(https://github.com/ruby/openssl/pull/770)
Instead of an ivar, so other ossl functions that take a store will use the correct time when verifying
https://github.com/ruby/openssl/commit/21aadc66ae
|
|
The function is not used anywhere outside of ossl_asn1.c.
https://github.com/ruby/openssl/commit/5392b79941
|
|
OpenSSL::ASN1 is being rewritten in Ruby. To make it easier, let's
remove the dependency on the instance variables and the internal-use
function ossl_asn1_get_asn1type() outside OpenSSL::ASN1.
This also fixes the insufficient validation of the passed value with
its tagging.
https://github.com/ruby/openssl/commit/35a157462e
|
|
Companion to getbyte but raise EOFError
Similar to https://github.com/ruby/openssl/pull/438
https://github.com/ruby/openssl/commit/c40f70711a
|
|
to have as much of the lib in ruby as possible
https://github.com/ruby/openssl/commit/8305051728
|
|
(https://github.com/ruby/openssl/pull/761)
In order to sign certificates with Ed25519 keys, NULL must be passed
as md to X509_sign. This NULL is then passed
(via ASN1_item_sign_ex) as type to EVP_DigestSignInit. The
documentation[1] of EVP_DigestSignInit states that type must be NULL
for various key types, including Ed25519.
[1]: https://www.openssl.org/docs/manmaster/man3/EVP_DigestSignInit.html
https://github.com/ruby/openssl/commit/b0fc100091
|
|
Update the references to the file "LICENCE" with "COPYING".
The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.
In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).
[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING
https://github.com/ruby/openssl/commit/5bccf07d04
|
|
This is for consistency with ruby/ruby.
https://github.com/ruby/openssl/commit/00ad542791
|
|
ruby/openssl is licensed under the terms of either the Ruby License or
the 2-Clause BSD License.
The git repository and built .gem files always contained the license
text for both licenses, but the metadata in the gemspec only specified
the Ruby License. Let's include both.
https://github.com/ruby/openssl/commit/c71714d738
|
|
Ref https://github.com/ruby/openssl/issues/519
This makes verifying embedded certificate transparency signatures
significantly easier, as otherwise the alternative was manipulating the
ASN1 sequence, as in
https://github.com/segiddins/sigstore-cosign-verify/pull/2/commits/656d992fa816613fd9936f53ce30972c2f2f4957
https://github.com/ruby/openssl/commit/99128bea5d
|
|
maciter
This test was accidentally passing the value 2048 into the keytype
parameter of PKCS12_create, not the mac_iter parameter (because it had
one too many `nil`s in the call). This value is invalid, and will make
OpenSSL perform an out-of-bounds read which is caught when compiling
with ASAN.
This commit fixes the tests, and also adds some validation to
PKCS12.create to make sure any keytype passed is actually valid. Since
there are only two valid keytype constants, and the whole feature is an
export-grade crypto era thing only ever supported by old MSIE, it seems
far more likely that code in the wild is using keytype similarly by
mistake rather than as intended. So this validation might catch that.
https://github.com/ruby/openssl/commit/47028686d2
|
|
https://github.com/ruby/openssl/commit/71cd1e3f5c
|
|
To be consistent with regular Ruby IOs:
```ruby
r, _ = IO.pipe
buf = "garbage".b
r.read_nonblock(10, buf, exception: false) # => :wait_readable
p buf # => "garbage"
```
Ref: https://github.com/redis-rb/redis-client/commit/98b8944460a11f8508217bda71cfc10cb2190d4d
https://github.com/ruby/openssl/commit/08452993d6
|
|
PKCS7.read_smime
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
https://github.com/ruby/openssl/commit/07eceb7f63
Co-authored-by: pkuzco <[email protected]>
Co-authored-by: Kazuki Yamaguchi <[email protected]>
|
|
Fixes [Bug #19974]
[pkuzco: expanded the fix for other content types]
[ky: adjusted formatting and the exception type]
https://github.com/ruby/openssl/commit/27e11f2d1d
Co-authored-by: pkuzco <[email protected]>
Co-authored-by: Kazuki Yamaguchi <[email protected]>
|
|
OpenSSL::Cipher#update currently allocates the output buffer with size
(input data length)+(the block size of the cipher). This is insufficient
for the id-aes{128,192,256}-wrap-pad (AES keywrap with padding) ciphers.
They have a block size of 8 bytes, but the output may be up to 15 bytes
larger than the input.
Use (input data length)+EVP_MAX_BLOCK_LENGTH (== 32) as the output
buffer size, instead. OpenSSL doesn't provide a generic way to tell the
maximum required buffer size for ciphers, but this is large enough for
all algorithms implemented in current versions of OpenSSL.
Fixes: https://bugs.ruby-lang.org/issues/20236
https://github.com/ruby/openssl/commit/3035559f54
|
|
This causes significant performance issues when using large (>10meg) writes
Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbytes/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utilization.
https://github.com/ruby/openssl/commit/d4389b425d
|
|
i2d_ASN1_TYPE() is not expected to fail, but the return value should be
checked.
https://github.com/ruby/openssl/commit/21ed3c310e
|
|
https://github.com/ruby/openssl/commit/79e6dead6e
|
|
https://github.com/ruby/openssl/commit/08dd3c73b7
|
|
https://github.com/ruby/openssl/commit/0697f2f8b4
|
|
https://github.com/ruby/openssl/commit/c8377eaf8d
|
|
https://github.com/ruby/openssl/commit/c99d24cee9
|
|
|
|
We use the following site for that now:
* https://tools.ietf.org/ or http
* https://datatracker.ietf.org or http
Today, IETF said the official site of RFC is www.rfc-editor.org.
FYI: https://authors.ietf.org/en/references-in-rfcxml
I replaced them with www.rfc-editor.org.
|
|
truffle/openssl-prefix on TruffleRuby"
* This reverts commit https://github.com/ruby/openssl/commit/ca738e7e1357.
* No longer needed since https://github.com/oracle/truffleruby/issues/3170 was fixed.
https://github.com/ruby/openssl/commit/1f641a5604
|
|
(https://github.com/ruby/openssl/pull/714)
* Add support for IO#timeout.
https://github.com/ruby/openssl/commit/3bbf5178a9
|
|
Both Red Hat and Debian-like systems configure the minimum TLS version
to be 1.2 by default, but allow users to change this via configs.
On Red Hat and derivatives this happens via crypto-policies[1], which in
turn writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
Most notably, it sets TLS.MinProtocol there. For Debian there's
MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
considered a secure default.
In contrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
for min_version. TLS 1.0 and 1.1 are considered insecure. By always
setting this in the default parameters, the system wide default can't be
respected, even if a developer wants to.
This takes the approach that's also done for ciphers: it's only set for
OpenSSL < 1.1.0.
[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
https://github.com/ruby/openssl/commit/ae215a47ae
|
|
https://github.com/ruby/openssl/commit/8aa3849cff
|
|
https://github.com/ruby/openssl/commit/39eaa9f677
|
|
https://github.com/ruby/openssl/commit/dc26433ae5
|
|
https://github.com/ruby/openssl/commit/6b3dd6a372
|
|
* Reword the description in README for more clarity.
* Add a compatibility matrix of our stable branches and explain the
maintenance policy.
* Remove the obsolete paragraph for how to use the gem in Ruby 2.3,
which is no longer supported.
https://github.com/ruby/openssl/commit/7691034fcb
|
|
OID string
Instead of looking up NIDs and then using X509V3_EXT_nconf_nid,
just pass strings to X509V3_EXT_nconf, which has all the logic for
dealing with generic extensions.
Also process the oid through ln2nid() to retain compatibility.
[rhe: tweaked commit message and added a test case]
https://github.com/ruby/openssl/commit/9f15741331
|
|
`port` should be called on the `ocsp_uri` URI instead of `ocsp`, which
is just a string.
https://github.com/ruby/openssl/commit/89a1c82dd0
|
|
(https://github.com/ruby/openssl/pull/586)
String#unpack1 avoids the intermediate array created by String#unpack
for single elements, while also making a call to Array#first/[0]
unnecessary.
https://github.com/ruby/openssl/commit/8eb0715a42
|
|
parameters
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
bit length DH-key", 2016-01-15) as the fallback.
While there is no known weakness in the current parameters, it would be
a good idea to switch to pre-defined, more well audited parameters.
This also allows the fallback to work in the FIPS mode.
The PEM encoding was derived with:
```ruby
require "openssl"

# RFC 7919 Appendix A.1. ffdhe2048
print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
886B4238 61285C97 FFFFFFFF FFFFFFFF
END
```
https://github.com/ruby/openssl/commit/a5527cb4f4
|
|
Prefer ``slice!`` for ``Buffering#consume_rbuff`` and safe navigation with ``ord`` for ``Buffering#getbyte``, similar to ``each_byte``.
https://github.com/ruby/openssl/commit/5f6abff178
|
|
Remove the OSSL_DEBUG flag and OpenSSL.mem_check_start which is only
compiled when the flag is given. They are meant purely for development
of Ruby/OpenSSL.
OpenSSL.mem_check_start helped us find memory leak bugs in the past, but
it is no longer working with the recent OpenSSL versions. Let's just
remove it now.
https://github.com/ruby/openssl/commit/8c7a6a17e2
|
|
This is a workaround for the decoding issue in ossl_pkey_read_generic().
The issue happens in the case that a key management provider is different from
a decoding provider.
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
to avoid the issue.
https://github.com/ruby/openssl/commit/db688fa739
|