Commit graph

1000 commits

Author SHA1 Message Date
Nobuyoshi Nakada
d2bf6133f6
Remove trailing spaces [ci skip] 2020-07-20 13:34:16 +09:00
Kazuki Yamaguchi
87662134b5 [ruby/openssl] Ruby/OpenSSL 2.2.0
41587f69e1
2020-05-13 15:47:51 +09:00
Kazuki Yamaguchi
cc26638cae [ruby/openssl] ssl: temporarily remove SSLContext#add_certificate_chain_file
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.

My comment on #257:

> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdba40c5 was not really
> useful. The issue is described in #305. #309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by #320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is #288, and
> it's still cooking.

This effectively reverts the following commits:

 - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
 - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)

ea925619a9
2020-05-13 15:47:51 +09:00
Kazuki Yamaguchi
6f008c9d2f [ruby/openssl] pkey: add PKey#inspect and #oid
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.

EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.

Also, implement PKey#inspect to include the key type for convenience.

dafbb1b3e6
2020-05-13 15:47:51 +09:00
Bart de Water
a7145c3de4 [ruby/openssl] Fix signing example to not use Digest instance
033fb4fbe4
2020-05-13 15:47:51 +09:00
Bart de Water
c85789f9b2 [ruby/openssl] Look up cipher by name instead of constant
b08ae7e73d
2020-05-13 15:47:51 +09:00
Bart de Water
b44cc9f040 [ruby/openssl] Remove 'mapping between Digest class and sn/ln'
This is not present in the referenced files anymore, and not useful to most users

eae30d2b96
2020-05-13 15:47:51 +09:00
Bart de Water
0b2c70eaa1 [ruby/openssl] Look up digest by name instead of constant
b28fb2f05c
2020-05-13 15:47:51 +09:00
Bart de Water
3f8665fe0e [ruby/openssl] Add Marshal support to PKey objects
c4374ff041
2020-05-13 15:47:51 +09:00
Yusuke Endoh
3bca1b6aad ext/openssl/ossl.h: Remove a variable that is used only in assert
It produces "unused variable" warnings in NDEBUG mode
2020-05-13 13:45:31 +09:00
卜部昌平
9e41a75255 sed -i 's|ruby/impl|ruby/internal|'
To fix build failures.
2020-05-11 09:24:08 +09:00
卜部昌平
d7f4d732c1 sed -i s|ruby/3|ruby/impl|g
This shall fix compile errors.
2020-05-11 09:24:08 +09:00
Nobuyoshi Nakada
d8720eb7de
Suppress -Wshorten-64-to-32 warnings 2020-04-08 16:28:38 +09:00
卜部昌平
9e6e39c351
Merge pull request #2991 from shyouhei/ruby.h
Split ruby.h
2020-04-08 13:28:13 +09:00
Kazuki Yamaguchi
e4a26cd4f8 openssl: sync with upstream repository
Import current master (2c43241dc0ed) of ruby/openssl.git.

Below are the commits that were made since the last batch at commit
b99775b163 (ruby/openssl.git commit f49e7110ca1e). Note that some of
them have been applied already.

----------------------------------------------------------------
Benoit Daloze (1):
      Remove redundant and ignored workflow file

DBL-Lee (1):
      add support for SHA512_256/SHA512_224

Hiroshi SHIBATA (2):
      Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
      Fixed inconsistency directory structure with ruby/ruby repo

Jeremy Evans (2):
      Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
      Remove taint support

Kazuki Yamaguchi (26):
      config: support .include directive
      random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
      extconf.rb: get rid of -Werror=deprecated-declarations
      test/openssl/test_ssl: skip test_fallback_scsv if necessary
      ts: simplify OpenSSL::Timestamp::Request#algorithm
      History.md: add missing references to GitHub issues
      config: deprecate OpenSSL::Config#add_value and #[]=
      test/openssl/test_ssl: remove sleep from test_finished_messages
      test/openssl/test_ssl: fix random failure in SSLSocket.open test
      test/openssl/test_ssl: avoid explicitly-sized private keys
      test/openssl/test_ssl: remove commented-out test case
      test/openssl/test_ssl: allow kRSA tests to fail
      ssl: avoid declarations after statements
      engine: revert OpenSSL::Engine.load changes for cloudhsm
      engine: remove really outdated static engines
      engine: do not check for ENGINE_load_builtin_engines()
      engine: fix guards for 'dynamic' and 'cryptodev' engines
      lib/openssl.rb: require openssl/version.rb
      x509: add error code and verify flags constants
      ssl: set verify error code in the case of verify_hostname failure
      .github/workflows: merge CI jobs into a single workflow
      .github/workflows: test against different OpenSSL versions
      .travis.yml: fully migrate to GitHub Actions
      ssl: suppress test failure with SSLContext#add_certificate_chain_file
      ssl: remove test case test_puts_meta from test_pair
      Revert "Use version.rb in gemspec"

MSP-Greg (2):
      .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
      Use version.rb in gemspec

Samuel Williams (1):
      Restore compatibility with older versions of Ruby.

Yusuke Endoh (1):
      Make OpenSSL::OSSL#test_memcmp_timing robust
2020-03-10 17:41:01 +09:00
Kazuki Yamaguchi
99b191d83f [ruby/openssl] ts: simplify OpenSSL::Timestamp::Request#algorithm
Stop the special treatment of invalid hashAlgorithm of the message
imprint. Those invalid values can only appear after the object is
instantiated, before the user sets an actual message digest algorithm.

OpenSSL::Timestamp::TokenInfo#algorithm already does the same.

Also, remove the test case "test_create_request" since it does not make
much sense. Those fields are to be set by the user after creation of
the object and checking the initial value is pointless.

Fixes: https://github.com/ruby/openssl/issues/335

890a6476fa
2020-02-17 20:50:47 +09:00
Yusuke Endoh
0b55f8a14f ext/openssl/extconf.rb: avoid -Werror=deprecated-declarations
It fails to build on Solaris:

20200216T090008Z.log.html.gz
```
ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内:
ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations]
  228 |  EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
      |  ^~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:73,
                 from /usr/include/openssl/x509v3.h:63,
                 from ossl.h:23,
                 from ossl_cipher.c:10:
/usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています
  732 | DEPRECATED const EVP_MD *EVP_md5(void);
      |                          ^~~~~~~
```
2020-02-16 19:14:23 +09:00
Hiroshi SHIBATA
b99775b163
Import openssl-2.2.0 (#2693)
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
2020-02-16 15:21:29 +09:00
Hiroshi SHIBATA
2ef8d5beee
ext/openssl/ossl_ssl.c: nodoc for private methods
[Misc #11712][ruby-core:71565]
2019-12-29 21:09:15 +08:00
Nobuyoshi Nakada
c3abbc1b2f
ext/openssl/extconf.rb: check with -Werror=deprecated-declarations
This reverts commit 0d7d8b2989,
but restores `$warnflags` without the flag, to get rid of using
deprecated functions.
2019-12-05 18:23:01 +09:00
Yusuke Endoh
0d7d8b2989 ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations
It fails to build on Solaris:

```
ossl_cipher.c: 関数 ‘ossl_cipher_init’ 内:
ossl_cipher.c:228:2: エラー: ‘EVP_md5’ is deprecated [-Werror=deprecated-declarations]
  228 |  EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
      |  ^~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:73,
                 from /usr/include/openssl/x509v3.h:63,
                 from ossl.h:23,
                 from ossl_cipher.c:10:
/usr/include/openssl/evp.h:732:26: 備考: ここで宣言されています
  732 | DEPRECATED const EVP_MD *EVP_md5(void);
      |                          ^~~~~~~
```

I agree that `-Werror=` is a good habit, but adding it by default is too
aggressive.
2019-12-05 14:45:45 +09:00
Jeremy Evans
afbd8f384a [ruby/openssl] Remove taint support
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
2019-11-18 01:00:25 +02:00
Jeremy Evans
ffd0820ab3 Deprecate taint/trust and related methods, and make the methods no-ops
This removes the related tests, and puts the related specs behind
version guards.  This affects all code in lib, including some
libraries that may want to support older versions of Ruby.
2019-11-18 01:00:25 +02:00
Jeremy Evans
c5c05460ac Warn on access/modify of $SAFE, and remove effects of modifying $SAFE
This removes the security features added by $SAFE = 1, and warns for access
or modification of $SAFE from Ruby-level, as well as warning when calling
all public C functions related to $SAFE.

This modifies some internal functions that took a safe level argument
to no longer take the argument.

rb_require_safe now warns, rb_require_string has been added as a
version that takes a VALUE and does not warn.

One public C function that still takes a safe level argument and that
this doesn't warn for is rb_eval_cmd.  We may want to consider
adding an alternative method that does not take a safe level argument,
and warn for rb_eval_cmd.
2019-11-18 01:00:25 +02:00
Nobuyoshi Nakada
9c0cd5c569
Prefer rb_gc_register_mark_object
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): prefer
  `rb_gc_register_mark_object`, which is better for constant
  objects, over `rb_gc_register_address` for global/static
  variables which can be re-assigned at runtime.  [Bug #16196]
2019-10-10 19:59:21 +09:00
Nobuyoshi Nakada
203b7fa1ae
Guard static variable first
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): register the static
  variable to grab an internal object, before creating the object.
  otherwise the just-created object could get collected during the
  global variable list allocation.  [Bug #16196]
2019-10-10 16:25:28 +09:00
Yusuke Endoh
06a04a1aa3 ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0
to suppress a warning in OpenBSD.

```
ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types]
        SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
                                     ^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here
    SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
                   ^
1 warning generated.
```
2019-10-05 19:08:23 +09:00
Jeremy Evans
3959469f24 Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
It's unlikely anyone would actually hit these.  The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.
2019-09-26 08:01:53 -07:00
卜部昌平
7b6fde4258 drop-in type check for rb_define_module_function
We can check the function pointer passed to rb_define_module_function
like how we do so in rb_define_method.  The difference is that this
changeset reveals lots of arity mismatches.
2019-08-29 18:34:09 +09:00
卜部昌平
3cae73133c rb_iterate now takes rb_block_call_func_t
After 5e86b005c0, I now think ANYARGS is
dangerous and should be extinct.  This commit makes rb_iterate free
from ANYARGS.
2019-08-27 15:52:26 +09:00
Dmitry Petrashko
b6cfacc85d
Remove dependency on openssl/conf_api.h
None of the functions defined in this header are actually used in Ruby.
Fixes build against boringssl that does not have this file.
Closes: https://github.com/ruby/ruby/pull/2210
2019-08-04 09:25:32 +09:00
Yusuke Endoh
80da68db1e Add a /* fall through */ comment 2019-07-14 23:36:23 +09:00
Nobuyoshi Nakada
715955ff27
Include ruby/assert.h in ruby/ruby.h so that assertions can be there 2019-07-14 17:58:03 +09:00
Nobuyoshi Nakada
331eccf3fe
Removed useless freezes from gemspec files 2019-07-13 07:25:54 +09:00
Nobuyoshi Nakada
fd9f26df00
Drop fossil rubygems support 2019-07-13 07:25:54 +09:00
Nobuyoshi Nakada
143581cf4e
Removed stub lines from gemspec files 2019-07-13 07:25:51 +09:00
mame
82632d4c0c ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGV
OpenSSL::BN.new(nil, 2) dumped core.

[ruby-core:92231] [Bug #15760]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-04-10 12:57:39 +00:00
svn
481481b81a * expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67500 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-04-10 09:16:00 +00:00
kazu
25c1fd3b90 Reverting all commits from r67479 to r67496 because of CI failures
Because it is hard to specify commits related to r67479 only.
So please commit again.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67499 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-04-10 09:15:21 +00:00
svn
0cc2ffbc1b * expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67498 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-04-10 08:03:48 +00:00
mame
83fc324d1d ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGV
OpenSSL::BN.new(nil, 2) dumped core.

[ruby-core:92231] [Bug #15760]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67497 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-04-10 08:03:47 +00:00
nobu
3d1c86a26f Removed moving toplevel header since r12501
Moving public headers was 12 years ago; no depend files would
expect ruby.h in the top source directory now.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67033 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2019-02-08 02:46:22 +00:00
odaira
3385395796 errno.h must be included after config.h because config.h might define
_REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined
on some architectures

* ext/openssl/ossl.h: include errno.h after ruby.h

* include/ruby/io.h: include errno.h after ruby/config.h

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-11-21 20:39:09 +00:00
kazu
f83b08755d Fix call-seq of OpenSSL.fips_mode and WIN32OLE_METHOD#name [ci skip]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-11-01 07:25:50 +00:00
rhe
93bc102727 openssl: sync with upstream repository
Import current master (01b23fa8eee2) of ruby/openssl.git.

----------------------------------------------------------------
Kazuki Yamaguchi (3):
      x509name: fix OpenSSL::X509::Name#{cmp,<=>}
      Ruby/OpenSSL 2.0.9
      Ruby/OpenSSL 2.1.2

nobu (2):
      needs openssl/opensslv.h
      Remove -Wno-parentheses flag.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65139 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-10-18 00:24:49 +00:00
nobu
0d95805c2e Suppress more -Wparentheses warnings
[Fix GH-1958]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-09-21 10:31:11 +00:00
svn
2def52500f * expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-09-21 10:19:14 +00:00
nobu
7e9ee35fb8 Remove -Wno-parentheses flag.
[Fix GH-1958]

From: Jun Aruga <jaruga@redhat.com>

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-09-21 10:19:10 +00:00
nobu
a6cb85524c needs openssl/opensslv.h
* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in
  openssl/opensslv.h.  fix up r64101.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-08-08 15:36:28 +00:00
rhe
a0f292bbcd openssl: sync with upstream repository
Sync with the current tip of master branch, 62436385306c of
ruby/openssl.git. Changes can be found at:

	https://github.com/ruby/openssl/compare/v2.1.1...62436385306c

----------------------------------------------------------------
Brian Cunnie (1):
      Correctly verify abbreviated IPv6 SANs

Janko Marohnić (1):
      Reduce memory allocation when writing to SSLSocket

Jeremy Evans (1):
      Move rb_global_variable call to directly after assignment

Kazuki Yamaguchi (7):
      pkcs7: allow recipient's certificate to be omitted for PKCS7#decrypt
      pkey: resume key generation after interrupt
      tool/ruby-openssl-docker: update to latest versions
      test/test_ssl: fix test failure with TLS 1.3
      test/test_x509name: change script encoding to ASCII-8BIT
      x509name: refactor OpenSSL::X509::Name#to_s
      x509name: fix handling of X509_NAME_{oneline,print_ex}() return value

ahadc (1):
      Update CONTRIBUTING.md

nobu (6):
      no ID cache in Init functions
      search winsock libraries explicitly
      openssl: search winsock
      openssl_missing.h: constified
      reduce LibreSSL warnings
      openssl/buffering.rb: no RS when output

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64233 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2018-08-08 14:13:53 +00:00