On Debian 9 (“stretch”) the `OPENSSL_NO_STATIC_ENGINE` macro is not
defined, which causes all the `#if HAVE_ENGINE_LOAD_…` directives to
fail with `error: 'HAVE_ENGINE_LOAD_…' is not defined, evaluates to 0
[-Werror,-Wundef]` while building TruffleRuby.
We can accomplish the same thing with `#ifdef`, which (of course) works
fine when the `HAVE_ENGINE_LOAD…` macros are also undefined.
Upstreamed from oracle/truffleruby#2255, which fixed
oracle/truffleruby#2254.
https://github.com/ruby/openssl/commit/65e2adf1ac
ASN1_dup() will not copy the 'pkey' field of a PKCS7_SIGNER_INFO object
by design; it is a temporary field kept until the PKCS7 structure is
finalized. Let's bump reference counter of the pkey in the original
object and use it in the new object, too.
This commit also removes PKCS7#add_signer's routine to add the
content-type attribute as a signed attribute automatically. This
behavior was not documented or tested. This change should not break any
working user code since the method was completely useless without the
change above.
https://github.com/ruby/openssl/commit/20ca7a27a8
Although the manpage says that BIGNUM functions return 0 on error,
OpenSSL versions before 1.0.2n and current LibreSSL versions may return
-1 instead.
Note that the implementation of OpenSSL::BN#mod_inverse is extracted
from BIGNUM_2c() macro as it didn't really share the same function
signature with others.
https://github.com/ruby/openssl/commit/9b59f34345
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3
doesn't advertise this by default, even though it will use TLS 1.3
in both client and server modes.
Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining
TLS1_3_VERSION by itself fixes 1 test failure. A few tests now
fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version,
and this adjusts those tests. The client CA test doesn't work in
LibreSSL 3.2+, so I've marked that as pending.
For the hostname verification, LibreSSL 3.2.2+ has a new stricter
hostname verifier that doesn't like subjectAltName such as
c*.example.com and d.*.example.com, so adjust the related tests.
With these changes, the tests pass on LibreSSL 3.2/3.3.
https://github.com/ruby/openssl/commit/a0e98d48c9
The form created an empty EC_GROUP object with the specified EC_METHOD.
However, the feature was unfinished and not useful in any way because
OpenSSL::PKey::EC::Group did not implement wrappers for necessary
functions to set actual parameters for the group, namely
EC_GROUP_set_curve() family.
EC_GROUP object creation with EC_METHOD explicitly specified is
deprecated in OpenSSL 3.0, as it was apparently not intended for use
outside OpenSSL.
It is still possible to create EC_GROUP, but without EC_METHOD
explicitly specified - OpenSSL chooses the appropriate EC_METHOD for
the curve type. The OpenSSL::PKey::EC::Group.new(<:GFp|:GF2m>, p, a, b)
form will continue to work.
https://github.com/ruby/openssl/commit/df4bec841f
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by
LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not
supported by any non-EOL versions of OpenSSL.
The wrapper was initially implemented in Ruby 2.3 and has been
deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit
warning with rb_warn().
https://github.com/ruby/openssl/commit/ee037e1460
Undo special treatment of nil and simply pass the value to
StringValueCStr().
nil was never a valid argument for the method; OpenSSL::X509::StoreError
with an unhelpful error message "system lib" was raised in that case.
https://github.com/ruby/openssl/commit/fb2fcbb137
SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer)
and verify_hostname expects either true or false. However, they are set
to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising.
Set a proper value to them by default: verify_mode is set to
OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by
default.
Note that this does not change the default behavior. The certificate
verification was never performed unless verify_mode is set to
OpenSSL::SSL::VERIFY_PEER by a user. The same applies to
verify_hostname.
https://github.com/ruby/openssl/commit/87d869352c
Explicitly check for type given some conflicting statements within openssl's
documentation around EVP_PKEY_cmp and EVP_PKEY_ASN1_METHOD(3).
Add documentation with an example for compare?
https://github.com/ruby/openssl/commit/0bf51da6e2
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
has been discouraged and is being marked as deprecated starting from
OpenSSL 3.0.0.
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
are now in lib/openssl/hmac.rb.
https://github.com/ruby/openssl/commit/0317e2fc02
Deprecate it for future removal. However, I do not expect any
application is affected by this.
The other form of calling it, PKey::EC::Point#mul(bn [, bn]) remains
untouched.
PKey::EC::Point#mul calls EC_POINTs_mul(3) when multiple BNs
are given as an array. LibreSSL 2.8.0 released on 2018-08 removed the
feature and OpenSSL 3.0 which is planned to be released in 2020 will
also deprecate the function as there is no real use-case.
https://github.com/ruby/openssl/commit/812de4253d
Add OpenSSL::PKey::PKey#derive as the wrapper for EVP_PKEY_CTX_derive().
This is useful for pkey types that we don't have dedicated classes, such
as X25519.
https://github.com/ruby/openssl/commit/28f0059bea
OpenSSL 1.1.1 added EVP_DigestSign() and EVP_DigestVerify() functions
to the interface. Some EVP_PKEY methods such as PureEdDSA algorithms
do not support the streaming mechanism and require us to use them.
https://github.com/ruby/openssl/commit/ae19454592
Use EVP_DigestSign*() and EVP_DigestVerify*() interface instead of the
old EVP_Sign*() and EVP_Verify*() functions. They were added in OpenSSL
1.0.0.
Also, allow the digest to be specified as nil, as certain EVP_PKEY types
don't expect a digest algorithm.
https://github.com/ruby/openssl/commit/9ff6e5143b
The EVP interface cannot tell whether if a pkey contains the private
components or not. Assume it does if it does not respond to #private?.
This fixes the NoMethodError on calling #sign on a generic PKey.
https://github.com/ruby/openssl/commit/f4c717bcb2
Merge the code into the callers so that the wrapping Ruby object is
allocated before the raw key object is allocated. This prevents possible
memory leak on Ruby object allocation failure, and also reduces the
lines of code.
https://github.com/ruby/openssl/commit/1eb1366615
Now that OpenSSL::Config wraps a real CONF object, the caller can just
borrow it rather than creating a new temporary CONF object. CONF object
is usually treated as immutable.
DupConfigPtr() is now removed, and GetConfig() is exported instead.
https://github.com/ruby/openssl/commit/d9064190ca
Revert OpenSSL::Config to using the OpenSSL API and remove our own
parser implementation for the config file syntax.
OpenSSL::Config now wraps a CONF object. Accessor methods deal with the
object directly rather than Ruby-level internal state.
This work is based on the old C code we used before 2010.
https://github.com/ruby/openssl/commit/c891e0ea89
Remove 4 deprecated methods.
The following two methods have been marked as deprecated since 2003,
by r4531 (ruby.git commit 78ff3833fb).
- OpenSSL::Config#value
- OpenSSL::Config#section
Other two methods are removed because the corresponding functions
disappeared in OpenSSL 1.1.0.
- OpenSSL::Config#add_value
- OpenSSL::Config#[]=
https://github.com/ruby/openssl/commit/9783d7f21c
Allow specifying just length to #update
CCM mode ciphers need to specify the total plaintext or ciphertext
length to EVP_CipherUpdate.
Update the link to the tests file
Define Cipher#ccm_data_len= for CCM mode ciphers
Add a unit test for CCM mode
Also check CCM is authenticated when testing
https://github.com/ruby/openssl/commit/bb3816953b
This lets us cast a Fiddle::Function to a block, allowing is to write
things like:
```ruby
f = Fiddle::Function.new(@libc['strcpy'], [TYPE_VOIDP, TYPE_VOIDP], TYPE_VOIDP)
define_method :strcpy, &f
```
* Rename `rb_scheduler` to `rb_fiber_scheduler`.
* Use public interface if available.
* Use `rb_check_funcall` where possible.
* Don't use `unblock` unless the fiber was non-blocking.
Stop using logarithm to compute the number of components.
Instead, use the theoretical maximum number of components for buffer,
and count up the actual number of components during conversion.
https://github.com/ruby/bigdecimal/commit/9067b353ac
This value should either be pinned, or looked up when needed at runtime.
Without pinning, the GC may move the encoding object, and that could
cause a crash.
In this case it is easier to find the value at runtime, and there is no
performance penalty (as Ruby caches encoding indexes). We can shorten
the code, be compaction friendly, and incur no performance penalty.
Using dtoa of mode=0, we can determine the number of digits in decimal that is
necessary to represent the given Float number without errors.
This change permits digits=0 in BigDecimal(flt) and Float#to_d, and these
methods use dtoa of mode=0 when the given digits is 0.
Internal implicit conversion from Float also uses digits=0.
[Fix GH-70]
https://github.com/ruby/bigdecimal/commit/2dbe170e35
constant cache `IC` is accessed by non-atomic manner and there are
thread-safety issues, so Ruby 3.0 disables to use const cache on
non-main ractors.
This patch enables it by introducing `imemo_constcache` and allocates
it by every re-fill of const cache like `imemo_callcache`.
[Bug #17510]
Now `IC` only has one entry `IC::entry` and it points to
`iseq_inline_constant_cache_entry`, managed by T_IMEMO object.
`IC` is atomic data structure so `rb_mjit_before_vm_ic_update()` and
`rb_mjit_after_vm_ic_update()` is not needed.
* Use the wrapper of rb_cObject instead of data access
* Replaced rest of extentions
* Updated the version guard for Data
* Added the version guard of rb_cData
Stop BigDecimal-specific optimization. Instead, it tries the conversion
methods in the following order:
1. `try_convert`,
2. `new`, and
3. class-named function, e.g. `Foo::Bar.Baz` function for `Foo::Bar::Baz` class
If all the above candidates are unavailable, it fallbacks to Float.
* remove duplicated include
* Make BigDecimal#round with argument < 1 return Integer
Fixes [Bug #12780]
* Use a higher default precision for BigDecimal#power and #**
When a fractional power is given, increase the precision if the
precision isn't specified via power's second argument:
Float: increase by 15 (rough number of decimal precision in float)
BigDecimal: increase by adding similar precision modifier as done to
calculate the base precision.
Rational: double the precision, since a BigDecimal is created, but
the created BigDecimal uses the same precision.
Increasing the precision for these power calculations has the obvious
tradeoff of making the calculations slower.
Fixes Ruby Bug #17264
* Use DBLE_FIG for a Float value
* Version 2.0.1
Co-authored-by: pavel <pavel.rosicky@easy.cz>
Co-authored-by: Jeremy Evans <code@jeremyevans.net>
I don't use tool/sync_default_gem.rb because the last sync was incomplete.
Co-authored-by: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Co-authored-by: Alan Wu <XrXr@users.noreply.github.com>
Co-authored-by: sinisterchipmunk <sinisterchipmunk@gmail.com>
Co-authored-by: Sutou Kouhei <kou@clear-code.com>
getaddrinfo_a() gets stuck after fork().
To avoid this, we need 1 second sleep to wait for internal
worker threads of getaddrinfo_a() to be finished, but that is unacceptable.
[Bug #17220] [Feature #17134] [Feature #17187]
Previously, rb_getaddrinfo_a_before_exec() is called from before_exec().
However, the function needs to be called only before fork().
The change moves it to before_fork().
We need stop worker threads in getaddrinfo_a() before fork().
This change adds a hook before fork() that cancel all outstanding requests
and wait for all ongoing requests. Then, it waits for all worker
threads to be finished.
Fixes [Bug #17220]
If a buffer keyword argument is given, it is used as the buffer,
instead of creating new strings. This can result in significantly
lower memory usage during inflation.
Implements #19https://github.com/ruby/zlib/commit/dac9a9b57d
This commit deletes
{IO,ARGF,StringIO,Zib::GZipReader}#{bytes,chars,lines,codepoints}, which
have been deprecated since c47c095b97.
Note that String also has those methods. They are neither depreacted
nor deleted because they are not aliases of counterpart each_something.
The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose
use has been discouraged for years for multiple reasons.
A long-standing issue on a FIPS-enabled system is that using ::Digest
results in crashing the Ruby process, because the low-level API lacks
the mechanism to report an error (the policy violation) and thus kills
the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will
deprecate it for future removal[3]. Compiling with
-Wdeprecated-declarations will start to emit warnings.
A proper fix for this is to make it use the EVP API instead. This is a
non-trivial work as it requires backwards-incompatible changes to the
framework interface of Digest::Base and rb_digest_metadata_t.
It is more than 15 years ago that the openssl library became part of the
standard library. It has implemented the exactly same functionality as
OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not
much point in having an identical code in the digest library. Let's
just get rid of OpenSSL within digest. This leaves the C implementations
and the CommonCrypto engine for Apple systems.
A patch is being prepared for the openssl library to provide ::Digest
constants for better performance[4].
[1] https://bugs.ruby-lang.org/issues/6946
[2] https://bugs.ruby-lang.org/issues/13681
[3] https://www.openssl.org/docs/OpenSSL300Design.html
[4] https://github.com/ruby/openssl/pull/377
Fixes [Feature #13381]
When passed a `fake_str`, `register_fstring` would create new strings
with `str_new_static`. That's not what was expected, and answer
almost no use cases.
* memory_view.c: remove a reference in view->obj at rb_memory_view_release
* memory_view.c: keep references of memory-view-exported objects
* Update common.mk
* memory_view.c: Use st_update
* cast to suppress C4267 warnings; no possible loss of data as
following the comparison.
* shift base address to suppress LNK4281; although /DYNAMICBASE is
preferable, not sure from which version of link.exe supports it.
This commits adds in documentation to illustrate the different modes you
can start coverage with. Examples are provided to show how to start each
of these modes, along with an explanation of the mode and a description
of the output.
* Add a "pinning" reference
A `Fiddle::Pinned` objects will prevent the objects they point to from
moving. This is useful in the case where you need to pass a reference
to a C extension that keeps the address in a global and needs the
address to be stable.
For example:
```ruby
class Foo
A = "hi" # this is an embedded string
some_c_function A # A might move!
end
```
If `A` moves, then the underlying string buffer may also move.
`Fiddle::Pinned` will prevent the object from moving:
```ruby
class Foo
A = "hi" # this is an embedded string
A_pinner = Fiddle::Pinned.new(A) # :nodoc:
some_c_function A # A can't move because of `Fiddle::Pinned`
end
```
This is a similar strategy to what Graal uses:
https://www.graalvm.org/sdk/javadoc/org/graalvm/nativeimage/PinnedObject.html#getObject--
* rename global to match exception name
* Introduce generic Fiddle::Error and rearrange error classes
Fiddle::Error is the generic exception base class for Fiddle exceptions.
This commit introduces the class and rearranges Fiddle exceptions to
inherit from it.
https://github.com/ruby/fiddle/commit/ac52d00223
Add rb_fiddle_ prefix to conversion functions.h to keep backward
compatibility but value_to_generic() isn't safe for TYPE_CONST_STRING
and not String src. Use rb_fiddle_value_to_generic() instead.
https://github.com/ruby/fiddle/commit/0ffcaa39e5
To make some kind of Ractor related extensions, some functions
should be exposed.
* include/ruby/thread_native.h
* rb_native_mutex_*
* rb_native_cond_*
* include/ruby/ractor.h
* RB_OBJ_SHAREABLE_P(obj)
* rb_ractor_shareable_p(obj)
* rb_ractor_std*()
* rb_cRactor
and rm ractor_pub.h
and rename srcdir/ractor.h to srcdir/ractor_core.h
(to avoid conflict with include/ruby/ractor.h)