| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |\
| |
| | |
x509name: update regexp in OpenSSL::X509::Name.parse
|
| | |
| |
| |
| |
| |
| |
| | |
Allow the attribute value to contain ',', just as the openssl utility's
parse_name() function does.
Fixes: https://github.com/ruby/openssl/issues/39
|
| |\ \
| |/
|/| |
Add X509::Name#to_utf8 and #inspect
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The existing #to_s does not interact well with distinguished names
containing multi-byte UTF-8 characters since the OpenSSL function
X509_NAME_print_ex() escapes bytes with MSB set by default.
Unfortunately we can't fix it without breaking backwards compatibility.
It takes options as a bit field that is directly passed to
X509_NAME_print_ex(). Let's add a new method instead.
Fixes: https://github.com/ruby/openssl/issues/26
|
| | |
| |
| |
| |
| |
| |
| | |
Extract the body into a function in preparation for adding #to_utf8.
Also a potential memory leak is fixed: the GetX509Name() macro can
raise TypeError.
|
| | |
| |
| |
| | |
Allow string literals containing UTF-8 characters.
|
| |\ \
| | |
| | | |
ssl: add SSLContext#min_version= and #max_version=
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports, use
SSL_CTX_set_{min,max}_proto_version() that do the exact thing.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.
The new methods are meant to replace the deprecated #ssl_version= that
cannot support multiple protocol versions.
SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL 1.1.0 replaced SSLv23_method() with TLS_method(). SSLv23_method
which still exists in 1.1.0, as a macro around TLS_method, will
eventually be removed. Use the new name if possible.
|
| | | |
| | |
| | |
| | |
| | | |
Reorder, expand ossl_ssl_def_const() macro so RDoc can parse and render
better, and add new flags that are in recent versions of OpenSSL.
|
| |/ /
| |
| |
| |
| |
| | |
SSL_CTX_{get,set,clear}_options() are made separate functions and they
now treat flags as unsigned long. Fix possible RangeError on platforms
with sizeof(long)==4.
|
| | |
| |
| |
| |
| |
| | |
The 'keylen' parameter of the tmp_dh_callback is only meaningful when
'is_export' is non-zero. Ignore them and just return the default
2048-bit DH group.
|
| | |
| |
| |
| |
| |
| | |
Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from
OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used
directly.
|
| |/
|
|
|
|
|
|
|
| |
As of commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0",
2016-11-30), ext/openssl/extconf.rb don't check for existence of
SSL_CTX_set_next_proto_select_cb() function, but the code still refers
to the HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB macro. NPN is available in
all supported versions of OpenSSL and LibreSSL, unless it's disabled by
their configure options. Check OPENSSL_NO_NEXTPROTONEG macro instead.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This also restores 'if defined?(OpenSSL)-end' wrapping the test code.
They have been removed erroneously by commit 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
* maint:
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
ssl: remove useless call to rb_thread_wait_fd()
test/test_pair, test/test_ssl: fix for TLS 1.3
test/test_ssl_session: rearrange tests
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl: remove test_invalid_shutdown_by_gc
test/utils: do not use DSA certificates in SSL tests
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: improve error handling in start_server
test/utils: let server_loop close socket
test/utils: do not set ecdh_curves in start_server
test/utils: have start_server yield only the port number
test/utils: add SSLTestCase#tls12_supported?
test/utils: remove OpenSSL::TestUtils.silent
test: fix formatting
Rakefile: let sync:to_ruby know about test/openssl/fixtures
cipher: update the documentation for Cipher#auth_tag=
Backport "Merge branch 'topic/test-memory-leak'" to maint
ssl: do not call session_remove_cb during GC
|
| | |\
| | |
| | | |
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
|
| | |/
| |
| |
| |
| |
| | |
OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in
order to test that TLS 1.1 works, we need to explicitly make our test
client accept it.
|
| | |\
| | |
| | | |
ssl: remove useless call to rb_thread_wait_fd()
|
| | | |
| | |
| | |
| | |
| | |
| | | |
That there is no immediately readable data in the SSL instance does not
imply it has to read more bytes from the underlying socket. Just call
SSL_read() and check the return value.
|
| | |\ \
| | |/
| |/| |
Fix test failures with TLS 1.3-capable OpenSSL
|
| | | |
| | |
| | |
| | | |
Fix test cases failing with TLS 1.3-enabled OpenSSL master.
|
| | | |
| | |
| | |
| | |
| | | |
Use TLS 1.2 explicitly where needed, since TLS 1.3 will remove session
ID based session resumption.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The very patch that added this test case made the dfree function not
send close_notify alert when an SSLSocket is being GCed.
Anyway, the new OSSL_GC_STRESS option added by 6ee4b285036e ("test: run
test cases under GC.stress if OSSL_GC_STRESS is specified", 2016-12-04)
will cover this kind of issues.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
LibreSSL 2.6.1 removed DSA support from its SSL code. Also, TLS 1.3 will
not support DSA certificates. Use an RSA certificate as the client
certificate in the tests, too.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Add methods that check whether the running OpenSSL is an OpenSSL or a
LibreSSL, and optionally check whether the version is newer or equal to
the given version number.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
start_server can hang if the given block exits before closing sockets
that the block opens. While this is a carelessness of the caller, we
can do a better job.
|
| | | |
| | |
| | |
| | |
| | | |
Close the socket by server_loop rather than by server_proc. This reduces
code duplication.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
An assumption in OpenSSL::TestSSL#test_get_ephemeral_key is that the
ephemeral key type is always EVP_PKEY_EC when negotiated with an ECDHE
cipher suite. This is not true if X25519 is chosen.
The test is passing because we happen to fix the group to P-256 in
start_server, but let's make it explicit.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The block passed to start_server is invoked with two arguments, the
running thread object for the server and the automatically-selected port
number. The first argument is completely useless and actually is not
used anywhere.
|
| | | |
| | |
| | |
| | |
| | | |
Add a method that returns whether the OpenSSL supports TLS 1.2 or not.
This will be useful for test cases that are specific to TLS ~1.2.
|
| | | |
| | |
| | |
| | |
| | | |
Use EnvUtil.suppress_warning instead. We have started to use it already,
and the name 'suppress_warning' expresses what it does more clearly.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Fix wrong nesting in test/utils.rb. Remove unnecessary requires. Wrap
the code with 'if defined?(OpenSSL::TestUtils) ~ end' and avoid class
definition with modifier if.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* topic/test-memory-leak:
Enable OSSL_MDEBUG on CI builds
Add OpenSSL.print_mem_leaks
test: prepare test PKey instances on demand
test: let OpenSSL::TestCase include OpenSSL::TestUtils
Don't define main() when built with --enable-debug
(cherry picked from commit 5c586acc387834ab4e09260937dc21064fc59de4)
Note that fix for new test cases that use the old constants removed by
this is squashed in.
|
| | |/
| |
| |
| |
| |
| |
| | |
The authentication tag can be set after starting the decryption, if
only it is before Cipher#final is called.
Fixes: https://github.com/ruby/openssl/issues/74
|
| | |
| |
| |
| |
| |
| |
| | |
As noted in the SSL_CTX_sess_set_remove_cb(3) manpage, SSL_CTX_free()
will call the callback function for each session in the internal session
store. We can't call the callback Proc since it may do a new object
allocation which is prohibited during GC.
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.5
ssl: fix compile error with OpenSSL 1.0.0
ssl: remove unsupported TLS versions from SSLContext::METHODS
Add msys2 library dependency tag in gem metadata
ossl_pem_passwd_cb: handle nil from the block explicitly
ossl_pem_passwd_cb: do not check for taintedness
ossl_pem_passwd_cb: relax passphrase length constraint
appveyor.yml: test against Ruby 2.4
Rakefile: install_dependencies: install only when needed
bio: do not use the FILE BIO method in ossl_obj2bio()
bio: prevent possible GC issue in ossl_obj2bio()
test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
OpenSSL <= 1.0.0 did not support TLS 1.1/1.2, and thus we must still
check the existence of the symbols. This fixes the previous commit,
3e5a009966bd ("ssl: remove unsupported TLS versions from
SSLContext::METHODS", 2017-08-08).
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check for all version-specific SSL methods. We do check for existence of
TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This
fixes compile error when OpenSSL is configured with no-tls1-method.
Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL
supports the corresponding versions or not. This prevents :TLSv1 from
being in SSLContext::METHODS when OpenSSL is compiled with no-tls1.
In particular, Debian sid has disabled TLS 1.0/1.1 support recently.
The changes in ext/openssl are partial backport of 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
|
| | |\
| | |
| | | |
Add msys2 library dependency tag in gem metadata
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RubyInstaller2 supports metadata tags for installation of dependent
MSYS2/MINGW libraries. The openssl gem requires the mingw-openssl
package to be installed on the system, which the gem installer takes
care about, when this tag is set.
The feature is documented here:
https://github.com/oneclick/rubyinstaller2/wiki/For-gem-developers#msys2-library-dependency
This fixes issues like
https://github.com/oneclick/rubyinstaller2/issues/54 and
https://github.com/oneclick/rubyinstaller2/issues/53 .
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | | |
* ky/pem-passwd-cb-get-rid-of-minlen:
ossl_pem_passwd_cb: handle nil from the block explicitly
ossl_pem_passwd_cb: do not check for taintedness
ossl_pem_passwd_cb: relax passphrase length constraint
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is code that returns nil in the passphrase block on purpose (to
prevent OpenSSL from prompting on stdin):
OpenSSL::PKey.read(File.read("file.pem")) { nil }
This is working just by chance because the TypeError from StringValue()
is silently ignored. Let's short circuit in that case and save raising
a needless exception, as this pattern has become too common.
|
| | | |
| | |
| | |
| | | |
It is perfectly permissible to take passwords from an untrusted source.
|
| | |/
| |
| |
| |
| |
| | |
The minimum passphrase length of 4 bytes is only a limitation of
PEM_def_callback() which isn't relevant here. Commit f38501249f33
introduced this bug.
|
