| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows
context switches. We must prevent other threads from modifying the
string buffer.
We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily
prohibit modification of the string.
|
|
|
|
|
|
|
|
| |
Since a blocking SSLSocket#syswrite call allows context switches while
waiting for the underlying socket to be ready, we must freeze the string
buffer to prevent other threads from modifying it.
Reference: https://github.com/ruby/openssl/issues/452
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
* See https://bugs.ruby-lang.org/issues/18025
and https://github.com/ruby/ruby/pull/4629
(cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
Run the test case only when the OpenSSL supports both TLS 1.1 and TLS
1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and
not for 1.3.
Fixes: https://github.com/ruby/openssl/issues/336
(cherry picked from commit 6f2e6d7cf777b378b3b51c239abecb4e4af49824)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
"test_close_after_socket_close" checks if ssl.close is no-op even after
the wrapped socket is closed. The test itself is fair, but the other
endpoint that is reading the SSL connection may fail with SSLError:
"SSL_read: unexpected eof while reading" in some environments:
https://github.com/ruby/ruby/actions/runs/60085389 (MinGW)
https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz
```
1) Failure:
OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]:
exceptions on 1 threads:
SSL_read: unexpected eof while reading
```
This changeset rescues and ignores the SSLError in the test.
(cherry picked from commit 96a481b5728c12d6b5f4d99040ad2c77443c94a2)
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
Fixed misspellings reported at [Bug #16437], for default gems.
(cherry picked from commit ruby/ruby@e68999c82c4863d33a6f893661fba1b7538c5671)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a combined commit of the following commits by mame and nobu:
- 0d7d8b2989e1 ("ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations", 2019-12-05)
- c3abbc1b2f52 ("ext/openssl/extconf.rb: check with -Werror=deprecated-declarations", 2019-12-05)
-Werror=deprecated-declarations should only be used while checking
available features, and not for compiling the extension itself.
This is a backport to the 2.1 branch from ruby.git. Note that current
master (targeting 3.0) completely removed ext/openssl/deprecation.rb.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): register the static
variable to grab an internal object, before creating the object.
otherwise the just-created object could get collected during the
global variable list allocation. [Bug #16196]
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): prefer
`rb_gc_register_mark_object`, which is better for constant
objects, over `rb_gc_register_address` for global/static
variables which can be re-assigned at runtime. [Bug #16196]
(cherry picked from commit ruby/ruby@203b7fa1ae8cc40d41c38d684f70b3fea7fae813 and
commit ruby/ruby@9c0cd5c569ba22bc68d1a77ad6580a275cd99639)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to suppress a warning in OpenBSD.
[ This is a backport to the 2.1 branch. ]
```
ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types]
SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
^
1 warning generated.
```
(cherry picked from commit ruby/ruby@06a04a1aa3fbf9132c61f4ced9582c36c96d3f65)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
We can check the function pointer passed to rb_define_module_function
like how we do so in rb_define_method. The difference is that this
changeset reveales lots of atiry mismatches.
(cherry picked from commit ruby/ruby@7b6fde4258e700c0e0292bb091aa84a5e473342e)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
After 5e86b005c0f2ef30df2f9906c7e2f3abefe286a2, I now think ANYARGS is
dangerous and should be extinct. This commit makes rb_iterate free
from ANYARGS.
(cherry picked from commit ruby/ruby@3cae73133cfec7d5ec3f8058ec647d5163578003)
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
(cherry picked from commit ruby/ruby@80da68db1e770c877782cdf571d96fd89e7774dd)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190606T171708Z.fail.html.gz
https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190607T051708Z.fail.html.gz
(cherry picked from commit ruby/ruby@7e403dc6c84356e83c02538e76cc70ac789921ac and
commit ruby/ruby@75751dca2b9f573db923cecd9767e9174fb69a98)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
The test fails when using OpenSSL 1.1 that supports TLS1.3.
To make it pass, this change restricts max_version to TLS1.2.
We may need more work for TLS1.3.
(cherry picked from commit 133487fbccaae399c7ac7f97f92412db4ee8d305)
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
OpenSSL 1.1.1 seems to require at least 2048 bits for CA's private keys.
(cherry picked from commit 37b9e49db3087dad20019f6fd7c80c3b4b013d9d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
Some systems enforce a system-wide policy to restrict key sizes used in
SSL/TLS. Use larger ones if possible so that the test suite runs
successfully.
New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added
to the tree, and SSL tests now use them instead of the fixed-size keys.
Reference: https://github.com/ruby/openssl/issues/215
(cherry picked from commit 5ba99ad7ae1267ed964f53906530579299f3fcc6)
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
Call IO.select with a timeout value and limit the number of retries to
prevent stacking forever.
Reference: https://github.com/ruby/openssl/issues/214
(cherry picked from commit b0bcb19cb4f95d260c5993df0aaa3667522fb99d)
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
(cherry picked from commit ruby/ruby@3c77ef9adc567af58e27c62db35d618f3b3069d2)
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
OpenSSL::BN.new(nil, 2) dumped core.
[ruby-core:92231] [Bug #15760]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@82632d4c0c117a7728293ff955e3527487230bc1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
_REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined
on some architectures
[ This is a backport to the 2.1 branch. ]
* ext/openssl/ossl.h: include errno.h after ruby.h
* include/ruby/io.h: include errno.h after ruby/config.h
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@3385395796127878887bce015431b830fed82c4e)
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@f83b08755dc7775f7cd8fab0a94516c2641e478d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
[Fix GH-1958]
From: Jun Aruga <jaruga@redhat.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Suppress more -Wparentheses warnings
[Fix GH-1958]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this is a combined patch of r64806-r64808.]
Sync-with-trunk: r64808
(cherry picked from commit 01b23fa8eee2ff9cc4ef5f6fabca6d999e0979c2)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.
Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).
As an example, the IPv6 loopback address, if represented as `::1`, would
not verify. Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations. The library would only accept
a very specific representation (i.e. `0:0:0:0:0:0:0:1`).
This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.
(cherry picked from commit 9322a104d16b02c7a79f9ab589859c9d63fabf52)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
At the moment OpenSSL::Buffering#do_write allocates some additional
strings, and in my profiling writing 5MB of data allocates additional
7.7MB of strings.
This patch greatly reduces memory allocations, and now writing 5MB of
data allocates only additional 0.2MB of strings. This means that large
file uploads would effectively not allocate additional memory anymore.
Reference: https://bugs.ruby-lang.org/issues/14426
Reference: https://github.com/ruby/ruby/pull/1924
(cherry picked from commit 251b5be20d5b58c27490f44cdeb6e655f9be6f19)
|
|
|
|
|
|
|
|
|
|
|
| |
[ This is a backport to the 2.1 branch. ]
* ext/openssl/lib/openssl/buffering.rb (do_write, puts): output
methods should not be affected by the input record separator.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62038
(cherry picked from commit 3f6e30e53ce8050375955322e170612e1de099b1)
|
| |
|
|\
| |
| | |
bn: check -1 return from BIGNUM functions
|
|/
|
|
|
|
|
|
|
|
| |
Although the manpage says that BIGNUM functions return 0 on error,
OpenSSL versions before 1.0.2n and current LibreSSL versions may return
-1 instead.
Note that the implementation of OpenSSL::BN#mod_inverse is extracted
from BIGNUM_2c() macro as it didn't really share the same function
signature with others.
|
|
|
|
|
|
|
|
|
|
|
| |
Let ext/openssl/extconf.rb find the correct OpenSSL installation from
the default include/library paths.
Since some time ago, the test environment contains another OpenSSL
installation and pkg-config from Mingw-w64. However, as pkg-config is
not available in RubyInstaller (Ruby 2.3), simply invoking pkg-config
command from our ext/openssl/extconf.rb ends up with picking up
Mingw-w64's OpenSSL, which is incompatible with RI.
|
|\
| |
| | |
ssl: retry write on EPROTOTYPE on macOS
|
|/
|
|
|
|
|
|
|
|
| |
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write.
However, on macOS, send(2) which is called via SSL_write() can
occasionally return EPROTOTYPE. Retry SSL_write() so that we get a
proper error, just as ext/socket does.
Reference: https://bugs.ruby-lang.org/issues/14713
Reference: https://github.com/ruby/openssl/issues/227
|
|\
| |
| | |
x509store: fix memory leak in X509::StoreContext.new
|
|/
|
|
|
| |
The certificate passed as the second argument was not properly free'd
in the error paths.
|
|
|
|
|
|
| |
.github/workflows/test.yml is copied from current master's (last update
by commit 0a2e8c67f252), and then the LibreSSL versions to run test with
are adjusted for Ruby/OpenSSL 2.1.
|
|
|
|
|
|
|
|
| |
[ Original commit is 4e9801dff855 in 2.2.0. This is a backport to
the 2.1 branch. ]
LibreSSL 2.8.0+ does not support multiple elements in the first
argument.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.0:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| |\
| | |
| | | |
ssl: set verify error code in the case of verify_hostname failure
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the verify_hostname option is enabled, the hostname verification is
done before calling verify_callback provided by the user.
The callback should be notified of the hostname verification failure.
OpenSSL::X509::StoreContext's error code must be set to an appropriate
value rather than OpenSSL::X509::V_OK.
If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >=
1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.
Reference: https://github.com/ruby/openssl/issues/244
Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
|
| |
| |
| |
| |
| | |
Add missing constant declarations for certificate verification flags and
the error codes, to match with OpenSSL 1.1.1.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.0 branch. ]
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
(cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
|
| |
| |
| |
| |
| |
| |
| | |
[ Originally landed on as commit b4e96fc4abc3. This is a backport to the
2.0 branch. ]
`RB_PASS_KEYWORDS` is not always available.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
[ Originally landed on ruby.git as commit 3959469f240e, then was merged
into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to
the 2.0 branch. ]
It's unlikely anyone would actually hit these. The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.
|
| |\
| | |
| | | |
config: support .include directive
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208
|
| | | |
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
Ruby/OpenSSL 2.0.9
needs openssl/opensslv.h
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in
openssl/opensslv.h. fix up r64101.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r64236
|
| |\ \
| | |/
| |/|
| | |
| | | |
* ky/x509name-cmp-bugfix:
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=>
could return 0 when the two objects aren't identical.
Reported by Tyler Eckstein. CVE-2018-16395.
Reference: https://hackerone.com/reports/387250
|