aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ssl: temporary lock string buffer while readingky/ssl-sysread-syswrite-protect-bufferKazuki Yamaguchi2021-09-271-5/+16
| | | | | | | | | Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows context switches. We must prevent other threads from modifying the string buffer. We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily prohibit modification of the string.
* ssl: create a temporary frozen string buffer when writingKazuki Yamaguchi2021-09-271-5/+5
| | | | | | | | Since a blocking SSLSocket#syswrite call allows context switches while waiting for the underlying socket to be ready, we must freeze the string buffer to prevent other threads from modifying it. Reference: https://github.com/ruby/openssl/issues/452
* Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSLBenoit Daloze2021-09-271-2/+3
| | | | | | | | | [ This is a backport to the 2.1 branch. ] * See https://bugs.ruby-lang.org/issues/18025 and https://github.com/ruby/ruby/pull/4629 (cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
* test/openssl/test_ssl: skip test_fallback_scsv if necessaryKazuki Yamaguchi2021-09-261-0/+4
| | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Run the test case only when the OpenSSL supports both TLS 1.1 and TLS 1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and not for 1.3. Fixes: https://github.com/ruby/openssl/issues/336 (cherry picked from commit 6f2e6d7cf777b378b3b51c239abecb4e4af49824)
* test/openssl/test_ssl.rb: ignore SSLError when the connection is closedYusuke Endoh2021-09-261-1/+6
| | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] "test_close_after_socket_close" checks if ssl.close is no-op even after the wrapped socket is closed. The test itself is fair, but the other endpoint that is reading the SSL connection may fail with SSLError: "SSL_read: unexpected eof while reading" in some environments: https://github.com/ruby/ruby/actions/runs/60085389 (MinGW) https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz ``` 1) Failure: OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]: exceptions on 1 threads: SSL_read: unexpected eof while reading ``` This changeset rescues and ignores the SSLError in the test. (cherry picked from commit 96a481b5728c12d6b5f4d99040ad2c77443c94a2)
* Fixed misspellingsNobuyoshi Nakada2021-09-261-8/+8
| | | | | | | | [ This is a backport to the 2.1 branch. ] Fixed misspellings reported at [Bug #16437], for default gems. (cherry picked from commit ruby/ruby@e68999c82c4863d33a6f893661fba1b7538c5671)
* ext/openssl/extconf.rb: do not use -Werror=deprecated-declarationsKazuki Yamaguchi2021-09-262-2/+7
| | | | | | | | | | | | | This is a combined commit of the following commits by mame and nobu: - 0d7d8b2989e1 ("ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations", 2019-12-05) - c3abbc1b2f52 ("ext/openssl/extconf.rb: check with -Werror=deprecated-declarations", 2019-12-05) -Werror=deprecated-declarations should only be used while checking available features, and not for compiling the extension itself. This is a backport to the 2.1 branch from ruby.git. Note that current master (targeting 3.0) completely removed ext/openssl/deprecation.rb.
* Guard static variable firstNobuyoshi Nakada2021-09-261-1/+1
| | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] * ext/openssl/ossl_asn1.c (Init_ossl_asn1): register the static variable to grab an internal object, before creating the object. otherwise the just-created object could get collected during the global variable list allocation. [Bug #16196] * ext/openssl/ossl_asn1.c (Init_ossl_asn1): prefer `rb_gc_register_mark_object`, which is better for constant objects, over `rb_gc_register_address` for global/static variables which can be re-assigned at runtime. [Bug #16196] (cherry picked from commit ruby/ruby@203b7fa1ae8cc40d41c38d684f70b3fea7fae813 and commit ruby/ruby@9c0cd5c569ba22bc68d1a77ad6580a275cd99639)
* ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0Yusuke Endoh2021-09-261-1/+1
| | | | | | | | | | | | | | | | | | to suppress a warning in OpenBSD. [ This is a backport to the 2.1 branch. ] ``` ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types] SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb); ^~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, ^ 1 warning generated. ``` (cherry picked from commit ruby/ruby@06a04a1aa3fbf9132c61f4ced9582c36c96d3f65)
* drop-in type check for rb_define_module_function卜部昌平2021-09-261-1/+1
| | | | | | | | | | [ This is a backport to the 2.1 branch. ] We can check the function pointer passed to rb_define_module_function like how we do so in rb_define_method. The difference is that this changeset reveales lots of atiry mismatches. (cherry picked from commit ruby/ruby@7b6fde4258e700c0e0292bb091aa84a5e473342e)
* rb_iterate now takes rb_block_call_func_t卜部昌平2021-09-261-1/+1
| | | | | | | | | | [ This is a backport to the 2.1 branch. ] After 5e86b005c0f2ef30df2f9906c7e2f3abefe286a2, I now think ANYARGS is dangerous and should be extinct. This commit makes rb_iterate free from ANYARGS. (cherry picked from commit ruby/ruby@3cae73133cfec7d5ec3f8058ec647d5163578003)
* Add a /* fall through */ commentYusuke Endoh2021-09-261-0/+1
| | | | | | [ This is a backport to the 2.1 branch. ] (cherry picked from commit ruby/ruby@80da68db1e770c877782cdf571d96fd89e7774dd)
* test/openssl/utils.rb: Extend the timeoutYusuke Endoh2021-09-261-2/+3
| | | | | | | | | | [ This is a backport to the 2.1 branch. ] https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190606T171708Z.fail.html.gz https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190607T051708Z.fail.html.gz (cherry picked from commit ruby/ruby@7e403dc6c84356e83c02538e76cc70ac789921ac and commit ruby/ruby@75751dca2b9f573db923cecd9767e9174fb69a98)
* test/test_ssl.rb: Use TLS1.2Yusuke Endoh2021-09-261-0/+5
| | | | | | | | | | [ This is a backport to the 2.1 branch. ] The test fails when using OpenSSL 1.1 that supports TLS1.3. To make it pass, this change restricts max_version to TLS1.2. We may need more work for TLS1.3. (cherry picked from commit 133487fbccaae399c7ac7f97f92412db4ee8d305)
* test/test_ssl.rb: Use larger keysYusuke Endoh2021-09-261-1/+1
| | | | | | | | [ This is a backport to the 2.1 branch. ] OpenSSL 1.1.1 seems to require at least 2048 bits for CA's private keys. (cherry picked from commit 37b9e49db3087dad20019f6fd7c80c3b4b013d9d)
* test: use larger keys for SSL testsKazuki Yamaguchi2021-09-268-21/+186
| | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Some systems enforce a system-wide policy to restrict key sizes used in SSL/TLS. Use larger ones if possible so that the test suite runs successfully. New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added to the tree, and SSL tests now use them instead of the fixed-size keys. Reference: https://github.com/ruby/openssl/issues/215 (cherry picked from commit 5ba99ad7ae1267ed964f53906530579299f3fcc6)
* test/test_pair: fix deadlock in test_connect_accept_nonblockKazuki Yamaguchi2021-09-261-29/+22
| | | | | | | | | | [ This is a backport to the 2.1 branch. ] Call IO.select with a timeout value and limit the number of retries to prevent stacking forever. Reference: https://github.com/ruby/openssl/issues/214 (cherry picked from commit b0bcb19cb4f95d260c5993df0aaa3667522fb99d)
* Ignore warnings about ambiguous first argument with the negative integer.Hiroshi SHIBATA2021-09-261-6/+6
| | | | | | [ This is a backport to the 2.1 branch. ] (cherry picked from commit ruby/ruby@3c77ef9adc567af58e27c62db35d618f3b3069d2)
* ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGVmame2021-09-261-2/+5
| | | | | | | | | | | [ This is a backport to the 2.1 branch. ] OpenSSL::BN.new(nil, 2) dumped core. [ruby-core:92231] [Bug #15760] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e (cherry picked from commit ruby/ruby@82632d4c0c117a7728293ff955e3527487230bc1)
* errno.h must be included after config.h because config.h might defineodaira2021-09-261-1/+1
| | | | | | | | | | | | | | _REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined on some architectures [ This is a backport to the 2.1 branch. ] * ext/openssl/ossl.h: include errno.h after ruby.h * include/ruby/io.h: include errno.h after ruby/config.h git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e (cherry picked from commit ruby/ruby@3385395796127878887bce015431b830fed82c4e)
* Fix call-seq of OpenSSL.fips_mode and WIN32OLE_METHOD#name [ci skip]kazu2021-09-261-1/+1
| | | | | | | [ This is a backport to the 2.1 branch. ] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e (cherry picked from commit ruby/ruby@f83b08755dc7775f7cd8fab0a94516c2641e478d)
* Remove -Wno-parentheses flag.nobu2021-09-265-9/+11
| | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] [Fix GH-1958] From: Jun Aruga <jaruga@redhat.com> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e * expand tabs. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Suppress more -Wparentheses warnings [Fix GH-1958] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e [ky: this is a combined patch of r64806-r64808.] Sync-with-trunk: r64808 (cherry picked from commit 01b23fa8eee2ff9cc4ef5f6fabca6d999e0979c2)
* Correctly verify abbreviated IPv6 SANsBrian Cunnie2021-09-263-6/+12
| | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] IPv6 SAN-verification accommodates ["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2). It also accommodates non-compressed addresses. Previously the verification of IPv6 addresses would fail unless the address syntax matched a specific format (no zero-compression, no leading zeroes). As an example, the IPv6 loopback address, if represented as `::1`, would not verify. Nor would it verify if represented as `0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations are valid, RFC-compliant representations. The library would only accept a very specific representation (i.e. `0:0:0:0:0:0:0:1`). This commit addresses that shortcoming, and ensures that any valid IPv6 representation will correctly verify. (cherry picked from commit 9322a104d16b02c7a79f9ab589859c9d63fabf52)
* Reduce memory allocation when writing to SSLSocketJanko Marohnić2021-09-261-9/+4
| | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] At the moment OpenSSL::Buffering#do_write allocates some additional strings, and in my profiling writing 5MB of data allocates additional 7.7MB of strings. This patch greatly reduces memory allocations, and now writing 5MB of data allocates only additional 0.2MB of strings. This means that large file uploads would effectively not allocate additional memory anymore. Reference: https://bugs.ruby-lang.org/issues/14426 Reference: https://github.com/ruby/ruby/pull/1924 (cherry picked from commit 251b5be20d5b58c27490f44cdeb6e655f9be6f19)
* openssl/buffering.rb: no RS when outputnobu2021-09-261-5/+3
| | | | | | | | | | | [ This is a backport to the 2.1 branch. ] * ext/openssl/lib/openssl/buffering.rb (do_write, puts): output methods should not be affected by the input record separator. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Sync-with-trunk: r62038 (cherry picked from commit 3f6e30e53ce8050375955322e170612e1de099b1)
* .github/workflows: update Ruby and OpenSSL/LibreSSL versionsKazuki Yamaguchi2021-02-251-5/+5
|
* Merge pull request #418 from rhenium/ky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-251-12/+22
|\ | | | | bn: check -1 return from BIGNUM functions
| * bn: check -1 return from BIGNUM functionsky/bn-check-negative-error-returnsKazuki Yamaguchi2021-02-181-12/+22
|/ | | | | | | | | | Although the manpage says that BIGNUM functions return 0 on error, OpenSSL versions before 1.0.2n and current LibreSSL versions may return -1 instead. Note that the implementation of OpenSSL::BN#mod_inverse is extracted from BIGNUM_2c() macro as it didn't really share the same function signature with others.
* .github/workflows: disable pkg-config on Windows testsKazuki Yamaguchi2021-02-181-1/+2
| | | | | | | | | | | Let ext/openssl/extconf.rb find the correct OpenSSL installation from the default include/library paths. Since some time ago, the test environment contains another OpenSSL installation and pkg-config from Mingw-w64. However, as pkg-config is not available in RubyInstaller (Ruby 2.3), simply invoking pkg-config command from our ext/openssl/extconf.rb ends up with picking up Mingw-w64's OpenSSL, which is incompatible with RI.
* Merge pull request #393 from rhenium/ky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
|\ | | | | ssl: retry write on EPROTOTYPE on macOS
| * ssl: retry write on EPROTOTYPE on macOSky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
|/ | | | | | | | | | Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227
* Merge pull request #391 from rhenium/ky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
|\ | | | | x509store: fix memory leak in X509::StoreContext.new
| * x509store: fix memory leak in X509::StoreContext.newky/x509stctx-new-fix-leakKazuki Yamaguchi2020-08-121-5/+16
|/ | | | | The certificate passed as the second argument was not properly free'd in the error paths.
* .github/workflows/test.yml: use GitHub ActionsKazuki Yamaguchi2020-08-123-65/+120
| | | | | | .github/workflows/test.yml is copied from current master's (last update by commit 0a2e8c67f252), and then the LibreSSL versions to run test with are adjusted for Ruby/OpenSSL 2.1.
* Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSLJeremy Evans2020-08-121-2/+8
| | | | | | | | [ Original commit is 4e9801dff855 in 2.2.0. This is a backport to the 2.1 branch. ] LibreSSL 2.8.0+ does not support multiple elements in the first argument.
* Merge branch 'maint-2.0' into maintKazuki Yamaguchi2020-03-097-42/+262
|\ | | | | | | | | | | | | | | | | | | * maint-2.0: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| * Merge pull request #350 from rhenium/ky/ssl-fix-verify-hostname-set-error-codemaint-2.0Kazuki Yamaguchi2020-02-262-1/+48
| |\ | | | | | | ssl: set verify error code in the case of verify_hostname failure
| | * ssl: set verify error code in the case of verify_hostname failureky/ssl-fix-verify-hostname-set-error-codeKazuki Yamaguchi2020-02-242-1/+48
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: https://github.com/ruby/openssl/issues/244 Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| * x509: add error code and verify flags constantsKazuki Yamaguchi2020-02-241-0/+91
| | | | | | | | | | Add missing constant declarations for certificate verification flags and the error codes, to match with OpenSSL 1.1.1.
| * Remove taint supportJeremy Evans2020-02-243-11/+0
| | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.0 branch. ] Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
| * Restore compatibility with older versions of Ruby.Samuel Williams2020-02-241-9/+21
| | | | | | | | | | | | | | [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] `RB_PASS_KEYWORDS` is not always available.
| * Fix keyword argument separation issues in ↵Jeremy Evans2020-02-241-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.
| * Merge pull request #216 from rhenium/ky/config-include-directiveKazuki Yamaguchi2020-02-172-18/+90
| |\ | | | | | | config: support .include directive
| | * config: support .include directiveky/config-include-directiveKazuki Yamaguchi2019-12-132-18/+90
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL 1.1.1 introduces a new '.include' directive. Update our config parser to support that. As mentioned in the referenced GitHub issue, we should use the OpenSSL API instead of implementing the parsing logic ourselves, but it will need backwards-incompatible changes which we can't backport to stable versions. So continue to use the Ruby implementation for now. Squashed in additional changes by Vít Ondruch to support '.include = ' syntax. Reference: https://github.com/ruby/openssl/issues/208
* | | Ruby/OpenSSL 2.1.2v2.1.2Kazuki Yamaguchi2018-10-173-2/+14
| | |
* | | Merge branch 'maint-2.0' into maintKazuki Yamaguchi2018-10-174-6/+35
|\| | | | | | | | | | | | | | | | | | | | * maint-2.0: Ruby/OpenSSL 2.0.9 needs openssl/opensslv.h x509name: fix OpenSSL::X509::Name#{cmp,<=>}
| * | Ruby/OpenSSL 2.0.9v2.0.9Kazuki Yamaguchi2018-10-173-2/+25
| | |
| * | needs openssl/opensslv.hnobu2018-10-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | * ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in openssl/opensslv.h. fix up r64101. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Sync-with-trunk: r64236
| * | Merge branch 'ky/x509name-cmp-bugfix' into maint-2.0Kazuki Yamaguchi2018-10-172-5/+11
| |\ \ | | |/ | |/| | | | | | | * ky/x509name-cmp-bugfix: x509name: fix OpenSSL::X509::Name#{cmp,<=>}
| | * x509name: fix OpenSSL::X509::Name#{cmp,<=>}ky/x509name-cmp-bugfixKazuki Yamaguchi2018-10-172-5/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=> could return 0 when the two objects aren't identical. Reported by Tyler Eckstein. CVE-2018-16395. Reference: https://hackerone.com/reports/387250
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-19 00:19:01 +0000