| Commit message | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
As of Ruby 2.5, IO#write accepts multiple input strings and writes them
at once[1]. Follow that.
[1] https://bugs.ruby-lang.org/issues/9323
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.6
test/test_engine: check if RC4 is supported
test/test_engine: suppress stderr
ossl.c: make legacy locking callbacks reentrant
ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks
ssl: prevent SSLSocket#sysread* from leaking uninitialized data
test/test_pair: replace sleep with IO.select
tool/ruby-openssl-docker: update
test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1
test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1
test/test_pair: disable compression
test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
ruby.h: unnormalized Fixnum value
test/test_pair: fix test_write_nonblock{,_no_exceptions}
|
| | |
|
| |\
| | |
| | | |
ossl.c: make legacy locking callbacks reentrant
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Although it's not documented explicitly that the locking callbacks must
provide reentrant mutexes, it seems to be required.
Specifically, the session_remove_cb callback function of an SSL_CTX is
called in a critical section for CRYPTO_LOCK_SSL_CTX, which is shared
across the library. This leads, if the callback function calls another
OpenSSL function that will attempt to lock CRYPTO_LOCK_SSL_CTX, to
deadlock. SSL_CTX_free() is one example of such a function.
http://ci.rvm.jp/results/trunk@P895/64001
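Added illustration of the reentrancy requirement described above, written in plain Ruby rather than taken from ruby/openssl. A hypothetical FakeLibrary plays the library: remove_sessions runs the application's session_remove_cb while holding the lock that the locking callback maps CRYPTO_LOCK_SSL_CTX to, and ctx_free stands in for SSL_CTX_free(), which takes that same lock. Ruby's Mutex is not reentrant and raises ThreadError on a recursive lock, which is where the C code deadlocks; Monitor is reentrant and the callback completes.

```ruby
require 'monitor'

# Hypothetical stand-in for the library (not ruby/openssl code).
# remove_sessions  ~ the session_remove_cb call inside the
#                    CRYPTO_LOCK_SSL_CTX critical section
# ctx_free         ~ SSL_CTX_free(), which locks CRYPTO_LOCK_SSL_CTX itself
class FakeLibrary
  def initialize(lock)
    @lock = lock            # what the locking callback uses for CRYPTO_LOCK_SSL_CTX
    @sessions = [:session]  # one cached session to be removed (constructed)
    @freed = false
  end

  # Takes the shared lock, exactly like SSL_CTX_free() would.
  def ctx_free
    @lock.synchronize { @freed = true }
  end

  def freed?
    @freed
  end

  # The application callback runs *inside* the critical section.
  def remove_sessions(&session_remove_cb)
    @lock.synchronize do
      @sessions.each { |s| session_remove_cb.call(self, s) }
      @sessions.clear
    end
  end
end

# Returns :ok when the callback could call ctx_free, :not_freed if it
# silently did nothing, or ThreadError when the lock refused re-entry
# (the situation that is a hard deadlock with a non-recursive pthread mutex).
def remove_cb_outcome(lock)
  lib = FakeLibrary.new(lock)
  lib.remove_sessions { |ctx, _session| ctx.ctx_free }
  lib.freed? ? :ok : :not_freed
rescue ThreadError => e
  e.class
end

# Mutex#synchronize is not reentrant; Monitor#synchronize is.
def non_reentrant_result
  remove_cb_outcome(Mutex.new)
end

def reentrant_result
  remove_cb_outcome(Monitor.new)
end

if __FILE__ == $0
  puts "Mutex:   #{non_reentrant_result}"
  puts "Monitor: #{reentrant_result}"
end
```

The check to keep in mind when wiring CRYPTO_set_locking_callback() against an older OpenSSL: any callback the library may invoke under one of its locks must be able to call back into the library, so the lock handed to the legacy callbacks has to be recursive.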
|
| | |
| | |
| | |
| | |
| | | |
In preparation for making the mutexes reentrant. It is common to the
non-dynamic and the dynamic locking callbacks.
|
| |\ \
| | | |
| | | | |
ssl: prevent SSLSocket#sysread* from leaking uninitialized data
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Set the length of the buffer string to 0 first, and adjust to the size
successfully read by the SSL_read() call later. This is needed because
the buffer string may be provided by the caller.
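Added pure-Ruby model of the length bug fixed above, not code from ruby/openssl. The C sequence is: rb_str_resize(str, ilen), SSL_read() into the string's storage, then rb_str_set_len(str, nread). If SSL_read() reports "would block" before that last step, the caller-provided string is left with ilen bytes the caller never wrote. resize!, set_len! and ssl_read_stub below are hypothetical stand-ins for rb_str_resize(), rb_str_set_len() and SSL_read(); the 0xAA marker byte stands in for whatever the heap held.

```ruby
UNINIT = "\xAA".b   # marker for bytes never written by the caller (constructed)

# Stand-in for rb_str_resize(): truncate, or grow with "uninitialized" bytes.
def resize!(buf, ilen)
  buf.force_encoding(Encoding::BINARY)
  if buf.bytesize > ilen
    buf.replace(buf.byteslice(0, ilen))
  else
    buf << UNINIT * (ilen - buf.bytesize)
  end
  buf
end

# Stand-in for rb_str_set_len(): make only the first n bytes visible.
def set_len!(buf, n)
  buf.replace(buf.byteslice(0, n))
end

# Stand-in for SSL_read(): copies up to ilen bytes of `source` into the
# front of the buffer's storage and returns the count, or :wait_readable
# when no record is available (SSL_ERROR_WANT_READ).
def ssl_read_stub(source, buf, ilen)
  return :wait_readable if source.empty?
  chunk = source.slice!(0, ilen).b
  buf[0, chunk.bytesize] = chunk
  chunk.bytesize
end

# Sequence before the fix: the length is only corrected after a
# successful read, so a would-block return hands back ilen junk bytes.
def sysread_before_fix(source, buf, ilen)
  resize!(buf, ilen)
  n = ssl_read_stub(source, buf, ilen)
  return n if n == :wait_readable   # buf still reports ilen bytes
  set_len!(buf, n)
  buf
end

# Sequence after the fix: length 0 first, then grow to what was read.
def sysread_after_fix(source, buf, ilen)
  resize!(buf, ilen)
  set_len!(buf, 0)                  # nothing visible until bytes really arrive
  n = ssl_read_stub(source, buf, ilen)
  return n if n == :wait_readable   # buf is empty, nothing leaks
  set_len!(buf, n)
  buf
end

# Drives both variants with a constructed input and returns what the
# caller would observe in each case.
def leak_demo
  stale = "".b
  blocked = sysread_before_fix("".b, stale, 8)   # would block
  clean = "".b
  sysread_after_fix("".b, clean, 8)              # would block
  ok = "".b
  got = sysread_after_fix("hello".b, ok, 8)      # 5 bytes available
  { blocked: blocked, leaked: stale.dup, clean: clean, got: got }
end

if __FILE__ == $0
  leak_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The same pattern applies to any C extension that fills a caller-supplied string: never leave the string's length larger than the number of bytes actually written, on every exit path including the error ones.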
|
| | |/
| | |
| | |
| | |
| | | |
The sleep was to ensure that the SSLSocket#read_nonblock will get a
close_notify alert. A simple IO.select will suffice.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Skip test_openssl_engine_cipher_rc4 which will fail without RC4 support.
It may be disabled by 'no-rc4' configure option of the OpenSSL library.
Reference: https://github.com/ruby/openssl/issues/154
|
| |/
| |
| |
| |
| |
| |
| | |
Use ignore_stderr option of assert_separately instead of $stderr.reopen
which may not work if the OpenSSL library uses a different stdio.
Reference: https://github.com/ruby/openssl/issues/154
|
| |
| |
| |
| |
| |
| |
| | |
- Upgrade to latest Ubuntu LTS.
- Remove unnecessary packages.
- Update OpenSSL, LibreSSL, and Ruby versions. Notably, LibreSSL 2.6 is
added. Accordingly, .travis.yml is also updated to use that.
|
| |
| |
| |
| |
| |
| | |
Similar to the previous one, LibreSSL 2.6.1 has relevant functions such
as SSL_CTX_set_next_proto_select_cb(), but they are broken and do
nothing.
|
| |
| |
| |
| |
| | |
LibreSSL 2.6.1 has SSL_CTX_set_tmp_ecdh_callback() function, but it does
not work.
|
| |
| |
| |
| |
| |
| |
| | |
The test cases added by commit 8ed81ff4b0a8 ("test/test_pair: fix
test_write_nonblock{,_no_exceptions}", 2017-09-04) can consume much
memory and time if OpenSSL supports SSL/TLS compression. Disable it
explicitly.
|
| |
| |
| |
| | |
Suppress "using default DH parameters" message.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* include/ruby/ruby.h (ST2FIX): fix unnormalized Fixnum value bug
on mingw/mswin. [ruby-core:82687] [Bug #13877]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59765 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: add ST2FIX() definition to ext/openssl/ruby_missing.h, and adapt
the test case to the 2.0 branch.]
Sync-with-trunk: r59765
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the previous SSLSocket#write_nonblock call does not finish writing
the complete contents, SSL_shutdown() which is called through
SSLSocket#close will not send a close_notify alert.
As of commit e3a305063675 ssl_pair no longer uses the sync_close
feature. Do not expect that SSL_read() would get ECONNRESET.
|
|\ \
| | |
| | | |
To use the upstream URL of GitHub
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| | |
OpenSSL function ASN1_TIME_adj() internally uses gmtime() to convert
time_t into struct tm. Not all platforms handle negative time_t values.
Reference: https://github.com/ruby/ruby/commit/609103dbb5fb182eec12f052226c43e39b907682#commitcomment-24056418
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
x509name: update regexp in OpenSSL::X509::Name.parse
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allow the attribute value to contain ',', just as the openssl utility's
parse_name() function does.
Fixes: https://github.com/ruby/openssl/issues/39
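Added example, not the project's own regexp: a small parser for the "/type=value/type=value" form that follows the rules of the openssl utility's parse_name() as described above. Attributes are separated by an unescaped '/', a backslash escapes the next character of a value, and ',' inside a value is ordinary data. The function name parse_dn_slash is illustrative; it returns [type, value] pairs in the style of OpenSSL::X509::Name#to_a (without the ASN.1 tag), or nil on malformed input.

```ruby
# Hypothetical helper (not ruby/openssl code) mirroring openssl's parse_name():
#   - string must start with '/'
#   - type runs up to the first '='
#   - value runs up to the next unescaped '/'; '\' escapes the next character
#   - ',' needs no escaping
def parse_dn_slash(str)
  return nil unless str.start_with?("/")
  pairs = []
  i = 1
  while i < str.length
    eq = str.index("=", i)
    return nil unless eq && eq > i          # missing or empty type
    type = str[i...eq]
    i = eq + 1
    value = +""
    while i < str.length && str[i] != "/"
      if str[i] == "\\"
        i += 1
        return nil if i >= str.length      # escape character at end of string
      end
      value << str[i]
      i += 1
    end
    pairs << [type, value]
    i += 1                                 # step over the '/' separator
  end
  pairs
end

if __FILE__ == $0
  p parse_dn_slash("/CN=Smith, John/O=Example, Inc./C=US")
  p parse_dn_slash("/CN=a\\/b/C=JP")
end
```

A value such as "Smith, John" therefore round-trips without escaping, which is the case from issue #39; an unescaped '/' still terminates the value, and a trailing backslash is rejected rather than silently dropped.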
|
|\ \ \
| |/ /
|/| | |
Add X509::Name#to_utf8 and #inspect
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The existing #to_s does not interact well with distinguished names
containing multi-byte UTF-8 characters since the OpenSSL function
X509_NAME_print_ex() escapes bytes with MSB set by default.
Unfortunately we can't fix it without breaking backwards compatibility.
It takes options as a bit field that is directly passed to
X509_NAME_print_ex(). Let's add a new method instead.
Fixes: https://github.com/ruby/openssl/issues/26
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Extract the body into a function in preparation for adding #to_utf8.
Also a potential memory leak is fixed: the GetX509Name() macro can
raise TypeError.
|
| | |
| | |
| | |
| | | |
Allow string literals containing UTF-8 characters.
|
|\ \ \
| | | |
| | | | |
ssl: add SSLContext#min_version= and #max_version=
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports them, use
SSL_CTX_set_{min,max}_proto_version(), which do exactly that.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.
The new methods are meant to replace the deprecated #ssl_version= that
cannot support multiple protocol versions.
SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.
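Added example of the fallback path the commit describes, written in plain Ruby and not taken from ruby/openssl: when SSL_CTX_set_{min,max}_proto_version() is unavailable, a [min, max] range is expressed by setting SSL_OP_NO_* for every protocol version outside the range. The version numbers and SSL_OP_NO_* bits are OpenSSL's own values from ssl.h; the method names (no_flags_for_range, apply_version_range, enabled_versions) are illustrative stand-ins for what min_version=/max_version= do to the context's option bits.

```ruby
# Protocol version numbers and SSL_OP_NO_* bits as defined by OpenSSL.
SSL3_VERSION   = 0x0300
TLS1_VERSION   = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304

SSL_OP_NO_SSLv3   = 0x02000000
SSL_OP_NO_TLSv1   = 0x04000000
SSL_OP_NO_TLSv1_2 = 0x08000000   # note: bit order differs from version order
SSL_OP_NO_TLSv1_1 = 0x10000000
SSL_OP_NO_TLSv1_3 = 0x20000000

VERSION_NO_FLAG = {
  SSL3_VERSION   => SSL_OP_NO_SSLv3,
  TLS1_VERSION   => SSL_OP_NO_TLSv1,
  TLS1_1_VERSION => SSL_OP_NO_TLSv1_1,
  TLS1_2_VERSION => SSL_OP_NO_TLSv1_2,
  TLS1_3_VERSION => SSL_OP_NO_TLSv1_3,
}.freeze

# Illustrative helper: the SSL_OP_NO_* bits that leave only min..max
# enabled. nil for either bound means "no bound".
def no_flags_for_range(min, max)
  [min, max].compact.each do |v|
    raise ArgumentError, "unknown protocol version #{v}" unless VERSION_NO_FLAG.key?(v)
  end
  raise ArgumentError, "min > max" if min && max && min > max
  VERSION_NO_FLAG.sum do |v, flag|
    (min && v < min) || (max && v > max) ? flag : 0
  end
end

# Illustrative helper: apply a range to existing option bits. Every
# SSL_OP_NO_* bit is cleared first so that setting a new range never
# accumulates stale restrictions from an earlier call.
def apply_version_range(opts, min, max)
  all_no = VERSION_NO_FLAG.values.sum
  (opts & ~all_no) | no_flags_for_range(min, max)
end

# Illustrative helper: which versions remain negotiable under `opts`.
def enabled_versions(opts)
  VERSION_NO_FLAG.reject { |_, flag| opts & flag != 0 }.keys
end

if __FILE__ == $0
  opts = apply_version_range(0, TLS1_2_VERSION, nil)   # like min_version = TLS1_2
  printf("options: 0x%08x, enabled: %p\n", opts, enabled_versions(opts))
end
```

Two practical points follow from the code: a range must be recomputed from a clean slate each time (clearing stale NO bits), and every one of these flags lives at bit 24 or above, so on a platform where long is 32 bits they only fit once the option accessors treat the value as unsigned.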
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
OpenSSL 1.1.0 replaced SSLv23_method() with TLS_method(). SSLv23_method,
which still exists in 1.1.0 as a macro around TLS_method, will
eventually be removed. Use the new name if possible.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Reorder, expand ossl_ssl_def_const() macro so RDoc can parse and render
better, and add new flags that are in recent versions of OpenSSL.
|
|/ / /
| | |
| | |
| | |
| | |
| | | |
SSL_CTX_{get,set,clear}_options() are made separate functions and they
now treat flags as unsigned long. Fix possible RangeError on platforms
with sizeof(long)==4.
|
| | |
| | |
| | |
| | |
| | |
| | | |
The 'keylen' parameter of the tmp_dh_callback is only meaningful when
'is_export' is non-zero. Ignore them and just return the default
2048-bit DH group.
|
| | |
| | |
| | |
| | |
| | |
| | | |
Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from
OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used
directly.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
As of commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0",
2016-11-30), ext/openssl/extconf.rb doesn't check for the existence of
the SSL_CTX_set_next_proto_select_cb() function, but the code still refers
to the HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB macro. NPN is available in
all supported versions of OpenSSL and LibreSSL, unless it's disabled by
their configure options. Check the OPENSSL_NO_NEXTPROTONEG macro instead.
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This also restores 'if defined?(OpenSSL)-end' wrapping the test code.
They have been removed erroneously by commit 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
* maint:
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
ssl: remove useless call to rb_thread_wait_fd()
test/test_pair, test/test_ssl: fix for TLS 1.3
test/test_ssl_session: rearrange tests
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl: remove test_invalid_shutdown_by_gc
test/utils: do not use DSA certificates in SSL tests
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: improve error handling in start_server
test/utils: let server_loop close socket
test/utils: do not set ecdh_curves in start_server
test/utils: have start_server yield only the port number
test/utils: add SSLTestCase#tls12_supported?
test/utils: remove OpenSSL::TestUtils.silent
test: fix formatting
Rakefile: let sync:to_ruby know about test/openssl/fixtures
cipher: update the documentation for Cipher#auth_tag=
Backport "Merge branch 'topic/test-memory-leak'" to maint
ssl: do not call session_remove_cb during GC
|
| |\
| | |
| | | |
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
|
| |/
| |
| |
| |
| |
| | |
OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in
order to test that TLS 1.1 works, we need to explicitly make our test
client accept it.
|
| |\
| | |
| | | |
ssl: remove useless call to rb_thread_wait_fd()
|
| | |
| | |
| | |
| | |
| | |
| | | |
That there is no immediately readable data in the SSL instance does not
imply it has to read more bytes from the underlying socket. Just call
SSL_read() and check the return value.
|
| |\ \
| | |/
| |/| |
Fix test failures with TLS 1.3-capable OpenSSL
|
| | |
| | |
| | |
| | | |
Fix test cases failing with TLS 1.3-enabled OpenSSL master.
|
| | |
| | |
| | |
| | |
| | | |
Use TLS 1.2 explicitly where needed, since TLS 1.3 will remove session
ID based session resumption.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The very patch that added this test case made the dfree function not
send a close_notify alert when an SSLSocket is being GCed.
Anyway, the new OSSL_GC_STRESS option added by 6ee4b285036e ("test: run
test cases under GC.stress if OSSL_GC_STRESS is specified", 2016-12-04)
will cover this kind of issue.
|