Commit message  Author  Age  Files  Lines
* test/test_x509crl: fix random failure  [ky/x509-implement-eq]  Kazuki Yamaguchi  2017-11-22  1  -3/+5
|     Similarly to the previous one, avoid querying the current time multiple times.
|     Fixes: e4727829837a ("x509crl, x509revoked: implement X509::{CRL,Revoked}#==", 2017-10-12)
* test/test_x509cert: fix flaky test  Kazuki Yamaguchi  2017-11-22  1  -5/+11
|     Specify the notBefore and notAfter fields explicitly to prevent occasional failure.
|     Fixes: 432a9f3455f5 ("x509cert: implement X509::Certificate#==", 2017-10-12)
* x509req: implement X509::Request#==  Kazuki Yamaguchi  2017-10-12  2  -0/+17
|
* x509crl, x509revoked: implement X509::{CRL,Revoked}#==  Kazuki Yamaguchi  2017-10-12  2  -0/+41
|
* x509revoked: add missing X509::Revoked#to_der  Kazuki Yamaguchi  2017-10-12  2  -0/+44
|
* x509cert: implement X509::Certificate#==  Kazuki Yamaguchi  2017-10-12  2  -0/+35
|
* x509attr: implement X509::Attribute#==  Kazuki Yamaguchi  2017-10-12  2  -0/+24
|
* x509ext: implement X509::Extension#==  Kazuki Yamaguchi  2017-10-12  2  -0/+16
|
* Merge branch 'maint'  Kazuki Yamaguchi  2017-09-24  11  -108/+181
|\
| |     * maint:
| |       Ruby/OpenSSL 2.0.6
| |       test/test_engine: check if RC4 is supported
| |       test/test_engine: suppress stderr
| |       ossl.c: make legacy locking callbacks reentrant
| |       ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks
| |       ssl: prevent SSLSocket#sysread* from leaking uninitialized data
| |       test/test_pair: replace sleep with IO.select
| |       tool/ruby-openssl-docker: update
| |       test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1
| |       test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1
| |       test/test_pair: disable compression
| |       test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
| |       ruby.h: unnormalized Fixnum value
| |       test/test_pair: fix test_write_nonblock{,_no_exceptions}
| * Ruby/OpenSSL 2.0.6  [v2.0.6] [ky/release-2.0.6]  Kazuki Yamaguchi  2017-09-24  3  -2/+22
| |
| * Merge pull request #155 from rhenium/ky/fix-legacy-locking-callback-relock  Kazuki Yamaguchi  2017-09-24  1  -26/+40
| |\
| | |     ossl.c: make legacy locking callbacks reentrant
| | * ossl.c: make legacy locking callbacks reentrant  [ky/fix-legacy-locking-callback-relock]  Kazuki Yamaguchi  2017-09-24  1  -1/+13
| | |     Although it's not documented explicitly that the locking callbacks must provide reentrant mutexes, it seems to be required. Specifically, the session_remove_cb callback function of an SSL_CTX is called in a critical section for CRYPTO_LOCK_SSL_CTX, which is shared across the library. This leads, if the callback function calls another OpenSSL function that will attempt to lock CRYPTO_LOCK_SSL_CTX, to deadlock. SSL_CTX_free() is one example of such a function.
| | |     http://ci.rvm.jp/results/trunk@P895/64001
| | * ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks  Kazuki Yamaguchi  2017-09-24  1  -26/+28
| | |     In preparation for making the mutexes reentrant. It is common to the non-dynamic and the dynamic locking callbacks.
| * | Merge pull request #153 from rhenium/ky/ssl-read-fix-leak-uninitialized  Kazuki Yamaguchi  2017-09-24  2  -11/+39
| |\ \
| | | |     ssl: prevent SSLSocket#sysread* from leaking uninitialized data
| | * | ssl: prevent SSLSocket#sysread* from leaking uninitialized data  [ky/ssl-read-fix-leak-uninitialized]  Kazuki Yamaguchi  2017-09-23  2  -9/+37
| | | |     Set the length of the buffer string to 0 first, and adjust to the size successfully read by the SSL_read() call later. This is needed because the buffer string may be provided by the caller.
| | * | test/test_pair: replace sleep with IO.select  Kazuki Yamaguchi  2017-09-23  1  -2/+2
| | |/
| | |     The sleep was to ensure that the SSLSocket#read_nonblock will get close_notify alert. A simple IO.select will suffice.
| * | test/test_engine: check if RC4 is supported  Kazuki Yamaguchi  2017-09-24  1  -1/+7
| | |     Skip test_openssl_engine_cipher_rc4 which will fail without RC4 support. It may be disabled by 'no-rc4' configure option of the OpenSSL library.
| | |     Reference: https://github.com/ruby/openssl/issues/154
| * | test/test_engine: suppress stderr  Kazuki Yamaguchi  2017-09-24  1  -20/+10
| |/
| |     Use ignore_stderr option of assert_separately instead of $stderr.reopen which may not work if the OpenSSL library uses a different stdio.
| |     Reference: https://github.com/ruby/openssl/issues/154
| * tool/ruby-openssl-docker: update  [ky/maint-libressl-2.6]  Kazuki Yamaguchi  2017-09-15  2  -21/+22
| |     - Upgrade to latest Ubuntu LTS.
| |     - Remove unnecessary packages.
| |     - Update OpenSSL, LibreSSL, and Ruby versions. Notably, LibreSSL 2.6 is added. Accordingly, .travis.yml is also updated to use that.
| * test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1  Kazuki Yamaguchi  2017-09-09  1  -0/+5
| |     Similar to the previous one, LibreSSL 2.6.1 has relevant functions such as SSL_CTX_set_next_proto_select_cb(), but they are broken and do nothing.
| * test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1  Kazuki Yamaguchi  2017-09-09  1  -0/+2
| |     LibreSSL 2.6.1 has SSL_CTX_set_tmp_ecdh_callback() function, but it does not work.
| * test/test_pair: disable compression  Kazuki Yamaguchi  2017-09-08  1  -0/+1
| |     The test cases added by commit 8ed81ff4b0a8 ("test/test_pair: fix test_write_nonblock{,_no_exceptions}", 2017-09-04) can consume much memory and time if the OpenSSL supports SSL/TLS compression. Disable it explicitly.
| * test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel  Kazuki Yamaguchi  2017-09-08  1  -0/+1
| |     Suppress "using default DH parameters" message.
| * ruby.h: unnormalized Fixnum value  nobu  2017-09-08  3  -3/+10
| |     * include/ruby/ruby.h (ST2FIX): fix unnormalized Fixnum value bug on mingw/mswin. [ruby-core:82687] [Bug #13877]
| |     git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59765 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| |     [ky: add ST2FIX() definition to ext/openssl/ruby_missing.h, and adapt the test case to the 2.0 branch.]
| |     Sync-with-trunk: r59765
| * test/test_pair: fix test_write_nonblock{,_no_exceptions}  [ky/fix-test-pair-write-nonblock]  Kazuki Yamaguchi  2017-09-04  1  -30/+28
| |     When the previous SSLSocket#write_nonblock call does not finish writing the complete contents, SSL_shutdown() which is called through SSLSocket#close will not send a close_notify alert. As of commit e3a305063675 ssl_pair no longer uses the sync_close feature. Do not expect that SSL_read() would get ECONNRESET.
* | Merge pull request #150 from ruby/homepage  Kazuki Yamaguchi  2017-09-16  1  -1/+1
|\ \
| | |     To use upstream url of github
| * | To use upstream url of github  SHIBATA Hiroshi  2017-09-16  1  -1/+1
|/ /
* | test/test_asn1: fix possible failure in test_utctime  Kazuki Yamaguchi  2017-09-05  1  -5/+10
| |     OpenSSL function ASN1_TIME_adj() internally uses gmtime() to convert time_t into struct tm. Not all platforms handle negative time_t value.
| |     Reference: https://github.com/ruby/ruby/commit/609103dbb5fb182eec12f052226c43e39b907682#commitcomment-24056418
* | test/test_fips: skip if setting FIPS mode fails  Kazuki Yamaguchi  2017-09-04  1  -6/+13
| |
* | x509name: fix a typo in docs  Kazuki Yamaguchi  2017-09-04  1  -1/+1
| |
* | Ruby/OpenSSL 2.1.0.beta1  [v2.1.0.beta1] [ky/release-2.1.0.beta1]  Kazuki Yamaguchi  2017-09-03  2  -20/+26
| |
* | Merge pull request #144 from rhenium/ky/x509name-fix-parse-openssl  Kazuki Yamaguchi  2017-09-03  2  -21/+22
|\ \
| | |     x509name: update regexp in OpenSSL::X509::Name.parse
| * | x509name: update regexp in OpenSSL::X509::Name.parse  [ky/x509name-fix-parse-openssl]  Kazuki Yamaguchi  2017-09-03  2  -21/+22
| | |     Allow the attribute value to contain ',', just as the openssl utility's parse_name() function does.
| | |     Fixes: https://github.com/ruby/openssl/issues/39
* | | Merge pull request #143 from rhenium/ky/x509name-to-utf-8  Kazuki Yamaguchi  2017-09-03  2  -17/+83
|\ \ \
| |/ /
|/| |     Add X509::Name#to_utf8 and #inspect
| * | x509name: add OpenSSL::X509::Name#inspect  [ky/x509name-to-utf-8]  Kazuki Yamaguchi  2017-09-03  1  -0/+9
| | |
| * | x509name: add OpenSSL::X509::Name#to_utf8  Kazuki Yamaguchi  2017-09-03  2  -0/+53
| | |     The existing #to_s does not interact well with distinguished names containing multi-byte UTF-8 characters since the OpenSSL function X509_NAME_print_ex() escapes bytes with MSB set by default. Unfortunately we can't fix it without breaking backwards compatibility. It takes options as a bit field that is directly passed to X509_NAME_print_ex(). Let's add a new method instead.
| | |     Fixes: https://github.com/ruby/openssl/issues/26
| * | x509name: refactor OpenSSL::X509::Name#to_s  Kazuki Yamaguchi  2017-09-03  1  -18/+22
| | |     Extract the body into a function in preparation for adding #to_utf8. Also a potential memory leak is fixed: the GetX509Name() macro can raise TypeError.
| * | test/test_x509name: change script encoding to ASCII-8BIT  Kazuki Yamaguchi  2017-09-03  1  -1/+1
| | |     Allow string literals containing UTF-8 characters.
* | | Merge pull request #142 from rhenium/ky/ssl-version-min-max  Kazuki Yamaguchi  2017-09-03  5  -204/+460
|\ \ \
| | | |     ssl: add SSLContext#min_version= and #max_version=
| * | | ssl: rework SSLContext#ssl_version=  Kazuki Yamaguchi  2017-09-03  4  -100/+56
| | | |     Reimplement SSLContext#ssl_version= as a wrapper around SSLContext#min_version= and #max_version=. SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which replaces the SSL method used for the connections created from the SSL context. This is mainly used for forcing a specific SSL/TLS protocol version. As of OpenSSL 1.1.0, however, use of the version-specific SSL methods such as TLSv1_method() is deprecated. Follow the current recommendation -- to use the generic SSL method always and to control the supported version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we have already started doing a similar thing when the extension is compiled with OpenSSL 1.1.0. OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of SSL methods, is not useful anymore. It is now deprecate_constant-ed.
| * | | ssl: add SSLContext#min_version= and #max_version=  Kazuki Yamaguchi  2017-09-03  4  -83/+332
| | | |     Add methods that set the minimum and maximum supported protocol versions for the SSL context. If the OpenSSL library supports, use SSL_CTX_set_{min,max}_proto_version() that do the exact thing. Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags. The new methods are meant to replace the deprecated #ssl_version= that cannot support multiple protocol versions. SSLContext::DEFAULT_PARAMS is also updated to use the new SSLContext#min_version=.
| * | | ssl: prefer TLS_method() over SSLv23_method()  Kazuki Yamaguchi  2017-09-02  1  -0/+4
| | | |     OpenSSL 1.1.0 replaced SSLv23_method() with TLS_method(). SSLv23_method which still exists in 1.1.0, as a macro around TLS_method, will eventually be removed. Use the new name if possible.
| * | | ssl: update OpenSSL::SSL::OP_* flags  Kazuki Yamaguchi  2017-09-02  1  -38/+81
| | | |     Reorder, expand ossl_ssl_def_const() macro so RDoc can parse and render better, and add new flags that are in recent versions of OpenSSL.
| * | | ssl: ensure that SSL option flags are non-negative  Kazuki Yamaguchi  2017-09-02  1  -3/+7
|/ / /
| | |     SSL_CTX_{get,set,clear}_options() are made separate functions and they now treat flags as unsigned long. Fix possible RangeError on platforms with sizeof(long)==4.
* | | ssl: use 2048-bit group in the default tmp_dh_cb  Kazuki Yamaguchi  2017-09-02  1  -14/+1
| | |     The 'keylen' parameter of the tmp_dh_callback is only meaningful when 'is_export' is non-zero. Ignore them and just return the default 2048-bit DH group.
* | | ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private  Kazuki Yamaguchi  2017-08-29  1  -4/+3
| | |     Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used directly.
* | | ssl: fix NPN support  Kazuki Yamaguchi  2017-08-26  1  -6/+6
|/ /
| |     As of commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30), ext/openssl/extconf.rb don't check for existence of SSL_CTX_set_next_proto_select_cb() function, but the code still refers to the HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB macro. NPN is available in all supported versions of OpenSSL and LibreSSL, unless it's disabled by their configure options. Check OPENSSL_NO_NEXTPROTONEG macro instead.
* | Merge branch 'maint'  Kazuki Yamaguchi  2017-08-26  34  -680/+746
|\|
| |     This also restores 'if defined?(OpenSSL)-end' wrapping the test code. They have been removed erroneously by commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
| |     * maint:
| |       test/test_ssl: explicitly accept TLS 1.1 in corresponding test
| |       ssl: remove useless call to rb_thread_wait_fd()
| |       test/test_pair, test/test_ssl: fix for TLS 1.3
| |       test/test_ssl_session: rearrange tests
| |       test/test_ssl: move test_multibyte_read_write to test_pair
| |       test/test_ssl: remove test_invalid_shutdown_by_gc
| |       test/utils: do not use DSA certificates in SSL tests
| |       test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
| |       test/utils: improve error handling in start_server
| |       test/utils: let server_loop close socket
| |       test/utils: do not set ecdh_curves in start_server
| |       test/utils: have start_server yield only the port number
| |       test/utils: add SSLTestCase#tls12_supported?
| |       test/utils: remove OpenSSL::TestUtils.silent
| |       test: fix formatting
| |       Rakefile: let sync:to_ruby know about test/openssl/fixtures
| |       cipher: update the documentation for Cipher#auth_tag=
| |       Backport "Merge branch 'topic/test-memory-leak'" to maint
| |       ssl: do not call session_remove_cb during GC
| * Merge pull request #140 from terceiro/tls1.1  Kazuki Yamaguchi  2017-08-26  1  -1/+2
| |\
| | |     test/test_ssl: explicitly accept TLS 1.1 in corresponding test
| | * test/test_ssl: explicitly accept TLS 1.1 in corresponding test  Antonio Terceiro  2017-08-26  1  -1/+2
| |/
| |     OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in order to test that TLS 1.1 works, we need to explicitly make our test client accept it.