| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Allow the attribute value to contain ',', just as the openssl utility's
parse_name() function does.
Fixes: https://github.com/ruby/openssl/issues/39
|
| |\
| |
| | |
ssl: add SSLContext#min_version= and #max_version=
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports, use
SSL_CTX_set_{min,max}_proto_version() that do the exact thing.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.
The new methods are meant to replace the deprecated #ssl_version= that
cannot support multiple protocol versions.
SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.
|
| | |
| |
| |
| |
| |
| | |
OpenSSL 1.1.0 replaced SSLv23_method() with TLS_method(). SSLv23_method
which still exists in 1.1.0, as a macro around TLS_method, will
eventually be removed. Use the new name if possible.
|
| | |
| |
| |
| |
| | |
Reorder, expand ossl_ssl_def_const() macro so RDoc can parse and render
better, and add new flags that are in recent versions of OpenSSL.
|
| |/
|
|
|
|
| |
SSL_CTX_{get,set,clear}_options() are made separate functions and they
now treat flags as unsigned long. Fix possible RangeError on platforms
with sizeof(long)==4.
|
| |
|
|
|
|
| |
The 'keylen' parameter of the tmp_dh_callback is only meaningful when
'is_export' is non-zero. Ignore them and just return the default
2048-bit DH group.
|
| |
|
|
|
|
| |
Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from
OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used
directly.
|
| |
|
|
|
|
|
|
|
| |
As of commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0",
2016-11-30), ext/openssl/extconf.rb don't check for existence of
SSL_CTX_set_next_proto_select_cb() function, but the code still refers
to the HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB macro. NPN is available in
all supported versions of OpenSSL and LibreSSL, unless it's disabled by
their configure options. Check OPENSSL_NO_NEXTPROTONEG macro instead.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This also restores 'if defined?(OpenSSL)-end' wrapping the test code.
They have been removed erroneously by commit 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
* maint:
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
ssl: remove useless call to rb_thread_wait_fd()
test/test_pair, test/test_ssl: fix for TLS 1.3
test/test_ssl_session: rearrange tests
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl: remove test_invalid_shutdown_by_gc
test/utils: do not use DSA certificates in SSL tests
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: improve error handling in start_server
test/utils: let server_loop close socket
test/utils: do not set ecdh_curves in start_server
test/utils: have start_server yield only the port number
test/utils: add SSLTestCase#tls12_supported?
test/utils: remove OpenSSL::TestUtils.silent
test: fix formatting
Rakefile: let sync:to_ruby know about test/openssl/fixtures
cipher: update the documentation for Cipher#auth_tag=
Backport "Merge branch 'topic/test-memory-leak'" to maint
ssl: do not call session_remove_cb during GC
|
| | |\
| | |
| | | |
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
|
| | |/
| |
| |
| |
| |
| | |
OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in
order to test that TLS 1.1 works, we need to explicitly make our test
client accept it.
|
| | |\
| | |
| | | |
ssl: remove useless call to rb_thread_wait_fd()
|
| | | |
| | |
| | |
| | |
| | |
| | | |
That there is no immediately readable data in the SSL instance does not
imply it has to read more bytes from the underlying socket. Just call
SSL_read() and check the return value.
|
| | |\ \
| | |/
| |/| |
Fix test failures with TLS 1.3-capable OpenSSL
|
| | | |
| | |
| | |
| | | |
Fix test cases failing with TLS 1.3-enabled OpenSSL master.
|
| | | |
| | |
| | |
| | |
| | | |
Use TLS 1.2 explicitly where needed, since TLS 1.3 will remove session
ID based session resumption.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The very patch that added this test case made the dfree function not
send close_notify alert when an SSLSocket is being GCed.
Anyway, the new OSSL_GC_STRESS option added by 6ee4b285036e ("test: run
test cases under GC.stress if OSSL_GC_STRESS is specified", 2016-12-04)
will cover this kind of issues.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
LibreSSL 2.6.1 removed DSA support from its SSL code. Also, TLS 1.3 will
not support DSA certificates. Use an RSA certificate as the client
certificate in the tests, too.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Add methods that check whether the running OpenSSL is an OpenSSL or a
LibreSSL, and optionally check whether the version is newer or equal to
the given version number.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
start_server can hang if the given block exits before closing sockets
that the block opens. While this is a carelessness of the caller, we
can do a better job.
|
| | | |
| | |
| | |
| | |
| | | |
Close the socket by server_loop rather than by server_proc. This reduces
code duplication.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
An assumption in OpenSSL::TestSSL#test_get_ephemeral_key is that the
ephemeral key type is always EVP_PKEY_EC when negotiated with an ECDHE
cipher suite. This is not true if X25519 is chosen.
The test is passing because we happen to fix the group to P-256 in
start_server, but let's make it explicit.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The block passed to start_server is invoked with two arguments, the
running thread object for the server and the automatically-selected port
number. The first argument is completely useless and actually is not
used anywhere.
|
| | | |
| | |
| | |
| | |
| | | |
Add a method that returns whether the OpenSSL supports TLS 1.2 or not.
This will be useful for test cases that are specific to TLS ~1.2.
|
| | | |
| | |
| | |
| | |
| | | |
Use EnvUtil.suppress_warning instead. We have started to use it already,
and the name 'suppress_warning' expresses what it does more clearly.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Fix wrong nesting in test/utils.rb. Remove unnecessary requires. Wrap
the code with 'if defined?(OpenSSL::TestUtils) ~ end' and avoid class
definition with modifier if.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* topic/test-memory-leak:
Enable OSSL_MDEBUG on CI builds
Add OpenSSL.print_mem_leaks
test: prepare test PKey instances on demand
test: let OpenSSL::TestCase include OpenSSL::TestUtils
Don't define main() when built with --enable-debug
(cherry picked from commit 5c586acc387834ab4e09260937dc21064fc59de4)
Note that fix for new test cases that use the old constants removed by
this is squashed in.
|
| | |/
| |
| |
| |
| |
| |
| | |
The authentication tag can be set after starting the decryption, if
only it is before Cipher#final is called.
Fixes: https://github.com/ruby/openssl/issues/74
|
| | |
| |
| |
| |
| |
| |
| | |
As noted in the SSL_CTX_sess_set_remove_cb(3) manpage, SSL_CTX_free()
will call the callback function for each session in the internal session
store. We can't call the callback Proc since it may do a new object
allocation which is prohibited during GC.
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.5
ssl: fix compile error with OpenSSL 1.0.0
ssl: remove unsupported TLS versions from SSLContext::METHODS
Add msys2 library dependency tag in gem metadata
ossl_pem_passwd_cb: handle nil from the block explicitly
ossl_pem_passwd_cb: do not check for taintedness
ossl_pem_passwd_cb: relax passphrase length constraint
appveyor.yml: test against Ruby 2.4
Rakefile: install_dependencies: install only when needed
bio: do not use the FILE BIO method in ossl_obj2bio()
bio: prevent possible GC issue in ossl_obj2bio()
test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
OpenSSL <= 1.0.0 did not support TLS 1.1/1.2, and thus we must still
check the existence of the symbols. This fixes the previous commit,
3e5a009966bd ("ssl: remove unsupported TLS versions from
SSLContext::METHODS", 2017-08-08).
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check for all version-specific SSL methods. We do check for existence of
TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This
fixes compile error when OpenSSL is configured with no-tls1-method.
Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL
supports the corresponding versions or not. This prevents :TLSv1 from
being in SSLContext::METHODS when OpenSSL is compiled with no-tls1.
In particular, Debian sid has disabled TLS 1.0/1.1 support recently.
The changes in ext/openssl are partial backport of 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
|
| | |\
| | |
| | | |
Add msys2 library dependency tag in gem metadata
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RubyInstaller2 supports metadata tags for installation of dependent
MSYS2/MINGW libraries. The openssl gem requires the mingw-openssl
package to be installed on the system, which the gem installer takes
care about, when this tag is set.
The feature is documented here:
https://github.com/oneclick/rubyinstaller2/wiki/For-gem-developers#msys2-library-dependency
This fixes issues like
https://github.com/oneclick/rubyinstaller2/issues/54 and
https://github.com/oneclick/rubyinstaller2/issues/53 .
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | | |
* ky/pem-passwd-cb-get-rid-of-minlen:
ossl_pem_passwd_cb: handle nil from the block explicitly
ossl_pem_passwd_cb: do not check for taintedness
ossl_pem_passwd_cb: relax passphrase length constraint
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is code that returns nil in the passphrase block on purpose (to
prevent OpenSSL from prompting on stdin):
OpenSSL::PKey.read(File.read("file.pem")) { nil }
This is working just by chance because the TypeError from StringValue()
is silently ignored. Let's short circuit in that case and save raising
a needless exception, as this pattern has become too common.
|
| | | |
| | |
| | |
| | | |
It is perfectly permissible to take passwords from an untrusted source.
|
| | |/
| |
| |
| |
| |
| | |
The minimum passphrase length of 4 bytes is only a limitation of
PEM_def_callback() which isn't relevant here. Commit f38501249f33
introduced this bug.
|
| | | |
|
| | |
| |
| |
| |
| | |
Emulate the behavior of 'gem install --conservative'. This would prevent
overwriting the existing Rake installation.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Read everything from an IO object into a String first and use the
memory buffer BIO method just as we do for String inputs.
For MSVC builds, the FILE BIO method uses the "UPLINK" interface that
requires the application to provide OPENSSL_Applink() function. For us,
the "application" means ruby.exe, in which we can't do anything. As a
workaround, avoid using the FILE BIO method at all.
Usually private keys or X.509 certificates aren't that large and the
temporarily increased memory usage hopefully won't be an issue.
Fixes: https://github.com/ruby/openssl/issues/128
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevent the new object created by StringValue() from being GCed.
Luckily, as none of the callers of ossl_obj2bio() reads from the
returned BIO after possible triggering GC, this has not been a real
problem.
As a bonus, ossl_protect_obj2bio() function which is no longer used
anywhere is removed.
|
| | |
| |
| |
| |
| |
| | |
Fedora's OpenSSL seems to enable 3DES cipher suites by DEFAULT.
Fixes: https://github.com/ruby/openssl/issues/127
|
| |\ \
| | |
| | |
| | |
| | | |
* ky/x509name-add-entry-options:
x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a way to specify these arguments for X509_NAME_add_entry_by_txt().
We currently always use -1 and 0 respectively, which will result in
appending a new single-valued RDN to the end.
Fixes: https://github.com/ruby/openssl/issues/94
|
