| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| | |
The value of 'value' attribute of OpenSSL::ASN1::{Integer,Enumerated}
should be an instance of OpenSSL::BN.
Reference: https://github.com/ruby/openssl/issues/176
|
| | |
| |
| |
| | |
GetSSLCTX() never returns NULL.
|
| |\ \
| | |
| | | |
pkey/ec: add support for octet string encoding of EC point
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new method named PKey::EC#to_octet_string that returns the octet
string representation of the curve point. PKey::EC::Point#to_bn, which
have already existed and is similar except that an instance of
OpenSSL::BN is returned, is rewritten in Ruby.
PKey::EC::Point#initialize now takes String as the second argument in
the PKey::EC::Point.new(group, encoded_point) form.
Also, update the tests to use #to_octet_string instead of #to_bn for
better readability.
|
| | | | |
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
* ky/fix-ssl-test-internal-encoding:
Fix test-all tests to avoid creating report_on_exception warnings
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* The warnings are shown by Thread.report_on_exception defaulting to
true. [Feature #14143] [ruby-core:83979]
* Improves tests by narrowing down the scope where an exception
is expected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61188 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this effectively reverts commit 01445af367ec ("test/test_ssl:
prevent changing default internal encoding", 2017-11-26). This is OK
since EnvUtil.with_default_internal has been made thread-safe.]
Sync-with-trunk: r61188
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The function ossl_sslctx_session_get_cb(), which is passed to
SSL_CTX_sess_set_get_cb(), will never be called on the client-side since
it is for the server-side session caching.
Reference: https://github.com/ruby/openssl/issues/170
|
| |\| | |
| | | |
| | | |
| | | |
| | | | |
* ky/fix-ssl-test-internal-encoding:
test/test_ssl: prevent changing default internal encoding
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In Ruby tree (not in this tree), assert_raise_with_message uses
EnvUtil.with_default_internal which cannot be called simultaneously.
The patch was suggested by Yusuke Endoh (mame).
|
| | | | | |
|
| |\ \ \ \
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint:
History.md: fix a typo
x509cert, x509crl, x509req, ns_spki: check sanity of public key
pkey: make pkey_check_public_key() non-static
test/test_cipher: fix test_non_aead_cipher_set_auth_data failure
cipher: disallow setting AAD for non-AEAD ciphers
test/test_ssl_session: skip tests for session_remove_cb
appveyor.yml: remove 'openssl version' line
|
| | | | | |
|
| | |\ \ \
| | | | |
| | | | | |
[Bug #14087] x509cert, x509crl, x509req, ns_spki: check sanity of public key
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The pub_encode routine of an EVP_PKEY_ASN1_METHOD seems to assume the
parameters and public key component(s) to be set properly. Calling that,
for example, through X509_set_pubkey(), with an incomplete object may
cause segfault.
Use ossl_pkey_check_public_key() to check that. It doesn't look pretty,
but unfortunately there isn't a generic way to do that with the EVP API.
Something similar applies to the verify routine of an EVP_PKEY_METHOD.
Do the same check before calling *_verify().
Reference: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/83688
Reference: https://bugs.ruby-lang.org/issues/14087
|
| | |/ / /
| | | |
| | | |
| | | | |
Also make it take const pointer as it never modifies the pkey.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A follow-up to commit bb10767b0570 ("cipher: disallow setting AAD for
non-AEAD ciphers", 2017-10-18). Cipher#auth_data= raises
NotImplementedError if built with OpenSSL < 1.0.1.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
EVP_CipherUpdate() must not be call with the output parameter set to
NULL when the cipher does not support AEAD. Check the flag of
EVP_CIPHER, and raise an exception as necessary.
Reference: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/83337
Reference: https://bugs.ruby-lang.org/issues/14024
|
| | |\ \ \
| | | | |
| | | | | |
test/test_ssl_session: skip tests for session_remove_cb
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In OpenSSL < 1.1.0, the session_remove_cb callback is called inside the
global lock for CRYPTO_LOCK_SSL_CTX which is shared across the entire
process, not just for the specific SSL_CTX object. It is possible that
the callback releases GVL while the lock for CRYPTO_LOCK_SSL_CTX is
held, causing another thread calling an OpenSSL function that tries to
acquire the same lock stuck forever.
Add a note about the possible deadlock to the docs for
SSLContext#session_remove_cb=, and skip the relevant test cases unless
the OSSL_TEST_ALL environment variable is set to 1.
A deadlock due to this issue is observed:
http://ci.rvm.jp/results/trunk-test@frontier/104428
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It runs the 'openssl' command line tool that is not of the version used
to compile and run the test suite.
Thanks to MSP-Greg for pointing this out.
Fixes: https://github.com/ruby/openssl/issues/157
|
| |\ \ \ \
| | | | |
| | | | | |
kdf: add HKDF support
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
OpenSSL 1.1.0 supports HKDF through the EVP API. Add OpenSSL::KDF.hkdf
as a wrapper around that.
Reference: https://github.com/ruby/openssl/issues/172
|
| |\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* ky/x509-implement-eq:
test/test_x509crl: fix random failure
test/test_x509cert: fix flaky test
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Similarly to the previous one, avoid querying the current time multiple
times.
Fixes: e4727829837a ("x509crl, x509revoked: implement X509::{CRL,Revoked}#==", 2017-10-12)
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Specify the notBefore and notAfter fields explicitly to prevent
occasional failure.
Fixes: 432a9f3455f5 ("x509cert: implement X509::Certificate#==", 2017-10-12)
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Merge GitHub Pull Request #167.
* ky/ssl-add-certificate:
test/test_ssl: fix test_security_level
ssl: add SSLContext#add_certificate
test/utils: remove a pointless .public_key call in issue_cert
test/envutil: port assert_warning from Ruby trunk
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Fix test_security_level using SSLContext#add_certificate. It immediately
sets the certificate to the SSL_CTX, so it is affected by the security
level setting.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Add a new method to add a certificate, a corresponding private key, and
extra CA certificates at once.
This has two advantages over the existing {cert,key,extra_cert_chain}
attributes:
1. We can notice the problem with the certificate and/or the private
key. Since the existing attributes are simple instance variables,
they aren't set to the SSL_CTX until #setup which usually happens
on the first connection.
2. For the same reason, existing attributes allowed only one
certificate for a context, even though OpenSSL itself is capable of
handling multiple certificates and selecting the most appropriate
one according to the cipher suite selected.
The documentation for the existing attributes are updated to recommend
using #add_certificate.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
PKey::EC#public_key works differently from other PKey types, making
TestUtils.issue_cert unusable for creating ECDSA certificates.
Actually, the #public_key does not have any effect on any other PKey
types. So just remove it.
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | | |
EnvUtil.verbose_warning used by assert_warning is also ported.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
LibreSSL 2.4 reached its EOL in 2017-09.
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
[v2] Add RSA sign_pss() and verify_pss() methods
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Support Probabilistic Signature Scheme for RSA key signing.
[ky: the patch was originally submitted as GitHub Pull Request #76.
finish keyword arguments handling, update docs, and fix tests.]
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
buffering: let #write accept multiple arguments
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
As of Ruby 2.5, IO#write accepts multiple input strings and writes them
at once[1]. Follow that.
[1] https://bugs.ruby-lang.org/issues/9323
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Fix build failure against OpenSSL 1.1 built with no-deprecated
|
| |/ / / / / /
| | | | | |
| | | | | |
| | | | | | |
Thanks rhenium for the code review and fixes.
|
| |\ \ \ \ \ \
| | |_|_|/ /
| |/| | | | |
TLS Fallback Signaling Cipher Suite Value
|
| |/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507).
Expected behaviour is to refuse connection if the client signals a protocol with
the fallback flag but the server supports a better one (downgrade attack detection).
|
| |\ \ \ \ \
| | |/ / /
| |/| | | |
x509*: implement ==
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | |/ / / |
|
| |\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* ky/ssl-version-min-max:
ssl: fix conflict of options in SSLContext#set_params
Use caller with length to reduce unused strings
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Make SSLContext#set_params call #options= first.
SSLContext#set_params by default disables SSL 2.0 and SSL 3.0 by calling
SSLContext#min_version=. After that, it sets the SSL option flags by
calling SSLContext#options=.
This is problematic when built with OpenSSL before 1.1.0 because
SSLContext#min_version= achieves its goal using the SSL_OP_NO_{SSL,TLS}*
options. Since the subsequent SSLContext#options= call replaces the
flags rather than OR together, this results in effectively disabling
min_version setting in SSLContext::DEFAULT_PARAMS.
The issue was first fixed in Ruby trunk tree, as part of r60310 ("fix
OpenSSL::SSL::SSLContext#min_version doesn't work", 2017-10-21).
|
| | | | | |
| | | | |
| | | | |
| | | | | |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60288 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
