Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write.
However, on macOS, send(2) which is called via SSL_write() can
occasionally return EPROTOTYPE. Retry SSL_write() so that we get a
proper error, just as ext/socket does.
Reference: https://bugs.ruby-lang.org/issues/14713
Reference: https://github.com/ruby/openssl/issues/227

x509store: fix memory leak in X509::StoreContext.new

The certificate passed as the second argument was not properly freed
in the error paths.

.github/workflows/test.yml is copied from current master's (last update
by commit 0a2e8c67f252), and then the LibreSSL versions to run tests with
are adjusted for Ruby/OpenSSL 2.1.

[ Original commit is 4e9801dff855 in 2.2.0. This is a backport to
the 2.1 branch. ]
LibreSSL 2.8.0+ does not support multiple elements in the first
argument.

* maint-2.0:
  ssl: set verify error code in the case of verify_hostname failure
  x509: add error code and verify flags constants
  Remove taint support
  Restore compatibility with older versions of Ruby.
  Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
  config: support .include directive

ssl: set verify error code in the case of verify_hostname failure

When the verify_hostname option is enabled, the hostname verification is
done before calling the verify_callback provided by the user.
The callback should be notified of the hostname verification failure.
OpenSSL::X509::StoreContext's error code must be set to an appropriate
value rather than OpenSSL::X509::V_OK.
If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >=
1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.
Reference: https://github.com/ruby/openssl/issues/244
Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)

Add missing constant declarations for certificate verification flags and
the error codes, to match OpenSSL 1.1.1.

[ This is a backport to the 2.0 branch. ]
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
(cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)

[ Originally landed as commit b4e96fc4abc3. This is a backport to the
2.0 branch. ]
`RB_PASS_KEYWORDS` is not always available.

OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
[ Originally landed on ruby.git as commit 3959469f240e, then was merged
into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to
the 2.0 branch. ]
It's unlikely anyone would actually hit these. The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.

config: support .include directive

OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208

* maint-2.0:
  Ruby/OpenSSL 2.0.9
  needs openssl/opensslv.h
  x509name: fix OpenSSL::X509::Name#{cmp,<=>}

* ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in
openssl/opensslv.h. Fix up r64101.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r64236

* ky/x509name-cmp-bugfix:
  x509name: fix OpenSSL::X509::Name#{cmp,<=>}

Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=>
could return 0 when the two objects aren't identical.
Reported by Tyler Eckstein. CVE-2018-16395.
Reference: https://hackerone.com/reports/387250

* maint-2.0:
  x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
  x509name: refactor OpenSSL::X509::Name#to_s
  test/test_x509name: change script encoding to ASCII-8BIT

x509name: fix handling of X509_NAME_{oneline,print_ex}() return value

X509_NAME_print_ex() behaves differently depending on the passed flags.
When XN_FLAG_COMPAT is specified, it returns either 1 on success or 0
on error. Otherwise, it returns the byte size written or -1 on error.
This means 0 return is not necessarily an error.
Also, X509_NAME_oneline() return value needs to be checked as it may
fail with a NULL return.
Fixes: https://github.com/ruby/openssl/issues/200

Extract the body into a function in preparation for adding #to_utf8.
Also a potential memory leak is fixed: the GetX509Name() macro can
raise TypeError.
(cherry picked from commit 58964733f7d1f9646ecc344d127150aa7115760e)

Allow string literals containing UTF-8 characters.
(cherry picked from commit 98945c7ce8706309a6d358007f1fdb2a73711662)

The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with
TLS 1.3", 2018-08-06) is applied to the new test cases.
* maint-2.0:
  reduce LibreSSL warnings
  openssl_missing.h: constified
  openssl: search winsock
  search winsock libraries explicitly
  no ID cache in Init functions
  test/test_ssl: fix test failure with TLS 1.3
  tool/ruby-openssl-docker: update to latest versions
  pkey: resume key generation after interrupt

pkey: resume key generation after interrupt [Bug #14882]

Key/parameter generation (OpenSSL::PKey::*.{new,generate}) immediately
aborts when it is done with GVL released (in other words, no block is
given) and the thread is interrupted (e.g., by a signal) during the
operation.
Have ossl_generate_cb_2() acquire GVL and call rb_thread_check_ints()
if needed to process the pending interrupt rather than abort the
operation completely by returning 0.
Reference: https://bugs.ruby-lang.org/issues/14882

Test matrix update and additional test fixes for OpenSSL 1.1.1

SSL_connect() on the client side may return before SSL_accept() on
server side returns. This will fix test failures with OpenSSL's current
master.

* ext/openssl/extconf.rb: LibreSSL headers emit "overriding WinCrypt
defines" warnings if wincrypt.h has been included (except for
x509.h) on Windows. Get rid of including the header by defining the
NOCRYPT macro.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64101 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r64101

* ext/openssl/openssl_missing.h (IMPL_KEY_ACCESSOR{2,3}):
constified obj argument getters.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63684 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r63684

* ext/openssl/extconf.rb: on Windows search winsock library
always, regardless of pkg-config. Direct use of winsock is not
in the region of OpenSSL. [ruby-core:85895] [Bug #14568]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62637 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62637

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62628

Init functions are called only once, cache is useless.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62429 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62429

* maint-2.0:
  Ruby/OpenSSL 2.0.8
  test/test_ssl_session: set client protocol version explicitly
  test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
  extconf.rb: fix build with LibreSSL 2.7.0
  cipher: validate iterations argument for Cipher#pkcs5_keyivgen
  test/utils: disable Thread's report_on_exception in start_server

Test fixes for OpenSSL 1.1.1

Clients that implement TLS 1.3's Middlebox Compatibility Mode will
always provide a non-empty session ID in the ClientHello. This means
the "get" callback for the server-side session caching may be called
for the initial connection.

OpenSSL 1.1.1 raised the minimum size for RSA keys to 512 bits.

extconf.rb: fix build with LibreSSL 2.7.0

Our compat implementation of accessor functions that were introduced in
OpenSSL 1.1.0 conflicts with those from LibreSSL 2.7.0. Use the
HAVE_OPAQUE_OPENSSL code path when LibreSSL 2.7 or newer is detected.
Fix suggested by Joel Sing.
Fixes: https://github.com/ruby/openssl/issues/192

cipher: validate iterations argument for Cipher#pkcs5_keyivgen

EVP_BytesToKey() internally converts the iteration count given as an
"int" into an "unsigned int". Calling that with a negative integer will
result in a hang. This is surprising, so let's validate the value by
ourselves and raise ArgumentError as necessary.

Those threads can purposefully raise exceptions when they call 'pend'.
The report_on_exception feature can be safely disabled in this case
since we use assert_join_threads that captures all exceptions raised.
This is necessary to suppress warnings on Ruby 2.5, which enables the
report_on_exception feature by default.

* maint:
  Ruby/OpenSSL 2.0.7
  asn1: fix docs
  ssl: remove unreachable code