Commit message / Author / Age / Files / Lines
* ssl: retry write on EPROTOTYPE on macOS [ky/ssl-macos-send-eprototype]
    Kazuki Yamaguchi, 2020-08-12 (1 file, -0/+15)

    Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does.

    Reference: https://bugs.ruby-lang.org/issues/14713
    Reference: https://github.com/ruby/openssl/issues/227
* Merge pull request #391 from rhenium/ky/x509stctx-new-fix-leak
    Kazuki Yamaguchi, 2020-08-12 (1 file, -5/+16)

    x509store: fix memory leak in X509::StoreContext.new
| * x509store: fix memory leak in X509::StoreContext.new [ky/x509stctx-new-fix-leak]
    Kazuki Yamaguchi, 2020-08-12 (1 file, -5/+16)

    The certificate passed as the second argument was not properly freed in the error paths.
* .github/workflows/test.yml: use GitHub Actions
    Kazuki Yamaguchi, 2020-08-12 (3 files, -65/+120)

    .github/workflows/test.yml is copied from current master's (last update by commit 0a2e8c67f252), and then the LibreSSL versions to run tests with are adjusted for Ruby/OpenSSL 2.1.
* Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
    Jeremy Evans, 2020-08-12 (1 file, -2/+8)

    [ Original commit is 4e9801dff855 in 2.2.0. This is a backport to the 2.1 branch. ]

    LibreSSL 2.8.0+ does not support multiple elements in the first argument.
* Merge branch 'maint-2.0' into maint
    Kazuki Yamaguchi, 2020-03-09 (7 files, -42/+262)

    * maint-2.0:
      ssl: set verify error code in the case of verify_hostname failure
      x509: add error code and verify flags constants
      Remove taint support
      Restore compatibility with older versions of Ruby.
      Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
      config: support .include directive
| * Merge pull request #350 from rhenium/ky/ssl-fix-verify-hostname-set-error-code [maint-2.0]
    Kazuki Yamaguchi, 2020-02-26 (2 files, -1/+48)

    ssl: set verify error code in the case of verify_hostname failure
| | * ssl: set verify error code in the case of verify_hostname failure [ky/ssl-fix-verify-hostname-set-error-code]
    Kazuki Yamaguchi, 2020-02-24 (2 files, -1/+48)

    When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK.

    If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.

    Reference: https://github.com/ruby/openssl/issues/244
    Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| * x509: add error code and verify flags constants
    Kazuki Yamaguchi, 2020-02-24 (1 file, -0/+91)

    Add missing constant declarations for certificate verification flags and the error codes, to match with OpenSSL 1.1.1.
| * Remove taint support
    Jeremy Evans, 2020-02-24 (3 files, -11/+0)

    [ This is a backport to the 2.0 branch. ]

    Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions.

    (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
| * Restore compatibility with older versions of Ruby.
    Samuel Williams, 2020-02-24 (1 file, -9/+21)

    [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ]

    `RB_PASS_KEYWORDS` is not always available.
| * Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
    Jeremy Evans, 2020-02-24 (1 file, -4/+13)

    [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ]

    It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.
| * Merge pull request #216 from rhenium/ky/config-include-directive
    Kazuki Yamaguchi, 2020-02-17 (2 files, -18/+90)

    config: support .include directive
| | * config: support .include directive [ky/config-include-directive]
    Kazuki Yamaguchi, 2019-12-13 (2 files, -18/+90)

    OpenSSL 1.1.1 introduces a new '.include' directive. Update our config parser to support that.

    As mentioned in the referenced GitHub issue, we should use the OpenSSL API instead of implementing the parsing logic ourselves, but it will need backwards-incompatible changes which we can't backport to stable versions. So continue to use the Ruby implementation for now.

    Squashed in additional changes by Vít Ondruch to support '.include = ' syntax.

    Reference: https://github.com/ruby/openssl/issues/208
* | | Ruby/OpenSSL 2.1.2 [v2.1.2]
    Kazuki Yamaguchi, 2018-10-17 (3 files, -2/+14)
* | | Merge branch 'maint-2.0' into maint
    Kazuki Yamaguchi, 2018-10-17 (4 files, -6/+35)

    * maint-2.0:
      Ruby/OpenSSL 2.0.9
      needs openssl/opensslv.h
      x509name: fix OpenSSL::X509::Name#{cmp,<=>}
| * | Ruby/OpenSSL 2.0.9 [v2.0.9]
    Kazuki Yamaguchi, 2018-10-17 (3 files, -2/+25)
| * | needs openssl/opensslv.h
    nobu, 2018-10-17 (1 file, -1/+1)

    * ext/openssl/extconf.rb: LIBRESSL_VERSION_NUMBER is defined in openssl/opensslv.h. fix up r64101.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r64236
| * | Merge branch 'ky/x509name-cmp-bugfix' into maint-2.0
    Kazuki Yamaguchi, 2018-10-17 (2 files, -5/+11)

    * ky/x509name-cmp-bugfix:
      x509name: fix OpenSSL::X509::Name#{cmp,<=>}
| | * x509name: fix OpenSSL::X509::Name#{cmp,<=>} [ky/x509name-cmp-bugfix]
    Kazuki Yamaguchi, 2018-10-17 (2 files, -5/+11)

    Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=> could return 0 when the two objects aren't identical.

    Reported by Tyler Eckstein. CVE-2018-16395.

    Reference: https://hackerone.com/reports/387250
* | | Merge branch 'maint-2.0' into maint
    Kazuki Yamaguchi, 2018-08-08 (2 files, -6/+15)

    * maint-2.0:
      x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
      x509name: refactor OpenSSL::X509::Name#to_s
      test/test_x509name: change script encoding to ASCII-8BIT
| * | Merge pull request #211 from rhenium/ky/x509name-to-s-empty
    Kazuki Yamaguchi, 2018-08-08 (2 files, -23/+55)

    x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
| | * | x509name: fix handling of X509_NAME_{oneline,print_ex}() return value [ky/x509name-to-s-empty]
    Kazuki Yamaguchi, 2018-08-08 (2 files, -6/+34)

    X509_NAME_print_ex() behaves differently depending on the passed flags. When XN_FLAG_COMPAT is specified, it returns either 1 on success or 0 on error. Otherwise, it returns the byte size written or -1 on error. This means 0 return is not necessarily an error.

    Also, X509_NAME_oneline() return value needs to be checked as it may fail with a NULL return.

    Fixes: https://github.com/ruby/openssl/issues/200
| | * | x509name: refactor OpenSSL::X509::Name#to_s
    Kazuki Yamaguchi, 2018-08-08 (1 file, -18/+22)

    Extract the body into a function in preparation for adding #to_utf8. Also a potential memory leak is fixed: the GetX509Name() macro can raise TypeError.

    (cherry picked from commit 58964733f7d1f9646ecc344d127150aa7115760e)
| | * | test/test_x509name: change script encoding to ASCII-8BIT
    Kazuki Yamaguchi, 2018-08-08 (1 file, -1/+1)

    Allow string literals containing UTF-8 characters.

    (cherry picked from commit 98945c7ce8706309a6d358007f1fdb2a73711662)
* | | Merge branch 'maint-2.0' into maint
    Kazuki Yamaguchi, 2018-08-08 (18 files, -39/+130)

    The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with TLS 1.3", 2018-08-06) is applied to the new test cases.

    * maint-2.0:
      reduce LibreSSL warnings
      openssl_missing.h: constified
      openssl: search winsock
      search winsock libraries explicitly
      no ID cache in Init functions
      test/test_ssl: fix test failure with TLS 1.3
      tool/ruby-openssl-docker: update to latest versions
      pkey: resume key generation after interrupt
| * | Merge pull request #205 from rhenium/ky/pkey-generate-interrupt-resume
    Kazuki Yamaguchi, 2018-08-08 (2 files, -4/+26)

    pkey: resume key generation after interrupt [Bug #14882]
| | * | pkey: resume key generation after interrupt [ky/pkey-generate-interrupt-resume]
    Kazuki Yamaguchi, 2018-07-27 (2 files, -4/+26)

    Key/parameter generation (OpenSSL::PKey::*.{new,generate}) immediately aborts when it is done with GVL released (in other words, no block is given) and the thread is interrupted (e.g., by a signal) during the operation.

    Have ossl_generate_cb_2() acquire GVL and call rb_thread_check_ints() if needed to process the pending interrupt rather than abort the operation completely by returning 0.

    Reference: https://bugs.ruby-lang.org/issues/14882
| * | Merge pull request #209 from rhenium/ky/openssl-1.1.1-part2
    Kazuki Yamaguchi, 2018-08-08 (6 files, -35/+77)

    Test matrix update and additional test fixes for OpenSSL 1.1.1
| | * | test/test_ssl: fix test failure with TLS 1.3 [ky/openssl-1.1.1-part2]
    Kazuki Yamaguchi, 2018-08-06 (2 files, -15/+31)

    SSL_connect() on the client side may return before SSL_accept() on server side returns. This will fix test failures with OpenSSL's current master.
| | * | tool/ruby-openssl-docker: update to latest versions [ky/docker-image-update-201808]
    Kazuki Yamaguchi, 2018-08-06 (4 files, -20/+46)
| * | reduce LibreSSL warnings
    nobu, 2018-08-08 (1 file, -0/+4)

    * ext/openssl/extconf.rb: LibreSSL headers emit "overriding WinCrypt defines" warnings if wincrypt.h has been included (except for x509.h) on Windows. get rid of including the header by defining NOCRYPT macro.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64101 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r64101
| * | openssl_missing.h: constified
    nobu, 2018-08-08 (1 file, -2/+2)

    * ext/openssl/openssl_missing.h (IMPL_KEY_ACCESSOR{2,3}): constified obj argument getters.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63684 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r63684
| * | openssl: search winsock
    nobu, 2018-08-08 (1 file, -1/+3)

    * ext/openssl/extconf.rb: on Windows search winsock library always, regardless of pkg-config. direct use of winsock is not region of OpenSSL. [ruby-core:85895] [Bug #14568]

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62637 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r62637
| * | search winsock libraries explicitly
    nobu, 2018-08-08 (1 file, -0/+1)

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r62628
| * | no ID cache in Init functions
    nobu, 2018-08-08 (9 files, -0/+9)

    Init functions are called only once, cache is useless.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62429 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
    Sync-with-trunk: r62429
* | Ruby/OpenSSL 2.1.1 [v2.1.1]
    Kazuki Yamaguchi, 2018-05-12 (2 files, -2/+2)
* | Merge branch 'maint-2.0' into maint
    Kazuki Yamaguchi, 2018-05-12 (7 files, -7/+52)

    * maint-2.0:
      Ruby/OpenSSL 2.0.8
      test/test_ssl_session: set client protocol version explicitly
      test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
      extconf.rb: fix build with LibreSSL 2.7.0
      cipher: validate iterations argument for Cipher#pkcs5_keyivgen
      test/utils: disable Thread's report_on_exception in start_server
| * Ruby/OpenSSL 2.0.8 [v2.0.8]
    Kazuki Yamaguchi, 2018-05-12 (3 files, -2/+16)
| * Merge pull request #202 from rhenium/ky/openssl-1.1.1
    Kazuki Yamaguchi, 2018-05-12 (2 files, -6/+17)

    Test fixes for OpenSSL 1.1.1
| | * test/test_ssl_session: set client protocol version explicitly [ky/openssl-1.1.1]
    Kazuki Yamaguchi, 2018-05-11 (1 file, -5/+9)

    Clients that implement TLS 1.3's Middlebox Compatibility Mode will always provide a non-empty session ID in the ClientHello. This means the "get" callback for the server-side session caching may be called for the initial connection.
| | * test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
    Kazuki Yamaguchi, 2018-05-11 (1 file, -1/+8)

    OpenSSL 1.1.1 raised the minimum size for RSA keys to 512 bits.
| * | Merge pull request #193 from rhenium/ky/libressl-2.7
    Kazuki Yamaguchi, 2018-05-12 (1 file, -1/+4)

    extconf.rb: fix build with LibreSSL 2.7.0
| | * extconf.rb: fix build with LibreSSL 2.7.0 [ky/libressl-2.7]
    Kazuki Yamaguchi, 2018-03-24 (1 file, -1/+4)

    Our compat implementation of accessor functions that were introduced in OpenSSL 1.1.0 conflicts with those from LibreSSL 2.7.0. Use the HAVE_OPAQUE_OPENSSL code path when LibreSSL 2.7 or newer is detected.

    Fix suggested by Joel Sing.

    Fixes: https://github.com/ruby/openssl/issues/192
| * Merge pull request #184 from rhenium/ky/cipher-pkcs5-keyivgen-validate-iter
    Kazuki Yamaguchi, 2018-02-19 (2 files, -0/+5)

    cipher: validate iterations argument for Cipher#pkcs5_keyivgen
| | * cipher: validate iterations argument for Cipher#pkcs5_keyivgen [ky/cipher-pkcs5-keyivgen-validate-iter]
    Kazuki Yamaguchi, 2018-01-12 (2 files, -0/+5)

    EVP_BytesToKey() internally converts the iteration count given as an "int" into an "unsigned int". Calling that with a negative integer will result in a hang. This is surprising, so let's validate the value by ourselves and raise ArgumentError as necessary.
| * test/utils: disable Thread's report_on_exception in start_server
    Kazuki Yamaguchi, 2017-12-15 (1 file, -0/+12)

    Those threads can purposefully raise exceptions when they call 'pend'. The report_on_exception feature can be safely disabled in this case since we use assert_join_threads that captures all exceptions raised.

    This is necessary to suppress warnings on Ruby 2.5, which enables the report_on_exception feature by default.
* | Ruby/OpenSSL 2.1.0 [v2.1.0, ky/release-2.1.0]
    Kazuki Yamaguchi, 2017-12-14 (2 files, -3/+6)
* | Merge branch 'maint'
    Kazuki Yamaguchi, 2017-12-14 (3 files, -6/+17)

    * maint:
      Ruby/OpenSSL 2.0.7
      asn1: fix docs
      ssl: remove unreachable code
| * Ruby/OpenSSL 2.0.7 [v2.0.7, ky/release-2.0.7]
    Kazuki Yamaguchi, 2017-12-14 (3 files, -2/+17)