* Ruby/OpenSSL 2.2.3 [maint-2.2, ky/release-2.2.3] (Kazuki Yamaguchi, 2022-12-23; 3 files, -2/+17)
* ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs (Kazuki Yamaguchi, 2022-12-23; 3 files, -2/+10)
  [ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
  OpenSSL 3.0 fixed the typo in the function name and replaced the current 'CTS' version with a macro.
  (cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
* ocsp: disable OCSP_basic_verify() workaround on LibreSSL 3.5 (Kazuki Yamaguchi, 2022-12-23; 1 file, -1/+2)
  The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same time made the structure opaque, so it does not compile. This is a patch to the 2.2 branch; the code no longer exists in v3.0.
* Merge pull request #572 from MSP-Greg/maint-2.2-actions (Kazuki Yamaguchi, 2022-12-18; 1 file, -7/+7)
  maint-2.2 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
  * Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3 (MSP-Greg, 2022-11-28; 1 file, -7/+7)
* Merge pull request #564 from bannable/ec_point_ops-raise (Kazuki Yamaguchi, 2022-12-18; 1 file, -7/+11)
  raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
  * raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true (Joe Truba, 2022-11-23; 1 file, -7/+11)
* Merge pull request #570 from bannable/ec_fix-raises-maint-2.2 (Kazuki Yamaguchi, 2022-12-18; 1 file, -5/+5)
  pkey/ec: fix multiple ossl_raise() calls using cEC_POINT instead of eEC_POINT
  * pkey/ec: fix ossl_raise() calls using cEC_POINT instead of eEC_POINT (Joe Truba, 2022-11-27; 1 file, -5/+5)
* Ruby/OpenSSL 2.2.2 [v2.2.2] (Kazuki Yamaguchi, 2022-09-08; 3 files, -2/+8)
* Merge branch 'maint-2.1' into maint-2.2 (Kazuki Yamaguchi, 2022-09-08; 4 files, -3/+15)
  * maint-2.1:
    Ruby/OpenSSL 2.1.4
    Make GitHub Actions happy on 2.1/2.2 branches
    ignore pkgconfig when any openssl option is specified
  * Ruby/OpenSSL 2.1.4 [v2.1.4, maint-2.1] (Kazuki Yamaguchi, 2022-09-08; 3 files, -2/+12)
  * Make GitHub Actions happy on 2.1/2.2 branches (Kazuki Yamaguchi, 2022-09-08; 2 files, -1/+3)
  * Merge remote-tracking branch 'upstream/pr/486' into maint-2.1 (Kazuki Yamaguchi, 2022-09-02; 1 file, -2/+2)
    This is a backport to the 2.1 branch. The Pull Request was accidentally merged into master instead.
    * upstream/pr/486:
      ignore pkgconfig when any openssl option is specified
    * ignore pkgconfig when any openssl option is specified (Stefan Kaes, 2022-01-11; 1 file, -2/+2)
* test/openssl/test_cipher: skip AES-CCM tests on OpenSSL <= 1.1.1b (Kazuki Yamaguchi, 2022-09-08; 1 file, -1/+1)
  [ This is a backport to the 2.2 branch. ]
  AES CCM mode in OpenSSL <= 1.1.1b was overly strict in the parameters assignment order. This has been relaxed by OpenSSL 1.1.1c.
  https://github.com/openssl/openssl/commit/b48e3be947ddc5da6b5a86db8341081c72b9a4ee
  The test case is failing on Ubuntu 18.04 because it still uses the initial 1.1.1 release and has the issue:
  http://rubyci.s3.amazonaws.com/graviton2/ruby-master/log/20210316T120003Z.fail.html.gz
  (cherry picked from commit ruby/ruby@44d67128a827c65d1a3867c5d8fd190d10aa1dd2)
  (cherry picked from commit c7edb0a0f93ef6e137481d59103aec5fe09c3d66)
* Ruby/OpenSSL 2.2.1 [v2.2.1, ky/release-2.2.1] (Kazuki Yamaguchi, 2021-10-16; 3 files, -2/+19)
* openssl is ractor-safe (Koichi Sasada, 2021-10-16; 3 files, -12/+72)
  [ This is a backport to the 2.2 branch. ]
  ossl_bn_ctx is a C global variable and it should be ractor-local to make it ractor-safe.
  ruby/ruby@b5588edc0a538de840c79e0bbc9d271ba0c5a711
  (cherry picked from commit 9e7cf9e930cb986a04e312cb576814254dff13be and commit f2db943e8f19d4fa7bf871b9914dd9b92a5fbe6f)
* Fixed the results of OpenSSL::Timestamp::Response#failure_info (Nobuyoshi Nakada, 2021-10-16; 2 files, -11/+16)
  [ This is a backport to the 2.2 branch. ]
  Made stored values `Symbol`s instead of `ID`s.
  Fixes https://bugs.ruby-lang.org/issues/17625
  Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com>
  (cherry picked from commit f2d004679a62408a89d7304b229c24e789b94776)
* Don't redefine #rb_intern over and over again (Stefan Stüben, 2021-10-16; 1 file, -34/+32)
  [ This is a backport to the 2.2 branch. ]
  (cherry picked from commit 03304838c931d9600617241909974df5ef58d06b)
* Use rb_intern_const instead of rb_intern in Init functions (Nobuyoshi Nakada, 2021-10-16; 1 file, -13/+13)
  [ This is a backport to the 2.2 branch. ]
  ```
  find . -name \*.o -exec nm {} + |& sed '/Init_.*\.rbimpl_id/!d;s/^.* b //;s/\.[1-9][0-9]*$//;s/\.rbimpl_id$//' | uniq
  ```
  should be empty.
  (cherry picked from commit 9e4d4704e65bccd3cedeb9a07c9101f3c2eb02e9)
* Remove trailing spaces [ci skip] (Nobuyoshi Nakada, 2021-10-16; 2 files, -2/+2)
  [ This is a backport to the 2.2 branch. ]
  (cherry picked from commit 942bb13afaff7d4ec19b4337c6972476c373c988)
* test/openssl/test_ssl: use TLS 1.2 for finished_messages on LibreSSL (Kazuki Yamaguchi, 2021-10-16; 1 file, -0/+1)
  LibreSSL 2.2.x has a bug in the Finished message handling with TLS 1.3. This is fixed by LibreSSL 3.3.2.
* Merge branch 'maint-2.1' into maint-2.2 (Kazuki Yamaguchi, 2021-10-16; 10 files, -73/+195)
  * maint-2.1:
    Ruby/OpenSSL 2.1.3
    ssl: avoid directly storing String object in NPN callback
    x509store: explicitly call rb_gc_mark() against Store/StoreContext
    ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects
    digest: load digest library using Kernel#require
    pkey: use RSTRING_LENINT() instead of casting to int
    ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
    .github/workflows: update OpenSSL/LibreSSL versions
    test: adjust test cases for LibreSSL 3.2.4
    ssl: temporary lock string buffer while reading
    ssl: create a temporary frozen string buffer when writing
    Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL
  * Ruby/OpenSSL 2.1.3 [v2.1.3, ky/release-2.1.3] (Kazuki Yamaguchi, 2021-10-16; 3 files, -2/+38)
  * Merge pull request #465 from rhenium/ky/ssl-mark-reverse-references (Kazuki Yamaguchi, 2021-10-16; 2 files, -19/+42)
    Fix GC.compact compatibility
    * ssl: avoid directly storing String object in NPN callback [ky/ssl-mark-reverse-references] (Kazuki Yamaguchi, 2021-10-14; 1 file, -2/+2)
      On the server side, the serialized list of protocols is stored in SSL_CTX as a String object reference. We utilize a hidden instance variable to prevent it from being GC'ed, but this is not enough because it can also be relocated by GC.compact.
    * x509store: explicitly call rb_gc_mark() against Store/StoreContext (Kazuki Yamaguchi, 2021-10-14; 1 file, -15/+23)
      We store the reverse reference to the Ruby object in the OpenSSL struct for use from OpenSSL callback functions. To prevent the Ruby object from being relocated by GC.compact, we must "pin" it by calling rb_gc_mark().
    * ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects (Kazuki Yamaguchi, 2021-10-14; 1 file, -2/+17)
      We store the reverse reference to the Ruby object in the OpenSSL struct for use from OpenSSL callback functions. To prevent the Ruby object from being relocated by GC.compact, we must "pin" it by calling rb_gc_mark().
  * Merge pull request #463 from rhenium/ky/require-digest-gem (Kazuki Yamaguchi, 2021-10-14; 1 file, -2/+6)
    digest: load digest library using Kernel#require
    * digest: load digest library using Kernel#require [ky/require-digest-gem] (Kazuki Yamaguchi, 2021-10-12; 1 file, -2/+6)
      The digest library is a default gem now, too. Therefore we can't simply use rb_require() to load it, but we should use Kernel#require instead.
      This change is based on the suggestion by David Rodríguez in https://github.com/ruby/digest/commit/16172612d56ac42f57e5788465791329303ac5d0#commitcomment-57778397
  * Merge pull request #460 from rhenium/ky/pkey-ec-verify-overflow (Kazuki Yamaguchi, 2021-09-28; 1 file, -8/+8)
    pkey: use RSTRING_LENINT() instead of casting to int
    * pkey: use RSTRING_LENINT() instead of casting to int [ky/pkey-ec-verify-overflow] (Kazuki Yamaguchi, 2021-09-27; 1 file, -8/+8)
      RSTRING_LENINT() checks the range of int and raises an exception as necessary. OpenSSL::PKey::EC#dsa_verify_asn1 currently does not do this, and giving a too big string to it can trigger a surprising behavior:
        ec.dsa_verify_asn1(digest, signature) #=> true
        ec.dsa_verify_asn1(digest, signature + "x" * 2**32) #=> true
      Reference: https://hackerone.com/reports/1246050
  * Merge pull request #453 from rhenium/ky/ssl-sysread-syswrite-protect-buffer (Kazuki Yamaguchi, 2021-09-28; 1 file, -12/+24)
    ssl: prevent string buffers from being modified outside #sys{read,write}
    * ssl: temporary lock string buffer while reading [ky/ssl-sysread-syswrite-protect-buffer] (Kazuki Yamaguchi, 2021-09-27; 1 file, -5/+16)
      Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows context switches. We must prevent other threads from modifying the string buffer. We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily prohibit modification of the string.
    * ssl: create a temporary frozen string buffer when writing (Kazuki Yamaguchi, 2021-09-27; 1 file, -5/+5)
      Since a blocking SSLSocket#syswrite call allows context switches while waiting for the underlying socket to be ready, we must freeze the string buffer to prevent other threads from modifying it.
      Reference: https://github.com/ruby/openssl/issues/452
    * Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL (Benoit Daloze, 2021-09-27; 1 file, -2/+3)
      [ This is a backport to the 2.1 branch. ]
      * See https://bugs.ruby-lang.org/issues/18025 and https://github.com/ruby/ruby/pull/4629
      (cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
  * Merge pull request #458 from rhenium/ky/maint-refuse-openssl-3.0 (Kazuki Yamaguchi, 2021-09-27; 6 files, -32/+80)
    [2.1.x and 2.2.x] ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
    * ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3 [ky/maint-refuse-openssl-3.0] (Kazuki Yamaguchi, 2021-09-27; 1 file, -18/+25)
      Ruby/OpenSSL 2.1.x and 2.2.x will not support OpenSSL 3.0 API. Let's make extconf.rb explicitly check the version number to be within the acceptable range, since it will not compile anyway.
      Reference: https://bugs.ruby-lang.org/issues/18192
    * .github/workflows: update OpenSSL/LibreSSL versions (Kazuki Yamaguchi, 2021-09-27; 1 file, -3/+4)
    * test: adjust test cases for LibreSSL 3.2.4 (Kazuki Yamaguchi, 2021-09-27; 4 files, -11/+51)
      This is a backport to the 2.1 branch of the following commits:
      - a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03)
      - a9954bac22ba ("test: adjust test cases for LibreSSL 3.2.4", 2021-02-25)
* Merge pull request #407 from no6v/fix-timestamp-segv (Kazuki Yamaguchi, 2021-09-27; 2 files, -3/+27)
  fix segv in Timestamp::{Request,Response,TokenInfo}.new
  * fix segv in Timestamp::{Request,Response,TokenInfo}.new (Nobuhiro IMAI, 2021-09-27; 2 files, -3/+27)
    prevent `ossl_ts_*_free()` from being called when `d2i_TS_*_bio()` failed.
* Merge pull request #454 from devnexen/libressl_fix (Kazuki Yamaguchi, 2021-09-27; 1 file, -0/+4)
  libressl build fix warning TS_time_cb on libressl expects a long lon…
  * ts: libressl build fix warning (David Carlier, 2021-09-27; 1 file, -0/+4)
    TS_time_cb on libressl expects a long long/time_t 64 bits long instead.
* Merge branch 'maint-2.1' into maint-2.2 (Kazuki Yamaguchi, 2021-09-27; 2 files, -8/+9)
  * maint-2.1: (22 commits)
    test/openssl/test_ssl: skip test_fallback_scsv if necessary
    test/openssl/test_ssl.rb: ignore SSLError when the connection is closed
    Fixed misspellings
    ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations
    Guard static variable first
    ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0
    drop-in type check for rb_define_module_function
    rb_iterate now takes rb_block_call_func_t
    Add a /* fall through */ comment
    test/openssl/utils.rb: Extend the timeout
    test/test_ssl.rb: Use TLS1.2
    test/test_ssl.rb: Use larger keys
    test: use larger keys for SSL tests
    test/test_pair: fix deadlock in test_connect_accept_nonblock
    Ignore warnings about ambiguous first argument with the negative integer.
    ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGV
    errno.h must be included after config.h because config.h might define _REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined on some architectures
    Fix call-seq of OpenSSL.fips_mode and WIN32OLE_METHOD#name [ci skip]
    Remove -Wno-parentheses flag.
    Correctly verify abbreviated IPv6 SANs
    ...
  * test/openssl/test_ssl: skip test_fallback_scsv if necessary (Kazuki Yamaguchi, 2021-09-26; 1 file, -0/+4)
    [ This is a backport to the 2.1 branch. ]
    Run the test case only when the OpenSSL supports both TLS 1.1 and TLS 1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and not for 1.3.
    Fixes: https://github.com/ruby/openssl/issues/336
    (cherry picked from commit 6f2e6d7cf777b378b3b51c239abecb4e4af49824)
  * test/openssl/test_ssl.rb: ignore SSLError when the connection is closed (Yusuke Endoh, 2021-09-26; 1 file, -1/+6)
    [ This is a backport to the 2.1 branch. ]
    "test_close_after_socket_close" checks if ssl.close is no-op even after the wrapped socket is closed. The test itself is fair, but the other endpoint that is reading the SSL connection may fail with SSLError: "SSL_read: unexpected eof while reading" in some environments:
    https://github.com/ruby/ruby/actions/runs/60085389 (MinGW)
    https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz
    ```
    1) Failure:
    OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]:
    exceptions on 1 threads:
    SSL_read: unexpected eof while reading
    ```
    This changeset rescues and ignores the SSLError in the test.
    (cherry picked from commit 96a481b5728c12d6b5f4d99040ad2c77443c94a2)
  * Fixed misspellings (Nobuyoshi Nakada, 2021-09-26; 1 file, -8/+8)
    [ This is a backport to the 2.1 branch. ]
    Fixed misspellings reported at [Bug #16437], for default gems.
    (cherry picked from commit ruby/ruby@e68999c82c4863d33a6f893661fba1b7538c5671)
  * ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations (Kazuki Yamaguchi, 2021-09-26; 2 files, -2/+7)
    This is a combined commit of the following commits by mame and nobu:
    - 0d7d8b2989e1 ("ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations", 2019-12-05)
    - c3abbc1b2f52 ("ext/openssl/extconf.rb: check with -Werror=deprecated-declarations", 2019-12-05)
    -Werror=deprecated-declarations should only be used while checking available features, and not for compiling the extension itself.
    This is a backport to the 2.1 branch from ruby.git. Note that current master (targeting 3.0) completely removed ext/openssl/deprecation.rb.