| Commit message | Author | Age | Files | Lines |
[ This is a backport to the 2.2 branch to fix build with LibreSSL. ]
OpenSSL 3.0 fixed the typo in the function name and replaced the
current 'CTS' version with a macro.
(cherry picked from commit 2be6779b08161a084a1a5d2758de21a913740b94)
|
The workaround is not needed on LibreSSL 3.5. LibreSSL 3.5 at the same
time made the structure opaque, so it does not compile.
This is a patch to the 2.2 branch; the code no longer exists in v3.0.
|
maint-2.2 Actions - update workflow to use OpenSSL 1.1.1, actions/checkout@v3
|
raise when EC_POINT_cmp or EC_GROUP_cmp error instead of returning true
|
pkey/ec: fix multiple ossl_raise() calls using cEC_POINT instead of eEC_POINT
|
* maint-2.1:
Ruby/OpenSSL 2.1.4
Make GitHub Actions happy on 2.1/2.2 branches
ignore pkgconfig when any openssl option is specified
|
This is a backport to the 2.1 branch. The Pull Request was accidentally
merged into master instead.
* upstream/pr/486:
ignore pkgconfig when any openssl option is specified
|
[ This is a backport to the 2.2 branch. ]
AES CCM mode in OpenSSL <= 1.1.1b was overly strict in the parameters
assignment order. This has been relaxed by OpenSSL 1.1.1c.
https://github.com/openssl/openssl/commit/b48e3be947ddc5da6b5a86db8341081c72b9a4ee
The test case is failing on Ubuntu 18.04 because it still uses the
initial 1.1.1 release and has the issue:
http://rubyci.s3.amazonaws.com/graviton2/ruby-master/log/20210316T120003Z.fail.html.gz
(cherry picked from commit ruby/ruby@44d67128a827c65d1a3867c5d8fd190d10aa1dd2)
(cherry picked from commit c7edb0a0f93ef6e137481d59103aec5fe09c3d66)
|
[ This is a backport to the 2.2 branch. ]
ossl_bn_ctx is C's global variable and it should be ractor-local
to make it ractor-safe.
ruby/ruby@b5588edc0a538de840c79e0bbc9d271ba0c5a711
(cherry picked from commit 9e7cf9e930cb986a04e312cb576814254dff13be and
commit f2db943e8f19d4fa7bf871b9914dd9b92a5fbe6f)
|
[ This is a backport to the 2.2 branch. ]
Made stored values `Symbol`s instead of `ID`s.
Fixes https://bugs.ruby-lang.org/issues/17625
Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com>
(cherry picked from commit f2d004679a62408a89d7304b229c24e789b94776)
|
[ This is a backport to the 2.2 branch. ]
(cherry picked from commit 03304838c931d9600617241909974df5ef58d06b)
|
[ This is a backport to the 2.2 branch. ]
```
find . -name \*.o -exec nm {} + |&
sed '/Init_.*\.rbimpl_id/!d;s/^.* b //;s/\.[1-9][0-9]*$//;s/\.rbimpl_id$//' |
uniq
```
should be empty.
(cherry picked from commit 9e4d4704e65bccd3cedeb9a07c9101f3c2eb02e9)
|
[ This is a backport to the 2.2 branch. ]
(cherry picked from commit 942bb13afaff7d4ec19b4337c6972476c373c988)
|
LibreSSL 2.2.x has a bug in the Finished message handling with TLS 1.3.
This is fixed by LibreSSL 3.3.2.
|
* maint-2.1:
Ruby/OpenSSL 2.1.3
ssl: avoid directly storing String object in NPN callback
x509store: explicitly call rb_gc_mark() against Store/StoreContext
ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects
digest: load digest library using Kernel#require
pkey: use RSTRING_LENINT() instead of casting to int
ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
.github/workflows: update OpenSSL/LibreSSL versions
test: adjust test cases for LibreSSL 3.2.4
ssl: temporary lock string buffer while reading
ssl: create a temporary frozen string buffer when writing
Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL
|
Fix GC.compact compatibility
|
On the server side, the serialized list of protocols is stored in
SSL_CTX as a String object reference. We utilize a hidden instance
variable to prevent it from being GC'ed, but this is not enough because
it can also be relocated by GC.compact.
|
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
|
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
|
digest: load digest library using Kernel#require
|
The digest library is a default gem now, too. Therefore we can't simply
use rb_require() to load it, but we should use Kernel#require instead.
This change is based on the suggestion by David Rodríguez in
https://github.com/ruby/digest/commit/16172612d56ac42f57e5788465791329303ac5d0#commitcomment-57778397
|
pkey: use RSTRING_LENINT() instead of casting to int
|
RSTRING_LENINT() checks the range of int and raises an exception as
necessary. OpenSSL::PKey::EC#dsa_verify_asn1 currently does not do this,
and giving a too big string to it can trigger a surprising behavior:
```
ec.dsa_verify_asn1(digest, signature) #=> true
ec.dsa_verify_asn1(digest, signature + "x" * 2**32) #=> true
```
Reference: https://hackerone.com/reports/1246050
|
ssl: prevent string buffers from being modified outside #sys{read,write}
|
Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows
context switches. We must prevent other threads from modifying the
string buffer.
We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily
prohibit modification of the string.
|
Since a blocking SSLSocket#syswrite call allows context switches while
waiting for the underlying socket to be ready, we must freeze the string
buffer to prevent other threads from modifying it.
Reference: https://github.com/ruby/openssl/issues/452
|
[ This is a backport to the 2.1 branch. ]
* See https://bugs.ruby-lang.org/issues/18025
and https://github.com/ruby/ruby/pull/4629
(cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
|
[2.1.x and 2.2.x] ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
|
Ruby/OpenSSL 2.1.x and 2.2.x will not support OpenSSL 3.0 API. Let's
make extconf.rb explicitly check the version number to be within the
acceptable range, since it will not compile anyway.
Reference: https://bugs.ruby-lang.org/issues/18192
|
This is a backport to the 2.1 branch of the following commits:
- a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03)
- a9954bac22ba ("test: adjust test cases for LibreSSL 3.2.4", 2021-02-25)
|
fix segv in Timestamp::{Request,Response,TokenInfo}.new
|
prevent `ossl_ts_*_free()` from being called when `d2i_TS_*_bio()` failed.
|
libressl build fix warning TS_time_cb on libressl expects an long lon…
|
TS_time_cb on libressl expects a long long/time_t 64 bits long instead.
|
* maint-2.1: (22 commits)
test/openssl/test_ssl: skip test_fallback_scsv if necessary
test/openssl/test_ssl.rb: ignore SSLError when the connection is closed
Fixed misspellings
ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations
Guard static variable first
ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0
drop-in type check for rb_define_module_function
rb_iterate now takes rb_block_call_func_t
Add a /* fall through */ comment
test/openssl/utils.rb: Extend the timeout
test/test_ssl.rb: Use TLS1.2
test/test_ssl.rb: Use larger keys
test: use larger keys for SSL tests
test/test_pair: fix deadlock in test_connect_accept_nonblock
Ignore warnings about ambiguous first argument with the negative integer.
ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGV
errno.h must be included after config.h because config.h might define _REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined on some architectures
Fix call-seq of OpenSSL.fips_mode and WIN32OLE_METHOD#name [ci skip]
Remove -Wno-parentheses flag.
Correctly verify abbreviated IPv6 SANs
...
|
[ This is a backport to the 2.1 branch. ]
Run the test case only when the OpenSSL supports both TLS 1.1 and TLS
1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and
not for 1.3.
Fixes: https://github.com/ruby/openssl/issues/336
(cherry picked from commit 6f2e6d7cf777b378b3b51c239abecb4e4af49824)
|
[ This is a backport to the 2.1 branch. ]
"test_close_after_socket_close" checks if ssl.close is no-op even after
the wrapped socket is closed. The test itself is fair, but the other
endpoint that is reading the SSL connection may fail with SSLError:
"SSL_read: unexpected eof while reading" in some environments:
https://github.com/ruby/ruby/actions/runs/60085389 (MinGW)
https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz
```
1) Failure:
OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]:
exceptions on 1 threads:
SSL_read: unexpected eof while reading
```
This changeset rescues and ignores the SSLError in the test.
(cherry picked from commit 96a481b5728c12d6b5f4d99040ad2c77443c94a2)
|
[ This is a backport to the 2.1 branch. ]
Fixed misspellings reported at [Bug #16437], for default gems.
(cherry picked from commit ruby/ruby@e68999c82c4863d33a6f893661fba1b7538c5671)
|
This is a combined commit of the following commits by mame and nobu:
- 0d7d8b2989e1 ("ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations", 2019-12-05)
- c3abbc1b2f52 ("ext/openssl/extconf.rb: check with -Werror=deprecated-declarations", 2019-12-05)
-Werror=deprecated-declarations should only be used while checking
available features, and not for compiling the extension itself.
This is a backport to the 2.1 branch from ruby.git. Note that current
master (targeting 3.0) completely removed ext/openssl/deprecation.rb.
|