| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
It's possible that a PKCS #12 strucuture holds zero private keys. At
such a time PKCS12_parse() returns NULL as the private key. Likewise,
when the strucuture does not contain the corresponding certificate to
the private key, PKCS12_parse() returns NULL as the certificate.
Reported and fix suggested by Masahiro Tomita <tommy@tmtm.org>.
[ruby-dev:49776] [Bug #12726]
|
|\
| |
| |
| |
| |
| |
| | |
* topic/ssl-eliminate-init-vars:
ssl: eliminate SSLContext::INIT_VARS
ssl: hide callback_state from Ruby
ssl: don't store selected {EC,}DH parameter in an instance variable
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use rb_attr_get() instead of rb_iv_get() so that we can remove
SSLContext::INIT_VARS.
SSLContext::INIT_VARS contains the names of the instance variables used
in SSLContext. SSLContext#initialize sets nil for those variables. It
is necessary to suppress "instance variable @foo not initialized"
warnings emitted by rb_iv_get(). The warnings can be avoided by using
rb_attr_get() that does not check the existence of the variable. So use
it.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove '@' prefix from the variable name to hide it from Ruby.
Currently a SSLSocket instance allows modifying the value of
@callback_state if an user use Object#instance_variable_set. This is
dangerous because the variable is used for storing the tag jump state -
modifying it from Ruby can crash the process.
|
|/
|
|
|
|
|
|
| |
The OpenSSL::PKey::{DH,EC} object is stored in an instance variable to
prevent the object from being GC'd (cf. r51460). However it turned out
to be unnecessary. The underlying object, DH and EC_KEY, have a
reference counter and OpenSSL increments it for the object returned by
the callback functions.
|
|
|
|
|
|
|
|
|
| |
's2.connect' can block indefinitely depending on the version of OpenSSL.
Since the point of the test case is to check the failure path on ALPN
protocol selection callback, that is called on the server side, just
avoid blocking with SSLSocket#connect_nonblock on the client side. The
callback is called just after receiving the Client Hello so calling
SSLSocket#connect_nonblock once should be sufficient.
|
|
|
|
|
|
| |
The function can fail on memory allocation error. Note that the
function returns 0 on success unlike other almost all functions in
OpenSSL.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
They aren't exception safe - they are called during parsing the
Client/Server Hello from OpenSSL code. An exception raised in the
callbacks escapes directly from OpenSSL code so it can break internal
status of OpenSSL.
We have a procedure for handling such exceptions raised during an
handshake: catch them and store the state number in the SSLSocket
object, and then check it in ossl_ssl_start() and re-raise after the
control turned back to our side.
This fixes the instability of
TestSSL::test_alpn_protocol_selection_cancel.
|
|\
| |
| |
| |
| |
| |
| | |
* ruby-trunk r55822..r56028: (1 commits)
(r56028) * remove trailing spaces.
Sync-with-trunk: r56028
|
|/
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56028 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|\
| |
| | |
Linkify History.md for release 2.0.0 [ci skip]
|
| |
| |
| |
| | |
This reverts commit 59b22d480400e77109fe5c380f5e057ab857b4fb.
|
| |
| |
| |
| | |
/cc #61
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
|
|
|
| |
It can make use of ssl_pair. This allows removing 6 secs sleep.
|
|
|
|
|
| |
This suppresses runtime warning of "instance variable @group not
initialized".
|
|
|
|
|
|
|
| |
The assumption in commit 1b1d520818e0 ("x509ext: fix memory leak in
X509::ExtensionFactory#config=") was wrong. The uninitialized
X509V3_CTX::db can be referred through "r2i" functions when creating
certain types of extension that use them.
|
|
|
|
|
|
|
| |
Remove string2hex() and replace with newly added ossl_bin2hex(). Since
the output hex string is always returned to users as a String, we can
avoid the memory allocation by writing directly to the String buffer.
This also reduces some lines of code.
|
|
|
|
| |
Follow up commit 7fbfed8cf97b.
|
|
|
|
|
| |
It was not implemented in a good way - for example it doesn't compile on
Windows and causes 'rake compile' to fail... So remove for now.
|
|\
| |
| |
| |
| | |
* topic/cipher-auth-tag-len:
cipher: add Cipher#auth_tag_len=
|
| |
| |
| |
| |
| |
| | |
Add a method to set the authentication tag length to be generate by an
AEAD ciphers. In particular, OCB mode which is implemented in OpenSSL
1.1.0 requires this.
|
| | |
|
| |
| |
| |
| | |
Add me to authors and cleanup files.
|
| |
| |
| |
| | |
It's written in rather Markdown.
|
| |
| |
| |
| |
| | |
OCSP_{basic,request}_verify() can return a negative value for
verification failure.
|
| |
| |
| |
| | |
Reference: https://rt.openssl.org/Ticket/Display.html?id=2560
|
| |
| |
| |
| | |
Remove unnecessary or duplicate assertions, and merge test cases.
|
| |
| |
| |
| |
| |
| | |
The variable names 'flg' and 'flags' are mixed up and it doesn't set
OCSP_NOCERTS flag correctly when the 'certs' argument is not given.
[Bug #12704] [ruby-core:77061]
|
| |
| |
| |
| |
| | |
The removed assertions are wrong and testing a bug - the verification
must fail because OpenSSL shouldn't find the signer's certificate.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Fix compiler errors and warnings. The order of parameters of
X509_{CRL,REQ}_get0_signature() has been changed, and certificate and
CRL time accessors have been reorganized: *_get_* functions are
deprecated and replaced by *_get0_* that return a const pointer.
|
| |
| |
| |
| | |
In order to avoid compiler warnings when build with OpenSSL 1.1.0.
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* topic/argument-conversion:
bn: optimize try_convert_to_bnptr() for non-BN objects
Avoid using *2FIX() where we don't know if it really fits in Fixnum
pkey: allow non-BN object as the multiplier in PKey::EC::Point#mul
cipher: allow cipher name in GetCipherPtr()
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use the same logic as BN#initialize. It is used through GetBNPtr(). For
example, with this change, the following code will be about 7x faster:
puts Benchmark.measure {
a = 0.to_bn
b = 2 ** 2048
i = 0; a + b while (i += 1) <= 1_000_000
}
|
| | | |
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The function GetCipherPtr() is used when we want a const EVP_CIPHER that
represents a cipher algorithm. This change allows users to write a code
that exports a PKey encrypted without creating an OpenSSL::Cipher
instance:
pkey = OpenSSL::PKey.read(...)
pkey.export("aes-128-cbc") { password }
This is the same as what happened to GetDigestPtr() in r12128.
|
|\ \
| | |
| | | |
[WIP] Add NEWS and update CONTRIBUTING.md
|
| |\ \
| | | |
| | | | |
Fixup Docker and Testing docs
|
| | | | |
|
| |/ / |
|
| | | |
|
| |\ \
| | | |
| | | | |
Readme contrib docs
|
| | | | |
|
| | | | |
|