| Commit message (Collapse) | Author | Age | Files | Lines |
|
The constant was initially introduced just to skip test cases that do
not work with old versions without AES-GCM cipher suites support
(< 1.0.1).
However, the value of the constant has been always `false' because the
macro TLS_DH_anon_WITH_AES_256_GCM_SHA384 does not exist in any version
of OpenSSL.
We no longer use it as of commit c9d1659f4027 ("test/utils: remove
use_anon_cipher option from SSLTestCase#start_server", 2016-09-06).
Let's just remove the constant.
|
* maint:
  Ruby/OpenSSL 2.0.3
  .travis.yml: test with Ruby 2.4
  ruby-openssl-docker: update versions of Ruby and OpenSSL
  x509: fix OpenSSL::X509::Name#eql?
  test/envutil: fix assert_raise_with_message
  buffering: fix typo in doc
|
Ruby 2.3.3/2.4.0, OpenSSL 1.0.2k/1.1.0d and LibreSSL 2.3.9/2.4.4.
|
Commit 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()",
2016-09-08) incorrectly inverted the result. Fix it, and add a test
case for this.
Fixes: 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()")
|
Import mu_pp method from Ruby trunk.
|
* topic/ssl-certificate-verify-error-desc:
  ssl: show reason of 'certificate verify error' in exception message
  Make exceptions with the same format regardless of OpenSSL.debug
|
The 'certificate verify error' is one of the most common errors that can
be raised by OpenSSL::SSL::SSLSocket#connect. The certificate
verification may fail due to many different issues such as misconfigured
trusted certificate store or inaccurate system clock.
Unfortunately, since the detail is not put to the queue and is only
accessible through OpenSSL::SSL::SSLSocket#verify_result, it is
sometimes hard to figure out the real reason. Let's include a human
readable reason message in the exception message. Like this:
    require "socket"
    require "openssl"
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.set_params(cert_store: OpenSSL::X509::Store.new)
    ssl = OpenSSL::SSL::SSLSocket.new(Socket.tcp("www.ruby-lang.org", 443), ctx)
    ssl.connect
    #=>
    -:7:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
            from -:7:in `<main>'
|
As the current behavior is useless. If OpenSSL.debug is set to true,
errors put to the error queue will be printed to stderr anyway.
|
* topic/ssl-move-default-dh-params:
  ssl: move default DH parameters from OpenSSL::PKey::DH
|
They should belong to OpenSSL::SSL rather than OpenSSL::PKey::DH.
|
* topic/test-memory-leak:
  Enable OSSL_MDEBUG on CI builds
  Add OpenSSL.print_mem_leaks
  test: prepare test PKey instances on demand
  test: let OpenSSL::TestCase include OpenSSL::TestUtils
  Don't define main() when built with --enable-debug
|
Add a wrapper method for CRYPTO_mem_leaks_fp(stderr). Calling the method
at the end of programs helps debugging memory leak bugs in Ruby/OpenSSL.
This is defined only when --enable-debug option is given when building
Ruby/OpenSSL, and the OpenSSL version is capable.
The test suite recognizes 'OSSL_MDEBUG' environment variable. Set to '1'
to enable the memory leak checker. This would prevent creating another
memory leak problem at least on the success paths. Note that this may
print some false-positives with OpenSSL <= 1.0.2.
It was once introduced by f0754f0b2f33 ("test: add test/mdebug
extension", 2016-08-06) as a separate native extension, but reverted by
4c1ca7669180 ("Remove test/mdebug", 2016-08-26) because it didn't work
on Windows. Let's re-introduce as part of openssl.so.
|
Preparing for the introduction of the memory leak checker. Do not leave
OpenSSL objects in constants that wouldn't be GCed in order to avoid
false positives.
|
OpenSSL::TestPKCS12 is already doing this - let's apply to all test
files. This allows removing redundant 'issue_cert' declarations.
|
It is unnecessary as we have a test suite that does the job.
|
* maint:
  appveyor.yml: update OpenSSL version to 1.0.2j
  Fix build with static OpenSSL libraries on Windows
  Fix for ASN1::Constructive 'each' implementation
|
The new RubyInstaller 2.3.3 uses OpenSSL 1.0.2j. This will fix CI build
on AppVeyor. Note that this is not a future-proof resolution; the future
releases of RubyInstaller that AppVeyor will use may require another
incompatible version of OpenSSL.
|
* topic/windows-static-linking-without-pkg-config:
  Fix build with static OpenSSL libraries on Windows
|
OpenSSL <= 1.0.2 requires gdi32 for RAND_screen(). OpenSSL >= 1.1.0 no
longer has RAND_screen() but it now requires crypt32. If pkg-config is
usable, they are automatically linked, but if it is not, configuring
Ruby/OpenSSL fails.
Fixes: https://bugs.ruby-lang.org/issues/13080
|
Fix for ASN1::Constructive 'each' implementation
|
Tests for OpenSSL::BN are re-written. OpenSSL::BN now implements unary+
operator, unary- operator and negative? method.
* topic/bn-updates:
  bn: implement OpenSSL::BN#negative?
  bn: implement unary {plus,minus} operators for OpenSSL::BN
  bn: refine tests
|
Numeric class implemented #negative? and #positive? in Ruby 2.3. Let's
follow that.
|
For consistency with Numeric. Not sure why they aren't currently; maybe
they were simply forgotten.
|
Many methods in OpenSSL::BN are currently untested. Since OpenSSL::BN is
mostly simple wrapper of BIGNUM, it would be unnecessary to have
detailed test cases, but we should have a basic test case so that we
don't mix up BIGNUM functions in the binding layer.
|
* topic/drop-openssl-098-and-100:
  Remove support for OpenSSL 0.9.8 and 1.0.0
|
They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses a
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.
|
Fix 'unsupported key type' error if OpenSSL::SSL::SSLSocket#tmp_key is
called when X25519 is used for key exchange.
EVP_PKEY may have a key type that we don't have a dedicated
subclass. Let's allow instantiating OpenSSL::PKey::PKey with such an
EVP_PKEY, although the resulting instance is not so useful because it
can't be exported at the moment.
|
Restore the old behavior of OpenSSL::SSL::Session#==.
SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the
time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque
structs", 2016-06-05).
|
To avoid symbol conflict that would occur if two versions of OpenSSL are
loaded at the same time.
|
SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add
alternative macro definition for ancient versions of OpenSSL.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693
|
* ruby-trunk r56927..r56953: (3 commits)
  (r56953) openssl: import fixes from upstream
  (r56948) ossl.c: cast
  (r56946) openssl: import v2.0.0
Sync-with-trunk: r56953
|
Import the following two commits from upstream:
  commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611
  Author: Kazuki Yamaguchi <k@rhe.jp>
  Date: Thu Dec 1 22:27:03 2016 +0900
      pkey: check existence of EVP_PKEY_get0()
      EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
      ourselves if needed.
  commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5
  Author: Kazuki Yamaguchi <k@rhe.jp>
  Date: Thu Dec 1 22:13:22 2016 +0900
      test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d
      Set the authentication tag before the AAD when decrypting.
      Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
      in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
      OpenSSL 1.0.1d), the authentication tag must be set before any calls of
      EVP_CipherUpdate().
They should fix build on CentOS 5 and Ubuntu 12.04 respectively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
* ext/openssl/ossl.c (ossl_pem_passwd_cb): cast to int. it's safe
because len does not exceed int max_len.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
asn1: handle GENERALIZEDTIME without seconds
|
Fix a typo in ossl_engine.c
|
Follow-up for 56354a3b9aef that changed sync:to_ruby Rake task to
include History.md in Ruby tree. Since History.md is located directly
under root in this repository, it needs to be renamed.
|
* topic/under-gc-stress:
  test: run test cases under GC.stress if OSSL_GC_STRESS is specified
  test/test_pair: make TestPairM#test_write_nonblock_retry faster
  test: call super from each test case's 'setup' method
  ssl: prevent encoded NPN advertised protocol list from being GCed
  bn: keep reference to temporary OpenSSL::BN object created by GetBNPtr()
|
This would have caught some of GC issues like one reported at
[ruby/openssl#87].
|