| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
Ruby 2.3.3/2.4.0, OpenSSL 1.0.2k/1.1.0d and LibreSSL 2.3.9/2.4.4.
|
| |
|
|
|
|
|
|
| |
Commit 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()",
2016-09-08) incorrectly inverted the result. Fix it, and add a test
case for this.
Fixes: 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()")
|
| |
|
|
| |
Import mu_pp method from Ruby trunk.
|
| | |
|
| |
|
|
|
|
|
| |
The new RubyInstaller 2.3.3 uses OpenSSL 1.0.2j. This will fix CI build
on AppVayor. Note that this is not a future-proof resolution; the future
releases of RubyInstaller that AppVayor will use may require another
incompatible version of OpenSSL.
|
| |\
| |
| |
| |
| | |
* topic/windows-static-linking-without-pkg-config:
Fix build with static OpenSSL libraries on Windows
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL <= 1.0.2 requires gdi32 for RAND_screen(). OpenSSL >= 1.1.0 no
longer has RAND_screen() but it now requires crypt32. If pkg-config is
usable, they are automatically linked, but if it is not, configuring
Ruby/OpenSSL fails.
Fixes: https://bugs.ruby-lang.org/issues/13080
|
| |\ \
| |/
|/| |
Fix for ASN1::Constructive 'each' implementation
|
| |/ |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Fix 'unsupported key type' error if OpenSSL::SSL::SSLSocket#tmp_key is
called when X25519 is used for key exchange.
EVP_PKEY may have a key type that we don't have have a dedicated
subclass. Let's allow instantiating OpenSSL::PKey::PKey with such an
EVP_PKEY, although the resulting instance is not so useful because it
can't be exported at the moment.
|
| |
|
|
|
|
|
|
| |
Restore the old behavior of OpenSSL::SSL::Session#==.
SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the
time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque
structs", 2016-06-05).
|
| |
|
|
|
| |
To avoid symbol conflict that would occur if two versions of OpenSSL are
loaded at the same time.
|
| |
|
|
|
|
|
| |
SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add
alternative macro definition for ancient versions of OpenSSL.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693
|
| | |
|
| |\
| |
| |
| |
| |
| |
| |
| |
| | |
* ruby-trunk r56927..r56953: (3 commits)
(r56953) openssl: import fixes from upstream
(r56948) ossl.c: cast
(r56946) openssl: import v2.0.0
Sync-with-trunk: r56953
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Import the following two commits from upstream:
commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611
Author: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu Dec 1 22:27:03 2016 +0900
pkey: check existence of EVP_PKEY_get0()
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5
Author: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu Dec 1 22:13:22 2016 +0900
test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d
Set the authentication tag before the AAD when decrypting.
Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
OpenSSL 1.0.1d), the authentication tag must be set before any calls of
EVP_CipherUpdate().
They should fix build on CentOS 5 and Ubuntu 12.04 respectively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| |
| |
| |
| |
| |
| | |
* ext/openssl/ossl.c (ossl_pem_passwd_cb): cast to int. it's safe
because len does not exceed int max_len.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |\ \
| | |
| | | |
asn1: handle GENERALIZEDTIME without seconds
|
| | | | |
|
| | |/ |
|
| |\ \
| | |
| | | |
Fix a typo in ossl_engine.c
|
| | |/ |
|
| | |
| |
| |
| |
| |
| | |
Follow-up for 56354a3b9aef that changed sync:to_ruby Rake task to
include History.md in Ruby tree. Since History.md is located directly
under root in this repository, it needs to be renamed.
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* topic/under-gc-stress:
test: run test cases under GC.stress if OSSL_GC_STRESS is specified
test/test_pair: make TestPairM#test_write_nonblock_retry faster
test: call super from each test case's 'setup' method
ssl: prevent encoded NPN advertised protocol list from being GCed
bn: keep reference to temporary OpenSSL::BN object created by GetBNPtr()
|
| | | |
| | |
| | |
| | |
| | | |
This would have caught some of GC issues like one reported at
[ruby/openssl#87].
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Write 4099-bytes blocks instead of 11-bytes blocks to run it faster. The
buffer may be as large as megabytes and it takes too much time to fill
up, especially under GC.stress. I didn't measured but it didn't finish
in an hour.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Just like we already do for 'teardown' method, though we don't have
OpenSSL::TestCase#setup yet. This will be useful when we want to inject
GC.stress = true.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
SSLContext#setup encodes the protocol list set in @npn_protocols into a
String. The String is passed to SSL_CTX_set_next_protos_advertised_cb()
and OpenSSL invokes the callback function with the String. However since
Ruby's GC can't find the reference to the String from the inside of
OpenSSL, it can be free'd before the callback is invoked. So store the
String in an instance variable to prevent this.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
GetBNPtr() accepts both OpenSSL::BN and Ruby integers. In the latter
case, it creates a temporary OpenSSL::BN internally. The OpenSSL::BN
object immediately disappears from the stack and is not protected from
GC.
Fixes: https://github.com/ruby/openssl/issues/87
|
| | |
| |
| |
| |
| | |
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
|
| |/
|
|
|
|
|
|
|
| |
Set the authentication tag before the AAD when decrypting.
Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
OpenSSL 1.0.1d), the authentication tag must be set before any calls of
EVP_CipherUpdate().
|
| | |
|
| |
|
|
| |
sync:to_ruby Rake task now copies History.md to ext/openssl/History.md.
|
| |
|
|
|
|
|
|
| |
Remove the comment added by commit 072d53ecf984 ("ssl: workaround for
new behavior of SSL_read() in OpenSSL >= 1.1.0c"). The breaking change
in OpenSSL 1.1.0c has been reverted in the 1.1.0 branch. However, for
the sake of safety, ensure that we never call rb_sys_fail() with
errno == 0. So there is no change in the actual code.
|
| |\
| |
| |
| |
| |
| |
| |
| | |
* ruby-trunk r56492..r56927: (2 commits)
(r56927) parse.y: ambiguous parentheses
(r56578) openssl/ut_eof.rb: rename TestEOF
Sync-with-trunk: r56927
|
| | |
| |
| |
| |
| |
| |
| | |
* parse.y (parser_yylex): warn ambiguous parentheses after a space
in method definitions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56927 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| |
| |
| |
| |
| |
| | |
* test/openssl/ut_eof.rb (OpenSSL::TestEOF): move TestEOF module
under OpenSSL to get rid of conflict with test/ruby/ut_eof.rb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56578 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).
When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.
So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
|
| |\ \
| | |
| | |
| | |
| | | |
* topic/ssl-make-sslctx-freeze-alias-of-setup:
ssl: make OpenSSL::SSL::SSLContext#freeze an alias of #setup
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
SSLSocket#setup uses the frozen state as "SSL_CTX is already set up".
If an user manually freeze the context, it misunderstands as if #setup
is already called, leading to unexpected behaviors because parameters
the user set won't be actually set to the underlying SSL_CTX and thus
ignored.
Ideally, #setup should go and be replaced with setters. But we don't
do this now because it is not that simple: some of them would produce
new ordering issues, e.g. 'ca_file' property which loads a file into
SSL_CTX::cert_store and 'cert_store' which replaces SSL_CTX::cert_store
would conflict. Fixing this properly would require deprecating 'ca_file'
first.
So, let's take the second best way: make it "just work" instead of
break silently.
Fixes: https://github.com/ruby/openssl/issues/85
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
rb_ary_new_from_args() is called from non-protected callback function
which will be directly called from OpenSSL. It may raise NoMemoryError
and may corrupt the internal state of SSL object. So, avoid creating
Array here and pass raw values to the protected function instead.
The same change has been applied to ALPN/NPN selection callbacks in
3a926047a729 ("ssl: catch exceptions raised in ALPN/NPN callbacks",
2016-08-30).
|
| | |
| |
| |
| |
| |
| |
| |
| | |
We call SSL_shutdown() four times at most meaninglessly. Since the
underlying socket is in non-blocking mode, if the first call failed
because the underlying socket is not write/readable, the subsequent
calls would just fail with the same error. Just call once, and give up
if it fails.
|
| | |
| |
| |
| |
| |
| | |
This prevents users from allocating OpenSSL::Engine instance using
OpenSSL::Engine.allocate. Undef'ing alloc function also allows us to
remove explicit undef of OpenSSL::Engine.new and #initialize_copy.
|
| | |
| |
| |
| |
| | |
Don't blindy assume that the value which can be modified from Ruby code
is always an Array, and just call its #each method.
|
| | |
| |
| |
| |
| |
| | |
Delay allocation of EVP_MD_CTX until #initialize or #initialize_copy is
called. This fixes segfault that can occur if OpenSSL::Digest#name is
called before the actual initialization.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit 4880672a9b41 of OpenSSL[1] (which then was backported to 1.1.0
branch at 122580ef71e4) changed the bahavior of SSL_read(): it now
returns -1 in the case the underlying BIO reaches EOF unexpectedly. This
means, it is possible that rb_sys_fail() is called with errno == 0,
resulting in [BUG].
So, as a workaround, let's distinguish IO error from the underlying BIO
and EOF in violation of SSL/TLS protocol with the value of errno.
[1] https://git.openssl.org/?p=openssl.git;a=commit;h=4880672a9b41a09a0984b55e219f02a2de7ab75e
|
| |\ \
| | |
| | |
| | |
| | | |
* topic/asn1-fix-oob-read-constructed:
asn1: fix out-of-bounds read in decoding constructed objects
|
