aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384topic/ssl-remove-TLS_DH_anon_WITH_AES_256_GCM_SHA384Kazuki Yamaguchi2017-02-191-6/+0
| | | | | | | | | | | | | | The constant was initially introduced just to skip test cases that do not work with old versions without AES-GCM cipher suites support (< 1.0.1). However, the value of the constant has been always `false' because the macro TLS_DH_anon_WITH_AES_256_GCM_SHA384 does not exist in any version of OpenSSL. We no longer use it as of commit c9d1659f4027 ("test/utils: remove use_anon_cipher option from SSLTestCase#start_server", 2016-09-06). Let's just remove the constant.
* Merge branch 'maint'Kazuki Yamaguchi2017-01-317-27/+51
|\ | | | | | | | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.3 .travis.yml: test with Ruby 2.4 ruby-openssl-docker: update versions of Ruby and OpenSSL x509: fix OpenSSL::X509::Name#eql? test/envutil: fix assert_raise_with_message buffering: fix typo in doc
| * Ruby/OpenSSL 2.0.3v2.0.3Kazuki Yamaguchi2017-01-312-2/+2
| |
| * .travis.yml: test with Ruby 2.4topic/testing-with-ruby24Kazuki Yamaguchi2017-01-311-7/+8
| |
| * ruby-openssl-docker: update versions of Ruby and OpenSSLKazuki Yamaguchi2017-01-312-19/+27
| | | | | | | | Ruby 2.3.3/2.4.0, OpenSSL 1.0.2k/1.1.0d and LibreSSL 2.3.9/2.4.4.
| * x509: fix OpenSSL::X509::Name#eql?Kazuki Yamaguchi2017-01-282-1/+11
| | | | | | | | | | | | | | | | Commit 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()", 2016-09-08) incorrectly inverted the result. Fix it, and add a test case for this. Fixes: 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()")
| * test/envutil: fix assert_raise_with_messageKazuki Yamaguchi2017-01-241-0/+5
| | | | | | | | Import mu_pp method from Ruby trunk.
| * buffering: fix typo in docKazuki Yamaguchi2017-01-231-2/+2
| |
* | Merge branch 'topic/ssl-certificate-verify-error-desc'Kazuki Yamaguchi2017-01-263-8/+49
|\ \ | | | | | | | | | | | | | | | * topic/ssl-certificate-verify-error-desc: ssl: show reason of 'certificate verify error' in exception message Make exceptions with the same format regardless of OpenSSL.debug
| * | ssl: show reason of 'certificate verify error' in exception messagetopic/ssl-certificate-verify-error-descKazuki Yamaguchi2017-01-242-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 'certificate verify error' is one of the most common errors that can be raised by OpenSSL::SSL::SSLSocket#connect. The certificate verification may fail due to many different issues such as misconfigured trusted certificate store or inaccurate system clock. Unfortunately, since the detail is not put to the queue and is only accessible through OpenSSL::SSL::SSLSocket#verify_result, it is sometimes hard to figure out the real reason. Let's include a human readable reason message in the exception message. Like this: require "socket" require "openssl" ctx = OpenSSL::SSL::SSLContext.new ctx.set_params(cert_store: OpenSSL::X509::Store.new) ssl = OpenSSL::SSL::SSLSocket.new(Socket.tcp("www.ruby-lang.org", 443), ctx) ssl.connect #=> -:7:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError) from -:7:in `<main>'
| * | Make exceptions with the same format regardless of OpenSSL.debugKazuki Yamaguchi2017-01-241-8/+5
| | | | | | | | | | | | | | | As the current behavior is useless. If OpenSSL.debug is set to true, errors put to the error queue will be printed to stderr anyway.
* | | Merge branch 'topic/ssl-move-default-dh-params'Kazuki Yamaguchi2017-01-263-58/+34
|\ \ \ | | | | | | | | | | | | | | | | * topic/ssl-move-default-dh-params: ssl: move default DH parameters from OpenSSL::PKey::DH
| * | | ssl: move default DH parameters from OpenSSL::PKey::DHtopic/ssl-move-default-dh-paramsKazuki Yamaguchi2017-01-243-58/+34
| |/ / | | | | | | | | | They should belong to OpenSSL::SSL rather than OpenSSL::PKey::DH.
* | | Merge branch 'topic/test-memory-leak'Kazuki Yamaguchi2017-01-1727-311/+388
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * topic/test-memory-leak: Enable OSSL_MDEBUG on CI builds Add OpenSSL.print_mem_leaks test: prepare test PKey instances on demand test: let OpenSSL::TestCase include OpenSSL::TestUtils Don't define main() when built with --enable-debug
| * | | Enable OSSL_MDEBUG on CI buildstopic/test-memory-leakKazuki Yamaguchi2017-01-173-7/+6
| | | |
| * | | Add OpenSSL.print_mem_leaksKazuki Yamaguchi2017-01-172-0/+122
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a wrapper method for CRYPTO_mem_leaks_fp(stderr). Calling the method at the end of programs helps debugging memory leak bugs in Ruby/OpenSSL. This is defined only when --enable-debug option is given when building Ruby/OpenSSL, and the OpenSSL version is capable. The test suite recognizes 'OSSL_MDEBUG' environment variable. Set to '1' to enable the memory leak checker. This would prevent creating another memory leak problem at least on the success paths. Note that this may print some false-positives with OpenSSL <= 1.0.2. It was once introduced by f0754f0b2f33 ("test: add test/mdebug extension", 2016-08-06) as a separate native extension, but reverted by 4c1ca7669180 ("Remove test/mdebug", 2016-08-26) because it didn't work on Windows. Let's re-introduce as part of openssl.so.
| * | | test: prepare test PKey instances on demandKazuki Yamaguchi2017-01-1723-261/+259
| | | | | | | | | | | | | | | | | | | | | | | | Preparing for the introduction of the memory leak checker. Do not leave OpenSSL objects in constants that wouldn't be GCed in order to avoid false positives.
| * | | test: let OpenSSL::TestCase include OpenSSL::TestUtilsKazuki Yamaguchi2017-01-166-34/+3
| | | | | | | | | | | | | | | | | | | | OpenSSL::TestPKCS12 is already doing this - let's apply to all test files. This allows removing redundant 'issue_cert' declarations.
| * | | Don't define main() when built with --enable-debugKazuki Yamaguchi2017-01-161-11/+0
| | | | | | | | | | | | | | | | It is unnecessary as we have a test suite that does the job.
* | | | Merge branch 'maint'Kazuki Yamaguchi2017-01-174-4/+17
|\ \ \ \ | | |_|/ | |/| | | | | | | | | | | | | | | | | | * maint: appveyor.yml: update OpenSSL version to 1.0.2j Fix build with static OpenSSL libraries on Windows Fix for ASN1::Constructive 'each' implementation
| * | | appveyor.yml: update OpenSSL version to 1.0.2jKazuki Yamaguchi2017-01-171-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The new RubyInstaller 2.3.3 uses OpenSSL 1.0.2j. This will fix CI build on AppVayor. Note that this is not a future-proof resolution; the future releases of RubyInstaller that AppVayor will use may require another incompatible version of OpenSSL.
| * | | Merge branch 'topic/windows-static-linking-without-pkg-config' into maintKazuki Yamaguchi2017-01-051-0/+6
| |\ \ \ | | | | | | | | | | | | | | | | | | | | * topic/windows-static-linking-without-pkg-config: Fix build with static OpenSSL libraries on Windows
| | * | | Fix build with static OpenSSL libraries on Windowstopic/windows-static-linking-without-pkg-configKazuki Yamaguchi2016-12-301-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL <= 1.0.2 requires gdi32 for RAND_screen(). OpenSSL >= 1.1.0 no longer has RAND_screen() but it now requires crypt32. If pkg-config is usable, they are automatically linked, but if it is not, configuring Ruby/OpenSSL fails. Fixes: https://bugs.ruby-lang.org/issues/13080
| * | | | Merge pull request #96 from CBonnell/masterKazuki Yamaguchi2016-12-302-1/+8
| |\ \ \ \ | | |/ / / | |/| | | Fix for ASN1::Constructive 'each' implementation
| | * | | Fix for ASN1::Constructive 'each' implementationCorey Bonnell2016-12-292-1/+8
| |/ / /
* | | | Merge branch 'topic/bn-updates'Kazuki Yamaguchi2016-12-262-51/+316
|\ \ \ \ | |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Tests for OpenSSL::BN are re-written. OpenSSL::BN now implements unary+ operator, unary- operator and negative? method. * topic/bn-updates: bn: implement OpenSSL::BN#negative? bn: implement unary {plus,minus} operators for OpenSSL::BN bn: refine tests
| * | | bn: implement OpenSSL::BN#negative?topic/bn-updatesKazuki Yamaguchi2016-12-232-0/+22
| | | | | | | | | | | | | | | | | | | | Numeric class implemented #negative? and #positive? in Ruby 2.3. Let's follow that.
| * | | bn: implement unary {plus,minus} operators for OpenSSL::BNKazuki Yamaguchi2016-12-232-0/+41
| | | | | | | | | | | | | | | | | | | | For consistency with Numeric. Not sure why they aren't currently; maybe they were simply forgotten.
| * | | bn: refine testsKazuki Yamaguchi2016-12-231-51/+253
| | |/ | |/| | | | | | | | | | | | | | | | Many methods in OpenSSL::BN are currently untested. Since OpenSSL::BN is mostly simple wrapper of BIGNUM, it would be unnecessary to have detailed test cases, but we should have a basic test case so that we don't mix up BIGNUM functions in the binding layer.
* | | Merge branch 'topic/drop-openssl-098-and-100'Kazuki Yamaguchi2016-12-2249-516/+105
|\ \ \ | |/ / |/| | | | | | | | * topic/drop-openssl-098-and-100: Remove support for OpenSSL 0.9.8 and 1.0.0
| * | Remove support for OpenSSL 0.9.8 and 1.0.0topic/drop-openssl-098-and-100Kazuki Yamaguchi2016-12-2249-516/+105
|/ / | | | | | | | | | | | | | | | | | | They are no longer receiving security updates from the OpenSSL development team since 2015-12. We have kept basic compatibility until now because RHEL 5 still uses an (heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03, thus it is now safe to assume nobody is still using such old versions of OpenSSL.
* / Start preparing for 2.1.0Kazuki Yamaguchi2016-12-213-2/+25
|/
* Ruby/OpenSSL 2.0.2v2.0.2Kazuki Yamaguchi2016-12-212-2/+2
|
* pkey: allow instantiating OpenSSL::PKey::PKey with unsupported key typeKazuki Yamaguchi2016-12-211-5/+10
| | | | | | | | | | Fix 'unsupported key type' error if OpenSSL::SSL::SSLSocket#tmp_key is called when X25519 is used for key exchange. EVP_PKEY may have a key type that we don't have have a dedicated subclass. Let's allow instantiating OpenSSL::PKey::PKey with such an EVP_PKEY, although the resulting instance is not so useful because it can't be exported at the moment.
* ssl: use SSL_SESSION_get_protocol_version()Kazuki Yamaguchi2016-12-213-5/+9
| | | | | | | | Restore the old behavior of OpenSSL::SSL::Session#==. SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque structs", 2016-06-05).
* Rename functions in openssl_missing.cKazuki Yamaguchi2016-12-212-20/+29
| | | | | To avoid symbol conflict that would occur if two versions of OpenSSL are loaded at the same time.
* ssl: check for SSL_CTX_clear_options()Kazuki Yamaguchi2016-12-182-0/+5
| | | | | | | SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add alternative macro definition for ancient versions of OpenSSL. http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693
* Ruby/OpenSSL 2.0.1v2.0.1Kazuki Yamaguchi2016-12-102-2/+2
|
* Merge changes from Ruby trunk r56927..r56953Kazuki Yamaguchi2016-12-101-1/+1
|\ | | | | | | | | | | | | | | | | * ruby-trunk r56927..r56953: (3 commits) (r56953) openssl: import fixes from upstream (r56948) ossl.c: cast (r56946) openssl: import v2.0.0 Sync-with-trunk: r56953
| * openssl: import fixes from upstreamrhe2016-12-103-8/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Import the following two commits from upstream: commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611 Author: Kazuki Yamaguchi <k@rhe.jp> Date: Thu Dec 1 22:27:03 2016 +0900 pkey: check existence of EVP_PKEY_get0() EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define ourselves if needed. commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5 Author: Kazuki Yamaguchi <k@rhe.jp> Date: Thu Dec 1 22:13:22 2016 +0900 test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d Set the authentication tag before the AAD when decrypting. Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in OpenSSL 1.0.1d), the authentication tag must be set before any calls of EVP_CipherUpdate(). They should fix build on CentOS 5 and Ubuntu 12.04 respectively. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| * ossl.c: castnobu2016-12-101-1/+1
| | | | | | | | | | | | | | * ext/openssl/ossl.c (ossl_pem_passwd_cb): cast to int. it's safe because len does not exceed int max_len. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| * openssl: import v2.0.0rhe2016-12-100-0/+0
| | | | | | | | | | | | | | | | | | Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | Merge pull request #88 from yogo1212/generalizedtime_formatKazuki Yamaguchi2016-12-102-3/+17
|\ \ | | | | | | asn1: handle GENERALIZEDTIME without seconds
| * | asn1: more output on error 'bad GENERALIZEDTIME'Leon M. George2016-12-091-1/+2
| | |
| * | asn1: handle GENERALIZEDTIME without secondsLeon M. George2016-12-092-2/+15
| |/
* | Merge pull request #89 from koic/fix_typo_in_ossl_engineKazuki Yamaguchi2016-12-091-1/+1
|\ \ | | | | | | Fix a typo in ossl_engine.c
| * | Fix a typo in ossl_engine.cKoichi ITO2016-12-091-1/+1
| |/
* | tool/sync-with-trunk: rename ext/openssl/History.md properlyKazuki Yamaguchi2016-12-051-0/+1
| | | | | | | | | | | | Follow-up for 56354a3b9aef that changed sync:to_ruby Rake task to include History.md in Ruby tree. Since History.md is located directly under root in this repository, it needs to be renamed.
* | Merge branch 'topic/under-gc-stress' into maintKazuki Yamaguchi2016-12-0519-21/+59
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | * topic/under-gc-stress: test: run test cases under GC.stress if OSSL_GC_STRESS is specified test/test_pair: make TestPairM#test_write_nonblock_retry faster test: call super from each test case's 'setup' method ssl: prevent encoded NPN advertised protocol list from being GCed bn: keep reference to temporary OpenSSL::BN object created by GetBNPtr()
| * | test: run test cases under GC.stress if OSSL_GC_STRESS is specifiedtopic/under-gc-stressKazuki Yamaguchi2016-12-051-0/+9
| | | | | | | | | | | | | | | This would have caught some of GC issues like one reported at [ruby/openssl#87].
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-27 14:24:19 +0000