aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl/ossl_ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* Fix some typos [ci skip]Ryuta Kamizono2021-04-261-1/+1
|
* ssl: use TLS_method() instead of SSLv23_method() for LibreSSLKazuki Yamaguchi2021-04-041-1/+1
| | | | | | | | | LibreSSL 2.2.2 introduced TLS_method(), but with different semantics from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method() enabled all available versions, which included SSL 3.0 in addition. However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now TLS_method() and SSLv23_method() are equivalent.
* ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 onlyKazuki Yamaguchi2021-04-041-5/+6
| | | | | | | SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but it is made no-op and the automatic curve selection cannot be disabled. Wrap it with ifdef to make it clear that it is safe to remove it completely when we drop support for OpenSSL 1.0.2.
* require OpenSSL >= 1.0.2 and LibreSSL >= 3.1Kazuki Yamaguchi2021-04-041-122/+6
| | | | | | | | | | | | | | | | | | | | Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31.
* Merge branch 'maint-2.2'Kazuki Yamaguchi2021-02-251-0/+15
|\ | | | | | | | | | | | | | | | | | | | | * maint-2.2: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| * Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-02-251-0/+15
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.1: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| | * ssl: retry write on EPROTOTYPE on macOSky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227
* | | Don't redefine #rb_intern over and over againStefan Stüben2020-12-141-32/+30
| | |
* | | Enhance TLS 1.3 support on LibreSSL 3.2/3.3Jeremy Evans2020-12-031-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3.
* | | ssl: remove SSL::SSLContext#tmp_ecdh_callbackky/ssl-remove-tmp-ecdh-callbackKazuki Yamaguchi2020-08-131-69/+3
|/ / | | | | | | | | | | | | | | | | | | The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not supported by any non-EOL versions of OpenSSL. The wrapper was initially implemented in Ruby 2.3 and has been deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit warning with rb_warn().
* | ssl: temporarily remove SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-05-131-16/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
* | Suppress -Wshorten-64-to-32 warningsNobuyoshi Nakada2020-05-131-1/+1
| | | | | | | | [ Cherry-picked from ruby.git commit d8720eb7de9c. ]
* | Merge branch 'maint'Kazuki Yamaguchi2020-03-091-1/+8
|\| | | | | | | | | | | | | | | | | | | * maint: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| * Merge branch 'maint-2.0' into maintKazuki Yamaguchi2020-03-091-14/+41
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.0: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| | * ssl: set verify error code in the case of verify_hostname failureky/ssl-fix-verify-hostname-set-error-codeKazuki Yamaguchi2020-02-241-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: https://github.com/ruby/openssl/issues/244 Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| | * Remove taint supportJeremy Evans2020-02-241-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.0 branch. ] Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
| | * Restore compatibility with older versions of Ruby.Samuel Williams2020-02-241-9/+21
| | | | | | | | | | | | | | | | | | | | | [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] `RB_PASS_KEYWORDS` is not always available.
| | * Fix keyword argument separation issues in ↵Jeremy Evans2020-02-241-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.
* | | ssl: suppress test failure with SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-03-091-3/+7
| | | | | | | | | | | | | | | | | | | | | The feature is currently premature and will be rewritten. However, it is causing test failures on RubyCI. Make it happy for now. Reference: https://github.com/ruby/openssl/issues/334
* | | ssl: avoid declarations after statementsky/ssl-avoid-mixed-declarationsKazuki Yamaguchi2020-02-191-12/+12
| | | | | | | | | | | | | | | | | | We cannot use C99 features yet, as we still support Ruby 2.6 and older. Fixes: debaca25604c ("Adds support for the 'get_finished' and 'get_peer_finished' functions", 2019-06-25)
* | | Revert add_certificate_chain_file changes (#320)Hiroshi SHIBATA2020-02-161-82/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Revert SSLContext#add_certificate_chain_file changes * 0da0dfaf09f549b2b2cd984627b321b7908d1186. * 8d12f0f6ca944212cb8000e689469d7aaa8190d7. * 49f42ad5f82f8b61f51a16e3a6df1ab0d5307d5f. * 5ee295ab8e37c8ffc6eb8c1b7b79ec024f3253e4. * 8b4fa5e336c7544ea677ccee160ec6d221559e10. * 443d13e9b2c127230fde2733959eaa4d41eb355d. * 5d866038920edf2729865653d6dc9309589f089a. * f18559acf97a6f6aaf3d253417eb0100b262cbc6.
* | | Improve string allocation.Samuel Williams2020-02-071-8/+8
| | |
* | | 'finished' messages: expand sizer array to 1-bytesMo Morsi2020-02-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Zero-size arrays not playing nicely with visual studio / mingw, see: https://github.com/ruby/ruby/pull/2693 Also see related discussion pertaining to using NULL pointer here: https://github.com/ruby/openssl/pull/315
* | | fix an incorrect method namethekuwayama2020-01-251-2/+2
| | |
* | | fix comment; Examplethekuwayama2020-01-251-2/+2
| | |
* | | add X509_free and EVP_PKEY_freethekuwayama2020-01-251-7/+19
| | |
* | | check with EVP_PKEY_cmp in advancethekuwayama2020-01-251-2/+33
| | |
* | | modify ossl_sslctx_add_certificate_chain_file() to raise Error and to return ↵thekuwayama2020-01-251-10/+13
| | | | | | | | | | | | | | | | | | self add test_add_certificate_chain_file_multiple_certs
* | | modify test_add_certificate_chain_file to check ssl.peer_cert and ↵thekuwayama2020-01-251-4/+5
| | | | | | | | | | | | ssl.peer_cert_chain
* | | add pkey_path argument to ossl_sslctx_add_certificate_chain_file()thekuwayama2020-01-251-5/+35
| | |
* | | Restore compatibility with older versions of Ruby.Samuel Williams2019-11-271-9/+21
| | | | | | | | | | | | `RB_PASS_KEYWORDS` is not always available.
* | | Pull relevant changes from `ruby/ext/openssl`.Samuel Williams2019-11-271-6/+16
| | | | | | | | | | | | | | | | | | | | | | | | Diff was generated: git diff --output openssl.patch 93bc10272734cbbb9197470ca629cc4ea019f6f0 ext/openssl/*.c ext/openssl/*.h ext/openssl/**/*.rb Appled using `patch -p1 < openssl.patch`.
* | | Update renegotiation_cb docstring to reflect its actual behavior in MRIOleg Pudeyev2019-11-221-7/+5
| | | | | | | | | | | | Closes #256
* | | Remove taint supportJeremy Evans2019-10-201-1/+0
| | | | | | | | | | | | | | | | | | Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions.
* | | Adds support for the 'get_finished' and 'get_peer_finished' functionsMo Morsi2019-10-081-0/+52
| | |
* | | Merge pull request #239 from mkauf/post_handshake_authSamuel Williams2019-06-151-0/+4
|\ \ \ | | | | | | | | Support client certificates with TLS 1.3
| * | | Support client certificates with TLS 1.3Michael Kaufmann2019-01-211-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | Enable post-handshake authentication with OpenSSL 1.1.1 Fixes #237
* | | | Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.Samuel Williams2019-06-131-0/+12
|/ / /
* / / Remove -Wno-parentheses flag.nobu2018-10-181-1/+3
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Fix GH-1958] From: Jun Aruga <jaruga@redhat.com> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e * expand tabs. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Suppress more -Wparentheses warnings [Fix GH-1958] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e [ky: this is a combined patch of r64806-r64808.] Sync-with-trunk: r64808
* | Merge branch 'maint'Kazuki Yamaguchi2017-12-141-4/+0
|\| | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.7 asn1: fix docs ssl: remove unreachable code
| * ssl: remove unreachable codeKazuki Yamaguchi2017-12-081-9/+0
| | | | | | | | GetSSLCTX() never returns NULL.
* | ssl: remove a misleading commentKazuki Yamaguchi2017-11-261-1/+0
| | | | | | | | | | | | | | | | The function ossl_sslctx_session_get_cb(), which is passed to SSL_CTX_sess_set_get_cb(), will never be called on the client-side since it is for the server-side session caching. Reference: https://github.com/ruby/openssl/issues/170
* | Merge branch 'maint'Kazuki Yamaguchi2017-11-251-0/+4
|\| | | | | | | | | | | | | | | | | | | | | * maint: History.md: fix a typo x509cert, x509crl, x509req, ns_spki: check sanity of public key pkey: make pkey_check_public_key() non-static test/test_cipher: fix test_non_aead_cipher_set_auth_data failure cipher: disallow setting AAD for non-AEAD ciphers test/test_ssl_session: skip tests for session_remove_cb appveyor.yml: remove 'openssl version' line
| * test/test_ssl_session: skip tests for session_remove_cbky/skip-session-remove-cb-testsKazuki Yamaguchi2017-10-101-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In OpenSSL < 1.1.0, the session_remove_cb callback is called inside the global lock for CRYPTO_LOCK_SSL_CTX which is shared across the entire process, not just for the specific SSL_CTX object. It is possible that the callback releases GVL while the lock for CRYPTO_LOCK_SSL_CTX is held, causing another thread calling an OpenSSL function that tries to acquire the same lock stuck forever. Add a note about the possible deadlock to the docs for SSLContext#session_remove_cb=, and skip the relevant test cases unless the OSSL_TEST_ALL environment variable is set to 1. A deadlock due to this issue is observed: http://ci.rvm.jp/results/trunk-test@frontier/104428
* | Merge branch 'ky/ssl-add-certificate'Kazuki Yamaguchi2017-11-221-0/+118
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge GitHub Pull Request #167. * ky/ssl-add-certificate: test/test_ssl: fix test_security_level ssl: add SSLContext#add_certificate test/utils: remove a pointless .public_key call in issue_cert test/envutil: port assert_warning from Ruby trunk
| * | ssl: add SSLContext#add_certificateKazuki Yamaguchi2017-11-221-0/+118
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new method to add a certificate, a corresponding private key, and extra CA certificates at once. This has two advantages over the existing {cert,key,extra_cert_chain} attributes: 1. We can notice the problem with the certificate and/or the private key. Since the existing attributes are simple instance variables, they aren't set to the SSL_CTX until #setup which usually happens on the first connection. 2. For the same reason, existing attributes allowed only one certificate for a context, even though OpenSSL itself is capable of handling multiple certificates and selecting the most appropriate one according to the cipher suite selected. The documentation for the existing attributes are updated to recommend using #add_certificate.
* | | Fix build failure against OpenSSL 1.1 built with no-deprecatedMark Wright2017-11-041-1/+1
| | | | | | | | | | | | Thanks rhenium for the code review and fixes.
* | | TLS Fallback Signaling Cipher Suite Valueaeris2017-11-031-0/+23
| | | | | | | | | | | | | | | | | | | | | Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507). Expected behaviour is to refuse connection if the client signals a protocol with the fallback flag but the server supports a better one (downgrade attack detection).
* | | ssl: extract rb_intern("call")Kazuki Yamaguchi2017-10-161-10/+11
|/ /
* | Merge branch 'maint'Kazuki Yamaguchi2017-09-241-9/+13
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.6 test/test_engine: check if RC4 is supported test/test_engine: suppress stderr ossl.c: make legacy locking callbacks reentrant ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks ssl: prevent SSLSocket#sysread* from leaking uninitialized data test/test_pair: replace sleep with IO.select tool/ruby-openssl-docker: update test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1 test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1 test/test_pair: disable compression test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel ruby.h: unnormalized Fixnum value test/test_pair: fix test_write_nonblock{,_no_exceptions}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-28 14:13:08 +0000