aboutsummaryrefslogtreecommitdiffstats
path: root/ext/openssl/ossl_ssl.c
Commit message (Collapse)AuthorAgeFilesLines
* Don't redefine #rb_intern over and over againStefan Stüben2021-10-161-34/+32
| | | | | | [ This is a backport to the 2.2 branch. ] (cherry picked from commit 03304838c931d9600617241909974df5ef58d06b)
* Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-10-161-16/+49
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.1: Ruby/OpenSSL 2.1.3 ssl: avoid directly storing String object in NPN callback x509store: explicitly call rb_gc_mark() against Store/StoreContext ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects digest: load digest library using Kernel#require pkey: use RSTRING_LENINT() instead of casting to int ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3 .github/workflows: update OpenSSL/LibreSSL versions test: adjust test cases for LibreSSL 3.2.4 ssl: temporary lock string buffer while reading ssl: create a temporary frozen string buffer when writing Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL
| * ssl: avoid directly storing String object in NPN callbackky/ssl-mark-reverse-referencesKazuki Yamaguchi2021-10-141-2/+2
| | | | | | | | | | | | | | On the server side, the serialized list of protocols is stored in SSL_CTX as a String object reference. We utilize a hidden instance variable to prevent it from being GC'ed, but this is not enough because it can also be relocated by GC.compact.
| * ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objectsKazuki Yamaguchi2021-10-141-2/+17
| | | | | | | | | | | | | | We store the reverse reference to the Ruby object in the OpenSSL struct for use from OpenSSL callback functions. To prevent the Ruby object from being relocated by GC.compact, we must "pin" it by calling rb_gc_mark().
| * Merge pull request #453 from rhenium/ky/ssl-sysread-syswrite-protect-bufferKazuki Yamaguchi2021-09-281-12/+24
| |\ | | | | | | ssl: prevent string buffers from being modified outside #sys{read,write}
| | * ssl: temporary lock string buffer while readingky/ssl-sysread-syswrite-protect-bufferKazuki Yamaguchi2021-09-271-5/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows context switches. We must prevent other threads from modifying the string buffer. We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily prohibit modification of the string.
| | * ssl: create a temporary frozen string buffer when writingKazuki Yamaguchi2021-09-271-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | Since a blocking SSLSocket#syswrite call allows context switches while waiting for the underlying socket to be ready, we must freeze the string buffer to prevent other threads from modifying it. Reference: https://github.com/ruby/openssl/issues/452
| | * Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSLBenoit Daloze2021-09-271-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] * See https://bugs.ruby-lang.org/issues/18025 and https://github.com/ruby/ruby/pull/4629 (cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
| * | test: adjust test cases for LibreSSL 3.2.4Kazuki Yamaguchi2021-09-271-0/+6
| |/ | | | | | | | | | | | | This is a backport to the 2.1 branch of the following commits: - a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) - a9954bac22ba ("test: adjust test cases for LibreSSL 3.2.4", 2021-02-25)
| * ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0Yusuke Endoh2021-09-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | to suppress a warning in OpenBSD. [ This is a backport to the 2.1 branch. ] ``` ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types] SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb); ^~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, ^ 1 warning generated. ``` (cherry picked from commit ruby/ruby@06a04a1aa3fbf9132c61f4ced9582c36c96d3f65)
| * rb_iterate now takes rb_block_call_func_t卜部昌平2021-09-261-1/+1
| | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] After 5e86b005c0f2ef30df2f9906c7e2f3abefe286a2, I now think ANYARGS is dangerous and should be extinct. This commit makes rb_iterate free from ANYARGS. (cherry picked from commit ruby/ruby@3cae73133cfec7d5ec3f8058ec647d5163578003)
| * Add a /* fall through */ commentYusuke Endoh2021-09-261-0/+1
| | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] (cherry picked from commit ruby/ruby@80da68db1e770c877782cdf571d96fd89e7774dd)
| * Remove -Wno-parentheses flag.nobu2021-09-261-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] [Fix GH-1958] From: Jun Aruga <jaruga@redhat.com> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e * expand tabs. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Suppress more -Wparentheses warnings [Fix GH-1958] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e [ky: this is a combined patch of r64806-r64808.] Sync-with-trunk: r64808 (cherry picked from commit 01b23fa8eee2ff9cc4ef5f6fabca6d999e0979c2)
* | Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-02-251-0/+15
|\| | | | | | | | | | | | | | | | | | | | | * maint-2.1: .github/workflows: update Ruby and OpenSSL/LibreSSL versions bn: check -1 return from BIGNUM functions .github/workflows: disable pkg-config on Windows tests ssl: retry write on EPROTOTYPE on macOS x509store: fix memory leak in X509::StoreContext.new .github/workflows/test.yml: use GitHub Actions Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
| * ssl: retry write on EPROTOTYPE on macOSky/ssl-macos-send-eprototypeKazuki Yamaguchi2020-08-121-0/+15
| | | | | | | | | | | | | | | | | | | | Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: https://bugs.ruby-lang.org/issues/14713 Reference: https://github.com/ruby/openssl/issues/227
* | ssl: temporarily remove SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-05-131-16/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
* | Suppress -Wshorten-64-to-32 warningsNobuyoshi Nakada2020-05-131-1/+1
| | | | | | | | [ Cherry-picked from ruby.git commit d8720eb7de9c. ]
* | Merge branch 'maint'Kazuki Yamaguchi2020-03-091-1/+8
|\| | | | | | | | | | | | | | | | | | | * maint: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| * Merge branch 'maint-2.0' into maintKazuki Yamaguchi2020-03-091-14/+41
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.0: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
| | * ssl: set verify error code in the case of verify_hostname failureky/ssl-fix-verify-hostname-set-error-codeKazuki Yamaguchi2020-02-241-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the verify_hostname option is enabled, the hostname verification is done before calling verify_callback provided by the user. The callback should be notified of the hostname verification failure. OpenSSL::X509::StoreContext's error code must be set to an appropriate value rather than OpenSSL::X509::V_OK. If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >= 1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED. Reference: https://github.com/ruby/openssl/issues/244 Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
| | * Remove taint supportJeremy Evans2020-02-241-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.0 branch. ] Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. (cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
| | * Restore compatibility with older versions of Ruby.Samuel Williams2020-02-241-9/+21
| | | | | | | | | | | | | | | | | | | | | [ Originally landed on as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] `RB_PASS_KEYWORDS` is not always available.
| | * Fix keyword argument separation issues in ↵Jeremy Evans2020-02-241-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock [ Originally landed on ruby.git as commit 3959469f240e, then was merged into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to the 2.0 branch. ] It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued.
* | | ssl: suppress test failure with SSLContext#add_certificate_chain_fileKazuki Yamaguchi2020-03-091-3/+7
| | | | | | | | | | | | | | | | | | | | | The feature is currently premature and will be rewritten. However, it is causing test failures on RubyCI. Make it happy for now. Reference: https://github.com/ruby/openssl/issues/334
* | | ssl: avoid declarations after statementsky/ssl-avoid-mixed-declarationsKazuki Yamaguchi2020-02-191-12/+12
| | | | | | | | | | | | | | | | | | We cannot use C99 features yet, as we still support Ruby 2.6 and older. Fixes: debaca25604c ("Adds support for the 'get_finished' and 'get_peer_finished' functions", 2019-06-25)
* | | Revert add_certificate_chain_file changes (#320)Hiroshi SHIBATA2020-02-161-82/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Revert SSLContext#add_certificate_chain_file changes * 0da0dfaf09f549b2b2cd984627b321b7908d1186. * 8d12f0f6ca944212cb8000e689469d7aaa8190d7. * 49f42ad5f82f8b61f51a16e3a6df1ab0d5307d5f. * 5ee295ab8e37c8ffc6eb8c1b7b79ec024f3253e4. * 8b4fa5e336c7544ea677ccee160ec6d221559e10. * 443d13e9b2c127230fde2733959eaa4d41eb355d. * 5d866038920edf2729865653d6dc9309589f089a. * f18559acf97a6f6aaf3d253417eb0100b262cbc6.
* | | Improve string allocation.Samuel Williams2020-02-071-8/+8
| | |
* | | 'finished' messages: expand sizer array to 1-bytesMo Morsi2020-02-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Zero-size arrays not playing nicely with visual studio / mingw, see: https://github.com/ruby/ruby/pull/2693 Also see related discussion pertaining to using NULL pointer here: https://github.com/ruby/openssl/pull/315
* | | fix an incorrect method namethekuwayama2020-01-251-2/+2
| | |
* | | fix comment; Examplethekuwayama2020-01-251-2/+2
| | |
* | | add X509_free and EVP_PKEY_freethekuwayama2020-01-251-7/+19
| | |
* | | check with EVP_PKEY_cmp in advancethekuwayama2020-01-251-2/+33
| | |
* | | modify ossl_sslctx_add_certificate_chain_file() to raise Error and to return ↵thekuwayama2020-01-251-10/+13
| | | | | | | | | | | | | | | | | | self add test_add_certificate_chain_file_multiple_certs
* | | modify test_add_certificate_chain_file to check ssl.peer_cert and ↵thekuwayama2020-01-251-4/+5
| | | | | | | | | | | | ssl.peer_cert_chain
* | | add pkey_path argument to ossl_sslctx_add_certificate_chain_file()thekuwayama2020-01-251-5/+35
| | |
* | | Restore compatibility with older versions of Ruby.Samuel Williams2019-11-271-9/+21
| | | | | | | | | | | | `RB_PASS_KEYWORDS` is not always available.
* | | Pull relevant changes from `ruby/ext/openssl`.Samuel Williams2019-11-271-6/+16
| | | | | | | | | | | | | | | | | | | | | | | | Diff was generated: git diff --output openssl.patch 93bc10272734cbbb9197470ca629cc4ea019f6f0 ext/openssl/*.c ext/openssl/*.h ext/openssl/**/*.rb Appled using `patch -p1 < openssl.patch`.
* | | Update renegotiation_cb docstring to reflect its actual behavior in MRIOleg Pudeyev2019-11-221-7/+5
| | | | | | | | | | | | Closes #256
* | | Remove taint supportJeremy Evans2019-10-201-1/+0
| | | | | | | | | | | | | | | | | | Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions.
* | | Adds support for the 'get_finished' and 'get_peer_finished' functionsMo Morsi2019-10-081-0/+52
| | |
* | | Merge pull request #239 from mkauf/post_handshake_authSamuel Williams2019-06-151-0/+4
|\ \ \ | | | | | | | | Support client certificates with TLS 1.3
| * | | Support client certificates with TLS 1.3Michael Kaufmann2019-01-211-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | Enable post-handshake authentication with OpenSSL 1.1.1 Fixes #237
* | | | Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.Samuel Williams2019-06-131-0/+12
|/ / /
* / / Remove -Wno-parentheses flag.nobu2018-10-181-1/+3
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Fix GH-1958] From: Jun Aruga <jaruga@redhat.com> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e * expand tabs. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Suppress more -Wparentheses warnings [Fix GH-1958] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e [ky: this is a combined patch of r64806-r64808.] Sync-with-trunk: r64808
* | Merge branch 'maint'Kazuki Yamaguchi2017-12-141-4/+0
|\| | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.7 asn1: fix docs ssl: remove unreachable code
| * ssl: remove unreachable codeKazuki Yamaguchi2017-12-081-9/+0
| | | | | | | | GetSSLCTX() never returns NULL.
* | ssl: remove a misleading commentKazuki Yamaguchi2017-11-261-1/+0
| | | | | | | | | | | | | | | | The function ossl_sslctx_session_get_cb(), which is passed to SSL_CTX_sess_set_get_cb(), will never be called on the client-side since it is for the server-side session caching. Reference: https://github.com/ruby/openssl/issues/170
* | Merge branch 'maint'Kazuki Yamaguchi2017-11-251-0/+4
|\| | | | | | | | | | | | | | | | | | | | | * maint: History.md: fix a typo x509cert, x509crl, x509req, ns_spki: check sanity of public key pkey: make pkey_check_public_key() non-static test/test_cipher: fix test_non_aead_cipher_set_auth_data failure cipher: disallow setting AAD for non-AEAD ciphers test/test_ssl_session: skip tests for session_remove_cb appveyor.yml: remove 'openssl version' line
| * test/test_ssl_session: skip tests for session_remove_cbky/skip-session-remove-cb-testsKazuki Yamaguchi2017-10-101-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In OpenSSL < 1.1.0, the session_remove_cb callback is called inside the global lock for CRYPTO_LOCK_SSL_CTX which is shared across the entire process, not just for the specific SSL_CTX object. It is possible that the callback releases GVL while the lock for CRYPTO_LOCK_SSL_CTX is held, causing another thread calling an OpenSSL function that tries to acquire the same lock stuck forever. Add a note about the possible deadlock to the docs for SSLContext#session_remove_cb=, and skip the relevant test cases unless the OSSL_TEST_ALL environment variable is set to 1. A deadlock due to this issue is observed: http://ci.rvm.jp/results/trunk-test@frontier/104428
* | Merge branch 'ky/ssl-add-certificate'Kazuki Yamaguchi2017-11-221-0/+118
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge GitHub Pull Request #167. * ky/ssl-add-certificate: test/test_ssl: fix test_security_level ssl: add SSLContext#add_certificate test/utils: remove a pointless .public_key call in issue_cert test/envutil: port assert_warning from Ruby trunk
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-25 02:46:34 +0000