Ruby core uses _str_ for emphasizing argument names and +str+ for code.
Match with the rule for better rendering.

https://github.com/ruby/ruby/pull/1527#issuecomment-281867551
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57694 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Update docs to reflect EOF behavior change of read_nonblock and
write_nonblock when using `exception: false`.
[Fix GH-1527]
Author: Russell Davis <russell-stripe@users.noreply.github.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57690 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

* topic/ssl-fixup-ex_data-handling:
ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
ssl: do not confuse different ex_data index registries

It is impossible that they don't.

Register necessary indices for these two independently. Similar to
r55074 (76e933a5a517, "openssl: register ex_data index for
X509_STORE{_CTX,} respectively", 2016-05-19), we can't blindly use the
same ex_data index number for SSL and SSL_CTX.

The constant was initially introduced just to skip test cases that do
not work with old versions without AES-GCM cipher suites support
(< 1.0.1).
However, the value of the constant has always been `false' because the
macro TLS_DH_anon_WITH_AES_256_GCM_SHA384 does not exist in any version
of OpenSSL.
We no longer use it as of commit c9d1659f4027 ("test/utils: remove
use_anon_cipher option from SSLTestCase#start_server", 2016-09-06).
Let's just remove the constant.

* maint:
Ruby/OpenSSL 2.0.3
.travis.yml: test with Ruby 2.4
ruby-openssl-docker: update versions of Ruby and OpenSSL
x509: fix OpenSSL::X509::Name#eql?
test/envutil: fix assert_raise_with_message
buffering: fix typo in doc

Commit 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()",
2016-09-08) incorrectly inverted the result. Fix it, and add a test
case for this.
Fixes: 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()")

* topic/ssl-certificate-verify-error-desc:
ssl: show reason of 'certificate verify error' in exception message
Make exceptions with the same format regardless of OpenSSL.debug

The 'certificate verify error' is one of the most common errors that can
be raised by OpenSSL::SSL::SSLSocket#connect. The certificate
verification may fail due to many different issues such as misconfigured
trusted certificate store or inaccurate system clock.
Unfortunately, since the detail is not put to the queue and is only
accessible through OpenSSL::SSL::SSLSocket#verify_result, it is
sometimes hard to figure out the real reason. Let's include a human
readable reason message in the exception message. Like this:
require "socket"
require "openssl"
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(cert_store: OpenSSL::X509::Store.new)
ssl = OpenSSL::SSL::SSLSocket.new(Socket.tcp("www.ruby-lang.org", 443), ctx)
ssl.connect
#=>
-:7:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
from -:7:in `<main>'
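To reproduce the failure this message describes without reaching out to www.ruby-lang.org, here is an added example (not code from the commit or from ruby/openssl) that runs a loopback TLS handshake over a UNIX socket pair against a constructed self-signed certificate, with the client using an empty trust store. It returns both the exception message and the raw SSLSocket#verify_result code, i.e. the two places the reason is available. The helper names build_self_signed_cert and diagnose_failed_handshake are this example's own, and the certificate is test data generated on the fly.

```ruby
require "socket"
require "openssl"

# Constructed self-signed certificate for the server side (example data, not
# anything from the commit). RSA 2048 keeps generation fast enough for a demo.
def build_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.issuer = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Performs the handshake and returns a Hash describing the outcome. On failure
# it carries the exception message (which, after this commit, already names
# the reason) and the numeric verify_result that the reason is derived from.
def diagnose_failed_handshake
  cert, key = build_self_signed_cert

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key

  client_ctx = OpenSSL::SSL::SSLContext.new
  # Empty store: no issuer can be found, so VERIFY_PEER must reject the cert.
  client_ctx.set_params(cert_store: OpenSSL::X509::Store.new)

  # No network involved: both ends live in this process.
  server_io, client_io = Socket.pair(:UNIX, :STREAM)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    begin
      ssl.accept
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # The client aborts the handshake with an alert; nothing more to do here.
    ensure
      server_io.close
    end
  end

  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  begin
    ssl.connect
    { ok: true }
  rescue OpenSSL::SSL::SSLError => e
    code = ssl.verify_result
    {
      ok: false,
      message: e.message,
      verify_result: code,
      self_signed: code == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    }
  ensure
    client_io.close
    server.join
  end
end

if $PROGRAM_NAME == __FILE__
  result = diagnose_failed_handshake
  puts result[:message]
  puts "verify_result=#{result[:verify_result]} self_signed=#{result[:self_signed]}"
end
```

With the empty store the client raises OpenSSL::SSL::SSLError whose message contains "certificate verify failed", and verify_result is V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; a misconfigured trust store on a real client shows up the same way, which is why having the reason in the message itself saves a round trip through #verify_result when triaging connection failures.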
As the current behavior is useless. If OpenSSL.debug is set to true,
errors put to the error queue will be printed to stderr anyway.

* topic/test-memory-leak:
Enable OSSL_MDEBUG on CI builds
Add OpenSSL.print_mem_leaks
test: prepare test PKey instances on demand
test: let OpenSSL::TestCase include OpenSSL::TestUtils
Don't define main() when built with --enable-debug

Add a wrapper method for CRYPTO_mem_leaks_fp(stderr). Calling the method
at the end of programs helps with debugging memory leak bugs in Ruby/OpenSSL.
This is defined only when --enable-debug option is given when building
Ruby/OpenSSL, and the OpenSSL version is capable.
The test suite recognizes 'OSSL_MDEBUG' environment variable. Set to '1'
to enable the memory leak checker. This would prevent creating another
memory leak problem at least on the success paths. Note that this may
print some false-positives with OpenSSL <= 1.0.2.
It was once introduced by f0754f0b2f33 ("test: add test/mdebug
extension", 2016-08-06) as a separate native extension, but reverted by
4c1ca7669180 ("Remove test/mdebug", 2016-08-26) because it didn't work
on Windows. Let's re-introduce it as part of openssl.so.

It is unnecessary as we have a test suite that does the job.

* maint:
appveyor.yml: update OpenSSL version to 1.0.2j
Fix build with static OpenSSL libraries on Windows
Fix for ASN1::Constructive 'each' implementation

* topic/windows-static-linking-without-pkg-config:
Fix build with static OpenSSL libraries on Windows

OpenSSL <= 1.0.2 requires gdi32 for RAND_screen(). OpenSSL >= 1.1.0 no
longer has RAND_screen() but it now requires crypt32. If pkg-config is
usable, they are automatically linked, but if it is not, configuring
Ruby/OpenSSL fails.
Fixes: https://bugs.ruby-lang.org/issues/13080

Tests for OpenSSL::BN are re-written. OpenSSL::BN now implements unary+
operator, unary- operator and negative? method.
* topic/bn-updates:
bn: implement OpenSSL::BN#negative?
bn: implement unary {plus,minus} operators for OpenSSL::BN
bn: refine tests

Numeric class implemented #negative? and #positive? in Ruby 2.3. Let's
follow that.

For consistency with Numeric. Not sure why they aren't currently; maybe
they were simply forgotten.

They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses a
(heavily modified) OpenSSL 0.9.8e. RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.

Fix 'unsupported key type' error if OpenSSL::SSL::SSLSocket#tmp_key is
called when X25519 is used for key exchange.
EVP_PKEY may have a key type for which we don't have a dedicated
subclass. Let's allow instantiating OpenSSL::PKey::PKey with such an
EVP_PKEY, although the resulting instance is not so useful because it
can't be exported at the moment.

Restore the old behavior of OpenSSL::SSL::Session#==.
SSL_SESSION_get_protocol_version() was missing in OpenSSL master at the
time r55287 (cad3226a06a1, "openssl: adapt to OpenSSL 1.1.0 opaque
structs", 2016-06-05).

To avoid symbol conflict that would occur if two versions of OpenSSL are
loaded at the same time.

SSL_CTX_clear_options() first appeared in OpenSSL 0.9.8m. Add
alternative macro definition for ancient versions of OpenSSL.
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/78693

* ruby-trunk r56927..r56953: (3 commits)
(r56953) openssl: import fixes from upstream
(r56948) ossl.c: cast
(r56946) openssl: import v2.0.0
Sync-with-trunk: r56953

Import the following two commits from upstream:
commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611
Author: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu Dec 1 22:27:03 2016 +0900
pkey: check existence of EVP_PKEY_get0()
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5
Author: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu Dec 1 22:13:22 2016 +0900
test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d
Set the authentication tag before the AAD when decrypting.
Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
OpenSSL 1.0.1d), the authentication tag must be set before any calls of
EVP_CipherUpdate().
They should fix build on CentOS 5 and Ubuntu 12.04 respectively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

* ext/openssl/ossl.c (ossl_pem_passwd_cb): cast to int. It's safe
because len does not exceed int max_len.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

asn1: handle GENERALIZEDTIME without seconds

Fix a typo in ossl_engine.c

SSLContext#setup encodes the protocol list set in @npn_protocols into a
String. The String is passed to SSL_CTX_set_next_protos_advertised_cb()
and OpenSSL invokes the callback function with the String. However, since
Ruby's GC can't find the reference to the String from inside
OpenSSL, it can be freed before the callback is invoked. So store the
String in an instance variable to prevent this.

GetBNPtr() accepts both OpenSSL::BN and Ruby integers. In the latter
case, it creates a temporary OpenSSL::BN internally. The OpenSSL::BN
object immediately disappears from the stack and is not protected from
GC.
Fixes: https://github.com/ruby/openssl/issues/87

EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.

Remove the comment added by commit 072d53ecf984 ("ssl: workaround for
new behavior of SSL_read() in OpenSSL >= 1.1.0c"). The breaking change
in OpenSSL 1.1.0c has been reverted in the 1.1.0 branch. However, for
the sake of safety, ensure that we never call rb_sys_fail() with
errno == 0. So there is no change in the actual code.

SSLSocket#setup uses the frozen state as "SSL_CTX is already set up".
If a user manually freezes the context, it is misinterpreted as if #setup
had already been called, leading to unexpected behaviors because parameters
the user set won't actually be set on the underlying SSL_CTX and are thus
ignored.
Ideally, #setup should go and be replaced with setters. But we don't
do this now because it is not that simple: some of them would produce
new ordering issues, e.g. 'ca_file' property which loads a file into
SSL_CTX::cert_store and 'cert_store' which replaces SSL_CTX::cert_store
would conflict. Fixing this properly would require deprecating 'ca_file'
first.
So, let's take the second best way: make it "just work" instead of
breaking silently.
Fixes: https://github.com/ruby/openssl/issues/85

rb_ary_new_from_args() is called from a non-protected callback function
which will be directly called from OpenSSL. It may raise NoMemoryError
and may corrupt the internal state of SSL object. So, avoid creating
Array here and pass raw values to the protected function instead.
The same change has been applied to ALPN/NPN selection callbacks in
3a926047a729 ("ssl: catch exceptions raised in ALPN/NPN callbacks",
2016-08-30).

We call SSL_shutdown() four times at most meaninglessly. Since the
underlying socket is in non-blocking mode, if the first call failed
because the underlying socket is not write/readable, the subsequent
calls would just fail with the same error. Just call once, and give up
if it fails.

This prevents users from allocating an OpenSSL::Engine instance using
OpenSSL::Engine.allocate. Undef'ing alloc function also allows us to
remove explicit undef of OpenSSL::Engine.new and #initialize_copy.

Don't blindly assume that the value which can be modified from Ruby code
is always an Array, and just call its #each method.