| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| |
| |
| | |
* maint-2.1:
Ruby/OpenSSL 2.1.4
Make GitHub Actions happy on 2.1/2.2 branches
ignore pkgconfig when any openssl option is specified
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch. ]
ossl_bn_ctx is C's global variable and it should be ractor-local
to make it ractor-safe.
ruby/ruby@b5588edc0a538de840c79e0bbc9d271ba0c5a711
(cherry picked from commit 9e7cf9e930cb986a04e312cb576814254dff13be and
commit f2db943e8f19d4fa7bf871b9914dd9b92a5fbe6f)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch. ]
Made stored values `Symbol`s instead of `ID`s.
Fixes https://bugs.ruby-lang.org/issues/17625
Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com>
(cherry picked from commit f2d004679a62408a89d7304b229c24e789b94776)
|
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch. ]
(cherry picked from commit 03304838c931d9600617241909974df5ef58d06b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.2 branch. ]
```
find . -name \*.o -exec nm {} + |&
sed '/Init_.*\.rbimpl_id/!d;s/^.* b //;s/\.[1-9][0-9]*$//;s/\.rbimpl_id$//' |
uniq
```
should be empty.
(cherry picked from commit 9e4d4704e65bccd3cedeb9a07c9101f3c2eb02e9)
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.1:
Ruby/OpenSSL 2.1.3
ssl: avoid directly storing String object in NPN callback
x509store: explicitly call rb_gc_mark() against Store/StoreContext
ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects
digest: load digest library using Kernel#require
pkey: use RSTRING_LENINT() instead of casting to int
ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
.github/workflows: update OpenSSL/LibreSSL versions
test: adjust test cases for LibreSSL 3.2.4
ssl: temporary lock string buffer while reading
ssl: create a temporary frozen string buffer when writing
Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL
|
| | |
|
| |\
| | |
| | | |
Fix GC.compact compatibility
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
On the server side, the serialized list of protocols is stored in
SSL_CTX as a String object reference. We utilize a hidden instance
variable to prevent it from being GC'ed, but this is not enough because
it can also be relocated by GC.compact.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
|
| |/
| |
| |
| |
| |
| |
| |
| | |
The digest library is a default gem now, too. Therefore we can't simply
use rb_require() to load it, but we should use Kernel#require instead.
This change is based on the suggestion by David Rodríguez in
https://github.com/ruby/digest/commit/16172612d56ac42f57e5788465791329303ac5d0#commitcomment-57778397
|
| |\
| | |
| | | |
pkey: use RSTRING_LENINT() instead of casting to int
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
RSTRING_LENINT() checks the range of int and raises an exception as
necessary. OpenSSL::PKey::EC#dsa_verify_asn1 currently does not do this,
and giving a too big string to it can trigger a surprising behavior:
ec.dsa_verify_asn1(digest, signature) #=> true
ec.dsa_verify_asn1(digest, signature + "x" * 2**32) #=> true
Reference: https://hackerone.com/reports/1246050
|
| |\ \
| | |/
| |/| |
ssl: prevent string buffers from being modified outside #sys{read,write}
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows
context switches. We must prevent other threads from modifying the
string buffer.
We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily
prohibit modification of the string.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Since a blocking SSLSocket#syswrite call allows context switches while
waiting for the underlying socket to be ready, we must freeze the string
buffer to prevent other threads from modifying it.
Reference: https://github.com/ruby/openssl/issues/452
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.1 branch. ]
* See https://bugs.ruby-lang.org/issues/18025
and https://github.com/ruby/ruby/pull/4629
(cherry picked from commit b8e4852dcc7cd4b954556001b2bfb1d01b802d0a)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Ruby/OpenSSL 2.1.x and 2.2.x will not support OpenSSL 3.0 API. Let's
make extconf.rb explicitly check the version number to be within the
acceptable range, since it will not compile anyway.
Reference: https://bugs.ruby-lang.org/issues/18192
|
| |/
| |
| |
| |
| |
| |
| | |
This is a backport to the 2.1 branch of the following commits:
- a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03)
- a9954bac22ba ("test: adjust test cases for LibreSSL 3.2.4", 2021-02-25)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a combined commit of the following commits by mame and nobu:
- 0d7d8b2989e1 ("ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations", 2019-12-05)
- c3abbc1b2f52 ("ext/openssl/extconf.rb: check with -Werror=deprecated-declarations", 2019-12-05)
-Werror=deprecated-declarations should only be used while checking
available features, and not for compiling the extension itself.
This is a backport to the 2.1 branch from ruby.git. Note that current
master (targeting 3.0) completely removed ext/openssl/deprecation.rb.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): register the static
variable to grab an internal object, before creating the object.
otherwise the just-created object could get collected during the
global variable list allocation. [Bug #16196]
* ext/openssl/ossl_asn1.c (Init_ossl_asn1): prefer
`rb_gc_register_mark_object`, which is better for constant
objects, over `rb_gc_register_address` for global/static
variables which can be re-assigned at runtime. [Bug #16196]
(cherry picked from commit ruby/ruby@203b7fa1ae8cc40d41c38d684f70b3fea7fae813 and
commit ruby/ruby@9c0cd5c569ba22bc68d1a77ad6580a275cd99639)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
to suppress a warning in OpenBSD.
[ This is a backport to the 2.1 branch. ]
```
ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types]
SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
^
1 warning generated.
```
(cherry picked from commit ruby/ruby@06a04a1aa3fbf9132c61f4ced9582c36c96d3f65)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
We can check the function pointer passed to rb_define_module_function
like how we do so in rb_define_method. The difference is that this
changeset reveales lots of atiry mismatches.
(cherry picked from commit ruby/ruby@7b6fde4258e700c0e0292bb091aa84a5e473342e)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
After 5e86b005c0f2ef30df2f9906c7e2f3abefe286a2, I now think ANYARGS is
dangerous and should be extinct. This commit makes rb_iterate free
from ANYARGS.
(cherry picked from commit ruby/ruby@3cae73133cfec7d5ec3f8058ec647d5163578003)
|
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
(cherry picked from commit ruby/ruby@80da68db1e770c877782cdf571d96fd89e7774dd)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
OpenSSL::BN.new(nil, 2) dumped core.
[ruby-core:92231] [Bug #15760]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@82632d4c0c117a7728293ff955e3527487230bc1)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
_REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined
on some architectures
[ This is a backport to the 2.1 branch. ]
* ext/openssl/ossl.h: include errno.h after ruby.h
* include/ruby/io.h: include errno.h after ruby/config.h
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@3385395796127878887bce015431b830fed82c4e)
|
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(cherry picked from commit ruby/ruby@f83b08755dc7775f7cd8fab0a94516c2641e478d)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ This is a backport to the 2.1 branch. ]
[Fix GH-1958]
From: Jun Aruga <jaruga@redhat.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Suppress more -Wparentheses warnings
[Fix GH-1958]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this is a combined patch of r64806-r64808.]
Sync-with-trunk: r64808
(cherry picked from commit 01b23fa8eee2ff9cc4ef5f6fabca6d999e0979c2)
|
|\ \
| | |
| | | |
fix segv in Timestamp::{Request,Response,TokenInfo}.new
|
| | |
| | |
| | |
| | | |
prevent `ossl_ts_*_free()` from calling when `d2i_TS_*_bio()` failed.
|
|/ /
| |
| |
| | |
TS_time_cb on libressl expects an long long/time_t 64 bits long instead.
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.1:
.github/workflows: update Ruby and OpenSSL/LibreSSL versions
bn: check -1 return from BIGNUM functions
.github/workflows: disable pkg-config on Windows tests
ssl: retry write on EPROTOTYPE on macOS
x509store: fix memory leak in X509::StoreContext.new
.github/workflows/test.yml: use GitHub Actions
Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Although the manpage says that BIGNUM functions return 0 on error,
OpenSSL versions before 1.0.2n and current LibreSSL versions may return
-1 instead.
Note that the implementation of OpenSSL::BN#mod_inverse is extracted
from BIGNUM_2c() macro as it didn't really share the same function
signature with others.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write.
However, on macOS, send(2) which is called via SSL_write() can
occasionally return EPROTOTYPE. Retry SSL_write() so that we get a
proper error, just as ext/socket does.
Reference: https://bugs.ruby-lang.org/issues/14713
Reference: https://github.com/ruby/openssl/issues/227
|
| |
| |
| |
| |
| | |
The certificate passed as the second argument was not properly free'd
in the error paths.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.
My comment on #257:
> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdba40c5 was not really
> useful. The issue is described in #305. #309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by #320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is #288, and
> it's still cooking.
This effectively reverts the following commits:
- dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
- 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
|
| |
| |
| |
| |
| |
| | |
It produces "unused variable" warnings in NDEBUG mode
[ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
|
| |
| |
| |
| | |
[ Cherry-picked from ruby.git commit d8720eb7de9c. ]
|
|\ \
| | |
| | | |
Allow specifying the data length for CCM mode
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allow specifying just length to #update
CCM mode ciphers need to specify the total plaintext or ciphertext
length to EVP_CipherUpdate.
Update the link to the tests file
Define Cipher#ccm_data_len= for CCM mode ciphers
Add a unit test for CCM mode
Also check CCM is authenticated when testing
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement OpenSSL::PKey::PKey#oid as a wrapper around EVP_PKEY_id().
This allows user code to check the type of a PKey object.
EVP_PKEY can have a pkey type for which we do not provide a dedicated
subclass. In other words, an EVP_PKEY that is not any of {RSA,DSA,DH,EC}
can exist. It is currently not possible to distinguish such a pkey.
Also, implement PKey#inspect to include the key type for convenience.
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
This is not present in the referenced files anymore, and not useful to most users
|
|/ / |
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|