path: root/lib
Commit message (Author, Age, Files, Lines)
* Merge branch 'topic/kdf-module' (Kazuki Yamaguchi, 2017-03-23, 2 files, -0/+23)
    scrypt support is added.

    * topic/kdf-module:
      kdf: add scrypt
      ossl.h: add NUM2UINT64T() macro
      kdf: introduce OpenSSL::KDF module
| * kdf: introduce OpenSSL::KDF module (Kazuki Yamaguchi, 2017-03-23, 2 files, -0/+23)
    Introduce a new OpenSSL::KDF module as a namespace for to-be-added KDFs. This makes it easier to add new KDFs in future. We already have a stand-alone KDF, OpenSSL::PKCS5.pbkdf2_hmac. This is migrated to the new namespace. The backwards compatibility is retained by the method defined in the newly added lib/openssl/pkcs5.rb.
* | Fix RDoc markup [topic/fix-rdoc-markup] (Kazuki Yamaguchi, 2017-02-24, 4 files, -36/+37)
    Ruby core uses _str_ for emphasizing argument names and +str+ for codes. Match with the rule for better rendering.
* | Revert r57690 except for read_nonblock (nobu, 2017-02-24, 1 file, -2/+1)
    https://github.com/ruby/ruby/pull/1527#issuecomment-281867551

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57694 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | [DOC] mark up literals (nobu, 2017-02-24, 1 file, -4/+4)
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | [DOC] keyword argument _exception_ (nobu, 2017-02-24, 1 file, -2/+2)
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | [DOC] {read,write}_nonblock with exception: false (nobu, 2017-02-24, 1 file, -2/+4)
    Update docs to reflect EOF behavior change of read_nonblock and write_nonblock when using `exception: false`. [Fix GH-1527]

    Author: Russell Davis <russell-stripe@users.noreply.github.com>

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57690 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | Fix rdoc for core Integer class (Marcus Stollsteimer, 2017-02-18, 1 file, -1/+2)
    Prevent a comment in bn.rb from showing up in the documentation for the core Integer class.
* | Merge branch 'maint' (Kazuki Yamaguchi, 2017-01-31, 1 file, -2/+2)
    * maint:
      Ruby/OpenSSL 2.0.3
      .travis.yml: test with Ruby 2.4
      ruby-openssl-docker: update versions of Ruby and OpenSSL
      x509: fix OpenSSL::X509::Name#eql?
      test/envutil: fix assert_raise_with_message
      buffering: fix typo in doc
| * buffering: fix typo in doc (Kazuki Yamaguchi, 2017-01-23, 1 file, -2/+2)
* | Merge branch 'topic/ssl-move-default-dh-params' (Kazuki Yamaguchi, 2017-01-26, 2 files, -42/+34)
    * topic/ssl-move-default-dh-params:
      ssl: move default DH parameters from OpenSSL::PKey::DH
| * | ssl: move default DH parameters from OpenSSL::PKey::DH [topic/ssl-move-default-dh-params] (Kazuki Yamaguchi, 2017-01-24, 2 files, -42/+34)
    They should belong to OpenSSL::SSL rather than OpenSSL::PKey::DH.
* / Remove support for OpenSSL 0.9.8 and 1.0.0 [topic/drop-openssl-098-and-100] (Kazuki Yamaguchi, 2016-12-22, 2 files, -9/+4)
    They are no longer receiving security updates from the OpenSSL development team since 2015-12. We have kept basic compatibility until now because RHEL 5 still uses a (heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03, thus it is now safe to assume nobody is still using such old versions of OpenSSL.
* parse.y: ambiguous parentheses (nobu, 2016-11-30, 1 file, -1/+1)
    * parse.y (parser_yylex): warn ambiguous parentheses after a space in method definitions.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56927 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* openssl: document `exception: false' for *_nonblock (Eric Wong, 2016-10-24, 1 file, -0/+8)
    * lib/openssl/buffering.rb (read_nonblock, write_nonblock): document `exception: false' [ruby-core:73882] [Feature #12085]
* ssl: fix comments so that RDoc can find SSLContext#servername_cb (Kazuki Yamaguchi, 2016-09-09, 1 file, -12/+8)
* ssl: eliminate SSLContext::INIT_VARS [topic/ssl-eliminate-init-vars] (Kazuki Yamaguchi, 2016-09-02, 1 file, -14/+2)
    Use rb_attr_get() instead of rb_iv_get() so that we can remove SSLContext::INIT_VARS. SSLContext::INIT_VARS contains the names of the instance variables used in SSLContext. SSLContext#initialize sets nil for those variables. It is necessary to suppress "instance variable @foo not initialized" warnings emitted by rb_iv_get(). The warnings can be avoided by using rb_attr_get() that does not check the existence of the variable. So use it.
* pkey: fixup document (Kazuki Yamaguchi, 2016-08-22, 1 file, -0/+3)
* cipher: fixup documentation (Kazuki Yamaguchi, 2016-08-22, 1 file, -6/+14)
* ssl: fixup documentation (Kazuki Yamaguchi, 2016-08-22, 1 file, -6/+20)
* ssl: conditionally set explicit cipher suite list [topic/ssl-contiditional-explicit-ciphersuites] (Kazuki Yamaguchi, 2016-08-14, 1 file, -32/+38)
    Don't set in SSLContext#set_params when built with OpenSSL 1.1.0 or newer.

    The list was added as a workaround to exclude known weak cipher suites ([Bug #9424]). In OpenSSL <= 1.0.2, the default list (DEFAULT) included even cipher suites using MD5. Now, OpenSSL 1.1.0 has better DEFAULT. So make SSLContext#set_params just use it.

    Here is the diff between our current explicit list and DEFAULT of OpenSSL 1.1.0-pre6 (with sorted):

      $ list_ruby=$(openssl ciphers -v $(ruby -ropenssl -e'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]') | sort)
      $ list_default=$(openssl ciphers -v 'DEAFULT:!PSK:!SRP' | sort)
      $ diff <(echo "$list_ruby") <(echo "$list_default")
      7,12c7
      < DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
      < DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
      < DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
      < DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
      < DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
      < DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
      ---
      > DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
      18a14,15
      > DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
      > DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
      24a22,23
      > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
      > ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
      30a30,31
      > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
      > ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
* Merge branch 'topic/ssl-verify-hostname' (Kazuki Yamaguchi, 2016-07-28, 1 file, -3/+8)
    * topic/ssl-verify-hostname:
      ssl: add verify_hostname option to SSLContext
      test/test_ssl: avoid SSLContext#set_params where not required
      Refactor common verify callback code
| * ssl: add verify_hostname option to SSLContext [topic/ssl-verify-hostname] (Kazuki Yamaguchi, 2016-07-23, 1 file, -3/+8)
    If a client sets this to true and enables SNI with SSLSocket#hostname=, the hostname verification on the server certificate is performed automatically during the handshake using OpenSSL::SSL.verify_certificate_identity(). Currently a user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. This commit also enables the option in SSLContext::DEFAULT_PARAMS. Applications using SSLContext#set_params may be affected by this. [GH ruby/openssl#8]
* | cipher: use lower-case cipher name in OpenSSL::Cipher::*.new [topic/cipher-fixes] (Kazuki Yamaguchi, 2016-07-24, 1 file, -5/+3)
    AES-GCM ciphers don't have upper-case sn.
* Deprecate constant OpenSSL::Digest::Digest and OpenSSL::Cipher::Cipher (Kazuki Yamaguchi, 2016-07-09, 2 files, -13/+9)
    Mark OpenSSL::{Digest::Digest,Cipher::Cipher} as deprecated using Module#deprecate_constant. They have been deprecated for years in the documentation.
* Merge branch 'topic/doc-ssl-sync-close' (Kazuki Yamaguchi, 2016-07-09, 1 file, -0/+4)
    * topic/doc-ssl-sync-close:
      Document OpenSSL::SSL::SSLSocket#sync_close
| * Document OpenSSL::SSL::SSLSocket#sync_close [topic/doc-ssl-sync-close] (Kazuki Yamaguchi, 2016-07-09, 1 file, -0/+4)
    Add rdoc for OpenSSL::SSL::SSLSocket#sync_close, and mention it in the example code in the rdoc for OpenSSL namespace. [GH ruby/openssl#11]
* | Merge pull request #50 from jsyeo/jsyeo-remove-rc4 (Kazuki Yamaguchi, 2016-07-05, 1 file, -3/+0)
    RC4 has insecure biases and both clients and servers should not be using it.
| * Remove RC4 cipher suites from SSLContext::DEFAULT_PARAMS (Jason Yeo, 2016-07-04, 1 file, -3/+0)
    This commit removes insecure RC4 cipher suites [1] from being used by default. If needed, users can still specify the usage of it by specifying it explicitly.

    [1]: https://tools.ietf.org/html/rfc7465
* | openssl: adjust tests for OpenSSL 1.1.0 (rhe, 2016-06-09, 1 file, -1/+4)
    This fixes `make test-all TESTS=openssl` with OpenSSL master.

    * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324]

    * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session(). https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75

    * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing.

    * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites.

    * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.

    * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743

    * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup.

    * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.

    * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: move SSLSocket#initialize to C extension (rhe, 2016-05-31, 1 file, -35/+6)
    * ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it. Currently this is delayed until ossl_ssl_setup(), which is called from SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an illegal value. We expect an exception to be raised in #hostname= but actually we get it in the later SSLSocket#connect. Because the SSL is not ready at #hostname=, the actual call of SSL_set_tlsext_host_name() is also delayed. This also fixes: [ruby-dev:49376] [Bug #11724]

    * ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same as the Ruby version but this instantiate the SSL object at the same time.
      (ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to the SSL.
      (ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not yet set by SSL_set_fd().
      (ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL exists.
      (ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the SSL is already instantiated in #initialize.
      (ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal, ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert, ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain, ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state, ossl_ssl_pending, ossl_ssl_session_reused, ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list, ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
      (Init_ossl_ssl): Add method declarations of SSLSocket#{initialize, hostname=}.

    * ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It should not be NULL because we now set it in #initialize.

    * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need to check if the SSL is NULL.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: drop OpenSSL 0.9.6/0.9.7 support (rhe, 2016-05-31, 1 file, -6/+3)
    * ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: fix possible SEGV on race between SSLSocket#stop and #connect (rhe, 2016-05-31, 1 file, -1/+4)
    * ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct here. Since some methods such as SSLSocket#connect releases GVL, there is a chance of use after free if we free the SSL from another thread. SSLSocket#stop was documented as "prepares it for another connection" so this is a slightly incompatible change. However when this sentence was added (r30090, Add toplevel documentation for OpenSSL, 2010-12-06), it didn't actually. The current behavior is from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15). [ruby-core:74978] [Bug #12292]

    * ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.

    * test/openssl/test_ssl.rb: Test this.

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: remove impossible EOFError raise in OpenSSL::Buffering (rhe, 2016-05-31, 1 file, -2/+0)
    * ext/openssl/lib/openssl/buffering.rb (read_nonblock, readpartial): Remove impossible EOFError raise. Patch by Zach Anker <zanker@squareup.com>. [GH ruby/openssl#23]

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* support 2048 bit length DH-key (SHIBATA Hiroshi, 2016-01-15, 1 file, -0/+12)
* Remove 512-bit DH group (Tony Arcieri, 2016-01-07, 1 file, -8/+0)
    512-bit DH keys are severely weak and have been implicated in recent attacks: https://weakdh.org/
* sync code from upstream (SHIBATA Hiroshi, 2015-12-30, 9 files, -1/+10)
* Merge trunk upstream (Zachary Scott, 2015-11-13, 1 file, -3/+3)
* Revert "Prefer TLS v1.2 to follow "secure defaults" and disable TLS v1.0 and v1.1" (Zachary Scott, 2015-10-13, 1 file, -2/+1)
    This reverts commit a504359950f86f96ef2477920b56027f5b7f4fb2.
* Prefer TLS v1.2 to follow "secure defaults" and disable TLS v1.0 and v1.1 (Zachary Scott, 2015-10-08, 1 file, -1/+2)
    See ruby/ruby#873.
* Sync with ruby trunk (Zachary Scott, 2015-09-23, 8 files, -56/+164)
* Apply ruby/ruby@325a50fc572516a171d640765d6ddf9b20be14dc to fix typos (Zachary Scott, 2015-05-04, 8 files, -8/+8)
    See also r50351 from ruby/ruby#876
* Stricter hostname verification following RFC 6125. (Tony Arcieri, 2015-04-09, 1 file, -4/+58)
    Thanks to @nahi for the tests and initial documentation.
* OpenSSL::VERSION is already defined (Zachary Scott, 2014-11-21, 1 file, -3/+0)
* Sync with ruby trunk (Zachary Scott, 2014-11-21, 1 file, -1/+1)
    Commit ruby/ruby@c1bad6040865d08a8f391b7e2beca6a6b66355e7
* Start at 1.0.0 (Zachary Scott, 2014-10-28, 1 file, -1/+1)
* added dummy version file (SHIBATA Hiroshi, 2014-10-27, 1 file, -0/+3)
* import ruby trunk (SHIBATA Hiroshi, 2014-10-27, 9 files, -7/+1586)
* bundle gem openssl (SHIBATA Hiroshi, 2014-10-27, 2 files, -0/+8)