| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.
As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.
Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.
Reference: https://github.com/ruby/openssl/issues/208
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The OpenSSL::VERSION constant is now defined by lib/openssl/version.rb
instead of by the extension. Add missing require statement.
Fixes: 0cddb0b736c8 ("Simplify handling of version constant.", 2019-10-31)
Reference: https://github.com/ruby/openssl/issues/347
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::Config is currently implemented in Ruby, but we plan to revert
back to use OpenSSL API, just as it did before r28632 (in ruby_1_8;
r29048 in trunk). It's not clear what was the issue with Windows, but
the CONF library should work on Windows too.
Modifying a CONF object is not possible in OpenSSL API. Actually, it
was possible in previous versions of OpenSSL, but we used their
internal functions that are not exposed in shared libraries anymore.
Accordingly, OpenSSL::Config#add_value and #[]= have to be removed. As
a first step towards the change, let's deprecate those methods.
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
It breaks when compiled in ruby source tree.
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
add ca_issuer_uris and ocsp_uris description to the changelog
|
| | |
| | |
| | |
| | | |
add helper to access information and services for the issuer of the Certificate
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
This allows for example to use Rails' cache to store these objects. Without this patch you'd get errors like "TypeError (no _dump_data is defined for class OpenSSL::X509::Certificate)"
Note that the X509::Revoked class doesn't need the newly introduced modules as the DER output of X509::CRL already includes these.
|
| | |
| | |
| | |
| | | |
secure_compare is for user input, fixed_length_secure_compare for already processed data that is known to have the same length
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
At the moment OpenSSL::Buffering#do_write allocates some additional
strings, and in my profiling writing 5MB of data allocates additional
7.7MB of strings.
This patch greatly reduces memory allocations, and now writing 5MB of
data allocates only additional 0.2MB of strings. This means that large
file uploads would effectively not allocate additional memory anymore.
Reference: https://bugs.ruby-lang.org/issues/14426
Reference: https://github.com/ruby/ruby/pull/1924
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* ext/openssl/lib/openssl/buffering.rb (do_write, puts): output
methods should not be affected by the input record separator.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62038
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.
Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).
As an example, the IPv6 loopback address, if represented as `::1`, would
not verify. Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations. The library would only accept
a very specific representation (i.e. `0:0:0:0:0:0:0:1`).
This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.
|
|\ \
| | |
| | | |
pkey/ec: add support for octet string encoding of EC point
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new method named PKey::EC#to_octet_string that returns the octet
string representation of the curve point. PKey::EC::Point#to_bn, which
have already existed and is similar except that an instance of
OpenSSL::BN is returned, is rewritten in Ruby.
PKey::EC::Point#initialize now takes String as the second argument in
the PKey::EC::Point.new(group, encoded_point) form.
Also, update the tests to use #to_octet_string instead of #to_bn for
better readability.
|
|\ \ \
| | | |
| | | | |
buffering: let #write accept multiple arguments
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
As of Ruby 2.5, IO#write accepts multiple input strings and writes them
at once[1]. Follow that.
[1] https://bugs.ruby-lang.org/issues/9323
|
|\ \ \ \
| | | | |
| | | | | |
x509*: implement ==
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |/ / / |
|
|\ \ \ \
| |/ / /
|/| | |
| | | |
| | | |
| | | | |
* ky/ssl-version-min-max:
ssl: fix conflict of options in SSLContext#set_params
Use caller with length to reduce unused strings
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Make SSLContext#set_params call #options= first.
SSLContext#set_params by default disables SSL 2.0 and SSL 3.0 by calling
SSLContext#min_version=. After that, it sets the SSL option flags by
calling SSLContext#options=.
This is problematic when built with OpenSSL before 1.1.0 because
SSLContext#min_version= achieves its goal using the SSL_OP_NO_{SSL,TLS}*
options. Since the subsequent SSLContext#options= call replaces the
flags rather than OR together, this results in effectively disabling
min_version setting in SSLContext::DEFAULT_PARAMS.
The issue was first fixed in Ruby trunk tree, as part of r60310 ("fix
OpenSSL::SSL::SSLContext#min_version doesn't work", 2017-10-21).
|