| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Specify the notBefore and notAfter fields explicitly to prevent
occasional failure.
Fixes: 432a9f3455f5 ("x509cert: implement X509::Certificate#==", 2017-10-12)
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This also restores 'if defined?(OpenSSL)-end' wrapping the test code.
They have been removed erroneously by commit 4eb4b3297a92 ("Remove
support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
* maint:
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
ssl: remove useless call to rb_thread_wait_fd()
test/test_pair, test/test_ssl: fix for TLS 1.3
test/test_ssl_session: rearrange tests
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl: remove test_invalid_shutdown_by_gc
test/utils: do not use DSA certificates in SSL tests
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: improve error handling in start_server
test/utils: let server_loop close socket
test/utils: do not set ecdh_curves in start_server
test/utils: have start_server yield only the port number
test/utils: add SSLTestCase#tls12_supported?
test/utils: remove OpenSSL::TestUtils.silent
test: fix formatting
Rakefile: let sync:to_ruby know about test/openssl/fixtures
cipher: update the documentation for Cipher#auth_tag=
Backport "Merge branch 'topic/test-memory-leak'" to maint
ssl: do not call session_remove_cb during GC
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* topic/test-memory-leak:
Enable OSSL_MDEBUG on CI builds
Add OpenSSL.print_mem_leaks
test: prepare test PKey instances on demand
test: let OpenSSL::TestCase include OpenSSL::TestUtils
Don't define main() when built with --enable-debug
(cherry picked from commit 5c586acc387834ab4e09260937dc21064fc59de4)
Note that fix for new test cases that use the old constants removed by
this is squashed in.
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.5
ssl: fix compile error with OpenSSL 1.0.0
ssl: remove unsupported TLS versions from SSLContext::METHODS
Add msys2 library dependency tag in gem metadata
ossl_pem_passwd_cb: handle nil from the block explicitly
ossl_pem_passwd_cb: do not check for taintedness
ossl_pem_passwd_cb: relax passphrase length constraint
appveyor.yml: test against Ruby 2.4
Rakefile: install_dependencies: install only when needed
bio: do not use the FILE BIO method in ossl_obj2bio()
bio: prevent possible GC issue in ossl_obj2bio()
test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Read everything from an IO object into a String first and use the
memory buffer BIO method just as we do for String inputs.
For MSVC builds, the FILE BIO method uses the "UPLINK" interface that
requires the application to provide OPENSSL_Applink() function. For us,
the "application" means ruby.exe, in which we can't do anything. As a
workaround, avoid using the FILE BIO method at all.
Usually private keys or X.509 certificates aren't that large and the
temporarily increased memory usage hopefully won't be an issue.
Fixes: https://github.com/ruby/openssl/issues/128
|
| |
| |
| |
| |
| |
| | |
Preparing for the introduction of the memory leak checker. Do not leave
OpenSSL objects in constants that wouldn't be GCed in order to avoid
false positives.
|
| |
| |
| |
| |
| | |
OpenSSL::TestPKCS12 is already doing this - let's apply to all test
files. This allows removing redundant 'issue_cert' declarations.
|
|/
|
|
|
|
|
|
|
|
| |
They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses an
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.
|
|
|
|
|
|
| |
Just like we already do for 'teardown' method, though we don't have
OpenSSL::TestCase#setup yet. This will be useful when we want to inject
GC.stress = true.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).
When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.
So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes `make test-all TESTS=openssl` with OpenSSL master.
* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
reject an already existing OID. They were needed to run tests with
OpenSSL 0.9.6 which is now unsupported.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
[ruby-core:75225] [Feature #12324]
* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
SSL::Session before re-adding to the session store. OpenSSL 1.1.0
starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
is new in OpenSSL 1.1.0 but this is for key agreement and not for
signing.
* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
suites.
* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
* test/openssl/test_engine.rb: Run each test in separate process.
We can no longer cleanup engines explicitly as ENGINE_cleanup() was
removed.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
RDoc for Engine.cleanup.
* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
test unsupported hash functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify()
family may put errors on 0 return (0 means verification failure).
Clear OpenSSL error queue before return to Ruby. Since the queue is
thread global, remaining errors in the queue can cause an unexpected
error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215]
* ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto.
* ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto.
* ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error
queue before re-raising exception.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.
* ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto.
* test/openssl: check that OpenSSL.errors is empty every time after
running a test case.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
|
| |
|
|
|