| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
LibreSSL 2.8.0+ does not support multiple elements in the first
argument.
|
| |
|
|
|
|
| |
The test fails when using OpenSSL 1.1 that supports TLS1.3.
To make it pass, this change restricts max_version to TLS1.2.
We may need more work for TLS1.3.
|
| |
|
|
| |
OpenSSL 1.1.1 seems to require at least 2048 bits for CA's private keys.
|
| |\
| |
| | |
test: use larger keys for SSL tests
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some systems enforce a system-wide policy to restrict key sizes used in
SSL/TLS. Use larger ones if possible so that the test suite runs
successfully.
New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added
to the tree, and SSL tests now use them instead of the fixed-size keys.
Reference: https://github.com/ruby/openssl/issues/215
|
| | |
| |
| |
| |
| |
| |
| | |
Call IO.select with a timeout value and limit the number of retries to
prevent stacking forever.
Reference: https://github.com/ruby/openssl/issues/214
|
| | | |
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint:
Ruby/OpenSSL 2.1.2
Ruby/OpenSSL 2.0.9
needs openssl/opensslv.h
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| | |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint-2.0:
Ruby/OpenSSL 2.0.9
needs openssl/opensslv.h
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| | | |\ \
| | | |/
| | |/|
| | | |
| | | | |
* ky/x509name-cmp-bugfix:
x509name: fix OpenSSL::X509::Name#{cmp,<=>}
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=>
could return 0 when the two objects aren't identical.
Reported by Tyler Eckstein. CVE-2018-16395.
Reference: https://hackerone.com/reports/387250
|
| |\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint:
x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
x509name: refactor OpenSSL::X509::Name#to_s
test/test_x509name: change script encoding to ASCII-8BIT
reduce LibreSSL warnings
openssl_missing.h: constified
openssl: search winsock
search winsock libraries explicitly
no ID cache in Init functions
test/test_ssl: fix test failure with TLS 1.3
tool/ruby-openssl-docker: update to latest versions
pkey: resume key generation after interrupt
|
| | |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint-2.0:
x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
x509name: refactor OpenSSL::X509::Name#to_s
test/test_x509name: change script encoding to ASCII-8BIT
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
X509_NAME_print_ex() behaves differently depending on the passed flags.
When XN_FLAG_COMPAT is specified, it returns either 1 on success or 0
on error. Otherwise, it returns the byte size written or -1 on error.
This means 0 return is not necessarily an error.
Also, X509_NAME_oneline() return value needs to be checked as it may
fail with a NULL return.
Fixes: https://github.com/ruby/openssl/issues/200
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Allow string literals containing UTF-8 characters.
(cherry picked from commit 98945c7ce8706309a6d358007f1fdb2a73711662)
|
| | |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with
TLS 1.3", 2018-08-06) is applied to the new test cases.
* maint-2.0:
reduce LibreSSL warnings
openssl_missing.h: constified
openssl: search winsock
search winsock libraries explicitly
no ID cache in Init functions
test/test_ssl: fix test failure with TLS 1.3
tool/ruby-openssl-docker: update to latest versions
pkey: resume key generation after interrupt
|
| | | |/
| | |
| | |
| | |
| | |
| | | |
SSL_connect() on the client side may return before SSL_accept() on
server side returns. This will fix test failures with OpenSSL's current
master.
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint:
Ruby/OpenSSL 2.1.1
Ruby/OpenSSL 2.0.8
test/test_ssl_session: set client protocol version explicitly
test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
extconf.rb: fix build with LibreSSL 2.7.0
cipher: validate iterations argument for Cipher#pkcs5_keyivgen
test/utils: disable Thread's report_on_exception in start_server
|
| | |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
Ruby/OpenSSL 2.0.8
test/test_ssl_session: set client protocol version explicitly
test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1
extconf.rb: fix build with LibreSSL 2.7.0
cipher: validate iterations argument for Cipher#pkcs5_keyivgen
test/utils: disable Thread's report_on_exception in start_server
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Clients that implement TLS 1.3's Middlebox Compatibility Mode will
always provide a non-empty session ID in the ClientHello. This means
the "get" callback for the server-side session caching may be called
for the initial connection.
|
| | | |
| | |
| | |
| | | |
OpenSSL 1.1.1 raised the minimum size for RSA keys to 512 bits.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
EVP_BytesToKey() internally converts the iteration count given as an
"int" into an "unsigned int". Calling that with a negative integer will
result in a hang. This is surprising, so let's validate the value by
ourselves and raise ArgumentError as necessary.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Those threads can purposefully raise exceptions when they call 'pend'.
The report_on_exception feature can be safely disabled in this case
since we use assert_join_threads that captures all exceptions raised.
This is necessary to suppress warnings on Ruby 2.5, which enables the
report_on_exception feature by default.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.
Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).
As an example, the IPv6 loopback address, if represented as `::1`, would
not verify. Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations. The library would only accept
a very specific representation (i.e. `0:0:0:0:0:0:0:1`).
This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
The recipient's certificate is not mandatory for PKCS7_decrypt(). Make
it possible to call OpenSSL::PKCS7#decrypt with only the private key to
match the functionality.
Reference: https://github.com/ruby/openssl/issues/182
|
| |\ \
| | |
| | | |
pkey/ec: add support for octet string encoding of EC point
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new method named PKey::EC#to_octet_string that returns the octet
string representation of the curve point. PKey::EC::Point#to_bn, which
have already existed and is similar except that an instance of
OpenSSL::BN is returned, is rewritten in Ruby.
PKey::EC::Point#initialize now takes String as the second argument in
the PKey::EC::Point.new(group, encoded_point) form.
Also, update the tests to use #to_octet_string instead of #to_bn for
better readability.
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
* ky/fix-ssl-test-internal-encoding:
Fix test-all tests to avoid creating report_on_exception warnings
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* The warnings are shown by Thread.report_on_exception defaulting to
true. [Feature #14143] [ruby-core:83979]
* Improves tests by narrowing down the scope where an exception
is expected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61188 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this effectively reverts commit 01445af367ec ("test/test_ssl:
prevent changing default internal encoding", 2017-11-26). This is OK
since EnvUtil.with_default_internal has been made thread-safe.]
Sync-with-trunk: r61188
|
| |\| | |
| | | |
| | | |
| | | |
| | | | |
* ky/fix-ssl-test-internal-encoding:
test/test_ssl: prevent changing default internal encoding
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In Ruby tree (not in this tree), assert_raise_with_message uses
EnvUtil.with_default_internal which cannot be called simultaneously.
The patch was suggested by Yusuke Endoh (mame).
|
| |\ \ \ \
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* maint:
History.md: fix a typo
x509cert, x509crl, x509req, ns_spki: check sanity of public key
pkey: make pkey_check_public_key() non-static
test/test_cipher: fix test_non_aead_cipher_set_auth_data failure
cipher: disallow setting AAD for non-AEAD ciphers
test/test_ssl_session: skip tests for session_remove_cb
appveyor.yml: remove 'openssl version' line
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A follow-up to commit bb10767b0570 ("cipher: disallow setting AAD for
non-AEAD ciphers", 2017-10-18). Cipher#auth_data= raises
NotImplementedError if built with OpenSSL < 1.0.1.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
EVP_CipherUpdate() must not be call with the output parameter set to
NULL when the cipher does not support AEAD. Check the flag of
EVP_CIPHER, and raise an exception as necessary.
Reference: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/83337
Reference: https://bugs.ruby-lang.org/issues/14024
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In OpenSSL < 1.1.0, the session_remove_cb callback is called inside the
global lock for CRYPTO_LOCK_SSL_CTX which is shared across the entire
process, not just for the specific SSL_CTX object. It is possible that
the callback releases GVL while the lock for CRYPTO_LOCK_SSL_CTX is
held, causing another thread calling an OpenSSL function that tries to
acquire the same lock stuck forever.
Add a note about the possible deadlock to the docs for
SSLContext#session_remove_cb=, and skip the relevant test cases unless
the OSSL_TEST_ALL environment variable is set to 1.
A deadlock due to this issue is observed:
http://ci.rvm.jp/results/trunk-test@frontier/104428
|
| |\ \ \ \
| | | | |
| | | | | |
kdf: add HKDF support
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
OpenSSL 1.1.0 supports HKDF through the EVP API. Add OpenSSL::KDF.hkdf
as a wrapper around that.
Reference: https://github.com/ruby/openssl/issues/172
|
| |\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* ky/x509-implement-eq:
test/test_x509crl: fix random failure
test/test_x509cert: fix flaky test
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Similarly to the previous one, avoid querying the current time multiple
times.
Fixes: e4727829837a ("x509crl, x509revoked: implement X509::{CRL,Revoked}#==", 2017-10-12)
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Specify the notBefore and notAfter fields explicitly to prevent
occasional failure.
Fixes: 432a9f3455f5 ("x509cert: implement X509::Certificate#==", 2017-10-12)
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Merge GitHub Pull Request #167.
* ky/ssl-add-certificate:
test/test_ssl: fix test_security_level
ssl: add SSLContext#add_certificate
test/utils: remove a pointless .public_key call in issue_cert
test/envutil: port assert_warning from Ruby trunk
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Fix test_security_level using SSLContext#add_certificate. It immediately
sets the certificate to the SSL_CTX, so it is affected by the security
level setting.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Add a new method to add a certificate, a corresponding private key, and
extra CA certificates at once.
This has two advantages over the existing {cert,key,extra_cert_chain}
attributes:
1. We can notice the problem with the certificate and/or the private
key. Since the existing attributes are simple instance variables,
they aren't set to the SSL_CTX until #setup which usually happens
on the first connection.
2. For the same reason, existing attributes allowed only one
certificate for a context, even though OpenSSL itself is capable of
handling multiple certificates and selecting the most appropriate
one according to the cipher suite selected.
The documentation for the existing attributes are updated to recommend
using #add_certificate.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
PKey::EC#public_key works differently from other PKey types, making
TestUtils.issue_cert unusable for creating ECDSA certificates.
Actually, the #public_key does not have any effect on any other PKey
types. So just remove it.
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | | |
EnvUtil.verbose_warning used by assert_warning is also ported.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
LibreSSL 2.4 reached its EOL in 2017-09.
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
[v2] Add RSA sign_pss() and verify_pss() methods
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Support Probabilistic Signature Scheme for RSA key signing.
[ky: the patch was originally submitted as GitHub Pull Request #76.
finish keyword arguments handling, update docs, and fix tests.]
|
| |\ \ \ \ \ \
| |_|_|_|/ /
|/| | | | | |
buffering: let #write accept multiple arguments
|
