| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34505 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
| |
unrecognized OIDs instead of the sn "UNDEF".
* test/openssl/test_x509name.rb: Add tests for the fixed behavior.
Patch provided by Paul Kehrer, thanḱ you!
[ruby-core:41769] [Feature #5787]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34481 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
| |
Thanks to Mantas Mikulenas for noticing and providing a patch!
[ruby-core:42358] [Bug #5972]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34469 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34463 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
OpenSSL::X509::Store
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34127 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34126 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl.c (ossl_pem_passwd_cb0, ossl_verify_cb):
pem_passwd_cb and verify_cb ignores the exception raised in a
callback proc so it should clear $! for subsequent execution.
That's said, both subsequent processes for pem_passwd_cb and
verify_cb raises another exception before leaking $! to Ruby world.
We cannot test this fix in Ruby land.
* test/openssl/test_pkey_rsa.rb
(test_read_private_key_pem_pw_exception): Test for pem_passwd_cb +
exception.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/missing.h: ditto.
Thanks, Tim Mooney for reporting this!
[Bug #5432] [ruby-core:40088]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33843 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
of OpenSSL::SSL::SSLSocket#session.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
| |
message.
* ext/openssl/ossl_ssl.c: ditto.
* ext/openssl/ossl_pkey_rsa: ditto.
[Bug #5604] [ruby-core:40896]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33821 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33763 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
| |
flag.
* ext/openssl/ossl_x509cert.c (rb_fd_fix_cloexec): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33749 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
Document #set_params.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33695 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33634 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
exponent value correctly. Awful bug. This bug caused exponent of
generated key to be always '1'. By default, and regardless of e
given as a parameter.
!!! Keys generated by this code (trunk after 2011-09-01) must be
re-generated !!! (ruby_1_9_3 is safe)
* test/openssl/test_pkey_rsa.rb: Add tests for default exponent and
specifying exponent by a parameter.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33633 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_engine.c: add some missing OpenSSL engines.
Thanks, Yui Naruse, for providing the patch!
[Bug #5548] [ruby-core:40670]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33631 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* io.c (rb_cloexec_dup): new function.
(ruby_dup): use rb_cloexec_dup.
* ext/pty/pty.c (pty_getpty): use rb_cloexec_dup.
* ext/openssl/ossl_bio.c (ossl_obj2bio): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33553 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
GCC.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33529 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* io.c (rb_fd_set_cloexec): new function.
(ruby_dup): call rb_fd_set_cloexec to set close-on-exec flag.
(rb_sysopen_internal): ditto.
(rb_pipe): ditto.
(io_reopen): ditto.
(io_cntl): ditto.
* process.c (rb_f_exec): change the default :close_others option to
true.
(rb_f_system): ditto.
(move_fds_to_avoid_crash): call rb_fd_set_cloexec to set
close-on-exec flag.
(ruby_setsid): ditto.
(rb_daemon): ditto.
* thread_pthread.c (rb_thread_create_timer_thread): call
rb_fd_set_cloexec to set close-on-exec flag.
* ruby.c (load_file_internal): ditto.
* file.c (rb_file_s_truncate): ditto.
(file_load_ok): ditto.
* random.c (fill_random_seed): ditto.
* ext/pty/pty.c (chfunc): ditto.
(get_device_once): ditto.
* ext/openssl/ossl_bio.c (ossl_obj2bio): ditto.
* ext/socket/init.c (rsock_socket): ditto.
(rsock_s_accept_nonblock): ditto.
(rsock_s_accept): ditto.
* ext/socket/socket.c (rsock_sock_s_socketpair): ditto.
* ext/socket/ancdata.c (discard_cmsg): ditto.
(make_io_for_unix_rights): ditto.
* ext/socket/unixsocket.c (unix_recv_io): ditto.
* ext/io/console/console.c (console_dev): ditto.
[ruby-core:38140] [Feature #5041]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33507 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
* test/openssl/test_ns_spki.rb: Integrate SPKI#to_text.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33497 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
documentation.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33495 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
for Netscape SPKI.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
| |
binary data.
* test/openssl/test_ssl.rb: Add test for it.
Thanks to Niklas Baumstark for reporting the issue!
[Ruby 1.9 - Bug #5233] [ruby-core:39120]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
| |
ext/openssl/ossl_pkey.c: ditto
* ext/openssl/ossl_pkey_dh.c: Make functions passed to
rb_thread_blocking_region return VALUE instead of void.
ext/openssl/ossl_pkey_dsa.c: ditto
ext/openssl/ossl_pkey_rsa.c: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33477 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fed arbitrary string values.
Clearly distinguish between the cases "universal, infinite and
not a SEQUENCE or SET" and "universal SEQUENCE or SET, possibly
infinite". Raise error for universal tags that are not infinite.
* test/openssl/test_asn1.rb: add a test for this.
Thanks to Hiroshi Yoshida for reporting this bug.
[Bug #5363] [ruby-dev:44542]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33333 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33318 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
t = Thread.new { print "."; sleep 0.1 }
key = OpenSSL::PKey::RSA.new(2048)
#=> Thread t works in parallel with public key generation if
OS/machine allows it.
This works with OpenSSL >= 0.9.8. From this version, it has new
public key generation function which allows us to interrupt the
execution while pkey generation iterations.
* ext/openssl/extconf.rb: Check existence of OpenSSL's new public key
generation function. (DH_generate_parameters_ex,
DSA_generate_parameters_ex and RSA_generate_key_ex.
* ext/openssl/ossl_pkey.{h,c} (ossl_generate_cb_2,
ossl_generate_cb_stop): Added new callback function for OpenSSL pkey
generation which handles Thread interruption by Ruby.
ossl_generate_cb_stop is the unblock function(ubf) for Ruby which
sets a stop flag. New pkey generation callback ossl_generate_cb_2
checks the stop flag at each iterations of OpenSSL and interrupts
pkey generation when the flag is set.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): Call
rb_thread_blocking_region with the above unblock function to release
GVL while pkey generation.
* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.
* ext/openssl/ossl_pkey_dh.c (dh_generate): ditto.
* test/openssl/test_pkey_{dh,dsa,rsa}.rb: Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33155 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/lib/openssl/digest.rb: ditto
* ext/openssl/lib/openssl/x509.rb: ditto
* ext/openssl/lib/openssl/cipher.rb: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33066 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
an example to OpenSSL::Digest. Patch by Sylvain Daubert.
[Ruby 1.9 - Bug #5166]
* ext/openssl/lib/openssl/digest.rb (module OpenSSL): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33065 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32992 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
OpenSSL::X509::Certificate.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32991 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
*not* support #sign/verify.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32987 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
| |
Patch by Eric Wong. [Feature #5157] [ruby-core:38798]
* ext/openssl/ossl_asn1.c (ossl_asn1_decode): ditto.
* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SEGV from AES encryption/decryption. Processing data by
Cipher#update without initializing key (meaningless usage of Cipher
object since we don't offer a way to export a key) could cause SEGV.
In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3)
allows uninitialized key, but other EVPs (such as AES) does not
allow it. Calling EVP_CipherUpdate() without initializing key causes
SEGV so we set the data filled with "\0" as the key by default. See
#2768.
* test/openssl/test_cipher.rb: test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32723 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ruby-dev:38018]. From the next version of 1.9.3, you should use
require "openssl"
instead of
require "openssl/ssl"
and
require "openssl/x509"
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32664 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
introduced in r30152 to x509-internal.rb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32662 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLError from SSLSocket just after invoking SSLSocket#close.
OpenSSL's SSL_shutdown could try to send alert packet and it might
set SSLerr(global error stack) as the result. It causes the next
SSL read/write operation to fail by unrelated reason.
By design, we're ignoring any error at SSL_shutdown() so we clear
global error stack after SSL_shutdown is called. See #5039.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32658 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
HMAC_Init_ex as it is not compatible with OpenSSL < 1.0.0.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32609 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl_hmac.c: Check return value of HMAC_Init_ex.
Thanks, Jared Jennings, for the patch.
[ Ruby 1.9 - Bug #4944 ] [ruby-core:37670]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32606 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
| |
* test/openssl/test_engine.rb: Add a test for it.
Thanks to Ippei Obayashi for providing the patch.
[ Ruby 1.9 - Bug #5062 ] [ruby-dev:44173]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32604 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
internal.h.
* file.c: ditto.
* io.c: call rb_update_max_fd for each new fds.
* process.c: ditto.
* random.c: ditto.
* ruby.c: ditto.
* ext/io/console/console.c: ditto.
* ext/openssl/ossl_bio.c: ditto.
* ext/pty/pty.c: ditto.
* ext/socket/init.c: ditto.
* ext/socket/socket.c: ditto.
* ext/socket/ancdata.c: ditto.
* ext/socket/unixsocket.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32587 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
verify callback of SSLContext and X509Store and make the
verification fail normally. Raising exception directly from callback
causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
See #4445.
* test/openssl/test_ssl.rb
(test_exception_in_verify_callback_is_ignored): test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32537 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
| |
defition of OPENSSL_SYS_WIN32.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32452 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ext/openssl/ossl.c: Replaced ossl_x509_ary2k by generic macro to
simplify future conversions.
* ext/openssl/ossl_ssl.c: Implement SSLSocket#client_ca.
* test/openssl/test_ssl.rb: Add test for SSLSocket#client_ca.
Thanks to Ippei Obayashi for providing the patch!
[ Ruby 1.9 - Feature #4481 ] [ruby-core:35461]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32337 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
| |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32292 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|