ruby.git/ext/openssl, branch ruby_1_9_2 The Ruby Programming Language * backport r34482 from trunk 2012-02-09T17:20:52+00:00 emboss emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2012-02-09T17:20:52+00:00 85fd9aadd13fdf685395cf605007e3fcdf40336f * ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL option to prevent BEAST attack. See [Bug #5353]. In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent TLS-CBC-IV vulunerability described at http://www.openssl.org/~bodo/tls-cbc.txt It's known issue of TLSv1/SSLv3 but it attracts lots of attention these days as BEAST attack. (CVE-2011-3389) Until now ossl sets OP_ALL at SSLContext allocation and call SSL_CTX_set_options at connection. SSL_CTX_set_options updates the value by using |= so bits set by OP_ALL cannot be unset afterwards. This commit changes to call SSL_CTX_set_options only 1 time for each SSLContext. It sets the specified value if SSLContext#options= are called and sets OP_ALL if not. To help users to unset bits in OP_ALL, this commit also adds several constant to SSL such as OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were not exposed in Ruby because there's no way to unset bits in OP_ALL before. Following is an example to enable 0/n split for BEAST prevention. ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS * test/openssl/test_ssl.rb: Test above option exists. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@34525 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
  option to prevent BEAST attack. See [Bug #5353].

  In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
  TLS-CBC-IV vulunerability described at
  http://www.openssl.org/~bodo/tls-cbc.txt
  It's known issue of TLSv1/SSLv3 but it attracts lots of attention
  these days as BEAST attack. (CVE-2011-3389)

  Until now ossl sets OP_ALL at SSLContext allocation and call
  SSL_CTX_set_options at connection.  SSL_CTX_set_options updates the
  value by using |= so bits set by OP_ALL cannot be unset afterwards.
  This commit changes to call SSL_CTX_set_options only 1 time for each
  SSLContext. It sets the specified value if SSLContext#options= are
  called and sets OP_ALL if not.

  To help users to unset bits in OP_ALL, this commit also adds several
  constant to SSL such as
  OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.  These constants were
  not exposed in Ruby because there's no way to unset bits in OP_ALL
  before.

  Following is an example to enable 0/n split for BEAST prevention.

    ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS

* test/openssl/test_ssl.rb: Test above option exists.



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@34525 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r32288 and r32292 from trunk into ruby_1_9_2. 2011-08-11T00:38:30+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-08-11T00:38:30+00:00 a0948d8334936d086e6af4157674f90dedf35296 -- * ext/openssl/ossl.h (OPENSSL_SYS_WIN32): support for mingw(msys). -- * ext/openssl/ossl.h (OPENSSL_SYS_WIN32): define only if not defined. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32918 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl.h (OPENSSL_SYS_WIN32): support for mingw(msys).
--
* ext/openssl/ossl.h (OPENSSL_SYS_WIN32): define only if not defined.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32918 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges 32211 from trunk into ruby_1_9_2. 2011-08-07T10:03:07+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-08-07T10:03:07+00:00 df273d60d51a15452292f7fd111f685e7471e588 -- * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_time): Check argument type with NUM2LONG if the arg is not a Time object. See #4919. * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_timeout): Check type with NUM2LONG. Time as an arg is not allowed. See #4919. * test/openssl/test_ssl.rb (test_session_time, test_session_timeout): Test it. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32880 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_time): Check
  argument type with NUM2LONG if the arg is not a Time object.
  See #4919.

* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_timeout): Check
  type with NUM2LONG. Time as an arg is not allowed. See #4919.

* test/openssl/test_ssl.rb (test_session_time,
  test_session_timeout): Test it.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32880 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31528 from trunk into ruby_1_9_2. fixes #4861. 2011-07-03T12:24:02+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-07-03T12:24:02+00:00 8a571111295f8ce1720e10fd2760197951d481c7 -- * ext/openssl/ossl_ssl.c: By trunk@31346, function check of SSLv2 is executed. However, the problem is not revised in this. This adds the control of using function of SSLv2 in made macro by function check. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32382 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
        * ext/openssl/ossl_ssl.c: By trunk@31346, function check of SSLv2 is executed.
        However, the problem is not revised in this.
        This adds the control of using function of SSLv2 in made macro by function check.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@32382 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31346 from trunk into ruby_1_9_2. 2011-05-30T04:44:32+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-30T04:44:32+00:00 1049a5df6d9975661bce0cb8a13cf66be907231d -- * ext/openssl/extconf.rb: Should check SSLv2_*method. openssl compiled with "no-ssl2" the extconf don't fail when running `make' having this compilation errors. Patched by Laurent Arnoud. fixes #4562, #4556 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31816 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/extconf.rb: Should check SSLv2_*method.
  openssl compiled with "no-ssl2" the extconf don't fail 
  when running `make' having this compilation errors.
  Patched by Laurent Arnoud. fixes #4562, #4556

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31816 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31244 from trunk into ruby_1_9_2. 2011-05-29T22:49:10+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-29T22:49:10+00:00 61ce01276dc8b2fe7afa85a8d788f7774a451f0a -- * ext/openssl/ossl_pkey_dh.c (ossl_dh_initialize): pop pushed error after each try of reading. fixes #4550 * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize): ditto. * ext/openssl/ossl_pkey_ec.c (ossl_ec_initialize): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl_pkey_dh.c (ossl_dh_initialize):
  pop pushed error after each try of reading. fixes #4550

* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize): ditto.

* ext/openssl/ossl_pkey_ec.c (ossl_ec_initialize): ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31242 from trunk into ruby_1_9_2. 2011-05-29T22:49:02+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-29T22:49:02+00:00 1dd5d8e4f00692b3cdc32f7781e590ac00e70f5e -- * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize): pop pushed error after each try of reading. fixes #4550 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize):
  pop pushed error after each try of reading. fixes #4550

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31164 from trunk into ruby_1_9_2. 2011-05-29T22:48:34+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-29T22:48:34+00:00 a7fb5151464fddaad13c9fae922ba534ac9b125a -- * ext/openssl/ossl_x509name.c: id_aref's type is ID. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31792 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl_x509name.c: id_aref's type is ID.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31792 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31162 from trunk into ruby_1_9_2. 2011-05-29T22:48:25+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-29T22:48:25+00:00 cbb9603f3a70d041a65d98f72f429fb0f70f8877 -- * ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify): flags is VALUE, so it should use NUM2INT. * ext/openssl/ossl_ocsp.c (ossl_ocspbres_verify): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31791 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify): flags is VALUE,
  so it should use NUM2INT.

* ext/openssl/ossl_ocsp.c (ossl_ocspbres_verify): ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31791 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
merges r31113 from trunk into ruby_1_9_2. 2011-05-28T23:32:46+00:00 yugui yugui@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2011-05-28T23:32:46+00:00 8cd1c4ddab456bd5084d9272bb335e11a3651232 -- * ext/openssl/lib/openssl/buffering.rb (module OpenSSL): #flush should not change sync mode on exception. * test/openssl/test_buffering.rb: added git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31777 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
--
	* ext/openssl/lib/openssl/buffering.rb (module OpenSSL): #flush should
	  not change sync mode on exception.
	* test/openssl/test_buffering.rb: added

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@31777 b2dd03c8-39d4-4d8f-98ff-823fe69b080e