ruby.git/test/openssl/test_pair.rb, branch v2_4_0_preview2 The Ruby Programming Language openssl: import v2.0.0.beta.2 2016-09-08T01:09:19+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-09-08T01:09:19+00:00 a128c0d33f1d7a66c2c8c5d57fde40acd97becae * {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit history since v2.0.0.beta.1 can be found at: https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit
  history since v2.0.0.beta.1 can be found at:
  https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
import Ruby/OpenSSL 2.0.0.beta.1 2016-08-29T05:47:09+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-08-29T05:47:09+00:00 c9dc0164b8ad1cb23faf6120749bcc349a7bfd45 * NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1 [Feature #9612] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: avoid undefined behavior on empty SSL_write 2016-08-06T21:50:10+00:00 normal normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-08-06T21:50:10+00:00 7513d54659fe8cd07022e07f32e1da640c96f0c3 SSL_write(3ssl) manpage has this in the WARNINGS section: When calling SSL_write() with num=0 bytes to be sent the behaviour is undefined. And indeed, the new test case demonstrates failures when empty strings are used. So, match the behavior of IO#write, IO#write_nonblock, and IO#syswrite by returning zero, as the OpenSSL::SSL::SSLSocket API already closely mimics the IO one. * ext/openssl/ossl_ssl.c (ossl_ssl_write_internal): avoid undefined behavior * test/openssl/test_pair.rb (test_write_zero): new test [ruby-core:76751] [Bug #12660] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55822 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
SSL_write(3ssl) manpage has this in the WARNINGS section:

       When calling SSL_write() with num=0 bytes to be sent the
       behaviour is undefined.

And indeed, the new test case demonstrates failures when
empty strings are used.  So, match the behavior of IO#write,
IO#write_nonblock, and IO#syswrite by returning zero, as the
OpenSSL::SSL::SSLSocket API already closely mimics the IO one.

* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal):
  avoid undefined behavior
* test/openssl/test_pair.rb (test_write_zero): new test
  [ruby-core:76751] [Bug #12660]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55822 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
test: use assert_include 2016-07-26T13:02:33+00:00 nobu nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-07-26T13:02:33+00:00 e7440de279fdf1ae50ee4171f678b7af46d48fcd git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55757 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55757 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: fix build with OPENSSL_NO_EC 2016-06-09T10:46:46+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-09T10:46:46+00:00 dd05607f9a76ebab24fe7cf720bda102a81e5b0d * ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC. SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in OpenSSL's configuration. This fixes r55214. * test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does not support ECDH. * test/openssl/utils.rb (start_server): Ignore error in SSLContext#ecdh_curves=. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC.
  SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in
  OpenSSL's configuration. This fixes r55214.

* test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does
  not support ECDH.

* test/openssl/utils.rb (start_server): Ignore error in
  SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: adjust tests for OpenSSL 1.1.0 2016-06-07T12:20:46+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-06-07T12:20:46+00:00 b257af88595a9fc9b834a43fe726029f25019c16 This fixes `make test-all TESTS=openssl` with OpenSSL master. * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324] * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session(). https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75 * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing. * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites. * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates. * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743 * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup. * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed. * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
This fixes `make test-all TESTS=openssl` with OpenSSL master.

* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
  and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
  reject an already existing OID. They were needed to run tests with
  OpenSSL 0.9.6 which is now unsupported.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
  [ruby-core:75225] [Feature #12324]

* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
  SSL::Session before re-adding to the session store. OpenSSL 1.1.0
  starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75

* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
  is new in OpenSSL 1.1.0 but this is for key agreement and not for
  signing.

* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
  test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
  suites.

* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.

* test/openssl/test_engine.rb: Run each test in separate process.
  We can no longer cleanup engines explicitly as ENGINE_cleanup() was
  removed.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743

* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
  RDoc for Engine.cleanup.

* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
  DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.

* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
  test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
  test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
  test unsupported hash functions.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: fix test failure on Fedora 23 2016-05-30T16:52:10+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-05-30T16:52:10+00:00 b9f3d4b8363ede4d9c21de00b17f1aa9b0001e5f * test/openssl/test_pair.rb (test_ecdh_curves): Avoid P-224. The FIPS patch from RHEL disables it. The curve has to be chosen from: { secp256k1, secp384r1, secp521r1, prime256v1 }. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55224 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* test/openssl/test_pair.rb (test_ecdh_curves): Avoid P-224. The FIPS
  patch from RHEL disables it. The curve has to be chosen from: {
  secp256k1, secp384r1, secp521r1, prime256v1 }.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55224 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: add SSLContext#ecdh_curves= 2016-05-30T09:30:38+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-05-30T09:30:38+00:00 f26f3589302e7e26ecb69180d2b2a2f7f7eaf416 * ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With this a TLS server automatically selects a curve which both the client and the server support to use in ECDH. This changes the default behavior but users can still disable ECDH by excluding 'ECDH' cipher suites from the cipher list (with SSLContext#ciphers=). This commit also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL 1.1.0. Its callback receives two values 'is_export' and 'keylength' but both are completely useless for determining a curve to use in ECDH. The automatic curve selection was introduced to replace this. (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a warning if this is in use. (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap SSL_CTX_set1_curves_list(). If it is not available, this falls back to SSL_CTX_set_tmp_ecdh(). (Init_ossl_ssl): Define SSLContext#ecdh_curves=. * ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(), SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_CTX_set_tmp_ecdh_callback(). * ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if missing. * test/openssl/test_pair.rb (test_ecdh_callback): Use EnvUtil.suppress_warning to suppress deprecated warning. (test_ecdh_curves): Test that SSLContext#ecdh_curves= works. * test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
  curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
  this a TLS server automatically selects a curve which both the client
  and the server support to use in ECDH. This changes the default
  behavior but users can still disable ECDH by excluding 'ECDH' cipher
  suites from the cipher list (with SSLContext#ciphers=). This commit
  also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
  wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
  1.1.0. Its callback receives two values 'is_export' and 'keylength'
  but both are completely useless for determining a curve to use in
  ECDH. The automatic curve selection was introduced to replace this.

  (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
  warning if this is in use.

  (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
  SSL_CTX_set1_curves_list(). If it is not available, this falls back
  to SSL_CTX_set_tmp_ecdh().

  (Init_ossl_ssl): Define SSLContext#ecdh_curves=.

* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
  SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
  SSL_CTX_set_tmp_ecdh_callback().

* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
  missing.

* test/openssl/test_pair.rb (test_ecdh_callback): Use
  EnvUtil.suppress_warning to suppress deprecated warning.

  (test_ecdh_curves): Test that SSLContext#ecdh_curves= works.

* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: clear OpenSSL error queue before return to Ruby 2016-05-18T04:07:47+00:00 rhe rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-05-18T04:07:47+00:00 c8cb26252a9615378a3000d7752a6d6fbb6ea3db * ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify() family may put errors on 0 return (0 means verification failure). Clear OpenSSL error queue before return to Ruby. Since the queue is thread global, remaining errors in the queue can cause an unexpected error in the next OpenSSL operation. [ruby-core:48284] [Bug #7215] * ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto. * ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto. * ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto. * ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error queue before re-raising exception. * ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto. * ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto. * ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto. * test/openssl: check that OpenSSL.errors is empty every time after running a test case. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify()
  family may put errors on 0 return (0 means verification failure).
  Clear OpenSSL error queue before return to Ruby. Since the queue is
  thread global, remaining errors in the queue can cause an unexpected
  error in the next OpenSSL operation.  [ruby-core:48284] [Bug #7215]

* ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto.

* ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto.

* ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto.

* ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error
  queue before re-raising exception.

* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.

* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.

* ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto.

* test/openssl: check that OpenSSL.errors is empty every time after
  running a test case.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
openssl: accept moving write buffer for write_nonblock 2016-03-31T20:33:55+00:00 normal normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2016-03-31T20:33:55+00:00 280f7322151655b23c11a673b1adaab8796a358f By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag. This flag was introduced at the same time as SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage with non-blocking sockets much easier. Before this, a Rubyist would need to remember the exact object which failed to write and reuse it later when the socket became writable again. This causes problems when the buffer is given by another layer of the application (e.g. a buffer is given by a Rack middleware or application to a Rack web server). * ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default [Bug #12126] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 
By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag.
This flag was introduced at the same time as
SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage
with non-blocking sockets much easier.

Before this, a Rubyist would need to remember the exact object
which failed to write and reuse it later when the socket became
writable again.  This causes problems when the buffer is given
by another layer of the application (e.g. a buffer is given
by a Rack middleware or application to a Rack web server).

* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc):
  enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default
  [Bug #12126]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e