Age | Commit message (Collapse) | Author |
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40825 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
defined(OPENSSL_NO_SOCK).
This fixes a linkage error on platforms which do not have socket.
OpenSSL itself is still useful as a set of cryptographic functions
even on such platforms.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40316 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Add tests to verify correct behavior.
[Bug #8240] Patch provided by Shugo Maeda. Thanks!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40304 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40247 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
subclasses that include WaitReadable or WaitWritable rather than
extending them into the exception object each time.
* error.c: Capture EGAIN, EWOULDBLOCK, EINPROGRESS exceptions and
export them for use in WaitReadable/Writable exceptions.
* io.c: Create versions of EAGAIN, EWOULDBLOCK, EINPROGRESS that
include WaitReadable and WaitWritable. Add rb_readwrite_sys_fail
for nonblocking failures using those exceptions. Use that
function in io_getpartial and io_write_nonblock instead of
rb_mod_sys_fail
* ext/openssl/ossl_ssl.c: Add new SSLError subclasses that include
WaitReadable and WaitWritable. Use those classes for
write_would_block and read_would_block instead of rb_mod_sys_fail.
* ext/socket/ancdata.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in bsock_sendmsg_internal and
bsock_recvmsg_internal.
* ext/socket/init.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in rsock_s_recvfrom_nonblock and
rsock_s_connect_nonblock.
* ext/socket/socket.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in sock_connect_nonblock.
* include/ruby/ruby.h: Export rb_readwrite_sys_fail for use instead
of rb_mod_sys_fail. Introduce new constants RB_IO_WAIT_READABLE and
RB_IO_WAIT_WRITABLE for first arg to rb_readwrite_sys_fail.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
issue on big-endian architecture [ruby-core:50292] [Bug #7463]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
suppress warning: instance variable @npn_select_cb not initialized
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36985 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36895 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
before ossl_raise. this cause a test failure on Linux.
http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
reaches end of non-void function" warnings. [ruby-trunk - Bug #6066]
* re.c (name_to_backref_number): ditto.
* object.c (rb_Float): ditto.
* io.c (io_readpartial): ditto.
* io.c (io_read_nonblock): ditto.
* pack.c (rb_uv_to_utf8): ditto.
* proc.c (rb_method_entry_arity): ditto.
* vm_method.c (rb_f_notimplement): ditto.
* struct.c (rb_struct_aset_id): ditto.
* class.c (rb_scan_args): ditto.
* process.c (rlimit_resource_type): ditto.
* process.c (rlimit_resource_value): ditto.
* process.c (p_uid_switch): ditto.
* process.c (p_gid_switch): ditto.
* ext/digest/digest.c (rb_digest_instance_update): ditto.
* ext/digest/digest.c (rb_digest_instance_finish): ditto.
* ext/digest/digest.c (rb_digest_instance_reset): ditto.
* ext/digest/digest.c (rb_digest_instance_block_length): ditto.
* ext/bigdecimal/bigdecimal.c (BigDecimalCmp): ditto.
* ext/dl/handle.c (rb_dlhandle_close): ditto.
* ext/tk/tcltklib.c (pending_exception_check0): ditto.
* ext/tk/tcltklib.c (pending_exception_check1): ditto.
* ext/tk/tcltklib.c (ip_cancel_eval_core): ditto.
* ext/tk/tcltklib.c (lib_get_reltype_name): ditto.
* ext/tk/tcltklib.c (create_dummy_encoding_for_tk_core): ditto.
* ext/tk/tkutil/tkutil.c (tk_hash_kv): ditto.
* ext/openssl/ossl_ssl.c (ossl_ssl_session_reused): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_dsa_verify_asn1): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_at_infinit): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_on_curve): ditto.
* ext/fiddle/conversions.c (generic_to_value): ditto.
* ext/socket/raddrinfo.c (rsock_io_socket_addrinfo): ditto.
* ext/socket/socket.c (sock_s_getnameinfo): ditto.
* ext/ripper/eventids2.c (ripper_token2eventid): ditto.
* cont.c (return_fiber): ditto.
* dmydln.c (dln_load): ditto.
* vm_insnhelper.c (vm_search_normal_superclass): ditto.
* bignum.c (big_fdiv): ditto.
* marshal.c (r_symlink): ditto.
* marshal.c (r_symbol): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35321 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
of OpenSSL::SSL::SSLSocket#session.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
message.
* ext/openssl/ossl_ssl.c: ditto.
* ext/openssl/ossl_pkey_rsa: ditto.
[Bug #5604] [ruby-core:40896]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33821 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/openssl/ossl_pkey.c: ditto
* ext/openssl/ossl_pkey_dh.c: Make functions passed to
rb_thread_blocking_region return VALUE instead of void.
ext/openssl/ossl_pkey_dsa.c: ditto
ext/openssl/ossl_pkey_rsa.c: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33477 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLError from SSLSocket just after invoking SSLSocket#close.
OpenSSL's SSL_shutdown could try to send alert packet and it might
set SSLerr(global error stack) as the result. It causes the next
SSL read/write operation to fail by unrelated reason.
By design, we're ignoring any error at SSL_shutdown() so we clear
global error stack after SSL_shutdown is called. See #5039.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32658 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c: Replaced ossl_x509_ary2k by generic macro to
simplify future conversions.
* ext/openssl/ossl_ssl.c: Implement SSLSocket#client_ca.
* test/openssl/test_ssl.rb: Add test for SSLSocket#client_ca.
Thanks to Ippei Obayashi for providing the patch!
[ Ruby 1.9 - Feature #4481 ] [ruby-core:35461]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32337 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
connection more gracefully. Call SSL_shutdown() max 4 times until it
returns 1 (success). Bi-directional SSL close has several states but
SSL_shutdown() kicks only 1 transition per call. Max 4 is from
mod_ssl.c of Apache httpd that says 'max 2x pending * 2x data = 4'.
See #4237.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL from the callback for SSL_CTX_sess_set_get_cb().
Returning 0 means to OpenSSL that the the session is still valid
(since we created Ruby Session object) and was not freed by us with
SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
session_get_cb block if you don't want OpenSSL to cache the session
internally.
This potential issue was pointed by Ippei Obayashi. See #4416.
* test/openssl/test_ssl_session.rb (test_ctx_server_session_cb): Test
it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32204 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLContext#session_remove_cb was broken. It wrongly
tried to call the session_*new*_cb callback.
* test/openssl/test_ssl_session.rb (class OpenSSL): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32200 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
fallback scenarios.
* ext/openssl/ossl_pkey_dsa.c
* ext/openssl/ossl_x509req.c
* ext/openssl/ossl_pkey_rsa.c
* ext/openssl/ossl_pkey_ec.c
* ext/openssl/ossl_ssl_session.c
* ext/openssl/ossl_x509crl.c
* ext/openssl/ossl_pkey.c
* ext/openssl/ossl_pkey_dh.c
* ext/openssl/ossl_x509cert.c
* ext/openssl/ossl_pkcs7.c: Use OSSL_BIO_reset.
* ext/openssl/ossl_ssl.c
* ext/openssl/ossl_cipher.c
* ext/openssl/ossl_pkey_ec.c
* ext/openssl/ossl_pkcs12.c
* ext/openssl/ossl_ssl_session.c: Replace rb_raise occurences by
ossl_raise. This automatically flushes OpenSSL's error queue.
* ext/openssl/ossl_pkcs7.c: Raise error if DER fallback for parsing
fails.
* test/openssl/test_pkey_ec.rb
* test/openssl/test_pkey_dsa.rb
* test/openssl/test_pkey_rsa.rb: Add assertions that OpenSSL.errors is
empty.
* test/openssl/test_pkey_rsa.rb: Remove initial OpenSSL.errors call in
test_new.
[ Ruby 1.9 - Bug #4885 ] [ruby-core:37134]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32199 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Thanks, Eric Wong, for providing the patch.
[ Ruby 1.9 - Feature #4672 ] [ruby-core:36127]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32198 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31573 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
executed.
However, the problem is not revised in this.
This adds the control of using function of SSLv2 in made macro by function check.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.h: ditto.
* ext/openssl/ossl_asn1.c: ditto.
* ext/openssl/ossl_bio.c: ditto.
* ext/openssl/ossl_bn.c: ditto.
* ext/openssl/ossl_cipher.c: ditto.
* ext/openssl/ossl_hmac.c: ditto.
* ext/openssl/ossl_ns_spki.c: ditto.
* ext/openssl/ossl_ocsp.c: ditto.
* ext/openssl/ossl_pkcs5.c: ditto.
* ext/openssl/ossl_pkey.c: ditto.
* ext/openssl/ossl_pkey_dh.c: ditto.
* ext/openssl/ossl_pkey_dsa.c: ditto.
* ext/openssl/ossl_pkey_ec.c: ditto.
* ext/openssl/ossl_pkey_rsa.c: ditto.
* ext/openssl/ossl_rand.c: ditto.
* ext/openssl/ossl_ssl.c: ditto.
* ext/openssl/ossl_x509ext.c: ditto.
* ext/openssl/ossl_x509name.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31166 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
the result is used with functions whose argument is int.
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509store_set_purpose): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509store_set_trust): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509stctx_set_purpose): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509stctx_set_trust): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31165 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31080 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
http://www.openssl.org/docs/ssl/SSL_shutdown.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30451 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Add additional documentation for OpenSSL::SSL::SSLContext and
OpenSSL::SSL::SSLSocket.
Move "let rdoc know about mOSSL" comments so they don't show up in output.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30090 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLContext#ssl_version=.
Add documentation for OpenSSL::SSL::SSLContext#ciphers
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29977 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
pointer is invalid. Thanks Ippei Obayashi! [ruby-dev:42573]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29784 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
blocked on Windows while blocking call for SSLSocket. Need to
convert errno for letting rb_io_wait_readable detect EWOULDBLOCK.
Patch by arton. ref #3794.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29197 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
use sk_SSL_CIPHER_num and sk_SSL_CIPHER_value instead of cast.
patched by Takahiro Kambe [ruby-dev:41530]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@27944 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@27437 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
which allows net/https to specify timeout. [ruby-core:24812]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@27282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
patched by Jeroen van Meeuwen at [ruby-core:25210]
fixed by Nobuyoshi Nakada [ruby-core:25238],
Hongli Lai [ruby-core:27417],
and Motohiro KOSAKI [ruby-core:28063]
* ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
(ossl_ssl_cipher_to_ary): constified.
* ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
split pkcs7_get_certs_or_crls.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26781 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
warning at SSLSocket#connect.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@25976 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@23030 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
(read_would_block): defined.
(ossl_start_ssl): add nonblock argument.
(ossl_ssl_connect): follow ossl_start_ssl change.
(ossl_ssl_connect_nonblock): new method.
(ossl_ssl_accept): follow ossl_start_ssl change.
(ossl_ssl_accept_nonblock): new method.
(ossl_ssl_read_internal): use write_would_block and
read_would_block.
(ossl_ssl_write_internal): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@23029 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|