path: root/ext/openssl/ossl_ssl.c
AgeCommit message (Collapse)Author
12 days[ruby/openssl] Add fallthrough commentsNobuyoshi Nakada
12 days[ruby/openssl] Suppress cast-function-type warningsNobuyoshi Nakada
2021-07-18[ruby/openssl] Strip trailing spacesKazuki Yamaguchi
2021-07-18[ruby/openssl] Deprecate and rework old (fd) centric functionsSamuel Williams
[ky: fixed compatibility with older versions of Ruby] (cherry picked from commit ruby/ruby@45e65f302b663b2c6ab69df06d3b6f219c1797b2)
2021-07-18[ruby/openssl] Use rb_block_call() instead of the deprecated rb_iterate() in ↵Benoit Daloze
OpenSSL * See and
2021-07-18[ruby/openssl] Include peer socket IP address in errorsVinicius Stock
2021-07-18[ruby/openssl] Fix some typos [ci skip]Ryuta Kamizono
2021-07-18[ruby/openssl] ssl: use TLS_method() instead of SSLv23_method() for LibreSSLKazuki Yamaguchi
LibreSSL 2.2.2 introduced TLS_method(), but with different semantics from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method() enabled all available versions, which included SSL 3.0 in addition. However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now TLS_method() and SSLv23_method() are equivalent.
2021-07-18[ruby/openssl] ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 onlyKazuki Yamaguchi
SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but it is made no-op and the automatic curve selection cannot be disabled. Wrap it with ifdef to make it clear that it is safe to remove it completely when we drop support for OpenSSL 1.0.2.
2021-07-18[ruby/openssl] require OpenSSL >= 1.0.2 and LibreSSL >= 3.1Kazuki Yamaguchi
Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31.
2021-06-22Deprecate and rework old (fd) centric functions.Samuel Williams
Notes: Merged:
2021-03-16[ruby/openssl] Enhance TLS 1.3 support on LibreSSL 3.2/3.3Jeremy Evans
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c* and d.*, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3. Notes: Merged:
2021-03-16[ruby/openssl] ssl: remove SSL::SSLContext#tmp_ecdh_callbackKazuki Yamaguchi
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not supported by any non-EOL versions of OpenSSL. The wrapper was initially implemented in Ruby 2.3 and has been deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit warning with rb_warn(). Notes: Merged:
2021-03-16[ruby/openssl] ssl: retry write on EPROTOTYPE on macOSKazuki Yamaguchi
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write. However, on macOS, send(2) which is called via SSL_write() can occasionally return EPROTOTYPE. Retry SSL_write() so that we get a proper error, just as ext/socket does. Reference: Reference: Notes: Merged:
2020-10-21Don't redefine #rb_intern over and over againStefan Stüben
Notes: Merged:
2020-05-13[ruby/openssl] ssl: temporarily remove SSLContext#add_certificate_chain_fileKazuki Yamaguchi
Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
2020-04-08Suppress -Wshorten-64-to-32 warningsNobuyoshi Nakada
2020-03-10openssl: sync with upstream repositoryKazuki Yamaguchi
Import current master (2c43241dc0ed) of ruby/openssl.git. Below are the commits that were made since the last batch at commit b99775b163ce (ruby/openssl.git commit f49e7110ca1e). Note that some of them have been applied already. ---------------------------------------------------------------- Benoit Daloze (1): Remove redundant and ignored workflow file DBL-Lee (1): add support for SHA512_256/SHA512_224 Hiroshi SHIBATA (2): Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms Fixed inconsistency directory structure with ruby/ruby repo Jeremy Evans (2): Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock Remove taint support Kazuki Yamaguchi (26): config: support .include directive random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes extconf.rb: get rid of -Werror=deprecated-declarations test/openssl/test_ssl: skip test_fallback_scsv if necessary ts: simplify OpenSSL::Timestamp::Request#algorithm add missing references to GitHub issues config: deprecate OpenSSL::Config#add_value and #[]= test/openssl/test_ssl: remove sleep from test_finished_messages test/openssl/test_ssl: fix random failure in test test/openssl/test_ssl: avoid explicitly-sized private keys test/openssl/test_ssl: remove commented-out test case test/openssl/test_ssl: allow kRSA tests to fail ssl: avoid declarations after statements engine: revert OpenSSL::Engine.load changes for cloudhsm engine: remove really outdated static engines engine: do not check for ENGINE_load_builtin_engines() engine: fix guards for 'dynamic' and 'cryptodev' engines lib/openssl.rb: require openssl/version.rb x509: add error code and verify flags constants ssl: set verify error code in the case of verify_hostname failure .github/workflows: merge CI jobs into a single workflow .github/workflows: test against different OpenSSL versions .travis.yml: fully migrate to GitHub Actions ssl: suppress test failure with SSLContext#add_certificate_chain_file ssl: remove test case test_puts_meta from test_pair Revert "Use version.rb in gemspec" MSP-Greg (2): .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2 Use version.rb in gemspec Samuel Williams (1): Restore compatibility with older versions of Ruby. Yusuke Endoh (1): Make OpenSSL::OSSL#test_memcmp_timing robust
2020-02-16Import openssl-2.2.0 (#2693)Hiroshi SHIBATA
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0 Notes: Merged-By: hsbt <>
2019-12-29ext/openssl/ossl_ssl.c: nodoc for private methodsHiroshi SHIBATA
[Misc #11712][ruby-core:71565]
2019-11-18[ruby/openssl] Remove taint supportJeremy Evans
Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. Notes: Merged:
2019-10-05ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0Yusuke Endoh
to suppress a warning in OpenBSD. ``` ossl_ssl.c:938:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, const unsigned char *, int, int *)') [-Wincompatible-pointer-types] SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb); ^~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/ssl.h:738:20: note: passing argument to parameter 'get_session_cb' here SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, ^ 1 warning generated. ```
2019-09-26Fix keyword argument separation issues in ↵Jeremy Evans
OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock It's unlikely anyone would actually hit these. The methods are private, you only hit this code path if calling these methods before performing the SSL connection, and there is already a verbose warning issued. Notes: Merged:
2019-08-27rb_iterate now takes rb_block_call_func_t卜部昌平
After 5e86b005c0f2ef30df2f9906c7e2f3abefe286a2, I now think ANYARGS is dangerous and should be extinct. This commit makes rb_iterate free from ANYARGS.
2019-07-14Add a /* fall through */ commentYusuke Endoh
2018-09-21Suppress more -Wparentheses warningsnobu
[Fix GH-1958] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-12-14openssl: import v2.1.0rhe
Import Ruby/OpenSSL 2.1.0. Commits since v2.1.0.beta2 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (8): test/test_ssl: prevent changing default internal encoding ssl: remove a misleading comment pkey/ec: rearrange PKey::EC::Point#initialize ssl: remove unreachable code asn1: fix docs pkey/ec: add support for octet string encoding of EC point Ruby/OpenSSL 2.0.7 Ruby/OpenSSL 2.1.0 eregon (1): Fix test-all tests to avoid creating report_on_exception warnings git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-11-25openssl: import v2.1.0.beta2rhe
Import Ruby/OpenSSL 2.1.0.beta2. The full commit log since commit e72d960db262 which was imported by r60013 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (26): bn: use ALLOCV() macro instead of xmalloc() appveyor.yml: remove 'openssl version' line test/test_ssl_session: skip tests for session_remove_cb x509ext: implement X509::Extension#== x509attr: implement X509::Attribute#== x509cert: implement X509::Certificate#== x509revoked: add missing X509::Revoked#to_der x509crl, x509revoked: implement X509::{CRL,Revoked}#== x509req: implement X509::Request#== ssl: extract rb_intern("call") cipher: disallow setting AAD for non-AEAD ciphers test/test_cipher: fix test_non_aead_cipher_set_auth_data failure ssl: fix conflict of options in SSLContext#set_params buffering: let #write accept multiple arguments pkey: make pkey_check_public_key() non-static x509cert, x509crl, x509req, ns_spki: check sanity of public key test/envutil: port assert_warning from Ruby trunk test/utils: remove a pointless .public_key call in issue_cert ssl: add SSLContext#add_certificate test/test_ssl: fix test_security_level Drop support for LibreSSL 2.4 kdf: add HKDF support test/test_x509cert: fix flaky test test/test_x509crl: fix random failure fix a typo Ruby/OpenSSL 2.1.0.beta2 Mark Wright (1): Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes. Peter Karman (1): Add RSA sign_pss() and verify_pss() methods aeris (1): TLS Fallback Signaling Cipher Suite Value kazu (1): Use caller with length to reduce unused strings git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-10-21openssl: merge test fix from upstreamrhe
Merge a commit from upstream: d1cbf6d75280 test/test_ssl_session: skip tests for session_remove_cb Tests using SSL::SSLContext#session_remove_cb= are now skipped. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-24openssl: import e72d960db262rhe
Sync with master branch of ruby/openssl.git to import changes in v2.1.0.beta1..v2.0.6. The commit log since v2.1.0.beta1 which was imported by r59734 can be found at: ---------------------------------------------------------------- Kazuki Yamaguchi (16): test/test_pair: fix test_write_nonblock{,_no_exceptions} x509name: fix a typo in docs test/test_fips: skip if setting FIPS mode fails test/test_asn1: fix possible failure in test_utctime test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel test/test_pair: disable compression test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1 test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1 tool/ruby-openssl-docker: update test/test_pair: replace sleep with ssl: prevent SSLSocket#sysread* from leaking uninitialized data ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks ossl.c: make legacy locking callbacks reentrant test/test_engine: suppress stderr test/test_engine: check if RC4 is supported Ruby/OpenSSL 2.0.6 SHIBATA Hiroshi (1): To use upstream url of github nobu (1): ruby.h: unnormalized Fixnum value git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03openssl: import v2.1.0.beta1rhe
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5 (imported by r59567) can be found at: ---------------------------------------------------------------- Antonio Terceiro (1): test/test_ssl: explicitly accept TLS 1.1 in corresponding test Colby Swandale (1): document using secure protocol to fetch git master in Bundler Colton Jenkins (1): Add fips_mode_get to return fips_mode Kazuki Yamaguchi (85): Start preparing for 2.1.0 Remove support for OpenSSL 0.9.8 and 1.0.0 bn: refine tests bn: implement unary {plus,minus} operators for OpenSSL::BN bn: implement OpenSSL::BN#negative? Don't define main() when built with --enable-debug test: let OpenSSL::TestCase include OpenSSL::TestUtils test: prepare test PKey instances on demand Add OpenSSL.print_mem_leaks Enable OSSL_MDEBUG on CI builds ssl: move default DH parameters from OpenSSL::PKey::DH Make exceptions with the same format regardless of OpenSSL.debug ssl: show reason of 'certificate verify error' in exception message ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 ssl: do not confuse different ex_data index registries ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object Fix RDoc markup ssl: suppress compiler warning ext/openssl/deprecation.rb: remove broken-apple-openssl extconf.rb: print informative message if OpenSSL can't be found Rakefile: compile the extension before test kdf: introduce OpenSSL::KDF module ossl.h: add NUM2UINT64T() macro kdf: add scrypt Expand rb_define_copy_func() macro Expand FPTR_TO_FD() macro Remove SafeGet*() macros cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname() digest: rename GetDigestPtr() to ossl_evp_get_digestbyname() Add ossl_str_new(), an exception-safe rb_str_new() bio: simplify ossl_membio2str() using ossl_str_new() Remove unused functions and macros Drop support for LibreSSL 2.3 ocsp: add OpenSSL::OCSP::Request#signed? asn1: infinite length -> indefinite length asn1: rearrange tests ssl: remove a needless NULL check in SSL::SSLContext#ciphers ssl: return nil in SSL::SSLSocket#cipher if session is not started asn1: remove an unnecessary function prototype asn1: require tag information when instantiating generic type asn1: initialize 'unused_bits' attribute of BitString with 0 asn1: check for illegal 'unused_bits' value of BitString asn1: disallow NULL to be passed to asn1time_to_time() asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid asn1: allow constructed encoding with definite length form asn1: prohibit indefinite length form for primitive encoding asn1: allow tag number to be >= 32 for universal tag class asn1: use ossl_asn1_tag() asn1: clean up OpenSSL::ASN1::Constructive#to_der asn1: harmonize OpenSSL::ASN1::*#to_der asn1: prevent EOC octets from being in the middle of the content asn1: do not treat EOC octets as part of content octets x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry ssl: do not call session_remove_cb during GC Backport "Merge branch 'topic/test-memory-leak'" to maint cipher: update the documentation for Cipher#auth_tag= Rakefile: let sync:to_ruby know about test/openssl/fixtures test: fix formatting test/utils: remove OpenSSL::TestUtils.silent test/utils: add SSLTestCase#tls12_supported? test/utils: have start_server yield only the port number test/utils: do not set ecdh_curves in start_server test/utils: let server_loop close socket test/utils: improve error handling in start_server test/utils: add OpenSSL::TestUtils.openssl? and .libressl? test/utils: do not use DSA certificates in SSL tests test/test_ssl: remove test_invalid_shutdown_by_gc test/test_ssl: move test_multibyte_read_write to test_pair test/test_ssl_session: rearrange tests test/test_pair, test/test_ssl: fix for TLS 1.3 ssl: remove useless call to rb_thread_wait_fd() ssl: fix NPN support ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private ssl: use 2048-bit group in the default tmp_dh_cb ssl: ensure that SSL option flags are non-negative ssl: update OpenSSL::SSL::OP_* flags ssl: prefer TLS_method() over SSLv23_method() ssl: add SSLContext#min_version= and #max_version= ssl: rework SSLContext#ssl_version= test/test_x509name: change script encoding to ASCII-8BIT x509name: refactor OpenSSL::X509::Name#to_s x509name: add OpenSSL::X509::Name#to_utf8 x509name: add OpenSSL::X509::Name#inspect x509name: update regexp in OpenSSL::X509::Name.parse Ruby/OpenSSL 2.1.0.beta1 Marcus Stollsteimer (1): Fix rdoc for core Integer class nobu (4): [DOC] {read,write}_nonblock with exception: false [DOC] keyword argument _exception_ [DOC] mark up literals Revert r57690 except for read_nonblock git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-08-10openssl: import v2.0.5rhe
Import Ruby/OpenSSL 2.0.5. The full commit history since v2.0.4 (imported at r59081) can be found at: This will fix the test failure on latest Debian sid and the "no OPENSSL_Applink" issue on mswin. ---------------------------------------------------------------- Kazuki Yamaguchi (11): test/test_ssl: allow 3DES cipher suites in test_sslctx_set_params bio: prevent possible GC issue in ossl_obj2bio() bio: do not use the FILE BIO method in ossl_obj2bio() Rakefile: install_dependencies: install only when needed appveyor.yml: test against Ruby 2.4 ossl_pem_passwd_cb: relax passphrase length constraint ossl_pem_passwd_cb: do not check for taintedness ossl_pem_passwd_cb: handle nil from the block explicitly ssl: remove unsupported TLS versions from SSLContext::METHODS ssl: fix compile error with OpenSSL 1.0.0 Ruby/OpenSSL 2.0.5 Lars Kanis (1): Add msys2 library dependency tag in gem metadata git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-06-14openssl: import v2.0.4rhe
Import Ruby/OpenSSL 2.0.4. Only bug (and typo) fixes. The full commit history since v2.0.3 (imported at r57482) can be found at: This contains the fix for [Bug #11033]. ---------------------------------------------------------------- Jun Aruga (1): Update .travis.yml and Dockerfile Kazuki Yamaguchi (9): test/test_pkey_ec: do not use dummy 0 order test/test_ssl: fix typo in test_sysread_and_syswrite ssl: check return value of SSL_set_fd() Fix typos test/test_x509store: skip OpenSSL::TestX509Store#test_set_errors tool/sync-with-trunk: 'LASY' -> 'LAST' x509store: clear error queue after calling X509_LOOKUP_load_file() extconf.rb: simplify searching libraries logic Ruby/OpenSSL 2.0.4 SHIBATA Hiroshi (1): Fix typos Vladimir Rybas (1): Fix documentation for OpenSSL::Cipher#final nobu (2): openssl: fix broken openssl check openssl: fix broken openssl check usa (1): Search SSL libraries by testing various filename patterns git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-02-23Revert r57690 except for read_nonblocknobu git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-02-23[DOC] mark up literalsnobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-02-23[DOC] keyword argument _exception_nobu
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-02-23[DOC] {read,write}_nonblock with exception: falsenobu
Update docs to reflect EOF behavior change of read_nonblock and write_nonblock when using `exception: false`. [Fix GH-1527] Author: Russell Davis <> git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-10openssl: import v2.0.1rhe
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported at r56946) can be found at: This release contains only bug fixes. Note, the first two commits since v2.0.0 are already imported at r56953 to make Travis and RubyCI green. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30openssl: import v2.0.0rhe
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2 (imported at r56098) can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-16* ext/openssl/ossl_ssl.c (ssl_npn_select_cb_common): Fix compile errorngoto
with old version of fcc (Fujitsu C Compiler) on Solaris 10. [Bug #12769] [ruby-dev:49809] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-08openssl: import v2.0.0.beta.2rhe
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit history since v2.0.0.beta.1 can be found at: git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29import Ruby/OpenSSL 2.0.0.beta.1rhe
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1. ext/openssl is now converted into a default gem. The full commit history since r55538 can be found at: [Feature #9612] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-06openssl: avoid undefined behavior on empty SSL_writenormal
SSL_write(3ssl) manpage has this in the WARNINGS section: When calling SSL_write() with num=0 bytes to be sent the behaviour is undefined. And indeed, the new test case demonstrates failures when empty strings are used. So, match the behavior of IO#write, IO#write_nonblock, and IO#syswrite by returning zero, as the OpenSSL::SSL::SSLSocket API already closely mimics the IO one. * ext/openssl/ossl_ssl.c (ossl_ssl_write_internal): avoid undefined behavior * test/openssl/test_pair.rb (test_write_zero): new test [ruby-core:76751] [Bug #12660] git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09openssl: fix build with OPENSSL_NO_ECrhe
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC. SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in OpenSSL's configuration. This fixes r55214. * test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does not support ECDH. * test/openssl/utils.rb (start_server): Ignore error in SSLContext#ecdh_curves=. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: add SSL::SSLContext#security_level{=,}rhe
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level(). OpenSSL 1.1.0 introduced "security level". [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add SSLContext#security_level and #security_level=. * test/openssl/test_ssl.rb (test_security_level): Add test. ...but this doesn't actually test it. Because #security_level= is necessary in order to run other tests on OpenSSL 1.1.0, go without tests for now. Will fix after converting SSLContext#key= and #cert= to normal methods. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07openssl: avoid deprecated version-specific ssl methods if necessaryrhe
* ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version() macro added in OpenSSL 1.1.0. Version-specific methods, such as TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use version-flexible methods (TLS_*method() or SSLv23_*method()) and disable other protocol versions as necessary. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to fix the protocol version. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: use SSL_is_server()rhe
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This function was introduced in OpenSSL 1.0.2. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing. * ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if the SSL is server. The state machine in OpenSSL was rewritten and SSL_get_state() no longer returns SSL_ST_ACCEPT. (ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some `const`s to suppress warning. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/extconf.rb: Check existence of accessor functions that don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its structures opaque and requires use of these accessor functions. [ruby-core:75225] [Feature #12324] * ext/openssl/openssl_missing.[ch]: Implement them if missing. * ext/openssl/ossl*.c: Use these accessor functions. * test/openssl/test_hmac.rb: Add missing test for HMAC#reset. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structsrhe
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and {RSA,DSA,EC_KEY,DH}_get0_*() functions. OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide setter methods for each parameter of each PKey type, for example PKey::RSA#e=, but this is no longer possible because the new API RSA_set0_key() requires the 'n' at the same time. This commit adds deprecation warning to them and adds PKey::*#set_* methods as direct wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}. Emit a warning with rb_warning() when old setter methods are used. * test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb, test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH object that are used in tmp_dh_callback. Generating a new key pair every time should be fine - actually the private exponent is ignored in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set. git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05openssl: support OpenSSL 1.1.0's new multi-threading APIrhe
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application had to set locking callbacks to use OpenSSL in a multi-threaded environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we don't need to do something special. [ruby-core:75225] [Feature #12324] Also check existence of *_up_ref(). Some structures in OpenSSL have a reference counter. We used to increment it with CRYPTO_add() which is a part of the old API. * ext/openssl/openssl_missing.h: Implement *_up_ref() if missing. * ext/openssl/ossl.c: Don't set locking callbacks if unneeded. * ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c, ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add(). git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e