Age | Commit message (Collapse) | Author |
|
documentation
* ext/openssl/ossl_x509store.c (ossl_x509store_set_default_paths):
ditto
* ext/openssl/ossl_x509store.c (ossl_x509store_add_cert): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37070 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
suppress warning: instance variable @npn_select_cb not initialized
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36985 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36895 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36886 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
indicate whether OpenSSL runs in FIPS mode.
test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
non-FIPS installations to improve test performance (e.g. for
rubyci).
test/openssl/utils.rb: Replace DSS1 as certificate signature
digest with SHA1 for FIPS installations when using DSA by
introducing TestUtils::DSA_SIGNATURE_DIGEST.
test/openssl/test_x509cert.rb:
test/openssl/test_x509crl.rb:
test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
NEWS: Introduce OpenSSL::OPENSSL_FIPS
These changes allow running the OpenSSL tests in FIPS mode
while keeping a high performance for non-FIPS installations.
Introduction of OpenSSL::OPENSSL_FIPS allows for applications
to react to special requirements when using OpenSSL in FIPS mode.
[Feature #6946] [ruby-core:47345]
- Diese und die folgenden Zeilen werden ignoriert --
M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/test_x509crl.rb
M test/openssl/test_x509req.rb
M test/openssl/test_x509cert.rb
M test/openssl/test_pkey_dh.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
test/openssl/test_digest.rb: Add Digest module function to OpenSSL
module and test it. Patch provided by Eric Hodel.
[ruby-core:46908][Feature #6819]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
of an aggregate type is a C99ism.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): get rid of VC++
warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36364 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* io.c (sysopen_func, rb_sysopen_internal): cast through VALUE to get
rid of warnings. fixup of r36355.
* process.c (rb_waitpid_blocking, rb_waitpid): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36361 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* include/ruby/thread.h: new header file for thread stuff.
* thread.c (rb_thread_call_without_gvl): export. [Feature#4328]
returns void* instead of VALUE. [Feature #5543]
* thread.c (rb_thread_blocking_region): deprecate. [ruby-core:46295]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36355 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
test/openssl/test_pkey_ec.rb: Add support for EC_POINT_mul.
Patch provided by Sambasiva Suda. Thanks!
[ruby-core:44408][ruby-trunk - Feature #6310]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36006 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
session id. MD5, as was used before, causes problems when
using a FIPS version of OpenSSL. Issue was found by Jared
Jennings, thank you!
[ruby-trunk - Bug #6137]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/openssl/ossl_pkey_rsa.c
ext/openssl/ossl_pkey_dsa.c
ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
than four characters long, as OpenSSL itself does not allow this.
Issue found by Eric Hodel.
* ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
following the PKey interface contract.
* test/openssl/test_pkey_dsa.rb
test/openssl/test_pkey_rsa.rb
test/openssl/test_pkey_ec.rb: Add tests that assert correct
behaviour when dealing with passwords that are less than four
characters long.
[ruby-core: 42281][ruby-trunk - Bug #5951]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Add/extend existing documentation. Examples now also cover RSA
signatures and PBKDF2.
[ruby-core: 45154][ruby-trunk - Bug #6475]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/zlib/extconf.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35705 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL issue.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35686 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Use exception raising instead of message
and/or abort. We want to display error message to console _and_
logging into mkmf.log.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35685 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
before ossl_raise. this cause a test failure on Linux.
http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
available for macro compatibility.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35507 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
openssl. [ruby-core:44755][Bug #6379]
* ext/openssl/deprecation.rb: extract check for broken Apple OpenSSL.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35504 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
match server cert." error.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35494 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: add --with-broken-apple-openssl option.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35443 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35428 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35427 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
CPPFLAGS.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35426 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
reached.
* variable.c (rb_obj_remove_instance_variable): Replaced "not reached"
comment with the UNREACHABLE macro.
* variable.c (rb_mod_const_missing): ditto.
* variable.c (rb_mod_remove_cvar): ditto.
* enum.c (first_i): ditto.
* string.c (rb_str_aref): ditto.
* string.c (str_byte_aref): ditto.
* string.c (rb_to_id): ditto.
* io.c (rb_io_fmode_modestr): ditto.
* io.c (rb_io_oflags_modestr): ditto.
* pack.c (num2i32): ditto.
* vm_eval.c (rb_method_missing): ditto.
* vm_eval.c (rb_f_throw): ditto.
* dir.c (dir_read): ditto.
* win32/win32.c (child_result): ditto.
* struct.c (rb_struct_getmember): ditto.
* struct.c (rb_struct_set): ditto.
* struct.c (rb_struct_aref_id): ditto.
* eval.c (rb_f_raise): ditto.
* process.c (rb_f_exit_bang): ditto.
* process.c (rb_f_exit): ditto.
* process.c (rb_f_abort): ditto.
* ext/-test-/iter/break.c (iter_break_value): ditto.
* ext/pty/pty.c (pty_check): ditto.
* ext/openssl/ossl_pkey.c (ossl_pkey_new): ditto.
* ext/readline/readline.c (rb_remove_history): ditto.
* ext/stringio/stringio.c (strio_unimpl): ditto.
* numeric.c (num_sadded): ditto.
* numeric.c (num_init_copy): ditto.
* numeric.c (rb_num2ll): ditto.
* numeric.c (rb_num2ull): ditto.
* vm_insnhelper.c (call_cfunc): ditto.
* ruby.c (opt_W_getter): ditto.
* bignum.c (rb_big_coerce): ditto.
* file.c (rb_f_test): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35322 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
reaches end of non-void function" warnings. [ruby-trunk - Bug #6066]
* re.c (name_to_backref_number): ditto.
* object.c (rb_Float): ditto.
* io.c (io_readpartial): ditto.
* io.c (io_read_nonblock): ditto.
* pack.c (rb_uv_to_utf8): ditto.
* proc.c (rb_method_entry_arity): ditto.
* vm_method.c (rb_f_notimplement): ditto.
* struct.c (rb_struct_aset_id): ditto.
* class.c (rb_scan_args): ditto.
* process.c (rlimit_resource_type): ditto.
* process.c (rlimit_resource_value): ditto.
* process.c (p_uid_switch): ditto.
* process.c (p_gid_switch): ditto.
* ext/digest/digest.c (rb_digest_instance_update): ditto.
* ext/digest/digest.c (rb_digest_instance_finish): ditto.
* ext/digest/digest.c (rb_digest_instance_reset): ditto.
* ext/digest/digest.c (rb_digest_instance_block_length): ditto.
* ext/bigdecimal/bigdecimal.c (BigDecimalCmp): ditto.
* ext/dl/handle.c (rb_dlhandle_close): ditto.
* ext/tk/tcltklib.c (pending_exception_check0): ditto.
* ext/tk/tcltklib.c (pending_exception_check1): ditto.
* ext/tk/tcltklib.c (ip_cancel_eval_core): ditto.
* ext/tk/tcltklib.c (lib_get_reltype_name): ditto.
* ext/tk/tcltklib.c (create_dummy_encoding_for_tk_core): ditto.
* ext/tk/tkutil/tkutil.c (tk_hash_kv): ditto.
* ext/openssl/ossl_ssl.c (ossl_ssl_session_reused): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_dsa_verify_asn1): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_at_infinit): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_on_curve): ditto.
* ext/fiddle/conversions.c (generic_to_value): ditto.
* ext/socket/raddrinfo.c (rsock_io_socket_addrinfo): ditto.
* ext/socket/socket.c (sock_s_getnameinfo): ditto.
* ext/ripper/eventids2.c (ripper_token2eventid): ditto.
* cont.c (return_fiber): ditto.
* dmydln.c (dln_load): ditto.
* vm_insnhelper.c (vm_search_normal_superclass): ditto.
* bignum.c (big_fdiv): ditto.
* marshal.c (r_symlink): ditto.
* marshal.c (r_symbol): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35321 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35190 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_pkcs7.rb: assert correct behavior for it.
Thanks to Matt Venables for reporting the issue.
[ruby-core:43250][Bug #6134]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35167 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
values for Primitive instances.
* test/openssl/test_asn1.rb: Assert consistent behavior when
encoding nil values: Primitives raise TypeError, Constructives
raise NoMethodError.
Fixes [ruby-core:43009][Bug #6102]
-This line, and those below, will be ignored--
M test/openssl/test_asn1.rb
M ext/openssl/ossl_asn1.c
M ChangeLog
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35159 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkey_rsa.c (rsa_generate): fix argument type.
[Bug #6094]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35117 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This reverts commit r35102.
It breaks tests on FreeBSD.
6) Failure:
test_new_with_exponent(OpenSSL::TestPKeyRSA)
[/usr/home/chkbuild/build/ruby-trunk/20120323T010301Z/ruby/test/openssl/test_pkey_rsa.rb:59]:
<3> expected but was
<12884901891>.
7) Failure:
test_new_exponent_default(OpenSSL::TestPKeyRSA)
[/usr/home/chkbuild/build/ruby-trunk/20120323T010301Z/ruby/test/openssl/test_pkey_rsa.rb:52]:
<65537> expected but was
<281479271743489>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35116 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[Bug #6094]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35102 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
from OpenSSL added by Apple.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34823 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34816 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34505 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
unrecognized OIDs instead of the sn "UNDEF".
* test/openssl/test_x509name.rb: Add tests for the fixed behavior.
Patch provided by Paul Kehrer, thanḱ you!
[ruby-core:41769] [Feature #5787]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34481 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Thanks to Mantas Mikulenas for noticing and providing a patch!
[ruby-core:42358] [Bug #5972]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34469 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34463 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::X509::Store
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34127 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34126 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c (ossl_pem_passwd_cb0, ossl_verify_cb):
pem_passwd_cb and verify_cb ignores the exception raised in a
callback proc so it should clear $! for subsequent execution.
That's said, both subsequent processes for pem_passwd_cb and
verify_cb raises another exception before leaking $! to Ruby world.
We cannot test this fix in Ruby land.
* test/openssl/test_pkey_rsa.rb
(test_read_private_key_pem_pw_exception): Test for pem_passwd_cb +
exception.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|