| Age | Commit message (Collapse) | Author |
|---|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34490 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
It is added openssl/crypto/objects/obj_mac.h 1.83.
http://cvs.openssl.org/rlog?f=openssl/crypto/objects/obj_mac.h
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
unrecognized OIDs instead of the sn "UNDEF".
* test/openssl/test_x509name.rb: Add tests for the fixed behavior.
Patch provided by Paul Kehrer, thanḱ you!
[ruby-core:41769] [Feature #5787]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34481 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c (ossl_pem_passwd_cb0, ossl_verify_cb):
pem_passwd_cb and verify_cb ignores the exception raised in a
callback proc so it should clear $! for subsequent execution.
That's said, both subsequent processes for pem_passwd_cb and
verify_cb raises another exception before leaking $! to Ruby world.
We cannot test this fix in Ruby land.
* test/openssl/test_pkey_rsa.rb
(test_read_private_key_pem_pw_exception): Test for pem_passwd_cb +
exception.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
load by explicitly loading software-based "openssl" engine for
all tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33850 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33829 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
engine's RC4 cipher.
[Bug #5633] [ruby-core:41026]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33825 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
because AES is not supported by the "openssl" engine currently.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33645 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
exponent value correctly. Awful bug. This bug caused exponent of
generated key to be always '1'. By default, and regardless of e
given as a parameter.
!!! Keys generated by this code (trunk after 2011-09-01) must be
re-generated !!! (ruby_1_9_3 is safe)
* test/openssl/test_pkey_rsa.rb: Add tests for default exponent and
specifying exponent by a parameter.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33633 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
engine.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33632 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Patch provided by Yui Naruse, thanks!
[Bug #5547] [ruby-core:40669]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33614 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
for each length to avoid race condition.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33508 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ns_spki.rb: Integrate SPKI#to_text.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33497 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
HMAC-SHA1
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33490 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
binary data.
* test/openssl/test_ssl.rb: Add test for it.
Thanks to Niklas Baumstark for reporting the issue!
[Ruby 1.9 - Bug #5233] [ruby-core:39120]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
test_ssl_session.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33458 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
fed arbitrary string values.
Clearly distinguish between the cases "universal, infinite and
not a SEQUENCE or SET" and "universal SEQUENCE or SET, possibly
infinite". Raise error for universal tags that are not infinite.
* test/openssl/test_asn1.rb: add a test for this.
Thanks to Hiroshi Yoshida for reporting this bug.
[Bug #5363] [ruby-dev:44542]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33333 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
only for OpenSSL versions >= 0.9.8k. Thanks, Eric Wong, for
reporting this.
[Bug #4961] [ruby-core:37726]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33315 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
test_ctx_server_session_cb. Thanks to Eric Wong for the patch.
[Bug #5336] [ruby-core:39619]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33311 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
On NetBSD, if it uses patented algorithms without explicit option,
openssl will abort.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33301 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Without this, the connection will be alive without GC after exit
the block and the test will fail as "TCPServer was closed and SSLServer
is still alive" on 64bit Unix: at least CentOS, Ubuntu, and FreeBSD.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33300 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
http://www.openssl.org/news/changelog.html
Reported by Eric Wong. [ruby-core:39617] [Bug #4961]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33298 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLSocket#session and #session=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33294 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
t = Thread.new { print "."; sleep 0.1 }
key = OpenSSL::PKey::RSA.new(2048)
#=> Thread t works in parallel with public key generation if
OS/machine allows it.
This works with OpenSSL >= 0.9.8. From this version, it has new
public key generation function which allows us to interrupt the
execution while pkey generation iterations.
* ext/openssl/extconf.rb: Check existence of OpenSSL's new public key
generation function. (DH_generate_parameters_ex,
DSA_generate_parameters_ex and RSA_generate_key_ex.
* ext/openssl/ossl_pkey.{h,c} (ossl_generate_cb_2,
ossl_generate_cb_stop): Added new callback function for OpenSSL pkey
generation which handles Thread interruption by Ruby.
ossl_generate_cb_stop is the unblock function(ubf) for Ruby which
sets a stop flag. New pkey generation callback ossl_generate_cb_2
checks the stop flag at each iterations of OpenSSL and interrupts
pkey generation when the flag is set.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): Call
rb_thread_blocking_region with the above unblock function to release
GVL while pkey generation.
* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.
* ext/openssl/ossl_pkey_dh.c (dh_generate): ditto.
* test/openssl/test_pkey_{dh,dsa,rsa}.rb: Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33155 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SEGV from AES encryption/decryption. Processing data by
Cipher#update without initializing key (meaningless usage of Cipher
object since we don't offer a way to export a key) could cause SEGV.
In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3)
allows uninitialized key, but other EVPs (such as AES) does not
allow it. Calling EVP_CipherUpdate() without initializing key causes
SEGV so we set the data filled with "\0" as the key by default. See
#2768.
* test/openssl/test_cipher.rb: test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32723 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[ Ruby 1.9 - Feature #3793 ] [ruby-core:32088]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32690 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_engine.rb: Add a test for it.
Thanks to Ippei Obayashi for providing the patch.
[ Ruby 1.9 - Bug #5062 ] [ruby-dev:44173]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32604 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
extensions. Use this as the default for the tests to ensure
compatibility with OpenSSL 0.9.7.
[ Ruby 1.9 - Bug #4961 ] [ruby-core:37726]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32563 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
verify callback of SSLContext and X509Store and make the
verification fail normally. Raising exception directly from callback
causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
See #4445.
* test/openssl/test_ssl.rb
(test_exception_in_verify_callback_is_ignored): test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32537 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_x509_cert.rb: Perform SHA-256 tests only if
supported by the available OpenSSL version. Versions < 0.9.8 don't
support it. [ruby-core:37724]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32366 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c: Replaced ossl_x509_ary2k by generic macro to
simplify future conversions.
* ext/openssl/ossl_ssl.c: Implement SSLSocket#client_ca.
* test/openssl/test_ssl.rb: Add test for SSLSocket#client_ca.
Thanks to Ippei Obayashi for providing the patch!
[ Ruby 1.9 - Feature #4481 ] [ruby-core:35461]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32337 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
for X509_NAME_hash_old in OpenSSL 1.0.0. See #4805
* test/openssl/test_x509name.rb (test_hash): Make test pass with
OpenSSL 1.0.0.
* NEWS: Add it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32213 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
a signed long in 32bit long env.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32212 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
argument type with NUM2LONG if the arg is not a Time object.
See #4919.
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_timeout): Check
type with NUM2LONG. Time as an arg is not allowed. See #4919.
* test/openssl/test_ssl_session.rb (test_session_time,
test_session_timeout): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32211 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL from the callback for SSL_CTX_sess_set_get_cb().
Returning 0 means to OpenSSL that the the session is still valid
(since we created Ruby Session object) and was not freed by us with
SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
session_get_cb block if you don't want OpenSSL to cache the session
internally.
This potential issue was pointed by Ippei Obayashi. See #4416.
* test/openssl/test_ssl_session.rb (test_ctx_server_session_cb): Test
it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32204 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLContext#session_remove_cb was broken. It wrongly
tried to call the session_*new*_cb callback.
* test/openssl/test_ssl_session.rb (class OpenSSL): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32200 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
fallback scenarios.
* ext/openssl/ossl_pkey_dsa.c
* ext/openssl/ossl_x509req.c
* ext/openssl/ossl_pkey_rsa.c
* ext/openssl/ossl_pkey_ec.c
* ext/openssl/ossl_ssl_session.c
* ext/openssl/ossl_x509crl.c
* ext/openssl/ossl_pkey.c
* ext/openssl/ossl_pkey_dh.c
* ext/openssl/ossl_x509cert.c
* ext/openssl/ossl_pkcs7.c: Use OSSL_BIO_reset.
* ext/openssl/ossl_ssl.c
* ext/openssl/ossl_cipher.c
* ext/openssl/ossl_pkey_ec.c
* ext/openssl/ossl_pkcs12.c
* ext/openssl/ossl_ssl_session.c: Replace rb_raise occurences by
ossl_raise. This automatically flushes OpenSSL's error queue.
* ext/openssl/ossl_pkcs7.c: Raise error if DER fallback for parsing
fails.
* test/openssl/test_pkey_ec.rb
* test/openssl/test_pkey_dsa.rb
* test/openssl/test_pkey_rsa.rb: Add assertions that OpenSSL.errors is
empty.
* test/openssl/test_pkey_rsa.rb: Remove initial OpenSSL.errors call in
test_new.
[ Ruby 1.9 - Bug #4885 ] [ruby-core:37134]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32199 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_pkcs12.rb: Inherit from Test::Unit::TestCase
instead of Mintest::Unit::TestCase. [ruby-core:37275]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32197 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::Session#to_der was broken. Fix buffer handling.
* test/openssl/test_ssl_session.rb (test_session): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32196 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
tests from test_ssl.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
distributing a patched version of OpenSSL that allows multiple CRL
for a key (multi-crl.patch.) Make test pass on such env.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32189 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32105 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32076 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
test/openssl/test_pkey_ec.rb: merge both files into test_pkey_ec.rb.
Removed redundant group instantiation from PKey tests.
* test/openssl/utils.rb: only create TEST_PKEY_EC_P256V1 if EC is
defined.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32058 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
by default in an OpenSSL installation.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32057 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
(e.g. DSS1).
* test/openssl/test_digest.c: add tests for this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32045 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
oid.
* test/openssl/test_digest.rb: add tests for this.
[Ruby 1.9 - Feature #4412] [ruby-core:35319]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32040 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/utils.rb: add test key for DH.
* test/openssl/test_pkey_dh.rb: add tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32039 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
