| Age | Commit message (Collapse) | Author |
|---|
|
Import Ruby/OpenSSL 2.0.2. This release contains only bugfixes. The full
commit log since 2.0.1 (imported at r57041) can be found at:
https://github.com/ruby/openssl/compare/v2.0.1...v2.0.2
----------------------------------------------------------------
Kazuki Yamaguchi (5):
ssl: check for SSL_CTX_clear_options()
Rename functions in openssl_missing.c
ssl: use SSL_SESSION_get_protocol_version()
pkey: allow instantiating OpenSSL::PKey::PKey with unsupported key type
Ruby/OpenSSL 2.0.2
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57146 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1
This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Import the following two commits from upstream:
commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611
Author: Kazuki Yamaguchi <[email protected]>
Date: Thu Dec 1 22:27:03 2016 +0900
pkey: check existence of EVP_PKEY_get0()
EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
ourselves if needed.
commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5
Author: Kazuki Yamaguchi <[email protected]>
Date: Thu Dec 1 22:13:22 2016 +0900
test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d
Set the authentication tag before the AAD when decrypting.
Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
OpenSSL 1.0.1d), the authentication tag must be set before any calls of
EVP_CipherUpdate().
They should fix build on CentOS 5 and Ubuntu 12.04 respectively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c (ossl_pem_passwd_cb): cast to int. it's safe
because len does not exceed int max_len.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* parse.y (parser_yylex): warn ambiguous parentheses after a space
in method definitions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56927 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* numeric.c: [DOC] update document for Integer class.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56492 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* fix typos, "a" before "Integer" to "an". [Fix GH-1438]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56225 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
with old version of fcc (Fujitsu C Compiler) on Solaris 10.
[Bug #12769] [ruby-dev:49809]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56173 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit
history since v2.0.0.beta.1 can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56028 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSL_write(3ssl) manpage has this in the WARNINGS section:
When calling SSL_write() with num=0 bytes to be sent the
behaviour is undefined.
And indeed, the new test case demonstrates failures when
empty strings are used. So, match the behavior of IO#write,
IO#write_nonblock, and IO#syswrite by returning zero, as the
OpenSSL::SSL::SSLSocket API already closely mimics the IO one.
* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal):
avoid undefined behavior
* test/openssl/test_pair.rb (test_write_zero): new test
[ruby-core:76751] [Bug #12660]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55822 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* common.mk (compile.o, loadpath.o): update dependencies.
* common.mk (vm_call.o): remove stale object dependencies.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55589 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: The "reuse" behavior of d2i_ functions does
not work well with OpenSSL 1.0.0t. So avoid it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55538 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Suppress warning on Solaris with Oracle Solaris Studio 12.
[ruby-dev:49692] [Bug #12524]
* ext/digest/md5/md5cc.h: ditto.
* ext/digest/sha1/sha1cc.h: ditto.
* ext/digest/sha1/sha1ossl.h: ditto.
* ext/digest/sha2/sha2cc.h: ditto.
* ext/digest/sha2/sha2ossl.h: ditto.
* ext/openssl/ossl_pkey_rsa.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55523 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: Add OCSP::SingleResponse that represents an
OCSP SingleResponse structure. Also add two new methods #responses
and #find_response to OCSP::BasicResponse. A BasicResponse has one or
more SingleResponse. We have OCSP::BasicResponse#status that returns
them as an array of arrays, each containing the content of a
SingleResponse, but this is not useful. When validating an OCSP
response, we need to look into the each SingleResponse and check their
validity but it is not simple. For example, when validating for a
certificate 'cert', the code would be like:
# certid_target is an OpenSSL::OCSP::CertificateId for cert
basic = res.basic
result = basic.status.any? do |ary|
ary[0].cmp(certid_target) &&
ary[4] <= Time.now && (!ary[5] || Time.now <= ary[5])
end
Adding OCSP::SingleResponse at the same time allows exposing
OCSP_check_validity(). With this, the code above can be rewritten as:
basic = res.basic
single = basic.find_response(certid_target)
result = single.check_validity
* test/openssl/test_ocsp.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55457 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_add_status): Allow specifying
the times (thisUpdate, nextUpdate and revocationTime) with Time
objects. Currently they accepts only relative seconds from the current
time. This is inconvenience, especially for revocationTime. When
Integer is passed, they are still treated as relative times. Since the
type check is currently done with rb_Integer(), this is a slightly
incompatible change. Hope no one passes a relative time as String or
Time object...
Also, allow passing nil as nextUpdate. It is optional.
* ext/openssl/ruby_missing.h: Define RB_INTEGER_TYPE_P() if not defined.
openssl gem will be released before Ruby 2.4.0.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55456 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c: Implement OCSP::{CertificateId,Request,
BasicResponse,Response}#initialize_copy.
[ruby-core:75504] [Bug #12381]
* test/openssl/test_ocsp.rb: Test them.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55455 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c,
ext/openssl/ossl_pkey_ec.c, ext/openssl/ossl_pkey_rsa.c: Implement
initialize_copy method for OpenSSL::PKey::*.
[ruby-core:75504] [Bug #12381]
* test/openssl/test_pkey_dh.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_ec.rb, test/openssl/test_pkey_rsa.rb: Test they
actually copy the OpenSSL objects, and modifications to cloned object
don't affect the original object.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55454 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkey.h, ext/openssl/ossl_pkey_dh.c,
ext/openssl/ossl_pkey_dsa.c, ext/openssl/ossl_pkey_rsa.c: A few days
ago, OpenSSL changed {DH,DSA,RSA}_get0_*() to take const BIGNUM **.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55450 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify):
Use ossl_clear_error() so that they don't print warnings to stderr and
leak errors in the OpenSSL error queue. Also, check the return value
of OCSP_*_verify() correctly. They can return -1 on verification
failure.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
specifying hash algorithm used in signing. They are hard coded to use
SHA-1.
Based on a patch provided by Tim Shirley <[email protected]>.
[ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]
* test/openssl/test_ocsp.rb: Test sign-verify works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspcid_get_issuer_name_hash,
ossl_ocspcid_get_issuer_key_hash, ossl_ocspcid_get_hash_algorithm):
Add accessor methods OCSP::CertificateId#issuer_name_hash,
#issuer_key_hash, #hash_algorithm.
Based on a patch provided by Paul Kehrer <[email protected]>.
[ruby-core:48062] [Feature #7181]
* test/openssl/test_ocsp.rb: Test these new methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55411 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der):
Implement #to_der methods for OCSP::BasicResponse and
OCSP::CertificateId.
(ossl_ocspreq_initialize, ossl_ocspres_initialize): Use GetOCSP*()
instead of raw DATA_PTR().
(ossl_ocspbres_initialize, ossl_ocspcid_initialize): Allow
initializing from DER string.
(Init_ossl_ocsp): Define new #to_der methods.
* test/openssl/test_ocsp.rb: Test these changes. Also add missing tests
for OCSP::{Response,Request}#to_der.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/openssl_missing.h (DH_set0_pqg, RSA_set0_key):
DH_set0_pqg() allows 'q' to be NULL. Fix a typo in RSA_set0_key().
Fixes r55285. [ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55408 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag,
ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by
EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if
the cipher supports AEAD. AES-GCM was the only supported in OpenSSL
1.0.1.
(Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't
work.
* ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if
missing. They are added in OpenSSL 1.1.0, and have the same value as
EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_asn1.c (asn1integer_to_num): Use
ASN1_ENUMERATED_to_BN() to convert an ASN1_ENUMERATED to a BN.
Starting from OpenSSL 1.1.0, ASN1_INTEGER_to_BN() rejects
non-ASN1_INTEGER objects. The format of INTEGER and ENUMERATED are
almost identical so they behaved in the same way in OpenSSL <= 1.0.2.
[ruby-core:75225] [Feature #12324]
* test/openssl/test_asn1.rb (test_decode_enumerated): Test that it
works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC.
SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in
OpenSSL's configuration. This fixes r55214.
* test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does
not support ECDH.
* test/openssl/utils.rb (start_server): Ignore error in
SSLContext#ecdh_curves=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check for CRYPTO_malloc() and SSL_new().
OpenSSL_add_all_digests() and SSL_library_init() are deprecated and
converted to macros in OpenSSL 1.1.0.
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55335 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This fixes `make test-all TESTS=openssl` with OpenSSL master.
* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
reject an already existing OID. They were needed to run tests with
OpenSSL 0.9.6 which is now unsupported.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
[ruby-core:75225] [Feature #12324]
* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
SSL::Session before re-adding to the session store. OpenSSL 1.1.0
starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
is new in OpenSSL 1.1.0 but this is for key agreement and not for
signing.
* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
suites.
* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
* test/openssl/test_engine.rb: Run each test in separate process.
We can no longer cleanup engines explicitly as ENGINE_cleanup() was
removed.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
RDoc for Engine.cleanup.
* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
test unsupported hash functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level().
OpenSSL 1.1.0 introduced "security level".
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add
SSLContext#security_level and #security_level=.
* test/openssl/test_ssl.rb (test_security_level): Add test. ...but this
doesn't actually test it. Because #security_level= is necessary in
order to run other tests on OpenSSL 1.1.0, go without tests for now.
Will fix after converting SSLContext#key= and #cert= to normal methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55309 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version()
macro added in OpenSSL 1.1.0. Version-specific methods, such as
TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use
version-flexible methods (TLS_*method() or SSLv23_*method()) and
disable other protocol versions as necessary.
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to
fix the protocol version.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55304 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_cipher.c (ossl_cipher_free): Use EVP_CIPHER_CTX_free()
to free EVP_CIPHER_CTX allocated by EVP_CIPHER_CTX_new().
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55294 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/openssl_missing.h: Include ruby/config.h. r55285 added
some inline functions but VC does not recognize 'inline' keyword.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55291 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check existence of SSL_is_server(). This
function was introduced in OpenSSL 1.0.2.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.h: Implement SSL_is_server() if missing.
* ext/openssl/ossl_ssl.c (ssl_info_cb): Use SSL_is_server() to see if
the SSL is server. The state machine in OpenSSL was rewritten and
SSL_get_state() no longer returns SSL_ST_ACCEPT.
(ossl_ssl_cipher_to_ary, ossl_sslctx_session_get_cb): Add some
`const`s to suppress warning.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55289 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_asn1.c (decode_bool): Do the same thing as
d2i_ASN1_BOOLEAN() does by ourselves. This function is removed in
OpenSSL 1.1.0.
[ruby-core:75225] [Feature #12324]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55288 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check existence of accessor functions that
don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
structures opaque and requires use of these accessor functions.
[ruby-core:75225] [Feature #12324]
* ext/openssl/openssl_missing.[ch]: Implement them if missing.
* ext/openssl/ossl*.c: Use these accessor functions.
* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and
{RSA,DSA,EC_KEY,DH}_get0_*() functions.
OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide
setter methods for each parameter of each PKey type, for example
PKey::RSA#e=, but this is no longer possible because the new API
RSA_set0_key() requires the 'n' at the same time. This commit adds
deprecation warning to them and adds PKey::*#set_* methods as direct
wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be
rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'.
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement
RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}.
Emit a warning with rb_warning() when old setter methods are used.
* test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb,
test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH
object that are used in tmp_dh_callback. Generating a new key pair
every time should be fine - actually the private exponent is ignored
in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set.
https://www.openssl.org/news/secadv/20160128.txt
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check absence of CRYPTO_lock() to see if the
OpenSSL has the new threading API. In OpenSSL <= 1.0.2, an application
had to set locking callbacks to use OpenSSL in a multi-threaded
environment. OpenSSL 1.1.0 now finds pthreads or Windows threads so we
don't need to do something special.
[ruby-core:75225] [Feature #12324]
Also check existence of *_up_ref(). Some structures in OpenSSL have
a reference counter. We used to increment it with CRYPTO_add() which
is a part of the old API.
* ext/openssl/openssl_missing.h: Implement *_up_ref() if missing.
* ext/openssl/ossl.c: Don't set locking callbacks if unneeded.
* ext/openssl/ossl_pkey.c, ext/openssl/ossl_ssl.c,
ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
ext/openssl/ossl_x509store.c: Use *_up_ref() instead of CRYPTO_add().
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55283 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: Check if RAND_pseudo_bytes() is usable. It is
marked as deprecated in OpenSSL 1.1.0.
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_rand.c: Disable Random.pseudo_bytes if
RAND_pseudo_bytes() is unavailable.
* test/openssl/test_random.rb: Don't test Random.pseudo_bytes if not
defined.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_bn.c (ossl_bn_s_generate_prime, ossl_bn_is_prime,
ossl_bn_is_prime_fasttest): Avoid deprecated BN_generate_prime(),
BN_is_prime{,_fasttest}(). They are deprecated because they expect an
old style callback function (we don't use it here). They can be simply
replaced by _ex suffixed functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55273 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_asn1.c (ossl_time_split): check overflow and
reorder for optimization.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55252 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
r55219 didn't fix the entire issue. It only fixed the issue on
environment with sizeof(time_t) == 8 && sizeof(long) == 4.
* ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old
ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4
environment. This function was added in OpenSSL 1.0.0.
[ruby-core:45552] [Bug #6571]
* ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument
(Time) into the number of days elapsed since the epoch and the
remainder seconds to conform to ASN1_TIME_adj().
(obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and
ASN1_*TIME_adj().
* ext/openssl/ossl_asn1.h: Add the function prototype for
ossl_time_split().
* ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to
obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj().
* ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust().
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55249 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_asn1.c (time_to_time_t): Use NUM2TIMET() instead of
NUM2LONG(). time_t may be larger than long.
[ruby-core:45552] [Bug #6571]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
this a TLS server automatically selects a curve which both the client
and the server support to use in ECDH. This changes the default
behavior but users can still disable ECDH by excluding 'ECDH' cipher
suites from the cipher list (with SSLContext#ciphers=). This commit
also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
1.1.0. Its callback receives two values 'is_export' and 'keylength'
but both are completely useless for determining a curve to use in
ECDH. The automatic curve selection was introduced to replace this.
(ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
warning if this is in use.
(ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
SSL_CTX_set1_curves_list(). If it is not available, this falls back
to SSL_CTX_set_tmp_ecdh().
(Init_ossl_ssl): Define SSLContext#ecdh_curves=.
* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
SSL_CTX_set_tmp_ecdh_callback().
* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
missing.
* test/openssl/test_pair.rb (test_ecdh_callback): Use
EnvUtil.suppress_warning to suppress deprecated warning.
(test_ecdh_curves): Test that SSLContext#ecdh_curves= works.
* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of
SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it.
Currently this is delayed until ossl_ssl_setup(), which is called from
SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an
illegal value. We expect an exception to be raised in #hostname= but
actually we get it in the later SSLSocket#connect. Because the SSL is
not ready at #hostname=, the actual call of SSL_set_tlsext_host_name()
is also delayed.
This also fixes: [ruby-dev:49376] [Bug #11724]
* ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same
as the Ruby version but this instantiate the SSL object at the same
time.
(ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to
the SSL.
(ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not
yet set by SSL_set_fd().
(ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL
exists.
(ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the
SSL is already instantiated in #initialize.
(ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal,
ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert,
ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain,
ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state,
ossl_ssl_pending, ossl_ssl_session_reused,
ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list,
ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use
GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
(Init_ossl_ssl): Add method declarations of SSLSocket#{initialize,
hostname=}.
* ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It
should not be NULL because we now set it in #initialize.
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need
to check if the SSL is NULL.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH
has 'p' (the prime) before calling DH_size(). We can create a DH with
no parameter but DH_size() does not check and dereferences NULL.
[ruby-core:75720] [Bug #12428]
* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does
not check dsa->q.
* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt,
ossl_rsa_public_decrypt, ossl_rsa_private_encrypt,
ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55175 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/openssl_missing.h, ext/openssl/ossl.h: Remove
unnecessary 'extern "C"' blocks. We don't use C++ and these headers
are local to ext/openssl, so there is no need to enclose with it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55161 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
