* ext/openssl/ossl_asn1.c: fix int_ossl_asn1_decode0_cons when being
fed arbitrary string values.
Clearly distinguish between the cases "universal, infinite and
not a SEQUENCE or SET" and "universal SEQUENCE or SET, possibly
infinite". Raise error for universal tags that are not infinite.
* test/openssl/test_asn1.rb: add a test for this.
Thanks to Hiroshi Yoshida for reporting this bug.
[Bug #5363] [ruby-dev:44542]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@33347 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_x509cert.c: Add class documentation for
OpenSSL::X509::Certificate.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32993 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c: Support disabling OpenSSL compression.
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32975 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possible
SEGV from AES encryption/decryption. Processing data by
Cipher#update without initializing key (meaningless usage of Cipher
object since we don't offer a way to export a key) could cause SEGV.
In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3)
allows uninitialized key, but other EVPs (such as AES) does not
allow it. Calling EVP_CipherUpdate() without initializing key causes
SEGV so we set the data filled with "\0" as the key by default. See
#2768.
* test/openssl/test_cipher.rb: test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32724 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
for openssl/{x509,ssl} usage. Users should require "openssl" instead
of "openssl/ssl" and "openssl/x509". Start of transition period
introduced by [ruby-dev:38018].
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32665 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_ssl_shutdown): Avoid randomly generated
SSLError from SSLSocket just after invoking SSLSocket#close.
OpenSSL's SSL_shutdown could try to send alert packet and it might
set SSLerr(global error stack) as the result. It causes the next
SSL read/write operation to fail by unrelated reason.
By design, we're ignoring any error at SSL_shutdown() so we clear
global error stack after SSL_shutdown is called. See #5039.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32660 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_hmac.c: Revert checking return type of
HMAC_Init_ex as it is not compatible with OpenSSL < 1.0.0.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32610 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_digest.c: Check return value of EVP_DigestInit_ex.
* ext/openssl/ossl_hmac.c: Check return value of HMAC_Init_ex.
Thanks, Jared Jennings, for the patch.
[ Ruby 1.9 - Bug #4944 ] [ruby-core:37670]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32607 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_engine.c: Avoid double free of ENGINE reference.
* test/openssl/test_engine.rb: Add a test for it.
Thanks to Ippei Obayashi for providing the patch.
[ Ruby 1.9 - Bug #5062 ] [ruby-dev:44173]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32605 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
verify callback of SSLContext and X509Store and make the
verification fail normally. Raising exception directly from callback
causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
See #4445.
* test/openssl/test_ssl.rb
(test_exception_in_verify_callback_is_ignored): test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32538 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
connection more gracefully. Call SSL_shutdown() max 4 times until it
returns 1 (success). Bi-directional SSL close has several states but
SSL_shutdown() kicks only 1 transition per call. Max 4 is from
mod_ssl.c of Apache httpd that says 'max 2x pending * 2x data = 4'.
See #4237.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
for X509_NAME_hash_old in OpenSSL 1.0.0. See #4805
* test/openssl/test_x509name.rb (test_hash): Make test pass with
OpenSSL 1.0.0.
* NEWS: Add it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32213 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
argument type with NUM2LONG if the arg is not a Time object.
See #4919.
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_set_timeout): Check
type with NUM2LONG. Time as an arg is not allowed. See #4919.
* test/openssl/test_ssl_session.rb (test_session_time,
test_session_timeout): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32211 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL from the callback for SSL_CTX_sess_set_get_cb().
Returning 0 means to OpenSSL that the the session is still valid
(since we created Ruby Session object) and was not freed by us with
SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
session_get_cb block if you don't want OpenSSL to cache the session
internally.
This potential issue was pointed by Ippei Obayashi. See #4416.
* test/openssl/test_ssl_session.rb (test_ctx_server_session_cb): Test
it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32204 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::SSLContext#session_remove_cb was broken. It wrongly
tried to call the session_*new*_cb callback.
* test/openssl/test_ssl_session.rb (class OpenSSL): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32200 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::Session#to_der was broken. Fix buffer handling.
* test/openssl/test_ssl_session.rb (test_session): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32196 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Buffering#each_byte should return String in accordance with IO in
1.9.
* test/openssl/test_buffering.rb (class OpenSSL): add tests for getc
and each_byte.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32012 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
CertificateError when Request#to_der gets an error from OpenSSL.
Patch from Ippei Obayashi, see #4420. I cannot write a test for
this... Request does not allow to create broken bytes...
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
not let current length become negative for infinite length constructed
values. Support constructed values of length zero. Added tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31711 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
length. This also prevents a segfault. Added test and improved
documentation.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31701 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Simplified ossl_asn1_decode0 by splitting it into three separate
functions. Add tests.
[Ruby 1.9 - Bug #4374][ruby-core:35123]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31700 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Constructives with an explicit tag_class parameter without
automatically setting tagging to :EXPLICIT. Fixes a bug when encoding
infinite length primitive values.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31699 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
EOC for infinite length Constructives that are supposed to be encoded
with explicit tagging. Also tabify method correctly.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31698 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
