hostname verification. Patched by nahi.
* test/openssl/test_ssl.rb (test_verify_certificate_identity): test for
above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41671 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
(BDIGIT_MSB): Defined using BIGRAD_HALF.
(bary_2comp): Apply BIGLO after possible over flow of BDIGIT.
(get2comp): Ditto.
(bary_unpack_internal): Use BDIGIT_MSB.
Apply BIGLO after possible over flow of BDIGIT.
(rb_integer_unpack): Use BDIGIT_MSB.
(calc_hbase): Use BDIGMAX.
(big2dbl): Use BDIGMAX.
Apply BIGLO after possible over flow of BDIGIT.
(rb_big_neg): Apply BIGLO after possible over flow of BDIGIT.
(biglsh_bang): Ditto.
(bigrsh_bang): Ditto.
(bary_divmod): Use BDIGIT_MSB.
(bigdivrem): Ditto.
(bigxor_int): Apply BIGLO after possible over flow of BDIGIT.
* marshal.c (shortlen): Use SIZEOF_BDIGITS instead of sizeof(BDIGIT).
* ext/openssl/ossl_bn.c (ossl_bn_initialize): Use SIZEOF_BDIGITS
instead of sizeof(BDIGIT).
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41613 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OSSL_X509ATTR_SET_SINGLE macros to use ->value.set rather than
->set to fix compile failure
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41527 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
defined(OPENSSL_NO_SOCK).
This fixes a linkage error on platforms which do not have socket.
OpenSSL itself is still useful as a set of cryptographic functions
even on such platforms.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/openssl/ossl.h, ext/openssl/openssl_missing.c: Use
HAVE_AGGREGATE_MEMBER instead of HAVE_ST_MEMBER.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40625 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_bn.c (ossl_bn_initialize): no need of alloca for
small fixed size array.
* ext/openssl/ossl_bn.c (ossl_bn_initialize): check overflow first,
and use alloca for small size input.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40518 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_bn.c (ossl_bn_initialize): fix buffer overflow on
x64 Windows and memory leak when initializing with integer.
[ruby-core:54615] [Bug #8337]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40513 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
subclasses that include WaitReadable or WaitWritable rather than
extending them into the exception object each time.
* error.c: Capture EGAIN, EWOULDBLOCK, EINPROGRESS exceptions and
export them for use in WaitReadable/Writable exceptions.
* io.c: Create versions of EAGAIN, EWOULDBLOCK, EINPROGRESS that
include WaitReadable and WaitWritable. Add rb_readwrite_sys_fail
for nonblocking failures using those exceptions. Use that
function in io_getpartial and io_write_nonblock instead of
rb_mod_sys_fail
* ext/openssl/ossl_ssl.c: Add new SSLError subclasses that include
WaitReadable and WaitWritable. Use those classes for
write_would_block and read_would_block instead of rb_mod_sys_fail.
* ext/socket/ancdata.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in bsock_sendmsg_internal and
bsock_recvmsg_internal.
* ext/socket/init.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in rsock_s_recvfrom_nonblock and
rsock_s_connect_nonblock.
* ext/socket/socket.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in sock_connect_nonblock.
* include/ruby/ruby.h: Export rb_readwrite_sys_fail for use instead
of rb_mod_sys_fail. Introduce new constants RB_IO_WAIT_READABLE and
RB_IO_WAIT_WRITABLE for first arg to rb_readwrite_sys_fail.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl.c (ossl_fips_mode_set): do not assume RTEST() to be
parenthesized always.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38497 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/utils.rb: revise comment about setting FIPS mode to
false.
* test/openssl/test_fips.rb: remove tests that cause errors on
ruby-ci.
[Feature #6946] [ruby-core:47345]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
with Associated Data (AEAD) for OpenSSL versions that support the
GCM encryption mode. It's the only mode supported for now by OpenSSL
itself. Add Cipher#authenticated? to detect whether a chosen mode
does support Authenticated Encryption.
* test/openssl/test_cipher.rb: add tests for Authenticated Encryption.
[Feature #6980] [ruby-core:47426] Thank you, Stephen Touset for
providing a patch!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38488 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
mode manually.
* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
OpenSSL installations with FIPS mode enabled by default from raising
FIPS-related errors during the tests.
* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
installations.
[Feature #6946] [ruby-core:47345]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38480 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
countermeasure for the BEAST attack by default. The default options
of OpenSSL::SSL:SSLContext are now:
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
[Bug #5353] [ruby-core:39673]
* test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.
* NEWS: Announce the new default.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
indicate whether OpenSSL runs in FIPS mode.
test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
non-FIPS installations to improve test performance (e.g. for
rubyci).
test/openssl/utils.rb: Replace DSS1 as certificate signature
digest with SHA1 for FIPS installations when using DSA by
introducing TestUtils::DSA_SIGNATURE_DIGEST.
test/openssl/test_x509cert.rb:
test/openssl/test_x509crl.rb:
test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
NEWS: Introduce OpenSSL::OPENSSL_FIPS
These changes allow running the OpenSSL tests in FIPS mode
while keeping a high performance for non-FIPS installations.
Introduction of OpenSSL::OPENSSL_FIPS allows for applications
to react to special requirements when using OpenSSL in FIPS mode.
[Feature #6946] [ruby-core:47345]
- Diese und die folgenden Zeilen werden ignoriert --
M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/test_x509crl.rb
M test/openssl/test_x509req.rb
M test/openssl/test_x509cert.rb
M test/openssl/test_pkey_dh.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
test/openssl/test_digest.rb: Add Digest module function to OpenSSL
module and test it. Patch provided by Eric Hodel.
[ruby-core:46908][Feature #6819]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
of an aggregate type is a C99ism.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): get rid of VC++
warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36364 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* io.c (sysopen_func, rb_sysopen_internal): cast through VALUE to get
rid of warnings. fixup of r36355.
* process.c (rb_waitpid_blocking, rb_waitpid): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36361 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
session id. MD5, as was used before, causes problems when
using a FIPS version of OpenSSL. Issue was found by Jared
Jennings, thank you!
[ruby-trunk - Bug #6137]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/openssl/ossl_pkey_rsa.c
ext/openssl/ossl_pkey_dsa.c
ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
than four characters long, as OpenSSL itself does not allow this.
Issue found by Eric Hodel.
* ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
following the PKey interface contract.
* test/openssl/test_pkey_dsa.rb
test/openssl/test_pkey_rsa.rb
test/openssl/test_pkey_ec.rb: Add tests that assert correct
behaviour when dealing with passwords that are less than four
characters long.
[ruby-core: 42281][ruby-trunk - Bug #5951]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] 20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
