* file.c, io.c, util.c: prefer rb_syserr_fail with saved errno
over setting errno then call rb_sys_fail, not to be clobbered
potentially and to reduce thread local errno accesses.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53264 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
protocol list.
The protocol list from OpenSSL is not null-terminated.
patched by Kazuki Yamaguchi [Bug #11810] [ruby-core:72082]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53064 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
be return -1 as an error. Therefore, added error handling.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52810 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/bigdecimal/bigdecimal.c: use RARRAY_CONST_PTR just fore
reference instead of RARRAY_PTR, to keep the array WB-protected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52448 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext: use long for index instead of int and RARRAY_LENINT.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52447 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
in ext/openssl instead of OpenSSL itself because LibreSSL
silently truncate the selected protocol name by casting the length
from int to unsigned char. [Bug #11369]
Patch by Jeremy Evans <merch-redmine@jeremyevans.net>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52227 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
dropping TLS v1.1 support too. Supporting only TLS v1.2 is too
early, because many popular websites still don't support it.
For instance, Servers where aws-sdk connects to still don't support
TLS v1.2 and it became broken.
We should consider more carefully about this.
[Fix GH-873] [Feature #11524]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52089 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
if the SSL library supports it. Thanks Kurt Roeckx <kurt@roeckx.be>
[Bug #11376]
* ext/openssl/extconf.rb: check for SSLv3 support in the SSL
implementation.
* test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
if there is no support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51722 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
existing options rather than just setting it. Some vendors apply
custom patches to their versions of OpenSSL that set default values
for options. This commit respects the custom patches they've
applied.
* test/openssl/test_ssl.rb (class OpenSSL): check that OP_ALL has been
added to the options.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51642 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): SSL method
name must not contain NUL. preserve the encoding of message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): use
rb_sym2str to get rid of inadvertent ID creations.
* ext/socket/ancdata.c (ancillary_inspect): ditto.
* ext/socket/option.c (sockopt_inspect): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
enable to SSLSocket#initialize and remove Nonblock module.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51496 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
lookup to private Ruby methods. This means we can keep the default
DH callback logic hidden from consumers. Also, since the SSLSocket
always has a context, we can remove conditionals about that
instance.
* ext/openssl/ossl_ssl.c: move callback lookup methods to private Ruby
methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/lib/openssl/buffering.rb (gets):
avoid comparing fixnum with nil
* test/openssl/test_pair.rb: test gets with limit when EOF is hit
Thanks to Bar Hofesh <bar.hofesh@safe-t.com> for the bug report
and testing.
[ruby-core:70149] [Bug #11400]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#options and options= using SSL_CTX_set_options and
SSL_CTX_get_options. This reduces the number of ivars we need and
simplifies `ossl_sslctx_setup`.
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): Default `options`
to SSL_OP_ALL
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51462 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
constants as longs, so we should follow that and use LONG2NUM.
http://git.io/vOqxD
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51461 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
to return the Ruby dh (or ecdh) object that the caller cares about
instead of doing rb_iv_get / set to communicate. This means we can
remove an rb_iv_get call, and only use the set calls for their
intended purpose (to prevent the object from being GC'd).
* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
* ext/openssl/ossl_ssl.c (ossl_call_tmp_ecdh_callback): ditto
* ext/openssl/ossl_ssl.c (ossl_tmp_ecdh_callback): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51460 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
tmp_ecdh_callback, the SSLSocket instance always holds a reference
to the SSLContext object (it's always set in `initialize`). The
SSLContext holds a reference to the tmp_dh_callback. Ask the
context for the callback instead of storing the callback in two
places.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51459 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
and use `rb_apply` to clean up calls to `rb_protect`.
* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51458 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
always holds a reference to the SSLContext object, which will have
the callback object. Ask the context for the callback instead of
storing the callback in two places.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51457 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
`tmp_dh_callback` to Ruby, and call it when setting up an SSL
connection. This allows us to move the "default" behavior to the
reader method.
* ext/openssl/ossl_ssl.c: call the tmp_dh_callback instead of
accessing the SSLContext's internals.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51455 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
helpful exception when verifying the peer connection and an
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
* test/openssl/test_ssl.rb (class OpenSSL): test for change
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
object returned by the servername callback on to the socket as an
instance variable. If the callback allocated a new context object
and didn't keep a reference to it, it could be GC'd out from under
the socket object.
* test/openssl/test_ssl.rb (class OpenSSL): test for change.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51387 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
DEFAULT_1024 constants in Ruby.
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): Ask PKey for the
default DH callback since it aleady must check whether openssl has
been compiled with DH support.
* ext/openssl/ossl_pkey_dh.c (OSSL_PKEY_BN): Remove C definitions of
DEFAULT_512 and DEFAULT_1024
* ext/openssl/ossl_pkey_dh.c (Init_ossl_dh): ditto
* test/openssl/test_pkey_dh.rb (class OpenSSL): add test to ensure the
Ruby definitions are the same as the C definitions were.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51382 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
specifically setting the tmp_dh_callback to nil.
* ext/openssl/ossl_ssl.c (Init_ossl_ssl): ditto
* test/openssl/test_pair.rb (module OpenSSL): add a test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51381 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
tmp_dh_callback Ruby code and set it as a default in `initialize`.
* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_512_GEN):
move this constant to Ruby.
* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_1024_GEN):
ditto
* ext/openssl/ossl_pkey_dh.c (Init_ossl_dh): ditto
* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): tmp_dh_callback should
always be set, so we can remove this conditional
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51380 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
