* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): Validate the
arguments before passing to EC_POINT(s)_mul(). Add description of this
method. [ruby-core:65152] [Bug #10268]
* test/openssl/test_pkey_ec.rb (test_ec_point_mul): Test that
OpenSSL::PKey::EC::Point#mul works.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55048 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_bn.c (try_convert_to_bnptr): Extracted from
GetBNPtr(). This doesn't raise exception but returns NULL on error.
(GetBNPtr): Raise TypeError if conversion fails.
(ossl_bn_eq): Implement BN#==.
(ossl_bn_eql): #eql? should not raise TypeError even if the argument
is not compatible with BN.
(ossl_bn_hash): Implement BN#hash.
* ext/openssl/ossl_bn.c (Init_ossl_bn): Define #== and #hash.
* test/openssl/test_bn.rb: Test BN#eql?, #== and #hash
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55047 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
functions when OPENSSL_NO_SSL2 is defined.
Usually openssl's header and the library (libssl) have the same
set of functions, but on some environment the library has functions
whose headers doesn't declare. (openssl/opensslconf.h and libsso.so
aren't be synchronized)
To detect such case explicitly check feature macro and remove
related functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
TLS session key in case of forward secrecy cipher. Only
available since OpenSSL 1.0.2. [Fix GH-1318]
* ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag.
This flag was introduced at the same time as
SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage
with non-blocking sockets much easier.
Before this, a Rubyist would need to remember the exact object
which failed to write and reuse it later when the socket became
writable again. This causes problems when the buffer is given
by another layer of the application (e.g. a buffer is given
by a Rack middleware or application to a Rack web server).
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc):
enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default
[Bug #12126]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb
function rather than OPENSSL_NPN_NEGOTIATED macro. it exists
even if it is disabled by OpenSSL configuration.
[ruby-core:74384] [Bug #12182]
* ext/openssl/ossl_ssl.c: update #ifdef(s) as above.
* test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54258 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
On a cursory inspection, using rb_block_call for extra_chain_cert
is thread-unsafe. There may be other instances of thread-unsafe
behavior in this method, but one is enough.
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as MT-unsafe
[ruby-core:73803] [Bug #12069]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* file.c, io.c, util.c: prefer rb_syserr_fail with saved errno
over setting errno then call rb_sys_fail, not to be clobbered
potentially and to reduce thread local errno accesses.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53264 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
protocol list.
The protocol list from OpenSSL is not null-terminated.
patched by Kazuki Yamaguchi [Bug #11810] [ruby-core:72082]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53064 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
be return -1 as an error. Therefore, added error handling.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52810 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/bigdecimal/bigdecimal.c: use RARRAY_CONST_PTR just fore
reference instead of RARRAY_PTR, to keep the array WB-protected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52448 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext: use long for index instead of int and RARRAY_LENINT.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52447 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
in ext/openssl instead of OpenSSL itself because LibreSSL
silently truncate the selected protocol name by casting the length
from int to unsigned char. [Bug #11369]
Patch by Jeremy Evans <merch-redmine@jeremyevans.net>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52227 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
dropping TLS v1.1 support too. Supporting only TLS v1.2 is too
early, because many popular websites still don't support it.
For instance, Servers where aws-sdk connects to still don't support
TLS v1.2 and it became broken.
We should consider more carefully about this.
[Fix GH-873] [Feature #11524]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52089 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
if the SSL library supports it. Thanks Kurt Roeckx <kurt@roeckx.be>
[Bug #11376]
* ext/openssl/extconf.rb: check for SSLv3 support in the SSL
implementation.
* test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
if there is no support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51722 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
existing options rather than just setting it. Some vendors apply
custom patches to their versions of OpenSSL that set default values
for options. This commit respects the custom patches they've
applied.
* test/openssl/test_ssl.rb (class OpenSSL): check that OP_ALL has been
added to the options.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51642 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): SSL method
name must not contain NUL. preserve the encoding of message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): use
rb_sym2str to get rid of inadvertent ID creations.
* ext/socket/ancdata.c (ancillary_inspect): ditto.
* ext/socket/option.c (sockopt_inspect): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
enable to SSLSocket#initialize and remove Nonblock module.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51496 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
lookup to private Ruby methods. This means we can keep the default
DH callback logic hidden from consumers. Also, since the SSLSocket
always has a context, we can remove conditionals about that
instance.
* ext/openssl/ossl_ssl.c: move callback lookup methods to private Ruby
methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/lib/openssl/buffering.rb (gets):
avoid comparing fixnum with nil
* test/openssl/test_pair.rb: test gets with limit when EOF is hit
Thanks to Bar Hofesh <bar.hofesh@safe-t.com> for the bug report
and testing.
[ruby-core:70149] [Bug #11400]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#options and options= using SSL_CTX_set_options and
SSL_CTX_get_options. This reduces the number of ivars we need and
simplifies `ossl_sslctx_setup`.
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): Default `options`
to SSL_OP_ALL
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51462 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
constants as longs, so we should follow that and use LONG2NUM.
http://git.io/vOqxD
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51461 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
to return the Ruby dh (or ecdh) object that the caller cares about
instead of doing rb_iv_get / set to communicate. This means we can
remove an rb_iv_get call, and only use the set calls for their
intended purpose (to prevent the object from being GC'd).
* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
* ext/openssl/ossl_ssl.c (ossl_call_tmp_ecdh_callback): ditto
* ext/openssl/ossl_ssl.c (ossl_tmp_ecdh_callback): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51460 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
tmp_ecdh_callback, the SSLSocket instance always holds a reference
to the SSLContext object (it's always set in `initialize`). The
SSLContext holds a reference to the tmp_dh_callback. Ask the
context for the callback instead of storing the callback in two
places.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51459 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
and use `rb_apply` to clean up calls to `rb_protect`.
* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51458 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
