| Age | Commit message (Collapse) | Author |
|---|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@65135 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[Backport #13935]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62951 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
https://github.com/ruby/openssl/commit/3af2635f117f8da563d180bc1c58702aecb16e0c
patched by Kazuki Yamaguchi <[email protected]>
bio: prevent possible GC issue in ossl_obj2bio()
Prevent the new object created by StringValue() from being GCed.
Luckily, as none of the callers of ossl_obj2bio() reads from the
returned BIO after possible triggering GC, this has not been a real
problem.
As a bonus, ossl_protect_obj2bio() function which is no longer used
anywhere is removed.
merge https://github.com/ruby/openssl/commit/f842b0d5c5e37527c11954a4b7a98c8d9cc57865
patched by Kazuki Yamaguchi <[email protected]>
bio: do not use the FILE BIO method in ossl_obj2bio()
Read everything from an IO object into a String first and use the
memory buffer BIO method just as we do for String inputs.
For MSVC builds, the FILE BIO method uses the "UPLINK" interface that
requires the application to provide OPENSSL_Applink() function. For us,
the "application" means ruby.exe, in which we can't do anything. As a
workaround, avoid using the FILE BIO method at all.
Usually private keys or X.509 certificates aren't that large and the
temporarily increased memory usage hopefully won't be an issue.
ext/openssl/ossl_version.h (OpenSSL::VERSION): bump to 1.1.1.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62885 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
fixable on 64bit mswin/mingw.
* ext/date/date_core.c (d_lite_hash): ditto.
[Backport #13877]
* ext/openssl/ossl_bn.c (ossl_bn_hash): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59879 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* OpenSSL::ASN1.{decode,decode_all,traverse}: have a bug of
out-of-bounds read. int_ossl_asn1_decode0_cons() does not give the
correct available length to ossl_asn1_decode() when decoding the
inner components of a constructed object. This can cause
out-of-bounds read if a crafted input given.
Reference: https://hackerone.com/reports/170316
https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59800 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
from Cipher#initialize. This is effectively a revert of r32723
("Avoid possible SEGV from AES encryption/decryption", 2011-07-28).
the patch is derived from https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062,
written by Kazuki Yamaguchi.
[Backport #8221]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
X509_LOOKUP_load_file()
X509_LOOKUP_load_file(), which ends up calling
X509_load_cert_crl_file()
internally, may leave error entries in the queue even when it returns
non-zero value (which indicates success).
This will be fixed by OpenSSL 1.1.1, but can be worked around by
clearing the error queue ourselves.
Fixes: [Backport #11033]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59235 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl.c (Init_openssl): register an ex_data index for
X509_STORE and X509_STORE_CTX respectively. Since they don't share
the ex_data index registry, we can't use the same index.
(ossl_verify_cb): use the the correct index.
* ext/openssl/ossl_ssl.c (ossl_ssl_verify_callback): ditto.
* ext/openssl/ossl_x509store.c (ossl_x509store_set_vfy_cb): ditto.
(ossl_x509stctx_verify): ditto.
* ext/openssl/ossl.h (void ossl_clear_error): add extern declarations
of ossl_store_{ctx_,}ex_verify_cb_idx.
* ext/openssl/openssl_missing.c: remove X509_STORE_set_ex_data and
X509_STORE_get_ex_data.
* ext/openssl/openssl_missing.h: implement X509_STORE_get_ex_data,
X509_STORE_set_ex_data and X509_STORE_get_ex_new_index as macros.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56565 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkcs12.c (ossl_pkcs12_initialize): pop errors
leaked by PKCS12_parse(). This is a bug in OpenSSL, which exists
in the versions before the version 1.0.0t, 1.0.1p, 1.0.2d.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56258 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
https://github.com/ruby/openssl/commit/e76f076f093efb93dabf2cb042c527500f956061
patches are provided by rhe (Kazuki Yamaguchi).
* ext/openssl/ossl_x509ext.c: additional fix memory leak.
[ruby-core:76922] [Bug #12680]
* text/openssl/test_x509ext.rb: test for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56032 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
https://github.com/ruby/openssl/compare/3a2840e80d275895523a526ce56e4f6e7b8f9cc4...1e30cd395b14ef46e04bdd9ab72f10067890b265
patches are provided by rhe (Kazuki Yamaguchi).
* ext/openssl/ossl_config.c: fix memory leak. [ruby-core:76922] [Bug #12680]
* ext/openssl/ossl_ocsp.c: ditto.
* ext/openssl/ossl_pkcs12.c: ditto.
* ext/openssl/ossl_pkcs7.c: ditto.
* ext/openssl/ossl_pkey_ec.c: ditto.
* ext/openssl/ossl_x509.h: ditto.
* ext/openssl/ossl_x509attr.c: ditto.
* ext/openssl/ossl_x509crl.c: ditto.
* ext/openssl/ossl_x509ext.c: ditto.
* ext/openssl/ossl_x509req.c: ditto.
* ext/openssl/ossl_x509revoked.c: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56018 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal):
avoid undefined behavior
* test/openssl/test_pair.rb (test_write_zero): new test
[ruby-core:76751] [Bug #12660]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55961 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_bn.c (try_convert_to_bnptr): Extracted from
GetBNPtr(). This doesn't raise exception but returns NULL on error.
(GetBNPtr): Raise TypeError if conversion fails.
(ossl_bn_eq): Implement BN#==.
(ossl_bn_eql): #eql? should not raise TypeError even if the argument
is not compatible with BN.
(ossl_bn_hash): Implement BN#hash.
* ext/openssl/ossl_bn.c (Init_ossl_bn): Define #== and #hash.
* test/openssl/test_bn.rb: Test BN#eql?, #== and #hash
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH
has 'p' (the prime) before calling DH_size(). We can create a DH with
no parameter but DH_size() does not check and dereferences NULL.
[ruby-core:75720] [Bug #12428]
* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does
not check dsa->q.
* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt,
ossl_rsa_public_decrypt, ossl_rsa_private_encrypt,
ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55904 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct
here. Since some methods such as SSLSocket#connect releases GVL,
there is a chance of use after free if we free the SSL from another
thread. SSLSocket#stop was documented as "prepares it for another
connection" so this is a slightly incompatible change. However when
this sentence was added (r30090, Add toplevel documentation for
OpenSSL, 2010-12-06), it didn't actually. The current behavior is
from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15).
[ruby-core:74978] [Bug #12292]
* ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.
* test/openssl/test_ssl.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55866 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb
function rather than OPENSSL_NPN_NEGOTIATED macro. it exists
even if it is disabled by OpenSSL configuration.
[ruby-core:74384] [Bug #12182]
* ext/openssl/ossl_ssl.c: update #ifdef(s) as above.
* test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54551 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as MT-unsafe
[ruby-core:73803] [Bug #12069]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54379 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* file.c, io.c, util.c: prefer rb_syserr_fail with saved errno
over setting errno then call rb_sys_fail, not to be clobbered
potentially and to reduce thread local errno accesses.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53264 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket): fix
NotImplementedError typo. [Fix GH-1165]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53223 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
g -L frozen_string_literal ext/**/*.rb|xargs ruby -Ka -e'ARGV.each{|fn|puts
fn;open(fn,"r+"){|f|s=f.read.sub(/\A(#!.*\n)?(#.*coding.*\n)?/,"\\&#
frozen_string_literal: false\n");f.rewind;f.write s}}'
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53143 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
protocol list.
The protocol list from OpenSSL is not null-terminated.
patched by Kazuki Yamaguchi [Bug #11810] [ruby-core:72082]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53064 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52988 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (mSSLExtConfig): make static
(eSSLError): ditto
(ID_callback_state): ditto
(ossl_ssl_ex_vcb_idx): ditto
(ossl_ssl_ex_store_p): ditto
(ossl_ssl_ex_ptr_idx): ditto
* ext/openssl/ossl_ssl.h: remove extern declarations for
mSSLExtConfig and eSSLError
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
be return -1 as an error. Therefore, added error handling.
* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52810 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[ci skip][fix GH-1007] Patch by @arthurnn
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52714 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52557 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52556 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52555 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/date/date_parse.c (date_zone_to_diff): suppress parentheses
warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/**/*.c: prefer RARRAY_AREF to indexing RARRAY_CONST_PTR.
pointed out by hanmac.
https://github.com/ruby/ruby/commit/3553a86#commitcomment-14187670
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/bigdecimal/bigdecimal.c: use RARRAY_CONST_PTR just fore
reference instead of RARRAY_PTR, to keep the array WB-protected.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52448 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext: use long for index instead of int and RARRAY_LENINT.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52447 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52228 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
in ext/openssl instead of OpenSSL itself because LibreSSL
silently truncate the selected protocol name by casting the length
from int to unsigned char. [Bug #11369]
Patch by Jeremy Evans <[email protected]>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52227 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
dropping TLS v1.1 support too. Supporting only TLS v1.2 is too
early, because many popular websites still don't support it.
For instance, Servers where aws-sdk connects to still don't support
TLS v1.2 and it became broken.
We should consider more carefully about this.
[Fix GH-873] [Feature #11524]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52089 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Patch provided by @claudijd [Fixes GH-873] [Feature #11524]:
https://github.com/ruby/ruby/pull/873
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52082 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51920 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51918 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
if the SSL library supports it. Thanks Kurt Roeckx <[email protected]>
[Bug #11376]
* ext/openssl/extconf.rb: check for SSLv3 support in the SSL
implementation.
* test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
if there is no support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51722 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
existing options rather than just setting it. Some vendors apply
custom patches to their versions of OpenSSL that set default values
for options. This commit respects the custom patches they've
applied.
* test/openssl/test_ssl.rb (class OpenSSL): check that OP_ALL has been
added to the options.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51642 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): SSL method
name must not contain NUL. preserve the encoding of message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): use
rb_sym2str to get rid of inadvertent ID creations.
* ext/socket/ancdata.c (ancillary_inspect): ditto.
* ext/socket/option.c (sockopt_inspect): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLSocket#sysclose to Ruby.
* ext/openssl/ossl_ssl.c (ossl_ssl_close): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51497 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
enable to SSLSocket#initialize and remove Nonblock module.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51496 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLSocket#initialize to Ruby.
* ext/openssl/ossl_ssl.c: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51495 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_call_client_cert_cb),
(ossl_call_tmp_dh_callback, ossl_call_tmp_ecdh_callback),
(ossl_call_session_get_cb, ossl_call_session_new_cb): remove no
longer used variables.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51487 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
lookup to private Ruby methods. This means we can keep the default
DH callback logic hidden from consumers. Also, since the SSLSocket
always has a context, we can remove conditionals about that
instance.
* ext/openssl/ossl_ssl.c: move callback lookup methods to private Ruby
methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/lib/openssl/buffering.rb (gets):
avoid comparing fixnum with nil
* test/openssl/test_pair.rb: test gets with limit when EOF is hit
Thanks to Bar Hofesh <[email protected]> for the bug report
and testing.
[ruby-core:70149] [Bug #11400]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLContext#options and options= using SSL_CTX_set_options and
SSL_CTX_get_options. This reduces the number of ivars we need and
simplifies `ossl_sslctx_setup`.
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): Default `options`
to SSL_OP_ALL
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51462 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
