Граф коммитов

356 Коммитов

Автор SHA1 Сообщение Дата
rhe 8795838fcb openssl: import v2.0.3
Import Ruby/OpenSSL 2.0.3. Only bugfixes. The full commit log since
2.0.2 (imported at r57146) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.2...v2.0.3

----------------------------------------------------------------
Corey Bonnell (1):
      Fix for ASN1::Constructive 'each' implementation

Kazuki Yamaguchi (10):
      Fix build with static OpenSSL libraries on Windows
       ([ruby-core:78878] [Bug #13080])
      Merge pull request #96 from CBonnell/master
      Merge branch 'topic/windows-static-linking-without-pkg-config' into maint
      appveyor.yml: update OpenSSL version to 1.0.2j
      buffering: fix typo in doc
      test/envutil: fix assert_raise_with_message
      x509: fix OpenSSL::X509::Name#eql?
       ([ruby-core:79310] [Bug #13170])
      ruby-openssl-docker: update versions of Ruby and OpenSSL
      .travis.yml: test with Ruby 2.4
      Ruby/OpenSSL 2.0.3

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-01-31 10:08:22 +00:00
rhe 0c83666c6c openssl: import v2.0.1
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1

This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-10 08:12:02 +00:00
rhe 95dbfe0dfc openssl: import fixes from upstream
Import the following two commits from upstream:

  commit 72126d6c8b88abd69c3565fc3bbbd5ed1e401611
  Author: Kazuki Yamaguchi <k@rhe.jp>
  Date:   Thu Dec 1 22:27:03 2016 +0900

      pkey: check existence of EVP_PKEY_get0()

      EVP_PKEY_get0() did not exist in early OpenSSL 0.9.8 series. So define
      ourselves if needed.

  commit 94a1c4e0c5705ad1e9a4ca08cacaa6cba8b1e6f5
  Author: Kazuki Yamaguchi <k@rhe.jp>
  Date:   Thu Dec 1 22:13:22 2016 +0900

      test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1d

      Set the authentication tag before the AAD when decrypting.

      Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext
      in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in
      OpenSSL 1.0.1d), the authentication tag must be set before any calls of
      EVP_CipherUpdate().

They should fix build on CentOS 5 and Ubuntu 12.04 respectively.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-01 04:42:10 +00:00
rhe aab0d67a1f openssl: import v2.0.0
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30 14:41:46 +00:00
nobu 34ac59c81e openssl/ut_eof.rb: rename TestEOF
* test/openssl/ut_eof.rb (OpenSSL::TestEOF): move TestEOF module
  under OpenSSL to get rid of conflict with test/ruby/ut_eof.rb.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56578 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-05 07:10:05 +00:00
rhe 014da9124a openssl: really fix test failure on Ubuntu 16.04
* test/openssl/test_ssl.rb (test_ctx_options): Fix test failure on
  Ubuntu 16.04. The fix in r56147 was incomplete. This is a cherry-pick
  of the commit b039f3e268c2 at ruby/openssl.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56178 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-17 10:19:25 +00:00
rhe b4d0e5a4fb openssl: workaround for Ubuntu's patched OpenSSL
* test/openssl/test_ssl.rb (test_ctx_options): Add a workaround for
  patched OpenSSL to fix the Ruby CI failure on Ubuntu 16.04.
  http://rubyci.s3.amazonaws.com/ubuntu/ruby-trunk/log/20160913T033003Z.fail.html.gz
  This commit is a cherry-pick of the following commit at ruby/openssl:
  f9c04779a8

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56147 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-13 05:59:53 +00:00
rhe a128c0d33f openssl: import v2.0.0.beta.2
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit
  history since v2.0.0.beta.1 can be found at:
  https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-08 01:09:19 +00:00
rhe c9dc0164b8 import Ruby/OpenSSL 2.0.0.beta.1
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29 05:47:09 +00:00
normal 7513d54659 openssl: avoid undefined behavior on empty SSL_write
SSL_write(3ssl) manpage has this in the WARNINGS section:

       When calling SSL_write() with num=0 bytes to be sent the
       behaviour is undefined.

And indeed, the new test case demonstrates failures when
empty strings are used.  So, match the behavior of IO#write,
IO#write_nonblock, and IO#syswrite by returning zero, as the
OpenSSL::SSL::SSLSocket API already closely mimics the IO one.

* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal):
  avoid undefined behavior
* test/openssl/test_pair.rb (test_write_zero): new test
  [ruby-core:76751] [Bug #12660]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55822 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-06 21:50:10 +00:00
nobu e7440de279 test: use assert_include
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55757 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-07-26 13:02:33 +00:00
nobu 38f6fe64aa Refine assertion
* test/openssl/test_ocsp.rb: assert_in_delta for better message.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55503 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-25 02:32:06 +00:00
rhe 5ff2e41845 openssl: ignore test failure caused by LibreSSL bug
* test/openssl/test_ocsp.rb: Ignore errors caused by bugs that exist in
  LibreSSL >= 2.3.1.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55502 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-25 01:08:15 +00:00
rhe 102815b046 openssl: add OpenSSL::OCSP::SingleResponse
* ext/openssl/ossl_ocsp.c: Add OCSP::SingleResponse that represents an
  OCSP SingleResponse structure. Also add two new methods #responses
  and #find_response to OCSP::BasicResponse. A BasicResponse has one or
  more SingleResponse. We have OCSP::BasicResponse#status that returns
  them as an array of arrays, each containing the content of a
  SingleResponse, but this is not useful. When validating an OCSP
  response, we need to look into the each SingleResponse and check their
  validity but it is not simple. For example, when validating for a
  certificate 'cert', the code would be like:

    # certid_target is an OpenSSL::OCSP::CertificateId for cert
    basic = res.basic
    result = basic.status.any? do |ary|
      ary[0].cmp(certid_target) &&
        ary[4] <= Time.now && (!ary[5] || Time.now <= ary[5])
    end

  Adding OCSP::SingleResponse at the same time allows exposing
  OCSP_check_validity(). With this, the code above can be rewritten as:

    basic = res.basic
    single = basic.find_response(certid_target)
    result = single.check_validity

* test/openssl/test_ocsp.rb: Test this.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55457 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-19 12:26:27 +00:00
rhe f31f1f1adf openssl: implement initialize_copy for OpenSSL::OCSP::*
* ext/openssl/ossl_ocsp.c: Implement OCSP::{CertificateId,Request,
  BasicResponse,Response}#initialize_copy.
  [ruby-core:75504] [Bug #12381]

* test/openssl/test_ocsp.rb: Test them.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55455 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-19 09:42:29 +00:00
rhe be1baf4a9a openssl: implement initialize_copy method for PKey classes
* ext/openssl/ossl_pkey_dh.c, ext/openssl/ossl_pkey_dsa.c,
  ext/openssl/ossl_pkey_ec.c, ext/openssl/ossl_pkey_rsa.c: Implement
  initialize_copy method for OpenSSL::PKey::*.
  [ruby-core:75504] [Bug #12381]

* test/openssl/test_pkey_dh.rb, test/openssl/test_pkey_dsa.rb,
  test/openssl/test_pkey_ec.rb, test/openssl/test_pkey_rsa.rb: Test they
  actually copy the OpenSSL objects, and modifications to cloned object
  don't affect the original object.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55454 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-19 09:29:59 +00:00
rhe c2158dd55e openssl: avoid test crash on Ubuntu 16.04
* test/openssl/test_pkey_ec.rb (setup): Don't call EC#generate_key! for
  Oakley-* curves. This causes an odd error on Ubuntu 16.04 with openssl
  1.0.2g-1ubuntu4.1.

    begin
      OpenSSL::PKey::EC.new("Oakley-EC2N-4").generate_key
    rescue
      p $!
    end
    OpenSSL::PKey::RSA.new(512)

  This sometimes causes:

    #<OpenSSL::PKey::ECError: EC_KEY_generate_key: pairwise test failed>
    fips.c(139): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

  [ruby-dev:49670] [Bug #12504]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55444 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-18 09:10:19 +00:00
rhe 2851f19f49 openssl: allow specifying hash algorithm in OCSP::*#sign
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
  specifying hash algorithm used in signing. They are hard coded to use
  SHA-1.
  Based on a patch provided by Tim Shirley <tidoublemy@gmail.com>.
  [ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]

* test/openssl/test_ocsp.rb: Test sign-verify works.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-15 10:52:37 +00:00
rhe 0a97832e6a openssl: add some accessor methods for OCSP::CertificateId
* ext/openssl/ossl_ocsp.c (ossl_ocspcid_get_issuer_name_hash,
  ossl_ocspcid_get_issuer_key_hash, ossl_ocspcid_get_hash_algorithm):
  Add accessor methods OCSP::CertificateId#issuer_name_hash,
  #issuer_key_hash, #hash_algorithm.
  Based on a patch provided by Paul Kehrer <paul.l.kehrer@gmail.com>.
  [ruby-core:48062] [Feature #7181]

* test/openssl/test_ocsp.rb: Test these new methods.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55411 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-14 13:12:20 +00:00
rhe 40799e5ef9 openssl: add missing #to_der to OCSP::{CertificateId,BasicResponse}
* ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der):
  Implement #to_der methods for OCSP::BasicResponse and
  OCSP::CertificateId.

  (ossl_ocspreq_initialize, ossl_ocspres_initialize): Use GetOCSP*()
  instead of raw DATA_PTR().

  (ossl_ocspbres_initialize, ossl_ocspcid_initialize): Allow
  initializing from DER string.

  (Init_ossl_ocsp): Define new #to_der methods.

* test/openssl/test_ocsp.rb: Test these changes. Also add missing tests
  for OCSP::{Response,Request}#to_der.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-14 12:40:55 +00:00
rhe aefb79c24f openssl: avoid test failure in test_engine.rb
* test/openssl/test_engine.rb (test_openssl_engine_builtin,
  test_openssl_engine_by_id_string): Skip test if 'openssl' engine is
  already loaded. And test the number increased by Engine.load{_by_id,},
  not the total count of loaded engines. Previously, we called
  OpenSSL::Engine.cleanup every time running a test case, but we no
  longer can do it.
  [ruby-core:75225] [Feature #12324]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55387 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-12 04:48:10 +00:00
rhe f9843bc4dc openssl: use ASN1_ENUMERATED_to_BN() if needed
* ext/openssl/ossl_asn1.c (asn1integer_to_num): Use
  ASN1_ENUMERATED_to_BN() to convert an ASN1_ENUMERATED to a BN.
  Starting from OpenSSL 1.1.0, ASN1_INTEGER_to_BN() rejects
  non-ASN1_INTEGER objects. The format of INTEGER and ENUMERATED are
  almost identical so they behaved in the same way in OpenSSL <= 1.0.2.
  [ruby-core:75225] [Feature #12324]

* test/openssl/test_asn1.rb (test_decode_enumerated): Test that it
  works.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55344 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09 12:42:08 +00:00
rhe dd05607f9a openssl: fix build with OPENSSL_NO_EC
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC.
  SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in
  OpenSSL's configuration. This fixes r55214.

* test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does
  not support ECDH.

* test/openssl/utils.rb (start_server): Ignore error in
  SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09 10:46:46 +00:00
rhe b257af8859 openssl: adjust tests for OpenSSL 1.1.0
This fixes `make test-all TESTS=openssl` with OpenSSL master.

* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
  and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
  reject an already existing OID. They were needed to run tests with
  OpenSSL 0.9.6 which is now unsupported.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
  [ruby-core:75225] [Feature #12324]

* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
  SSL::Session before re-adding to the session store. OpenSSL 1.1.0
  starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75

* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
  is new in OpenSSL 1.1.0 but this is for key agreement and not for
  signing.

* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
  test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
  suites.

* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.

* test/openssl/test_engine.rb: Run each test in separate process.
  We can no longer cleanup engines explicitly as ENGINE_cleanup() was
  removed.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743

* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
  RDoc for Engine.cleanup.

* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
  DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.

* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
  test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
  test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
  test unsupported hash functions.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07 12:20:46 +00:00
rhe 1f5784ecaf openssl: add SSL::SSLContext#security_level{=,}
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level().
  OpenSSL 1.1.0 introduced "security level".
  [ruby-core:75225] [Feature #12324]

* ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add
  SSLContext#security_level and #security_level=.

* test/openssl/test_ssl.rb (test_security_level): Add test. ...but this
  doesn't actually test it. Because #security_level= is necessary in
  order to run other tests on OpenSSL 1.1.0, go without tests for now.
  Will fix after converting SSLContext#key= and #cert= to normal methods.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55309 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07 07:52:24 +00:00
rhe 0a523ab20d openssl: adapt to OpenSSL 1.1.0 opaque structs
* ext/openssl/extconf.rb: Check existence of accessor functions that
  don't exist in OpenSSL 0.9.8. OpenSSL 1.1.0 made most of its
  structures opaque and requires use of these accessor functions.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/openssl_missing.[ch]: Implement them if missing.

* ext/openssl/ossl*.c: Use these accessor functions.

* test/openssl/test_hmac.rb: Add missing test for HMAC#reset.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55287 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05 15:35:12 +00:00
rhe 63abe00785 openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs
* ext/openssl/openssl_missing.[ch]: Implement EVP_PKEY_get0_*() and
  {RSA,DSA,EC_KEY,DH}_get0_*() functions.
  OpenSSL 1.1.0 makes EVP_PKEY/RSA/DSA/DH opaque. We used to provide
  setter methods for each parameter of each PKey type, for example
  PKey::RSA#e=, but this is no longer possible because the new API
  RSA_set0_key() requires the 'n' at the same time. This commit adds
  deprecation warning to them and adds PKey::*#set_* methods as direct
  wrapper for those new APIs. For example, 'rsa.e = 3' now needs to be
  rewritten as 'rsa.set_key(rsa.n, 3, rsa.d)'.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/ossl_pkey*.[ch]: Use the new accessor functions. Implement
  RSA#set_{key,factors,crt_params}, DSA#set_{key,pqg}, DH#set_{key,pqg}.
  Emit a warning with rb_warning() when old setter methods are used.

* test/drb/ut_array_drbssl.rb, test/drb/ut_drb_drbssl.rb,
  test/rubygems/test_gem_remote_fetcher.rb: Don't set a priv_key for DH
  object that are used in tmp_dh_callback. Generating a new key pair
  every time should be fine - actually the private exponent is ignored
  in OpenSSL >= 1.0.2f/1.0.1r even if we explicitly set.
  https://www.openssl.org/news/secadv/20160128.txt

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55285 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05 15:00:47 +00:00
rhe 9199bec9e8 openssl: check existence of RAND_pseudo_bytes()
* ext/openssl/extconf.rb: Check if RAND_pseudo_bytes() is usable. It is
  marked as deprecated in OpenSSL 1.1.0.
  [ruby-core:75225] [Feature #12324]

* ext/openssl/ossl_rand.c: Disable Random.pseudo_bytes if
  RAND_pseudo_bytes() is unavailable.

* test/openssl/test_random.rb: Don't test Random.pseudo_bytes if not
  defined.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-05 12:38:34 +00:00
rhe 1978ce784b openssl: add missing test for r55219
* test/openssl/test_asn1.rb: Add missing regression test for r55219. It
  fixed the year 2038 issue but the test code was missing.
  [ruby-core:45552] [Bug #6571]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55229 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-31 14:10:11 +00:00
rhe b9f3d4b836 openssl: fix test failure on Fedora 23
* test/openssl/test_pair.rb (test_ecdh_curves): Avoid P-224. The FIPS
  patch from RHEL disables it. The curve has to be chosen from: {
  secp256k1, secp384r1, secp521r1, prime256v1 }.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55224 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30 16:52:10 +00:00
rhe f26f358930 openssl: add SSLContext#ecdh_curves=
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
  curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
  this a TLS server automatically selects a curve which both the client
  and the server support to use in ECDH. This changes the default
  behavior but users can still disable ECDH by excluding 'ECDH' cipher
  suites from the cipher list (with SSLContext#ciphers=). This commit
  also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
  wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
  1.1.0. Its callback receives two values 'is_export' and 'keylength'
  but both are completely useless for determining a curve to use in
  ECDH. The automatic curve selection was introduced to replace this.

  (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
  warning if this is in use.

  (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
  SSL_CTX_set1_curves_list(). If it is not available, this falls back
  to SSL_CTX_set_tmp_ecdh().

  (Init_ossl_ssl): Define SSLContext#ecdh_curves=.

* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
  SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
  SSL_CTX_set_tmp_ecdh_callback().

* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
  missing.

* test/openssl/test_pair.rb (test_ecdh_callback): Use
  EnvUtil.suppress_warning to suppress deprecated warning.

  (test_ecdh_curves): Test that SSLContext#ecdh_curves= works.

* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30 09:30:38 +00:00
rhe cf2792d591 openssl: drop OpenSSL 0.9.6/0.9.7 support
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-25 08:50:03 +00:00
rhe 85500b6634 openssl: add EC.generate
* ext/openssl/ossl_pkey_ec.c (ec_key_new_from_group): Create a new
  EC_KEY on given EC group. Extracted from ossl_ec_key_initialize().
  (ossl_ec_key_s_generate): Added. Create a new EC instance and
  generate a random private and public key.
  (ossl_ec_key_initialize): Use ec_key_new_from_group().
  (Init_ossl_ec): Define the new method EC.generate. This change is
  for consistency with other PKey types.  [ruby-core:45541] [Bug #6567]

* test/openssl/test_pkey_ec.rb: Test that EC.generate works.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55152 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24 16:30:15 +00:00
rhe 8cbd74a362 openssl: rename EC#generate_key to EC#generate_key!
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_generate_key): Fix up RDoc.
  (Init_ossl_ec): Rename EC#generate_key to EC#generate_key!. Make the
  old name an alias of #generate_key!. This change is for consistency
  with other PKey types.  [ruby-core:45541] [Bug #6567]

* test/openssl/test_pkey_ec.rb: Use EC#generate_key! instead of
  EC#generate_key.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55151 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24 16:27:11 +00:00
rhe ce635262f5 openssl: make Cipher#key= and #iv= reject too long values
* ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv):
  Reject too long values as well as too short ones. Currently they
  just truncate the input but this would hide bugs and lead to
  unexpected encryption/decryption results.

* test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject
  Strings with invalid length.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55146 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-24 13:09:03 +00:00
rhe 118ee2a734 openssl: fix possible SEGV on race between SSLSocket#stop and #connect
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct
  here. Since some methods such as SSLSocket#connect releases GVL,
  there is a chance of use after free if we free the SSL from another
  thread. SSLSocket#stop was documented as "prepares it for another
  connection" so this is a slightly incompatible change. However when
  this sentence was added (r30090, Add toplevel documentation for
  OpenSSL, 2010-12-06), it didn't actually. The current behavior is
  from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15).
  [ruby-core:74978] [Bug #12292]

* ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.

* test/openssl/test_ssl.rb: Test this.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21 07:25:00 +00:00
rhe 7c971e61f0 openssl: add OpenSSL::PKey::EC#private? and #public?
* ext/openssl/ossl_pkey_ec.c: rename PKey::EC#private_key? and
  #public_key? to #private? and #public? for consistency with other
  PKey types. Old names remain as alias.  [ruby-core:45541] [Bug #6567]

* test/openssl/test_pkey_ec.rb (test_check_key): check private? and
  public? works correctly.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-21 05:30:48 +00:00
rhe f52ab6e494 openssl: improve handling of password for encrypted PEM
* ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the
  argument to String with StringValue() and validate the length is in
  4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers.
  (ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we
  used to pass the password to PEM_def_callback() directly but it was
  problematic. It is not NUL character safe. And surprisingly, it
  silently truncates the password to 1024 bytes.  [GH ruby/openssl#51]

* ext/openssl/ossl.h: Add function prototype declaration of newly
  added ossl_pem_passwd_value().

* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use
  ossl_pem_passwd_value() to validate the password String.

* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export):
  ditto.

* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize,
  ossl_ec_key_to_string): ditto.

* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export):
  ditto.

* test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55087 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-20 15:05:25 +00:00
rhe c06a990806 openssl: don't test default session lifetime value
OpenSSL's default session timeout for TLS v1.0 method is not 300 seconds
but 7200. The TLS v1.0 specification[1] mentions about it as just "An
upper limit of 24 hours is suggested for session ID lifetimes,". And
according to OpenSSL 1.0.2h source comment[2], the value 7200 is decided
just because "the 24 hours mentioned in the TLSv1 spec is way too long
for http, the cache would over fill".

The reason why the default lifetime is set to 300 is maybe an OpenSSL
bug. We always call SSL_CTX_new() with SSLv23_method(), and this set
ssl_ctx->session to 300, the default value for SSLv23_method(). But the
following SSL_set_ssl_method() call does not update it. By the way this
will be fixed in OpenSSL 1.1.0.

[1] https://tools.ietf.org/html/rfc2246#appendix-F.1.4
[2] https://git.openssl.org/?p=openssl.git;a=blob;f=ssl/t1_lib.c;h=dd5bd0050d89f5585c1b06a227eb8221ebf984f1;hb=5dd94f1847c744929a3bd24819f1c99644bb18c7#l193

* test/openssl/test_ssl_session.rb (test_session): remove assertion of
  the default session timeout.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-20 04:36:03 +00:00
rhe a24fe080a4 openssl: check argument type in OpenSSL::X509::Attribute#value=
* ext/openssl/ossl_x509attr.c (ossl_x509attr_set_value): check that the
  argument is an OpenSSL::ASN1::Data before converting to ASN1_TYPE.
  This fixes SEGV on OpenSSL::X509::Attribute#value=(non-asn1-value).

* test/openssl/test_x509attr.rb: add tests for OpenSSL::X509::Attribute.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55071 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-19 04:12:57 +00:00
rhe 898aeb8779 openssl: fix test failure due to the previous commit
* test/openssl/test_pkey_ec.rb (test_ec_point_mul): My previous commit
  r55059 was broken. I should have been more careful. Sorry.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55060 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 10:07:38 +00:00
rhe 1d1efeeafa openssl: fix test failure of OpenSSL::TestEC#test_ec_point_mul
* test/openssl/test_pkey_ec.rb (test_ec_point_mul): CentOS 7 patches
OpenSSL to reject curves defined over a small field.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55059 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 08:52:37 +00:00
nobu bbc4fd8895 test_random.rb: skip old OpenSSL
* test/openssl/test_random.rb (OpenSSL::TestRandom): ignore
  out-of-date OpenSSL before 1.0, as well as other tests.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55058 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 08:06:23 +00:00
nobu 1fcce422d8 openssl/test_random.rb: requires utils.rb
* test/openssl/test_random.rb: requires test/openssl/utils.rb for
  OpenSSL::TestCase now.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55056 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 07:24:02 +00:00
rhe c8cb26252a openssl: clear OpenSSL error queue before return to Ruby
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify()
  family may put errors on 0 return (0 means verification failure).
  Clear OpenSSL error queue before return to Ruby. Since the queue is
  thread global, remaining errors in the queue can cause an unexpected
  error in the next OpenSSL operation.  [ruby-core:48284] [Bug #7215]

* ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto.

* ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto.

* ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto.

* ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error
  queue before re-raising exception.

* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.

* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.

* ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto.

* test/openssl: check that OpenSSL.errors is empty every time after
  running a test case.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 04:07:47 +00:00
rhe 01801f2afd ext/openssl: refactor OpenSSL::PKey::EC::Point#mul
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): Validate the
  arguments before passing to EC_POINT(s)_mul(). Add description of this
  method.  [ruby-core:65152] [Bug #10268]

* test/openssl/test_pkey_ec.rb (test_ec_point_mul): Test that
  OpenSSL::PKey::EC::Point#mul works.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55048 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 02:55:46 +00:00
rhe b43fd8e080 openssl: fix equality test methods of OpenSSL::BN
* ext/openssl/ossl_bn.c (try_convert_to_bnptr): Extracted from
  GetBNPtr(). This doesn't raise exception but returns NULL on error.
  (GetBNPtr): Raise TypeError if conversion fails.
  (ossl_bn_eq): Implement BN#==.
  (ossl_bn_eql): #eql? should not raise TypeError even if the argument
  is not compatible with BN.
  (ossl_bn_hash): Implement BN#hash.

* ext/openssl/ossl_bn.c (Init_ossl_bn): Define #== and #hash.

* test/openssl/test_bn.rb: Test BN#eql?, #== and #hash

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55047 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 02:55:45 +00:00
akr 449fbfd4d4 Use Integer instead of Fixnum and Bignum.
* object.c, numeric.c, enum.c, ext/-test-/bignum/mul.c,
  lib/rexml/quickpath.rb, lib/rexml/text.rb, lib/rexml/xpath_parser.rb,
  lib/rubygems/specification.rb, lib/uri/generic.rb,
  bootstraptest/test_eval.rb, basictest/test.rb,
  test/-ext-/bignum/test_big2str.rb, test/-ext-/bignum/test_div.rb,
  test/-ext-/bignum/test_mul.rb, test/-ext-/bignum/test_str2big.rb,
  test/csv/test_data_converters.rb, test/date/test_date.rb,
  test/json/test_json_generate.rb, test/minitest/test_minitest_mock.rb,
  test/openssl/test_cipher.rb, test/rexml/test_jaxen.rb,
  test/ruby/test_array.rb, test/ruby/test_basicinstructions.rb,
  test/ruby/test_bignum.rb, test/ruby/test_case.rb,
  test/ruby/test_class.rb, test/ruby/test_complex.rb,
  test/ruby/test_enum.rb, test/ruby/test_eval.rb,
  test/ruby/test_iseq.rb, test/ruby/test_literal.rb,
  test/ruby/test_math.rb, test/ruby/test_module.rb,
  test/ruby/test_numeric.rb, test/ruby/test_range.rb,
  test/ruby/test_rational.rb, test/ruby/test_refinement.rb,
  test/ruby/test_rubyvm.rb, test/ruby/test_struct.rb,
  test/ruby/test_variable.rb, test/rubygems/test_gem_specification.rb,
  test/thread/test_queue.rb: Use Integer instead of Fixnum and Bignum.



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55029 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-17 13:15:57 +00:00
nobu f0cee0c6b8 test_ssl.rb: skip unsupported ciphers
* test/openssl/test_ssl.rb (test_get_ephemeral_key): skip
  unsupported ciphers.  [GH-1318]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54506 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-04-07 00:10:41 +00:00
nobu 9d31efc6f0 test_ssl.rb: skip unavailable pkeys
* test/openssl/test_ssl.rb (test_get_ephemeral_key): skip
  unavailable public keys.  [GH-1318]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54498 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-04-06 04:38:49 +00:00