`Date.parse` now raises an ArgumentError when a given date string is
longer than 128. You can configure the limit by giving `limit` keyword
arguments like `Date.parse(str, limit: 1000)`. If you pass `limit: nil`,
the limit is disabled.
Not only `Date.parse` but also the following methods are changed.
* Date._parse
* Date.parse
* DateTime.parse
* Date._iso8601
* Date.iso8601
* DateTime.iso8601
* Date._rfc3339
* Date.rfc3339
* DateTime.rfc3339
* Date._xmlschema
* Date.xmlschema
* DateTime.xmlschema
* Date._rfc2822
* Date.rfc2822
* DateTime.rfc2822
* Date._rfc822
* Date.rfc822
* DateTime.rfc822
* Date._jisx0301
* Date.jisx0301
* DateTime.jisx0301
https://github.com/ruby/date/commit/3959accef8
OpenSSL::SSL::SSLSocket allowed #read and #write to be called before an
SSL/TLS handshake is completed. They passed unencrypted data to the
underlying socket.
This behavior is very odd to have in this library. A verbose mode
warning "SSL session is not started yet" was emitted whenever this
happened. It also didn't behave well with OpenSSL::Buffering. Let's
just get rid of it.
Fixes: https://github.com/ruby/openssl/issues/9https://github.com/ruby/openssl/commit/bf780748b3
BN_pseudo_rand() and BN_pseudo_rand_range() are deprecated in
OpenSSL 3.0. Since they are identical to their non-'pseudo' version
anyway, let's make them alias.
https://github.com/ruby/openssl/commit/2d34e85ddf
It converts the internal representation of the point object to the
affine coordinate system. However, it had no real use case because the
difference in the internal representation has not been visible from
Ruby/OpenSSL at all.
EC_POINT_make_affine() is marked as deprecated in OpenSSL 3.0.
https://github.com/ruby/openssl/commit/e2cc81fef7
OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the
function name. Adjust compatibility macro so that we can use the new
function name for all OpenSSL 1.0.2-3.0.
https://github.com/ruby/openssl/commit/c106d888c6
The function was renamed in OpenSSL 3.0 due to the change of the
lifetime of EVP_MD objects. They are no longer necessarily statically
allocated and can be reference-counted -- when an EVP_MD_CTX is free'd,
the associated EVP_MD can also become inaccessible.
Currently Ruby/OpenSSL only handles builtin algorithms, so no special
handling is needed except for adapting to the rename.
https://github.com/ruby/openssl/commit/0a253027e6
Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally
calls SSL_get_rbio() and it's enough for our purpose.
In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue
if BIO has not been set up yet, and we would have to clean it up.
https://github.com/ruby/openssl/commit/e95ee24867
If we use the same version as the default strscan gem in Ruby, "gem
install" doesn't extract .gem. It fails "gem install" because "gem
install" can't find ext/strscan/ to be built.
https://github.com/ruby/strscan/commit/3ceafa6cdc
SSLSocket#connect eventually calls `GetOpenFile` in order to get the
underlying file descriptor for the IO object passed in on
initialization. `GetOpenFile` assumes that the Ruby object passed in is
a T_FILE object and just casts it to a T_FILE without any checks. If
you pass an object that *isn't* a T_FILE to that function, the program
will segv.
Since we assume the IO object is a file in the `connect` method, this
commit adds a `CheckType` in the initialize method to ensure that the IO
object is actually a T_FILE. If the object *isn't* a T_FILE, this class
will segv on `connect`, so I think this is a backwards compatible
change.
https://github.com/ruby/openssl/commit/919fa44ec2
* Tie lifetime of uJIT blocks to iseqs
Blocks weren't being freed when iseqs are collected.
* Add rb_dary. Use it for method dependency table
* Keep track of blocks per iseq
Remove global version_tbl
* Block version bookkeeping fix
* dary -> darray
* free ujit_blocks
* comment about size of ujit_blocks
Drop support for Ruby 2.3, 2.4, and 2.5.
As of 2021-10, Ruby 2.6 is the oldest version that still receives
security fixes from the Ruby core team, so it doesn't make much sense
to keep code for those ancient versions.
https://github.com/ruby/openssl/commit/3436bd040d
On the server side, the serialized list of protocols is stored in
SSL_CTX as a String object reference. We utilize a hidden instance
variable to prevent it from being GC'ed, but this is not enough because
it can also be relocated by GC.compact.
https://github.com/ruby/openssl/commit/5eb68ba778
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
https://github.com/ruby/openssl/commit/a6ba9f894f
We store the reverse reference to the Ruby object in the OpenSSL
struct for use from OpenSSL callback functions. To prevent the Ruby
object from being relocated by GC.compact, we must "pin" it by calling
rb_gc_mark().
https://github.com/ruby/openssl/commit/022b7ceada
Similarly to SSLSocket#syswrite, the blocking SSLSocket#sysread allows
context switches. We must prevent other threads from modifying the
string buffer.
We can use rb_str_locktmp() and rb_str_unlocktmp() to temporarily
prohibit modification of the string.
https://github.com/ruby/openssl/commit/d38274949f
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.
SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.
RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.
Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.
https://github.com/ruby/openssl/commit/aa43da4f04
In AIX, altzone exists in the standard library but is not declared
in time.h. By 524513be39, have_var
and try_var in mkmf recognizes a variable that exists in a library
even when it is not declared. As a result, in AIX, HAVE_ALTZONE
is defined, but compile fails due to the lack of the declaration.
%v is supposed to be the VMS date, and VMS date format uses an
uppercase month.
Ruby 1.8 used an uppercase month for %v, but the behavior was
changed without explanation in r31672.
Time#strftime still uses an uppercase month for %v, so this change
makes Date#strftime consistent with Time#strftime.
Fixes [Bug #13810]
https://github.com/ruby/date/commit/56c489fd7e
Just append OpenSSL error reason to the given message string
object, which would be alreadly formatted.
Suppress -Wformat-security warning in `ossl_tsfac_create_ts`.
https://github.com/ruby/openssl/commit/11b1d8a6b8
This prevents early collection of the array. The GC doesn't see the
array on the stack when Ruby is compiled with optimizations enabled
Thanks @jhaberman for the test case
[ruby-core:105099] [Bug #18140]
'y' and 'n' are kind of ambiguous. Syck treated y and n literals in
YAML documents as strings. But this is not what the YAML 1.1 spec says.
YAML 1.1 says they should be treated as booleans. When we're dumping
documents, we know it's a string, so adding quotes will eliminate the
"ambiguity" in the emitted document
Fixes#443https://github.com/ruby/psych/commit/6a1c30634e
Previously, `+.inf` was not handled correctly. Additionally, the regexp
was checking for inf and NaN, even though these cases are handled earlier
in the condition. Added a few tests to ensure handling some missing
cases.
https://github.com/ruby/psych/commit/6e0e7a1e9f
Currently when calling any of the "FileUtils" methods on pathname `require` is called every time even though that library might already be loaded. This is slow:
We can speed it up by either checking first if the constant is already defined, or by using autoload.
Using defined speeds up the action by about 300x and using autoload is about twice as fast as that (600x faster than current require method).
I'm proposing we use autoload:
```ruby
require 'benchmark/ips'
Benchmark.ips do |x|
autoload(:FileUtils, "fileutils")
x.report("require") { require 'fileutils' }
x.report("defined") { require 'fileutils' unless defined?(FileUtils) }
x.report("autoload") { FileUtils }
x.compare!
end
# Warming up --------------------------------------
# require 3.624k i/100ms
# defined 1.465M i/100ms
# autoload 2.320M i/100ms
# Calculating -------------------------------------
# require 36.282k (± 2.4%) i/s - 184.824k in 5.097153s
# defined 14.539M (± 2.0%) i/s - 73.260M in 5.041161s
# autoload 23.100M (± 1.9%) i/s - 115.993M in 5.023271s
# Comparison:
# autoload: 23099779.2 i/s
# defined: 14538544.9 i/s - 1.59x (± 0.00) slower
# require: 36282.3 i/s - 636.67x (± 0.00) slower
```
Because this autoload is scoped to Pathname it will not change the behavior of existing programs that are not expecting FileUtils to be loaded yet:
```
ruby -rpathname -e "class Pathname; autoload(:FileUtils, 'fileutils'); end; puts FileUtils.exist?"
Traceback (most recent call last):
-e:1:in `<main>': uninitialized constant FileUtils (NameError)
```
This commit removes T_PAYLOAD since the new VWA implementation no longer
requires T_PAYLOAD types.
Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>
This commit removes T_PAYLOAD since the new VWA implementation no longer
requires T_PAYLOAD types.
Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>
LibYAML has moved from their previous Mercurial based hosting on BitBucket to a git repository on GitHub. This commit updates the `Psych` module's documentation to point to this new repository, instead of the old one which is now a 404.
https://github.com/ruby/psych/commit/947a84d0dd
I'm not sure whether this handles all multithreaded use cases,
but this handles the example that crashes almost immediately
and does 10,000,000 total deflates using 100 separate threads.
To prevent the tests from taking forever, the committed test
for this uses only 10,000 deflates across 10 separate threads,
which still causes a segfault in the previous implementation
almost immediately.
Fixes [Bug #17803]
https://github.com/ruby/zlib/commit/4b1023b3f2
* It used to be hardcoded since 0affbf9d2c7c5c618b8d3fe191e74d9ae8ad22fc
but got removed in 23abf3d3fb82afcc26d35769f0dec59dd46de4bb
* This means that since that second commit, rb_iterate() was used unintentionally.
https://github.com/ruby/racc/commit/8816ced525
Back in 2016, we chose not to use Bundler in Ruby/OpenSSL development
because Bundler depended on openssl and could not be used for testing
openssl itself - "bundle exec rake test" would end up with loading two
different versions of openssl at the same time.
This has been resolved long time ago. We can now safely use it for
development dependency management and for Rake tasks.
https://github.com/ruby/openssl/commit/47283d9161
Also, OpenSSL::BN::CONSTTIME is added.
OpenSSL itself had a feature that was vulnerable against a side-channel
attack. The OpenSSL authors determined that it was not a security issue,
and they have already fixed the issue by using BN_set_flags.
https://github.com/openssl/openssl/pull/13888
If a Ruby OpenSSL user was faced with a similar issue, they couldn't
prevent the issue because Ruby OpenSSL lacks a wrapper to BN_set_flags.
For the case, this change introduces the wrapper.
https://github.com/ruby/openssl/commit/1e565eba89
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::DSA's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.
https://github.com/ruby/openssl/commit/ce805adf0c
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::EC's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.
https://github.com/ruby/openssl/commit/1f9da0cd9d
Implement these methods using the new OpenSSL::PKey::PKey#{encrypt,sign}
family. The definitions are now in lib/openssl/pkey.rb.
Also, recommend using those generic methods in the documentation.
https://github.com/ruby/openssl/commit/2dfc1779d3
Add a variant of PKey#sign and #verify that do not hash the data
automatically.
Sometimes the caller has the hashed data only, but not the plaintext
to be signed. In that case, users would have to use the low-level API
such as RSA#private_encrypt or #public_decrypt directly.
OpenSSL 1.0.0 and later supports EVP_PKEY_sign() and EVP_PKEY_verify()
which provide the same functionality as part of the EVP API. This patch
adds wrappers for them.
https://github.com/ruby/openssl/commit/16cca4e0c4
Remove the following methods, which have been marked as deprecated and
produced a warning since version 2.0, commit 7ea72f1f5084 ("adapt
OpenSSL::PKey to OpenSSL 1.1.0 opaque structs", 2016-06-05).
- OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp=
- OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key=
- OpenSSL::PKey::DH#p=, #g=, #priv_key=, #pub_key=
These methods could only work with OpenSSL 1.0.2 or older, which is now
EOL.
https://github.com/ruby/openssl/commit/2334862cc0
Methods that take both PEM-encoding and DER-encoding have not been
consistent in the order in which encoding to attempt to parse.
A DER-encoding may contain a valid PEM block ("\n-----BEGIN ..-----" to
"-----END ...-----") embedded within it. Also, the PEM-encoding parser
allows arbitrary data around the PEM block and silently skips it. As a
result, attempting to parse data in DER-encoding as PEM-encoding first
can incorrectly finds the embedded PEM block instead.
This commit ensures that DER encoding will always be attempted before
PEM encoding. OpenSSL::X509::Certificate is one of the updated classes.
With this, the following will always be true:
# obj is an OpenSSL::X509::Certificate
obj == OpenSSL::X509::Certificate.new(obj.to_der)
obj == OpenSSL::X509::Certificate.new(obj.to_pem)
https://github.com/ruby/openssl/commit/b280eb1fd0
Normal sockets respond to `getbyte`, so we should make SSLSocket respond
to `getbyte` as well. This way we can substitute SSLSockets for regular
sockets.
https://github.com/ruby/openssl/commit/ac1490b7c9
Use EVP_PKEY_param_check() instead of DH_check() if available. Also,
use EVP_PKEY_public_check() instead of EC_KEY_check_key().
EVP_PKEY_*check() is part of the EVP API and is meant to replace those
low-level functions. They were added by OpenSSL 1.1.1. It is currently
not provided by LibreSSL.
https://github.com/ruby/openssl/commit/797e9f8e08
The low-level API that is used to implement #public_key is deprecated
in OpenSSL 3.0. It is actually very simple to implement in another way,
using existing methods only, in much shorter code. Let's do it.
While we are at it, the documentation is updated to recommend against
using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der
method, there is no real use case for #public_key in newly written Ruby
programs.
https://github.com/ruby/openssl/commit/48a6c391ef
Nobuyoshi Nakada
Yusuke Endoh
Hiroshi SHIBATA
Akinori MUSHA
xtkoba
Peter Zhu
Kazuki Yamaguchi
Josef Šimánek
David Rodríguez
Sutou Kouhei
Aaron Patterson
Alan Wu
Nobuhiro IMAI
David Carlier
Pavel Rosický
Kazuhiro NISHIYAMA
卜部昌平
Rei Odaira
Jeremy Evans
jory-graham
opak
Tomer Brisker
Samuel Williams
schneems
Mike Dalessio
Rhys Powell
Olle Jonsson
Olle Jonsson
Benoit Daloze
Yusuke Nakamura
Vinicius Stock
Ryuta Kamizono