Граф коммитов

62 Коммитов

Автор SHA1 Сообщение Дата
Kazuki Yamaguchi 5a8e1c520a [ruby/openssl] test/openssl/test_ssl: assume ECC support
Disabling ECC support of OpenSSL is impractical nowadays.

We still try to have the C extension compile on no-ec builds (as well
as no-dh or no-engine, etc.) as long as we can, but keeping test cases
for such an extreme scenario is not worth the effort.

https://github.com/ruby/openssl/commit/2cd01d4676
2021-10-23 13:38:37 +09:00
Kazuki Yamaguchi e4a26cd4f8 openssl: sync with upstream repository
Import current master (2c43241dc0ed) of ruby/openssl.git.

Below are the commits that were made since the last batch at commit
b99775b163 (ruby/openssl.git commit f49e7110ca1e). Note that some of
them have been applied already.

----------------------------------------------------------------
Benoit Daloze (1):
      Remove redundant and ignored workflow file

DBL-Lee (1):
      add support for SHA512_256/SHA512_224

Hiroshi SHIBATA (2):
      Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
      Fixed inconsistency directory structure with ruby/ruby repo

Jeremy Evans (2):
      Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
      Remove taint support

Kazuki Yamaguchi (26):
      config: support .include directive
      random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
      extconf.rb: get rid of -Werror=deprecated-declarations
      test/openssl/test_ssl: skip test_fallback_scsv if necessary
      ts: simplify OpenSSL::Timestamp::Request#algorithm
      History.md: add missing references to GitHub issues
      config: deprecate OpenSSL::Config#add_value and #[]=
      test/openssl/test_ssl: remove sleep from test_finished_messages
      test/openssl/test_ssl: fix random failure in SSLSocket.open test
      test/openssl/test_ssl: avoid explicitly-sized private keys
      test/openssl/test_ssl: remove commented-out test case
      test/openssl/test_ssl: allow kRSA tests to fail
      ssl: avoid declarations after statements
      engine: revert OpenSSL::Engine.load changes for cloudhsm
      engine: remove really outdated static engines
      engine: do not check for ENGINE_load_builtin_engines()
      engine: fix guards for 'dynamic' and 'cryptodev' engines
      lib/openssl.rb: require openssl/version.rb
      x509: add error code and verify flags constants
      ssl: set verify error code in the case of verify_hostname failure
      .github/workflows: merge CI jobs into a single workflow
      .github/workflows: test against different OpenSSL versions
      .travis.yml: fully migrate to GitHub Actions
      ssl: suppress test failure with SSLContext#add_certificate_chain_file
      ssl: remove test case test_puts_meta from test_pair
      Revert "Use version.rb in gemspec"

MSP-Greg (2):
      .travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
      Use version.rb in gemspec

Samuel Williams (1):
      Restore compatibility with older versions of Ruby.

Yusuke Endoh (1):
      Make OpenSSL::OSSL#test_memcmp_timing robust
2020-03-10 17:41:01 +09:00
Nobuyoshi Nakada 8a7e0aaaef
Warn non-nil `$/` [Feature #14240] 2020-02-23 13:37:40 +09:00
Hiroshi SHIBATA b99775b163
Import openssl-2.2.0 (#2693)
Import the master branch of ruby/openssl for preparing to release openssl-2.2.0
2020-02-16 15:21:29 +09:00
Yusuke Endoh 1e54903684 test/openssl: Support OpenSSL 1.1.1
OpenSSL 1.1.1 rejects some shorter keys, which caused some failures of
`make test-all TESTS=openssl`.

https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian/ruby-master/log/20190606T003005Z.fail.html.gz

This change merges 6bbc31ddd1 and 63fb3a36d1 in
https://github.com/ruby/openssl.
Reference: https://github.com/ruby/openssl/pull/217
2019-06-06 14:20:58 +09:00
rhe a55320b093 openssl: import v2.1.0.beta2
Import Ruby/OpenSSL 2.1.0.beta2. The full commit log since commit
e72d960db262 which was imported by r60013 can be found at:

	https://github.com/ruby/openssl/compare/e72d960db262...v2.1.0.beta2

----------------------------------------------------------------
Kazuki Yamaguchi (26):
      bn: use ALLOCV() macro instead of xmalloc()
      appveyor.yml: remove 'openssl version' line
      test/test_ssl_session: skip tests for session_remove_cb
      x509ext: implement X509::Extension#==
      x509attr: implement X509::Attribute#==
      x509cert: implement X509::Certificate#==
      x509revoked: add missing X509::Revoked#to_der
      x509crl, x509revoked: implement X509::{CRL,Revoked}#==
      x509req: implement X509::Request#==
      ssl: extract rb_intern("call")
      cipher: disallow setting AAD for non-AEAD ciphers
      test/test_cipher: fix test_non_aead_cipher_set_auth_data failure
      ssl: fix conflict of options in SSLContext#set_params
      buffering: let #write accept multiple arguments
      pkey: make pkey_check_public_key() non-static
      x509cert, x509crl, x509req, ns_spki: check sanity of public key
      test/envutil: port assert_warning from Ruby trunk
      test/utils: remove a pointless .public_key call in issue_cert
      ssl: add SSLContext#add_certificate
      test/test_ssl: fix test_security_level
      Drop support for LibreSSL 2.4
      kdf: add HKDF support
      test/test_x509cert: fix flaky test
      test/test_x509crl: fix random failure
      History.md: fix a typo
      Ruby/OpenSSL 2.1.0.beta2

Mark Wright (1):
      Fix build failure against OpenSSL 1.1 built with no-deprecated Thanks rhenium for the code review and fixes.

Peter Karman (1):
      Add RSA sign_pss() and verify_pss() methods

aeris (1):
      TLS Fallback Signaling Cipher Suite Value

kazu (1):
      Use caller with length to reduce unused strings

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60907 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-11-25 14:12:08 +00:00
rhe fdd01b5356 openssl: import e72d960db262
Sync with master branch of ruby/openssl.git to import changes in
v2.1.0.beta1..v2.0.6. The commit log since v2.1.0.beta1 which was
imported by r59734 can be found at:

	https://github.com/ruby/openssl/compare/v2.1.0.beta1...e72d960db262

----------------------------------------------------------------
Kazuki Yamaguchi (16):
      test/test_pair: fix test_write_nonblock{,_no_exceptions}
      x509name: fix a typo in docs
      test/test_fips: skip if setting FIPS mode fails
      test/test_asn1: fix possible failure in test_utctime
      test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
      test/test_pair: disable compression
      test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1
      test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1
      tool/ruby-openssl-docker: update
      test/test_pair: replace sleep with IO.select
      ssl: prevent SSLSocket#sysread* from leaking uninitialized data
      ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks
      ossl.c: make legacy locking callbacks reentrant
      test/test_engine: suppress stderr
      test/test_engine: check if RC4 is supported
      Ruby/OpenSSL 2.0.6

SHIBATA Hiroshi (1):
      To use upstream url of github

nobu (1):
      ruby.h: unnormalized Fixnum value

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60013 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-24 16:26:22 +00:00
rhe d0cdb26c75 openssl: merge test fixes from upstream, part 2
This is a combined patch of the following two commits in maint:

	a09d8c78dd30 test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
	de965374ee85 test/test_pair: disable compression

This hopefully fixes the RubyCI gentoo failure:

	http://rubyci.s3.amazonaws.com/gentoo/ruby-trunk/log/20170912T033004Z.fail.html.gz

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59857 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-12 13:52:51 +00:00
rhe d68a6b3ebe openssl: merge test fixes from upstream
Fix platform-dependent or fragile test cases added by r59734. This is a
combined patch of the three commits below:

	4fc17977350a test/test_fips: skip if setting FIPS mode fails
	b25179fbeebf test/test_asn1: fix possible failure in test_utctime
	8ed81ff4b0a8 test/test_pair: fix test_write_nonblock{,_no_exceptions}

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59751 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-05 09:47:59 +00:00
rhe 609103dbb5 openssl: import v2.1.0.beta1
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5
(imported by r59567) can be found at:

	https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1

----------------------------------------------------------------
Antonio Terceiro (1):
      test/test_ssl: explicitly accept TLS 1.1 in corresponding test

Colby Swandale (1):
      document using secure protocol to fetch git master in Bundler

Colton Jenkins (1):
      Add fips_mode_get to return fips_mode

Kazuki Yamaguchi (85):
      Start preparing for 2.1.0
      Remove support for OpenSSL 0.9.8 and 1.0.0
      bn: refine tests
      bn: implement unary {plus,minus} operators for OpenSSL::BN
      bn: implement OpenSSL::BN#negative?
      Don't define main() when built with --enable-debug
      test: let OpenSSL::TestCase include OpenSSL::TestUtils
      test: prepare test PKey instances on demand
      Add OpenSSL.print_mem_leaks
      Enable OSSL_MDEBUG on CI builds
      ssl: move default DH parameters from OpenSSL::PKey::DH
      Make exceptions with the same format regardless of OpenSSL.debug
      ssl: show reason of 'certificate verify error' in exception message
      ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
      ssl: do not confuse different ex_data index registries
      ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
      Fix RDoc markup
      ssl: suppress compiler warning
      ext/openssl/deprecation.rb: remove broken-apple-openssl
      extconf.rb: print informative message if OpenSSL can't be found
      Rakefile: compile the extension before test
      kdf: introduce OpenSSL::KDF module
      ossl.h: add NUM2UINT64T() macro
      kdf: add scrypt
      Expand rb_define_copy_func() macro
      Expand FPTR_TO_FD() macro
      Remove SafeGet*() macros
      cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()
      digest: rename GetDigestPtr() to ossl_evp_get_digestbyname()
      Add ossl_str_new(), an exception-safe rb_str_new()
      bio: simplify ossl_membio2str() using ossl_str_new()
      Remove unused functions and macros
      Drop support for LibreSSL 2.3
      ocsp: add OpenSSL::OCSP::Request#signed?
      asn1: infinite length -> indefinite length
      asn1: rearrange tests
      ssl: remove a needless NULL check in SSL::SSLContext#ciphers
      ssl: return nil in SSL::SSLSocket#cipher if session is not started
      asn1: remove an unnecessary function prototype
      asn1: require tag information when instantiating generic type
      asn1: initialize 'unused_bits' attribute of BitString with 0
      asn1: check for illegal 'unused_bits' value of BitString
      asn1: disallow NULL to be passed to asn1time_to_time()
      asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid
      asn1: allow constructed encoding with definite length form
      asn1: prohibit indefinite length form for primitive encoding
      asn1: allow tag number to be >= 32 for universal tag class
      asn1: use ossl_asn1_tag()
      asn1: clean up OpenSSL::ASN1::Constructive#to_der
      asn1: harmonize OpenSSL::ASN1::*#to_der
      asn1: prevent EOC octets from being in the middle of the content
      asn1: do not treat EOC octets as part of content octets
      x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
      ssl: do not call session_remove_cb during GC
      Backport "Merge branch 'topic/test-memory-leak'" to maint
      cipher: update the documentation for Cipher#auth_tag=
      Rakefile: let sync:to_ruby know about test/openssl/fixtures
      test: fix formatting
      test/utils: remove OpenSSL::TestUtils.silent
      test/utils: add SSLTestCase#tls12_supported?
      test/utils: have start_server yield only the port number
      test/utils: do not set ecdh_curves in start_server
      test/utils: let server_loop close socket
      test/utils: improve error handling in start_server
      test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
      test/utils: do not use DSA certificates in SSL tests
      test/test_ssl: remove test_invalid_shutdown_by_gc
      test/test_ssl: move test_multibyte_read_write to test_pair
      test/test_ssl_session: rearrange tests
      test/test_pair, test/test_ssl: fix for TLS 1.3
      ssl: remove useless call to rb_thread_wait_fd()
      ssl: fix NPN support
      ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private
      ssl: use 2048-bit group in the default tmp_dh_cb
      ssl: ensure that SSL option flags are non-negative
      ssl: update OpenSSL::SSL::OP_* flags
      ssl: prefer TLS_method() over SSLv23_method()
      ssl: add SSLContext#min_version= and #max_version=
      ssl: rework SSLContext#ssl_version=
      test/test_x509name: change script encoding to ASCII-8BIT
      x509name: refactor OpenSSL::X509::Name#to_s
      x509name: add OpenSSL::X509::Name#to_utf8
      x509name: add OpenSSL::X509::Name#inspect
      x509name: update regexp in OpenSSL::X509::Name.parse
      Ruby/OpenSSL 2.1.0.beta1

Marcus Stollsteimer (1):
      Fix rdoc for core Integer class

nobu (4):
      [DOC] {read,write}_nonblock with exception: false
      [DOC] keyword argument _exception_
      [DOC] mark up literals
      Revert r57690 except for read_nonblock

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59734 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-09-03 12:35:27 +00:00
rhe 0c83666c6c openssl: import v2.0.1
Import Ruby/OpenSSL 2.0.1. The full commit history since 2.0.0 (imported
at r56946) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0...v2.0.1

This release contains only bug fixes. Note, the first two commits since
v2.0.0 are already imported at r56953 to make Travis and RubyCI green.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57041 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-12-10 08:12:02 +00:00
rhe aab0d67a1f openssl: import v2.0.0
Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:

  https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-30 14:41:46 +00:00
nobu 34ac59c81e openssl/ut_eof.rb: rename TestEOF
* test/openssl/ut_eof.rb (OpenSSL::TestEOF): move TestEOF module
  under OpenSSL to get rid of conflict with test/ruby/ut_eof.rb.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56578 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-11-05 07:10:05 +00:00
rhe a128c0d33f openssl: import v2.0.0.beta.2
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit
  history since v2.0.0.beta.1 can be found at:
  https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-09-08 01:09:19 +00:00
rhe c9dc0164b8 import Ruby/OpenSSL 2.0.0.beta.1
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
  ext/openssl is now converted into a default gem. The full commit
  history since r55538 can be found at:
  https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
  [Feature #9612]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-29 05:47:09 +00:00
normal 7513d54659 openssl: avoid undefined behavior on empty SSL_write
SSL_write(3ssl) manpage has this in the WARNINGS section:

       When calling SSL_write() with num=0 bytes to be sent the
       behaviour is undefined.

And indeed, the new test case demonstrates failures when
empty strings are used.  So, match the behavior of IO#write,
IO#write_nonblock, and IO#syswrite by returning zero, as the
OpenSSL::SSL::SSLSocket API already closely mimics the IO one.

* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal):
  avoid undefined behavior
* test/openssl/test_pair.rb (test_write_zero): new test
  [ruby-core:76751] [Bug #12660]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55822 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-08-06 21:50:10 +00:00
nobu e7440de279 test: use assert_include
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55757 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-07-26 13:02:33 +00:00
rhe dd05607f9a openssl: fix build with OPENSSL_NO_EC
* ext/openssl/ossl_ssl.c: Add define guards for OPENSSL_NO_EC.
  SSL_CTX_set_ecdh_auto() is defined even when ECDH is disabled in
  OpenSSL's configuration. This fixes r55214.

* test/openssl/test_pair.rb (test_ecdh_curves): Skip if the OpenSSL does
  not support ECDH.

* test/openssl/utils.rb (start_server): Ignore error in
  SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55342 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-09 10:46:46 +00:00
rhe b257af8859 openssl: adjust tests for OpenSSL 1.1.0
This fixes `make test-all TESTS=openssl` with OpenSSL master.

* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
  and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
  reject an already existing OID. They were needed to run tests with
  OpenSSL 0.9.6 which is now unsupported.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
  [ruby-core:75225] [Feature #12324]

* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
  SSL::Session before re-adding to the session store. OpenSSL 1.1.0
  starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75

* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
  is new in OpenSSL 1.1.0 but this is for key agreement and not for
  signing.

* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
  test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
  suites.

* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.

* test/openssl/test_engine.rb: Run each test in separate process.
  We can no longer cleanup engines explicitly as ENGINE_cleanup() was
  removed.
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743

* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
  RDoc for Engine.cleanup.

* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
  DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.

* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
  test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
  test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
  test unsupported hash functions.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07 12:20:46 +00:00
rhe b9f3d4b836 openssl: fix test failure on Fedora 23
* test/openssl/test_pair.rb (test_ecdh_curves): Avoid P-224. The FIPS
  patch from RHEL disables it. The curve has to be chosen from: {
  secp256k1, secp384r1, secp521r1, prime256v1 }.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55224 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30 16:52:10 +00:00
rhe f26f358930 openssl: add SSLContext#ecdh_curves=
* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc): Enable the automatic
  curve selection for ECDH by calling SSL_CTX_set_ecdh_auto(). With
  this a TLS server automatically selects a curve which both the client
  and the server support to use in ECDH. This changes the default
  behavior but users can still disable ECDH by excluding 'ECDH' cipher
  suites from the cipher list (with SSLContext#ciphers=). This commit
  also deprecate #tmp_ecdh_callback=. It was added in Ruby 2.3.0. It
  wraps SSL_CTX_set_tmp_ecdh_callback() which will be removed in OpenSSL
  1.1.0. Its callback receives two values 'is_export' and 'keylength'
  but both are completely useless for determining a curve to use in
  ECDH. The automatic curve selection was introduced to replace this.

  (ossl_sslctx_setup): Deprecate SSLContext#tmp_ecdh_callback=. Emit a
  warning if this is in use.

  (ossl_sslctx_set_ecdh_curves): Add SSLContext#ecdh_curves=. Wrap
  SSL_CTX_set1_curves_list(). If it is not available, this falls back
  to SSL_CTX_set_tmp_ecdh().

  (Init_ossl_ssl): Define SSLContext#ecdh_curves=.

* ext/openssl/extconf.rb: Check the existence of EC_curve_nist2nid(),
  SSL_CTX_set1_curves_list(), SSL_CTX_set_ecdh_auto() and
  SSL_CTX_set_tmp_ecdh_callback().

* ext/openssl/openssl_missing.[ch]: Implement EC_curve_nist2nid() if
  missing.

* test/openssl/test_pair.rb (test_ecdh_callback): Use
  EnvUtil.suppress_warning to suppress deprecated warning.

  (test_ecdh_curves): Test that SSLContext#ecdh_curves= works.

* test/openssl/utils.rb (start_server): Use SSLContext#ecdh_curves=.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-30 09:30:38 +00:00
rhe c8cb26252a openssl: clear OpenSSL error queue before return to Ruby
* ext/openssl/ossl_x509cert.c (ossl_x509_verify): X509_verify()
  family may put errors on 0 return (0 means verification failure).
  Clear OpenSSL error queue before return to Ruby. Since the queue is
  thread global, remaining errors in the queue can cause an unexpected
  error in the next OpenSSL operation.  [ruby-core:48284] [Bug #7215]

* ext/openssl/ossl_x509crl.c (ossl_x509crl_verify): ditto.

* ext/openssl/ossl_x509req.c (ossl_x509req_verify): ditto.

* ext/openssl/ossl_x509store.c (ossl_x509stctx_verify): ditto.

* ext/openssl/ossl_pkey_dh.c (dh_generate): clear the OpenSSL error
  queue before re-raising exception.

* ext/openssl/ossl_pkey_dsa.c (dsa_generate): ditto.

* ext/openssl/ossl_pkey_rsa.c (rsa_generate): ditto.

* ext/openssl/ossl_ssl.c (ossl_start_ssl): ditto.

* test/openssl: check that OpenSSL.errors is empty every time after
  running a test case.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55051 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-05-18 04:07:47 +00:00
normal 280f732215 openssl: accept moving write buffer for write_nonblock
By setting the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag.
This flag was introduced at the same time as
SSL_MODE_ENABLE_PARTIAL_WRITE in OpenSSL 0.9.4 and makes usage
with non-blocking sockets much easier.

Before this, a Rubyist would need to remember the exact object
which failed to write and reuse it later when the socket became
writable again.  This causes problems when the buffer is given
by another layer of the application (e.g. a buffer is given
by a Rack middleware or application to a Rack web server).

* ext/openssl/ossl_ssl.c (ossl_sslctx_s_alloc):
  enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER by default
  [Bug #12126]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-03-31 20:33:55 +00:00
naruse 3e92b635fb Add frozen_string_literal: false for all files
When you change this to true, you may need to add more tests.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-12-16 05:07:31 +00:00
hsbt 6cf568f4b5 * bootstraptest/runner.rb: use safe navigation operator.
[fix GH-1142] Patch by @mlarraz
* test/openssl/test_pair.rb: ditto.
* test/ruby/test_econv.rb: ditto.
* test/ruby/test_settracefunc.rb: ditto.
* test/thread/test_queue.rb: ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53110 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-12-14 08:04:28 +00:00
hsbt a8438d3033 * test/openssl/test_pair.rb: skipped tests if openssl doesn't support
ECDH cipher.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52412 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-10-31 11:16:02 +00:00
normal 1e5a40ff18 openssl/buffering: fix gets on EOF with limit
* ext/openssl/lib/openssl/buffering.rb (gets):
  avoid comparing fixnum with nil
* test/openssl/test_pair.rb: test gets with limit when EOF is hit
  Thanks to Bar Hofesh <bar.hofesh@safe-t.com> for the bug report
  and testing.
  [ruby-core:70149] [Bug #11400]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51466 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-08-01 22:08:17 +00:00
nobu 176414dfa7 test_pair.rb: join client thread
* test/openssl/test_pair.rb (test_ecdh_callback): join client
  thread only when it started.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51446 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-30 04:43:23 +00:00
nobu b729e9278f test_pair.rb: thread leak
* test/openssl/test_pair.rb (test_ecdh_callback): join client
  thread before closing sockets.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51434 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-29 12:45:32 +00:00
nobu 621bf532fc test_pair.rb: thread leak
* test/openssl/test_pair.rb (test_ecdh_callback): fix thread leak.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-29 12:41:09 +00:00
tenderlove 486e6e02c2 * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): support
specifically setting the tmp_dh_callback to nil.

* ext/openssl/ossl_ssl.c (Init_ossl_ssl): ditto

* test/openssl/test_pair.rb (module OpenSSL): add a test

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51381 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-25 23:16:49 +00:00
tenderlove ab9cd02f25 * test/openssl/test_pair.rb: add a test ensuring that the default DH
callback is used when no DH callback is specified.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51379 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-25 21:23:22 +00:00
tenderlove 5326593a8b * ext/openssl/ossl_ssl.c: add ECDH callback support. [Feature #11356]
* test/openssl/test_pair.rb: test for ECDH callback support

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51348 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-22 18:34:45 +00:00
normal c18df6d87c connect_nonblock supports "exception: false"
This is for consistency with accept_nonblock arguments and gives a
minor speedup from avoiding exceptions.
[ruby-core:68838] [Feature #11024]

* ext/openssl/ossl_ssl.c (ossl_ssl_connect_nonblock):
  support `exception: false'
* (get_no_exception): move function location
* ext/socket/socket.c (sock_connect_nonblock):
  support `exception: false'
* test/openssl/test_pair.rb (test_connect_accept_nonblock_no_exception):
  test `exception: false' on connect,
  rename from `test_accept_nonblock_no_exception'
* test/socket/test_nonblock.rb (test_connect_nonblock_no_exception):
  new test

Benchmark results:

default            0.050000   0.100000   0.150000 (  0.151307)
exception: false   0.030000   0.080000   0.110000 (  0.108840)

----------------------------8<-----------------------
require 'socket'
require 'benchmark'
require 'io/wait'
require 'tmpdir'

host = '127.0.0.1'
serv = TCPServer.new(host, 0) # UNIX sockets may not hit EINPROGRESS

nr = 5000 # few iterations to avoid running out of ports

addr = serv.getsockname
pid = fork do
  begin
    serv.accept.close
  rescue => e
    warn "#$$: #{e.message} (#{e.class})"
  end while true
end
at_exit { Process.kill(:TERM, pid) }
serv.close

Benchmark.bmbm do |x|
  x.report("default") do
    nr.times do
      s = Socket.new(:INET, :STREAM)
      s.setsockopt(:SOL_SOCKET, :SO_REUSEADDR, 1)
      begin
        s.connect_nonblock(addr)
      rescue IO::WaitWritable
        s.wait_writable
      end
      s.close
    end
  end
  x.report("exception: false") do
    nr.times do
      s = Socket.new(:INET, :STREAM)
      s.setsockopt(:SOL_SOCKET, :SO_REUSEADDR, 1)
      case s.connect_nonblock(addr, exception: false)
      when :wait_writable
        s.wait_writable
      end
      s.close
    end
  end
end

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50254 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-04-12 01:41:51 +00:00
normal aaf2d070a8 accept_nonblock supports "exception: false"
This is analogous to functionality found in IO#read_nonblock and
IO#wait_nonblock.  Raising exceptions for common failures on
non-blocking servers is expensive and makes $DEBUG too noisy.

Benchmark results:
                                    user     system      total        real
default                         2.790000   0.870000   3.660000 (  3.671597)
exception: false                1.120000   0.800000   1.920000 (  1.922032)
exception: false (cached arg)   0.820000   0.770000   1.590000 (  1.589267)
--------------------- benchmark script ------------------------
require 'socket'
require 'benchmark'
require 'tmpdir'
nr = 1000000
Dir.mktmpdir('nb_bench') do |path|
  sock_path = "#{path}/test.sock"
  s = UNIXServer.new(sock_path)
  Benchmark.bmbm do |x|
    x.report("default") do
      nr.times do
        begin
          s.accept_nonblock
        rescue IO::WaitReadable
        end
      end
    end
    x.report("exception: false") do
      nr.times do
        begin
          s.accept_nonblock(exception: false)
        rescue IO::WaitReadable
          abort "should not raise"
        end
      end
    end
    x.report("exception: false (cached arg)") do
      arg = { exception: false }
      nr.times do
        begin
          s.accept_nonblock(arg)
        rescue IO::WaitReadable
          abort "should not raise"
        end
      end
    end
  end
end

* ext/socket/init.c (rsock_s_accept_nonblock):
  support exception: false
  [ruby-core:66385] [Feature #10532]
* ext/socket/init.c (rsock_init_socket_init): define new symbols
* ext/socket/rubysocket.h: adjust prototype
* ext/socket/socket.c (sock_accept_nonblock): support exception: false
* ext/openssl/ossl_ssl.c (ossl_ssl_accept_nonblock): ditto
* ext/socket/socket.c (Init_socket): adjust accept_nonblock definition
* ext/openssl/ossl_ssl.c (Init_ossl_ssl): ditto
* ext/socket/tcpserver.c (rsock_init_tcpserver): ditto
* ext/socket/unixserver.c (rsock_init_unixserver): ditto
* ext/socket/tcpserver.c (tcp_accept_nonblock): adjust
  rsock_s_accept_nonblock call
* ext/socket/unixserver.c (unix_accept_nonblock): ditto
* ext/openssl/ossl_ssl.c (ossl_start_ssl): support no_exception
* ext/openssl/ossl_ssl.c (ossl_ssl_connect): adjust ossl_start_ssl call
* ext/openssl/ossl_ssl.c (ossl_ssl_connect_nonblock): ditto
* ext/openssl/ossl_ssl.c (ossl_ssl_accept): ditto
* test/socket/test_nonblock.rb (test_accept_nonblock): test for
  "exception :false"
* test/socket/test_tcp.rb (test_accept_nonblock): new test
* test/socket/test_unix.rb (test_accept_nonblock): ditto
* test/openssl/test_pair.rb (test_accept_nonblock_no_exception): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-03-12 03:03:04 +00:00
nobu af06381332 test/openssl: skip old OpenSSL
* test/openssl/utils.rb (OpenSSL::TestUtils): ignore out-of-date
  OpenSSL before 1.0.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48823 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-12-13 03:05:43 +00:00
akr 971df741b9 Close fds.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46216 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-28 15:06:39 +00:00
hsbt 6eb8acae90 * test/openssl/test_pair.rb: Modify TestSSL#test_read_and_write
to handle partial sysreads. [Bug #7398][ruby-core:49563]
* test/openssl/test_ssl.rb: ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46164 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-27 10:03:09 +00:00
akr 504453d929 * test/openssl: Join threads.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46108 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-25 05:22:49 +00:00
akr b9f770ae8f refactored to test Socket and TCPSocket/TCPServer more consistently.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-07 23:21:10 +00:00
akr 2dbae9b1f1 * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLServer#accept):
Consider Socket#accept as well as TCPServer#accept.
  Reported by Sam Stelfox.  [ruby-core:62064] [Bug #9750]



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45863 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-07 12:48:27 +00:00
akr 1386a2303f refactoring to extract tcp_pair.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45862 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-05-07 12:22:02 +00:00
naruse 8db313151d wait until the shutdowning message reaches to the server
see #8831

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42838 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-09-04 18:46:16 +00:00
usa 6d18cc288a * test/openssl/test_pair.rb
(OpenSSL::TestPair#test_write_nonblock_no_exceptions): on some CIs
  such as Debian 6.0, Ubuntu 10.04, CentOS and vc10-x64 (maybe depend
  on OpenSSL version), writing to SSLSocket after SSL_ERROR_WANT_WRITE
  causes SSL_ERROR_SSL "bad write retry".


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42790 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-09-03 01:08:09 +00:00
tenderlove 988ca60565 * io.c (io_read_nonblock): support non-blocking reads without raising
exceptions. As in: `io.read_nonblock(size, exception: false)`
  [ruby-core:38666] [Feature #5138]
* ext/openssl/ossl_ssl.c (ossl_ssl_read_internal): ditto
* ext/stringio/stringio.c (strio_sysread): ditto
* io.c (rb_io_write_nonblock): support non-blocking writes without
  raising an exception.
* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal): ditto
* test/openssl/test_pair.rb (class OpenSSL): tests
* test/ruby/test_io.rb (class TestIO): ditto
* test/socket/test_nonblock.rb (class TestSocketNonblock): ditto
* test/stringio/test_stringio.rb (class TestStringIO): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42695 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-08-26 22:41:44 +00:00
headius 0626d9b91c Fix #6154 by introducing new EAGAIN/EWOULDBLOCK/EINPROGRESS
subclasses that include WaitReadable or WaitWritable rather than
extending them into the exception object each time.

* error.c: Capture EGAIN, EWOULDBLOCK, EINPROGRESS exceptions and
  export them for use in WaitReadable/Writable exceptions.
* io.c: Create versions of EAGAIN, EWOULDBLOCK, EINPROGRESS that
  include WaitReadable and WaitWritable. Add rb_readwrite_sys_fail
  for nonblocking failures using those exceptions. Use that
  function in io_getpartial and io_write_nonblock instead of
  rb_mod_sys_fail
* ext/openssl/ossl_ssl.c: Add new SSLError subclasses that include
  WaitReadable and WaitWritable. Use those classes for
  write_would_block and read_would_block instead of rb_mod_sys_fail.
* ext/socket/ancdata.c: Use rb_readwrite_sys_fail instead of
  rb_mod_sys_fail in bsock_sendmsg_internal and
  bsock_recvmsg_internal.
* ext/socket/init.c: Use rb_readwrite_sys_fail instead of
  rb_mod_sys_fail in rsock_s_recvfrom_nonblock and
  rsock_s_connect_nonblock.
* ext/socket/socket.c: Use rb_readwrite_sys_fail instead of
  rb_mod_sys_fail in sock_connect_nonblock.
* include/ruby/ruby.h: Export rb_readwrite_sys_fail for use instead
  of rb_mod_sys_fail. Introduce new constants RB_IO_WAIT_READABLE and
  RB_IO_WAIT_WRITABLE for first arg to rb_readwrite_sys_fail.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2013-04-08 19:58:55 +00:00
emboss 9871dd5783 * test/openssl/utils.rb
test/openssl/test_pair.rb
  test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy
  OpenSSL FIPS requirements. Patch by Vit Ondruch.
  [Bug #6938] [ruby-core:47326]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36843 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-08-28 20:03:32 +00:00
nahi ab86f1cffb * ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
verify callback of SSLContext and X509Store and make the 
  verification fail normally. Raising exception directly from callback
  causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi. 
  See #4445.

* test/openssl/test_ssl.rb
  (test_exception_in_verify_callback_is_ignored): test it.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32537 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2011-07-14 05:41:05 +00:00
tenderlove e1e671d60d refactor load error rescue to the openssl util file
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30176 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2010-12-11 01:25:25 +00:00
naruse 7fd6016e1c Set DH Parameter for SSLContext to clean warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30123 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2010-12-07 14:24:40 +00:00