
ruby-changes:26382

From: emboss <ko1@a...>
Date: Tue, 18 Dec 2012 11:02:56 +0900 (JST)
Subject: [ruby-changes:26382] emboss:r38433 (trunk): * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a

emboss	2012-12-18 11:02:43 +0900 (Tue, 18 Dec 2012)

  New Revision: 38433

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38433

  Log:
    * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a
      countermeasure for the BEAST attack by default. The default options
      of OpenSSL::SSL::SSLContext are now:
      OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
      [Bug #5353] [ruby-core:39673]
    
    * test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.
    
    * NEWS: Announce the new default.

  Modified files:
    trunk/ChangeLog
    trunk/NEWS
    trunk/ext/openssl/lib/openssl/ssl.rb
    trunk/test/openssl/test_ssl.rb

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 38432)
+++ ChangeLog	(revision 38433)
@@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Tue Dec 18 11:52:34 2012  Martin Bosslet  <Martin.Bosslet@g...>
+
+	* ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a
+	  countermeasure for the BEAST attack by default. The default options
+	  of OpenSSL::SSL:SSLContext are now:
+	  OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+	  [Bug #5353] [ruby-core:39673]
+
+	* test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.
+
+	* NEWS: Announce the new default.
+
 Tue Dec 18 06:36:12 2012  Koichi Sasada  <ko1@a...>
 
 	* method.h: remove `VM_METHOD_TYPE_CFUNC_FRAMELESS' method type.
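Review bot: The new ChangeLog entry names ext/openssl/lib/ssl.rb, but the file changed in this revision is ext/openssl/lib/openssl/ssl.rb, so anyone searching the ChangeLog by path will miss it. The entry also writes OpenSSL::SSL:SSLContext with a single colon; it should read OpenSSL::SSL::SSLContext. Both are worth correcting in a follow-up ChangeLog edit.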
Index: ext/openssl/lib/openssl/ssl.rb
===================================================================
--- ext/openssl/lib/openssl/ssl.rb	(revision 38432)
+++ ext/openssl/lib/openssl/ssl.rb	(revision 38433)
@@ -24,7 +24,9 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L24
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
         :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
-        :options => OpenSSL::SSL::OP_ALL,
+        :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
+          OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
+          OpenSSL::SSL::OP_ALL,
       }
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
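Review bot: The new :options value is a double negative (masking a DONT_ flag out of OP_ALL) and carries no comment, so a reader of this hash cannot tell that the intent is to turn empty-fragment insertion on as the BEAST countermeasure, or why the defined? guard is needed. A short comment above the entry saying that clearing OP_DONT_INSERT_EMPTY_FRAGMENTS enables the countermeasure, and that the guard covers builds where the constant is absent, would keep someone from "simplifying" it back to OP_ALL. Note also that in the fallback branch the default silently stays OP_ALL, which the NEWS text does not mention.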
Index: NEWS
===================================================================
--- NEWS	(revision 38432)
+++ NEWS	(revision 38433)
@@ -256,7 +256,11 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L256
     with OpenSSL 1.0.1 and higher.
   * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
     is running in FIPS mode and to react to the special requirements this
-    might impy.
+    might imply.
+  * The default options for OpenSSL::SSL::SSLContext have changed to
+    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+    instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
+    the BEAST attack by default.
 
 * ostruct
   * new methods:
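Review bot: The added NEWS item states the new default but not how to get the previous behaviour back, which matters for anyone who hits an interoperability problem after upgrading. Suggest adding one sentence that setting ctx.options = OpenSSL::SSL::OP_ALL explicitly restores the old default, and that the new default only applies when OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS is defined, since the code falls back to OP_ALL otherwise.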
Index: test/openssl/test_ssl.rb
===================================================================
--- test/openssl/test_ssl.rb	(revision 38432)
+++ test/openssl/test_ssl.rb	(revision 38433)
@@ -3,6 +3,11 @@ require_relative "utils" https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L3
 if defined?(OpenSSL)
 
 class OpenSSL::TestSSL < OpenSSL::SSLTestCase
+
+  TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
+                    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
+                    OpenSSL::SSL::OP_ALL
+
   def test_ctx_setup
     ctx = OpenSSL::SSL::SSLContext.new
     assert_equal(ctx.setup, true)
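Review bot: TLS_DEFAULT_OPS repeats the conditional from ext/openssl/lib/openssl/ssl.rb verbatim, so the two copies have to be kept in step by hand whenever the default changes again. A one-line comment on the constant pointing at the library default it mirrors would make that coupling visible. The name would also read more clearly as TLS_DEFAULT_OPTIONS, since "OPS" can be taken for "operations".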
@@ -257,7 +262,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L262
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params
       assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
-      assert_equal(OpenSSL::SSL::OP_ALL, ctx.options)
+      assert_equal(TLS_DEFAULT_OPS, ctx.options)
       ciphers = ctx.ciphers
       ciphers_versions = ciphers.collect{|_, v, _, _| v }
       ciphers_names = ciphers.collect{|v, _, _, _| v }
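Review bot: The changed assertion compares ctx.options with TLS_DEFAULT_OPS, which is built from the same expression as the library default, so it does not state the security property directly, and in the fallback branch it passes with plain OP_ALL. Consider adding, guarded by the same defined? check, an assertion that the flag is actually cleared after set_params, for example assert_equal(0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS), so a regression in the default fails with an obvious message.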
@@ -398,7 +403,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L403
 
   def test_unset_OP_ALL
     ctx_proc = Proc.new { |ctx|
-      ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+      # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is
+      # redundant because the default options already are equal to OP_ALL.
+      # But it also degrades gracefully, so keep it
+      ctx.options = OpenSSL::SSL::OP_ALL
     }
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port|
       server_connect(port) { |ssl|
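Review bot: test_unset_OP_ALL now assigns ctx.options = OpenSSL::SSL::OP_ALL, so the test name says the opposite of what the body does: it overrides the new default and runs a connection with the old one. Renaming it (something like test_set_OP_ALL) or extending the comment to say it verifies that explicitly restoring OP_ALL still works would avoid confusion. The last comment line is also missing its closing period.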

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
