
ruby-changes:39473

From: nagachika <ko1@a...>
Date: Thu, 13 Aug 2015 00:17:00 +0900 (JST)
Subject: [ruby-changes:39473] nagachika:r51554 (ruby_2_2): merge revision(s) 51409, 51453: [Backport #10910]

nagachika	2015-08-13 00:16:42 +0900 (Thu, 13 Aug 2015)

  New Revision: 51554

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51554

  Log:
    merge revision(s) 51409,51453: [Backport #10910]
    
    * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
      helpful exception when verifying the peer connection and an
      anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
      Thanks to Chris Sinjakli <chris@s...> for the patch.
    
    * test/openssl/test_ssl.rb (class OpenSSL): test for change
    
    * .travis.yml: update libssl before running tests. 
      Thanks to Chris Sinjakli <chris@s...> for figuring out the
      travis settings!

  Modified directories:
    branches/ruby_2_2/
  Modified files:
    branches/ruby_2_2/.travis.yml
    branches/ruby_2_2/ChangeLog
    branches/ruby_2_2/ext/openssl/lib/openssl/ssl.rb
    branches/ruby_2_2/test/openssl/test_ssl.rb
    branches/ruby_2_2/test/openssl/utils.rb
    branches/ruby_2_2/version.h
Index: ruby_2_2/ChangeLog
===================================================================
--- ruby_2_2/ChangeLog	(revision 51553)
+++ ruby_2_2/ChangeLog	(revision 51554)
@@ -1,3 +1,18 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1
+Thu Aug 13 00:03:24 2015  Aaron Patterson <tenderlove@r...>
+
+	* .travis.yml: update libssl before running tests. 
+	  Thanks to Chris Sinjakli <chris@s...> for figuring out the
+	  travis settings!
+
+Thu Aug 13 00:03:24 2015  Aaron Patterson <tenderlove@r...>
+
+	* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
+	  helpful exception when verifying the peer connection and an
+	  anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
+	  Thanks to Chris Sinjakli <chris@s...> for the patch.
+
+	* test/openssl/test_ssl.rb (class OpenSSL): test for change
+
 Wed Aug 12 23:57:01 2015  NARUSE, Yui  <naruse@r...>
 
 	* ext/date/extconf.rb: try_cflags("-std=iso9899:1999") [Bug #10906]
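Review bot: the two new ChangeLog entries carry the identical timestamp "Thu Aug 13 00:03:24 2015" and the same author; by this file's convention that is one entry with two bullet items rather than two headers. The ".travis.yml: update libssl before running tests." line also carries trailing whitespace after the full stop, which should be stripped before committing.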
Index: ruby_2_2/ext/openssl/lib/openssl/ssl.rb
===================================================================
--- ruby_2_2/ext/openssl/lib/openssl/ssl.rb	(revision 51553)
+++ ruby_2_2/ext/openssl/lib/openssl/ssl.rb	(revision 51554)
@@ -228,6 +228,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ext/openssl/lib/openssl/ssl.rb#L228
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        if peer_cert.nil?
+          msg = "Peer verification enabled, but no certificate received."
+          if using_anon_cipher?
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+          end
+          raise SSLError, msg
+        end
+
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
         end
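Review bot: the message built in post_connection_check asserts "Peer verification enabled" without consulting verify_mode, yet peer_cert is also nil when the client never asked for verification (the accompanying test runs the server with VERIFY_NONE and sets no verify_mode on the client), so the wording can mislead in exactly the case it is meant to explain. Consider phrasing the first sentence as "no certificate received from peer" and only adding the "peer verification" wording when verify_mode includes VERIFY_PEER, or document that this method presumes verification was requested. The nil guard itself is the right fix: before this change a nil peer_cert reached verify_certificate_identity and failed there instead of surfacing as an SSLError that names the anonymous suite.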
@@ -239,6 +247,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ext/openssl/lib/openssl/ssl.rb#L247
       rescue SSL::Session::SessionError
         nil
       end
+
+      private
+
+      def using_anon_cipher?
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "aNULL"
+        ctx.ciphers.include?(cipher)
+      end
     end
 
     ##
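Review bot: using_anon_cipher? creates a fresh SSLContext and assigns ctx.ciphers = "aNULL" on every call; if the linked libssl offers no anonymous suites, that assignment raises SSLError itself (no cipher could be selected), and since the helper only runs inside the error path the helpful message would be replaced by an unrelated one. Suggest rescuing that case (treat it as "not anonymous") and computing the aNULL list once, memoized at class level, rather than per call. The include? check also relies on SSLSocket#cipher and each element of SSLContext#ciphers being identical [name, version, bits, alg_bits] arrays; comparing on the suite name alone, e.g. `ctx.ciphers.map(&:first).include?(cipher[0])`, is less brittle and matches the name already used in the message.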
Index: ruby_2_2/version.h
===================================================================
--- ruby_2_2/version.h	(revision 51553)
+++ ruby_2_2/version.h	(revision 51554)
@@ -1,10 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1
 #define RUBY_VERSION "2.2.3"
-#define RUBY_RELEASE_DATE "2015-08-12"
-#define RUBY_PATCHLEVEL 160
+#define RUBY_RELEASE_DATE "2015-08-13"
+#define RUBY_PATCHLEVEL 161
 
 #define RUBY_RELEASE_YEAR 2015
 #define RUBY_RELEASE_MONTH 8
-#define RUBY_RELEASE_DAY 12
+#define RUBY_RELEASE_DAY 13
 
 #include "ruby/version.h"
 
Index: ruby_2_2/test/openssl/utils.rb
===================================================================
--- ruby_2_2/test/openssl/utils.rb	(revision 51553)
+++ ruby_2_2/test/openssl/utils.rb	(revision 51554)
@@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/openssl/utils.rb#L270
         ctx_proc = args[:ctx_proc]
         server_proc = args[:server_proc]
         ignore_listener_error = args.fetch(:ignore_listener_error, false)
+        use_anon_cipher = args.fetch(:use_anon_cipher, false)
         server_proc ||= method(:readwrite_loop)
 
         store = OpenSSL::X509::Store.new
         store.add_cert(@ca_cert)
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
         ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
         ctx.cert_store = store
         #ctx.extra_chain_cert = [ ca_cert ]
         ctx.cert = @svr_cert
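Review bot: the suite name "ADH-AES256-GCM-SHA384" is hardcoded here and repeated verbatim in the expected message in test_ssl.rb; keeping it in one shared constant in utils.rb would stop the two from drifting. An AES-GCM suite is only available on libssl builds with GCM support (OpenSSL 1.0.1 or later), so when `ctx.ciphers =` rejects it the server should skip or fail with a clear reason instead of letting the raise surface as a listener error that the client test reports as a wrong message.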
Index: ruby_2_2/test/openssl/test_ssl.rb
===================================================================
--- ruby_2_2/test/openssl/test_ssl.rb	(revision 51553)
+++ ruby_2_2/test/openssl/test_ssl.rb	(revision 51554)
@@ -351,6 +351,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/openssl/test_ssl.rb#L351
     }
   end
 
+  def test_post_connect_check_with_anon_ciphers
+    sslerr = OpenSSL::SSL::SSLError
+
+    start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.ciphers = "aNULL"
+      server_connect(port, ctx) { |ssl|
+        msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+          "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+        assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+      }
+    }
+  end
+
   def test_post_connection_check
     sslerr = OpenSSL::SSL::SSLError
 
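Review bot: the method name test_post_connect_check_with_anon_ciphers matches neither the neighbouring test_post_connection_check nor the method under test (post_connection_check); rename it for consistency. Style: `assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}` lacks the space after the comma and around the block that the surrounding code uses. The assertion also pins the full message text, including the suite name set in utils.rb and the "Peer verification enabled" wording although the server runs with VERIFY_NONE and the client sets no verify_mode; matching a regexp on the stable prefix would keep the test valid across a wording or suite change.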
Index: ruby_2_2/.travis.yml
===================================================================
--- ruby_2_2/.travis.yml	(revision 51553)
+++ ruby_2_2/.travis.yml	(revision 51554)
@@ -35,6 +35,8 @@ os: https://github.com/ruby/ruby/blob/trunk/ruby_2_2/.travis.yml#L35
 # far since the 1.9.1 release.
 before_install:
   - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq update; fi"
+  # Travis ships an outdated, broken version of libssl by default
+  - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq --only-upgrade install '^libssl.*'; fi"
   - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq install $CC; fi" # upgrade if any
   - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then JOBS='-j'; fi"
   - "if [[ $TRAVIS_OS_NAME = 'osx' ]]; then brew install autoconf openssl; fi"
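Review bot: the comment "Travis ships an outdated, broken version of libssl by default" does not record which libssl version is required or what breaks without it; note the minimum version (the new test depends on an AES-GCM anonymous suite, so 1.0.1 or later) so this line can be dropped once the image catches up. `--only-upgrade install '^libssl.*'` is a regexp over package names that upgrades whatever libssl packages are already installed, which is the intent, but the expression is easy to misread as installing new packages; a brief comment saying so, or an explicit `libssl-dev` name, would make the build dependency clear.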

Property changes on: ruby_2_2
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /trunk:r51409,51453


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
