author | Zachary Scott <e@zzak.io> | 2015-09-23 09:26:00 -0400 |
---|---|---|
committer | Zachary Scott <e@zzak.io> | 2015-09-23 09:26:00 -0400 |
commit | 03c088b936c1bea55687c6345799b28b98c24ee9 (patch) | |
tree | 8b2e7b7ecc54576ecf321717240429c5f168fb40 /lib | |
parent | 4df76773f42ddedf8e0907615a43b144f63f3a83 (diff) | |
download | ruby-openssl-03c088b936c1bea55687c6345799b28b98c24ee9.tar.gz |
Sync with ruby trunk
Diffstat (limited to 'lib')
-rw-r--r-- | lib/openssl.rb | 6 | ||||
-rw-r--r-- | lib/openssl/bn.rb | 7 | ||||
-rw-r--r-- | lib/openssl/buffering.rb | 7 | ||||
-rw-r--r-- | lib/openssl/cipher.rb | 7 | ||||
-rw-r--r-- | lib/openssl/digest.rb | 8 | ||||
-rw-r--r-- | lib/openssl/pkey.rb | 36 | ||||
-rw-r--r-- | lib/openssl/ssl.rb | 142 | ||||
-rw-r--r-- | lib/openssl/x509.rb | 7 |
8 files changed, 164 insertions, 56 deletions
diff --git a/lib/openssl.rb b/lib/openssl.rb
index 1c8feb5c..57f6f970 100644
--- a/lib/openssl.rb
+++ b/lib/openssl.rb
@@ -1,6 +1,4 @@ =begin -= $RCSfile$ -- Loader for all OpenSSL C-space and Ruby-space definitions - = Info 'OpenSSL for Ruby 2' project Copyright (C) 2002 Michal Rokos <m.rokos@sh.cvut.cz>
@@ -9,14 +7,12 @@ = Licence This program is licensed under the same licence as Ruby. (See the file 'LICENCE'.) - -= Version - $Id$ =end require 'openssl.so' require 'openssl/bn' +require 'openssl/pkey' require 'openssl/cipher' require 'openssl/config' require 'openssl/digest'
diff --git a/lib/openssl/bn.rb b/lib/openssl/bn.rb
index 1adf89f7..17148f96 100644
--- a/lib/openssl/bn.rb
+++ b/lib/openssl/bn.rb
@@ -1,7 +1,5 @@ #-- # -# $RCSfile$ -# # = Ruby-space definitions that completes C-space funcs for BN # # = Info
@@ -12,10 +10,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL
@@ -42,4 +36,3 @@ class Integer OpenSSL::BN::new(self) end end # Integer -
diff --git a/lib/openssl/buffering.rb b/lib/openssl/buffering.rb
index 099e9603..a97d9ead 100644
--- a/lib/openssl/buffering.rb
+++ b/lib/openssl/buffering.rb
@@ -1,7 +1,5 @@ # coding: binary #-- -#= $RCSfile$ -- Buffering mix-in module. -# #= Info # 'OpenSSL for Ruby 2' project # Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
@@ -10,9 +8,6 @@ #= Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -#= Version -# $Id$ #++ ##
@@ -213,7 +208,7 @@ module OpenSSL::Buffering else size = idx ? idx+eol.size : nil end - if limit and limit >= 0 + if size && limit && limit >= 0 size = [size, limit].min end consume_rbuff(size)
diff --git a/lib/openssl/cipher.rb b/lib/openssl/cipher.rb
index aacb02ad..c7f0aec5 100644
--- a/lib/openssl/cipher.rb
+++ b/lib/openssl/cipher.rb
@@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space predefined Cipher subclasses # # = Info 
@@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL
diff --git a/lib/openssl/digest.rb b/lib/openssl/digest.rb
index a33ff276..8bf85103 100644
--- a/lib/openssl/digest.rb
+++ b/lib/openssl/digest.rb
@@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space predefined Digest subclasses # # = Info
@@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL
@@ -85,4 +78,3 @@ module OpenSSL module_function :Digest end # OpenSSL -
diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb
new file mode 100644
index 00000000..007934f8
--- /dev/null
+++ b/lib/openssl/pkey.rb
@@ -0,0 +1,36 @@
+module OpenSSL
+ module PKey
+ if defined?(OpenSSL::PKey::DH)
+
+ class DH
+ DEFAULT_512 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+-----END DH PARAMETERS-----
+ _end_of_pem_
+
+ DEFAULT_1024 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
+T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
+-----END DH PARAMETERS-----
+ _end_of_pem_
+ end
+
+ DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+ warn "using default DH parameters." if $VERBOSE
+ case keylen
+ when 512 then OpenSSL::PKey::DH::DEFAULT_512
+ when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+ else
+ nil
+ end
+ }
+
+ else
+ DEFAULT_TMP_DH_CALLBACK = nil
+ end
+ end
+end
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index 0cab141e..ed19e09a 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
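Review bot: DEFAULT_512 and DEFAULT_1024 in the new lib/openssl/pkey.rb are fixed, publicly known DH groups, and DEFAULT_TMP_DH_CALLBACK hands the 512-bit one out whenever `keylen` is 512, a strength widely regarded as breakable and well below current guidance; since the ssl.rb hunk makes SSLSocket fall back to this lambda when the context sets no tmp_dh_callback, a server that never configures DH parameters silently uses these groups. Nothing in the file says this is a last-resort fallback, and the `warn` is gated on `$VERBOSE`, so an operator normally never sees it. Suggest a header comment such as `# Fallback DH groups used only when SSLContext#tmp_dh_callback is unset; the 512-bit group exists for export-grade suites and is not adequate for production — servers should supply their own (2048-bit or larger) parameters.` and consider emitting the warning unconditionally.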
@@ -1,6 +1,4 @@ =begin -= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL - = Info 'OpenSSL for Ruby 2' project Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
@@ -9,13 +7,10 @@ = Licence This program is licensed under the same licence as Ruby. (See the file 'LICENCE'.) - -= Version - $Id$ =end require "openssl/buffering" -require "fcntl" +require "io/nonblock" module OpenSSL module SSL 
@@ -74,6 +69,48 @@ module OpenSSL DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL end + INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path", + "timeout", "verify_mode", "verify_depth", "renegotiation_cb", + "verify_callback", "cert_store", "extra_chain_cert", + "client_cert_cb", "session_id_context", "tmp_dh_callback", + "session_get_cb", "session_new_cb", "session_remove_cb", + "tmp_ecdh_callback", "servername_cb", "npn_protocols", + "alpn_protocols", "alpn_select_cb", + "npn_select_cb"].map { |x| "@#{x}" } + + # A callback invoked when DH parameters are required. + # + # The callback is invoked with the Session for the key exchange, an + # flag indicating the use of an export cipher and the keylength + # required. + # + # The callback must return an OpenSSL::PKey::DH instance of the correct + # key length. + + attr_accessor :tmp_dh_callback + + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + # A callback invoked at connect time to distinguish between multiple + # server names. + # + # The callback is invoked with an SSLSocket and a server name. The + # callback must return an SSLContext for the server name or nil. + attr_accessor :servername_cb + end + + # call-seq: + # SSLContext.new => ctx + # SSLContext.new(:TLSv1) => ctx + # SSLContext.new("SSLv23_client") => ctx + # + # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS + def initialize(version = nil) + INIT_VARS.each { |v| instance_variable_set v, nil } + self.options = self.options | OpenSSL::SSL::OP_ALL + return unless version + self.ssl_version = version + end + ## # Sets the parameters for this SSL context to the values in +params+. # The keys in +params+ must be assignment methods on SSLContext. 
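Review bot: `self.options = self.options | OpenSSL::SSL::OP_ALL` in the new SSLContext#initialize enables every OpenSSL compatibility workaround on each context by default, but neither the call-seq comment above it nor the INIT_VARS block says so; in OpenSSL releases of this era OP_ALL is known to include behaviour-relaxing bits (for example SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), so a reader tuning `options=` should know the baseline. Suggest a why-comment on that line: `# OP_ALL: OpenSSL's interoperability workarounds, on by default; clear bits via #options= for stricter behaviour.` The tmp_dh_callback documentation also reads "an flag indicating the use of an export cipher" and should say "a flag". The enclosing SSLContext class starts outside the hunk.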
@@ -124,15 +161,6 @@ module OpenSSL end end - module Nonblock - def initialize(*args) - flag = File::NONBLOCK - flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL) - @io.fcntl(Fcntl::F_SETFL, flag) - super - end - end - def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext|
@@ -220,7 +248,53 @@ module OpenSSL class SSLSocket include Buffering include SocketForwarder - include Nonblock + + if OpenSSL::ExtConfig::OPENSSL_NO_SOCK + def initialize(io, ctx = nil); raise NotImplmentedError; end + else + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + attr_accessor :hostname + end + + attr_reader :io, :context + attr_accessor :sync_close + alias :to_io :io + + # call-seq: + # SSLSocket.new(io) => aSSLSocket + # SSLSocket.new(io, ctx) => aSSLSocket + # + # Creates a new SSL socket from +io+ which must be a real ruby object (not an + # IO-like object that responds to read/write). + # + # If +ctx+ is provided the SSL Sockets initial params will be taken from + # the context. + # + # The OpenSSL::Buffering module provides additional IO methods. + # + # This method will freeze the SSLContext if one is provided; + # however, session management is still allowed in the frozen SSLContext. + + def initialize(io, context = OpenSSL::SSL::SSLContext.new) + @io = io + @context = context + @sync_close = false + @hostname = nil + @io.nonblock = true if @io.respond_to?(:nonblock=) + context.setup + super() + end + end + + # call-seq: + # ssl.sysclose => nil + # + # Shuts down the SSL connection and prepares it for another connection. + def sysclose + return if closed? + stop + io.close if sync_close + end ## # Perform hostname verification after an SSL connection is established 
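Review bot: `raise NotImplmentedError` in the OPENSSL_NO_SOCK branch of SSLSocket#initialize misspells the constant, so on such a build the call fails with NameError (uninitialized constant) rather than the intended NotImplementedError; change it to `def initialize(io, ctx = nil); raise NotImplementedError; end`. In the other branch, `@io.nonblock = true if @io.respond_to?(:nonblock=)` silently leaves an object that lacks `nonblock=` in blocking mode although the docstring says +io+ must be a real IO; a one-line comment such as `# objects without nonblock= are left as-is; the docstring requires a real IO` would make the skip deliberate. The docstring also states the SSLContext is frozen, but the visible code only calls `context.setup`, so that claim presumably rests on the C-side setup and is worth confirming. The SSLSocket class continues outside the hunk.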
@@ -228,6 +302,14 @@ module OpenSSL # This method MUST be called after calling #connect to ensure that the # hostname of a remote peer has been verified. def post_connection_check(hostname) + if peer_cert.nil? + msg = "Peer verification enabled, but no certificate received." + if using_anon_cipher? + msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification." + end + raise SSLError, msg + end + unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" end
@@ -239,6 +321,34 @@ module OpenSSL rescue SSL::Session::SessionError nil end + + private + + def using_anon_cipher? + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + ctx.ciphers.include?(cipher) + end + + def client_cert_cb + @context.client_cert_cb + end + + def tmp_dh_callback + @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK + end + + def tmp_ecdh_callback + @context.tmp_ecdh_callback + end + + def session_new_cb + @context.session_new_cb + end + + def session_get_cb + @context.session_get_cb + end end ##
diff --git a/lib/openssl/x509.rb b/lib/openssl/x509.rb
index 497ffe0a..e76c6b8c 100644
--- a/lib/openssl/x509.rb
+++ b/lib/openssl/x509.rb
@@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space definitions that completes C-space funcs for X509 and subclasses # # = Info
@@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL |
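Review bot: The new guard in post_connection_check raises "Peer verification enabled, but no certificate received." whenever peer_cert is nil, but nothing in the hunk consults the context's verify_mode, so the message asserts a setting the method has not examined and a caller running with VERIFY_NONE could get a misleading explanation. Consider stating only what is known, e.g. `msg = "No peer certificate received; hostname cannot be verified."`, or check `@context.verify_mode` before claiming verification is enabled. The anonymous-suite diagnosis in using_anon_cipher? is reactive — it runs only after a handshake has already completed without a certificate — so a comment noting that the preventive control is excluding aNULL from the context's cipher list, so such suites are never negotiated, would help readers. The SSLSocket class starts outside the hunk.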