gitlab-puma 4.3.1.gitlab.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/History.md +1537 -0
- data/LICENSE +26 -0
- data/README.md +291 -0
- data/bin/puma +10 -0
- data/bin/puma-wild +31 -0
- data/bin/pumactl +12 -0
- data/docs/architecture.md +37 -0
- data/docs/deployment.md +111 -0
- data/docs/images/puma-connection-flow-no-reactor.png +0 -0
- data/docs/images/puma-connection-flow.png +0 -0
- data/docs/images/puma-general-arch.png +0 -0
- data/docs/nginx.md +80 -0
- data/docs/plugins.md +38 -0
- data/docs/restart.md +41 -0
- data/docs/signals.md +96 -0
- data/docs/systemd.md +290 -0
- data/docs/tcp_mode.md +96 -0
- data/ext/puma_http11/PumaHttp11Service.java +19 -0
- data/ext/puma_http11/ext_help.h +15 -0
- data/ext/puma_http11/extconf.rb +28 -0
- data/ext/puma_http11/http11_parser.c +1044 -0
- data/ext/puma_http11/http11_parser.h +65 -0
- data/ext/puma_http11/http11_parser.java.rl +145 -0
- data/ext/puma_http11/http11_parser.rl +147 -0
- data/ext/puma_http11/http11_parser_common.rl +54 -0
- data/ext/puma_http11/io_buffer.c +155 -0
- data/ext/puma_http11/mini_ssl.c +553 -0
- data/ext/puma_http11/org/jruby/puma/Http11.java +226 -0
- data/ext/puma_http11/org/jruby/puma/Http11Parser.java +455 -0
- data/ext/puma_http11/org/jruby/puma/IOBuffer.java +72 -0
- data/ext/puma_http11/org/jruby/puma/MiniSSL.java +363 -0
- data/ext/puma_http11/puma_http11.c +502 -0
- data/lib/puma.rb +31 -0
- data/lib/puma/accept_nonblock.rb +29 -0
- data/lib/puma/app/status.rb +80 -0
- data/lib/puma/binder.rb +385 -0
- data/lib/puma/cli.rb +239 -0
- data/lib/puma/client.rb +494 -0
- data/lib/puma/cluster.rb +554 -0
- data/lib/puma/commonlogger.rb +108 -0
- data/lib/puma/configuration.rb +362 -0
- data/lib/puma/const.rb +242 -0
- data/lib/puma/control_cli.rb +289 -0
- data/lib/puma/detect.rb +15 -0
- data/lib/puma/dsl.rb +740 -0
- data/lib/puma/events.rb +156 -0
- data/lib/puma/io_buffer.rb +4 -0
- data/lib/puma/jruby_restart.rb +84 -0
- data/lib/puma/launcher.rb +475 -0
- data/lib/puma/minissl.rb +278 -0
- data/lib/puma/minissl/context_builder.rb +76 -0
- data/lib/puma/null_io.rb +44 -0
- data/lib/puma/plugin.rb +120 -0
- data/lib/puma/plugin/tmp_restart.rb +36 -0
- data/lib/puma/rack/builder.rb +301 -0
- data/lib/puma/rack/urlmap.rb +93 -0
- data/lib/puma/rack_default.rb +9 -0
- data/lib/puma/reactor.rb +400 -0
- data/lib/puma/runner.rb +192 -0
- data/lib/puma/server.rb +1053 -0
- data/lib/puma/single.rb +123 -0
- data/lib/puma/state_file.rb +31 -0
- data/lib/puma/tcp_logger.rb +41 -0
- data/lib/puma/thread_pool.rb +348 -0
- data/lib/puma/util.rb +124 -0
- data/lib/rack/handler/puma.rb +115 -0
- data/tools/docker/Dockerfile +16 -0
- data/tools/jungle/README.md +19 -0
- data/tools/jungle/init.d/README.md +61 -0
- data/tools/jungle/init.d/puma +421 -0
- data/tools/jungle/init.d/run-puma +18 -0
- data/tools/jungle/rc.d/README.md +74 -0
- data/tools/jungle/rc.d/puma +61 -0
- data/tools/jungle/rc.d/puma.conf +10 -0
- data/tools/jungle/upstart/README.md +61 -0
- data/tools/jungle/upstart/puma-manager.conf +31 -0
- data/tools/jungle/upstart/puma.conf +69 -0
- data/tools/trickletest.rb +44 -0
- metadata +147 -0
@@ -0,0 +1,553 @@
|
|
1
|
+
#define RSTRING_NOT_MODIFIED 1
|
2
|
+
|
3
|
+
#include <ruby.h>
|
4
|
+
#include <ruby/version.h>
|
5
|
+
|
6
|
+
#if RUBY_API_VERSION_MAJOR == 1
|
7
|
+
#include <rubyio.h>
|
8
|
+
#else
|
9
|
+
#include <ruby/io.h>
|
10
|
+
#endif
|
11
|
+
|
12
|
+
#ifdef HAVE_OPENSSL_BIO_H
|
13
|
+
|
14
|
+
#include <openssl/bio.h>
|
15
|
+
#include <openssl/ssl.h>
|
16
|
+
#include <openssl/dh.h>
|
17
|
+
#include <openssl/err.h>
|
18
|
+
#include <openssl/x509.h>
|
19
|
+
|
20
|
+
#ifndef SSL_OP_NO_COMPRESSION
|
21
|
+
#define SSL_OP_NO_COMPRESSION 0
|
22
|
+
#endif
|
23
|
+
|
24
|
+
typedef struct {
|
25
|
+
BIO* read;
|
26
|
+
BIO* write;
|
27
|
+
SSL* ssl;
|
28
|
+
SSL_CTX* ctx;
|
29
|
+
} ms_conn;
|
30
|
+
|
31
|
+
typedef struct {
|
32
|
+
unsigned char* buf;
|
33
|
+
int bytes;
|
34
|
+
} ms_cert_buf;
|
35
|
+
|
36
|
+
void engine_free(ms_conn* conn) {
|
37
|
+
ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
|
38
|
+
if(cert_buf) {
|
39
|
+
OPENSSL_free(cert_buf->buf);
|
40
|
+
free(cert_buf);
|
41
|
+
}
|
42
|
+
SSL_free(conn->ssl);
|
43
|
+
SSL_CTX_free(conn->ctx);
|
44
|
+
|
45
|
+
free(conn);
|
46
|
+
}
|
47
|
+
|
48
|
+
ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
|
49
|
+
ms_conn* conn;
|
50
|
+
|
51
|
+
*obj = Data_Make_Struct(klass, ms_conn, 0, engine_free, conn);
|
52
|
+
|
53
|
+
conn->read = BIO_new(BIO_s_mem());
|
54
|
+
BIO_set_nbio(conn->read, 1);
|
55
|
+
|
56
|
+
conn->write = BIO_new(BIO_s_mem());
|
57
|
+
BIO_set_nbio(conn->write, 1);
|
58
|
+
|
59
|
+
conn->ssl = 0;
|
60
|
+
conn->ctx = 0;
|
61
|
+
|
62
|
+
return conn;
|
63
|
+
}
|
64
|
+
|
65
|
+
DH *get_dh1024() {
|
66
|
+
/* `openssl dhparam 1024 -C`
|
67
|
+
* -----BEGIN DH PARAMETERS-----
|
68
|
+
* MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk
|
69
|
+
* usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+
|
70
|
+
* KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC
|
71
|
+
* -----END DH PARAMETERS-----
|
72
|
+
*/
|
73
|
+
static unsigned char dh1024_p[] = {
|
74
|
+
0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C,
|
75
|
+
0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5,
|
76
|
+
0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E,
|
77
|
+
0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74,
|
78
|
+
0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0,
|
79
|
+
0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4,
|
80
|
+
0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0,
|
81
|
+
0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1,
|
82
|
+
0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71,
|
83
|
+
0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67,
|
84
|
+
0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B
|
85
|
+
};
|
86
|
+
static unsigned char dh1024_g[] = { 0x02 };
|
87
|
+
|
88
|
+
DH *dh;
|
89
|
+
dh = DH_new();
|
90
|
+
|
91
|
+
#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
|
92
|
+
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
93
|
+
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
94
|
+
|
95
|
+
if ((dh->p == NULL) || (dh->g == NULL)) {
|
96
|
+
DH_free(dh);
|
97
|
+
return NULL;
|
98
|
+
}
|
99
|
+
#else
|
100
|
+
BIGNUM *p, *g;
|
101
|
+
p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
102
|
+
g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
103
|
+
|
104
|
+
if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
|
105
|
+
DH_free(dh);
|
106
|
+
BN_free(p);
|
107
|
+
BN_free(g);
|
108
|
+
return NULL;
|
109
|
+
}
|
110
|
+
#endif
|
111
|
+
|
112
|
+
return dh;
|
113
|
+
}
|
114
|
+
|
115
|
+
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
|
116
|
+
X509* err_cert;
|
117
|
+
SSL* ssl;
|
118
|
+
int bytes;
|
119
|
+
unsigned char* buf = NULL;
|
120
|
+
|
121
|
+
if(!preverify_ok) {
|
122
|
+
err_cert = X509_STORE_CTX_get_current_cert(ctx);
|
123
|
+
if(err_cert) {
|
124
|
+
/*
|
125
|
+
* Save the failed certificate for inspection/logging.
|
126
|
+
*/
|
127
|
+
bytes = i2d_X509(err_cert, &buf);
|
128
|
+
if(bytes > 0) {
|
129
|
+
ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
|
130
|
+
cert_buf->buf = buf;
|
131
|
+
cert_buf->bytes = bytes;
|
132
|
+
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
133
|
+
SSL_set_app_data(ssl, cert_buf);
|
134
|
+
}
|
135
|
+
}
|
136
|
+
}
|
137
|
+
|
138
|
+
return preverify_ok;
|
139
|
+
}
|
140
|
+
|
141
|
+
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
|
142
|
+
VALUE obj;
|
143
|
+
SSL_CTX* ctx;
|
144
|
+
SSL* ssl;
|
145
|
+
int min, ssl_options;
|
146
|
+
|
147
|
+
ms_conn* conn = engine_alloc(self, &obj);
|
148
|
+
|
149
|
+
ID sym_key = rb_intern("key");
|
150
|
+
VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
|
151
|
+
|
152
|
+
StringValue(key);
|
153
|
+
|
154
|
+
ID sym_cert = rb_intern("cert");
|
155
|
+
VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
|
156
|
+
|
157
|
+
StringValue(cert);
|
158
|
+
|
159
|
+
ID sym_ca = rb_intern("ca");
|
160
|
+
VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
|
161
|
+
|
162
|
+
ID sym_verify_mode = rb_intern("verify_mode");
|
163
|
+
VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
|
164
|
+
|
165
|
+
ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter");
|
166
|
+
VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0);
|
167
|
+
|
168
|
+
ID sym_no_tlsv1 = rb_intern("no_tlsv1");
|
169
|
+
VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0);
|
170
|
+
|
171
|
+
ID sym_no_tlsv1_1 = rb_intern("no_tlsv1_1");
|
172
|
+
VALUE no_tlsv1_1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1_1, 0);
|
173
|
+
|
174
|
+
#ifdef HAVE_TLS_SERVER_METHOD
|
175
|
+
ctx = SSL_CTX_new(TLS_server_method());
|
176
|
+
#else
|
177
|
+
ctx = SSL_CTX_new(SSLv23_server_method());
|
178
|
+
#endif
|
179
|
+
conn->ctx = ctx;
|
180
|
+
|
181
|
+
SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
|
182
|
+
SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
|
183
|
+
|
184
|
+
if (!NIL_P(ca)) {
|
185
|
+
StringValue(ca);
|
186
|
+
SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
|
187
|
+
}
|
188
|
+
|
189
|
+
ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION;
|
190
|
+
|
191
|
+
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
|
192
|
+
if (RTEST(no_tlsv1_1)) {
|
193
|
+
min = TLS1_2_VERSION;
|
194
|
+
}
|
195
|
+
else if (RTEST(no_tlsv1)) {
|
196
|
+
min = TLS1_1_VERSION;
|
197
|
+
}
|
198
|
+
else {
|
199
|
+
min = TLS1_VERSION;
|
200
|
+
}
|
201
|
+
|
202
|
+
SSL_CTX_set_min_proto_version(ctx, min);
|
203
|
+
|
204
|
+
SSL_CTX_set_options(ctx, ssl_options);
|
205
|
+
|
206
|
+
#else
|
207
|
+
/* As of 1.0.2f, SSL_OP_SINGLE_DH_USE key use is always on */
|
208
|
+
ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;
|
209
|
+
|
210
|
+
if (RTEST(no_tlsv1)) {
|
211
|
+
ssl_options |= SSL_OP_NO_TLSv1;
|
212
|
+
}
|
213
|
+
if(RTEST(no_tlsv1_1)) {
|
214
|
+
ssl_options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
|
215
|
+
}
|
216
|
+
SSL_CTX_set_options(ctx, ssl_options);
|
217
|
+
#endif
|
218
|
+
|
219
|
+
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
220
|
+
|
221
|
+
if (!NIL_P(ssl_cipher_filter)) {
|
222
|
+
StringValue(ssl_cipher_filter);
|
223
|
+
SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(ssl_cipher_filter));
|
224
|
+
}
|
225
|
+
else {
|
226
|
+
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
|
227
|
+
}
|
228
|
+
|
229
|
+
DH *dh = get_dh1024();
|
230
|
+
SSL_CTX_set_tmp_dh(ctx, dh);
|
231
|
+
|
232
|
+
#if OPENSSL_VERSION_NUMBER < 0x10002000L
|
233
|
+
// Remove this case if OpenSSL 1.0.1 (now EOL) support is no
|
234
|
+
// longer needed.
|
235
|
+
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
236
|
+
if (ecdh) {
|
237
|
+
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
|
238
|
+
EC_KEY_free(ecdh);
|
239
|
+
}
|
240
|
+
#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
241
|
+
// Prior to OpenSSL 1.1.0, servers must manually enable server-side ECDH
|
242
|
+
// negotiation.
|
243
|
+
SSL_CTX_set_ecdh_auto(ctx, 1);
|
244
|
+
#endif
|
245
|
+
|
246
|
+
ssl = SSL_new(ctx);
|
247
|
+
conn->ssl = ssl;
|
248
|
+
SSL_set_app_data(ssl, NULL);
|
249
|
+
|
250
|
+
if (NIL_P(verify_mode)) {
|
251
|
+
/* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
|
252
|
+
} else {
|
253
|
+
SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
|
254
|
+
}
|
255
|
+
|
256
|
+
SSL_set_bio(ssl, conn->read, conn->write);
|
257
|
+
|
258
|
+
SSL_set_accept_state(ssl);
|
259
|
+
return obj;
|
260
|
+
}
|
261
|
+
|
262
|
+
VALUE engine_init_client(VALUE klass) {
|
263
|
+
VALUE obj;
|
264
|
+
ms_conn* conn = engine_alloc(klass, &obj);
|
265
|
+
#ifdef HAVE_DTLS_METHOD
|
266
|
+
conn->ctx = SSL_CTX_new(DTLS_method());
|
267
|
+
#else
|
268
|
+
conn->ctx = SSL_CTX_new(DTLSv1_method());
|
269
|
+
#endif
|
270
|
+
conn->ssl = SSL_new(conn->ctx);
|
271
|
+
SSL_set_app_data(conn->ssl, NULL);
|
272
|
+
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
|
273
|
+
|
274
|
+
SSL_set_bio(conn->ssl, conn->read, conn->write);
|
275
|
+
|
276
|
+
SSL_set_connect_state(conn->ssl);
|
277
|
+
return obj;
|
278
|
+
}
|
279
|
+
|
280
|
+
VALUE engine_inject(VALUE self, VALUE str) {
|
281
|
+
ms_conn* conn;
|
282
|
+
long used;
|
283
|
+
|
284
|
+
Data_Get_Struct(self, ms_conn, conn);
|
285
|
+
|
286
|
+
StringValue(str);
|
287
|
+
|
288
|
+
used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str));
|
289
|
+
|
290
|
+
if(used == 0 || used == -1) {
|
291
|
+
return Qfalse;
|
292
|
+
}
|
293
|
+
|
294
|
+
return INT2FIX(used);
|
295
|
+
}
|
296
|
+
|
297
|
+
static VALUE eError;
|
298
|
+
|
299
|
+
void raise_error(SSL* ssl, int result) {
|
300
|
+
char buf[512];
|
301
|
+
char msg[512];
|
302
|
+
const char* err_str;
|
303
|
+
int err = errno;
|
304
|
+
int ssl_err = SSL_get_error(ssl, result);
|
305
|
+
int verify_err = (int) SSL_get_verify_result(ssl);
|
306
|
+
|
307
|
+
if(SSL_ERROR_SYSCALL == ssl_err) {
|
308
|
+
snprintf(msg, sizeof(msg), "System error: %s - %d", strerror(err), err);
|
309
|
+
|
310
|
+
} else if(SSL_ERROR_SSL == ssl_err) {
|
311
|
+
if(X509_V_OK != verify_err) {
|
312
|
+
err_str = X509_verify_cert_error_string(verify_err);
|
313
|
+
snprintf(msg, sizeof(msg),
|
314
|
+
"OpenSSL certificate verification error: %s - %d",
|
315
|
+
err_str, verify_err);
|
316
|
+
|
317
|
+
} else {
|
318
|
+
err = (int) ERR_get_error();
|
319
|
+
ERR_error_string_n(err, buf, sizeof(buf));
|
320
|
+
snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err);
|
321
|
+
|
322
|
+
}
|
323
|
+
} else {
|
324
|
+
snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
|
325
|
+
}
|
326
|
+
|
327
|
+
ERR_clear_error();
|
328
|
+
rb_raise(eError, "%s", msg);
|
329
|
+
}
|
330
|
+
|
331
|
+
VALUE engine_read(VALUE self) {
|
332
|
+
ms_conn* conn;
|
333
|
+
char buf[512];
|
334
|
+
int bytes, error;
|
335
|
+
|
336
|
+
Data_Get_Struct(self, ms_conn, conn);
|
337
|
+
|
338
|
+
ERR_clear_error();
|
339
|
+
|
340
|
+
bytes = SSL_read(conn->ssl, (void*)buf, sizeof(buf));
|
341
|
+
|
342
|
+
if(bytes > 0) {
|
343
|
+
return rb_str_new(buf, bytes);
|
344
|
+
}
|
345
|
+
|
346
|
+
if(SSL_want_read(conn->ssl)) return Qnil;
|
347
|
+
|
348
|
+
error = SSL_get_error(conn->ssl, bytes);
|
349
|
+
|
350
|
+
if(error == SSL_ERROR_ZERO_RETURN) {
|
351
|
+
rb_eof_error();
|
352
|
+
} else {
|
353
|
+
raise_error(conn->ssl, bytes);
|
354
|
+
}
|
355
|
+
|
356
|
+
return Qnil;
|
357
|
+
}
|
358
|
+
|
359
|
+
VALUE engine_write(VALUE self, VALUE str) {
|
360
|
+
ms_conn* conn;
|
361
|
+
int bytes;
|
362
|
+
|
363
|
+
Data_Get_Struct(self, ms_conn, conn);
|
364
|
+
|
365
|
+
StringValue(str);
|
366
|
+
|
367
|
+
ERR_clear_error();
|
368
|
+
|
369
|
+
bytes = SSL_write(conn->ssl, (void*)RSTRING_PTR(str), (int)RSTRING_LEN(str));
|
370
|
+
if(bytes > 0) {
|
371
|
+
return INT2FIX(bytes);
|
372
|
+
}
|
373
|
+
|
374
|
+
if(SSL_want_write(conn->ssl)) return Qnil;
|
375
|
+
|
376
|
+
raise_error(conn->ssl, bytes);
|
377
|
+
|
378
|
+
return Qnil;
|
379
|
+
}
|
380
|
+
|
381
|
+
VALUE engine_extract(VALUE self) {
|
382
|
+
ms_conn* conn;
|
383
|
+
int bytes;
|
384
|
+
size_t pending;
|
385
|
+
char buf[512];
|
386
|
+
|
387
|
+
Data_Get_Struct(self, ms_conn, conn);
|
388
|
+
|
389
|
+
pending = BIO_pending(conn->write);
|
390
|
+
if(pending > 0) {
|
391
|
+
bytes = BIO_read(conn->write, buf, sizeof(buf));
|
392
|
+
if(bytes > 0) {
|
393
|
+
return rb_str_new(buf, bytes);
|
394
|
+
} else if(!BIO_should_retry(conn->write)) {
|
395
|
+
raise_error(conn->ssl, bytes);
|
396
|
+
}
|
397
|
+
}
|
398
|
+
|
399
|
+
return Qnil;
|
400
|
+
}
|
401
|
+
|
402
|
+
VALUE engine_shutdown(VALUE self) {
|
403
|
+
ms_conn* conn;
|
404
|
+
int ok;
|
405
|
+
|
406
|
+
Data_Get_Struct(self, ms_conn, conn);
|
407
|
+
|
408
|
+
ERR_clear_error();
|
409
|
+
|
410
|
+
ok = SSL_shutdown(conn->ssl);
|
411
|
+
if (ok == 0) {
|
412
|
+
return Qfalse;
|
413
|
+
}
|
414
|
+
|
415
|
+
return Qtrue;
|
416
|
+
}
|
417
|
+
|
418
|
+
VALUE engine_init(VALUE self) {
|
419
|
+
ms_conn* conn;
|
420
|
+
|
421
|
+
Data_Get_Struct(self, ms_conn, conn);
|
422
|
+
|
423
|
+
return SSL_in_init(conn->ssl) ? Qtrue : Qfalse;
|
424
|
+
}
|
425
|
+
|
426
|
+
VALUE engine_peercert(VALUE self) {
|
427
|
+
ms_conn* conn;
|
428
|
+
X509* cert;
|
429
|
+
int bytes;
|
430
|
+
unsigned char* buf = NULL;
|
431
|
+
ms_cert_buf* cert_buf = NULL;
|
432
|
+
VALUE rb_cert_buf;
|
433
|
+
|
434
|
+
Data_Get_Struct(self, ms_conn, conn);
|
435
|
+
|
436
|
+
cert = SSL_get_peer_certificate(conn->ssl);
|
437
|
+
if(!cert) {
|
438
|
+
/*
|
439
|
+
* See if there was a failed certificate associated with this client.
|
440
|
+
*/
|
441
|
+
cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
|
442
|
+
if(!cert_buf) {
|
443
|
+
return Qnil;
|
444
|
+
}
|
445
|
+
buf = cert_buf->buf;
|
446
|
+
bytes = cert_buf->bytes;
|
447
|
+
|
448
|
+
} else {
|
449
|
+
bytes = i2d_X509(cert, &buf);
|
450
|
+
X509_free(cert);
|
451
|
+
|
452
|
+
if(bytes < 0) {
|
453
|
+
return Qnil;
|
454
|
+
}
|
455
|
+
}
|
456
|
+
|
457
|
+
rb_cert_buf = rb_str_new((const char*)(buf), bytes);
|
458
|
+
if(!cert_buf) {
|
459
|
+
OPENSSL_free(buf);
|
460
|
+
}
|
461
|
+
|
462
|
+
return rb_cert_buf;
|
463
|
+
}
|
464
|
+
|
465
|
+
VALUE noop(VALUE self) {
|
466
|
+
return Qnil;
|
467
|
+
}
|
468
|
+
|
469
|
+
void Init_mini_ssl(VALUE puma) {
|
470
|
+
VALUE mod, eng;
|
471
|
+
|
472
|
+
/* Fake operation for documentation (RDoc, YARD) */
|
473
|
+
#if 0 == 1
|
474
|
+
puma = rb_define_module("Puma");
|
475
|
+
#endif
|
476
|
+
|
477
|
+
SSL_library_init();
|
478
|
+
OpenSSL_add_ssl_algorithms();
|
479
|
+
SSL_load_error_strings();
|
480
|
+
ERR_load_crypto_strings();
|
481
|
+
|
482
|
+
mod = rb_define_module_under(puma, "MiniSSL");
|
483
|
+
eng = rb_define_class_under(mod, "Engine", rb_cObject);
|
484
|
+
|
485
|
+
// OpenSSL Build / Runtime/Load versions
|
486
|
+
|
487
|
+
/* Version of OpenSSL that Puma was compiled with */
|
488
|
+
rb_define_const(mod, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
|
489
|
+
|
490
|
+
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
|
491
|
+
/* Version of OpenSSL that Puma loaded with */
|
492
|
+
rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
|
493
|
+
#else
|
494
|
+
rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
|
495
|
+
#endif
|
496
|
+
|
497
|
+
#if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
|
498
|
+
/* True if SSL3 is not available */
|
499
|
+
rb_define_const(mod, "OPENSSL_NO_SSL3", Qtrue);
|
500
|
+
#else
|
501
|
+
rb_define_const(mod, "OPENSSL_NO_SSL3", Qfalse);
|
502
|
+
#endif
|
503
|
+
|
504
|
+
#if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
|
505
|
+
/* True if TLS1 is not available */
|
506
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1", Qtrue);
|
507
|
+
#else
|
508
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1", Qfalse);
|
509
|
+
#endif
|
510
|
+
|
511
|
+
#if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
|
512
|
+
/* True if TLS1_1 is not available */
|
513
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qtrue);
|
514
|
+
#else
|
515
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qfalse);
|
516
|
+
#endif
|
517
|
+
|
518
|
+
rb_define_singleton_method(mod, "check", noop, 0);
|
519
|
+
|
520
|
+
eError = rb_define_class_under(mod, "SSLError", rb_eStandardError);
|
521
|
+
|
522
|
+
rb_define_singleton_method(eng, "server", engine_init_server, 1);
|
523
|
+
rb_define_singleton_method(eng, "client", engine_init_client, 0);
|
524
|
+
|
525
|
+
rb_define_method(eng, "inject", engine_inject, 1);
|
526
|
+
rb_define_method(eng, "read", engine_read, 0);
|
527
|
+
|
528
|
+
rb_define_method(eng, "write", engine_write, 1);
|
529
|
+
rb_define_method(eng, "extract", engine_extract, 0);
|
530
|
+
|
531
|
+
rb_define_method(eng, "shutdown", engine_shutdown, 0);
|
532
|
+
|
533
|
+
rb_define_method(eng, "init?", engine_init, 0);
|
534
|
+
|
535
|
+
rb_define_method(eng, "peercert", engine_peercert, 0);
|
536
|
+
}
|
537
|
+
|
538
|
+
#else
|
539
|
+
|
540
|
+
VALUE raise_error(VALUE self) {
|
541
|
+
rb_raise(rb_eStandardError, "SSL not available in this build");
|
542
|
+
return Qnil;
|
543
|
+
}
|
544
|
+
|
545
|
+
void Init_mini_ssl(VALUE puma) {
|
546
|
+
VALUE mod;
|
547
|
+
|
548
|
+
mod = rb_define_module_under(puma, "MiniSSL");
|
549
|
+
rb_define_class_under(mod, "SSLError", rb_eStandardError);
|
550
|
+
|
551
|
+
rb_define_singleton_method(mod, "check", raise_error, 0);
|
552
|
+
}
|
553
|
+
#endif
|