httpclient 2.6.0.1 → 2.7.0

data/lib/httpclient/ssl_config.rb

@@ -1,5 +1,5 @@
 # HTTPClient - HTTP client library.
-# Copyright (C) 2000-2009  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
 #
 # This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
 # redistribute it and/or modify it under the same terms of Ruby's license;
@@ -20,20 +20,19 @@ class HTTPClient
   #
   # == Trust Anchor Control
   #
-  # SSLConfig loads 'httpclient/cacert.p7s' as a trust anchor
+  # SSLConfig loads 'httpclient/cacert.pem' as a trust anchor
   # (trusted certificate(s)) with add_trust_ca in initialization time.
   # This means that HTTPClient instance trusts some CA certificates by default,
-  # like Web browsers.  'httpclient/cacert.p7s' is created by the author and
-  # included in released package.
-  #
-  # 'cacert.p7s' is automatically generated from JDK 1.6.  Regardless its
-  # filename extension (p7s), HTTPClient doesn't verify the signature in it.
+  # like Web browsers.  'httpclient/cacert.pem' is downloaded from curl web
+  # site by the author and included in released package.
   #
   # You may want to change trust anchor by yourself.  Call clear_cert_store
   # then add_trust_ca for that purpose.
   class SSLConfig
     include OpenSSL if SSLEnabled
 
+    CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+
     # Which TLS protocol version (also called method) will be used. Defaults
     # to :auto which means that OpenSSL decides (In my tests this resulted 
     # with always the highest available protocol being used).
@@ -42,18 +41,20 @@ class HTTPClient
     # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
     # in your specific Ruby environment.
     attr_reader :ssl_version
-    # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
-    # nil by default. (no client authenticateion)
+    # OpenSSL::X509::Certificate:: certificate for SSL client authentication.
+    # nil by default. (no client authentication)
     attr_reader :client_cert
     # OpenSSL::PKey::PKey:: private key for SSL client authentication.
-    # nil by default. (no client authenticateion)
+    # nil by default. (no client authentication)
     attr_reader :client_key
+    attr_reader :client_key_pass
 
     # A number which represents OpenSSL's verify mode.  Default value is
     # OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT.
     attr_reader :verify_mode
     # A number of verify depth.  Certification path which length is longer than
     # this depth is not allowed.
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
     attr_reader :verify_depth
     # A callback handler for custom certificate verification.  nil by default.
     # If the handler is set, handler.call is invoked just after general
@@ -65,6 +66,8 @@ class HTTPClient
     attr_reader :timeout
     # A number of OpenSSL's SSL options.  Default value is
     # OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
+    # CAUTION: this is OpenSSL specific option and ignored on JRuby.
+    # Use ssl_version to specify the TLS version you want to use.
     attr_reader :options
     # A String of OpenSSL's cipher configuration.  Default value is
     # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
@@ -78,11 +81,17 @@ class HTTPClient
     # For server side configuration.  Ignore this.
     attr_reader :client_ca # :nodoc:
 
+    # These array keeps original files/dirs that was added to @cert_store
+    attr_reader :cert_store_items
+    attr_reader :cert_store_crl_items
+
     # Creates a SSLConfig.
     def initialize(client)
       return unless SSLEnabled
       @client = client
       @cert_store = X509::Store.new
+      @cert_store_items = [:default]
+      @cert_store_crl_items = []
       @client_cert = @client_key = @client_ca = nil
       @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       @verify_depth = nil
@@ -97,7 +106,7 @@ class HTTPClient
       @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
       @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
       # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
-      @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+      @ciphers = CIPHERS_DEFAULT
       @cacerts_loaded = false
     end
 
@@ -135,8 +144,7 @@ class HTTPClient
     #
     # Calling this method resets all existing sessions.
     def set_client_cert_file(cert_file, key_file, pass = nil)
-      @client_cert = X509::Certificate.new(File.open(cert_file) { |f| f.read })
-      @client_key = PKey::RSA.new(File.open(key_file) { |f| f.read }, pass)
+      @client_cert, @client_key, @client_key_pass = cert_file, key_file, pass
       change_notify
     end
 
@@ -155,6 +163,7 @@ class HTTPClient
       @cacerts_loaded = true # avoid lazy override
       @cert_store = X509::Store.new
       @cert_store.set_default_paths
+      @cert_store_items = [ENV['SSL_CERT_FILE'] || :default]
       change_notify
     end
 
@@ -165,6 +174,7 @@ class HTTPClient
     def clear_cert_store
       @cacerts_loaded = true # avoid lazy override
       @cert_store = X509::Store.new
+      @cert_store_items.clear
       change_notify
     end
 
@@ -175,6 +185,7 @@ class HTTPClient
     def cert_store=(cert_store)
       @cacerts_loaded = true # avoid lazy override
       @cert_store = cert_store
+      @cert_store_items.clear
       change_notify
     end
 
@@ -188,6 +199,7 @@ class HTTPClient
     def add_trust_ca(trust_ca_file_or_hashed_dir)
       @cacerts_loaded = true # avoid lazy override
       add_trust_ca_to_store(@cert_store, trust_ca_file_or_hashed_dir)
+      @cert_store_items << trust_ca_file_or_hashed_dir
       change_notify
     end
     alias set_trust_ca add_trust_ca
@@ -211,12 +223,20 @@ class HTTPClient
     # crl:: a OpenSSL::X509::CRL or a filename of a PEM/DER formatted
     #       OpenSSL::X509::CRL.
     #
+    # On JRuby, instead of setting CRL by yourself you can set following
+    # options to let HTTPClient to perform revocation check with CRL and OCSP:
+    # -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true
+    # ex. jruby -J-Dcom.sun.security.enableCRLDP=true -J-Dcom.sun.net.ssl.checkRevocation=true app.rb
+    #
+    # Revoked cert example: https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html
+    #
     # Calling this method resets all existing sessions.
     def add_crl(crl)
       unless crl.is_a?(X509::CRL)
         crl = X509::CRL.new(File.open(crl) { |f| f.read })
       end
       @cert_store.add_crl(crl)
+      @cert_store_crl_items << crl
       @cert_store.flags = X509::V_FLAG_CRL_CHECK | X509::V_FLAG_CRL_CHECK_ALL
       change_notify
     end
@@ -278,7 +298,7 @@ class HTTPClient
       change_notify
     end
 
-    # interfaces for SSLSocketWrap.
+    # interfaces for SSLSocket.
     def set_context(ctx) # :nodoc:
       load_trust_ca unless @cacerts_loaded
       @cacerts_loaded = true
@@ -288,8 +308,14 @@ class HTTPClient
       ctx.verify_depth = @verify_depth if @verify_depth
       ctx.verify_callback = @verify_callback || method(:default_verify_callback)
       # SSL config
-      ctx.cert = @client_cert
-      ctx.key = @client_key
+      if @client_cert
+        ctx.cert = @client_cert.is_a?(X509::Certificate) ?  @client_cert :
+          X509::Certificate.new(File.open(@client_cert) { |f| f.read })
+      end
+      if @client_key
+        ctx.key = @client_key.is_a?(PKey::PKey) ? @client_key :
+          PKey::RSA.new(File.open(@client_key) { |f| f.read }, @client_key_pass)
+      end
       ctx.client_ca = @client_ca
       ctx.timeout = @timeout
       ctx.options = @options
@@ -405,9 +431,20 @@ class HTTPClient
       nil
     end
 
+    # Use 2014 bit certs trust anchor if possible.
+    # CVE-2015-1793 requires: OpenSSL >= 1.0.2d or OpenSSL >= 1.0.1p
+    # OpenSSL before 1.0.1 does not have CVE-2015-1793 problem
     def load_cacerts(cert_store)
-      file = File.join(File.dirname(__FILE__), 'cacert.p7s')
+      ver = OpenSSL::OPENSSL_VERSION
+      if (ver.start_with?('OpenSSL 1.0.1') && ver >= 'OpenSSL 1.0.1p') ||
+          (ver.start_with?('OpenSSL ') && ver >= 'OpenSSL 1.0.2d')
+        filename = 'cacert.pem'
+      else
+        filename = 'cacert1024.pem'
+      end
+      file = File.join(File.dirname(__FILE__), filename)
       add_trust_ca_to_store(cert_store, file)
+      @cert_store_items << file
     end
   end
 

data/lib/httpclient/ssl_socket.rb

@@ -0,0 +1,149 @@
+# HTTPClient - HTTP client library.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+#
+# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
+# redistribute it and/or modify it under the same terms of Ruby's license;
+# either the dual license version in 2003, or any later version.
+
+
+require 'httpclient/ssl_config'
+
+
+class HTTPClient
+
+  # Wraps up OpenSSL::SSL::SSLSocket and offers debugging features.
+  class SSLSocket
+    def self.create_socket(session)
+      site = session.proxy || session.dest
+      socket = session.create_socket(site.host, site.port)
+      begin
+        if session.proxy
+          session.connect_ssl_proxy(socket, Util.urify(session.dest.to_s))
+        end
+        ssl_socket = new(socket, session.ssl_config, session.debug_dev)
+        ssl_socket.ssl_connect(session.dest.host)
+        ssl_socket
+      rescue
+        socket.close
+        raise
+      end
+    end
+
+    def initialize(socket, context, debug_dev = nil)
+      unless SSLEnabled
+        raise ConfigurationError.new('Ruby/OpenSSL module is required')
+      end
+      @socket = socket
+      @context = context
+      @ssl_socket = create_openssl_socket(@socket)
+      @debug_dev = debug_dev
+    end
+
+    def ssl_connect(hostname = nil)
+      if hostname && @ssl_socket.respond_to?(:hostname=)
+        @ssl_socket.hostname = hostname
+      end
+      @ssl_socket.connect
+      if $DEBUG
+        if @ssl_socket.respond_to?(:ssl_version)
+          warn("Protocol version: #{@ssl_socket.ssl_version}")
+        end
+        warn("Cipher: #{@ssl_socket.cipher.inspect}")
+        warn("State: #{@ssl_socket.state}")
+      end
+      post_connection_check(hostname)
+    end
+
+    def peer_cert
+      @ssl_socket.peer_cert
+    end
+
+    def close
+      @ssl_socket.close
+      @socket.close
+    end
+
+    def closed?
+      @socket.closed?
+    end
+
+    def eof?
+      @ssl_socket.eof?
+    end
+
+    def gets(rs)
+      str = @ssl_socket.gets(rs)
+      debug(str)
+      str
+    end
+
+    def read(size, buf = nil)
+      str = @ssl_socket.read(size, buf)
+      debug(str)
+      str
+    end
+
+    def readpartial(size, buf = nil)
+      str = @ssl_socket.readpartial(size, buf)
+      debug(str)
+      str
+    end
+
+    def <<(str)
+      rv = @ssl_socket.write(str)
+      debug(str)
+      rv
+    end
+
+    def flush
+      @ssl_socket.flush
+    end
+
+    def sync
+      @ssl_socket.sync
+    end
+
+    def sync=(sync)
+      @ssl_socket.sync = sync
+    end
+
+  private
+
+    def post_connection_check(hostname)
+      verify_mode = @context.verify_mode || OpenSSL::SSL::VERIFY_NONE
+      if verify_mode == OpenSSL::SSL::VERIFY_NONE
+        return
+      elsif @ssl_socket.peer_cert.nil? and
+        check_mask(verify_mode, OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT)
+        raise OpenSSL::SSL::SSLError.new('no peer cert')
+      end
+      if @ssl_socket.respond_to?(:post_connection_check) and RUBY_VERSION > "1.8.4"
+        @ssl_socket.post_connection_check(hostname)
+      else
+        @context.post_connection_check(@ssl_socket.peer_cert, hostname)
+      end
+    end
+
+    def check_mask(value, mask)
+      value & mask == mask
+    end
+
+    def create_openssl_socket(socket)
+      ssl_socket = nil
+      if OpenSSL::SSL.const_defined?("SSLContext")
+        ctx = OpenSSL::SSL::SSLContext.new
+        @context.set_context(ctx)
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
+      else
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(socket)
+        @context.set_context(ssl_socket)
+      end
+      ssl_socket
+    end
+
+    def debug(str)
+      @debug_dev << str if @debug_dev && str
+    end
+  end
+
+end

data/lib/httpclient/timeout.rb

@@ -1,5 +1,5 @@
 # HTTPClient - HTTP client library.
-# Copyright (C) 2000-2009  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
 #
 # This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
 # redistribute it and/or modify it under the same terms of Ruby's license;

data/lib/httpclient/util.rb

@@ -1,5 +1,5 @@
 # HTTPClient - HTTP client library.
-# Copyright (C) 2000-2012  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
 #
 # This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
 # redistribute it and/or modify it under the same terms of Ruby's license;
@@ -24,6 +24,28 @@ if RUBY_VERSION < "1.9.3"
   end
 end
 
+# With recent JRuby 1.7 + jruby-openssl, X509CRL#extentions_to_text causes
+# StringIndexOOBException when we try to dump SSL Server Certificate.
+# when one of extensions has "" as value.
+if defined?(JRUBY_VERSION)
+  require 'openssl'
+  require 'java'
+  module OpenSSL
+    module X509
+      class Certificate
+        java_import 'java.security.cert.Certificate'
+        java_import 'java.security.cert.CertificateFactory'
+        java_import 'java.io.ByteArrayInputStream'
+        def to_text
+          cf = CertificateFactory.getInstance('X.509')
+          cf.generateCertificate(ByteArrayInputStream.new(self.to_der.to_java_bytes)).toString
+        end
+      end
+    end
+  end
+end
+
+
 class HTTPClient
 
 

data/lib/httpclient/version.rb

@@ -1,3 +1,3 @@
 class HTTPClient
-  VERSION = '2.6.0.1'
+  VERSION = '2.7.0'
 end

data/lib/oauthclient.rb

@@ -1,5 +1,5 @@
 # HTTPClient - HTTP client library.
-# Copyright (C) 2000-2009  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
+# Copyright (C) 2000-2015  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>.
 #
 # This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
 # redistribute it and/or modify it under the same terms of Ruby's license;

data/test/helper.rb

@@ -59,11 +59,13 @@ module Helper
     @client = HTTPClient.new
   end
 
-  #def setup_server
-    # override it
-    # @server = WEBrick::HTTPServer.new(...)
-    # @server_thread = start_server_thread(@server)
-  #end
+  def escape_noproxy
+    backup = HTTPClient::NO_PROXY_HOSTS.dup
+    HTTPClient::NO_PROXY_HOSTS.clear
+    yield
+  ensure
+    HTTPClient::NO_PROXY_HOSTS.replace(backup)
+  end
 
   def setup_proxyserver
     @proxyserver = WEBrick::HTTPProxyServer.new(

data/test/test_auth.rb

@@ -124,6 +124,7 @@ class TestAuth < Test::Unit::TestCase
       end
       # Make it work if @value == nil
       class SecurityBuffer < FieldSet
+        remove_method(:data_size) if method_defined?(:data_size)
         def data_size
           @active && @value ? @value.size : 0
         end
@@ -230,7 +231,7 @@ class TestAuth < Test::Unit::TestCase
       c.www_auth.basic_auth.instance_eval { @scheme = "BASIC" }
       c.set_auth("http://localhost:#{serverport}/", 'admin', 'admin')
 
-      threads = 100.times.map { |idx|
+      100.times.map { |idx|
         Thread.new(idx) { |idx2|
           Thread.abort_on_exception = true
           Thread.pass
@@ -251,7 +252,7 @@ class TestAuth < Test::Unit::TestCase
     c.test_loopback_http_response << "HTTP/1.0 200 OK\nContent-Length: 2\n\nOK"
     c.debug_dev = str = ''
     c.get_content("http://localhost:#{serverport}/basic_auth/sub/dir/")
-    assert_match /Authorization: Basic YWRtaW46YWRtaW4=/, str
+    assert_match(/Authorization: Basic YWRtaW46YWRtaW4=/, str)
   end
 
   def test_digest_auth
@@ -267,7 +268,7 @@ class TestAuth < Test::Unit::TestCase
     c.test_loopback_http_response << "HTTP/1.0 200 OK\nContent-Length: 2\n\nOK"
     c.debug_dev = str = ''
     c.get_content("http://localhost:#{serverport}/digest_auth/sub/dir/")
-    assert_match /Authorization: Digest/, str
+    assert_match(/Authorization: Digest/, str)
   end
 
   def test_digest_auth_with_block
@@ -332,6 +333,16 @@ class TestAuth < Test::Unit::TestCase
     assert_match(/Proxy-Authorization: Basic YWRtaW46YWRtaW4=/, str)
   end
 
+  def test_proxy_auth_force
+    c = HTTPClient.new
+    c.set_proxy_auth('admin', 'admin')
+    c.force_basic_auth = true
+    c.test_loopback_http_response << "HTTP/1.0 200 OK\nContent-Length: 2\n\nOK"
+    c.debug_dev = str = ''
+    c.get_content('http://example.com/')
+    assert_match(/Proxy-Authorization: Basic YWRtaW46YWRtaW4=/, str)
+  end
+
   def test_proxy_auth_reuses_credentials
     c = HTTPClient.new
     c.set_proxy_auth('admin', 'admin')
@@ -442,11 +453,19 @@ class TestAuth < Test::Unit::TestCase
   end
 
   def test_basic_auth_post_with_multipart
-    c = HTTPClient.new
-    c.set_auth("http://localhost:#{serverport}/", 'admin', 'admin')
-    File.open(__FILE__) do |f|
-      # read 'f' twice for authorization negotiation
-      assert_equal('basic_auth OK', c.post("http://localhost:#{serverport}/basic_auth", :file => f).content)
+    retry_times = 0
+    begin
+      c = HTTPClient.new
+      c.set_auth("http://localhost:#{serverport}/", 'admin', 'admin')
+      File.open(__FILE__) do |f|
+        # read 'f' twice for authorization negotiation
+        assert_equal('basic_auth OK', c.post("http://localhost:#{serverport}/basic_auth", :file => f).content)
+      end
+    rescue Errno::ECONNRESET, HTTPClient::KeepAliveDisconnected
+      # TODO: WEBrick server returns ECONNRESET/EPIPE before sending Unauthorized response to client?
+      raise if retry_times > 5
+      retry_times += 1
+      retry 
     end
   end