jruby-openssl 0.9.12-java → 0.9.13-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fec096b2836ecf41ff7fabe0ad5623d2baaefe61
-  data.tar.gz: 7f38c9c23b808c4067a676031dcdf919789a2447
+  metadata.gz: 53cfa91375f8c240492465413cf80832989950be
+  data.tar.gz: 95559557d8c369fc21f72087814edc4b24f0a9db
 SHA512:
-  metadata.gz: e947998f76eb5b88011fad21f5d4f99f89ae5f2998901af639a4d8b7f3c764163b2222928b82832ce5a22d7fdd0309b503336c7b3c3a278069ec271c0bcf27ca
-  data.tar.gz: c6a11ed1cc98646f35f56552c89fe3143621041cbabab2a16f8858b453023430efd0e4ca1292a45b7e815a562456a165f1765263f55023e4be2dc1f1d706ac76
+  metadata.gz: f6ece1c6fc0caa3f4fbb395f0383fba916420d1f0fa038793b94a437afca8c743e3316f37d00a9047ffec419a9ac77f817bcbc14f3f76db4148def5b5fa89093
+  data.tar.gz: 7699d18401244b3ef64ceaf959b46ef21cf689ed251e1476e722831a71c1679dd622463aab74d4c16fb8624bec496e9e35f6b28d6ac0baaad985789b9ccbf849

data/Rakefile

@@ -37,8 +37,9 @@ file('lib/jopenssl.jar') { Rake::Task['jar'].invoke }
 
 require 'rake/testtask'
 Rake::TestTask.new do |task|
-  task.libs << 'lib'
-  task.test_files = FileList['src/test/ruby/**/test*.rb']
+  task.libs << 'src/test/ruby'
+  test_files = FileList['src/test/ruby/**/test*.rb'].to_a
+  task.test_files = test_files.map { |path| path.sub('src/test/ruby/', '') }
   task.verbose = true
   task.loader = :direct
 end
@@ -58,6 +59,8 @@ namespace :integration do
     end
     loader = "ARGV.each { |f| require f }"
     test_files = FileList['src/test/integration/*_test.rb'].to_a
-    ruby "-Ilib -e \"#{loader}\" #{test_files.map { |f| "\"#{f}\"" }.join(' ')}"
+    test_files.map! { |path| path.sub('src/test/integration/', '') }
+    lib = [ 'lib', 'src/test/integration' ]
+    ruby "-I#{lib.join(':')} -e \"#{loader}\" #{test_files.map { |f| "\"#{f}\"" }.join(' ')}"
   end
 end

data/lib/jopenssl/load.rb

@@ -24,7 +24,9 @@ require 'jruby'
 require 'jopenssl.jar'
 org.jruby.ext.openssl.OpenSSL.load(JRuby.runtime)
 
-if RUBY_VERSION > '2.2'
+if RUBY_VERSION > '2.3'
+  load 'jopenssl23/openssl.rb'
+elsif RUBY_VERSION > '2.2'
   load 'jopenssl22/openssl.rb'
 elsif RUBY_VERSION > '2.1'
   load 'jopenssl21/openssl.rb'

data/lib/jopenssl/version.rb

@@ -1,6 +1,11 @@
 module Jopenssl
+  VERSION = '0.9.13'
+  BOUNCY_CASTLE_VERSION = '1.50'
+  # @deprecated
   module Version
-    VERSION = '0.9.12'
-    BOUNCY_CASTLE_VERSION = '1.50'
+    # @private
+    VERSION = Jopenssl::VERSION
+    # @private
+    BOUNCY_CASTLE_VERSION = Jopenssl::BOUNCY_CASTLE_VERSION
   end
-end
+end

data/lib/jopenssl22/openssl/ssl.rb

@@ -15,42 +15,154 @@
 =end
 
 require "openssl/buffering"
-require 'fcntl' # used by OpenSSL::SSL::Nonblock (if loaded)
+require "fcntl"
 
 module OpenSSL
   module SSL
+    class SSLContext
+      DEFAULT_PARAMS = {
+        :ssl_version => "SSLv23",
+        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+        :ciphers => %w{
+          ECDHE-ECDSA-AES128-GCM-SHA256
+          ECDHE-RSA-AES128-GCM-SHA256
+          ECDHE-ECDSA-AES256-GCM-SHA384
+          ECDHE-RSA-AES256-GCM-SHA384
+          DHE-RSA-AES128-GCM-SHA256
+          DHE-DSS-AES128-GCM-SHA256
+          DHE-RSA-AES256-GCM-SHA384
+          DHE-DSS-AES256-GCM-SHA384
+          ECDHE-ECDSA-AES128-SHA256
+          ECDHE-RSA-AES128-SHA256
+          ECDHE-ECDSA-AES128-SHA
+          ECDHE-RSA-AES128-SHA
+          ECDHE-ECDSA-AES256-SHA384
+          ECDHE-RSA-AES256-SHA384
+          ECDHE-ECDSA-AES256-SHA
+          ECDHE-RSA-AES256-SHA
+          DHE-RSA-AES128-SHA256
+          DHE-RSA-AES256-SHA256
+          DHE-RSA-AES128-SHA
+          DHE-RSA-AES256-SHA
+          DHE-DSS-AES128-SHA256
+          DHE-DSS-AES256-SHA256
+          DHE-DSS-AES128-SHA
+          DHE-DSS-AES256-SHA
+          AES128-GCM-SHA256
+          AES256-GCM-SHA384
+          AES128-SHA256
+          AES256-SHA256
+          AES128-SHA
+          AES256-SHA
+          ECDHE-ECDSA-RC4-SHA
+          ECDHE-RSA-RC4-SHA
+          RC4-SHA
+        }.join(":"),
+        :options => -> {
+          opts = OpenSSL::SSL::OP_ALL
+          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+          opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+          opts
+        }.call
+      } unless const_defined? :DEFAULT_PARAMS # JRuby does it in Java
+
+      unless const_defined? :DEFAULT_CERT_STORE # JRuby specific
+      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
+      DEFAULT_CERT_STORE.set_default_paths
+      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
+        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      end
+      end
+
+      ##
+      # Sets the parameters for this SSL context to the values in +params+.
+      # The keys in +params+ must be assignment methods on SSLContext.
+      #
+      # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
+      # cert_store are not set then the system default certificate store is
+      # used.
+      
+      def set_params(params={})
+        params = DEFAULT_PARAMS.merge(params)
+        params.each{|name, value| self.__send__("#{name}=", value) }
+        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          unless self.ca_file or self.ca_path or self.cert_store
+            self.cert_store = DEFAULT_CERT_STORE
+          end
+        end
+        return params
+      end unless method_defined? :set_params # JRuby: hooked up in "native" Java
+    end
+
+    module SocketForwarder
+      def addr
+        to_io.addr
+      end
+
+      def peeraddr
+        to_io.peeraddr
+      end
+
+      def setsockopt(level, optname, optval)
+        to_io.setsockopt(level, optname, optval)
+      end
+
+      def getsockopt(level, optname)
+        to_io.getsockopt(level, optname)
+      end
+
+      def fcntl(*args)
+        to_io.fcntl(*args)
+      end
+
+      def closed?
+        to_io.closed?
+      end
+
+      def do_not_reverse_lookup=(flag)
+        to_io.do_not_reverse_lookup = flag
+      end
+    end unless const_defined? :SocketForwarder # JRuby: hooked up in "native" Java
+
+    module Nonblock
+      def initialize(*args)
+        flag = File::NONBLOCK
+        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
+        @io.fcntl(Fcntl::F_SETFL, flag)
+        super
+      end
+    end unless const_defined? :Nonblock # JRuby: hooked up in "native" Java
 
-    # FIXME: Using the old non-ASN1 logic here because our ASN1 appears to
-    # return the wrong types for some decoded objects.
-    # @see https://github.com/jruby/jruby/issues/1102
-    # @private
     def verify_certificate_identity(cert, hostname)
       should_verify_common_name = true
       cert.extensions.each { |ext|
         next if ext.oid != "subjectAltName"
         ext.value.split(/,\s+/).each { |general_name|
-          # MRI 1.9.3 (since we parse ASN.1 differently)
-          # when 2 # dNSName in GeneralName (RFC5280)
+          #case san.tag
+          # MRI 2.2.3 (JRuby parses ASN.1 differently)
+          #when 2 # dNSName in GeneralName (RFC5280)
           if /\ADNS:(.*)/ =~ general_name
             should_verify_common_name = false
             return true if verify_hostname(hostname, $1)
-          # MRI 1.9.3 (since we parse ASN.1 differently)
-          # when 7 # iPAddress in GeneralName (RFC5280)
+          # MRI 2.2.3 (JRuby parses ASN.1 differently)
+          #when 7 # iPAddress in GeneralName (RFC5280)
           elsif /\AIP(?: Address)?:(.*)/ =~ general_name
             should_verify_common_name = false
             return true if $1 == hostname
-            # NOTE: bellow logic makes little sense as we read exts differently
-            #value = $1 # follows GENERAL_NAME_print() in x509v3/v3_alt.c
-            #if value.size == 4
-            #  return true if value.unpack('C*').join('.') == hostname
-            #elsif value.size == 16
-            #  return true if value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+            # NOTE: bellow logic makes little sense JRuby reads exts differently
+            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
+            #if san.value.size == 4
+            #  return true if san.value.unpack('C*').join('.') == hostname
+            #elsif san.value.size == 16
+            #  return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
             #end
           end
         }
       }
       if should_verify_common_name
-        cert.subject.to_a.each { |oid, value|
+        cert.subject.to_a.each{|oid, value|
           if oid == "CN"
             return true if verify_hostname(hostname, value)
           end
@@ -122,12 +234,33 @@ module OpenSSL
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        if peer_cert.nil?
+          msg = "Peer verification enabled, but no certificate received."
+          if using_anon_cipher?
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+          end
+          raise SSLError, msg
+        end
+
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
         end
         return true
       end
 
+      #def session
+      #  SSL::Session.new(self)
+      #rescue SSL::Session::SessionError
+      #  nil
+      #end
+
+      private
+
+      def using_anon_cipher?
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "aNULL"
+        ctx.ciphers.include?(cipher)
+      end
     end
 
     ##
@@ -178,8 +311,12 @@ module OpenSSL
           ssl.sync_close = true
           ssl.accept if @start_immediately
           ssl
-        rescue SSLError => ex
-          sock.close
+        rescue Exception => ex
+          if ssl
+            ssl.close
+          else
+            sock.close
+          end
           raise ex
         end
       end

data/lib/jopenssl23/openssl.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: false
+=begin
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+  All rights reserved.
+
+= Licence
+  This program is licensed under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+=end
+
+require 'openssl/bn'
+require 'openssl/pkey'
+require 'openssl/cipher'
+require 'openssl/config'
+require 'openssl/digest'
+require 'openssl/x509'
+require 'openssl/ssl'

data/lib/jopenssl23/openssl/bn.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+#--
+#
+# = Ruby-space definitions that completes C-space funcs for BN
+#
+# = Info
+# 'OpenSSL for Ruby 2' project
+# Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+# All rights reserved.
+#
+# = Licence
+# This program is licensed under the same licence as Ruby.
+# (See the file 'LICENCE'.)
+#++
+
+module OpenSSL
+  class BN
+    def pretty_print(q)
+      q.object_group(self) {
+        q.text ' '
+        q.text to_i.to_s
+      }
+    end
+  end # BN
+end # OpenSSL
+
+##
+# Add double dispatch to Integer
+#
+class Integer
+  # Casts an Integer as an OpenSSL::BN
+  #
+  # See `man bn` for more info.
+  def to_bn
+    OpenSSL::BN::new(self)
+  end
+end # Integer

data/lib/jopenssl23/openssl/buffering.rb

@@ -0,0 +1,453 @@
+# coding: binary
+# frozen_string_literal: false
+#--
+#= Info
+#  'OpenSSL for Ruby 2' project
+#  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
+#  All rights reserved.
+#
+#= Licence
+#  This program is licensed under the same licence as Ruby.
+#  (See the file 'LICENCE'.)
+#++
+
+##
+# OpenSSL IO buffering mix-in module.
+#
+# This module allows an OpenSSL::SSL::SSLSocket to behave like an IO.
+#
+# You typically won't use this module directly, you can see it implemented in
+# OpenSSL::SSL::SSLSocket.
+
+module OpenSSL::Buffering
+  include Enumerable
+
+  ##
+  # The "sync mode" of the SSLSocket.
+  #
+  # See IO#sync for full details.
+
+  attr_accessor :sync
+
+  ##
+  # Default size to read from or write to the SSLSocket for buffer operations.
+
+  BLOCK_SIZE = 1024*16
+
+  ##
+  # Creates an instance of OpenSSL's buffering IO module.
+
+  def initialize(*)
+    # super
+    @eof = false
+    @rbuffer = ""
+    @sync = @io.sync
+  end
+
+  #
+  # for reading.
+  #
+  private
+
+  ##
+  # Fills the buffer from the underlying SSLSocket
+
+  def fill_rbuff
+    begin
+      @rbuffer << self.sysread(BLOCK_SIZE)
+    rescue Errno::EAGAIN
+      retry
+    rescue EOFError
+      @eof = true
+    end
+  end
+
+  ##
+  # Consumes +size+ bytes from the buffer
+
+  def consume_rbuff(size=nil)
+    if @rbuffer.empty?
+      nil
+    else
+      size = @rbuffer.size unless size
+      ret = @rbuffer[0, size]
+      @rbuffer[0, size] = ""
+      ret
+    end
+  end
+
+  public
+
+  ##
+  # Reads +size+ bytes from the stream.  If +buf+ is provided it must
+  # reference a string which will receive the data.
+  #
+  # See IO#read for full details.
+
+  def read(size=nil, buf=nil)
+    if size == 0
+      if buf
+        buf.clear
+        return buf
+      else
+        return ""
+      end
+    end
+    until @eof
+      break if size && size <= @rbuffer.size
+      fill_rbuff
+    end
+    ret = consume_rbuff(size) || ""
+    if buf
+      buf.replace(ret)
+      ret = buf
+    end
+    (size && ret.empty?) ? nil : ret
+  end
+
+  ##
+  # Reads at most +maxlen+ bytes from the stream.  If +buf+ is provided it
+  # must reference a string which will receive the data.
+  #
+  # See IO#readpartial for full details.
+
+  def readpartial(maxlen, buf=nil)
+    if maxlen == 0
+      if buf
+        buf.clear
+        return buf
+      else
+        return ""
+      end
+    end
+    if @rbuffer.empty?
+      begin
+        return sysread(maxlen, buf)
+      rescue Errno::EAGAIN
+        retry
+      end
+    end
+    ret = consume_rbuff(maxlen)
+    if buf
+      buf.replace(ret)
+      ret = buf
+    end
+    raise EOFError if ret.empty?
+    ret
+  end
+
+  ##
+  # Reads at most +maxlen+ bytes in the non-blocking manner.
+  #
+  # When no data can be read without blocking it raises
+  # OpenSSL::SSL::SSLError extended by IO::WaitReadable or IO::WaitWritable.
+  #
+  # IO::WaitReadable means SSL needs to read internally so read_nonblock
+  # should be called again when the underlying IO is readable.
+  #
+  # IO::WaitWritable means SSL needs to write internally so read_nonblock
+  # should be called again after the underlying IO is writable.
+  #
+  # OpenSSL::Buffering#read_nonblock needs two rescue clause as follows:
+  #
+  #   # emulates blocking read (readpartial).
+  #   begin
+  #     result = ssl.read_nonblock(maxlen)
+  #   rescue IO::WaitReadable
+  #     IO.select([io])
+  #     retry
+  #   rescue IO::WaitWritable
+  #     IO.select(nil, [io])
+  #     retry
+  #   end
+  #
+  # Note that one reason that read_nonblock writes to the underlying IO is
+  # when the peer requests a new TLS/SSL handshake.  See openssl the FAQ for
+  # more details.  http://www.openssl.org/support/faq.html
+
+  def read_nonblock(maxlen, buf=nil, exception: true)
+    if maxlen == 0
+      if buf
+        buf.clear
+        return buf
+      else
+        return ""
+      end
+    end
+    if @rbuffer.empty?
+      return sysread_nonblock(maxlen, buf, exception: exception)
+    end
+    ret = consume_rbuff(maxlen)
+    if buf
+      buf.replace(ret)
+      ret = buf
+    end
+    raise EOFError if ret.empty?
+    ret
+  end
+
+  ##
+  # Reads the next "line+ from the stream.  Lines are separated by +eol+.  If
+  # +limit+ is provided the result will not be longer than the given number of
+  # bytes.
+  #
+  # +eol+ may be a String or Regexp.
+  #
+  # Unlike IO#gets the line read will not be assigned to +$_+.
+  #
+  # Unlike IO#gets the separator must be provided if a limit is provided.
+
+  def gets(eol=$/, limit=nil)
+    idx = @rbuffer.index(eol)
+    until @eof
+      break if idx
+      fill_rbuff
+      idx = @rbuffer.index(eol)
+    end
+    if eol.is_a?(Regexp)
+      size = idx ? idx+$&.size : nil
+    else
+      size = idx ? idx+eol.size : nil
+    end
+    if size && limit && limit >= 0
+      size = [size, limit].min
+    end
+    consume_rbuff(size)
+  end
+
+  ##
+  # Executes the block for every line in the stream where lines are separated
+  # by +eol+.
+  #
+  # See also #gets
+
+  def each(eol=$/)
+    while line = self.gets(eol)
+      yield line
+    end
+  end
+  alias each_line each
+
+  ##
+  # Reads lines from the stream which are separated by +eol+.
+  #
+  # See also #gets
+
+  def readlines(eol=$/)
+    ary = []
+    while line = self.gets(eol)
+      ary << line
+    end
+    ary
+  end
+
+  ##
+  # Reads a line from the stream which is separated by +eol+.
+  #
+  # Raises EOFError if at end of file.
+
+  def readline(eol=$/)
+    raise EOFError if eof?
+    gets(eol)
+  end
+
+  ##
+  # Reads one character from the stream.  Returns nil if called at end of
+  # file.
+
+  def getc
+    read(1)
+  end
+
+  ##
+  # Calls the given block once for each byte in the stream.
+
+  def each_byte # :yields: byte
+    while c = getc
+      yield(c.ord)
+    end
+  end
+
+  ##
+  # Reads a one-character string from the stream.  Raises an EOFError at end
+  # of file.
+
+  def readchar
+    raise EOFError if eof?
+    getc
+  end
+
+  ##
+  # Pushes character +c+ back onto the stream such that a subsequent buffered
+  # character read will return it.
+  #
+  # Unlike IO#getc multiple bytes may be pushed back onto the stream.
+  #
+  # Has no effect on unbuffered reads (such as #sysread).
+
+  def ungetc(c)
+    @rbuffer[0,0] = c.chr
+  end
+
+  ##
+  # Returns true if the stream is at file which means there is no more data to
+  # be read.
+
+  def eof?
+    fill_rbuff if !@eof && @rbuffer.empty?
+    @eof && @rbuffer.empty?
+  end
+  alias eof eof?
+
+  #
+  # for writing.
+  #
+  private
+
+  ##
+  # Writes +s+ to the buffer.  When the buffer is full or #sync is true the
+  # buffer is flushed to the underlying socket.
+
+  def do_write(s)
+    @wbuffer = "" unless defined? @wbuffer
+    @wbuffer << s
+    @wbuffer.force_encoding(Encoding::BINARY)
+    @sync ||= false
+    if @sync or @wbuffer.size > BLOCK_SIZE or idx = @wbuffer.rindex($/)
+      remain = idx ? idx + $/.size : @wbuffer.length
+      nwritten = 0
+      while remain > 0
+        str = @wbuffer[nwritten,remain]
+        begin
+          nwrote = syswrite(str)
+        rescue Errno::EAGAIN
+          retry
+        end
+        remain -= nwrote
+        nwritten += nwrote
+      end
+      @wbuffer[0,nwritten] = ""
+    end
+  end
+
+  public
+
+  ##
+  # Writes +s+ to the stream.  If the argument is not a string it will be
+  # converted using String#to_s.  Returns the number of bytes written.
+
+  def write(s)
+    do_write(s)
+    s.bytesize
+  end
+
+  ##
+  # Writes +str+ in the non-blocking manner.
+  #
+  # If there is buffered data, it is flushed first.  This may block.
+  #
+  # write_nonblock returns number of bytes written to the SSL connection.
+  #
+  # When no data can be written without blocking it raises
+  # OpenSSL::SSL::SSLError extended by IO::WaitReadable or IO::WaitWritable.
+  #
+  # IO::WaitReadable means SSL needs to read internally so write_nonblock
+  # should be called again after the underlying IO is readable.
+  #
+  # IO::WaitWritable means SSL needs to write internally so write_nonblock
+  # should be called again after underlying IO is writable.
+  #
+  # So OpenSSL::Buffering#write_nonblock needs two rescue clause as follows.
+  #
+  #   # emulates blocking write.
+  #   begin
+  #     result = ssl.write_nonblock(str)
+  #   rescue IO::WaitReadable
+  #     IO.select([io])
+  #     retry
+  #   rescue IO::WaitWritable
+  #     IO.select(nil, [io])
+  #     retry
+  #   end
+  #
+  # Note that one reason that write_nonblock reads from the underlying IO
+  # is when the peer requests a new TLS/SSL handshake.  See the openssl FAQ
+  # for more details.  http://www.openssl.org/support/faq.html
+
+  def write_nonblock(s, exception: true)
+    flush
+    syswrite_nonblock(s, exception: exception)
+  end
+
+  ##
+  # Writes +s+ to the stream.  +s+ will be converted to a String using
+  # String#to_s.
+
+  def << (s)
+    do_write(s)
+    self
+  end
+
+  ##
+  # Writes +args+ to the stream along with a record separator.
+  #
+  # See IO#puts for full details.
+
+  def puts(*args)
+    s = ""
+    if args.empty?
+      s << "\n"
+    end
+    args.each{|arg|
+      s << arg.to_s
+      if $/ && /\n\z/ !~ s
+        s << "\n"
+      end
+    }
+    do_write(s)
+    nil
+  end
+
+  ##
+  # Writes +args+ to the stream.
+  #
+  # See IO#print for full details.
+
+  def print(*args)
+    s = ""
+    args.each{ |arg| s << arg.to_s }
+    do_write(s)
+    nil
+  end
+
+  ##
+  # Formats and writes to the stream converting parameters under control of
+  # the format string.
+  #
+  # See Kernel#sprintf for format string details.
+
+  def printf(s, *args)
+    do_write(s % args)
+    nil
+  end
+
+  ##
+  # Flushes buffered data to the SSLSocket.
+
+  def flush
+    osync = @sync
+    @sync = true
+    do_write ""
+    return self
+  ensure
+    @sync = osync
+  end
+
+  ##
+  # Closes the SSLSocket and flushes any unwritten data.
+
+  def close
+    flush rescue nil
+    sysclose
+  end
+end