jun-puma 1.0.1-java → 1.0.2-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. checksums.yaml +4 -4
  2. data/lib/puma/puma_http11.jar +0 -0
  3. metadata +3 -81
  4. data/bin/puma-wild +0 -25
  5. data/docs/architecture.md +0 -74
  6. data/docs/compile_options.md +0 -55
  7. data/docs/deployment.md +0 -102
  8. data/docs/fork_worker.md +0 -31
  9. data/docs/images/puma-connection-flow-no-reactor.png +0 -0
  10. data/docs/images/puma-connection-flow.png +0 -0
  11. data/docs/images/puma-general-arch.png +0 -0
  12. data/docs/jungle/README.md +0 -9
  13. data/docs/jungle/rc.d/README.md +0 -74
  14. data/docs/jungle/rc.d/puma +0 -61
  15. data/docs/jungle/rc.d/puma.conf +0 -10
  16. data/docs/kubernetes.md +0 -78
  17. data/docs/nginx.md +0 -80
  18. data/docs/plugins.md +0 -38
  19. data/docs/rails_dev_mode.md +0 -28
  20. data/docs/restart.md +0 -64
  21. data/docs/signals.md +0 -98
  22. data/docs/stats.md +0 -142
  23. data/docs/systemd.md +0 -244
  24. data/docs/testing_benchmarks_local_files.md +0 -150
  25. data/docs/testing_test_rackup_ci_files.md +0 -36
  26. data/ext/puma_http11/PumaHttp11Service.java +0 -17
  27. data/ext/puma_http11/ext_help.h +0 -15
  28. data/ext/puma_http11/http11_parser.c +0 -1057
  29. data/ext/puma_http11/http11_parser.h +0 -65
  30. data/ext/puma_http11/http11_parser.java.rl +0 -145
  31. data/ext/puma_http11/http11_parser.rl +0 -149
  32. data/ext/puma_http11/http11_parser_common.rl +0 -54
  33. data/ext/puma_http11/mini_ssl.c +0 -832
  34. data/ext/puma_http11/no_ssl/PumaHttp11Service.java +0 -15
  35. data/ext/puma_http11/org/jruby/puma/Http11.java +0 -226
  36. data/ext/puma_http11/org/jruby/puma/Http11Parser.java +0 -455
  37. data/ext/puma_http11/org/jruby/puma/MiniSSL.java +0 -508
  38. data/ext/puma_http11/puma_http11.c +0 -492
  39. data/lib/puma/app/status.rb +0 -96
  40. data/lib/puma/binder.rb +0 -501
  41. data/lib/puma/cli.rb +0 -243
  42. data/lib/puma/client.rb +0 -632
  43. data/lib/puma/cluster/worker.rb +0 -182
  44. data/lib/puma/cluster/worker_handle.rb +0 -97
  45. data/lib/puma/cluster.rb +0 -562
  46. data/lib/puma/commonlogger.rb +0 -115
  47. data/lib/puma/configuration.rb +0 -391
  48. data/lib/puma/const.rb +0 -289
  49. data/lib/puma/control_cli.rb +0 -316
  50. data/lib/puma/detect.rb +0 -45
  51. data/lib/puma/dsl.rb +0 -1204
  52. data/lib/puma/error_logger.rb +0 -113
  53. data/lib/puma/events.rb +0 -57
  54. data/lib/puma/io_buffer.rb +0 -46
  55. data/lib/puma/jruby_restart.rb +0 -27
  56. data/lib/puma/json_serialization.rb +0 -96
  57. data/lib/puma/launcher/bundle_pruner.rb +0 -104
  58. data/lib/puma/launcher.rb +0 -484
  59. data/lib/puma/log_writer.rb +0 -147
  60. data/lib/puma/minissl/context_builder.rb +0 -95
  61. data/lib/puma/minissl.rb +0 -458
  62. data/lib/puma/null_io.rb +0 -61
  63. data/lib/puma/plugin/systemd.rb +0 -90
  64. data/lib/puma/plugin/tmp_restart.rb +0 -36
  65. data/lib/puma/plugin.rb +0 -111
  66. data/lib/puma/rack/builder.rb +0 -297
  67. data/lib/puma/rack/urlmap.rb +0 -93
  68. data/lib/puma/rack_default.rb +0 -24
  69. data/lib/puma/reactor.rb +0 -125
  70. data/lib/puma/request.rb +0 -671
  71. data/lib/puma/runner.rb +0 -213
  72. data/lib/puma/sd_notify.rb +0 -149
  73. data/lib/puma/server.rb +0 -664
  74. data/lib/puma/single.rb +0 -69
  75. data/lib/puma/state_file.rb +0 -68
  76. data/lib/puma/thread_pool.rb +0 -434
  77. data/lib/puma/util.rb +0 -141
  78. data/lib/puma.rb +0 -78
  79. data/lib/rack/handler/puma.rb +0 -141
  80. data/tools/Dockerfile +0 -16
  81. data/tools/trickletest.rb +0 -44
@@ -1,832 +0,0 @@
1
- #define RSTRING_NOT_MODIFIED 1
2
-
3
- #include <ruby.h>
4
- #include <ruby/version.h>
5
- #include <ruby/io.h>
6
-
7
- #ifdef HAVE_OPENSSL_BIO_H
8
-
9
- #include <openssl/bio.h>
10
- #include <openssl/ssl.h>
11
- #include <openssl/dh.h>
12
- #include <openssl/err.h>
13
- #include <openssl/x509.h>
14
-
15
- #ifndef SSL_OP_NO_COMPRESSION
16
- #define SSL_OP_NO_COMPRESSION 0
17
- #endif
18
-
19
- typedef struct {
20
- BIO* read;
21
- BIO* write;
22
- SSL* ssl;
23
- SSL_CTX* ctx;
24
- } ms_conn;
25
-
26
- typedef struct {
27
- unsigned char* buf;
28
- int bytes;
29
- } ms_cert_buf;
30
-
31
- VALUE eError;
32
-
33
- NORETURN(void raise_file_error(const char* caller, const char *filename));
34
-
35
- void raise_file_error(const char* caller, const char *filename) {
36
- rb_raise(eError, "%s: error in file '%s': %s", caller, filename, ERR_error_string(ERR_get_error(), NULL));
37
- }
38
-
39
- NORETURN(void raise_param_error(const char* caller, const char *param));
40
-
41
- void raise_param_error(const char* caller, const char *param) {
42
- rb_raise(eError, "%s: error with parameter '%s': %s", caller, param, ERR_error_string(ERR_get_error(), NULL));
43
- }
44
-
45
- void engine_free(void *ptr) {
46
- ms_conn *conn = ptr;
47
- ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
48
- if(cert_buf) {
49
- OPENSSL_free(cert_buf->buf);
50
- free(cert_buf);
51
- }
52
- SSL_free(conn->ssl);
53
- SSL_CTX_free(conn->ctx);
54
-
55
- free(conn);
56
- }
57
-
58
- const rb_data_type_t engine_data_type = {
59
- "MiniSSL/ENGINE",
60
- { 0, engine_free, 0 },
61
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
62
- };
63
-
64
- #ifndef HAVE_SSL_CTX_SET_DH_AUTO
65
- DH *get_dh2048(void) {
66
- /* `openssl dhparam -C 2048`
67
- * -----BEGIN DH PARAMETERS-----
68
- * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o
69
- * 2NPNXqxHwsddMZ1RzvU8/jl+uhRuPWjXCFZbhET4N1vrviZM3VJhV8PPHuiVOACO
70
- * y32jFd+Szx4bo2cXSK83hJ6jRd+0asP1awWjz9/06dFkrILCXMIfQLo0D8rqmppn
71
- * EfDDAwuudCpM9kcDmBRAm9JsKbQ6gzZWjkc5+QWSaQofojIHbjvj3xzguaCJn+oQ
72
- * vHWM+hsAnaOgEwCyeZ3xqs+/5lwSbkE/tqJW98cEZGygBUVo9jxZRZx6KOfjpdrb
73
- * yenO9LJr/qtyrZB31WJbqxI0m0AKTAO8UwIBAg==
74
- * -----END DH PARAMETERS-----
75
- */
76
- static unsigned char dh2048_p[] = {
77
- 0x8E, 0x68, 0x75, 0xB9, 0x01, 0xDD, 0x4D, 0xFC, 0x4E, 0xCB,
78
- 0x11, 0x1B, 0x28, 0x05, 0x77, 0xD1, 0xF5, 0x1F, 0xCE, 0xA3,
79
- 0x03, 0x17, 0xF0, 0xA1, 0x3F, 0x38, 0xDF, 0xCB, 0x39, 0x76,
80
- 0x8D, 0xCA, 0xEA, 0x40, 0xC8, 0x6B, 0x93, 0xBE, 0xA8, 0xD8,
81
- 0xD3, 0xCD, 0x5E, 0xAC, 0x47, 0xC2, 0xC7, 0x5D, 0x31, 0x9D,
82
- 0x51, 0xCE, 0xF5, 0x3C, 0xFE, 0x39, 0x7E, 0xBA, 0x14, 0x6E,
83
- 0x3D, 0x68, 0xD7, 0x08, 0x56, 0x5B, 0x84, 0x44, 0xF8, 0x37,
84
- 0x5B, 0xEB, 0xBE, 0x26, 0x4C, 0xDD, 0x52, 0x61, 0x57, 0xC3,
85
- 0xCF, 0x1E, 0xE8, 0x95, 0x38, 0x00, 0x8E, 0xCB, 0x7D, 0xA3,
86
- 0x15, 0xDF, 0x92, 0xCF, 0x1E, 0x1B, 0xA3, 0x67, 0x17, 0x48,
87
- 0xAF, 0x37, 0x84, 0x9E, 0xA3, 0x45, 0xDF, 0xB4, 0x6A, 0xC3,
88
- 0xF5, 0x6B, 0x05, 0xA3, 0xCF, 0xDF, 0xF4, 0xE9, 0xD1, 0x64,
89
- 0xAC, 0x82, 0xC2, 0x5C, 0xC2, 0x1F, 0x40, 0xBA, 0x34, 0x0F,
90
- 0xCA, 0xEA, 0x9A, 0x9A, 0x67, 0x11, 0xF0, 0xC3, 0x03, 0x0B,
91
- 0xAE, 0x74, 0x2A, 0x4C, 0xF6, 0x47, 0x03, 0x98, 0x14, 0x40,
92
- 0x9B, 0xD2, 0x6C, 0x29, 0xB4, 0x3A, 0x83, 0x36, 0x56, 0x8E,
93
- 0x47, 0x39, 0xF9, 0x05, 0x92, 0x69, 0x0A, 0x1F, 0xA2, 0x32,
94
- 0x07, 0x6E, 0x3B, 0xE3, 0xDF, 0x1C, 0xE0, 0xB9, 0xA0, 0x89,
95
- 0x9F, 0xEA, 0x10, 0xBC, 0x75, 0x8C, 0xFA, 0x1B, 0x00, 0x9D,
96
- 0xA3, 0xA0, 0x13, 0x00, 0xB2, 0x79, 0x9D, 0xF1, 0xAA, 0xCF,
97
- 0xBF, 0xE6, 0x5C, 0x12, 0x6E, 0x41, 0x3F, 0xB6, 0xA2, 0x56,
98
- 0xF7, 0xC7, 0x04, 0x64, 0x6C, 0xA0, 0x05, 0x45, 0x68, 0xF6,
99
- 0x3C, 0x59, 0x45, 0x9C, 0x7A, 0x28, 0xE7, 0xE3, 0xA5, 0xDA,
100
- 0xDB, 0xC9, 0xE9, 0xCE, 0xF4, 0xB2, 0x6B, 0xFE, 0xAB, 0x72,
101
- 0xAD, 0x90, 0x77, 0xD5, 0x62, 0x5B, 0xAB, 0x12, 0x34, 0x9B,
102
- 0x40, 0x0A, 0x4C, 0x03, 0xBC, 0x53
103
- };
104
- static unsigned char dh2048_g[] = { 0x02 };
105
-
106
- DH *dh;
107
- #if !(OPENSSL_VERSION_NUMBER < 0x10100005L)
108
- BIGNUM *p, *g;
109
- #endif
110
-
111
- dh = DH_new();
112
-
113
- #if OPENSSL_VERSION_NUMBER < 0x10100005L
114
- dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
115
- dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
116
-
117
- if ((dh->p == NULL) || (dh->g == NULL)) {
118
- DH_free(dh);
119
- return NULL;
120
- }
121
- #else
122
- p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
123
- g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
124
-
125
- if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
126
- DH_free(dh);
127
- BN_free(p);
128
- BN_free(g);
129
- return NULL;
130
- }
131
- #endif
132
-
133
- return dh;
134
- }
135
- #endif
136
-
137
- static void
138
- sslctx_free(void *ptr) {
139
- SSL_CTX *ctx = ptr;
140
- SSL_CTX_free(ctx);
141
- }
142
-
143
- static const rb_data_type_t sslctx_type = {
144
- "MiniSSL/SSLContext",
145
- {
146
- 0, sslctx_free,
147
- },
148
- 0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
149
- };
150
-
151
- ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
152
- ms_conn* conn;
153
-
154
- *obj = TypedData_Make_Struct(klass, ms_conn, &engine_data_type, conn);
155
-
156
- conn->read = BIO_new(BIO_s_mem());
157
- BIO_set_nbio(conn->read, 1);
158
-
159
- conn->write = BIO_new(BIO_s_mem());
160
- BIO_set_nbio(conn->write, 1);
161
-
162
- conn->ssl = 0;
163
- conn->ctx = 0;
164
-
165
- return conn;
166
- }
167
-
168
- static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
169
- X509* err_cert;
170
- SSL* ssl;
171
- int bytes;
172
- unsigned char* buf = NULL;
173
-
174
- if(!preverify_ok) {
175
- err_cert = X509_STORE_CTX_get_current_cert(ctx);
176
- if(err_cert) {
177
- /*
178
- * Save the failed certificate for inspection/logging.
179
- */
180
- bytes = i2d_X509(err_cert, &buf);
181
- if(bytes > 0) {
182
- ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
183
- cert_buf->buf = buf;
184
- cert_buf->bytes = bytes;
185
- ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
186
- SSL_set_app_data(ssl, cert_buf);
187
- }
188
- }
189
- }
190
-
191
- return preverify_ok;
192
- }
193
-
194
- static int password_callback(char *buf, int size, int rwflag, void *userdata) {
195
- const char *password = (const char *) userdata;
196
- size_t len = strlen(password);
197
-
198
- if (len > (size_t) size) {
199
- return 0;
200
- }
201
-
202
- memcpy(buf, password, len);
203
- return (int) len;
204
- }
205
-
206
- static VALUE
207
- sslctx_alloc(VALUE klass) {
208
- SSL_CTX *ctx;
209
- long mode = 0 |
210
- SSL_MODE_ENABLE_PARTIAL_WRITE |
211
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
212
- SSL_MODE_RELEASE_BUFFERS;
213
-
214
- #ifdef HAVE_TLS_SERVER_METHOD
215
- ctx = SSL_CTX_new(TLS_method());
216
- // printf("\nctx using TLS_method security_level %d\n", SSL_CTX_get_security_level(ctx));
217
- #else
218
- ctx = SSL_CTX_new(SSLv23_method());
219
- #endif
220
- if (!ctx) {
221
- rb_raise(eError, "SSL_CTX_new");
222
- }
223
- SSL_CTX_set_mode(ctx, mode);
224
-
225
- return TypedData_Wrap_Struct(klass, &sslctx_type, ctx);
226
- }
227
-
228
- VALUE
229
- sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
230
- SSL_CTX* ctx;
231
- int ssl_options;
232
- VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
233
- verification_flags, session_id_bytes, cert_pem, key_pem, key_password_command, key_password;
234
- BIO *bio;
235
- X509 *x509 = NULL;
236
- EVP_PKEY *pkey;
237
- pem_password_cb *password_cb = NULL;
238
- const char *password = NULL;
239
- #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
240
- int min;
241
- #endif
242
- #ifndef HAVE_SSL_CTX_SET_DH_AUTO
243
- DH *dh;
244
- #endif
245
- #if OPENSSL_VERSION_NUMBER < 0x10002000L
246
- EC_KEY *ecdh;
247
- #endif
248
- #ifdef HAVE_SSL_CTX_SET_SESSION_CACHE_MODE
249
- VALUE reuse, reuse_cache_size, reuse_timeout;
250
-
251
- reuse = rb_funcall(mini_ssl_ctx, rb_intern_const("reuse"), 0);
252
- reuse_cache_size = rb_funcall(mini_ssl_ctx, rb_intern_const("reuse_cache_size"), 0);
253
- reuse_timeout = rb_funcall(mini_ssl_ctx, rb_intern_const("reuse_timeout"), 0);
254
- #endif
255
-
256
- key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
257
-
258
- key_password_command = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password_command"), 0);
259
-
260
- cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
261
-
262
- ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
263
-
264
- cert_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("cert_pem"), 0);
265
-
266
- key_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("key_pem"), 0);
267
-
268
- verify_mode = rb_funcall(mini_ssl_ctx, rb_intern_const("verify_mode"), 0);
269
-
270
- ssl_cipher_filter = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_cipher_filter"), 0);
271
-
272
- no_tlsv1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1"), 0);
273
-
274
- no_tlsv1_1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1_1"), 0);
275
-
276
- TypedData_Get_Struct(self, SSL_CTX, &sslctx_type, ctx);
277
-
278
- if (!NIL_P(cert)) {
279
- StringValue(cert);
280
-
281
- if (SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert)) != 1) {
282
- raise_file_error("SSL_CTX_use_certificate_chain_file", RSTRING_PTR(cert));
283
- }
284
- }
285
-
286
- if (!NIL_P(key_password_command)) {
287
- key_password = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password"), 0);
288
-
289
- if (!NIL_P(key_password)) {
290
- StringValue(key_password);
291
- password_cb = password_callback;
292
- password = RSTRING_PTR(key_password);
293
- SSL_CTX_set_default_passwd_cb(ctx, password_cb);
294
- SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) password);
295
- }
296
- }
297
-
298
- if (!NIL_P(key)) {
299
- StringValue(key);
300
-
301
- if (SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM) != 1) {
302
- raise_file_error("SSL_CTX_use_PrivateKey_file", RSTRING_PTR(key));
303
- }
304
- }
305
-
306
- if (!NIL_P(cert_pem)) {
307
- X509 *ca = NULL;
308
- unsigned long err;
309
-
310
- bio = BIO_new(BIO_s_mem());
311
- BIO_puts(bio, RSTRING_PTR(cert_pem));
312
-
313
- /**
314
- * Much of this pulled as a simplified version of the `use_certificate_chain_file` method
315
- * from openssl's `ssl_rsa.c` file.
316
- */
317
-
318
- /* first read the cert as the first item in the pem file */
319
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
320
- if (NULL == x509) {
321
- BIO_free_all(bio);
322
- raise_param_error("PEM_read_bio_X509", "cert_pem");
323
- }
324
-
325
- /* Add the cert to the context */
326
- /* 1 is success - otherwise check the error codes */
327
- if (1 != SSL_CTX_use_certificate(ctx, x509)) {
328
- BIO_free_all(bio);
329
- raise_param_error("SSL_CTX_use_certificate", "cert_pem");
330
- }
331
-
332
- X509_free(x509); /* no longer need our reference */
333
-
334
- /* Now lets load up the rest of the certificate chain */
335
- /* 1 is success 0 is error */
336
- if (0 == SSL_CTX_clear_chain_certs(ctx)) {
337
- BIO_free_all(bio);
338
- raise_param_error("SSL_CTX_clear_chain_certs","cert_pem");
339
- }
340
-
341
- while (1) {
342
- ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
343
-
344
- if (NULL == ca) {
345
- break;
346
- }
347
-
348
- if (0 == SSL_CTX_add0_chain_cert(ctx, ca)) {
349
- BIO_free_all(bio);
350
- raise_param_error("SSL_CTX_add0_chain_cert","cert_pem");
351
- }
352
- /* don't free ca - its now owned by the context */
353
- }
354
-
355
- /* ca is NULL - so its either the end of the file or an error */
356
- err = ERR_peek_last_error();
357
-
358
- /* If its the end of the file - then we are done, in any case free the bio */
359
- BIO_free_all(bio);
360
-
361
- if ((ERR_GET_LIB(err) == ERR_LIB_PEM) && (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
362
- ERR_clear_error();
363
- } else {
364
- raise_param_error("PEM_read_bio_X509","cert_pem");
365
- }
366
- }
367
-
368
- if (!NIL_P(key_pem)) {
369
- bio = BIO_new(BIO_s_mem());
370
- BIO_puts(bio, RSTRING_PTR(key_pem));
371
- pkey = PEM_read_bio_PrivateKey(bio, NULL, password_cb, (void *) password);
372
-
373
- if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
374
- BIO_free(bio);
375
- raise_file_error("SSL_CTX_use_PrivateKey", RSTRING_PTR(key_pem));
376
- }
377
- EVP_PKEY_free(pkey);
378
- BIO_free(bio);
379
- }
380
-
381
- verification_flags = rb_funcall(mini_ssl_ctx, rb_intern_const("verification_flags"), 0);
382
-
383
- if (!NIL_P(verification_flags)) {
384
- X509_VERIFY_PARAM *param = SSL_CTX_get0_param(ctx);
385
- X509_VERIFY_PARAM_set_flags(param, NUM2INT(verification_flags));
386
- SSL_CTX_set1_param(ctx, param);
387
- }
388
-
389
- if (!NIL_P(ca)) {
390
- StringValue(ca);
391
- if (SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL) != 1) {
392
- raise_file_error("SSL_CTX_load_verify_locations", RSTRING_PTR(ca));
393
- }
394
- }
395
-
396
- ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION;
397
-
398
- #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
399
- if (RTEST(no_tlsv1_1)) {
400
- min = TLS1_2_VERSION;
401
- }
402
- else if (RTEST(no_tlsv1)) {
403
- min = TLS1_1_VERSION;
404
- }
405
- else {
406
- min = TLS1_VERSION;
407
- }
408
-
409
- SSL_CTX_set_min_proto_version(ctx, min);
410
-
411
- #else
412
- /* As of 1.0.2f, SSL_OP_SINGLE_DH_USE key use is always on */
413
- ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;
414
-
415
- if (RTEST(no_tlsv1)) {
416
- ssl_options |= SSL_OP_NO_TLSv1;
417
- }
418
- if(RTEST(no_tlsv1_1)) {
419
- ssl_options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
420
- }
421
- #endif
422
-
423
- #ifdef HAVE_SSL_CTX_SET_SESSION_CACHE_MODE
424
- if (!NIL_P(reuse)) {
425
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
426
- if (!NIL_P(reuse_cache_size)) {
427
- SSL_CTX_sess_set_cache_size(ctx, NUM2INT(reuse_cache_size));
428
- }
429
- if (!NIL_P(reuse_timeout)) {
430
- SSL_CTX_set_timeout(ctx, NUM2INT(reuse_timeout));
431
- }
432
- } else {
433
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
434
- }
435
- #endif
436
-
437
- SSL_CTX_set_options(ctx, ssl_options);
438
-
439
- if (!NIL_P(ssl_cipher_filter)) {
440
- StringValue(ssl_cipher_filter);
441
- SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(ssl_cipher_filter));
442
- }
443
- else {
444
- SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
445
- }
446
-
447
- #if OPENSSL_VERSION_NUMBER < 0x10002000L
448
- // Remove this case if OpenSSL 1.0.1 (now EOL) support is no longer needed.
449
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
450
- if (ecdh) {
451
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
452
- EC_KEY_free(ecdh);
453
- }
454
- #elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
455
- SSL_CTX_set_ecdh_auto(ctx, 1);
456
- #endif
457
-
458
- if (NIL_P(verify_mode)) {
459
- /* SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); */
460
- } else {
461
- SSL_CTX_set_verify(ctx, NUM2INT(verify_mode), engine_verify_callback);
462
- }
463
-
464
- // Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
465
- session_id_bytes = rb_funcall(
466
- #ifdef HAVE_RANDOM_BYTES
467
- rb_cRandom,
468
- #else
469
- rb_const_get(rb_cRandom, rb_intern_const("DEFAULT")),
470
- #endif
471
- rb_intern_const("bytes"),
472
- 1, ULL2NUM(SSL_MAX_SSL_SESSION_ID_LENGTH));
473
-
474
- SSL_CTX_set_session_id_context(ctx,
475
- (unsigned char *) RSTRING_PTR(session_id_bytes),
476
- SSL_MAX_SSL_SESSION_ID_LENGTH);
477
-
478
- // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
479
-
480
- #ifdef HAVE_SSL_CTX_SET_DH_AUTO
481
- // https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
482
- SSL_CTX_set_dh_auto(ctx, 1);
483
- #else
484
- dh = get_dh2048();
485
- SSL_CTX_set_tmp_dh(ctx, dh);
486
- #endif
487
-
488
- rb_obj_freeze(self);
489
- return self;
490
- }
491
-
492
- VALUE engine_init_server(VALUE self, VALUE sslctx) {
493
- ms_conn* conn;
494
- VALUE obj;
495
- SSL_CTX* ctx;
496
- SSL* ssl;
497
-
498
- conn = engine_alloc(self, &obj);
499
-
500
- TypedData_Get_Struct(sslctx, SSL_CTX, &sslctx_type, ctx);
501
-
502
- ssl = SSL_new(ctx);
503
- conn->ssl = ssl;
504
- SSL_set_app_data(ssl, NULL);
505
- SSL_set_bio(ssl, conn->read, conn->write);
506
- SSL_set_accept_state(ssl);
507
- return obj;
508
- }
509
-
510
- VALUE engine_init_client(VALUE klass) {
511
- VALUE obj;
512
- ms_conn* conn = engine_alloc(klass, &obj);
513
- #ifdef HAVE_DTLS_METHOD
514
- conn->ctx = SSL_CTX_new(DTLS_method());
515
- #else
516
- conn->ctx = SSL_CTX_new(DTLSv1_method());
517
- #endif
518
- conn->ssl = SSL_new(conn->ctx);
519
- SSL_set_app_data(conn->ssl, NULL);
520
- SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
521
-
522
- SSL_set_bio(conn->ssl, conn->read, conn->write);
523
-
524
- SSL_set_connect_state(conn->ssl);
525
- return obj;
526
- }
527
-
528
- VALUE engine_inject(VALUE self, VALUE str) {
529
- ms_conn* conn;
530
- long used;
531
-
532
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
533
-
534
- StringValue(str);
535
-
536
- used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str));
537
-
538
- if(used == 0 || used == -1) {
539
- return Qfalse;
540
- }
541
-
542
- return INT2FIX(used);
543
- }
544
-
545
- NORETURN(void raise_error(SSL* ssl, int result));
546
-
547
- void raise_error(SSL* ssl, int result) {
548
- char buf[512];
549
- char msg[512];
550
- const char* err_str;
551
- int err = errno;
552
- int mask = 4095;
553
- int ssl_err = SSL_get_error(ssl, result);
554
- int verify_err = (int) SSL_get_verify_result(ssl);
555
-
556
- if(SSL_ERROR_SYSCALL == ssl_err) {
557
- snprintf(msg, sizeof(msg), "System error: %s - %d", strerror(err), err);
558
-
559
- } else if(SSL_ERROR_SSL == ssl_err) {
560
- if(X509_V_OK != verify_err) {
561
- err_str = X509_verify_cert_error_string(verify_err);
562
- snprintf(msg, sizeof(msg),
563
- "OpenSSL certificate verification error: %s - %d",
564
- err_str, verify_err);
565
-
566
- } else {
567
- err = (int) ERR_get_error();
568
- ERR_error_string_n(err, buf, sizeof(buf));
569
- snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err & mask);
570
- }
571
- } else {
572
- snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
573
- }
574
-
575
- ERR_clear_error();
576
- rb_raise(eError, "%s", msg);
577
- }
578
-
579
- VALUE engine_read(VALUE self) {
580
- ms_conn* conn;
581
- char buf[512];
582
- int bytes, error;
583
-
584
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
585
-
586
- ERR_clear_error();
587
-
588
- bytes = SSL_read(conn->ssl, (void*)buf, sizeof(buf));
589
-
590
- if(bytes > 0) {
591
- return rb_str_new(buf, bytes);
592
- }
593
-
594
- if(SSL_want_read(conn->ssl)) return Qnil;
595
-
596
- error = SSL_get_error(conn->ssl, bytes);
597
-
598
- if(error == SSL_ERROR_ZERO_RETURN) {
599
- rb_eof_error();
600
- } else {
601
- raise_error(conn->ssl, bytes);
602
- }
603
-
604
- return Qnil;
605
- }
606
-
607
- VALUE engine_write(VALUE self, VALUE str) {
608
- ms_conn* conn;
609
- int bytes;
610
-
611
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
612
-
613
- StringValue(str);
614
-
615
- ERR_clear_error();
616
-
617
- bytes = SSL_write(conn->ssl, (void*)RSTRING_PTR(str), (int)RSTRING_LEN(str));
618
- if(bytes > 0) {
619
- return INT2FIX(bytes);
620
- }
621
-
622
- if(SSL_want_write(conn->ssl)) return Qnil;
623
-
624
- raise_error(conn->ssl, bytes);
625
-
626
- return Qnil;
627
- }
628
-
629
- VALUE engine_extract(VALUE self) {
630
- ms_conn* conn;
631
- int bytes;
632
- size_t pending;
633
- // https://www.openssl.org/docs/manmaster/man3/BIO_f_buffer.html
634
- // crypto/bio/bf_buff.c DEFAULT_BUFFER_SIZE
635
- char buf[4096];
636
-
637
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
638
-
639
- pending = BIO_pending(conn->write);
640
- if(pending > 0) {
641
- bytes = BIO_read(conn->write, buf, sizeof(buf));
642
- if(bytes > 0) {
643
- return rb_str_new(buf, bytes);
644
- } else if(!BIO_should_retry(conn->write)) {
645
- raise_error(conn->ssl, bytes);
646
- }
647
- }
648
-
649
- return Qnil;
650
- }
651
-
652
- VALUE engine_shutdown(VALUE self) {
653
- ms_conn* conn;
654
- int ok;
655
-
656
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
657
-
658
- ERR_clear_error();
659
-
660
- ok = SSL_shutdown(conn->ssl);
661
- if (ok == 0) {
662
- return Qfalse;
663
- }
664
-
665
- return Qtrue;
666
- }
667
-
668
- VALUE engine_init(VALUE self) {
669
- ms_conn* conn;
670
-
671
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
672
-
673
- return SSL_in_init(conn->ssl) ? Qtrue : Qfalse;
674
- }
675
-
676
- VALUE engine_peercert(VALUE self) {
677
- ms_conn* conn;
678
- X509* cert;
679
- int bytes;
680
- unsigned char* buf = NULL;
681
- ms_cert_buf* cert_buf = NULL;
682
- VALUE rb_cert_buf;
683
-
684
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
685
-
686
- #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
687
- cert = SSL_get1_peer_certificate(conn->ssl);
688
- #else
689
- cert = SSL_get_peer_certificate(conn->ssl);
690
- #endif
691
- if(!cert) {
692
- /*
693
- * See if there was a failed certificate associated with this client.
694
- */
695
- cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
696
- if(!cert_buf) {
697
- return Qnil;
698
- }
699
- buf = cert_buf->buf;
700
- bytes = cert_buf->bytes;
701
-
702
- } else {
703
- bytes = i2d_X509(cert, &buf);
704
- X509_free(cert);
705
-
706
- if(bytes < 0) {
707
- return Qnil;
708
- }
709
- }
710
-
711
- rb_cert_buf = rb_str_new((const char*)(buf), bytes);
712
- if(!cert_buf) {
713
- OPENSSL_free(buf);
714
- }
715
-
716
- return rb_cert_buf;
717
- }
718
-
719
- /* @see Puma::MiniSSL::Socket#ssl_version_state
720
- * @version 5.0.0
721
- */
722
- static VALUE
723
- engine_ssl_vers_st(VALUE self) {
724
- ms_conn* conn;
725
- TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
726
- return rb_ary_new3(2, rb_str_new2(SSL_get_version(conn->ssl)), rb_str_new2(SSL_state_string(conn->ssl)));
727
- }
728
-
729
- VALUE noop(VALUE self) {
730
- return Qnil;
731
- }
732
-
733
- void Init_mini_ssl(VALUE puma) {
734
- VALUE mod, eng, sslctx;
735
-
736
- /* Fake operation for documentation (RDoc, YARD) */
737
- #if 0 == 1
738
- puma = rb_define_module("Puma");
739
- #endif
740
-
741
- SSL_library_init();
742
- OpenSSL_add_ssl_algorithms();
743
- SSL_load_error_strings();
744
- ERR_load_crypto_strings();
745
-
746
- mod = rb_define_module_under(puma, "MiniSSL");
747
-
748
- eng = rb_define_class_under(mod, "Engine", rb_cObject);
749
- rb_undef_alloc_func(eng);
750
-
751
- sslctx = rb_define_class_under(mod, "SSLContext", rb_cObject);
752
- rb_define_alloc_func(sslctx, sslctx_alloc);
753
- rb_define_method(sslctx, "initialize", sslctx_initialize, 1);
754
- rb_undef_method(sslctx, "initialize_copy");
755
-
756
-
757
- // OpenSSL Build / Runtime/Load versions
758
-
759
- /* Version of OpenSSL that Puma was compiled with */
760
- rb_define_const(mod, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
761
-
762
- #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
763
- /* Version of OpenSSL that Puma loaded with */
764
- rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
765
- #else
766
- rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
767
- #endif
768
-
769
- #if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
770
- /* True if SSL3 is not available */
771
- rb_define_const(mod, "OPENSSL_NO_SSL3", Qtrue);
772
- #else
773
- rb_define_const(mod, "OPENSSL_NO_SSL3", Qfalse);
774
- #endif
775
-
776
- #if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
777
- /* True if TLS1 is not available */
778
- rb_define_const(mod, "OPENSSL_NO_TLS1", Qtrue);
779
- #else
780
- rb_define_const(mod, "OPENSSL_NO_TLS1", Qfalse);
781
- #endif
782
-
783
- #if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
784
- /* True if TLS1_1 is not available */
785
- rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qtrue);
786
- #else
787
- rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qfalse);
788
- #endif
789
-
790
- rb_define_singleton_method(mod, "check", noop, 0);
791
-
792
- eError = rb_define_class_under(mod, "SSLError", rb_eStandardError);
793
-
794
- rb_define_singleton_method(eng, "server", engine_init_server, 1);
795
- rb_define_singleton_method(eng, "client", engine_init_client, 0);
796
-
797
- rb_define_method(eng, "inject", engine_inject, 1);
798
- rb_define_method(eng, "read", engine_read, 0);
799
-
800
- rb_define_method(eng, "write", engine_write, 1);
801
- rb_define_method(eng, "extract", engine_extract, 0);
802
-
803
- rb_define_method(eng, "shutdown", engine_shutdown, 0);
804
-
805
- rb_define_method(eng, "init?", engine_init, 0);
806
-
807
- /* @!attribute [r] peercert
808
- * Returns `nil` when `MiniSSL::Context#verify_mode` is set to `VERIFY_NONE`.
809
- * @return [String, nil] DER encoded cert
810
- */
811
- rb_define_method(eng, "peercert", engine_peercert, 0);
812
-
813
- rb_define_method(eng, "ssl_vers_st", engine_ssl_vers_st, 0);
814
- }
815
-
816
- #else
817
-
818
- NORETURN(VALUE raise_error(VALUE self));
819
-
820
- VALUE raise_error(VALUE self) {
821
- rb_raise(rb_eStandardError, "SSL not available in this build");
822
- }
823
-
824
- void Init_mini_ssl(VALUE puma) {
825
- VALUE mod;
826
-
827
- mod = rb_define_module_under(puma, "MiniSSL");
828
- rb_define_class_under(mod, "SSLError", rb_eStandardError);
829
-
830
- rb_define_singleton_method(mod, "check", raise_error, 0);
831
- }
832
- #endif