openssl 2.1.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +35 -45
  3. data/History.md +232 -0
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +61 -46
  6. data/ext/openssl/openssl_missing.c +0 -66
  7. data/ext/openssl/openssl_missing.h +60 -44
  8. data/ext/openssl/ossl.c +112 -66
  9. data/ext/openssl/ossl.h +28 -11
  10. data/ext/openssl/ossl_asn1.c +42 -5
  11. data/ext/openssl/ossl_bn.c +276 -146
  12. data/ext/openssl/ossl_bn.h +2 -1
  13. data/ext/openssl/ossl_cipher.c +38 -29
  14. data/ext/openssl/ossl_config.c +412 -41
  15. data/ext/openssl/ossl_config.h +4 -7
  16. data/ext/openssl/ossl_digest.c +31 -62
  17. data/ext/openssl/ossl_engine.c +18 -27
  18. data/ext/openssl/ossl_hmac.c +52 -145
  19. data/ext/openssl/ossl_kdf.c +11 -19
  20. data/ext/openssl/ossl_ns_spki.c +1 -1
  21. data/ext/openssl/ossl_ocsp.c +9 -62
  22. data/ext/openssl/ossl_ocsp.h +3 -3
  23. data/ext/openssl/ossl_pkcs12.c +21 -3
  24. data/ext/openssl/ossl_pkcs7.c +45 -78
  25. data/ext/openssl/ossl_pkcs7.h +16 -0
  26. data/ext/openssl/ossl_pkey.c +1255 -178
  27. data/ext/openssl/ossl_pkey.h +40 -77
  28. data/ext/openssl/ossl_pkey_dh.c +125 -335
  29. data/ext/openssl/ossl_pkey_dsa.c +93 -398
  30. data/ext/openssl/ossl_pkey_ec.c +155 -318
  31. data/ext/openssl/ossl_pkey_rsa.c +105 -484
  32. data/ext/openssl/ossl_rand.c +2 -40
  33. data/ext/openssl/ossl_ssl.c +395 -364
  34. data/ext/openssl/ossl_ssl_session.c +24 -29
  35. data/ext/openssl/ossl_ts.c +1539 -0
  36. data/ext/openssl/ossl_ts.h +16 -0
  37. data/ext/openssl/ossl_x509.c +86 -1
  38. data/ext/openssl/ossl_x509cert.c +166 -10
  39. data/ext/openssl/ossl_x509crl.c +10 -7
  40. data/ext/openssl/ossl_x509ext.c +15 -2
  41. data/ext/openssl/ossl_x509name.c +16 -5
  42. data/ext/openssl/ossl_x509req.c +10 -7
  43. data/ext/openssl/ossl_x509store.c +193 -92
  44. data/lib/openssl/bn.rb +1 -1
  45. data/lib/openssl/buffering.rb +42 -17
  46. data/lib/openssl/cipher.rb +1 -1
  47. data/lib/openssl/digest.rb +10 -12
  48. data/lib/openssl/hmac.rb +78 -0
  49. data/lib/openssl/marshal.rb +30 -0
  50. data/lib/openssl/pkcs5.rb +1 -1
  51. data/lib/openssl/pkey.rb +435 -1
  52. data/lib/openssl/ssl.rb +53 -14
  53. data/lib/openssl/version.rb +5 -0
  54. data/lib/openssl/x509.rb +177 -1
  55. data/lib/openssl.rb +24 -9
  56. metadata +13 -69
  57. data/ext/openssl/deprecation.rb +0 -23
  58. data/ext/openssl/ossl_version.h +0 -15
  59. data/ext/openssl/ruby_missing.h +0 -24
  60. data/lib/openssl/config.rb +0 -474
data/lib/openssl/pkey.rb CHANGED
@@ -1,11 +1,290 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  #--
3
3
  # Ruby/OpenSSL Project
4
4
  # Copyright (C) 2017 Ruby/OpenSSL Project Authors
5
5
  #++
6
6
 
7
+ require_relative 'marshal'
8
+
7
9
  module OpenSSL::PKey
10
+ class DH
11
+ include OpenSSL::Marshal
12
+
13
+ # :call-seq:
14
+ # dh.public_key -> dhnew
15
+ #
16
+ # Returns a new DH instance that carries just the \DH parameters.
17
+ #
18
+ # Contrary to the method name, the returned DH object contains only
19
+ # parameters and not the public key.
20
+ #
21
+ # This method is provided for backwards compatibility. In most cases, there
22
+ # is no need to call this method.
23
+ #
24
+ # For the purpose of re-generating the key pair while keeping the
25
+ # parameters, check OpenSSL::PKey.generate_key.
26
+ #
27
+ # Example:
28
+ # # OpenSSL::PKey::DH.generate by default generates a random key pair
29
+ # dh1 = OpenSSL::PKey::DH.generate(2048)
30
+ # p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
31
+ # dhcopy = dh1.public_key
32
+ # p dhcopy.priv_key #=> nil
33
+ def public_key
34
+ DH.new(to_der)
35
+ end
36
+
37
+ # :call-seq:
38
+ # dh.compute_key(pub_bn) -> string
39
+ #
40
+ # Returns a String containing a shared secret computed from the other
41
+ # party's public value.
42
+ #
43
+ # This method is provided for backwards compatibility, and calls #derive
44
+ # internally.
45
+ #
46
+ # === Parameters
47
+ # * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by
48
+ # DH#public_key as that contains the DH parameters only.
49
+ def compute_key(pub_bn)
50
+ # FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
51
+ # inefficient
52
+ obj = OpenSSL::ASN1.Sequence([
53
+ OpenSSL::ASN1.Sequence([
54
+ OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
55
+ OpenSSL::ASN1.Sequence([
56
+ OpenSSL::ASN1.Integer(p),
57
+ OpenSSL::ASN1.Integer(g),
58
+ ]),
59
+ ]),
60
+ OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
61
+ ])
62
+ derive(OpenSSL::PKey.read(obj.to_der))
63
+ end
64
+
65
+ # :call-seq:
66
+ # dh.generate_key! -> self
67
+ #
68
+ # Generates a private and public key unless a private key already exists.
69
+ # If this DH instance was generated from public \DH parameters (e.g. by
70
+ # encoding the result of DH#public_key), then this method needs to be
71
+ # called first in order to generate the per-session keys before performing
72
+ # the actual key exchange.
73
+ #
74
+ # <b>Deprecated in version 3.0</b>. This method is incompatible with
75
+ # OpenSSL 3.0.0 or later.
76
+ #
77
+ # See also OpenSSL::PKey.generate_key.
78
+ #
79
+ # Example:
80
+ # # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
81
+ # dh0 = OpenSSL::PKey::DH.new(2048)
82
+ # dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
83
+ # dh.generate_key!
84
+ # puts dh.private? # => true
85
+ # puts dh0.pub_key == dh.pub_key #=> false
86
+ #
87
+ # # With OpenSSL::PKey.generate_key
88
+ # dh0 = OpenSSL::PKey::DH.new(2048)
89
+ # dh = OpenSSL::PKey.generate_key(dh0)
90
+ # puts dh0.pub_key == dh.pub_key #=> false
91
+ def generate_key!
92
+ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
93
+ raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
94
+ "use OpenSSL::PKey.generate_key instead"
95
+ end
96
+
97
+ unless priv_key
98
+ tmp = OpenSSL::PKey.generate_key(self)
99
+ set_key(tmp.pub_key, tmp.priv_key)
100
+ end
101
+ self
102
+ end
103
+
104
+ class << self
105
+ # :call-seq:
106
+ # DH.generate(size, generator = 2) -> dh
107
+ #
108
+ # Creates a new DH instance from scratch by generating random parameters
109
+ # and a key pair.
110
+ #
111
+ # See also OpenSSL::PKey.generate_parameters and
112
+ # OpenSSL::PKey.generate_key.
113
+ #
114
+ # +size+::
115
+ # The desired key size in bits.
116
+ # +generator+::
117
+ # The generator.
118
+ def generate(size, generator = 2, &blk)
119
+ dhparams = OpenSSL::PKey.generate_parameters("DH", {
120
+ "dh_paramgen_prime_len" => size,
121
+ "dh_paramgen_generator" => generator,
122
+ }, &blk)
123
+ OpenSSL::PKey.generate_key(dhparams)
124
+ end
125
+
126
+ # Handle DH.new(size, generator) form here; new(str) and new() forms
127
+ # are handled by #initialize
128
+ def new(*args, &blk) # :nodoc:
129
+ if args[0].is_a?(Integer)
130
+ generate(*args, &blk)
131
+ else
132
+ super
133
+ end
134
+ end
135
+ end
136
+ end
137
+
138
+ class DSA
139
+ include OpenSSL::Marshal
140
+
141
+ # :call-seq:
142
+ # dsa.public_key -> dsanew
143
+ #
144
+ # Returns a new DSA instance that carries just the \DSA parameters and the
145
+ # public key.
146
+ #
147
+ # This method is provided for backwards compatibility. In most cases, there
148
+ # is no need to call this method.
149
+ #
150
+ # For the purpose of serializing the public key, to PEM or DER encoding of
151
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
152
+ # PKey#public_to_der.
153
+ def public_key
154
+ OpenSSL::PKey.read(public_to_der)
155
+ end
156
+
157
+ class << self
158
+ # :call-seq:
159
+ # DSA.generate(size) -> dsa
160
+ #
161
+ # Creates a new DSA instance by generating a private/public key pair
162
+ # from scratch.
163
+ #
164
+ # See also OpenSSL::PKey.generate_parameters and
165
+ # OpenSSL::PKey.generate_key.
166
+ #
167
+ # +size+::
168
+ # The desired key size in bits.
169
+ def generate(size, &blk)
170
+ dsaparams = OpenSSL::PKey.generate_parameters("DSA", {
171
+ "dsa_paramgen_bits" => size,
172
+ }, &blk)
173
+ OpenSSL::PKey.generate_key(dsaparams)
174
+ end
175
+
176
+ # Handle DSA.new(size) form here; new(str) and new() forms
177
+ # are handled by #initialize
178
+ def new(*args, &blk) # :nodoc:
179
+ if args[0].is_a?(Integer)
180
+ generate(*args, &blk)
181
+ else
182
+ super
183
+ end
184
+ end
185
+ end
186
+
187
+ # :call-seq:
188
+ # dsa.syssign(string) -> string
189
+ #
190
+ # Computes and returns the \DSA signature of +string+, where +string+ is
191
+ # expected to be an already-computed message digest of the original input
192
+ # data. The signature is issued using the private key of this DSA instance.
193
+ #
194
+ # <b>Deprecated in version 3.0</b>.
195
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
196
+ #
197
+ # +string+::
198
+ # A message digest of the original input data to be signed.
199
+ #
200
+ # Example:
201
+ # dsa = OpenSSL::PKey::DSA.new(2048)
202
+ # doc = "Sign me"
203
+ # digest = OpenSSL::Digest.digest('SHA1', doc)
204
+ #
205
+ # # With legacy #syssign and #sysverify:
206
+ # sig = dsa.syssign(digest)
207
+ # p dsa.sysverify(digest, sig) #=> true
208
+ #
209
+ # # With #sign_raw and #verify_raw:
210
+ # sig = dsa.sign_raw(nil, digest)
211
+ # p dsa.verify_raw(nil, sig, digest) #=> true
212
+ def syssign(string)
213
+ q or raise OpenSSL::PKey::DSAError, "incomplete DSA"
214
+ private? or raise OpenSSL::PKey::DSAError, "Private DSA key needed!"
215
+ begin
216
+ sign_raw(nil, string)
217
+ rescue OpenSSL::PKey::PKeyError
218
+ raise OpenSSL::PKey::DSAError, $!.message
219
+ end
220
+ end
221
+
222
+ # :call-seq:
223
+ # dsa.sysverify(digest, sig) -> true | false
224
+ #
225
+ # Verifies whether the signature is valid given the message digest input.
226
+ # It does so by validating +sig+ using the public key of this DSA instance.
227
+ #
228
+ # <b>Deprecated in version 3.0</b>.
229
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
230
+ #
231
+ # +digest+::
232
+ # A message digest of the original input data to be signed.
233
+ # +sig+::
234
+ # A \DSA signature value.
235
+ def sysverify(digest, sig)
236
+ verify_raw(nil, sig, digest)
237
+ rescue OpenSSL::PKey::PKeyError
238
+ raise OpenSSL::PKey::DSAError, $!.message
239
+ end
240
+ end
241
+
8
242
  if defined?(EC)
243
+ class EC
244
+ include OpenSSL::Marshal
245
+
246
+ # :call-seq:
247
+ # key.dsa_sign_asn1(data) -> String
248
+ #
249
+ # <b>Deprecated in version 3.0</b>.
250
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
251
+ def dsa_sign_asn1(data)
252
+ sign_raw(nil, data)
253
+ rescue OpenSSL::PKey::PKeyError
254
+ raise OpenSSL::PKey::ECError, $!.message
255
+ end
256
+
257
+ # :call-seq:
258
+ # key.dsa_verify_asn1(data, sig) -> true | false
259
+ #
260
+ # <b>Deprecated in version 3.0</b>.
261
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw instead.
262
+ def dsa_verify_asn1(data, sig)
263
+ verify_raw(nil, sig, data)
264
+ rescue OpenSSL::PKey::PKeyError
265
+ raise OpenSSL::PKey::ECError, $!.message
266
+ end
267
+
268
+ # :call-seq:
269
+ # ec.dh_compute_key(pubkey) -> string
270
+ #
271
+ # Derives a shared secret by ECDH. _pubkey_ must be an instance of
272
+ # OpenSSL::PKey::EC::Point and must belong to the same group.
273
+ #
274
+ # This method is provided for backwards compatibility, and calls #derive
275
+ # internally.
276
+ def dh_compute_key(pubkey)
277
+ obj = OpenSSL::ASN1.Sequence([
278
+ OpenSSL::ASN1.Sequence([
279
+ OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
280
+ group.to_der,
281
+ ]),
282
+ OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
283
+ ])
284
+ derive(OpenSSL::PKey.read(obj.to_der))
285
+ end
286
+ end
287
+
9
288
  class EC::Point
10
289
  # :call-seq:
11
290
  # point.to_bn([conversion_form]) -> OpenSSL::BN
@@ -22,4 +301,159 @@ module OpenSSL::PKey
22
301
  end
23
302
  end
24
303
  end
304
+
305
+ class RSA
306
+ include OpenSSL::Marshal
307
+
308
+ # :call-seq:
309
+ # rsa.public_key -> rsanew
310
+ #
311
+ # Returns a new RSA instance that carries just the public key components.
312
+ #
313
+ # This method is provided for backwards compatibility. In most cases, there
314
+ # is no need to call this method.
315
+ #
316
+ # For the purpose of serializing the public key, to PEM or DER encoding of
317
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
318
+ # PKey#public_to_der.
319
+ def public_key
320
+ OpenSSL::PKey.read(public_to_der)
321
+ end
322
+
323
+ class << self
324
+ # :call-seq:
325
+ # RSA.generate(size, exponent = 65537) -> RSA
326
+ #
327
+ # Generates an \RSA keypair.
328
+ #
329
+ # See also OpenSSL::PKey.generate_key.
330
+ #
331
+ # +size+::
332
+ # The desired key size in bits.
333
+ # +exponent+::
334
+ # An odd Integer, normally 3, 17, or 65537.
335
+ def generate(size, exp = 0x10001, &blk)
336
+ OpenSSL::PKey.generate_key("RSA", {
337
+ "rsa_keygen_bits" => size,
338
+ "rsa_keygen_pubexp" => exp,
339
+ }, &blk)
340
+ end
341
+
342
+ # Handle RSA.new(size, exponent) form here; new(str) and new() forms
343
+ # are handled by #initialize
344
+ def new(*args, &blk) # :nodoc:
345
+ if args[0].is_a?(Integer)
346
+ generate(*args, &blk)
347
+ else
348
+ super
349
+ end
350
+ end
351
+ end
352
+
353
+ # :call-seq:
354
+ # rsa.private_encrypt(string) -> String
355
+ # rsa.private_encrypt(string, padding) -> String
356
+ #
357
+ # Encrypt +string+ with the private key. +padding+ defaults to
358
+ # PKCS1_PADDING. The encrypted string output can be decrypted using
359
+ # #public_decrypt.
360
+ #
361
+ # <b>Deprecated in version 3.0</b>.
362
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
363
+ # PKey::PKey#verify_recover instead.
364
+ def private_encrypt(string, padding = PKCS1_PADDING)
365
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
366
+ private? or raise OpenSSL::PKey::RSAError, "private key needed."
367
+ begin
368
+ sign_raw(nil, string, {
369
+ "rsa_padding_mode" => translate_padding_mode(padding),
370
+ })
371
+ rescue OpenSSL::PKey::PKeyError
372
+ raise OpenSSL::PKey::RSAError, $!.message
373
+ end
374
+ end
375
+
376
+ # :call-seq:
377
+ # rsa.public_decrypt(string) -> String
378
+ # rsa.public_decrypt(string, padding) -> String
379
+ #
380
+ # Decrypt +string+, which has been encrypted with the private key, with the
381
+ # public key. +padding+ defaults to PKCS1_PADDING.
382
+ #
383
+ # <b>Deprecated in version 3.0</b>.
384
+ # Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and
385
+ # PKey::PKey#verify_recover instead.
386
+ def public_decrypt(string, padding = PKCS1_PADDING)
387
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
388
+ begin
389
+ verify_recover(nil, string, {
390
+ "rsa_padding_mode" => translate_padding_mode(padding),
391
+ })
392
+ rescue OpenSSL::PKey::PKeyError
393
+ raise OpenSSL::PKey::RSAError, $!.message
394
+ end
395
+ end
396
+
397
+ # :call-seq:
398
+ # rsa.public_encrypt(string) -> String
399
+ # rsa.public_encrypt(string, padding) -> String
400
+ #
401
+ # Encrypt +string+ with the public key. +padding+ defaults to
402
+ # PKCS1_PADDING. The encrypted string output can be decrypted using
403
+ # #private_decrypt.
404
+ #
405
+ # <b>Deprecated in version 3.0</b>.
406
+ # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
407
+ def public_encrypt(data, padding = PKCS1_PADDING)
408
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
409
+ begin
410
+ encrypt(data, {
411
+ "rsa_padding_mode" => translate_padding_mode(padding),
412
+ })
413
+ rescue OpenSSL::PKey::PKeyError
414
+ raise OpenSSL::PKey::RSAError, $!.message
415
+ end
416
+ end
417
+
418
+ # :call-seq:
419
+ # rsa.private_decrypt(string) -> String
420
+ # rsa.private_decrypt(string, padding) -> String
421
+ #
422
+ # Decrypt +string+, which has been encrypted with the public key, with the
423
+ # private key. +padding+ defaults to PKCS1_PADDING.
424
+ #
425
+ # <b>Deprecated in version 3.0</b>.
426
+ # Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.
427
+ def private_decrypt(data, padding = PKCS1_PADDING)
428
+ n or raise OpenSSL::PKey::RSAError, "incomplete RSA"
429
+ private? or raise OpenSSL::PKey::RSAError, "private key needed."
430
+ begin
431
+ decrypt(data, {
432
+ "rsa_padding_mode" => translate_padding_mode(padding),
433
+ })
434
+ rescue OpenSSL::PKey::PKeyError
435
+ raise OpenSSL::PKey::RSAError, $!.message
436
+ end
437
+ end
438
+
439
+ PKCS1_PADDING = 1
440
+ SSLV23_PADDING = 2
441
+ NO_PADDING = 3
442
+ PKCS1_OAEP_PADDING = 4
443
+
444
+ private def translate_padding_mode(num)
445
+ case num
446
+ when PKCS1_PADDING
447
+ "pkcs1"
448
+ when SSLV23_PADDING
449
+ "sslv23"
450
+ when NO_PADDING
451
+ "none"
452
+ when PKCS1_OAEP_PADDING
453
+ "oaep"
454
+ else
455
+ raise OpenSSL::PKey::PKeyError, "unsupported padding mode"
456
+ end
457
+ end
458
+ end
25
459
  end
data/lib/openssl/ssl.rb CHANGED
@@ -1,4 +1,4 @@
1
- # frozen_string_literal: false
1
+ # frozen_string_literal: true
2
2
  =begin
3
3
  = Info
4
4
  'OpenSSL for Ruby 2' project
@@ -12,6 +12,8 @@
12
12
 
13
13
  require "openssl/buffering"
14
14
  require "io/nonblock"
15
+ require "ipaddr"
16
+ require "socket"
15
17
 
16
18
  module OpenSSL
17
19
  module SSL
@@ -89,15 +91,17 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
89
91
  DEFAULT_CERT_STORE.set_default_paths
90
92
  DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
91
93
 
92
- # A callback invoked when DH parameters are required.
94
+ # A callback invoked when DH parameters are required for ephemeral DH key
95
+ # exchange.
93
96
  #
94
- # The callback is invoked with the Session for the key exchange, an
97
+ # The callback is invoked with the SSLSocket, a
95
98
  # flag indicating the use of an export cipher and the keylength
96
99
  # required.
97
100
  #
98
101
  # The callback must return an OpenSSL::PKey::DH instance of the correct
99
102
  # key length.
100
-
103
+ #
104
+ # <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
101
105
  attr_accessor :tmp_dh_callback
102
106
 
103
107
  # A callback invoked at connect time to distinguish between multiple
@@ -120,6 +124,8 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
120
124
  def initialize(version = nil)
121
125
  self.options |= OpenSSL::SSL::OP_ALL
122
126
  self.ssl_version = version if version
127
+ self.verify_mode = OpenSSL::SSL::VERIFY_NONE
128
+ self.verify_hostname = false
123
129
  end
124
130
 
125
131
  ##
@@ -230,6 +236,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
230
236
  end
231
237
 
232
238
  module SocketForwarder
239
+ # The file descriptor for the socket.
240
+ def fileno
241
+ to_io.fileno
242
+ end
243
+
233
244
  def addr
234
245
  to_io.addr
235
246
  end
@@ -272,11 +283,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
272
283
  return true if verify_hostname(hostname, san.value)
273
284
  when 7 # iPAddress in GeneralName (RFC5280)
274
285
  should_verify_common_name = false
275
- # follows GENERAL_NAME_print() in x509v3/v3_alt.c
276
- if san.value.size == 4
277
- return true if san.value.unpack('C*').join('.') == hostname
278
- elsif san.value.size == 16
279
- return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
286
+ if san.value.size == 4 || san.value.size == 16
287
+ begin
288
+ return true if san.value == IPAddr.new(hostname).hton
289
+ rescue IPAddr::InvalidAddressError
290
+ end
280
291
  end
281
292
  end
282
293
  }
@@ -423,10 +434,6 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
423
434
  @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
424
435
  end
425
436
 
426
- def tmp_ecdh_callback
427
- @context.tmp_ecdh_callback
428
- end
429
-
430
437
  def session_new_cb
431
438
  @context.session_new_cb
432
439
  end
@@ -434,6 +441,38 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
434
441
  def session_get_cb
435
442
  @context.session_get_cb
436
443
  end
444
+
445
+ class << self
446
+
447
+ # call-seq:
448
+ # open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
449
+ #
450
+ # Creates a new instance of SSLSocket.
451
+ # _remote\_host_ and _remote\_port_ are used to open TCPSocket.
452
+ # If _local\_host_ and _local\_port_ are specified,
453
+ # then those parameters are used on the local end to establish the connection.
454
+ # If _context_ is provided,
455
+ # the SSL Sockets initial params will be taken from the context.
456
+ #
457
+ # === Examples
458
+ #
459
+ # sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
460
+ # sock.connect # Initiates a connection to localhost:443
461
+ #
462
+ # with SSLContext:
463
+ #
464
+ # ctx = OpenSSL::SSL::SSLContext.new
465
+ # sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
466
+ # sock.connect # Initiates a connection to localhost:443 with SSLContext
467
+ def open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
468
+ sock = ::TCPSocket.open(remote_host, remote_port, local_host, local_port)
469
+ if context.nil?
470
+ return OpenSSL::SSL::SSLSocket.new(sock)
471
+ else
472
+ return OpenSSL::SSL::SSLSocket.new(sock, context)
473
+ end
474
+ end
475
+ end
437
476
  end
438
477
 
439
478
  ##
@@ -464,7 +503,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
464
503
  end
465
504
 
466
505
  # See TCPServer#listen for details.
467
- def listen(backlog=5)
506
+ def listen(backlog=Socket::SOMAXCONN)
468
507
  @svr.listen(backlog)
469
508
  end
470
509
 
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module OpenSSL
4
+ VERSION = "3.0.0"
5
+ end