puma 4.3.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puma might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/History.md +1532 -0
- data/LICENSE +26 -0
- data/README.md +291 -0
- data/bin/puma +10 -0
- data/bin/puma-wild +31 -0
- data/bin/pumactl +12 -0
- data/docs/architecture.md +37 -0
- data/docs/deployment.md +111 -0
- data/docs/images/puma-connection-flow-no-reactor.png +0 -0
- data/docs/images/puma-connection-flow.png +0 -0
- data/docs/images/puma-general-arch.png +0 -0
- data/docs/nginx.md +80 -0
- data/docs/plugins.md +38 -0
- data/docs/restart.md +41 -0
- data/docs/signals.md +96 -0
- data/docs/systemd.md +290 -0
- data/docs/tcp_mode.md +96 -0
- data/ext/puma_http11/PumaHttp11Service.java +19 -0
- data/ext/puma_http11/ext_help.h +15 -0
- data/ext/puma_http11/extconf.rb +28 -0
- data/ext/puma_http11/http11_parser.c +1044 -0
- data/ext/puma_http11/http11_parser.h +65 -0
- data/ext/puma_http11/http11_parser.java.rl +145 -0
- data/ext/puma_http11/http11_parser.rl +147 -0
- data/ext/puma_http11/http11_parser_common.rl +54 -0
- data/ext/puma_http11/io_buffer.c +155 -0
- data/ext/puma_http11/mini_ssl.c +553 -0
- data/ext/puma_http11/org/jruby/puma/Http11.java +226 -0
- data/ext/puma_http11/org/jruby/puma/Http11Parser.java +455 -0
- data/ext/puma_http11/org/jruby/puma/IOBuffer.java +72 -0
- data/ext/puma_http11/org/jruby/puma/MiniSSL.java +363 -0
- data/ext/puma_http11/puma_http11.c +502 -0
- data/lib/puma.rb +31 -0
- data/lib/puma/accept_nonblock.rb +29 -0
- data/lib/puma/app/status.rb +80 -0
- data/lib/puma/binder.rb +385 -0
- data/lib/puma/cli.rb +239 -0
- data/lib/puma/client.rb +494 -0
- data/lib/puma/cluster.rb +554 -0
- data/lib/puma/commonlogger.rb +108 -0
- data/lib/puma/configuration.rb +362 -0
- data/lib/puma/const.rb +235 -0
- data/lib/puma/control_cli.rb +289 -0
- data/lib/puma/detect.rb +15 -0
- data/lib/puma/dsl.rb +740 -0
- data/lib/puma/events.rb +156 -0
- data/lib/puma/io_buffer.rb +4 -0
- data/lib/puma/jruby_restart.rb +84 -0
- data/lib/puma/launcher.rb +475 -0
- data/lib/puma/minissl.rb +278 -0
- data/lib/puma/minissl/context_builder.rb +76 -0
- data/lib/puma/null_io.rb +44 -0
- data/lib/puma/plugin.rb +120 -0
- data/lib/puma/plugin/tmp_restart.rb +36 -0
- data/lib/puma/rack/builder.rb +301 -0
- data/lib/puma/rack/urlmap.rb +93 -0
- data/lib/puma/rack_default.rb +9 -0
- data/lib/puma/reactor.rb +400 -0
- data/lib/puma/runner.rb +192 -0
- data/lib/puma/server.rb +1030 -0
- data/lib/puma/single.rb +123 -0
- data/lib/puma/state_file.rb +31 -0
- data/lib/puma/tcp_logger.rb +41 -0
- data/lib/puma/thread_pool.rb +328 -0
- data/lib/puma/util.rb +124 -0
- data/lib/rack/handler/puma.rb +115 -0
- data/tools/docker/Dockerfile +16 -0
- data/tools/jungle/README.md +19 -0
- data/tools/jungle/init.d/README.md +61 -0
- data/tools/jungle/init.d/puma +421 -0
- data/tools/jungle/init.d/run-puma +18 -0
- data/tools/jungle/rc.d/README.md +74 -0
- data/tools/jungle/rc.d/puma +61 -0
- data/tools/jungle/rc.d/puma.conf +10 -0
- data/tools/jungle/upstart/README.md +61 -0
- data/tools/jungle/upstart/puma-manager.conf +31 -0
- data/tools/jungle/upstart/puma.conf +69 -0
- data/tools/trickletest.rb +44 -0
- metadata +144 -0
@@ -0,0 +1,553 @@
|
|
1
|
+
#define RSTRING_NOT_MODIFIED 1
|
2
|
+
|
3
|
+
#include <ruby.h>
|
4
|
+
#include <ruby/version.h>
|
5
|
+
|
6
|
+
#if RUBY_API_VERSION_MAJOR == 1
|
7
|
+
#include <rubyio.h>
|
8
|
+
#else
|
9
|
+
#include <ruby/io.h>
|
10
|
+
#endif
|
11
|
+
|
12
|
+
#ifdef HAVE_OPENSSL_BIO_H
|
13
|
+
|
14
|
+
#include <openssl/bio.h>
|
15
|
+
#include <openssl/ssl.h>
|
16
|
+
#include <openssl/dh.h>
|
17
|
+
#include <openssl/err.h>
|
18
|
+
#include <openssl/x509.h>
|
19
|
+
|
20
|
+
#ifndef SSL_OP_NO_COMPRESSION
|
21
|
+
#define SSL_OP_NO_COMPRESSION 0
|
22
|
+
#endif
|
23
|
+
|
24
|
+
typedef struct {
|
25
|
+
BIO* read;
|
26
|
+
BIO* write;
|
27
|
+
SSL* ssl;
|
28
|
+
SSL_CTX* ctx;
|
29
|
+
} ms_conn;
|
30
|
+
|
31
|
+
typedef struct {
|
32
|
+
unsigned char* buf;
|
33
|
+
int bytes;
|
34
|
+
} ms_cert_buf;
|
35
|
+
|
36
|
+
void engine_free(ms_conn* conn) {
|
37
|
+
ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
|
38
|
+
if(cert_buf) {
|
39
|
+
OPENSSL_free(cert_buf->buf);
|
40
|
+
free(cert_buf);
|
41
|
+
}
|
42
|
+
SSL_free(conn->ssl);
|
43
|
+
SSL_CTX_free(conn->ctx);
|
44
|
+
|
45
|
+
free(conn);
|
46
|
+
}
|
47
|
+
|
48
|
+
ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
|
49
|
+
ms_conn* conn;
|
50
|
+
|
51
|
+
*obj = Data_Make_Struct(klass, ms_conn, 0, engine_free, conn);
|
52
|
+
|
53
|
+
conn->read = BIO_new(BIO_s_mem());
|
54
|
+
BIO_set_nbio(conn->read, 1);
|
55
|
+
|
56
|
+
conn->write = BIO_new(BIO_s_mem());
|
57
|
+
BIO_set_nbio(conn->write, 1);
|
58
|
+
|
59
|
+
conn->ssl = 0;
|
60
|
+
conn->ctx = 0;
|
61
|
+
|
62
|
+
return conn;
|
63
|
+
}
|
64
|
+
|
65
|
+
DH *get_dh1024() {
|
66
|
+
/* `openssl dhparam 1024 -C`
|
67
|
+
* -----BEGIN DH PARAMETERS-----
|
68
|
+
* MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk
|
69
|
+
* usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+
|
70
|
+
* KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC
|
71
|
+
* -----END DH PARAMETERS-----
|
72
|
+
*/
|
73
|
+
static unsigned char dh1024_p[] = {
|
74
|
+
0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C,
|
75
|
+
0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5,
|
76
|
+
0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E,
|
77
|
+
0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74,
|
78
|
+
0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0,
|
79
|
+
0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4,
|
80
|
+
0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0,
|
81
|
+
0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1,
|
82
|
+
0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71,
|
83
|
+
0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67,
|
84
|
+
0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B
|
85
|
+
};
|
86
|
+
static unsigned char dh1024_g[] = { 0x02 };
|
87
|
+
|
88
|
+
DH *dh;
|
89
|
+
dh = DH_new();
|
90
|
+
|
91
|
+
#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
|
92
|
+
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
93
|
+
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
94
|
+
|
95
|
+
if ((dh->p == NULL) || (dh->g == NULL)) {
|
96
|
+
DH_free(dh);
|
97
|
+
return NULL;
|
98
|
+
}
|
99
|
+
#else
|
100
|
+
BIGNUM *p, *g;
|
101
|
+
p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
102
|
+
g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
103
|
+
|
104
|
+
if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
|
105
|
+
DH_free(dh);
|
106
|
+
BN_free(p);
|
107
|
+
BN_free(g);
|
108
|
+
return NULL;
|
109
|
+
}
|
110
|
+
#endif
|
111
|
+
|
112
|
+
return dh;
|
113
|
+
}
|
114
|
+
|
115
|
+
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
|
116
|
+
X509* err_cert;
|
117
|
+
SSL* ssl;
|
118
|
+
int bytes;
|
119
|
+
unsigned char* buf = NULL;
|
120
|
+
|
121
|
+
if(!preverify_ok) {
|
122
|
+
err_cert = X509_STORE_CTX_get_current_cert(ctx);
|
123
|
+
if(err_cert) {
|
124
|
+
/*
|
125
|
+
* Save the failed certificate for inspection/logging.
|
126
|
+
*/
|
127
|
+
bytes = i2d_X509(err_cert, &buf);
|
128
|
+
if(bytes > 0) {
|
129
|
+
ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
|
130
|
+
cert_buf->buf = buf;
|
131
|
+
cert_buf->bytes = bytes;
|
132
|
+
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
133
|
+
SSL_set_app_data(ssl, cert_buf);
|
134
|
+
}
|
135
|
+
}
|
136
|
+
}
|
137
|
+
|
138
|
+
return preverify_ok;
|
139
|
+
}
|
140
|
+
|
141
|
+
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
|
142
|
+
VALUE obj;
|
143
|
+
SSL_CTX* ctx;
|
144
|
+
SSL* ssl;
|
145
|
+
int min, ssl_options;
|
146
|
+
|
147
|
+
ms_conn* conn = engine_alloc(self, &obj);
|
148
|
+
|
149
|
+
ID sym_key = rb_intern("key");
|
150
|
+
VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
|
151
|
+
|
152
|
+
StringValue(key);
|
153
|
+
|
154
|
+
ID sym_cert = rb_intern("cert");
|
155
|
+
VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
|
156
|
+
|
157
|
+
StringValue(cert);
|
158
|
+
|
159
|
+
ID sym_ca = rb_intern("ca");
|
160
|
+
VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
|
161
|
+
|
162
|
+
ID sym_verify_mode = rb_intern("verify_mode");
|
163
|
+
VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
|
164
|
+
|
165
|
+
ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter");
|
166
|
+
VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0);
|
167
|
+
|
168
|
+
ID sym_no_tlsv1 = rb_intern("no_tlsv1");
|
169
|
+
VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0);
|
170
|
+
|
171
|
+
ID sym_no_tlsv1_1 = rb_intern("no_tlsv1_1");
|
172
|
+
VALUE no_tlsv1_1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1_1, 0);
|
173
|
+
|
174
|
+
#ifdef HAVE_TLS_SERVER_METHOD
|
175
|
+
ctx = SSL_CTX_new(TLS_server_method());
|
176
|
+
#else
|
177
|
+
ctx = SSL_CTX_new(SSLv23_server_method());
|
178
|
+
#endif
|
179
|
+
conn->ctx = ctx;
|
180
|
+
|
181
|
+
SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
|
182
|
+
SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
|
183
|
+
|
184
|
+
if (!NIL_P(ca)) {
|
185
|
+
StringValue(ca);
|
186
|
+
SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
|
187
|
+
}
|
188
|
+
|
189
|
+
ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION;
|
190
|
+
|
191
|
+
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
|
192
|
+
if (RTEST(no_tlsv1_1)) {
|
193
|
+
min = TLS1_2_VERSION;
|
194
|
+
}
|
195
|
+
else if (RTEST(no_tlsv1)) {
|
196
|
+
min = TLS1_1_VERSION;
|
197
|
+
}
|
198
|
+
else {
|
199
|
+
min = TLS1_VERSION;
|
200
|
+
}
|
201
|
+
|
202
|
+
SSL_CTX_set_min_proto_version(ctx, min);
|
203
|
+
|
204
|
+
SSL_CTX_set_options(ctx, ssl_options);
|
205
|
+
|
206
|
+
#else
|
207
|
+
/* As of 1.0.2f, SSL_OP_SINGLE_DH_USE key use is always on */
|
208
|
+
ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;
|
209
|
+
|
210
|
+
if (RTEST(no_tlsv1)) {
|
211
|
+
ssl_options |= SSL_OP_NO_TLSv1;
|
212
|
+
}
|
213
|
+
if(RTEST(no_tlsv1_1)) {
|
214
|
+
ssl_options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
|
215
|
+
}
|
216
|
+
SSL_CTX_set_options(ctx, ssl_options);
|
217
|
+
#endif
|
218
|
+
|
219
|
+
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
220
|
+
|
221
|
+
if (!NIL_P(ssl_cipher_filter)) {
|
222
|
+
StringValue(ssl_cipher_filter);
|
223
|
+
SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(ssl_cipher_filter));
|
224
|
+
}
|
225
|
+
else {
|
226
|
+
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
|
227
|
+
}
|
228
|
+
|
229
|
+
DH *dh = get_dh1024();
|
230
|
+
SSL_CTX_set_tmp_dh(ctx, dh);
|
231
|
+
|
232
|
+
#if OPENSSL_VERSION_NUMBER < 0x10002000L
|
233
|
+
// Remove this case if OpenSSL 1.0.1 (now EOL) support is no
|
234
|
+
// longer needed.
|
235
|
+
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
236
|
+
if (ecdh) {
|
237
|
+
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
|
238
|
+
EC_KEY_free(ecdh);
|
239
|
+
}
|
240
|
+
#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
241
|
+
// Prior to OpenSSL 1.1.0, servers must manually enable server-side ECDH
|
242
|
+
// negotiation.
|
243
|
+
SSL_CTX_set_ecdh_auto(ctx, 1);
|
244
|
+
#endif
|
245
|
+
|
246
|
+
ssl = SSL_new(ctx);
|
247
|
+
conn->ssl = ssl;
|
248
|
+
SSL_set_app_data(ssl, NULL);
|
249
|
+
|
250
|
+
if (NIL_P(verify_mode)) {
|
251
|
+
/* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
|
252
|
+
} else {
|
253
|
+
SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
|
254
|
+
}
|
255
|
+
|
256
|
+
SSL_set_bio(ssl, conn->read, conn->write);
|
257
|
+
|
258
|
+
SSL_set_accept_state(ssl);
|
259
|
+
return obj;
|
260
|
+
}
|
261
|
+
|
262
|
+
VALUE engine_init_client(VALUE klass) {
|
263
|
+
VALUE obj;
|
264
|
+
ms_conn* conn = engine_alloc(klass, &obj);
|
265
|
+
#ifdef HAVE_DTLS_METHOD
|
266
|
+
conn->ctx = SSL_CTX_new(DTLS_method());
|
267
|
+
#else
|
268
|
+
conn->ctx = SSL_CTX_new(DTLSv1_method());
|
269
|
+
#endif
|
270
|
+
conn->ssl = SSL_new(conn->ctx);
|
271
|
+
SSL_set_app_data(conn->ssl, NULL);
|
272
|
+
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
|
273
|
+
|
274
|
+
SSL_set_bio(conn->ssl, conn->read, conn->write);
|
275
|
+
|
276
|
+
SSL_set_connect_state(conn->ssl);
|
277
|
+
return obj;
|
278
|
+
}
|
279
|
+
|
280
|
+
VALUE engine_inject(VALUE self, VALUE str) {
|
281
|
+
ms_conn* conn;
|
282
|
+
long used;
|
283
|
+
|
284
|
+
Data_Get_Struct(self, ms_conn, conn);
|
285
|
+
|
286
|
+
StringValue(str);
|
287
|
+
|
288
|
+
used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str));
|
289
|
+
|
290
|
+
if(used == 0 || used == -1) {
|
291
|
+
return Qfalse;
|
292
|
+
}
|
293
|
+
|
294
|
+
return INT2FIX(used);
|
295
|
+
}
|
296
|
+
|
297
|
+
static VALUE eError;
|
298
|
+
|
299
|
+
void raise_error(SSL* ssl, int result) {
|
300
|
+
char buf[512];
|
301
|
+
char msg[512];
|
302
|
+
const char* err_str;
|
303
|
+
int err = errno;
|
304
|
+
int ssl_err = SSL_get_error(ssl, result);
|
305
|
+
int verify_err = (int) SSL_get_verify_result(ssl);
|
306
|
+
|
307
|
+
if(SSL_ERROR_SYSCALL == ssl_err) {
|
308
|
+
snprintf(msg, sizeof(msg), "System error: %s - %d", strerror(err), err);
|
309
|
+
|
310
|
+
} else if(SSL_ERROR_SSL == ssl_err) {
|
311
|
+
if(X509_V_OK != verify_err) {
|
312
|
+
err_str = X509_verify_cert_error_string(verify_err);
|
313
|
+
snprintf(msg, sizeof(msg),
|
314
|
+
"OpenSSL certificate verification error: %s - %d",
|
315
|
+
err_str, verify_err);
|
316
|
+
|
317
|
+
} else {
|
318
|
+
err = (int) ERR_get_error();
|
319
|
+
ERR_error_string_n(err, buf, sizeof(buf));
|
320
|
+
snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err);
|
321
|
+
|
322
|
+
}
|
323
|
+
} else {
|
324
|
+
snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
|
325
|
+
}
|
326
|
+
|
327
|
+
ERR_clear_error();
|
328
|
+
rb_raise(eError, "%s", msg);
|
329
|
+
}
|
330
|
+
|
331
|
+
VALUE engine_read(VALUE self) {
|
332
|
+
ms_conn* conn;
|
333
|
+
char buf[512];
|
334
|
+
int bytes, error;
|
335
|
+
|
336
|
+
Data_Get_Struct(self, ms_conn, conn);
|
337
|
+
|
338
|
+
ERR_clear_error();
|
339
|
+
|
340
|
+
bytes = SSL_read(conn->ssl, (void*)buf, sizeof(buf));
|
341
|
+
|
342
|
+
if(bytes > 0) {
|
343
|
+
return rb_str_new(buf, bytes);
|
344
|
+
}
|
345
|
+
|
346
|
+
if(SSL_want_read(conn->ssl)) return Qnil;
|
347
|
+
|
348
|
+
error = SSL_get_error(conn->ssl, bytes);
|
349
|
+
|
350
|
+
if(error == SSL_ERROR_ZERO_RETURN) {
|
351
|
+
rb_eof_error();
|
352
|
+
} else {
|
353
|
+
raise_error(conn->ssl, bytes);
|
354
|
+
}
|
355
|
+
|
356
|
+
return Qnil;
|
357
|
+
}
|
358
|
+
|
359
|
+
VALUE engine_write(VALUE self, VALUE str) {
|
360
|
+
ms_conn* conn;
|
361
|
+
int bytes;
|
362
|
+
|
363
|
+
Data_Get_Struct(self, ms_conn, conn);
|
364
|
+
|
365
|
+
StringValue(str);
|
366
|
+
|
367
|
+
ERR_clear_error();
|
368
|
+
|
369
|
+
bytes = SSL_write(conn->ssl, (void*)RSTRING_PTR(str), (int)RSTRING_LEN(str));
|
370
|
+
if(bytes > 0) {
|
371
|
+
return INT2FIX(bytes);
|
372
|
+
}
|
373
|
+
|
374
|
+
if(SSL_want_write(conn->ssl)) return Qnil;
|
375
|
+
|
376
|
+
raise_error(conn->ssl, bytes);
|
377
|
+
|
378
|
+
return Qnil;
|
379
|
+
}
|
380
|
+
|
381
|
+
VALUE engine_extract(VALUE self) {
|
382
|
+
ms_conn* conn;
|
383
|
+
int bytes;
|
384
|
+
size_t pending;
|
385
|
+
char buf[512];
|
386
|
+
|
387
|
+
Data_Get_Struct(self, ms_conn, conn);
|
388
|
+
|
389
|
+
pending = BIO_pending(conn->write);
|
390
|
+
if(pending > 0) {
|
391
|
+
bytes = BIO_read(conn->write, buf, sizeof(buf));
|
392
|
+
if(bytes > 0) {
|
393
|
+
return rb_str_new(buf, bytes);
|
394
|
+
} else if(!BIO_should_retry(conn->write)) {
|
395
|
+
raise_error(conn->ssl, bytes);
|
396
|
+
}
|
397
|
+
}
|
398
|
+
|
399
|
+
return Qnil;
|
400
|
+
}
|
401
|
+
|
402
|
+
VALUE engine_shutdown(VALUE self) {
|
403
|
+
ms_conn* conn;
|
404
|
+
int ok;
|
405
|
+
|
406
|
+
Data_Get_Struct(self, ms_conn, conn);
|
407
|
+
|
408
|
+
ERR_clear_error();
|
409
|
+
|
410
|
+
ok = SSL_shutdown(conn->ssl);
|
411
|
+
if (ok == 0) {
|
412
|
+
return Qfalse;
|
413
|
+
}
|
414
|
+
|
415
|
+
return Qtrue;
|
416
|
+
}
|
417
|
+
|
418
|
+
VALUE engine_init(VALUE self) {
|
419
|
+
ms_conn* conn;
|
420
|
+
|
421
|
+
Data_Get_Struct(self, ms_conn, conn);
|
422
|
+
|
423
|
+
return SSL_in_init(conn->ssl) ? Qtrue : Qfalse;
|
424
|
+
}
|
425
|
+
|
426
|
+
VALUE engine_peercert(VALUE self) {
|
427
|
+
ms_conn* conn;
|
428
|
+
X509* cert;
|
429
|
+
int bytes;
|
430
|
+
unsigned char* buf = NULL;
|
431
|
+
ms_cert_buf* cert_buf = NULL;
|
432
|
+
VALUE rb_cert_buf;
|
433
|
+
|
434
|
+
Data_Get_Struct(self, ms_conn, conn);
|
435
|
+
|
436
|
+
cert = SSL_get_peer_certificate(conn->ssl);
|
437
|
+
if(!cert) {
|
438
|
+
/*
|
439
|
+
* See if there was a failed certificate associated with this client.
|
440
|
+
*/
|
441
|
+
cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
|
442
|
+
if(!cert_buf) {
|
443
|
+
return Qnil;
|
444
|
+
}
|
445
|
+
buf = cert_buf->buf;
|
446
|
+
bytes = cert_buf->bytes;
|
447
|
+
|
448
|
+
} else {
|
449
|
+
bytes = i2d_X509(cert, &buf);
|
450
|
+
X509_free(cert);
|
451
|
+
|
452
|
+
if(bytes < 0) {
|
453
|
+
return Qnil;
|
454
|
+
}
|
455
|
+
}
|
456
|
+
|
457
|
+
rb_cert_buf = rb_str_new((const char*)(buf), bytes);
|
458
|
+
if(!cert_buf) {
|
459
|
+
OPENSSL_free(buf);
|
460
|
+
}
|
461
|
+
|
462
|
+
return rb_cert_buf;
|
463
|
+
}
|
464
|
+
|
465
|
+
VALUE noop(VALUE self) {
|
466
|
+
return Qnil;
|
467
|
+
}
|
468
|
+
|
469
|
+
void Init_mini_ssl(VALUE puma) {
|
470
|
+
VALUE mod, eng;
|
471
|
+
|
472
|
+
/* Fake operation for documentation (RDoc, YARD) */
|
473
|
+
#if 0 == 1
|
474
|
+
puma = rb_define_module("Puma");
|
475
|
+
#endif
|
476
|
+
|
477
|
+
SSL_library_init();
|
478
|
+
OpenSSL_add_ssl_algorithms();
|
479
|
+
SSL_load_error_strings();
|
480
|
+
ERR_load_crypto_strings();
|
481
|
+
|
482
|
+
mod = rb_define_module_under(puma, "MiniSSL");
|
483
|
+
eng = rb_define_class_under(mod, "Engine", rb_cObject);
|
484
|
+
|
485
|
+
// OpenSSL Build / Runtime/Load versions
|
486
|
+
|
487
|
+
/* Version of OpenSSL that Puma was compiled with */
|
488
|
+
rb_define_const(mod, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
|
489
|
+
|
490
|
+
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
|
491
|
+
/* Version of OpenSSL that Puma loaded with */
|
492
|
+
rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
|
493
|
+
#else
|
494
|
+
rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
|
495
|
+
#endif
|
496
|
+
|
497
|
+
#if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
|
498
|
+
/* True if SSL3 is not available */
|
499
|
+
rb_define_const(mod, "OPENSSL_NO_SSL3", Qtrue);
|
500
|
+
#else
|
501
|
+
rb_define_const(mod, "OPENSSL_NO_SSL3", Qfalse);
|
502
|
+
#endif
|
503
|
+
|
504
|
+
#if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
|
505
|
+
/* True if TLS1 is not available */
|
506
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1", Qtrue);
|
507
|
+
#else
|
508
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1", Qfalse);
|
509
|
+
#endif
|
510
|
+
|
511
|
+
#if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
|
512
|
+
/* True if TLS1_1 is not available */
|
513
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qtrue);
|
514
|
+
#else
|
515
|
+
rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qfalse);
|
516
|
+
#endif
|
517
|
+
|
518
|
+
rb_define_singleton_method(mod, "check", noop, 0);
|
519
|
+
|
520
|
+
eError = rb_define_class_under(mod, "SSLError", rb_eStandardError);
|
521
|
+
|
522
|
+
rb_define_singleton_method(eng, "server", engine_init_server, 1);
|
523
|
+
rb_define_singleton_method(eng, "client", engine_init_client, 0);
|
524
|
+
|
525
|
+
rb_define_method(eng, "inject", engine_inject, 1);
|
526
|
+
rb_define_method(eng, "read", engine_read, 0);
|
527
|
+
|
528
|
+
rb_define_method(eng, "write", engine_write, 1);
|
529
|
+
rb_define_method(eng, "extract", engine_extract, 0);
|
530
|
+
|
531
|
+
rb_define_method(eng, "shutdown", engine_shutdown, 0);
|
532
|
+
|
533
|
+
rb_define_method(eng, "init?", engine_init, 0);
|
534
|
+
|
535
|
+
rb_define_method(eng, "peercert", engine_peercert, 0);
|
536
|
+
}
|
537
|
+
|
538
|
+
#else
|
539
|
+
|
540
|
+
VALUE raise_error(VALUE self) {
|
541
|
+
rb_raise(rb_eStandardError, "SSL not available in this build");
|
542
|
+
return Qnil;
|
543
|
+
}
|
544
|
+
|
545
|
+
void Init_mini_ssl(VALUE puma) {
|
546
|
+
VALUE mod;
|
547
|
+
|
548
|
+
mod = rb_define_module_under(puma, "MiniSSL");
|
549
|
+
rb_define_class_under(mod, "SSLError", rb_eStandardError);
|
550
|
+
|
551
|
+
rb_define_singleton_method(mod, "check", raise_error, 0);
|
552
|
+
}
|
553
|
+
#endif
|