puma 4.3.12 → 5.6.4

data/ext/puma_http11/mini_ssl.c

@@ -2,12 +2,7 @@
 
 #include <ruby.h>
 #include <ruby/version.h>
-
-#if RUBY_API_VERSION_MAJOR == 1
-#include <rubyio.h>
-#else
 #include <ruby/io.h>
-#endif
 
 #ifdef HAVE_OPENSSL_BIO_H
 
@@ -33,7 +28,10 @@ typedef struct {
   int bytes;
 } ms_cert_buf;
 
-void engine_free(ms_conn* conn) {
+VALUE eError;
+
+void engine_free(void *ptr) {
+  ms_conn *conn = ptr;
   ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
   if(cert_buf) {
     OPENSSL_free(cert_buf->buf);
@@ -45,23 +43,13 @@ void engine_free(ms_conn* conn) {
   free(conn);
 }
 
-ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
-  ms_conn* conn;
-
-  *obj = Data_Make_Struct(klass, ms_conn, 0, engine_free, conn);
-
-  conn->read = BIO_new(BIO_s_mem());
-  BIO_set_nbio(conn->read, 1);
-
-  conn->write = BIO_new(BIO_s_mem());
-  BIO_set_nbio(conn->write, 1);
-
-  conn->ssl = 0;
-  conn->ctx = 0;
-
-  return conn;
-}
+const rb_data_type_t engine_data_type = {
+    "MiniSSL/ENGINE",
+    { 0, engine_free, 0 },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
 
+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
 DH *get_dh2048(void) {
   /* `openssl dhparam -C 2048`
    * -----BEGIN DH PARAMETERS-----
@@ -132,6 +120,38 @@ DH *get_dh2048(void) {
 
   return dh;
 }
+#endif
+
+static void
+sslctx_free(void *ptr) {
+  SSL_CTX *ctx = ptr;
+  SSL_CTX_free(ctx);
+}
+
+static const rb_data_type_t sslctx_type = {
+  "MiniSSL/SSLContext",
+  {
+    0, sslctx_free,
+  },
+  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
+  ms_conn* conn;
+
+  *obj = TypedData_Make_Struct(klass, ms_conn, &engine_data_type, conn);
+
+  conn->read = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->read, 1);
+
+  conn->write = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->write, 1);
+
+  conn->ssl = 0;
+  conn->ctx = 0;
+
+  return conn;
+}
 
 static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   X509* err_cert;
@@ -159,48 +179,102 @@ static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   return preverify_ok;
 }
 
-VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
-  VALUE obj, session_id_bytes;
+static VALUE
+sslctx_alloc(VALUE klass) {
+  SSL_CTX *ctx;
+  long mode = 0 |
+    SSL_MODE_ENABLE_PARTIAL_WRITE |
+    SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+    SSL_MODE_RELEASE_BUFFERS;
+
+#ifdef HAVE_TLS_SERVER_METHOD
+  ctx = SSL_CTX_new(TLS_method());
+  // printf("\nctx using TLS_method security_level %d\n", SSL_CTX_get_security_level(ctx));
+#else
+  ctx = SSL_CTX_new(SSLv23_method());
+#endif
+  if (!ctx) {
+    rb_raise(eError, "SSL_CTX_new");
+  }
+  SSL_CTX_set_mode(ctx, mode);
+
+  return TypedData_Wrap_Struct(klass, &sslctx_type, ctx);
+}
+
+VALUE
+sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   SSL_CTX* ctx;
-  SSL* ssl;
-  int min, ssl_options;
 
-  ms_conn* conn = engine_alloc(self, &obj);
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+  int min;
+#endif
+  int ssl_options;
+  VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
+    verification_flags, session_id_bytes, cert_pem, key_pem;
+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
+  DH *dh;
+#endif
+  BIO *bio;
+  X509 *x509;
+  EVP_PKEY *pkey;
 
-  ID sym_key = rb_intern("key");
-  VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  EC_KEY *ecdh;
+#endif
 
-  StringValue(key);
+  TypedData_Get_Struct(self, SSL_CTX, &sslctx_type, ctx);
 
-  ID sym_cert = rb_intern("cert");
-  VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
+  key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
 
-  StringValue(cert);
+  cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
 
-  ID sym_ca = rb_intern("ca");
-  VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
+  ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
 
-  ID sym_verify_mode = rb_intern("verify_mode");
-  VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
+  cert_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("cert_pem"), 0);
 
-  ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter");
-  VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0);
+  key_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("key_pem"), 0);
 
-  ID sym_no_tlsv1 = rb_intern("no_tlsv1");
-  VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0);
+  verify_mode = rb_funcall(mini_ssl_ctx, rb_intern_const("verify_mode"), 0);
 
-  ID sym_no_tlsv1_1 = rb_intern("no_tlsv1_1");
-  VALUE no_tlsv1_1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1_1, 0);
+  ssl_cipher_filter = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_cipher_filter"), 0);
 
-#ifdef HAVE_TLS_SERVER_METHOD
-  ctx = SSL_CTX_new(TLS_server_method());
-#else
-  ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
-  conn->ctx = ctx;
+  no_tlsv1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1"), 0);
+
+  no_tlsv1_1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1_1"), 0);
 
-  SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
-  SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+  if (!NIL_P(cert)) {
+    StringValue(cert);
+    SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
+  }
+
+  if (!NIL_P(key)) {
+    StringValue(key);
+    SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+  }
+
+  if (!NIL_P(cert_pem)) {
+    bio = BIO_new(BIO_s_mem());
+    BIO_puts(bio, RSTRING_PTR(cert_pem));
+    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+    SSL_CTX_use_certificate(ctx, x509);
+  }
+
+  if (!NIL_P(key_pem)) {
+    bio = BIO_new(BIO_s_mem());
+    BIO_puts(bio, RSTRING_PTR(key_pem));
+    pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+
+    SSL_CTX_use_PrivateKey(ctx, pkey);
+  }
+
+  verification_flags = rb_funcall(mini_ssl_ctx, rb_intern_const("verification_flags"), 0);
+
+  if (!NIL_P(verification_flags)) {
+    X509_VERIFY_PARAM *param = SSL_CTX_get0_param(ctx);
+    X509_VERIFY_PARAM_set_flags(param, NUM2INT(verification_flags));
+    SSL_CTX_set1_param(ctx, param);
+  }
 
   if (!NIL_P(ca)) {
     StringValue(ca);
@@ -247,6 +321,24 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
     SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
   }
 
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  // Remove this case if OpenSSL 1.0.1 (now EOL) support is no
+  // longer needed.
+  ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  if (ecdh) {
+    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+    EC_KEY_free(ecdh);
+  }
+#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+  SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif
+
+  if (NIL_P(verify_mode)) {
+    /* SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); */
+  } else {
+    SSL_CTX_set_verify(ctx, NUM2INT(verify_mode), engine_verify_callback);
+  }
+
   // Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
   session_id_bytes = rb_funcall(
 #ifdef HAVE_RANDOM_BYTES
@@ -261,35 +353,34 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
                                  (unsigned char *) RSTRING_PTR(session_id_bytes),
                                  SSL_MAX_SSL_SESSION_ID_LENGTH);
 
-  DH *dh = get_dh2048();
-  SSL_CTX_set_tmp_dh(ctx, dh);
+  // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-  // Remove this case if OpenSSL 1.0.1 (now EOL) support is no
-  // longer needed.
-  EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-  if (ecdh) {
-    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-    EC_KEY_free(ecdh);
-  }
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-  // Prior to OpenSSL 1.1.0, servers must manually enable server-side ECDH
-  // negotiation.
-  SSL_CTX_set_ecdh_auto(ctx, 1);
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  // https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
+  SSL_CTX_set_dh_auto(ctx, 1);
+#else
+  dh = get_dh2048();
+  SSL_CTX_set_tmp_dh(ctx, dh);
 #endif
 
+  rb_obj_freeze(self);
+  return self;
+}
+
+VALUE engine_init_server(VALUE self, VALUE sslctx) {
+  ms_conn* conn;
+  VALUE obj;
+  SSL_CTX* ctx;
+  SSL* ssl;
+
+  conn = engine_alloc(self, &obj);
+
+  TypedData_Get_Struct(sslctx, SSL_CTX, &sslctx_type, ctx);
+
   ssl = SSL_new(ctx);
   conn->ssl = ssl;
   SSL_set_app_data(ssl, NULL);
-
-  if (NIL_P(verify_mode)) {
-    /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
-  } else {
-    SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
-  }
-
   SSL_set_bio(ssl, conn->read, conn->write);
-
   SSL_set_accept_state(ssl);
   return obj;
 }
@@ -316,7 +407,7 @@ VALUE engine_inject(VALUE self, VALUE str) {
   ms_conn* conn;
   long used;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   StringValue(str);
 
@@ -329,13 +420,14 @@ VALUE engine_inject(VALUE self, VALUE str) {
   return INT2FIX(used);
 }
 
-static VALUE eError;
+NORETURN(void raise_error(SSL* ssl, int result));
 
 void raise_error(SSL* ssl, int result) {
   char buf[512];
   char msg[512];
   const char* err_str;
   int err = errno;
+  int mask = 4095;
   int ssl_err = SSL_get_error(ssl, result);
   int verify_err = (int) SSL_get_verify_result(ssl);
 
@@ -352,8 +444,7 @@ void raise_error(SSL* ssl, int result) {
     } else {
       err = (int) ERR_get_error();
       ERR_error_string_n(err, buf, sizeof(buf));
-      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err);
-
+      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err & mask);
     }
   } else {
     snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
@@ -368,7 +459,7 @@ VALUE engine_read(VALUE self) {
   char buf[512];
   int bytes, error;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   ERR_clear_error();
 
@@ -395,7 +486,7 @@ VALUE engine_write(VALUE self, VALUE str) {
   ms_conn* conn;
   int bytes;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   StringValue(str);
 
@@ -417,9 +508,11 @@ VALUE engine_extract(VALUE self) {
   ms_conn* conn;
   int bytes;
   size_t pending;
-  char buf[512];
+  // https://www.openssl.org/docs/manmaster/man3/BIO_f_buffer.html
+  // crypto/bio/bf_buff.c DEFAULT_BUFFER_SIZE
+  char buf[4096];
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   pending = BIO_pending(conn->write);
   if(pending > 0) {
@@ -438,7 +531,7 @@ VALUE engine_shutdown(VALUE self) {
   ms_conn* conn;
   int ok;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   ERR_clear_error();
 
@@ -453,7 +546,7 @@ VALUE engine_shutdown(VALUE self) {
 VALUE engine_init(VALUE self) {
   ms_conn* conn;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
   return SSL_in_init(conn->ssl) ? Qtrue : Qfalse;
 }
@@ -466,9 +559,13 @@ VALUE engine_peercert(VALUE self) {
   ms_cert_buf* cert_buf = NULL;
   VALUE rb_cert_buf;
 
-  Data_Get_Struct(self, ms_conn, conn);
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  cert = SSL_get1_peer_certificate(conn->ssl);
+#else
   cert = SSL_get_peer_certificate(conn->ssl);
+#endif
   if(!cert) {
     /*
      * See if there was a failed certificate associated with this client.
@@ -497,12 +594,22 @@ VALUE engine_peercert(VALUE self) {
   return rb_cert_buf;
 }
 
+/* @see Puma::MiniSSL::Socket#ssl_version_state
+ * @version 5.0.0
+ */
+static VALUE
+engine_ssl_vers_st(VALUE self) {
+  ms_conn* conn;
+  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
+  return rb_ary_new3(2, rb_str_new2(SSL_get_version(conn->ssl)), rb_str_new2(SSL_state_string(conn->ssl)));
+}
+
 VALUE noop(VALUE self) {
   return Qnil;
 }
 
 void Init_mini_ssl(VALUE puma) {
-  VALUE mod, eng;
+  VALUE mod, eng, sslctx;
 
 /* Fake operation for documentation (RDoc, YARD) */
 #if 0 == 1
@@ -515,7 +622,15 @@ void Init_mini_ssl(VALUE puma) {
   ERR_load_crypto_strings();
 
   mod = rb_define_module_under(puma, "MiniSSL");
+
   eng = rb_define_class_under(mod, "Engine", rb_cObject);
+  rb_undef_alloc_func(eng);
+
+  sslctx = rb_define_class_under(mod, "SSLContext", rb_cObject);
+  rb_define_alloc_func(sslctx, sslctx_alloc);
+  rb_define_method(sslctx, "initialize", sslctx_initialize, 1);
+  rb_undef_method(sslctx, "initialize_copy");
+
 
   // OpenSSL Build / Runtime/Load versions
 
@@ -568,13 +683,16 @@ void Init_mini_ssl(VALUE puma) {
   rb_define_method(eng, "init?", engine_init, 0);
 
   rb_define_method(eng, "peercert", engine_peercert, 0);
+
+  rb_define_method(eng, "ssl_vers_st", engine_ssl_vers_st, 0);
 }
 
 #else
 
+NORETURN(VALUE raise_error(VALUE self));
+
 VALUE raise_error(VALUE self) {
   rb_raise(rb_eStandardError, "SSL not available in this build");
-  return Qnil;
 }
 
 void Init_mini_ssl(VALUE puma) {

data/ext/puma_http11/no_ssl/PumaHttp11Service.java

@@ -0,0 +1,15 @@
+package puma;
+
+import java.io.IOException;
+
+import org.jruby.Ruby;
+import org.jruby.runtime.load.BasicLibraryService;
+
+import org.jruby.puma.Http11;
+
+public class PumaHttp11Service implements BasicLibraryService {
+    public boolean basicLoad(final Ruby runtime) throws IOException {
+        Http11.createHttp11(runtime);
+        return true;
+    }
+}

data/ext/puma_http11/org/jruby/puma/Http11.java

@@ -30,8 +30,8 @@ public class Http11 extends RubyObject {
     public final static String MAX_REQUEST_URI_LENGTH_ERR = "HTTP element REQUEST_URI is longer than the 12288 allowed length.";
     public final static int MAX_FRAGMENT_LENGTH = 1024;
     public final static String MAX_FRAGMENT_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the 1024 allowed length.";
-    public final static int MAX_REQUEST_PATH_LENGTH = 2048;
-    public final static String MAX_REQUEST_PATH_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the 2048 allowed length.";
+    public final static int MAX_REQUEST_PATH_LENGTH = 8192;
+    public final static String MAX_REQUEST_PATH_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the 8192 allowed length.";
     public final static int MAX_QUERY_STRING_LENGTH = 1024 * 10;
     public final static String MAX_QUERY_STRING_LENGTH_ERR = "HTTP element QUERY_STRING is longer than the 10240 allowed length.";
     public final static int MAX_HEADER_LENGTH = 1024 * (80 + 32);
@@ -197,7 +197,7 @@ public class Http11 extends RubyObject {
             validateMaxLength(runtime, parser.nread,MAX_HEADER_LENGTH, MAX_HEADER_LENGTH_ERR);
 
             if(hp.has_error()) {
-                throw newHTTPParserError(runtime, "Invalid HTTP format, parsing fails.");
+                throw newHTTPParserError(runtime, "Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma?");
             } else {
                 return runtime.newFixnum(parser.nread);
             }

data/ext/puma_http11/org/jruby/puma/Http11Parser.java

@@ -184,8 +184,6 @@ static final int puma_parser_start = 1;
 static final int puma_parser_first_final = 46;
 static final int puma_parser_error = 0;
 
-static final int puma_parser_en_main = 1;
-
 
 // line 62 "ext/puma_http11/http11_parser.java.rl"
 
@@ -214,7 +212,7 @@ static final int puma_parser_en_main = 1;
           cs = 0;
 
           
-// line 218 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
+// line 216 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
 	{
 	cs = puma_parser_start;
 	}
@@ -246,7 +244,7 @@ static final int puma_parser_en_main = 1;
      parser.buffer = buffer;
 
      
-// line 250 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
+// line 248 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
 	{
 	int _klen;
 	int _trans = 0;
@@ -402,7 +400,7 @@ case 1:
     { p += 1; _goto_targ = 5; if (true)  continue _goto;}
   }
 	break;
-// line 406 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
+// line 404 "ext/puma_http11/org/jruby/puma/Http11Parser.java"
 			}
 		}
 	}