ruby-tls 2.1.2 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a60db39059fb7d735d7aa9201631628a65cf1291
-  data.tar.gz: dd41be2f38c92d9fedf92aec30620bead91c5c9d
+  metadata.gz: b85f5f85aa66d137ff1ff2bd3894adaf81d07679
+  data.tar.gz: e0034106218aaa3d0ecc11ff067363a364eababa
 SHA512:
-  metadata.gz: f088fbbd7c397ec37dd60efd2a8722b933673b0e21a31003dc67e6f159567e964af3f0fcd568930be60da39546120de6dd8195c59ad3be7ff35f07eaf495260b
-  data.tar.gz: b9293b184946062a3eef3a778c65d269bf28cd7ead8b4e1fe8fca9bfac1aa213adef0c8e20e1d7370e7d2a5036bb54c735697066bc1da45baedf68425bbfb1bc
+  metadata.gz: a4b103bd35d4eeb0f6e88ec95d03cdde3d282256567ac8ae6b6e2a714b8d81d16cc049475499bdca85aa4971ecfdc1f43caeafb73ef5a03509e3f93f125ac813
+  data.tar.gz: 5b50ebc3041e80fdba1fb24bcb55e3a3fc013e22e6ce23b5bb873badff8fa23b79c2e65818955a893081963367da21bf6c266159e02300da04dc1d254d209833

data/lib/ruby-tls.rb

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 
-require "ruby-tls/ssl"    # Loads OpenSSL using FFI
+require 'ruby-tls/ssl'    # Loads OpenSSL using FFI
 
 module RubyTls
 end

data/lib/ruby-tls/ssl.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require 'ffi'
 require 'ffi-compiler/loader'
 require 'thread'
-require 'thread_safe'
+require 'concurrent'
 
 
 module RubyTls
@@ -139,6 +141,32 @@ module RubyTls
             SSL_CTX_ctrl(ssl_ctx, SSL_CTRL_SET_SESS_CACHE_SIZE, op, nil)
         end
 
+        attach_function :SSL_ctrl, [:ssl, :int, :long, :pointer], :long
+        SSL_CTRL_SET_TLSEXT_HOSTNAME = 55
+        def self.SSL_set_tlsext_host_name(ssl, host_name)
+            name = FFI::MemoryPointer.from_string(host_name)
+            SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, name)
+        end
+
+        # Server Name Indication (SNI) Support
+        # NOTE:: We've hard coded the callback here (SSL defines a NULL callback)
+        callback :ssl_servername_cb, [:ssl, :pointer, :pointer], :int
+        attach_function :SSL_CTX_callback_ctrl, [:ssl_ctx, :int, :ssl_servername_cb], :long
+        SSL_CTRL_SET_TLSEXT_SERVERNAME_CB = 53
+        def self.SSL_CTX_set_tlsext_servername_callback(ctx, callback)
+            SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, callback)
+        end
+
+        attach_function :SSL_get_servername, [:ssl, :int], :string
+        TLSEXT_NAMETYPE_host_name = 0
+
+        attach_function :SSL_set_SSL_CTX, [:ssl, :ssl_ctx], :ssl_ctx
+
+        SSL_TLSEXT_ERR_OK = 0
+        SSL_TLSEXT_ERR_ALERT_WARNING = 1
+        SSL_TLSEXT_ERR_ALERT_FATAL = 2
+        SSL_TLSEXT_ERR_NOACK = 3
+
         attach_function :SSL_CTX_use_PrivateKey_file, [:ssl_ctx, :string, :int], :int, :blocking => true
         attach_function :SSL_CTX_use_PrivateKey, [:ssl_ctx, :pointer], :int
         attach_function :ERR_print_errors_fp, [:pointer], :void     # Pointer == File Handle
@@ -153,11 +181,6 @@ module RubyTls
         begin
             attach_function :SSL_CTX_set_alpn_protos, [:ssl_ctx, :string, :uint], :int
 
-            SSL_TLSEXT_ERR_OK = 0
-            SSL_TLSEXT_ERR_ALERT_WARNING = 1
-            SSL_TLSEXT_ERR_ALERT_FATAL = 2
-            SSL_TLSEXT_ERR_NOACK = 3
-
             OPENSSL_NPN_UNSUPPORTED = 0
             OPENSSL_NPN_NEGOTIATED = 1
             OPENSSL_NPN_NO_OVERLAP = 2
@@ -289,11 +312,11 @@ keystr
 
         class Context
             # Based on information from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-            CIPHERS = 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'.freeze
-            SESSION = 'ruby-tls'.freeze
+            CIPHERS = 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
+            SESSION = 'ruby-tls'
 
 
-            ALPN_LOOKUP = ThreadSafe::Cache.new
+            ALPN_LOOKUP = ::Concurrent::Map.new
             ALPN_Select_CB = FFI::Function.new(:int, [
                 # array of str, unit8 out,uint8 in,        *arg
                 :pointer, :pointer, :pointer, :string, :uint, :pointer
@@ -317,16 +340,19 @@ keystr
 
             def initialize(server, options = {})
                 @is_server = server
-                @ssl_ctx = SSL.SSL_CTX_new(server ? SSL.SSLv23_server_method : SSL.SSLv23_client_method)
-                SSL.SSL_CTX_set_options(@ssl_ctx, SSL::SSL_OP_ALL)
-                SSL.SSL_CTX_set_mode(@ssl_ctx, SSL::SSL_MODE_RELEASE_BUFFERS)
 
                 if @is_server
+                    @ssl_ctx = SSL.SSL_CTX_new(SSL.SSLv23_server_method)
                     set_private_key(options[:private_key] || SSL::DEFAULT_PRIVATE)
                     set_certificate(options[:cert_chain]  || SSL::DEFAULT_CERT)
                     set_client_ca(options[:client_ca])
+                else
+                    @ssl_ctx = SSL.SSL_CTX_new(SSL.SSLv23_client_method)
                 end
 
+                SSL.SSL_CTX_set_options(@ssl_ctx, SSL::SSL_OP_ALL)
+                SSL.SSL_CTX_set_mode(@ssl_ctx, SSL::SSL_MODE_RELEASE_BUFFERS)
+
                 SSL.SSL_CTX_set_cipher_list(@ssl_ctx, options[:ciphers] || CIPHERS)
                 @alpn_set = false
 
@@ -363,12 +389,30 @@ keystr
             attr_reader :alpn_set
             attr_reader :alpn_str
 
+            def add_server_name_indication
+                raise 'only valid for server mode context' unless @is_server
+                SSL.SSL_CTX_set_tlsext_servername_callback(@ssl_ctx, ServerNameCB)
+            end
+
+            ServerNameCB = FFI::Function.new(:int, [:pointer, :pointer, :pointer]) do |ssl, _, _|
+                ruby_ssl = Box::InstanceLookup[ssl.address]
+                return SSL::SSL_TLSEXT_ERR_NOACK unless ruby_ssl
+
+                ctx = ruby_ssl.hosts[SSL.SSL_get_servername(ssl, SSL::TLSEXT_NAMETYPE_host_name)]
+                if ctx
+                    SSL.SSL_set_SSL_CTX(ssl, ctx.ssl_ctx)
+                    SSL::SSL_TLSEXT_ERR_OK
+                else
+                    SSL::SSL_TLSEXT_ERR_ALERT_FATAL
+                end
+            end
+
 
             private
 
 
             def self.build_alpn_string(protos)
-                protocols = ''.force_encoding('ASCII-8BIT')
+                protocols = String.new.force_encoding('ASCII-8BIT')
                 protos.each do |prot|
                     protocol = prot.to_s
                     protocols << protocol.length
@@ -427,7 +471,7 @@ keystr
 
 
         class Box
-            InstanceLookup = ThreadSafe::Cache.new
+            InstanceLookup = ::Concurrent::Map.new
 
             READ_BUFFER = 2048
 
@@ -459,13 +503,47 @@ keystr
                     SSL.SSL_set_verify(@ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, VerifyCB)
                 end
 
+                # Add Server Name Indication (SNI) for client connections
+                if options[:host_name]
+                    if server
+                        @hosts = ::Concurrent::Map.new
+                        @hosts[options[:host_name].to_s] = @context
+                        @context.add_server_name_indication
+                    else
+                        SSL.SSL_set_tlsext_host_name(@ssl, options[:host_name])
+                    end
+                end
+
                 SSL.SSL_connect(@ssl) unless server
             end
 
 
-            attr_reader :is_server
-            attr_reader :context
+            def add_host(host_name:, **options)
+                raise 'Server Name Indication (SNI) not configured for default host' unless @hosts
+                raise 'only valid for server mode context' unless @is_server
+                context = Context.new(true, options)
+                @hosts[host_name.to_s] = context
+                context.add_server_name_indication
+                nil
+            end
+
+            # Careful with this.
+            # If you remove all the hosts you'll end up with a segfault
+            def remove_host(host_name)
+                raise 'Server Name Indication (SNI) not configured for default host' unless @hosts
+                raise 'only valid for server mode context' unless @is_server
+                context = @hosts[host_name.to_s]
+                if context
+                    @hosts.delete(host_name.to_s)
+                    context.cleanup
+                end
+                nil
+            end
+
+
+            attr_reader :is_server, :context
             attr_reader :handshake_completed
+            attr_reader :hosts
 
 
             def get_peer_cert
@@ -582,7 +660,14 @@ keystr
 
                 SSL.SSL_free @ssl
 
-                @context.cleanup
+                if @hosts
+                    @hosts.each_value do |context|
+                        context.cleanup
+                    end
+                    @hosts = nil
+                else
+                    @context.cleanup
+                end
             end
 
             # Called from class level callback function
@@ -677,7 +762,7 @@ keystr
             end
 
 
-            CIPHER_DISPATCH_FAILED = 'Cipher text dispatch failed'.freeze
+            CIPHER_DISPATCH_FAILED = 'Cipher text dispatch failed'
             def dispatch_cipher_text
                 begin
                     did_work = false

data/lib/ruby-tls/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RubyTls
-    VERSION = "2.1.2"
+    VERSION = '2.3.0'
 end

data/ruby-tls.gemspec

@@ -1,4 +1,6 @@
+# frozen_string_literal: true
 # -*- encoding: utf-8 -*-
+
 $:.push File.expand_path("../lib", __FILE__)
 require "ruby-tls/version"
 
@@ -11,15 +13,15 @@ Gem::Specification.new do |s|
     s.homepage    = "https://github.com/cotag/ruby-tls"
     s.summary     = "Abstract TLS for Ruby"
     s.description = <<-EOF
-        Allows transport layers outside Ruby TCP be secured.
+        Allows transport layers outside Ruby TCP to be secured.
     EOF
 
 
-    s.add_dependency 'ffi-compiler', '>= 0.0.2'
-    s.add_dependency 'thread_safe'
+    s.add_dependency 'ffi-compiler',    '>= 1.0', '< 2.0'
+    s.add_dependency 'concurrent-ruby', '~> 1.0'
 
-    s.add_development_dependency 'rspec'
-    s.add_development_dependency 'yard'
+    s.add_development_dependency 'rspec', '~> 3.5'
+    s.add_development_dependency 'yard',  '~> 0.9'
 
 
     s.files = Dir["{lib}/**/*"] + %w(ruby-tls.gemspec README.md)

data/spec/verify_spec.rb

@@ -6,7 +6,7 @@ describe RubyTls do
     class Client2
         def initialize(client_data, dir)
             @client_data = client_data
-            @ssl = RubyTls::SSL::Box.new(false, self, private_key: dir + 'client.key', cert_chain: dir + 'client.crt')
+            @ssl = RubyTls::SSL::Box.new(false, self, private_key: dir + 'client.key', cert_chain: dir + 'client.crt', host_name: 'just.testing.com')
         end
 
         attr_reader :ssl
@@ -97,6 +97,118 @@ describe RubyTls do
         end
 
 
+        it "should verify the hostname" do
+            @server_data = []
+            @client_data = []
+
+            class Server3
+                def initialize(client, server_data)
+                    @client = client
+                    @server_data = server_data
+                    @ssl = RubyTls::SSL::Box.new(true, self, host_name: 'just.testing.com')
+                end
+
+                attr_reader :ssl
+                attr_accessor :started
+                attr_accessor :stop
+                attr_accessor :cert_from_server
+
+                def close_cb
+                    @server_data << 'close'
+                    @stop = true
+                end
+
+                def dispatch_cb(data)
+                    @server_data << data
+                end
+
+                def transmit_cb(data)
+                    @client.ssl.decrypt(data) unless @stop
+                end
+
+                def handshake_cb(protocol)
+                    @server_data << 'ready'
+                end
+            end
+
+
+            @client = Client2.new(@client_data, @dir)
+            @server = Server3.new(@client, @server_data)
+            @client.server = @server
+
+            @client.ssl.start
+            @client.ssl.cleanup
+            @server.ssl.cleanup
+            
+            expect(@client_data).to eq(['ready'])
+            expect(@server_data).to eq(['ready'])
+        end
+
+        it "should fail if host name not found" do
+            @server_data = []
+            @client_data = []
+
+            class Server4
+                def initialize(client, server_data)
+                    @client = client
+                    @server_data = server_data
+                    @ssl = RubyTls::SSL::Box.new(true, self, host_name: 'testing.com')
+                end
+
+                attr_reader :ssl
+                attr_accessor :started
+                attr_accessor :stop
+                attr_accessor :cert_from_server
+
+                def close_cb
+                    @server_data << 'close'
+                    @stop = true
+                end
+
+                def dispatch_cb(data)
+                    @server_data << data
+                end
+
+                def transmit_cb(data)
+                    @client.ssl.decrypt(data) unless @stop
+                end
+
+                def handshake_cb(protocol)
+                    @server_data << 'ready'
+                end
+            end
+
+
+            @client = Client2.new(@client_data, @dir)
+            @server = Server4.new(@client, @server_data)
+            @client.server = @server
+
+            @client.ssl.start
+            @client.ssl.cleanup
+            @server.ssl.cleanup
+            
+            expect(@client_data).to eq([])
+            expect(@server_data).to eq(['close'])
+        end
+
+        it "test actually adding a second context" do
+            @server_data = []
+            @client_data = []
+
+            @client = Client2.new(@client_data, @dir)
+            @server = Server4.new(@client, @server_data)
+            @client.server = @server
+            @server.ssl.add_host host_name: 'just.testing.com'
+
+            @client.ssl.start
+            @client.ssl.cleanup
+            @server.ssl.cleanup
+            
+            expect(@client_data).to eq(['ready'])
+            expect(@server_data).to eq(['ready'])
+        end
+
+
         it "should deny the connection" do
             @server_data = []
             @client_data = []

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-tls
 version: !ruby/object:Gem::Version
-  version: 2.1.2
+  version: 2.3.0
 platform: ruby
 authors:
 - Stephen von Takach
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-19 00:00:00.000000000 Z
+date: 2017-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi-compiler
@@ -16,57 +16,63 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: thread_safe
+  name: concurrent-ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.5'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-description: "        Allows transport layers outside Ruby TCP be secured.\n"
+        version: '0.9'
+description: "        Allows transport layers outside Ruby TCP to be secured.\n"
 email:
 - steve@cotag.me
 executables: []
@@ -114,4 +120,3 @@ test_files:
 - spec/client.key
 - spec/comms_spec.rb
 - spec/verify_spec.rb
-has_rdoc: