rubysl-openssl 0.0.1 → 1.0.1

data/lib/openssl/digest.rb

@@ -0,0 +1,61 @@
+=begin
+= $RCSfile$ -- Ruby-space predefined Digest subclasses
+
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2002  Michal Rokos <m.rokos@sh.cvut.cz>
+  All rights reserved.
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id: digest.rb 28004 2010-05-24 23:58:49Z shyouhei $
+=end
+
+##
+# Should we care what if somebody require this file directly?
+#require 'openssl'
+
+module OpenSSL
+  class Digest
+
+    alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
+    if OPENSSL_VERSION_NUMBER > 0x00908000
+      alg += %w(SHA224 SHA256 SHA384 SHA512)
+    end
+
+    def self.digest(name, data)
+        super(data, name)
+    end
+
+    alg.each{|name|
+      klass = Class.new(Digest){
+        define_method(:initialize){|*data|
+          if data.length > 1
+            raise ArgumentError,
+              "wrong number of arguments (#{data.length} for 1)"
+          end
+          super(name, data.first)
+        }
+      }
+      singleton = (class << klass; self; end)
+      singleton.class_eval{
+        define_method(:digest){|data| Digest.digest(name, data) }
+        define_method(:hexdigest){|data| Digest.hexdigest(name, data) }
+      }
+      const_set(name, klass)
+    }
+
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Digest in the future.
+    class Digest < Digest
+      def initialize(*args)
+        # add warning
+        super(*args)
+      end
+    end
+
+  end # Digest
+end # OpenSSL
+

data/lib/openssl/net/ftptls.rb

@@ -0,0 +1,53 @@
+=begin
+= $RCSfile$ -- SSL/TLS enhancement for Net::HTTP.
+
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2003 Blaz Grilc <farmer@gmx.co.uk>
+  All rights reserved.
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Requirements
+
+= Version
+  $Id: ftptls.rb 13657 2007-10-08 11:16:54Z gotoyuzo $
+  
+= Notes
+  Tested on FreeBSD 5-CURRENT and 4-STABLE
+  - ruby 1.6.8 (2003-01-17) [i386-freebsd5]
+  - OpenSSL 0.9.7a Feb 19 2003
+  - ruby-openssl-0.2.0.p0
+  tested on ftp server: glftpd 1.30
+=end
+
+require 'socket'
+require 'openssl'
+require 'net/ftp'
+
+module Net
+  class FTPTLS < FTP
+    def connect(host, port=FTP_PORT)
+      @hostname = host
+      super
+    end
+
+    def login(user = "anonymous", passwd = nil, acct = nil)
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
+       ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+       ctx.cert_store = store
+       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+       ctx.key = nil
+       ctx.cert = nil
+       voidcmd("AUTH TLS")
+       @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
+       @sock.connect
+       @sock.post_connection_check(@hostname)
+       super(user, passwd, acct)
+       voidcmd("PBSZ 0")
+    end
+  end
+end

data/lib/openssl/net/telnets.rb

@@ -0,0 +1,251 @@
+=begin
+= $RCSfile$ -- SSL/TLS enhancement for Net::Telnet.
+
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
+  All rights reserved.
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id: telnets.rb 13657 2007-10-08 11:16:54Z gotoyuzo $
+  
+  2001/11/06: Contiributed to Ruby/OpenSSL project.
+
+== class Net::Telnet
+
+This class will initiate SSL/TLS session automaticaly if the server
+sent OPT_STARTTLS. Some options are added for SSL/TLS.
+
+  host = Net::Telnet::new({
+           "Host"       => "localhost",
+           "Port"       => "telnets",
+           ## follows are new options.
+           'CertFile'   => "user.crt",
+           'KeyFile'    => "user.key",
+           'CAFile'     => "/some/where/certs/casert.pem",
+           'CAPath'     => "/some/where/caserts",
+           'VerifyMode' => SSL::VERIFY_PEER,
+           'VerifyCallback' => verify_proc
+         })
+
+Or, the new options ('Cert', 'Key' and 'CACert') are available from
+Michal Rokos's OpenSSL module.
+
+  cert_data = File.open("user.crt"){|io| io.read }
+  pkey_data = File.open("user.key"){|io| io.read }
+  cacert_data = File.open("your_ca.pem"){|io| io.read }
+  host = Net::Telnet::new({
+           "Host"       => "localhost",
+           "Port"       => "telnets",
+           'Cert'       => OpenSSL::X509::Certificate.new(cert_data)
+           'Key'        => OpenSSL::PKey::RSA.new(pkey_data)
+           'CACert'     => OpenSSL::X509::Certificate.new(cacert_data)
+           'CAFile'     => "/some/where/certs/casert.pem",
+           'CAPath'     => "/some/where/caserts",
+           'VerifyMode' => SSL::VERIFY_PEER,
+           'VerifyCallback' => verify_proc
+         })
+
+This class is expected to be a superset of usual Net::Telnet.
+=end
+
+require "net/telnet"
+require "openssl"
+
+module Net
+  class Telnet
+    attr_reader :ssl
+
+    OPT_STARTTLS       =  46.chr # "\056" # "\x2e" # Start TLS
+    TLS_FOLLOWS        =   1.chr # "\001" # "\x01" # FOLLOWS (for STARTTLS)
+
+    alias preprocess_orig preprocess
+
+    def ssl?; @ssl; end
+
+    def preprocess(string)
+      # combine CR+NULL into CR
+      string = string.gsub(/#{CR}#{NULL}/no, CR) if @options["Telnetmode"]
+
+      # combine EOL into "\n"
+      string = string.gsub(/#{EOL}/no, "\n") unless @options["Binmode"]
+
+      string.gsub(/#{IAC}(
+                   [#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|
+                   [#{DO}#{DONT}#{WILL}#{WONT}][#{OPT_BINARY}-#{OPT_EXOPL}]|
+                   #{SB}[#{OPT_BINARY}-#{OPT_EXOPL}]
+                     (#{IAC}#{IAC}|[^#{IAC}])+#{IAC}#{SE}
+                 )/xno) do
+        if    IAC == $1  # handle escaped IAC characters
+          IAC
+        elsif AYT == $1  # respond to "IAC AYT" (are you there)
+          self.write("nobody here but us pigeons" + EOL)
+          ''
+        elsif DO[0] == $1[0]  # respond to "IAC DO x"
+          if    OPT_BINARY[0] == $1[1]
+            @telnet_option["BINARY"] = true
+            self.write(IAC + WILL + OPT_BINARY)
+          elsif OPT_STARTTLS[0] == $1[1]
+            self.write(IAC + WILL + OPT_STARTTLS)
+            self.write(IAC + SB + OPT_STARTTLS + TLS_FOLLOWS + IAC + SE)
+          else
+            self.write(IAC + WONT + $1[1..1])
+          end
+          ''
+        elsif DONT[0] == $1[0]  # respond to "IAC DON'T x" with "IAC WON'T x"
+          self.write(IAC + WONT + $1[1..1])
+          ''
+        elsif WILL[0] == $1[0]  # respond to "IAC WILL x"
+          if    OPT_BINARY[0] == $1[1]
+            self.write(IAC + DO + OPT_BINARY)
+          elsif OPT_ECHO[0] == $1[1]
+            self.write(IAC + DO + OPT_ECHO)
+          elsif OPT_SGA[0]  == $1[1]
+            @telnet_option["SGA"] = true
+            self.write(IAC + DO + OPT_SGA)
+          else
+            self.write(IAC + DONT + $1[1..1])
+          end
+          ''
+        elsif WONT[0] == $1[0]  # respond to "IAC WON'T x"
+          if    OPT_ECHO[0] == $1[1]
+            self.write(IAC + DONT + OPT_ECHO)
+          elsif OPT_SGA[0]  == $1[1]
+            @telnet_option["SGA"] = false
+            self.write(IAC + DONT + OPT_SGA)
+          else
+            self.write(IAC + DONT + $1[1..1])
+          end
+          ''
+        elsif SB[0] == $1[0]    # respond to "IAC SB xxx IAC SE"
+          if    OPT_STARTTLS[0] == $1[1] && TLS_FOLLOWS[0] == $2[0]
+            @sock = OpenSSL::SSL::SSLSocket.new(@sock)
+            @sock.cert            = @options['Cert'] unless @sock.cert
+            @sock.key             = @options['Key'] unless @sock.key
+            @sock.ca_cert         = @options['CACert']
+            @sock.ca_file         = @options['CAFile']
+            @sock.ca_path         = @options['CAPath']
+            @sock.timeout         = @options['Timeout']
+            @sock.verify_mode     = @options['VerifyMode']
+            @sock.verify_callback = @options['VerifyCallback']
+            @sock.verify_depth    = @options['VerifyDepth']
+            @sock.connect
+            if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+              @sock.post_connection_check(@options['Host'])
+            end
+            @ssl = true
+          end
+          ''
+        else
+          ''
+        end
+      end
+    end # preprocess
+    
+    alias waitfor_org waitfor
+
+    def waitfor(options)
+      time_out = @options["Timeout"]
+      waittime = @options["Waittime"]
+
+      if options.kind_of?(Hash)
+        prompt   = if options.has_key?("Match")
+                     options["Match"]
+                   elsif options.has_key?("Prompt")
+                     options["Prompt"]
+                   elsif options.has_key?("String")
+                     Regexp.new( Regexp.quote(options["String"]) )
+                   end
+        time_out = options["Timeout"]  if options.has_key?("Timeout")
+        waittime = options["Waittime"] if options.has_key?("Waittime")
+      else
+        prompt = options
+      end
+
+      if time_out == false
+        time_out = nil
+      end
+
+      line = ''
+      buf = ''
+      @rest = '' unless @rest
+
+      until(prompt === line and not IO::select([@sock], nil, nil, waittime))
+        unless IO::select([@sock], nil, nil, time_out)
+          raise TimeoutError, "timed-out; wait for the next data"
+        end
+        begin
+          c = @rest + @sock.sysread(1024 * 1024)
+          @dumplog.log_dump('<', c) if @options.has_key?("Dump_log")
+          if @options["Telnetmode"]   
+            pos = 0
+            catch(:next){
+              while true
+                case c[pos]
+                when IAC[0]
+                  case c[pos+1]
+                  when DO[0], DONT[0], WILL[0], WONT[0]
+                    throw :next unless c[pos+2]
+                    pos += 3
+                  when SB[0]
+                    ret = detect_sub_negotiation(c, pos)
+                    throw :next unless ret
+                    pos = ret
+                  when nil
+                    throw :next
+                  else
+                    pos += 2
+                  end
+                when nil
+                  throw :next
+                else
+                  pos += 1
+                end
+              end
+            }
+
+            buf = preprocess(c[0...pos])
+            @rest = c[pos..-1]
+          end
+          @log.print(buf) if @options.has_key?("Output_log")
+          line.concat(buf)
+          yield buf if block_given?   
+        rescue EOFError # End of file reached
+          if line == ''
+            line = nil
+            yield nil if block_given? 
+          end
+          break
+        end
+      end
+      line
+    end
+
+    private
+
+    def detect_sub_negotiation(data, pos)
+      return nil if data.length < pos+6  # IAC SB x param IAC SE
+      pos += 3
+      while true
+        case data[pos]
+        when IAC[0]
+          if data[pos+1] == SE[0]
+            pos += 2
+            return pos
+          else
+            pos += 2
+          end
+        when nil
+          return nil
+        else
+          pos += 1
+        end
+      end
+    end
+
+  end
+end

data/lib/openssl/pkcs7.rb

@@ -0,0 +1,25 @@
+=begin
+= $RCSfile$ -- PKCS7
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id: digest.rb 12148 2007-04-05 05:59:22Z technorama $
+=end
+
+module OpenSSL
+  class PKCS7
+    # This class is only provided for backwards compatibility.  Use OpenSSL::PKCS7 in the future.
+    class PKCS7 < PKCS7
+      def initialize(*args)
+        super(*args)
+
+        warn("Warning: OpenSSL::PKCS7::PKCS7 is deprecated after Ruby 1.9; use OpenSSL::PKCS7 instead")
+      end
+    end
+
+  end # PKCS7
+end # OpenSSL
+

data/lib/openssl/ssl-internal.rb

@@ -0,0 +1,187 @@
+=begin
+= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
+
+= Info
+  'OpenSSL for Ruby 2' project
+  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
+  All rights reserved.
+
+= Licence
+  This program is licenced under the same licence as Ruby.
+  (See the file 'LICENCE'.)
+
+= Version
+  $Id$
+=end
+
+require "openssl/buffering"
+require "fcntl"
+
+module OpenSSL
+  module SSL
+    class SSLContext
+      DEFAULT_PARAMS = {
+        :ssl_version => "SSLv23",
+        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
+        :options => OpenSSL::SSL::OP_ALL,
+      }
+
+      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
+      DEFAULT_CERT_STORE.set_default_paths
+      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
+        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      end
+
+      def set_params(params={})
+        params = DEFAULT_PARAMS.merge(params)
+        # ssl_version need to be set at first.
+        self.ssl_version = params.delete(:ssl_version)
+        params.each{|name, value| self.__send__("#{name}=", value) }
+        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          unless self.ca_file or self.ca_path or self.cert_store
+            self.cert_store = DEFAULT_CERT_STORE
+          end
+        end
+        return params
+      end
+    end
+
+    module SocketForwarder
+      def addr
+        to_io.addr
+      end
+
+      def peeraddr
+        to_io.peeraddr
+      end
+
+      def setsockopt(level, optname, optval)
+        to_io.setsockopt(level, optname, optval)
+      end
+
+      def getsockopt(level, optname)
+        to_io.getsockopt(level, optname)
+      end
+
+      def fcntl(*args)
+        to_io.fcntl(*args)
+      end
+
+      def closed?
+        to_io.closed?
+      end
+
+      def do_not_reverse_lookup=(flag)
+        to_io.do_not_reverse_lookup = flag
+      end
+    end
+
+    module Nonblock
+      def initialize(*args)
+        flag = File::NONBLOCK
+        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
+        @io.fcntl(Fcntl::F_SETFL, flag)
+        super
+      end
+    end
+
+    def verify_certificate_identity(cert, hostname)
+      should_verify_common_name = true
+      cert.extensions.each{|ext|
+        next if ext.oid != "subjectAltName"
+        ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
+        sequence = OpenSSL::ASN1.decode(ostr.value)
+        sequence.value.each{|san|
+          case san.tag
+          when 2 # dNSName in GeneralName (RFC5280)
+            should_verify_common_name = false
+            reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          when 7 # iPAddress in GeneralName (RFC5280)
+            should_verify_common_name = false
+            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
+            if san.value.size == 4
+              return true if san.value.unpack('C*').join('.') == hostname
+            elsif san.value.size == 16
+              return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+            end
+          end
+        }
+      }
+      if should_verify_common_name
+        cert.subject.to_a.each{|oid, value|
+          if oid == "CN"
+            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          end
+        }
+      end
+      return false
+    end
+    module_function :verify_certificate_identity
+
+    class SSLSocket
+      include Buffering
+      include SocketForwarder
+      include Nonblock
+
+      def post_connection_check(hostname)
+        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+          raise SSLError, "hostname was not match with the server certificate"
+        end
+        return true
+      end
+
+      def session
+        SSL::Session.new(self)
+      rescue SSL::Session::SessionError
+        nil
+      end
+    end
+
+    class SSLServer
+      include SocketForwarder
+      attr_accessor :start_immediately
+
+      def initialize(svr, ctx)
+        @svr = svr
+        @ctx = ctx
+        unless ctx.session_id_context
+          session_id = OpenSSL::Digest::MD5.hexdigest($0)
+          @ctx.session_id_context = session_id
+        end
+        @start_immediately = true
+      end
+
+      def to_io
+        @svr
+      end
+
+      def listen(backlog=5)
+        @svr.listen(backlog)
+      end
+
+      def shutdown(how=Socket::SHUT_RDWR)
+        @svr.shutdown(how)
+      end
+
+      def accept
+        sock = @svr.accept
+        begin
+          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
+          ssl.sync_close = true
+          ssl.accept if @start_immediately
+          ssl
+        rescue SSLError => ex
+          sock.close
+          raise ex
+        end
+      end
+
+      def close
+        @svr.close
+      end
+    end
+  end
+end