rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/ruby_missing.h

@@ -13,15 +13,17 @@
 #define rb_define_copy_func(klass, func) \
 	rb_define_method((klass), "initialize_copy", (func), 1)
 
-
-#ifndef GetReadFile
 #define FPTR_TO_FD(fptr) ((fptr)->fd)
-#else
-#define FPTR_TO_FD(fptr) (fileno(GetReadFile(fptr)))
+
+/* Ruby 2.4 */
+#ifndef RB_INTEGER_TYPE_P
+# define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
 #endif
 
-#ifndef HAVE_RB_IO_T
-#define rb_io_t OpenFile
+/* Ruby 2.5 */
+#ifndef ST2FIX
+# define RB_ST2FIX(h) LONG2FIX((long)(h))
+# define ST2FIX(h) RB_ST2FIX(h)
 #endif
 
 #endif /* _OSSL_RUBY_MISSING_H_ */

data/lib/openssl/buffering.rb

@@ -132,7 +132,6 @@ module OpenSSL::Buffering
       buf.replace(ret)
       ret = buf
     end
-    raise EOFError if ret.empty?
     ret
   end
 
@@ -164,6 +163,10 @@ module OpenSSL::Buffering
   # Note that one reason that read_nonblock writes to the underlying IO is
   # when the peer requests a new TLS/SSL handshake.  See openssl the FAQ for
   # more details.  http://www.openssl.org/support/faq.html
+  #
+  # By specifying `exception: false`, the options hash allows you to indicate
+  # that read_nonblock should not raise an IO::Wait*able exception, but
+  # return the symbol :wait_writable or :wait_readable instead.
 
   def read_nonblock(maxlen, buf=nil, exception: true)
     if maxlen == 0
@@ -182,12 +185,11 @@ module OpenSSL::Buffering
       buf.replace(ret)
       ret = buf
     end
-    raise EOFError if ret.empty?
     ret
   end
 
   ##
-  # Reads the next "line+ from the stream.  Lines are separated by +eol+.  If
+  # Reads the next "line" from the stream.  Lines are separated by +eol+.  If
   # +limit+ is provided the result will not be longer than the given number of
   # bytes.
   #
@@ -342,7 +344,7 @@ module OpenSSL::Buffering
   end
 
   ##
-  # Writes +str+ in the non-blocking manner.
+  # Writes +s+ in the non-blocking manner.
   #
   # If there is buffered data, it is flushed first.  This may block.
   #
@@ -373,6 +375,10 @@ module OpenSSL::Buffering
   # Note that one reason that write_nonblock reads from the underlying IO
   # is when the peer requests a new TLS/SSL handshake.  See the openssl FAQ
   # for more details.  http://www.openssl.org/support/faq.html
+  #
+  # By specifying `exception: false`, the options hash allows you to indicate
+  # that write_nonblock should not raise an IO::Wait*able exception, but
+  # return the symbol :wait_writable or :wait_readable instead.
 
   def write_nonblock(s, exception: true)
     flush
@@ -383,7 +389,7 @@ module OpenSSL::Buffering
   # Writes +s+ to the stream.  +s+ will be converted to a String using
   # String#to_s.
 
-  def << (s)
+  def <<(s)
     do_write(s)
     self
   end

data/lib/openssl/cipher.rb

@@ -18,7 +18,7 @@ module OpenSSL
       klass = Class.new(Cipher){
         define_method(:initialize){|*args|
           cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
-          super(cipher_name)
+          super(cipher_name.downcase)
         }
       }
       const_set(name, klass)
@@ -26,34 +26,42 @@ module OpenSSL
 
     %w(128 192 256).each{|keylen|
       klass = Class.new(Cipher){
-        define_method(:initialize){|mode|
-          mode ||= "CBC"
-          cipher_name = "AES-#{keylen}-#{mode}"
-          super(cipher_name)
+        define_method(:initialize){|mode = "CBC"|
+          super("aes-#{keylen}-#{mode}".downcase)
         }
       }
       const_set("AES#{keylen}", klass)
     }
 
-    # Generate, set, and return a random key.
-    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    # call-seq:
+    #   cipher.random_key -> key
+    #
+    # Generate a random key with OpenSSL::Random.random_bytes and sets it to
+    # the cipher, and returns it.
+    #
+    # You must call #encrypt or #decrypt before calling this method.
     def random_key
       str = OpenSSL::Random.random_bytes(self.key_len)
       self.key = str
-      return str
     end
 
-    # Generate, set, and return a random iv.
-    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    # call-seq:
+    #   cipher.random_iv -> iv
+    #
+    # Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
+    # cipher, and returns it.
+    #
+    # You must call #encrypt or #decrypt before calling this method.
     def random_iv
       str = OpenSSL::Random.random_bytes(self.iv_len)
       self.iv = str
-      return str
     end
 
-    # This class is only provided for backwards compatibility.  Use OpenSSL::Cipher in the future.
-    class Cipher < Cipher
-      # add warning
-    end
+    # Deprecated.
+    #
+    # This class is only provided for backwards compatibility.
+    # Use OpenSSL::Cipher.
+    class Cipher < Cipher; end
+    deprecate_constant :Cipher
   end # Cipher
 end # OpenSSL

data/lib/openssl/digest.rb

@@ -15,7 +15,10 @@
 module OpenSSL
   class Digest
 
-    alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
+    alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
+    if OPENSSL_VERSION_NUMBER < 0x10100000
+      alg += %w(DSS DSS1 SHA)
+    end
     if OPENSSL_VERSION_NUMBER > 0x00908000
       alg += %w(SHA224 SHA256 SHA384 SHA512)
     end
@@ -50,15 +53,9 @@ module OpenSSL
     # Deprecated.
     #
     # This class is only provided for backwards compatibility.
-    class Digest < Digest # :nodoc:
-      # Deprecated.
-      #
-      # See OpenSSL::Digest.new
-      def initialize(*args)
-        warn('Digest::Digest is deprecated; use Digest')
-        super(*args)
-      end
-    end
+    # Use OpenSSL::Digest instead.
+    class Digest < Digest; end # :nodoc:
+    deprecate_constant :Digest
 
   end # Digest
 

data/lib/openssl/pkey.rb

@@ -4,27 +4,34 @@ module OpenSSL
     if defined?(OpenSSL::PKey::DH)
 
     class DH
-      DEFAULT_512 = new <<-_end_of_pem_
------BEGIN DH PARAMETERS-----
-MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
-zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
------END DH PARAMETERS-----
-      _end_of_pem_
-
+      # :nodoc:
       DEFAULT_1024 = new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
 AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
 T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
+-----END DH PARAMETERS-----
+      _end_of_pem_
+
+      # :nodoc:
+      DEFAULT_2048 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
 -----END DH PARAMETERS-----
       _end_of_pem_
     end
 
+    # :nodoc:
     DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
       warn "using default DH parameters." if $VERBOSE
       case keylen
-      when 512  then OpenSSL::PKey::DH::DEFAULT_512
       when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+      when 2048 then OpenSSL::PKey::DH::DEFAULT_2048
       else
         nil
       end

data/lib/openssl/ssl.rb

@@ -16,68 +16,60 @@ require "io/nonblock"
 module OpenSSL
   module SSL
     class SSLContext
-      DEFAULT_PARAMS = {
+      DEFAULT_PARAMS = { # :nodoc:
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => %w{
-          ECDHE-ECDSA-AES128-GCM-SHA256
-          ECDHE-RSA-AES128-GCM-SHA256
-          ECDHE-ECDSA-AES256-GCM-SHA384
-          ECDHE-RSA-AES256-GCM-SHA384
-          DHE-RSA-AES128-GCM-SHA256
-          DHE-DSS-AES128-GCM-SHA256
-          DHE-RSA-AES256-GCM-SHA384
-          DHE-DSS-AES256-GCM-SHA384
-          ECDHE-ECDSA-AES128-SHA256
-          ECDHE-RSA-AES128-SHA256
-          ECDHE-ECDSA-AES128-SHA
-          ECDHE-RSA-AES128-SHA
-          ECDHE-ECDSA-AES256-SHA384
-          ECDHE-RSA-AES256-SHA384
-          ECDHE-ECDSA-AES256-SHA
-          ECDHE-RSA-AES256-SHA
-          DHE-RSA-AES128-SHA256
-          DHE-RSA-AES256-SHA256
-          DHE-RSA-AES128-SHA
-          DHE-RSA-AES256-SHA
-          DHE-DSS-AES128-SHA256
-          DHE-DSS-AES256-SHA256
-          DHE-DSS-AES128-SHA
-          DHE-DSS-AES256-SHA
-          AES128-GCM-SHA256
-          AES256-GCM-SHA384
-          AES128-SHA256
-          AES256-SHA256
-          AES128-SHA
-          AES256-SHA
-          ECDHE-ECDSA-RC4-SHA
-          ECDHE-RSA-RC4-SHA
-          RC4-SHA
-        }.join(":"),
+        :verify_hostname => true,
         :options => -> {
           opts = OpenSSL::SSL::OP_ALL
-          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
           opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
-          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+          opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
           opts
         }.call
       }
 
-      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
-      DEFAULT_CERT_STORE.set_default_paths
-      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
-        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+        DEFAULT_PARAMS.merge!(
+          ciphers: %w{
+            ECDHE-ECDSA-AES128-GCM-SHA256
+            ECDHE-RSA-AES128-GCM-SHA256
+            ECDHE-ECDSA-AES256-GCM-SHA384
+            ECDHE-RSA-AES256-GCM-SHA384
+            DHE-RSA-AES128-GCM-SHA256
+            DHE-DSS-AES128-GCM-SHA256
+            DHE-RSA-AES256-GCM-SHA384
+            DHE-DSS-AES256-GCM-SHA384
+            ECDHE-ECDSA-AES128-SHA256
+            ECDHE-RSA-AES128-SHA256
+            ECDHE-ECDSA-AES128-SHA
+            ECDHE-RSA-AES128-SHA
+            ECDHE-ECDSA-AES256-SHA384
+            ECDHE-RSA-AES256-SHA384
+            ECDHE-ECDSA-AES256-SHA
+            ECDHE-RSA-AES256-SHA
+            DHE-RSA-AES128-SHA256
+            DHE-RSA-AES256-SHA256
+            DHE-RSA-AES128-SHA
+            DHE-RSA-AES256-SHA
+            DHE-DSS-AES128-SHA256
+            DHE-DSS-AES256-SHA256
+            DHE-DSS-AES128-SHA
+            DHE-DSS-AES256-SHA
+            AES128-GCM-SHA256
+            AES256-GCM-SHA384
+            AES128-SHA256
+            AES256-SHA256
+            AES128-SHA
+            AES256-SHA
+          }.join(":"),
+        )
       end
 
-      INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
-        "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
-        "verify_callback", "cert_store", "extra_chain_cert",
-        "client_cert_cb", "session_id_context", "tmp_dh_callback",
-        "session_get_cb", "session_new_cb", "session_remove_cb",
-        "tmp_ecdh_callback", "servername_cb", "npn_protocols",
-        "alpn_protocols", "alpn_select_cb",
-        "npn_select_cb"].map { |x| "@#{x}" }
+      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
+      DEFAULT_CERT_STORE.set_default_paths
+      DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
 
       # A callback invoked when DH parameters are required.
       #
@@ -90,14 +82,12 @@ module OpenSSL
 
       attr_accessor :tmp_dh_callback
 
-      if ExtConfig::HAVE_TLSEXT_HOST_NAME
-        # A callback invoked at connect time to distinguish between multiple
-        # server names.
-        #
-        # The callback is invoked with an SSLSocket and a server name.  The
-        # callback must return an SSLContext for the server name or nil.
-        attr_accessor :servername_cb
-      end
+      # A callback invoked at connect time to distinguish between multiple
+      # server names.
+      #
+      # The callback is invoked with an SSLSocket and a server name.  The
+      # callback must return an SSLContext for the server name or nil.
+      attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME
 
       # call-seq:
       #    SSLContext.new => ctx
@@ -106,20 +96,22 @@ module OpenSSL
       #
       # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
       def initialize(version = nil)
-        INIT_VARS.each { |v| instance_variable_set v, nil }
-        self.options = self.options | OpenSSL::SSL::OP_ALL
-        return unless version
-        self.ssl_version = version
+        self.options |= OpenSSL::SSL::OP_ALL
+        self.ssl_version = version if version
       end
 
       ##
-      # Sets the parameters for this SSL context to the values in +params+.
+      # call-seq:
+      #   ctx.set_params(params = {}) -> params
+      #
+      # Sets saner defaults optimized for the use with HTTP-like protocols.
+      #
+      # If a Hash +params+ is given, the parameters are overridden with it.
       # The keys in +params+ must be assignment methods on SSLContext.
       #
       # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
       # cert_store are not set then the system default certificate store is
       # used.
-
       def set_params(params={})
         params = DEFAULT_PARAMS.merge(params)
         params.each{|name, value| self.__send__("#{name}=", value) }
@@ -252,45 +244,21 @@ module OpenSSL
       include Buffering
       include SocketForwarder
 
-      if ExtConfig::OPENSSL_NO_SOCK
-        def initialize(io, ctx = nil); raise NotImplementedError; end
-      else
-        if ExtConfig::HAVE_TLSEXT_HOST_NAME
-          attr_accessor :hostname
-        end
-
-        attr_reader :io, :context
-        attr_accessor :sync_close
-        alias :to_io :io
-
-        # call-seq:
-        #    SSLSocket.new(io) => aSSLSocket
-        #    SSLSocket.new(io, ctx) => aSSLSocket
-        #
-        # Creates a new SSL socket from +io+ which must be a real ruby object (not an
-        # IO-like object that responds to read/write).
-        #
-        # If +ctx+ is provided the SSL Sockets initial params will be taken from
-        # the context.
-        #
-        # The OpenSSL::Buffering module provides additional IO methods.
-        #
-        # This method will freeze the SSLContext if one is provided;
-        # however, session management is still allowed in the frozen SSLContext.
-
-        def initialize(io, context = OpenSSL::SSL::SSLContext.new)
-          @io         = io
-          @context    = context
-          @sync_close = false
-          @hostname   = nil
-          @io.nonblock = true if @io.respond_to?(:nonblock=)
-          Rubinius.synchronize(SSL) do
-          context.setup
-          end
-          super()
-        end
+      if ExtConfig::HAVE_TLSEXT_HOST_NAME
+        attr_reader :hostname
       end
 
+      # The underlying IO object.
+      attr_reader :io
+      alias :to_io :io
+
+      # The SSLContext object used in this connection.
+      attr_reader :context
+
+      # Whether to close the underlying socket as well, when the SSL/TLS
+      # connection is shut down. This defaults to +false+.
+      attr_accessor :sync_close
+
       # call-seq:
       #    ssl.sysclose => nil
       #
@@ -304,8 +272,10 @@ module OpenSSL
         io.close if sync_close
       end
 
-      ##
-      # Perform hostname verification after an SSL connection is established
+      # call-seq:
+      #   ssl.post_connection_check(hostname) -> true
+      #
+      # Perform hostname verification following RFC 6125.
       #
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
@@ -313,7 +283,8 @@ module OpenSSL
         if peer_cert.nil?
           msg = "Peer verification enabled, but no certificate received."
           if using_anon_cipher?
-            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
+                   "Anonymous suites must be disabled to use peer verification."
           end
           raise SSLError, msg
         end
@@ -324,6 +295,11 @@ module OpenSSL
         return true
       end
 
+      # call-seq:
+      #   ssl.session -> aSession
+      #
+      # Returns the SSLSession object currently used, or nil if the session is
+      # not established.
       def session
         SSL::Session.new(self)
       rescue SSL::Session::SessionError