rubysl-openssl 2.10 → 2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. checksums.yaml +5 -5
  2. data/ext/rubysl/openssl/deprecation.rb +7 -3
  3. data/ext/rubysl/openssl/extconf.rb +148 -103
  4. data/ext/rubysl/openssl/openssl_missing.c +94 -275
  5. data/ext/rubysl/openssl/openssl_missing.h +167 -98
  6. data/ext/rubysl/openssl/ossl.c +266 -212
  7. data/ext/rubysl/openssl/ossl.h +27 -89
  8. data/ext/rubysl/openssl/ossl_asn1.c +157 -221
  9. data/ext/rubysl/openssl/ossl_asn1.h +11 -3
  10. data/ext/rubysl/openssl/ossl_bio.c +10 -40
  11. data/ext/rubysl/openssl/ossl_bio.h +1 -2
  12. data/ext/rubysl/openssl/ossl_bn.c +144 -100
  13. data/ext/rubysl/openssl/ossl_bn.h +3 -1
  14. data/ext/rubysl/openssl/ossl_cipher.c +270 -195
  15. data/ext/rubysl/openssl/ossl_config.c +7 -1
  16. data/ext/rubysl/openssl/ossl_config.h +0 -1
  17. data/ext/rubysl/openssl/ossl_digest.c +40 -29
  18. data/ext/rubysl/openssl/ossl_engine.c +23 -62
  19. data/ext/rubysl/openssl/ossl_hmac.c +82 -55
  20. data/ext/rubysl/openssl/ossl_ns_spki.c +22 -22
  21. data/ext/rubysl/openssl/ossl_ocsp.c +894 -144
  22. data/ext/rubysl/openssl/ossl_ocsp.h +1 -1
  23. data/ext/rubysl/openssl/ossl_pkcs12.c +47 -19
  24. data/ext/rubysl/openssl/ossl_pkcs5.c +7 -15
  25. data/ext/rubysl/openssl/ossl_pkcs7.c +38 -15
  26. data/ext/rubysl/openssl/ossl_pkey.c +151 -99
  27. data/ext/rubysl/openssl/ossl_pkey.h +123 -29
  28. data/ext/rubysl/openssl/ossl_pkey_dh.c +143 -92
  29. data/ext/rubysl/openssl/ossl_pkey_dsa.c +149 -104
  30. data/ext/rubysl/openssl/ossl_pkey_ec.c +646 -524
  31. data/ext/rubysl/openssl/ossl_pkey_rsa.c +180 -121
  32. data/ext/rubysl/openssl/ossl_rand.c +25 -21
  33. data/ext/rubysl/openssl/ossl_ssl.c +795 -413
  34. data/ext/rubysl/openssl/ossl_ssl.h +3 -0
  35. data/ext/rubysl/openssl/ossl_ssl_session.c +83 -77
  36. data/ext/rubysl/openssl/ossl_version.h +1 -1
  37. data/ext/rubysl/openssl/ossl_x509.c +92 -8
  38. data/ext/rubysl/openssl/ossl_x509.h +14 -5
  39. data/ext/rubysl/openssl/ossl_x509attr.c +77 -41
  40. data/ext/rubysl/openssl/ossl_x509cert.c +45 -46
  41. data/ext/rubysl/openssl/ossl_x509crl.c +51 -57
  42. data/ext/rubysl/openssl/ossl_x509ext.c +39 -33
  43. data/ext/rubysl/openssl/ossl_x509name.c +68 -45
  44. data/ext/rubysl/openssl/ossl_x509req.c +32 -38
  45. data/ext/rubysl/openssl/ossl_x509revoked.c +43 -9
  46. data/ext/rubysl/openssl/ossl_x509store.c +309 -104
  47. data/ext/rubysl/openssl/ruby_missing.h +8 -6
  48. data/lib/openssl/buffering.rb +11 -5
  49. data/lib/openssl/cipher.rb +23 -15
  50. data/lib/openssl/digest.rb +7 -10
  51. data/lib/openssl/pkey.rb +15 -8
  52. data/lib/openssl/ssl.rb +81 -105
  53. data/lib/rubysl/openssl.rb +1 -4
  54. data/lib/rubysl/openssl/version.rb +1 -1
  55. metadata +3 -4
@@ -13,15 +13,17 @@
13
13
  #define rb_define_copy_func(klass, func) \
14
14
  rb_define_method((klass), "initialize_copy", (func), 1)
15
15
 
16
-
17
- #ifndef GetReadFile
18
16
  #define FPTR_TO_FD(fptr) ((fptr)->fd)
19
- #else
20
- #define FPTR_TO_FD(fptr) (fileno(GetReadFile(fptr)))
17
+
18
+ /* Ruby 2.4 */
19
+ #ifndef RB_INTEGER_TYPE_P
20
+ # define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
21
21
  #endif
22
22
 
23
- #ifndef HAVE_RB_IO_T
24
- #define rb_io_t OpenFile
23
+ /* Ruby 2.5 */
24
+ #ifndef ST2FIX
25
+ # define RB_ST2FIX(h) LONG2FIX((long)(h))
26
+ # define ST2FIX(h) RB_ST2FIX(h)
25
27
  #endif
26
28
 
27
29
  #endif /* _OSSL_RUBY_MISSING_H_ */
@@ -132,7 +132,6 @@ module OpenSSL::Buffering
132
132
  buf.replace(ret)
133
133
  ret = buf
134
134
  end
135
- raise EOFError if ret.empty?
136
135
  ret
137
136
  end
138
137
 
@@ -164,6 +163,10 @@ module OpenSSL::Buffering
164
163
  # Note that one reason that read_nonblock writes to the underlying IO is
165
164
  # when the peer requests a new TLS/SSL handshake. See openssl the FAQ for
166
165
  # more details. http://www.openssl.org/support/faq.html
166
+ #
167
+ # By specifying `exception: false`, the options hash allows you to indicate
168
+ # that read_nonblock should not raise an IO::Wait*able exception, but
169
+ # return the symbol :wait_writable or :wait_readable instead.
167
170
 
168
171
  def read_nonblock(maxlen, buf=nil, exception: true)
169
172
  if maxlen == 0
@@ -182,12 +185,11 @@ module OpenSSL::Buffering
182
185
  buf.replace(ret)
183
186
  ret = buf
184
187
  end
185
- raise EOFError if ret.empty?
186
188
  ret
187
189
  end
188
190
 
189
191
  ##
190
- # Reads the next "line+ from the stream. Lines are separated by +eol+. If
192
+ # Reads the next "line" from the stream. Lines are separated by +eol+. If
191
193
  # +limit+ is provided the result will not be longer than the given number of
192
194
  # bytes.
193
195
  #
@@ -342,7 +344,7 @@ module OpenSSL::Buffering
342
344
  end
343
345
 
344
346
  ##
345
- # Writes +str+ in the non-blocking manner.
347
+ # Writes +s+ in the non-blocking manner.
346
348
  #
347
349
  # If there is buffered data, it is flushed first. This may block.
348
350
  #
@@ -373,6 +375,10 @@ module OpenSSL::Buffering
373
375
  # Note that one reason that write_nonblock reads from the underlying IO
374
376
  # is when the peer requests a new TLS/SSL handshake. See the openssl FAQ
375
377
  # for more details. http://www.openssl.org/support/faq.html
378
+ #
379
+ # By specifying `exception: false`, the options hash allows you to indicate
380
+ # that write_nonblock should not raise an IO::Wait*able exception, but
381
+ # return the symbol :wait_writable or :wait_readable instead.
376
382
 
377
383
  def write_nonblock(s, exception: true)
378
384
  flush
@@ -383,7 +389,7 @@ module OpenSSL::Buffering
383
389
  # Writes +s+ to the stream. +s+ will be converted to a String using
384
390
  # String#to_s.
385
391
 
386
- def << (s)
392
+ def <<(s)
387
393
  do_write(s)
388
394
  self
389
395
  end
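Review bot: Dropping `raise EOFError if ret.empty?` from readpartial (old line 135) and read_nonblock (old line 185) means this module no longer detects end-of-stream itself; EOF now surfaces only if the sysread/sysread_nonblock calls made earlier in these methods raise EOFError on their own. Both methods begin before their hunks, so that call path is not visible here, and ossl_ssl.c also changed in this release, so confirm its read path raises EOFError on a clean TLS shutdown rather than returning an empty string, otherwise a caller that loops on readpartial will spin on `""`. A one-line comment above the `ret` return in both methods would pin the contract: `# EOF is signalled by sysread raising EOFError, never by an empty return.`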
@@ -18,7 +18,7 @@ module OpenSSL
18
18
  klass = Class.new(Cipher){
19
19
  define_method(:initialize){|*args|
20
20
  cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
21
- super(cipher_name)
21
+ super(cipher_name.downcase)
22
22
  }
23
23
  }
24
24
  const_set(name, klass)
@@ -26,34 +26,42 @@ module OpenSSL
26
26
 
27
27
  %w(128 192 256).each{|keylen|
28
28
  klass = Class.new(Cipher){
29
- define_method(:initialize){|mode|
30
- mode ||= "CBC"
31
- cipher_name = "AES-#{keylen}-#{mode}"
32
- super(cipher_name)
29
+ define_method(:initialize){|mode = "CBC"|
30
+ super("aes-#{keylen}-#{mode}".downcase)
33
31
  }
34
32
  }
35
33
  const_set("AES#{keylen}", klass)
36
34
  }
37
35
 
38
- # Generate, set, and return a random key.
39
- # You must call cipher.encrypt or cipher.decrypt before calling this method.
36
+ # call-seq:
37
+ # cipher.random_key -> key
38
+ #
39
+ # Generate a random key with OpenSSL::Random.random_bytes and sets it to
40
+ # the cipher, and returns it.
41
+ #
42
+ # You must call #encrypt or #decrypt before calling this method.
40
43
  def random_key
41
44
  str = OpenSSL::Random.random_bytes(self.key_len)
42
45
  self.key = str
43
- return str
44
46
  end
45
47
 
46
- # Generate, set, and return a random iv.
47
- # You must call cipher.encrypt or cipher.decrypt before calling this method.
48
+ # call-seq:
49
+ # cipher.random_iv -> iv
50
+ #
51
+ # Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
52
+ # cipher, and returns it.
53
+ #
54
+ # You must call #encrypt or #decrypt before calling this method.
48
55
  def random_iv
49
56
  str = OpenSSL::Random.random_bytes(self.iv_len)
50
57
  self.iv = str
51
- return str
52
58
  end
53
59
 
54
- # This class is only provided for backwards compatibility. Use OpenSSL::Cipher in the future.
55
- class Cipher < Cipher
56
- # add warning
57
- end
60
+ # Deprecated.
61
+ #
62
+ # This class is only provided for backwards compatibility.
63
+ # Use OpenSSL::Cipher.
64
+ class Cipher < Cipher; end
65
+ deprecate_constant :Cipher
58
66
  end # Cipher
59
67
  end # OpenSSL
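Review bot: `deprecate_constant :Cipher` (new line 65) calls Module#deprecate_constant, which exists only from Ruby 2.3 onward; on an older runtime the call raises NoMethodError while the file loads and takes the whole OpenSSL::Cipher definition down with it, which matters for a Rubinius stdlib gem whose supported interpreter range is not stated in this diff. The same applies to `deprecate_constant :Digest` at new line 58 of digest.rb. If the gem must still load on such runtimes, guard both calls, e.g. `deprecate_constant :Cipher if respond_to?(:deprecate_constant)`; otherwise the gemspec's required_ruby_version should state the floor so the failure is a clear install-time error rather than a load-time crash.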
@@ -15,7 +15,10 @@
15
15
  module OpenSSL
16
16
  class Digest
17
17
 
18
- alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
18
+ alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
19
+ if OPENSSL_VERSION_NUMBER < 0x10100000
20
+ alg += %w(DSS DSS1 SHA)
21
+ end
19
22
  if OPENSSL_VERSION_NUMBER > 0x00908000
20
23
  alg += %w(SHA224 SHA256 SHA384 SHA512)
21
24
  end
@@ -50,15 +53,9 @@ module OpenSSL
50
53
  # Deprecated.
51
54
  #
52
55
  # This class is only provided for backwards compatibility.
53
- class Digest < Digest # :nodoc:
54
- # Deprecated.
55
- #
56
- # See OpenSSL::Digest.new
57
- def initialize(*args)
58
- warn('Digest::Digest is deprecated; use Digest')
59
- super(*args)
60
- end
61
- end
56
+ # Use OpenSSL::Digest instead.
57
+ class Digest < Digest; end # :nodoc:
58
+ deprecate_constant :Digest
62
59
 
63
60
  end # Digest
64
61
 
data/lib/openssl/pkey.rb CHANGED
@@ -4,27 +4,34 @@ module OpenSSL
4
4
  if defined?(OpenSSL::PKey::DH)
5
5
 
6
6
  class DH
7
- DEFAULT_512 = new <<-_end_of_pem_
8
- -----BEGIN DH PARAMETERS-----
9
- MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
10
- zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
11
- -----END DH PARAMETERS-----
12
- _end_of_pem_
13
-
7
+ # :nodoc:
14
8
  DEFAULT_1024 = new <<-_end_of_pem_
15
9
  -----BEGIN DH PARAMETERS-----
16
10
  MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
17
11
  AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
18
12
  T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
13
+ -----END DH PARAMETERS-----
14
+ _end_of_pem_
15
+
16
+ # :nodoc:
17
+ DEFAULT_2048 = new <<-_end_of_pem_
18
+ -----BEGIN DH PARAMETERS-----
19
+ MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
20
+ JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
21
+ VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
22
+ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
23
+ 1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
24
+ 7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
19
25
  -----END DH PARAMETERS-----
20
26
  _end_of_pem_
21
27
  end
22
28
 
29
+ # :nodoc:
23
30
  DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
24
31
  warn "using default DH parameters." if $VERBOSE
25
32
  case keylen
26
- when 512 then OpenSSL::PKey::DH::DEFAULT_512
27
33
  when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
34
+ when 2048 then OpenSSL::PKey::DH::DEFAULT_2048
28
35
  else
29
36
  nil
30
37
  end
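Review bot: DEFAULT_TMP_DH_CALLBACK (new lines 30-37) still answers a 1024-bit request with DEFAULT_1024, so a server that leaves tmp_dh_callback at the default and negotiates a DHE suite whose strength hint is 1024 gets a 1024-bit group, which is below the 2048-bit floor in current guidance even though the 512-bit group was rightly removed. OpenSSL accepts a group larger than the hinted length, so `when 1024, 2048 then OpenSSL::PKey::DH::DEFAULT_2048` would let the weaker group stop being handed out while DEFAULT_1024 stays defined for code that references it directly; if it must remain selectable for compatibility, say so in a comment on the constant. The `else nil` branch is not changed by this commit, and what the C side does with a nil return (refuse the handshake or fall back) is not visible here, so a one-line comment on the lambda documenting that outcome would help the next reader.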
data/lib/openssl/ssl.rb CHANGED
@@ -16,68 +16,60 @@ require "io/nonblock"
16
16
  module OpenSSL
17
17
  module SSL
18
18
  class SSLContext
19
- DEFAULT_PARAMS = {
19
+ DEFAULT_PARAMS = { # :nodoc:
20
20
  :ssl_version => "SSLv23",
21
21
  :verify_mode => OpenSSL::SSL::VERIFY_PEER,
22
- :ciphers => %w{
23
- ECDHE-ECDSA-AES128-GCM-SHA256
24
- ECDHE-RSA-AES128-GCM-SHA256
25
- ECDHE-ECDSA-AES256-GCM-SHA384
26
- ECDHE-RSA-AES256-GCM-SHA384
27
- DHE-RSA-AES128-GCM-SHA256
28
- DHE-DSS-AES128-GCM-SHA256
29
- DHE-RSA-AES256-GCM-SHA384
30
- DHE-DSS-AES256-GCM-SHA384
31
- ECDHE-ECDSA-AES128-SHA256
32
- ECDHE-RSA-AES128-SHA256
33
- ECDHE-ECDSA-AES128-SHA
34
- ECDHE-RSA-AES128-SHA
35
- ECDHE-ECDSA-AES256-SHA384
36
- ECDHE-RSA-AES256-SHA384
37
- ECDHE-ECDSA-AES256-SHA
38
- ECDHE-RSA-AES256-SHA
39
- DHE-RSA-AES128-SHA256
40
- DHE-RSA-AES256-SHA256
41
- DHE-RSA-AES128-SHA
42
- DHE-RSA-AES256-SHA
43
- DHE-DSS-AES128-SHA256
44
- DHE-DSS-AES256-SHA256
45
- DHE-DSS-AES128-SHA
46
- DHE-DSS-AES256-SHA
47
- AES128-GCM-SHA256
48
- AES256-GCM-SHA384
49
- AES128-SHA256
50
- AES256-SHA256
51
- AES128-SHA
52
- AES256-SHA
53
- ECDHE-ECDSA-RC4-SHA
54
- ECDHE-RSA-RC4-SHA
55
- RC4-SHA
56
- }.join(":"),
22
+ :verify_hostname => true,
57
23
  :options => -> {
58
24
  opts = OpenSSL::SSL::OP_ALL
59
- opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
25
+ opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
60
26
  opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
61
- opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
62
- opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
27
+ opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
63
28
  opts
64
29
  }.call
65
30
  }
66
31
 
67
- DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
68
- DEFAULT_CERT_STORE.set_default_paths
69
- if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
70
- DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
32
+ if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
33
+ OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
34
+ DEFAULT_PARAMS.merge!(
35
+ ciphers: %w{
36
+ ECDHE-ECDSA-AES128-GCM-SHA256
37
+ ECDHE-RSA-AES128-GCM-SHA256
38
+ ECDHE-ECDSA-AES256-GCM-SHA384
39
+ ECDHE-RSA-AES256-GCM-SHA384
40
+ DHE-RSA-AES128-GCM-SHA256
41
+ DHE-DSS-AES128-GCM-SHA256
42
+ DHE-RSA-AES256-GCM-SHA384
43
+ DHE-DSS-AES256-GCM-SHA384
44
+ ECDHE-ECDSA-AES128-SHA256
45
+ ECDHE-RSA-AES128-SHA256
46
+ ECDHE-ECDSA-AES128-SHA
47
+ ECDHE-RSA-AES128-SHA
48
+ ECDHE-ECDSA-AES256-SHA384
49
+ ECDHE-RSA-AES256-SHA384
50
+ ECDHE-ECDSA-AES256-SHA
51
+ ECDHE-RSA-AES256-SHA
52
+ DHE-RSA-AES128-SHA256
53
+ DHE-RSA-AES256-SHA256
54
+ DHE-RSA-AES128-SHA
55
+ DHE-RSA-AES256-SHA
56
+ DHE-DSS-AES128-SHA256
57
+ DHE-DSS-AES256-SHA256
58
+ DHE-DSS-AES128-SHA
59
+ DHE-DSS-AES256-SHA
60
+ AES128-GCM-SHA256
61
+ AES256-GCM-SHA384
62
+ AES128-SHA256
63
+ AES256-SHA256
64
+ AES128-SHA
65
+ AES256-SHA
66
+ }.join(":"),
67
+ )
71
68
  end
72
69
 
73
- INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
74
- "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
75
- "verify_callback", "cert_store", "extra_chain_cert",
76
- "client_cert_cb", "session_id_context", "tmp_dh_callback",
77
- "session_get_cb", "session_new_cb", "session_remove_cb",
78
- "tmp_ecdh_callback", "servername_cb", "npn_protocols",
79
- "alpn_protocols", "alpn_select_cb",
80
- "npn_select_cb"].map { |x| "@#{x}" }
70
+ DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
71
+ DEFAULT_CERT_STORE.set_default_paths
72
+ DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
81
73
 
82
74
  # A callback invoked when DH parameters are required.
83
75
  #
@@ -90,14 +82,12 @@ module OpenSSL
90
82
 
91
83
  attr_accessor :tmp_dh_callback
92
84
 
93
- if ExtConfig::HAVE_TLSEXT_HOST_NAME
94
- # A callback invoked at connect time to distinguish between multiple
95
- # server names.
96
- #
97
- # The callback is invoked with an SSLSocket and a server name. The
98
- # callback must return an SSLContext for the server name or nil.
99
- attr_accessor :servername_cb
100
- end
85
+ # A callback invoked at connect time to distinguish between multiple
86
+ # server names.
87
+ #
88
+ # The callback is invoked with an SSLSocket and a server name. The
89
+ # callback must return an SSLContext for the server name or nil.
90
+ attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME
101
91
 
102
92
  # call-seq:
103
93
  # SSLContext.new => ctx
@@ -106,20 +96,22 @@ module OpenSSL
106
96
  #
107
97
  # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
108
98
  def initialize(version = nil)
109
- INIT_VARS.each { |v| instance_variable_set v, nil }
110
- self.options = self.options | OpenSSL::SSL::OP_ALL
111
- return unless version
112
- self.ssl_version = version
99
+ self.options |= OpenSSL::SSL::OP_ALL
100
+ self.ssl_version = version if version
113
101
  end
114
102
 
115
103
  ##
116
- # Sets the parameters for this SSL context to the values in +params+.
104
+ # call-seq:
105
+ # ctx.set_params(params = {}) -> params
106
+ #
107
+ # Sets saner defaults optimized for the use with HTTP-like protocols.
108
+ #
109
+ # If a Hash +params+ is given, the parameters are overridden with it.
117
110
  # The keys in +params+ must be assignment methods on SSLContext.
118
111
  #
119
112
  # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
120
113
  # cert_store are not set then the system default certificate store is
121
114
  # used.
122
-
123
115
  def set_params(params={})
124
116
  params = DEFAULT_PARAMS.merge(params)
125
117
  params.each{|name, value| self.__send__("#{name}=", value) }
@@ -252,45 +244,21 @@ module OpenSSL
252
244
  include Buffering
253
245
  include SocketForwarder
254
246
 
255
- if ExtConfig::OPENSSL_NO_SOCK
256
- def initialize(io, ctx = nil); raise NotImplementedError; end
257
- else
258
- if ExtConfig::HAVE_TLSEXT_HOST_NAME
259
- attr_accessor :hostname
260
- end
261
-
262
- attr_reader :io, :context
263
- attr_accessor :sync_close
264
- alias :to_io :io
265
-
266
- # call-seq:
267
- # SSLSocket.new(io) => aSSLSocket
268
- # SSLSocket.new(io, ctx) => aSSLSocket
269
- #
270
- # Creates a new SSL socket from +io+ which must be a real ruby object (not an
271
- # IO-like object that responds to read/write).
272
- #
273
- # If +ctx+ is provided the SSL Sockets initial params will be taken from
274
- # the context.
275
- #
276
- # The OpenSSL::Buffering module provides additional IO methods.
277
- #
278
- # This method will freeze the SSLContext if one is provided;
279
- # however, session management is still allowed in the frozen SSLContext.
280
-
281
- def initialize(io, context = OpenSSL::SSL::SSLContext.new)
282
- @io = io
283
- @context = context
284
- @sync_close = false
285
- @hostname = nil
286
- @io.nonblock = true if @io.respond_to?(:nonblock=)
287
- Rubinius.synchronize(SSL) do
288
- context.setup
289
- end
290
- super()
291
- end
247
+ if ExtConfig::HAVE_TLSEXT_HOST_NAME
248
+ attr_reader :hostname
292
249
  end
293
250
 
251
+ # The underlying IO object.
252
+ attr_reader :io
253
+ alias :to_io :io
254
+
255
+ # The SSLContext object used in this connection.
256
+ attr_reader :context
257
+
258
+ # Whether to close the underlying socket as well, when the SSL/TLS
259
+ # connection is shut down. This defaults to +false+.
260
+ attr_accessor :sync_close
261
+
294
262
  # call-seq:
295
263
  # ssl.sysclose => nil
296
264
  #
@@ -304,8 +272,10 @@ module OpenSSL
304
272
  io.close if sync_close
305
273
  end
306
274
 
307
- ##
308
- # Perform hostname verification after an SSL connection is established
275
+ # call-seq:
276
+ # ssl.post_connection_check(hostname) -> true
277
+ #
278
+ # Perform hostname verification following RFC 6125.
309
279
  #
310
280
  # This method MUST be called after calling #connect to ensure that the
311
281
  # hostname of a remote peer has been verified.
@@ -313,7 +283,8 @@ module OpenSSL
313
283
  if peer_cert.nil?
314
284
  msg = "Peer verification enabled, but no certificate received."
315
285
  if using_anon_cipher?
316
- msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
286
+ msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
287
+ "Anonymous suites must be disabled to use peer verification."
317
288
  end
318
289
  raise SSLError, msg
319
290
  end
@@ -324,6 +295,11 @@ module OpenSSL
324
295
  return true
325
296
  end
326
297
 
298
+ # call-seq:
299
+ # ssl.session -> aSession
300
+ #
301
+ # Returns the SSLSession object currently used, or nil if the session is
302
+ # not established.
327
303
  def session
328
304
  SSL::Session.new(self)
329
305
  rescue SSL::Session::SessionError
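Review bot: `DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL` (new line 72, now unconditional) does not enable revocation checking: OpenSSL honours X509_V_FLAG_CRL_CHECK_ALL only when X509_V_FLAG_CRL_CHECK is also set, and that flag is not set here, so the default store verifies chains with no CRL lookup at all. Adding V_FLAG_CRL_CHECK is not the fix either, because the store loads no CRLs and every verification would then fail for lack of one; the honest change is a comment on that line, `# CRL_CHECK_ALL has no effect without CRL_CHECK; the default store performs no revocation checking`, so readers do not mistake this for CRL validation. Separately, the SSLSocket hunk (old lines 255-291) removes the Ruby-level initialize that called `context.setup` under `Rubinius.synchronize(SSL)`, set `@io.nonblock = true`, and honoured `ExtConfig::OPENSSL_NO_SOCK`; the replacement constructor must come from ossl_ssl.c, which is not visible here, so confirm it still performs the context setup (and its thread-safety on this runtime) before the first handshake and that `hostname=` is provided there now that only `attr_reader :hostname` remains in Ruby.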