rubysl-openssl 2.10 → 2.11
- checksums.yaml +5 -5
- data/ext/rubysl/openssl/deprecation.rb +7 -3
- data/ext/rubysl/openssl/extconf.rb +148 -103
- data/ext/rubysl/openssl/openssl_missing.c +94 -275
- data/ext/rubysl/openssl/openssl_missing.h +167 -98
- data/ext/rubysl/openssl/ossl.c +266 -212
- data/ext/rubysl/openssl/ossl.h +27 -89
- data/ext/rubysl/openssl/ossl_asn1.c +157 -221
- data/ext/rubysl/openssl/ossl_asn1.h +11 -3
- data/ext/rubysl/openssl/ossl_bio.c +10 -40
- data/ext/rubysl/openssl/ossl_bio.h +1 -2
- data/ext/rubysl/openssl/ossl_bn.c +144 -100
- data/ext/rubysl/openssl/ossl_bn.h +3 -1
- data/ext/rubysl/openssl/ossl_cipher.c +270 -195
- data/ext/rubysl/openssl/ossl_config.c +7 -1
- data/ext/rubysl/openssl/ossl_config.h +0 -1
- data/ext/rubysl/openssl/ossl_digest.c +40 -29
- data/ext/rubysl/openssl/ossl_engine.c +23 -62
- data/ext/rubysl/openssl/ossl_hmac.c +82 -55
- data/ext/rubysl/openssl/ossl_ns_spki.c +22 -22
- data/ext/rubysl/openssl/ossl_ocsp.c +894 -144
- data/ext/rubysl/openssl/ossl_ocsp.h +1 -1
- data/ext/rubysl/openssl/ossl_pkcs12.c +47 -19
- data/ext/rubysl/openssl/ossl_pkcs5.c +7 -15
- data/ext/rubysl/openssl/ossl_pkcs7.c +38 -15
- data/ext/rubysl/openssl/ossl_pkey.c +151 -99
- data/ext/rubysl/openssl/ossl_pkey.h +123 -29
- data/ext/rubysl/openssl/ossl_pkey_dh.c +143 -92
- data/ext/rubysl/openssl/ossl_pkey_dsa.c +149 -104
- data/ext/rubysl/openssl/ossl_pkey_ec.c +646 -524
- data/ext/rubysl/openssl/ossl_pkey_rsa.c +180 -121
- data/ext/rubysl/openssl/ossl_rand.c +25 -21
- data/ext/rubysl/openssl/ossl_ssl.c +795 -413
- data/ext/rubysl/openssl/ossl_ssl.h +3 -0
- data/ext/rubysl/openssl/ossl_ssl_session.c +83 -77
- data/ext/rubysl/openssl/ossl_version.h +1 -1
- data/ext/rubysl/openssl/ossl_x509.c +92 -8
- data/ext/rubysl/openssl/ossl_x509.h +14 -5
- data/ext/rubysl/openssl/ossl_x509attr.c +77 -41
- data/ext/rubysl/openssl/ossl_x509cert.c +45 -46
- data/ext/rubysl/openssl/ossl_x509crl.c +51 -57
- data/ext/rubysl/openssl/ossl_x509ext.c +39 -33
- data/ext/rubysl/openssl/ossl_x509name.c +68 -45
- data/ext/rubysl/openssl/ossl_x509req.c +32 -38
- data/ext/rubysl/openssl/ossl_x509revoked.c +43 -9
- data/ext/rubysl/openssl/ossl_x509store.c +309 -104
- data/ext/rubysl/openssl/ruby_missing.h +8 -6
- data/lib/openssl/buffering.rb +11 -5
- data/lib/openssl/cipher.rb +23 -15
- data/lib/openssl/digest.rb +7 -10
- data/lib/openssl/pkey.rb +15 -8
- data/lib/openssl/ssl.rb +81 -105
- data/lib/rubysl/openssl.rb +1 -4
- data/lib/rubysl/openssl/version.rb +1 -1
- metadata +3 -4
@@ -13,15 +13,17 @@
|
|
13
13
|
#define rb_define_copy_func(klass, func) \
|
14
14
|
rb_define_method((klass), "initialize_copy", (func), 1)
|
15
15
|
|
16
|
-
|
17
|
-
#ifndef GetReadFile
|
18
16
|
#define FPTR_TO_FD(fptr) ((fptr)->fd)
|
19
|
-
|
20
|
-
|
17
|
+
|
18
|
+
/* Ruby 2.4 */
|
19
|
+
#ifndef RB_INTEGER_TYPE_P
|
20
|
+
# define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
|
21
21
|
#endif
|
22
22
|
|
23
|
-
|
24
|
-
#
|
23
|
+
/* Ruby 2.5 */
|
24
|
+
#ifndef ST2FIX
|
25
|
+
# define RB_ST2FIX(h) LONG2FIX((long)(h))
|
26
|
+
# define ST2FIX(h) RB_ST2FIX(h)
|
25
27
|
#endif
|
26
28
|
|
27
29
|
#endif /* _OSSL_RUBY_MISSING_H_ */
|
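--- a/data/lib/openssl/buffering.rb
+++ b/data/lib/openssl/buffering.rb
@@ -132,7 +132,6 @@ module OpenSSL::Buffering
 buf.replace(ret)
 ret = buf
 end
-raise EOFError if ret.empty?
 ret
 end
 
@@ -164,6 +163,10 @@ module OpenSSL::Buffering
 # Note that one reason that read_nonblock writes to the underlying IO is
 # when the peer requests a new TLS/SSL handshake. See openssl the FAQ for
 # more details. http://www.openssl.org/support/faq.html
+#
+# By specifying `exception: false`, the options hash allows you to indicate
+# that read_nonblock should not raise an IO::Wait*able exception, but
+# return the symbol :wait_writable or :wait_readable instead.
 
 def read_nonblock(maxlen, buf=nil, exception: true)
 if maxlen == 0
@@ -182,12 +185,11 @@ module OpenSSL::Buffering
 buf.replace(ret)
 ret = buf
 end
-raise EOFError if ret.empty?
 ret
 end
 
 ##
-# Reads the next "line
+# Reads the next "line" from the stream. Lines are separated by +eol+. If
 # +limit+ is provided the result will not be longer than the given number of
 # bytes.
 #
@@ -342,7 +344,7 @@ module OpenSSL::Buffering
 end
 
 ##
-# Writes +
+# Writes +s+ in the non-blocking manner.
 #
 # If there is buffered data, it is flushed first. This may block.
 #
@@ -373,6 +375,10 @@ module OpenSSL::Buffering
 # Note that one reason that write_nonblock reads from the underlying IO
 # is when the peer requests a new TLS/SSL handshake. See the openssl FAQ
 # for more details. http://www.openssl.org/support/faq.html
+#
+# By specifying `exception: false`, the options hash allows you to indicate
+# that write_nonblock should not raise an IO::Wait*able exception, but
+# return the symbol :wait_writable or :wait_readable instead.
 
 def write_nonblock(s, exception: true)
 flush
@@ -383,7 +389,7 @@ module OpenSSL::Buffering
 # Writes +s+ to the stream. +s+ will be converted to a String using
 # String#to_s.
 
-def <<
+def <<(s)
 do_write(s)
 self
 end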
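Review bot: With `raise EOFError if ret.empty?` removed at old lines 135 and 185, nothing visible in these two hunks says why `ret` can no longer be empty when it is returned, and both method bodies start outside the hunks. If the guarantee comes from an earlier branch that handles the empty-buffer case, I would record it where the check used to be, for example `# ret is non-empty here: the empty-buffer case is handled by the unbuffered read above`, after confirming that this holds. Read loops over a TLS stream usually rely on EOFError to tell a closed or truncated stream from data, so the invariant is worth stating next to the code that depends on it.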
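--- a/data/lib/openssl/cipher.rb
+++ b/data/lib/openssl/cipher.rb
@@ -18,7 +18,7 @@ module OpenSSL
 klass = Class.new(Cipher){
 define_method(:initialize){|*args|
 cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
-super(cipher_name)
+super(cipher_name.downcase)
 }
 }
 const_set(name, klass)
@@ -26,34 +26,42 @@ module OpenSSL
 
 %w(128 192 256).each{|keylen|
 klass = Class.new(Cipher){
-define_method(:initialize){|mode|
-mode
-cipher_name = "AES-#{keylen}-#{mode}"
-super(cipher_name)
+define_method(:initialize){|mode = "CBC"|
+super("aes-#{keylen}-#{mode}".downcase)
 }
 }
 const_set("AES#{keylen}", klass)
 }
 
-#
-#
+# call-seq:
+# cipher.random_key -> key
+#
+# Generate a random key with OpenSSL::Random.random_bytes and sets it to
+# the cipher, and returns it.
+#
+# You must call #encrypt or #decrypt before calling this method.
 def random_key
 str = OpenSSL::Random.random_bytes(self.key_len)
 self.key = str
-return str
 end
 
-#
-#
+# call-seq:
+# cipher.random_iv -> iv
+#
+# Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
+# cipher, and returns it.
+#
+# You must call #encrypt or #decrypt before calling this method.
 def random_iv
 str = OpenSSL::Random.random_bytes(self.iv_len)
 self.iv = str
-return str
 end
 
-#
-
-
-
+# Deprecated.
+#
+# This class is only provided for backwards compatibility.
+# Use OpenSSL::Cipher.
+class Cipher < Cipher; end
+deprecate_constant :Cipher
 end # Cipher
 end # OpenSSL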
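Review bot: The block parameter default `|mode = "CBC"|` at new line 29 means the generated AES128, AES192 and AES256 classes select CBC when no mode is passed, and nothing on these classes says so or that CBC provides confidentiality without integrity. Since this release adds rdoc to random_key and random_iv, I would document the default next to the generator as well, for example `# Defaults to CBC when no mode is given; CBC is unauthenticated, so pair it with a MAC or pass an AEAD mode such as "GCM".` The removed lines are only partly visible but appear to have defaulted the mode too, so this is a documentation gap rather than a behaviour change.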
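--- a/data/lib/openssl/digest.rb
+++ b/data/lib/openssl/digest.rb
@@ -15,7 +15,10 @@
 module OpenSSL
 class Digest
 
-alg = %w(
+alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
+if OPENSSL_VERSION_NUMBER < 0x10100000
+alg += %w(DSS DSS1 SHA)
+end
 if OPENSSL_VERSION_NUMBER > 0x00908000
 alg += %w(SHA224 SHA256 SHA384 SHA512)
 end
@@ -50,15 +53,9 @@ module OpenSSL
 # Deprecated.
 #
 # This class is only provided for backwards compatibility.
-
-
-
-# See OpenSSL::Digest.new
-def initialize(*args)
-warn('Digest::Digest is deprecated; use Digest')
-super(*args)
-end
-end
+# Use OpenSSL::Digest instead.
+class Digest < Digest; end # :nodoc:
+deprecate_constant :Digest
 
 end # Digest
 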
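Review bot: The gate `if OPENSSL_VERSION_NUMBER < 0x10100000` at new line 19 decides on the version number alone, while ssl.rb in this same release also checks `OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL")` before trusting that number. If builds against a non-OpenSSL library that reports a higher number (LibreSSL does) are supported, DSS, DSS1 and SHA would no longer be defined there regardless of what the library provides; worth confirming and using the same two-part condition in both files. A short comment on the first list, such as `# MD2, MD4, MD5 and SHA1 are kept for compatibility only; they are not collision-resistant`, would also help anyone picking a class from it.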
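--- a/data/lib/openssl/pkey.rb
+++ b/data/lib/openssl/pkey.rb
@@ -4,27 +4,34 @@ module OpenSSL
 if defined?(OpenSSL::PKey::DH)
 
 class DH
-
------BEGIN DH PARAMETERS-----
-MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
-zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
------END DH PARAMETERS-----
-_end_of_pem_
-
+# :nodoc:
 DEFAULT_1024 = new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
 AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
 T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
+-----END DH PARAMETERS-----
+_end_of_pem_
+
+# :nodoc:
+DEFAULT_2048 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
 -----END DH PARAMETERS-----
 _end_of_pem_
 end
 
+# :nodoc:
 DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
 warn "using default DH parameters." if $VERBOSE
 case keylen
-when 512 then OpenSSL::PKey::DH::DEFAULT_512
 when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+when 2048 then OpenSSL::PKey::DH::DEFAULT_2048
 else
 nil
 end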
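Review bot: `when 1024 then OpenSSL::PKey::DH::DEFAULT_1024` stays in place at new line 33, so a requested key length of 1024 is still answered with the fixed 1024-bit group even though this change drops the 512-bit parameters and adds DEFAULT_2048. A 1024-bit finite-field group is below current minimum recommendations, and parameters compiled into every install are shared by all users of the default callback. I would document that on the constant, e.g. `# 1024-bit group kept for compatibility only; prefer DEFAULT_2048`, and consider whether the 1024 branch should return the 2048-bit parameters instead. The lambda's closing brace is outside the hunk, so how the `nil` from the `else` branch is handled cannot be checked from here.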
data/lib/openssl/ssl.rb
CHANGED
@@ -16,68 +16,60 @@ require "io/nonblock"
|
|
16
16
|
module OpenSSL
|
17
17
|
module SSL
|
18
18
|
class SSLContext
|
19
|
-
DEFAULT_PARAMS = {
|
19
|
+
DEFAULT_PARAMS = { # :nodoc:
|
20
20
|
:ssl_version => "SSLv23",
|
21
21
|
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
|
22
|
-
:
|
23
|
-
ECDHE-ECDSA-AES128-GCM-SHA256
|
24
|
-
ECDHE-RSA-AES128-GCM-SHA256
|
25
|
-
ECDHE-ECDSA-AES256-GCM-SHA384
|
26
|
-
ECDHE-RSA-AES256-GCM-SHA384
|
27
|
-
DHE-RSA-AES128-GCM-SHA256
|
28
|
-
DHE-DSS-AES128-GCM-SHA256
|
29
|
-
DHE-RSA-AES256-GCM-SHA384
|
30
|
-
DHE-DSS-AES256-GCM-SHA384
|
31
|
-
ECDHE-ECDSA-AES128-SHA256
|
32
|
-
ECDHE-RSA-AES128-SHA256
|
33
|
-
ECDHE-ECDSA-AES128-SHA
|
34
|
-
ECDHE-RSA-AES128-SHA
|
35
|
-
ECDHE-ECDSA-AES256-SHA384
|
36
|
-
ECDHE-RSA-AES256-SHA384
|
37
|
-
ECDHE-ECDSA-AES256-SHA
|
38
|
-
ECDHE-RSA-AES256-SHA
|
39
|
-
DHE-RSA-AES128-SHA256
|
40
|
-
DHE-RSA-AES256-SHA256
|
41
|
-
DHE-RSA-AES128-SHA
|
42
|
-
DHE-RSA-AES256-SHA
|
43
|
-
DHE-DSS-AES128-SHA256
|
44
|
-
DHE-DSS-AES256-SHA256
|
45
|
-
DHE-DSS-AES128-SHA
|
46
|
-
DHE-DSS-AES256-SHA
|
47
|
-
AES128-GCM-SHA256
|
48
|
-
AES256-GCM-SHA384
|
49
|
-
AES128-SHA256
|
50
|
-
AES256-SHA256
|
51
|
-
AES128-SHA
|
52
|
-
AES256-SHA
|
53
|
-
ECDHE-ECDSA-RC4-SHA
|
54
|
-
ECDHE-RSA-RC4-SHA
|
55
|
-
RC4-SHA
|
56
|
-
}.join(":"),
|
22
|
+
:verify_hostname => true,
|
57
23
|
:options => -> {
|
58
24
|
opts = OpenSSL::SSL::OP_ALL
|
59
|
-
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
25
|
+
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
60
26
|
opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
|
61
|
-
opts |= OpenSSL::SSL::OP_NO_SSLv2
|
62
|
-
opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
|
27
|
+
opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
|
63
28
|
opts
|
64
29
|
}.call
|
65
30
|
}
|
66
31
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
32
|
+
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
|
33
|
+
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
|
34
|
+
DEFAULT_PARAMS.merge!(
|
35
|
+
ciphers: %w{
|
36
|
+
ECDHE-ECDSA-AES128-GCM-SHA256
|
37
|
+
ECDHE-RSA-AES128-GCM-SHA256
|
38
|
+
ECDHE-ECDSA-AES256-GCM-SHA384
|
39
|
+
ECDHE-RSA-AES256-GCM-SHA384
|
40
|
+
DHE-RSA-AES128-GCM-SHA256
|
41
|
+
DHE-DSS-AES128-GCM-SHA256
|
42
|
+
DHE-RSA-AES256-GCM-SHA384
|
43
|
+
DHE-DSS-AES256-GCM-SHA384
|
44
|
+
ECDHE-ECDSA-AES128-SHA256
|
45
|
+
ECDHE-RSA-AES128-SHA256
|
46
|
+
ECDHE-ECDSA-AES128-SHA
|
47
|
+
ECDHE-RSA-AES128-SHA
|
48
|
+
ECDHE-ECDSA-AES256-SHA384
|
49
|
+
ECDHE-RSA-AES256-SHA384
|
50
|
+
ECDHE-ECDSA-AES256-SHA
|
51
|
+
ECDHE-RSA-AES256-SHA
|
52
|
+
DHE-RSA-AES128-SHA256
|
53
|
+
DHE-RSA-AES256-SHA256
|
54
|
+
DHE-RSA-AES128-SHA
|
55
|
+
DHE-RSA-AES256-SHA
|
56
|
+
DHE-DSS-AES128-SHA256
|
57
|
+
DHE-DSS-AES256-SHA256
|
58
|
+
DHE-DSS-AES128-SHA
|
59
|
+
DHE-DSS-AES256-SHA
|
60
|
+
AES128-GCM-SHA256
|
61
|
+
AES256-GCM-SHA384
|
62
|
+
AES128-SHA256
|
63
|
+
AES256-SHA256
|
64
|
+
AES128-SHA
|
65
|
+
AES256-SHA
|
66
|
+
}.join(":"),
|
67
|
+
)
|
71
68
|
end
|
72
69
|
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
"client_cert_cb", "session_id_context", "tmp_dh_callback",
|
77
|
-
"session_get_cb", "session_new_cb", "session_remove_cb",
|
78
|
-
"tmp_ecdh_callback", "servername_cb", "npn_protocols",
|
79
|
-
"alpn_protocols", "alpn_select_cb",
|
80
|
-
"npn_select_cb"].map { |x| "@#{x}" }
|
70
|
+
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
|
71
|
+
DEFAULT_CERT_STORE.set_default_paths
|
72
|
+
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
|
81
73
|
|
82
74
|
# A callback invoked when DH parameters are required.
|
83
75
|
#
|
@@ -90,14 +82,12 @@ module OpenSSL
|
|
90
82
|
|
91
83
|
attr_accessor :tmp_dh_callback
|
92
84
|
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
attr_accessor :servername_cb
|
100
|
-
end
|
85
|
+
# A callback invoked at connect time to distinguish between multiple
|
86
|
+
# server names.
|
87
|
+
#
|
88
|
+
# The callback is invoked with an SSLSocket and a server name. The
|
89
|
+
# callback must return an SSLContext for the server name or nil.
|
90
|
+
attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
101
91
|
|
102
92
|
# call-seq:
|
103
93
|
# SSLContext.new => ctx
|
@@ -106,20 +96,22 @@ module OpenSSL
|
|
106
96
|
#
|
107
97
|
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
|
108
98
|
def initialize(version = nil)
|
109
|
-
|
110
|
-
self.
|
111
|
-
return unless version
|
112
|
-
self.ssl_version = version
|
99
|
+
self.options |= OpenSSL::SSL::OP_ALL
|
100
|
+
self.ssl_version = version if version
|
113
101
|
end
|
114
102
|
|
115
103
|
##
|
116
|
-
#
|
104
|
+
# call-seq:
|
105
|
+
# ctx.set_params(params = {}) -> params
|
106
|
+
#
|
107
|
+
# Sets saner defaults optimized for the use with HTTP-like protocols.
|
108
|
+
#
|
109
|
+
# If a Hash +params+ is given, the parameters are overridden with it.
|
117
110
|
# The keys in +params+ must be assignment methods on SSLContext.
|
118
111
|
#
|
119
112
|
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
|
120
113
|
# cert_store are not set then the system default certificate store is
|
121
114
|
# used.
|
122
|
-
|
123
115
|
def set_params(params={})
|
124
116
|
params = DEFAULT_PARAMS.merge(params)
|
125
117
|
params.each{|name, value| self.__send__("#{name}=", value) }
|
@@ -252,45 +244,21 @@ module OpenSSL
|
|
252
244
|
include Buffering
|
253
245
|
include SocketForwarder
|
254
246
|
|
255
|
-
if ExtConfig::
|
256
|
-
|
257
|
-
else
|
258
|
-
if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
259
|
-
attr_accessor :hostname
|
260
|
-
end
|
261
|
-
|
262
|
-
attr_reader :io, :context
|
263
|
-
attr_accessor :sync_close
|
264
|
-
alias :to_io :io
|
265
|
-
|
266
|
-
# call-seq:
|
267
|
-
# SSLSocket.new(io) => aSSLSocket
|
268
|
-
# SSLSocket.new(io, ctx) => aSSLSocket
|
269
|
-
#
|
270
|
-
# Creates a new SSL socket from +io+ which must be a real ruby object (not an
|
271
|
-
# IO-like object that responds to read/write).
|
272
|
-
#
|
273
|
-
# If +ctx+ is provided the SSL Sockets initial params will be taken from
|
274
|
-
# the context.
|
275
|
-
#
|
276
|
-
# The OpenSSL::Buffering module provides additional IO methods.
|
277
|
-
#
|
278
|
-
# This method will freeze the SSLContext if one is provided;
|
279
|
-
# however, session management is still allowed in the frozen SSLContext.
|
280
|
-
|
281
|
-
def initialize(io, context = OpenSSL::SSL::SSLContext.new)
|
282
|
-
@io = io
|
283
|
-
@context = context
|
284
|
-
@sync_close = false
|
285
|
-
@hostname = nil
|
286
|
-
@io.nonblock = true if @io.respond_to?(:nonblock=)
|
287
|
-
Rubinius.synchronize(SSL) do
|
288
|
-
context.setup
|
289
|
-
end
|
290
|
-
super()
|
291
|
-
end
|
247
|
+
if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
248
|
+
attr_reader :hostname
|
292
249
|
end
|
293
250
|
|
251
|
+
# The underlying IO object.
|
252
|
+
attr_reader :io
|
253
|
+
alias :to_io :io
|
254
|
+
|
255
|
+
# The SSLContext object used in this connection.
|
256
|
+
attr_reader :context
|
257
|
+
|
258
|
+
# Whether to close the underlying socket as well, when the SSL/TLS
|
259
|
+
# connection is shut down. This defaults to +false+.
|
260
|
+
attr_accessor :sync_close
|
261
|
+
|
294
262
|
# call-seq:
|
295
263
|
# ssl.sysclose => nil
|
296
264
|
#
|
@@ -304,8 +272,10 @@ module OpenSSL
|
|
304
272
|
io.close if sync_close
|
305
273
|
end
|
306
274
|
|
307
|
-
|
308
|
-
#
|
275
|
+
# call-seq:
|
276
|
+
# ssl.post_connection_check(hostname) -> true
|
277
|
+
#
|
278
|
+
# Perform hostname verification following RFC 6125.
|
309
279
|
#
|
310
280
|
# This method MUST be called after calling #connect to ensure that the
|
311
281
|
# hostname of a remote peer has been verified.
|
@@ -313,7 +283,8 @@ module OpenSSL
|
|
313
283
|
if peer_cert.nil?
|
314
284
|
msg = "Peer verification enabled, but no certificate received."
|
315
285
|
if using_anon_cipher?
|
316
|
-
msg += " Anonymous cipher suite #{cipher[0]} was negotiated.
|
286
|
+
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
|
287
|
+
"Anonymous suites must be disabled to use peer verification."
|
317
288
|
end
|
318
289
|
raise SSLError, msg
|
319
290
|
end
|
@@ -324,6 +295,11 @@ module OpenSSL
|
|
324
295
|
return true
|
325
296
|
end
|
326
297
|
|
298
|
+
# call-seq:
|
299
|
+
# ssl.session -> aSession
|
300
|
+
#
|
301
|
+
# Returns the SSLSession object currently used, or nil if the session is
|
302
|
+
# not established.
|
327
303
|
def session
|
328
304
|
SSL::Session.new(self)
|
329
305
|
rescue SSL::Session::SessionError
|