rubysl-openssl 2.10 → 2.11
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/ext/rubysl/openssl/deprecation.rb +7 -3
- data/ext/rubysl/openssl/extconf.rb +148 -103
- data/ext/rubysl/openssl/openssl_missing.c +94 -275
- data/ext/rubysl/openssl/openssl_missing.h +167 -98
- data/ext/rubysl/openssl/ossl.c +266 -212
- data/ext/rubysl/openssl/ossl.h +27 -89
- data/ext/rubysl/openssl/ossl_asn1.c +157 -221
- data/ext/rubysl/openssl/ossl_asn1.h +11 -3
- data/ext/rubysl/openssl/ossl_bio.c +10 -40
- data/ext/rubysl/openssl/ossl_bio.h +1 -2
- data/ext/rubysl/openssl/ossl_bn.c +144 -100
- data/ext/rubysl/openssl/ossl_bn.h +3 -1
- data/ext/rubysl/openssl/ossl_cipher.c +270 -195
- data/ext/rubysl/openssl/ossl_config.c +7 -1
- data/ext/rubysl/openssl/ossl_config.h +0 -1
- data/ext/rubysl/openssl/ossl_digest.c +40 -29
- data/ext/rubysl/openssl/ossl_engine.c +23 -62
- data/ext/rubysl/openssl/ossl_hmac.c +82 -55
- data/ext/rubysl/openssl/ossl_ns_spki.c +22 -22
- data/ext/rubysl/openssl/ossl_ocsp.c +894 -144
- data/ext/rubysl/openssl/ossl_ocsp.h +1 -1
- data/ext/rubysl/openssl/ossl_pkcs12.c +47 -19
- data/ext/rubysl/openssl/ossl_pkcs5.c +7 -15
- data/ext/rubysl/openssl/ossl_pkcs7.c +38 -15
- data/ext/rubysl/openssl/ossl_pkey.c +151 -99
- data/ext/rubysl/openssl/ossl_pkey.h +123 -29
- data/ext/rubysl/openssl/ossl_pkey_dh.c +143 -92
- data/ext/rubysl/openssl/ossl_pkey_dsa.c +149 -104
- data/ext/rubysl/openssl/ossl_pkey_ec.c +646 -524
- data/ext/rubysl/openssl/ossl_pkey_rsa.c +180 -121
- data/ext/rubysl/openssl/ossl_rand.c +25 -21
- data/ext/rubysl/openssl/ossl_ssl.c +795 -413
- data/ext/rubysl/openssl/ossl_ssl.h +3 -0
- data/ext/rubysl/openssl/ossl_ssl_session.c +83 -77
- data/ext/rubysl/openssl/ossl_version.h +1 -1
- data/ext/rubysl/openssl/ossl_x509.c +92 -8
- data/ext/rubysl/openssl/ossl_x509.h +14 -5
- data/ext/rubysl/openssl/ossl_x509attr.c +77 -41
- data/ext/rubysl/openssl/ossl_x509cert.c +45 -46
- data/ext/rubysl/openssl/ossl_x509crl.c +51 -57
- data/ext/rubysl/openssl/ossl_x509ext.c +39 -33
- data/ext/rubysl/openssl/ossl_x509name.c +68 -45
- data/ext/rubysl/openssl/ossl_x509req.c +32 -38
- data/ext/rubysl/openssl/ossl_x509revoked.c +43 -9
- data/ext/rubysl/openssl/ossl_x509store.c +309 -104
- data/ext/rubysl/openssl/ruby_missing.h +8 -6
- data/lib/openssl/buffering.rb +11 -5
- data/lib/openssl/cipher.rb +23 -15
- data/lib/openssl/digest.rb +7 -10
- data/lib/openssl/pkey.rb +15 -8
- data/lib/openssl/ssl.rb +81 -105
- data/lib/rubysl/openssl.rb +1 -4
- data/lib/rubysl/openssl/version.rb +1 -1
- metadata +3 -4
@@ -13,15 +13,17 @@
|
|
13
13
|
#define rb_define_copy_func(klass, func) \
|
14
14
|
rb_define_method((klass), "initialize_copy", (func), 1)
|
15
15
|
|
16
|
-
|
17
|
-
#ifndef GetReadFile
|
18
16
|
#define FPTR_TO_FD(fptr) ((fptr)->fd)
|
19
|
-
|
20
|
-
|
17
|
+
|
18
|
+
/* Ruby 2.4 */
|
19
|
+
#ifndef RB_INTEGER_TYPE_P
|
20
|
+
# define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM))
|
21
21
|
#endif
|
22
22
|
|
23
|
-
|
24
|
-
#
|
23
|
+
/* Ruby 2.5 */
|
24
|
+
#ifndef ST2FIX
|
25
|
+
# define RB_ST2FIX(h) LONG2FIX((long)(h))
|
26
|
+
# define ST2FIX(h) RB_ST2FIX(h)
|
25
27
|
#endif
|
26
28
|
|
27
29
|
#endif /* _OSSL_RUBY_MISSING_H_ */
|
data/lib/openssl/buffering.rb
CHANGED
@@ -132,7 +132,6 @@ module OpenSSL::Buffering
|
|
132
132
|
buf.replace(ret)
|
133
133
|
ret = buf
|
134
134
|
end
|
135
|
-
raise EOFError if ret.empty?
|
136
135
|
ret
|
137
136
|
end
|
138
137
|
|
@@ -164,6 +163,10 @@ module OpenSSL::Buffering
|
|
164
163
|
# Note that one reason that read_nonblock writes to the underlying IO is
|
165
164
|
# when the peer requests a new TLS/SSL handshake. See openssl the FAQ for
|
166
165
|
# more details. http://www.openssl.org/support/faq.html
|
166
|
+
#
|
167
|
+
# By specifying `exception: false`, the options hash allows you to indicate
|
168
|
+
# that read_nonblock should not raise an IO::Wait*able exception, but
|
169
|
+
# return the symbol :wait_writable or :wait_readable instead.
|
167
170
|
|
168
171
|
def read_nonblock(maxlen, buf=nil, exception: true)
|
169
172
|
if maxlen == 0
|
@@ -182,12 +185,11 @@ module OpenSSL::Buffering
|
|
182
185
|
buf.replace(ret)
|
183
186
|
ret = buf
|
184
187
|
end
|
185
|
-
raise EOFError if ret.empty?
|
186
188
|
ret
|
187
189
|
end
|
188
190
|
|
189
191
|
##
|
190
|
-
# Reads the next "line
|
192
|
+
# Reads the next "line" from the stream. Lines are separated by +eol+. If
|
191
193
|
# +limit+ is provided the result will not be longer than the given number of
|
192
194
|
# bytes.
|
193
195
|
#
|
@@ -342,7 +344,7 @@ module OpenSSL::Buffering
|
|
342
344
|
end
|
343
345
|
|
344
346
|
##
|
345
|
-
# Writes +
|
347
|
+
# Writes +s+ in the non-blocking manner.
|
346
348
|
#
|
347
349
|
# If there is buffered data, it is flushed first. This may block.
|
348
350
|
#
|
@@ -373,6 +375,10 @@ module OpenSSL::Buffering
|
|
373
375
|
# Note that one reason that write_nonblock reads from the underlying IO
|
374
376
|
# is when the peer requests a new TLS/SSL handshake. See the openssl FAQ
|
375
377
|
# for more details. http://www.openssl.org/support/faq.html
|
378
|
+
#
|
379
|
+
# By specifying `exception: false`, the options hash allows you to indicate
|
380
|
+
# that write_nonblock should not raise an IO::Wait*able exception, but
|
381
|
+
# return the symbol :wait_writable or :wait_readable instead.
|
376
382
|
|
377
383
|
def write_nonblock(s, exception: true)
|
378
384
|
flush
|
@@ -383,7 +389,7 @@ module OpenSSL::Buffering
|
|
383
389
|
# Writes +s+ to the stream. +s+ will be converted to a String using
|
384
390
|
# String#to_s.
|
385
391
|
|
386
|
-
def <<
|
392
|
+
def <<(s)
|
387
393
|
do_write(s)
|
388
394
|
self
|
389
395
|
end
|
data/lib/openssl/cipher.rb
CHANGED
@@ -18,7 +18,7 @@ module OpenSSL
|
|
18
18
|
klass = Class.new(Cipher){
|
19
19
|
define_method(:initialize){|*args|
|
20
20
|
cipher_name = args.inject(name){|n, arg| "#{n}-#{arg}" }
|
21
|
-
super(cipher_name)
|
21
|
+
super(cipher_name.downcase)
|
22
22
|
}
|
23
23
|
}
|
24
24
|
const_set(name, klass)
|
@@ -26,34 +26,42 @@ module OpenSSL
|
|
26
26
|
|
27
27
|
%w(128 192 256).each{|keylen|
|
28
28
|
klass = Class.new(Cipher){
|
29
|
-
define_method(:initialize){|mode|
|
30
|
-
mode
|
31
|
-
cipher_name = "AES-#{keylen}-#{mode}"
|
32
|
-
super(cipher_name)
|
29
|
+
define_method(:initialize){|mode = "CBC"|
|
30
|
+
super("aes-#{keylen}-#{mode}".downcase)
|
33
31
|
}
|
34
32
|
}
|
35
33
|
const_set("AES#{keylen}", klass)
|
36
34
|
}
|
37
35
|
|
38
|
-
#
|
39
|
-
#
|
36
|
+
# call-seq:
|
37
|
+
# cipher.random_key -> key
|
38
|
+
#
|
39
|
+
# Generate a random key with OpenSSL::Random.random_bytes and sets it to
|
40
|
+
# the cipher, and returns it.
|
41
|
+
#
|
42
|
+
# You must call #encrypt or #decrypt before calling this method.
|
40
43
|
def random_key
|
41
44
|
str = OpenSSL::Random.random_bytes(self.key_len)
|
42
45
|
self.key = str
|
43
|
-
return str
|
44
46
|
end
|
45
47
|
|
46
|
-
#
|
47
|
-
#
|
48
|
+
# call-seq:
|
49
|
+
# cipher.random_iv -> iv
|
50
|
+
#
|
51
|
+
# Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
|
52
|
+
# cipher, and returns it.
|
53
|
+
#
|
54
|
+
# You must call #encrypt or #decrypt before calling this method.
|
48
55
|
def random_iv
|
49
56
|
str = OpenSSL::Random.random_bytes(self.iv_len)
|
50
57
|
self.iv = str
|
51
|
-
return str
|
52
58
|
end
|
53
59
|
|
54
|
-
#
|
55
|
-
|
56
|
-
|
57
|
-
|
60
|
+
# Deprecated.
|
61
|
+
#
|
62
|
+
# This class is only provided for backwards compatibility.
|
63
|
+
# Use OpenSSL::Cipher.
|
64
|
+
class Cipher < Cipher; end
|
65
|
+
deprecate_constant :Cipher
|
58
66
|
end # Cipher
|
59
67
|
end # OpenSSL
|
data/lib/openssl/digest.rb
CHANGED
@@ -15,7 +15,10 @@
|
|
15
15
|
module OpenSSL
|
16
16
|
class Digest
|
17
17
|
|
18
|
-
alg = %w(
|
18
|
+
alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
|
19
|
+
if OPENSSL_VERSION_NUMBER < 0x10100000
|
20
|
+
alg += %w(DSS DSS1 SHA)
|
21
|
+
end
|
19
22
|
if OPENSSL_VERSION_NUMBER > 0x00908000
|
20
23
|
alg += %w(SHA224 SHA256 SHA384 SHA512)
|
21
24
|
end
|
@@ -50,15 +53,9 @@ module OpenSSL
|
|
50
53
|
# Deprecated.
|
51
54
|
#
|
52
55
|
# This class is only provided for backwards compatibility.
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
# See OpenSSL::Digest.new
|
57
|
-
def initialize(*args)
|
58
|
-
warn('Digest::Digest is deprecated; use Digest')
|
59
|
-
super(*args)
|
60
|
-
end
|
61
|
-
end
|
56
|
+
# Use OpenSSL::Digest instead.
|
57
|
+
class Digest < Digest; end # :nodoc:
|
58
|
+
deprecate_constant :Digest
|
62
59
|
|
63
60
|
end # Digest
|
64
61
|
|
data/lib/openssl/pkey.rb
CHANGED
@@ -4,27 +4,34 @@ module OpenSSL
|
|
4
4
|
if defined?(OpenSSL::PKey::DH)
|
5
5
|
|
6
6
|
class DH
|
7
|
-
|
8
|
-
-----BEGIN DH PARAMETERS-----
|
9
|
-
MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
|
10
|
-
zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
|
11
|
-
-----END DH PARAMETERS-----
|
12
|
-
_end_of_pem_
|
13
|
-
|
7
|
+
# :nodoc:
|
14
8
|
DEFAULT_1024 = new <<-_end_of_pem_
|
15
9
|
-----BEGIN DH PARAMETERS-----
|
16
10
|
MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
|
17
11
|
AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
|
18
12
|
T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
|
13
|
+
-----END DH PARAMETERS-----
|
14
|
+
_end_of_pem_
|
15
|
+
|
16
|
+
# :nodoc:
|
17
|
+
DEFAULT_2048 = new <<-_end_of_pem_
|
18
|
+
-----BEGIN DH PARAMETERS-----
|
19
|
+
MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
|
20
|
+
JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
|
21
|
+
VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
|
22
|
+
YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
23
|
+
1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
|
24
|
+
7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
|
19
25
|
-----END DH PARAMETERS-----
|
20
26
|
_end_of_pem_
|
21
27
|
end
|
22
28
|
|
29
|
+
# :nodoc:
|
23
30
|
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
|
24
31
|
warn "using default DH parameters." if $VERBOSE
|
25
32
|
case keylen
|
26
|
-
when 512 then OpenSSL::PKey::DH::DEFAULT_512
|
27
33
|
when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
|
34
|
+
when 2048 then OpenSSL::PKey::DH::DEFAULT_2048
|
28
35
|
else
|
29
36
|
nil
|
30
37
|
end
|
data/lib/openssl/ssl.rb
CHANGED
@@ -16,68 +16,60 @@ require "io/nonblock"
|
|
16
16
|
module OpenSSL
|
17
17
|
module SSL
|
18
18
|
class SSLContext
|
19
|
-
DEFAULT_PARAMS = {
|
19
|
+
DEFAULT_PARAMS = { # :nodoc:
|
20
20
|
:ssl_version => "SSLv23",
|
21
21
|
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
|
22
|
-
:
|
23
|
-
ECDHE-ECDSA-AES128-GCM-SHA256
|
24
|
-
ECDHE-RSA-AES128-GCM-SHA256
|
25
|
-
ECDHE-ECDSA-AES256-GCM-SHA384
|
26
|
-
ECDHE-RSA-AES256-GCM-SHA384
|
27
|
-
DHE-RSA-AES128-GCM-SHA256
|
28
|
-
DHE-DSS-AES128-GCM-SHA256
|
29
|
-
DHE-RSA-AES256-GCM-SHA384
|
30
|
-
DHE-DSS-AES256-GCM-SHA384
|
31
|
-
ECDHE-ECDSA-AES128-SHA256
|
32
|
-
ECDHE-RSA-AES128-SHA256
|
33
|
-
ECDHE-ECDSA-AES128-SHA
|
34
|
-
ECDHE-RSA-AES128-SHA
|
35
|
-
ECDHE-ECDSA-AES256-SHA384
|
36
|
-
ECDHE-RSA-AES256-SHA384
|
37
|
-
ECDHE-ECDSA-AES256-SHA
|
38
|
-
ECDHE-RSA-AES256-SHA
|
39
|
-
DHE-RSA-AES128-SHA256
|
40
|
-
DHE-RSA-AES256-SHA256
|
41
|
-
DHE-RSA-AES128-SHA
|
42
|
-
DHE-RSA-AES256-SHA
|
43
|
-
DHE-DSS-AES128-SHA256
|
44
|
-
DHE-DSS-AES256-SHA256
|
45
|
-
DHE-DSS-AES128-SHA
|
46
|
-
DHE-DSS-AES256-SHA
|
47
|
-
AES128-GCM-SHA256
|
48
|
-
AES256-GCM-SHA384
|
49
|
-
AES128-SHA256
|
50
|
-
AES256-SHA256
|
51
|
-
AES128-SHA
|
52
|
-
AES256-SHA
|
53
|
-
ECDHE-ECDSA-RC4-SHA
|
54
|
-
ECDHE-RSA-RC4-SHA
|
55
|
-
RC4-SHA
|
56
|
-
}.join(":"),
|
22
|
+
:verify_hostname => true,
|
57
23
|
:options => -> {
|
58
24
|
opts = OpenSSL::SSL::OP_ALL
|
59
|
-
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
25
|
+
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
60
26
|
opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
|
61
|
-
opts |= OpenSSL::SSL::OP_NO_SSLv2
|
62
|
-
opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
|
27
|
+
opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
|
63
28
|
opts
|
64
29
|
}.call
|
65
30
|
}
|
66
31
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
32
|
+
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
|
33
|
+
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
|
34
|
+
DEFAULT_PARAMS.merge!(
|
35
|
+
ciphers: %w{
|
36
|
+
ECDHE-ECDSA-AES128-GCM-SHA256
|
37
|
+
ECDHE-RSA-AES128-GCM-SHA256
|
38
|
+
ECDHE-ECDSA-AES256-GCM-SHA384
|
39
|
+
ECDHE-RSA-AES256-GCM-SHA384
|
40
|
+
DHE-RSA-AES128-GCM-SHA256
|
41
|
+
DHE-DSS-AES128-GCM-SHA256
|
42
|
+
DHE-RSA-AES256-GCM-SHA384
|
43
|
+
DHE-DSS-AES256-GCM-SHA384
|
44
|
+
ECDHE-ECDSA-AES128-SHA256
|
45
|
+
ECDHE-RSA-AES128-SHA256
|
46
|
+
ECDHE-ECDSA-AES128-SHA
|
47
|
+
ECDHE-RSA-AES128-SHA
|
48
|
+
ECDHE-ECDSA-AES256-SHA384
|
49
|
+
ECDHE-RSA-AES256-SHA384
|
50
|
+
ECDHE-ECDSA-AES256-SHA
|
51
|
+
ECDHE-RSA-AES256-SHA
|
52
|
+
DHE-RSA-AES128-SHA256
|
53
|
+
DHE-RSA-AES256-SHA256
|
54
|
+
DHE-RSA-AES128-SHA
|
55
|
+
DHE-RSA-AES256-SHA
|
56
|
+
DHE-DSS-AES128-SHA256
|
57
|
+
DHE-DSS-AES256-SHA256
|
58
|
+
DHE-DSS-AES128-SHA
|
59
|
+
DHE-DSS-AES256-SHA
|
60
|
+
AES128-GCM-SHA256
|
61
|
+
AES256-GCM-SHA384
|
62
|
+
AES128-SHA256
|
63
|
+
AES256-SHA256
|
64
|
+
AES128-SHA
|
65
|
+
AES256-SHA
|
66
|
+
}.join(":"),
|
67
|
+
)
|
71
68
|
end
|
72
69
|
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
"client_cert_cb", "session_id_context", "tmp_dh_callback",
|
77
|
-
"session_get_cb", "session_new_cb", "session_remove_cb",
|
78
|
-
"tmp_ecdh_callback", "servername_cb", "npn_protocols",
|
79
|
-
"alpn_protocols", "alpn_select_cb",
|
80
|
-
"npn_select_cb"].map { |x| "@#{x}" }
|
70
|
+
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
|
71
|
+
DEFAULT_CERT_STORE.set_default_paths
|
72
|
+
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
|
81
73
|
|
82
74
|
# A callback invoked when DH parameters are required.
|
83
75
|
#
|
@@ -90,14 +82,12 @@ module OpenSSL
|
|
90
82
|
|
91
83
|
attr_accessor :tmp_dh_callback
|
92
84
|
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
attr_accessor :servername_cb
|
100
|
-
end
|
85
|
+
# A callback invoked at connect time to distinguish between multiple
|
86
|
+
# server names.
|
87
|
+
#
|
88
|
+
# The callback is invoked with an SSLSocket and a server name. The
|
89
|
+
# callback must return an SSLContext for the server name or nil.
|
90
|
+
attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
101
91
|
|
102
92
|
# call-seq:
|
103
93
|
# SSLContext.new => ctx
|
@@ -106,20 +96,22 @@ module OpenSSL
|
|
106
96
|
#
|
107
97
|
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
|
108
98
|
def initialize(version = nil)
|
109
|
-
|
110
|
-
self.
|
111
|
-
return unless version
|
112
|
-
self.ssl_version = version
|
99
|
+
self.options |= OpenSSL::SSL::OP_ALL
|
100
|
+
self.ssl_version = version if version
|
113
101
|
end
|
114
102
|
|
115
103
|
##
|
116
|
-
#
|
104
|
+
# call-seq:
|
105
|
+
# ctx.set_params(params = {}) -> params
|
106
|
+
#
|
107
|
+
# Sets saner defaults optimized for the use with HTTP-like protocols.
|
108
|
+
#
|
109
|
+
# If a Hash +params+ is given, the parameters are overridden with it.
|
117
110
|
# The keys in +params+ must be assignment methods on SSLContext.
|
118
111
|
#
|
119
112
|
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
|
120
113
|
# cert_store are not set then the system default certificate store is
|
121
114
|
# used.
|
122
|
-
|
123
115
|
def set_params(params={})
|
124
116
|
params = DEFAULT_PARAMS.merge(params)
|
125
117
|
params.each{|name, value| self.__send__("#{name}=", value) }
|
@@ -252,45 +244,21 @@ module OpenSSL
|
|
252
244
|
include Buffering
|
253
245
|
include SocketForwarder
|
254
246
|
|
255
|
-
if ExtConfig::
|
256
|
-
|
257
|
-
else
|
258
|
-
if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
259
|
-
attr_accessor :hostname
|
260
|
-
end
|
261
|
-
|
262
|
-
attr_reader :io, :context
|
263
|
-
attr_accessor :sync_close
|
264
|
-
alias :to_io :io
|
265
|
-
|
266
|
-
# call-seq:
|
267
|
-
# SSLSocket.new(io) => aSSLSocket
|
268
|
-
# SSLSocket.new(io, ctx) => aSSLSocket
|
269
|
-
#
|
270
|
-
# Creates a new SSL socket from +io+ which must be a real ruby object (not an
|
271
|
-
# IO-like object that responds to read/write).
|
272
|
-
#
|
273
|
-
# If +ctx+ is provided the SSL Sockets initial params will be taken from
|
274
|
-
# the context.
|
275
|
-
#
|
276
|
-
# The OpenSSL::Buffering module provides additional IO methods.
|
277
|
-
#
|
278
|
-
# This method will freeze the SSLContext if one is provided;
|
279
|
-
# however, session management is still allowed in the frozen SSLContext.
|
280
|
-
|
281
|
-
def initialize(io, context = OpenSSL::SSL::SSLContext.new)
|
282
|
-
@io = io
|
283
|
-
@context = context
|
284
|
-
@sync_close = false
|
285
|
-
@hostname = nil
|
286
|
-
@io.nonblock = true if @io.respond_to?(:nonblock=)
|
287
|
-
Rubinius.synchronize(SSL) do
|
288
|
-
context.setup
|
289
|
-
end
|
290
|
-
super()
|
291
|
-
end
|
247
|
+
if ExtConfig::HAVE_TLSEXT_HOST_NAME
|
248
|
+
attr_reader :hostname
|
292
249
|
end
|
293
250
|
|
251
|
+
# The underlying IO object.
|
252
|
+
attr_reader :io
|
253
|
+
alias :to_io :io
|
254
|
+
|
255
|
+
# The SSLContext object used in this connection.
|
256
|
+
attr_reader :context
|
257
|
+
|
258
|
+
# Whether to close the underlying socket as well, when the SSL/TLS
|
259
|
+
# connection is shut down. This defaults to +false+.
|
260
|
+
attr_accessor :sync_close
|
261
|
+
|
294
262
|
# call-seq:
|
295
263
|
# ssl.sysclose => nil
|
296
264
|
#
|
@@ -304,8 +272,10 @@ module OpenSSL
|
|
304
272
|
io.close if sync_close
|
305
273
|
end
|
306
274
|
|
307
|
-
|
308
|
-
#
|
275
|
+
# call-seq:
|
276
|
+
# ssl.post_connection_check(hostname) -> true
|
277
|
+
#
|
278
|
+
# Perform hostname verification following RFC 6125.
|
309
279
|
#
|
310
280
|
# This method MUST be called after calling #connect to ensure that the
|
311
281
|
# hostname of a remote peer has been verified.
|
@@ -313,7 +283,8 @@ module OpenSSL
|
|
313
283
|
if peer_cert.nil?
|
314
284
|
msg = "Peer verification enabled, but no certificate received."
|
315
285
|
if using_anon_cipher?
|
316
|
-
msg += " Anonymous cipher suite #{cipher[0]} was negotiated.
|
286
|
+
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
|
287
|
+
"Anonymous suites must be disabled to use peer verification."
|
317
288
|
end
|
318
289
|
raise SSLError, msg
|
319
290
|
end
|
@@ -324,6 +295,11 @@ module OpenSSL
|
|
324
295
|
return true
|
325
296
|
end
|
326
297
|
|
298
|
+
# call-seq:
|
299
|
+
# ssl.session -> aSession
|
300
|
+
#
|
301
|
+
# Returns the SSLSession object currently used, or nil if the session is
|
302
|
+
# not established.
|
327
303
|
def session
|
328
304
|
SSL::Session.new(self)
|
329
305
|
rescue SSL::Session::SessionError
|