rubysl-openssl 2.2.1 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. checksums.yaml +4 -4
  2. data/.travis.yml +4 -4
  3. data/MRI_LICENSE +56 -0
  4. data/ext/rubysl/openssl/openssl_missing.c +1 -1
  5. data/ext/rubysl/openssl/openssl_missing.h +1 -1
  6. data/ext/rubysl/openssl/ossl.c +17 -16
  7. data/ext/rubysl/openssl/ossl.h +7 -7
  8. data/ext/rubysl/openssl/ossl_asn1.c +5 -5
  9. data/ext/rubysl/openssl/ossl_asn1.h +1 -1
  10. data/ext/rubysl/openssl/ossl_bio.c +2 -2
  11. data/ext/rubysl/openssl/ossl_bio.h +1 -1
  12. data/ext/rubysl/openssl/ossl_bn.c +37 -13
  13. data/ext/rubysl/openssl/ossl_bn.h +1 -1
  14. data/ext/rubysl/openssl/ossl_cipher.c +64 -17
  15. data/ext/rubysl/openssl/ossl_cipher.h +1 -1
  16. data/ext/rubysl/openssl/ossl_config.c +3 -3
  17. data/ext/rubysl/openssl/ossl_config.h +1 -1
  18. data/ext/rubysl/openssl/ossl_digest.c +19 -7
  19. data/ext/rubysl/openssl/ossl_digest.h +1 -1
  20. data/ext/rubysl/openssl/ossl_engine.c +24 -17
  21. data/ext/rubysl/openssl/ossl_engine.h +1 -1
  22. data/ext/rubysl/openssl/ossl_hmac.c +15 -7
  23. data/ext/rubysl/openssl/ossl_hmac.h +1 -1
  24. data/ext/rubysl/openssl/ossl_ns_spki.c +19 -4
  25. data/ext/rubysl/openssl/ossl_ns_spki.h +1 -1
  26. data/ext/rubysl/openssl/ossl_ocsp.c +518 -60
  27. data/ext/rubysl/openssl/ossl_ocsp.h +1 -1
  28. data/ext/rubysl/openssl/ossl_pkcs12.c +18 -4
  29. data/ext/rubysl/openssl/ossl_pkcs12.h +1 -1
  30. data/ext/rubysl/openssl/ossl_pkcs5.c +1 -1
  31. data/ext/rubysl/openssl/ossl_pkcs7.c +59 -15
  32. data/ext/rubysl/openssl/ossl_pkcs7.h +1 -1
  33. data/ext/rubysl/openssl/ossl_pkey.c +16 -2
  34. data/ext/rubysl/openssl/ossl_pkey.h +4 -3
  35. data/ext/rubysl/openssl/ossl_pkey_dh.c +3 -3
  36. data/ext/rubysl/openssl/ossl_pkey_dsa.c +3 -3
  37. data/ext/rubysl/openssl/ossl_pkey_ec.c +32 -12
  38. data/ext/rubysl/openssl/ossl_pkey_rsa.c +3 -3
  39. data/ext/rubysl/openssl/ossl_rand.c +58 -34
  40. data/ext/rubysl/openssl/ossl_rand.h +1 -1
  41. data/ext/rubysl/openssl/ossl_ssl.c +75 -46
  42. data/ext/rubysl/openssl/ossl_ssl.h +8 -2
  43. data/ext/rubysl/openssl/ossl_ssl_session.c +16 -15
  44. data/ext/rubysl/openssl/ossl_version.h +1 -1
  45. data/ext/rubysl/openssl/ossl_x509.c +2 -2
  46. data/ext/rubysl/openssl/ossl_x509.h +1 -1
  47. data/ext/rubysl/openssl/ossl_x509attr.c +18 -4
  48. data/ext/rubysl/openssl/ossl_x509cert.c +27 -33
  49. data/ext/rubysl/openssl/ossl_x509crl.c +18 -4
  50. data/ext/rubysl/openssl/ossl_x509ext.c +29 -7
  51. data/ext/rubysl/openssl/ossl_x509name.c +22 -7
  52. data/ext/rubysl/openssl/ossl_x509req.c +18 -4
  53. data/ext/rubysl/openssl/ossl_x509revoked.c +18 -4
  54. data/ext/rubysl/openssl/ossl_x509store.c +33 -8
  55. data/ext/rubysl/openssl/ruby_missing.h +1 -1
  56. data/lib/openssl/bn.rb +8 -1
  57. data/lib/openssl/buffering.rb +1 -1
  58. data/lib/openssl/cipher.rb +1 -1
  59. data/lib/openssl/digest.rb +1 -1
  60. data/lib/openssl/ssl.rb +65 -7
  61. data/lib/openssl/x509.rb +22 -2
  62. data/lib/rubysl/openssl.rb +1 -1
  63. data/lib/rubysl/openssl/version.rb +1 -1
  64. metadata +4 -3
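--- a/data/ext/rubysl/openssl/ossl_x509req.c
+++ b/data/ext/rubysl/openssl/ossl_x509req.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_x509req.c 48815 2014-12-12 23:59:28Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -14,10 +14,10 @@
 if (!(req)) { \
 ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \
 } \
-(obj) = Data_Wrap_Struct((klass), 0, X509_REQ_free, (req)); \
+(obj) = TypedData_Wrap_Struct((klass), &ossl_x509req_type, (req)); \
 } while (0)
 #define GetX509Req(obj, req) do { \
-Data_Get_Struct((obj), X509_REQ, (req)); \
+TypedData_Get_Struct((obj), X509_REQ, &ossl_x509req_type, (req)); \
 if (!(req)) { \
 ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \
 } \
@@ -33,6 +33,20 @@
 VALUE cX509Req;
 VALUE eX509ReqError;
 
+static void
+ossl_x509req_free(void *ptr)
+{
+X509_REQ_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509req_type = {
+"OpenSSL/X509/REQ",
+{
+0, ossl_x509req_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
 * Public functions
 */
@@ -438,7 +452,7 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
 * X509_REQUEST init
 */
 void
-Init_ossl_x509req()
+Init_ossl_x509req(void)
 {
 eX509ReqError = rb_define_class_under(mX509, "RequestError", eOSSLError);
 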
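Review bot: The `rb_data_type_t` initializer at lines 42-48 fills `parent`, `data` and `flags` positionally (`0, 0, RUBY_TYPED_FREE_IMMEDIATELY`) and leaves `dsize` unset, so a reader has to know the struct layout to tell which slot is which, and `ObjectSpace.memsize_of` presumably will not account for the wrapped `X509_REQ`. Designated initializers (`.wrap_struct_name = "OpenSSL/X509/REQ", .function = { .dfree = ossl_x509req_free }, .flags = RUBY_TYPED_FREE_IMMEDIATELY`) would make that explicit if the project's C dialect allows them; otherwise a `/* dmark, dfree, dsize */` comment on the inner brace does the job. `ossl_x509req_free` exists only to give `X509_REQ_free` the `void *` signature the type descriptor needs; a one-line comment saying so would stop it being read as extra cleanup. The same applies to `ossl_x509rev_type` in the ossl_x509revoked.c section and to `ossl_x509store_type` / `ossl_x509stctx_type` in the ossl_x509store.c section.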
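--- a/data/ext/rubysl/openssl/ossl_x509revoked.c
+++ b/data/ext/rubysl/openssl/ossl_x509revoked.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_x509revoked.c 48816 2014-12-12 23:59:36Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -14,10 +14,10 @@
 if (!(rev)) { \
 ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \
 } \
-(obj) = Data_Wrap_Struct((klass), 0, X509_REVOKED_free, (rev)); \
+(obj) = TypedData_Wrap_Struct((klass), &ossl_x509rev_type, (rev)); \
 } while (0)
 #define GetX509Rev(obj, rev) do { \
-Data_Get_Struct((obj), X509_REVOKED, (rev)); \
+TypedData_Get_Struct((obj), X509_REVOKED, &ossl_x509rev_type, (rev)); \
 if (!(rev)) { \
 ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \
 } \
@@ -33,6 +33,20 @@
 VALUE cX509Rev;
 VALUE eX509RevError;
 
+static void
+ossl_x509rev_free(void *ptr)
+{
+X509_REVOKED_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509rev_type = {
+"OpenSSL/X509/REV",
+{
+0, ossl_x509rev_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
 * PUBLIC
 */
@@ -209,7 +223,7 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
 * INIT
 */
 void
-Init_ossl_x509revoked()
+Init_ossl_x509revoked(void)
 {
 eX509RevError = rb_define_class_under(mX509, "RevokedError", eOSSLError);
 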
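--- a/data/ext/rubysl/openssl/ossl_x509store.c
+++ b/data/ext/rubysl/openssl/ossl_x509store.c
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ossl_x509store.c 48818 2014-12-13 00:06:54Z nobu $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.
@@ -14,10 +14,10 @@
 if (!(st)) { \
 ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
 } \
-(obj) = Data_Wrap_Struct((klass), 0, X509_STORE_free, (st)); \
+(obj) = TypedData_Wrap_Struct((klass), &ossl_x509store_type, (st)); \
 } while (0)
 #define GetX509Store(obj, st) do { \
-Data_Get_Struct((obj), X509_STORE, (st)); \
+TypedData_Get_Struct((obj), X509_STORE, &ossl_x509store_type, (st)); \
 if (!(st)) { \
 ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
 } \
@@ -31,10 +31,10 @@
 if (!(ctx)) { \
 ossl_raise(rb_eRuntimeError, "STORE_CTX wasn't initialized!"); \
 } \
-(obj) = Data_Wrap_Struct((klass), 0, ossl_x509stctx_free, (ctx)); \
+(obj) = TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, (ctx)); \
 } while (0)
 #define GetX509StCtx(obj, ctx) do { \
-Data_Get_Struct((obj), X509_STORE_CTX, (ctx)); \
+TypedData_Get_Struct((obj), X509_STORE_CTX, &ossl_x509stctx_type, (ctx)); \
 if (!(ctx)) { \
 ossl_raise(rb_eRuntimeError, "STORE_CTX is out of scope!"); \
 } \
@@ -51,6 +51,20 @@ VALUE cX509Store;
 VALUE cX509StoreContext;
 VALUE eX509StoreError;
 
+static void
+ossl_x509store_free(void *ptr)
+{
+X509_STORE_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509store_type = {
+"OpenSSL/X509/STORE",
+{
+0, ossl_x509store_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
 * Public functions
 */
@@ -342,7 +356,17 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
 /*
 * Public Functions
 */
-static void ossl_x509stctx_free(X509_STORE_CTX*);
+static void ossl_x509stctx_free(void*);
+
+
+static const rb_data_type_t ossl_x509stctx_type = {
+"OpenSSL/X509/STORE_CTX",
+{
+0, ossl_x509stctx_free,
+},
+0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 
 VALUE
 ossl_x509stctx_new(X509_STORE_CTX *ctx)
@@ -367,8 +391,9 @@ ossl_x509stctx_clear_ptr(VALUE obj)
 * Private functions
 */
 static void
-ossl_x509stctx_free(X509_STORE_CTX *ctx)
+ossl_x509stctx_free(void *ptr)
 {
+X509_STORE_CTX *ctx = ptr;
 if(ctx->untrusted)
 sk_X509_pop_free(ctx->untrusted, X509_free);
 if(ctx->cert)
@@ -593,7 +618,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
 * INIT
 */
 void
-Init_ossl_x509store()
+Init_ossl_x509store(void)
 {
 VALUE x509stctx;
 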
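Review bot: `ossl_x509stctx_free` now takes `void *` and immediately dereferences the recovered `X509_STORE_CTX` (`ctx->untrusted`, `ctx->cert` at lines 397-399), so the free path reaches into struct internals rather than going through accessors; that predates this hunk, but the cast makes the dependency explicit and presumably breaks once the library makes `X509_STORE_CTX` opaque, so a comment recording the assumption — or `X509_STORE_CTX_get0_untrusted()` / `X509_STORE_CTX_get0_cert()` where the target OpenSSL provides them — would help. The enclosing function continues outside the hunk. Style: `ossl_x509store_type` is defined next to its macros at the top of the file, while `ossl_x509stctx_type` is defined at line 362 after a separate forward declaration of its dfree, even though both descriptors are referenced by macros declared at lines 14-40; placing both in the file header block would keep the pattern identical to the ossl_x509req.c and ossl_x509revoked.c sections of this release.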
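--- a/data/ext/rubysl/openssl/ruby_missing.h
+++ b/data/ext/rubysl/openssl/ruby_missing.h
@@ -1,5 +1,5 @@
 /*
-* $Id$
+* $Id: ruby_missing.h 33843 2011-11-26 01:49:36Z emboss $
 * 'OpenSSL for Ruby' project
 * Copyright (C) 2001-2003 Michal Rokos <m.rokos@sh.cvut.cz>
 * All rights reserved.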
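--- a/data/lib/openssl/bn.rb
+++ b/data/lib/openssl/bn.rb
@@ -14,13 +14,20 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: bn.rb 47647 2014-09-20 01:17:05Z akr $
 #
 #++
 
 module OpenSSL
 class BN
 include Comparable
+
+def pretty_print(q)
+q.object_group(self) {
+q.text ' '
+q.text to_i.to_s
+}
+end
 end # BN
 end # OpenSSL
 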
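--- a/data/lib/openssl/buffering.rb
+++ b/data/lib/openssl/buffering.rb
@@ -12,7 +12,7 @@
 # (See the file 'LICENCE'.)
 #
 #= Version
-# $Id$
+# $Id: buffering.rb 43964 2013-12-03 01:44:41Z drbrain $
 #++
 
 ##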
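--- a/data/lib/openssl/cipher.rb
+++ b/data/lib/openssl/cipher.rb
@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: cipher.rb 36895 2012-09-04 00:57:31Z nobu $
 #
 #++
 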
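--- a/data/lib/openssl/digest.rb
+++ b/data/lib/openssl/digest.rb
@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: digest.rb 44116 2013-12-10 07:16:03Z nobu $
 #
 #++
 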
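--- a/data/lib/openssl/ssl.rb
+++ b/data/lib/openssl/ssl.rb
@@ -11,7 +11,7 @@
 (See the file 'LICENCE'.)
 
 = Version
-$Id$
+$Id: ssl.rb 50293 2015-04-13 13:13:01Z nagachika $
 =end
 
 require "openssl/buffering"
@@ -143,8 +143,7 @@ module OpenSSL
 case san.tag
 when 2 # dNSName in GeneralName (RFC5280)
 should_verify_common_name = false
-reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
-return true if /\A#{reg}\z/i =~ hostname
+return true if verify_hostname(hostname, san.value)
 when 7 # iPAddress in GeneralName (RFC5280)
 should_verify_common_name = false
 # follows GENERAL_NAME_print() in x509v3/v3_alt.c
@@ -159,8 +158,7 @@ module OpenSSL
 if should_verify_common_name
 cert.subject.to_a.each{|oid, value|
 if oid == "CN"
-reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
-return true if /\A#{reg}\z/i =~ hostname
+return true if verify_hostname(hostname, value)
 end
 }
 end
@@ -168,11 +166,67 @@ module OpenSSL
 end
 module_function :verify_certificate_identity
 
+def verify_hostname(hostname, san) # :nodoc:
+# RFC 5280, IA5String is limited to the set of ASCII characters
+return false unless san.ascii_only?
+return false unless hostname.ascii_only?
+
+# See RFC 6125, section 6.4.1
+# Matching is case-insensitive.
+san_parts = san.downcase.split(".")
+
+# TODO: this behavior should probably be more strict
+return san == hostname if san_parts.size < 2
+
+# Matching is case-insensitive.
+host_parts = hostname.downcase.split(".")
+
+# RFC 6125, section 6.4.3, subitem 2.
+# If the wildcard character is the only character of the left-most
+# label in the presented identifier, the client SHOULD NOT compare
+# against anything but the left-most label of the reference
+# identifier (e.g., *.example.com would match foo.example.com but
+# not bar.foo.example.com or example.com).
+return false unless san_parts.size == host_parts.size
+
+# RFC 6125, section 6.4.3, subitem 1.
+# The client SHOULD NOT attempt to match a presented identifier in
+# which the wildcard character comprises a label other than the
+# left-most label (e.g., do not match bar.*.example.net).
+return false unless verify_wildcard(host_parts.shift, san_parts.shift)
+
+san_parts.join(".") == host_parts.join(".")
+end
+module_function :verify_hostname
+
+def verify_wildcard(domain_component, san_component) # :nodoc:
+parts = san_component.split("*", -1)
+
+return false if parts.size > 2
+return san_component == domain_component if parts.size == 1
+
+# RFC 6125, section 6.4.3, subitem 3.
+# The client SHOULD NOT attempt to match a presented identifier
+# where the wildcard character is embedded within an A-label or
+# U-label of an internationalized domain name.
+return false if domain_component.start_with?("xn--") && san_component != "*"
+
+parts[0].length + parts[1].length < domain_component.length &&
+domain_component.start_with?(parts[0]) &&
+domain_component.end_with?(parts[1])
+end
+module_function :verify_wildcard
+
 class SSLSocket
 include Buffering
 include SocketForwarder
 include Nonblock
 
+##
+# Perform hostname verification after an SSL connection is established
+#
+# This method MUST be called after calling #connect to ensure that the
+# hostname of a remote peer has been verified.
 def post_connection_check(hostname)
 unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
 raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
@@ -235,8 +289,12 @@ module OpenSSL
 ssl.sync_close = true
 ssl.accept if @start_immediately
 ssl
-rescue SSLError => ex
-sock.close
+rescue Exception => ex
+if ssl
+ssl.close
+else
+sock.close
+end
 raise ex
 end
 end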
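Review bot: In `verify_hostname` the single-label fallback `return san == hostname if san_parts.size < 2` compares the original strings and is therefore case-sensitive, while the comment just above it and the multi-label path (`san.downcase`, `hostname.downcase`) are case-insensitive; `return san.downcase == hostname.downcase if san_parts.size < 2` would match the RFC 6125 rule the comments cite, unless the stricter behaviour hinted at by the TODO is intended, in which case the comment should say so. Separately, `split(".")` drops a trailing empty label, so a reference identifier such as `example.com.` matches a presented identifier `example.com`; if that is acceptable, a one-line comment saying so saves the next reader a check. Both new methods are `:nodoc:` module functions; a short comment on `verify_wildcard` stating that it accepts at most one `*`, only in the label it is given, and that the wildcard must match at least one character, would document the contract for the `verify_hostname` caller.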
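--- a/data/lib/openssl/x509.rb
+++ b/data/lib/openssl/x509.rb
@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: x509.rb 48521 2014-11-20 15:39:03Z usa $
 #
 #++
 
@@ -70,7 +70,7 @@ module OpenSSL
 HexPair = /#{HexChar}#{HexChar}/
 HexString = /#{HexPair}+/
 Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
-StringChar = /[^#{Special}\\"]/
+StringChar = /[^\\"#{Special}]/
 QuoteChar = /[^\\"]/
 AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
 AttributeValue = /
@@ -151,6 +151,13 @@ module OpenSSL
 
 alias parse parse_openssl
 end
+
+def pretty_print(q)
+q.object_group(self) {
+q.text ' '
+q.text to_s(OpenSSL::X509::Name::RFC2253)
+}
+end
 end
 
 class StoreContext
@@ -158,5 +165,18 @@ module OpenSSL
 warn "(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement" if $VERBOSE
 end
 end
+
+class Certificate
+def pretty_print(q)
+q.object_group(self) {
+q.breakable
+q.text 'subject='; q.pp self.subject; q.text ','; q.breakable
+q.text 'issuer='; q.pp self.issuer; q.text ','; q.breakable
+q.text 'serial='; q.pp self.serial; q.text ','; q.breakable
+q.text 'not_before='; q.pp self.not_before; q.text ','; q.breakable
+q.text 'not_after='; q.pp self.not_after
+}
+end
+end
 end
 end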
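--- a/data/lib/rubysl/openssl.rb
+++ b/data/lib/rubysl/openssl.rb
@@ -11,7 +11,7 @@
 (See the file 'LICENCE'.)
 
 = Version
-$Id$
+$Id: openssl.rb 32664 2011-07-25 06:30:07Z nahi $
 =end
 
 require 'digest'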
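--- a/data/lib/rubysl/openssl/version.rb
+++ b/data/lib/rubysl/openssl/version.rb
@@ -1,5 +1,5 @@
 module RubySL
 module OpenSSL
-VERSION = "2.2.1"
+VERSION = "2.3.0"
 end
 end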
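--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubysl-openssl
 version: !ruby/object:Gem::Version
-version: 2.2.1
+version: 2.3.0
 platform: ruby
 authors:
 - Brian Shirai
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-10-29 00:00:00.000000000 Z
+date: 2015-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -78,6 +78,7 @@ files:
 - ".travis.yml"
 - Gemfile
 - LICENSE
+- MRI_LICENSE
 - README.md
 - Rakefile
 - ext/rubysl/openssl/.gitignore
@@ -176,7 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Ruby standard library OpenSSL.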