rubysl-openssl 2.2.1 → 2.3.0

data/ext/rubysl/openssl/ossl_x509req.c

@@ -1,5 +1,5 @@
 /*
- * $Id$
+ * $Id: ossl_x509req.c 48815 2014-12-12 23:59:28Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -14,10 +14,10 @@
     if (!(req)) { \
 	ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \
     } \
-    (obj) = Data_Wrap_Struct((klass), 0, X509_REQ_free, (req)); \
+    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509req_type, (req)); \
 } while (0)
 #define GetX509Req(obj, req) do { \
-    Data_Get_Struct((obj), X509_REQ, (req)); \
+    TypedData_Get_Struct((obj), X509_REQ, &ossl_x509req_type, (req)); \
     if (!(req)) { \
 	ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \
     } \
@@ -33,6 +33,20 @@
 VALUE cX509Req;
 VALUE eX509ReqError;
 
+static void
+ossl_x509req_free(void *ptr)
+{
+    X509_REQ_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509req_type = {
+    "OpenSSL/X509/REQ",
+    {
+	0, ossl_x509req_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
  * Public functions
  */
@@ -438,7 +452,7 @@ ossl_x509req_add_attribute(VALUE self, VALUE attr)
  * X509_REQUEST init
  */
 void
-Init_ossl_x509req()
+Init_ossl_x509req(void)
 {
     eX509ReqError = rb_define_class_under(mX509, "RequestError", eOSSLError);
 

data/ext/rubysl/openssl/ossl_x509revoked.c

@@ -1,5 +1,5 @@
 /*
- * $Id$
+ * $Id: ossl_x509revoked.c 48816 2014-12-12 23:59:36Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -14,10 +14,10 @@
     if (!(rev)) { \
 	ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \
     } \
-    (obj) = Data_Wrap_Struct((klass), 0, X509_REVOKED_free, (rev)); \
+    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509rev_type, (rev)); \
 } while (0)
 #define GetX509Rev(obj, rev) do { \
-    Data_Get_Struct((obj), X509_REVOKED, (rev)); \
+    TypedData_Get_Struct((obj), X509_REVOKED, &ossl_x509rev_type, (rev)); \
     if (!(rev)) { \
 	ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \
     } \
@@ -33,6 +33,20 @@
 VALUE cX509Rev;
 VALUE eX509RevError;
 
+static void
+ossl_x509rev_free(void *ptr)
+{
+    X509_REVOKED_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509rev_type = {
+    "OpenSSL/X509/REV",
+    {
+	0, ossl_x509rev_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
  * PUBLIC
  */
@@ -209,7 +223,7 @@ ossl_x509revoked_add_extension(VALUE self, VALUE ext)
  * INIT
  */
 void
-Init_ossl_x509revoked()
+Init_ossl_x509revoked(void)
 {
     eX509RevError = rb_define_class_under(mX509, "RevokedError", eOSSLError);
 

data/ext/rubysl/openssl/ossl_x509store.c

@@ -1,5 +1,5 @@
 /*
- * $Id$
+ * $Id: ossl_x509store.c 48818 2014-12-13 00:06:54Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -14,10 +14,10 @@
     if (!(st)) { \
 	ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
     } \
-    (obj) = Data_Wrap_Struct((klass), 0, X509_STORE_free, (st)); \
+    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509store_type, (st)); \
 } while (0)
 #define GetX509Store(obj, st) do { \
-    Data_Get_Struct((obj), X509_STORE, (st)); \
+    TypedData_Get_Struct((obj), X509_STORE, &ossl_x509store_type, (st)); \
     if (!(st)) { \
 	ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
     } \
@@ -31,10 +31,10 @@
     if (!(ctx)) { \
 	ossl_raise(rb_eRuntimeError, "STORE_CTX wasn't initialized!"); \
     } \
-    (obj) = Data_Wrap_Struct((klass), 0, ossl_x509stctx_free, (ctx)); \
+    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, (ctx)); \
 } while (0)
 #define GetX509StCtx(obj, ctx) do { \
-    Data_Get_Struct((obj), X509_STORE_CTX, (ctx)); \
+    TypedData_Get_Struct((obj), X509_STORE_CTX, &ossl_x509stctx_type, (ctx)); \
     if (!(ctx)) { \
 	ossl_raise(rb_eRuntimeError, "STORE_CTX is out of scope!"); \
     } \
@@ -51,6 +51,20 @@ VALUE cX509Store;
 VALUE cX509StoreContext;
 VALUE eX509StoreError;
 
+static void
+ossl_x509store_free(void *ptr)
+{
+    X509_STORE_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509store_type = {
+    "OpenSSL/X509/STORE",
+    {
+	0, ossl_x509store_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 /*
  * Public functions
  */
@@ -342,7 +356,17 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
 /*
  * Public Functions
  */
-static void ossl_x509stctx_free(X509_STORE_CTX*);
+static void ossl_x509stctx_free(void*);
+
+
+static const rb_data_type_t ossl_x509stctx_type = {
+    "OpenSSL/X509/STORE_CTX",
+    {
+	0, ossl_x509stctx_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
 
 VALUE
 ossl_x509stctx_new(X509_STORE_CTX *ctx)
@@ -367,8 +391,9 @@ ossl_x509stctx_clear_ptr(VALUE obj)
  * Private functions
  */
 static void
-ossl_x509stctx_free(X509_STORE_CTX *ctx)
+ossl_x509stctx_free(void *ptr)
 {
+    X509_STORE_CTX *ctx = ptr;
     if(ctx->untrusted)
 	sk_X509_pop_free(ctx->untrusted, X509_free);
     if(ctx->cert)
@@ -593,7 +618,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
  * INIT
  */
 void
-Init_ossl_x509store()
+Init_ossl_x509store(void)
 {
     VALUE x509stctx;
 

data/ext/rubysl/openssl/ruby_missing.h

@@ -1,5 +1,5 @@
 /*
- * $Id$
+ * $Id: ruby_missing.h 33843 2011-11-26 01:49:36Z emboss $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2003  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.

data/lib/openssl/bn.rb

@@ -14,13 +14,20 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: bn.rb 47647 2014-09-20 01:17:05Z akr $
 #
 #++
 
 module OpenSSL
   class BN
     include Comparable
+
+    def pretty_print(q)
+      q.object_group(self) {
+        q.text ' '
+        q.text to_i.to_s
+      }
+    end
   end # BN
 end # OpenSSL
 

data/lib/openssl/buffering.rb

@@ -12,7 +12,7 @@
 #  (See the file 'LICENCE'.)
 #
 #= Version
-#  $Id$
+#  $Id: buffering.rb 43964 2013-12-03 01:44:41Z drbrain $
 #++
 
 ##

data/lib/openssl/cipher.rb

@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: cipher.rb 36895 2012-09-04 00:57:31Z nobu $
 #
 #++
 

data/lib/openssl/digest.rb

@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: digest.rb 44116 2013-12-10 07:16:03Z nobu $
 #
 #++
 

data/lib/openssl/ssl.rb

@@ -11,7 +11,7 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id$
+  $Id: ssl.rb 50293 2015-04-13 13:13:01Z nagachika $
 =end
 
 require "openssl/buffering"
@@ -143,8 +143,7 @@ module OpenSSL
           case san.tag
           when 2 # dNSName in GeneralName (RFC5280)
             should_verify_common_name = false
-            reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
-            return true if /\A#{reg}\z/i =~ hostname
+            return true if verify_hostname(hostname, san.value)
           when 7 # iPAddress in GeneralName (RFC5280)
             should_verify_common_name = false
             # follows GENERAL_NAME_print() in x509v3/v3_alt.c
@@ -159,8 +158,7 @@ module OpenSSL
       if should_verify_common_name
         cert.subject.to_a.each{|oid, value|
           if oid == "CN"
-            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
-            return true if /\A#{reg}\z/i =~ hostname
+            return true if verify_hostname(hostname, value)
           end
         }
       end
@@ -168,11 +166,67 @@ module OpenSSL
     end
     module_function :verify_certificate_identity
 
+    def verify_hostname(hostname, san) # :nodoc:
+      # RFC 5280, IA5String is limited to the set of ASCII characters
+      return false unless san.ascii_only?
+      return false unless hostname.ascii_only?
+
+      # See RFC 6125, section 6.4.1
+      # Matching is case-insensitive.
+      san_parts = san.downcase.split(".")
+
+      # TODO: this behavior should probably be more strict
+      return san == hostname if san_parts.size < 2
+
+      # Matching is case-insensitive.
+      host_parts = hostname.downcase.split(".")
+
+      # RFC 6125, section 6.4.3, subitem 2.
+      # If the wildcard character is the only character of the left-most
+      # label in the presented identifier, the client SHOULD NOT compare
+      # against anything but the left-most label of the reference
+      # identifier (e.g., *.example.com would match foo.example.com but
+      # not bar.foo.example.com or example.com).
+      return false unless san_parts.size == host_parts.size
+
+      # RFC 6125, section 6.4.3, subitem 1.
+      # The client SHOULD NOT attempt to match a presented identifier in
+      # which the wildcard character comprises a label other than the
+      # left-most label (e.g., do not match bar.*.example.net).
+      return false unless verify_wildcard(host_parts.shift, san_parts.shift)
+
+      san_parts.join(".") == host_parts.join(".")
+    end
+    module_function :verify_hostname
+
+    def verify_wildcard(domain_component, san_component) # :nodoc:
+      parts = san_component.split("*", -1)
+
+      return false if parts.size > 2
+      return san_component == domain_component if parts.size == 1
+
+      # RFC 6125, section 6.4.3, subitem 3.
+      # The client SHOULD NOT attempt to match a presented identifier
+      # where the wildcard character is embedded within an A-label or
+      # U-label of an internationalized domain name.
+      return false if domain_component.start_with?("xn--") && san_component != "*"
+
+      parts[0].length + parts[1].length < domain_component.length &&
+      domain_component.start_with?(parts[0]) &&
+      domain_component.end_with?(parts[1])
+    end
+    module_function :verify_wildcard
+
     class SSLSocket
       include Buffering
       include SocketForwarder
       include Nonblock
 
+      ##
+      # Perform hostname verification after an SSL connection is established
+      #
+      # This method MUST be called after calling #connect to ensure that the
+      # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
@@ -235,8 +289,12 @@ module OpenSSL
           ssl.sync_close = true
           ssl.accept if @start_immediately
           ssl
-        rescue SSLError => ex
-          sock.close
+        rescue Exception => ex
+          if ssl
+            ssl.close
+          else
+            sock.close
+          end
           raise ex
         end
       end

data/lib/openssl/x509.rb

@@ -14,7 +14,7 @@
 # (See the file 'LICENCE'.)
 #
 # = Version
-# $Id$
+# $Id: x509.rb 48521 2014-11-20 15:39:03Z usa $
 #
 #++
 
@@ -70,7 +70,7 @@ module OpenSSL
         HexPair = /#{HexChar}#{HexChar}/
         HexString = /#{HexPair}+/
         Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/
-        StringChar = /[^#{Special}\\"]/
+        StringChar = /[^\\"#{Special}]/
         QuoteChar = /[^\\"]/
         AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/
         AttributeValue = /
@@ -151,6 +151,13 @@ module OpenSSL
 
         alias parse parse_openssl
       end
+
+      def pretty_print(q)
+        q.object_group(self) {
+          q.text ' '
+          q.text to_s(OpenSSL::X509::Name::RFC2253)
+        }
+      end
     end
 
     class StoreContext
@@ -158,5 +165,18 @@ module OpenSSL
         warn "(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement" if $VERBOSE
       end
     end
+
+    class Certificate
+      def pretty_print(q)
+        q.object_group(self) {
+          q.breakable
+          q.text 'subject='; q.pp self.subject; q.text ','; q.breakable
+          q.text 'issuer='; q.pp self.issuer; q.text ','; q.breakable
+          q.text 'serial='; q.pp self.serial; q.text ','; q.breakable
+          q.text 'not_before='; q.pp self.not_before; q.text ','; q.breakable
+          q.text 'not_after='; q.pp self.not_after
+        }
+      end
+    end
   end
 end

data/lib/rubysl/openssl.rb

@@ -11,7 +11,7 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id$
+  $Id: openssl.rb 32664 2011-07-25 06:30:07Z nahi $
 =end
 
 require 'digest'

data/lib/rubysl/openssl/version.rb

@@ -1,5 +1,5 @@
 module RubySL
   module OpenSSL
-    VERSION = "2.2.1"
+    VERSION = "2.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubysl-openssl
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.3.0
 platform: ruby
 authors:
 - Brian Shirai
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-29 00:00:00.000000000 Z
+date: 2015-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -78,6 +78,7 @@ files:
 - ".travis.yml"
 - Gemfile
 - LICENSE
+- MRI_LICENSE
 - README.md
 - Rakefile
 - ext/rubysl/openssl/.gitignore
@@ -176,7 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Ruby standard library OpenSSL.