rubysl-openssl 2.4.0 → 2.5.0

data/ext/rubysl/openssl/ossl_x509req.c

@@ -1,20 +1,21 @@
 /*
- * $Id: ossl_x509req.c 48815 2014-12-12 23:59:28Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
  */
 /*
- * This program is licenced under the same licence as Ruby.
+ * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
 #include "ossl.h"
 
-#define WrapX509Req(klass, obj, req) do { \
+#define NewX509Req(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_x509req_type, 0)
+#define SetX509Req(obj, req) do { \
     if (!(req)) { \
 	ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \
     } \
-    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509req_type, (req)); \
+    RTYPEDDATA_DATA(obj) = (req); \
 } while (0)
 #define GetX509Req(obj, req) do { \
     TypedData_Get_Struct((obj), X509_REQ, &ossl_x509req_type, (req)); \
@@ -56,6 +57,7 @@ ossl_x509req_new(X509_REQ *req)
     X509_REQ *new;
     VALUE obj;
 
+    obj = NewX509Req(cX509Req);
     if (!req) {
 	new = X509_REQ_new();
     } else {
@@ -64,7 +66,7 @@ ossl_x509req_new(X509_REQ *req)
     if (!new) {
 	ossl_raise(eX509ReqError, NULL);
     }
-    WrapX509Req(cX509Req, obj, new);
+    SetX509Req(obj, new);
 
     return obj;
 }
@@ -101,10 +103,11 @@ ossl_x509req_alloc(VALUE klass)
     X509_REQ *req;
     VALUE obj;
 
+    obj = NewX509Req(klass);
     if (!(req = X509_REQ_new())) {
 	ossl_raise(eX509ReqError, NULL);
     }
-    WrapX509Req(klass, obj, req);
+    SetX509Req(obj, req);
 
     return obj;
 }
@@ -415,18 +418,18 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
 {
     X509_REQ *req;
     X509_ATTRIBUTE *attr;
-    int i;
+    long i;
     VALUE item;
 
     Check_Type(ary, T_ARRAY);
     for (i=0;i<RARRAY_LEN(ary); i++) {
-	OSSL_Check_Kind(RARRAY_PTR(ary)[i], cX509Attr);
+	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
     }
     GetX509Req(self, req);
     sk_X509_ATTRIBUTE_pop_free(req->req_info->attributes, X509_ATTRIBUTE_free);
     req->req_info->attributes = NULL;
     for (i=0;i<RARRAY_LEN(ary); i++) {
-	item = RARRAY_PTR(ary)[i];
+	item = RARRAY_AREF(ary, i);
 	attr = DupX509AttrPtr(item);
 	if (!X509_REQ_add1_attr(req, attr)) {
 	    ossl_raise(eX509ReqError, NULL);
@@ -479,4 +482,3 @@ Init_ossl_x509req(void)
     rb_define_method(cX509Req, "attributes=", ossl_x509req_set_attributes, 1);
     rb_define_method(cX509Req, "add_attribute", ossl_x509req_add_attribute, 1);
 }
-

data/ext/rubysl/openssl/ossl_x509revoked.c

@@ -1,20 +1,21 @@
 /*
- * $Id: ossl_x509revoked.c 48816 2014-12-12 23:59:36Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
  */
 /*
- * This program is licenced under the same licence as Ruby.
+ * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
 #include "ossl.h"
 
-#define WrapX509Rev(klass, obj, rev) do { \
+#define NewX509Rev(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_x509rev_type, 0)
+#define SetX509Rev(obj, rev) do { \
     if (!(rev)) { \
 	ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \
     } \
-    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509rev_type, (rev)); \
+    RTYPEDDATA_DATA(obj) = (rev); \
 } while (0)
 #define GetX509Rev(obj, rev) do { \
     TypedData_Get_Struct((obj), X509_REVOKED, &ossl_x509rev_type, (rev)); \
@@ -56,6 +57,7 @@ ossl_x509revoked_new(X509_REVOKED *rev)
     X509_REVOKED *new;
     VALUE obj;
 
+    obj = NewX509Rev(cX509Rev);
     if (!rev) {
 	new = X509_REVOKED_new();
     } else {
@@ -64,7 +66,7 @@ ossl_x509revoked_new(X509_REVOKED *rev)
     if (!new) {
 	ossl_raise(eX509RevError, NULL);
     }
-    WrapX509Rev(cX509Rev, obj, new);
+    SetX509Rev(obj, new);
 
     return obj;
 }
@@ -91,10 +93,11 @@ ossl_x509revoked_alloc(VALUE klass)
     X509_REVOKED *rev;
     VALUE obj;
 
+    obj = NewX509Rev(klass);
     if (!(rev = X509_REVOKED_new())) {
 	ossl_raise(eX509RevError, NULL);
     }
-    WrapX509Rev(klass, obj, rev);
+    SetX509Rev(obj, rev);
 
     return obj;
 }
@@ -185,18 +188,18 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
 {
     X509_REVOKED *rev;
     X509_EXTENSION *ext;
-    int i;
+    long i;
     VALUE item;
 
     Check_Type(ary, T_ARRAY);
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	OSSL_Check_Kind(RARRAY_PTR(ary)[i], cX509Ext);
+	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509Rev(self, rev);
     sk_X509_EXTENSION_pop_free(rev->extensions, X509_EXTENSION_free);
     rev->extensions = NULL;
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	item = RARRAY_PTR(ary)[i];
+	item = RARRAY_AREF(ary, i);
 	ext = DupX509ExtPtr(item);
 	if(!X509_REVOKED_add_ext(rev, ext, -1)) {
 	    ossl_raise(eX509RevError, NULL);
@@ -240,4 +243,3 @@ Init_ossl_x509revoked(void)
     rb_define_method(cX509Rev, "extensions=", ossl_x509revoked_set_extensions, 1);
     rb_define_method(cX509Rev, "add_extension", ossl_x509revoked_add_extension, 1);
 }
-

data/ext/rubysl/openssl/ossl_x509store.c

@@ -1,20 +1,21 @@
 /*
- * $Id: ossl_x509store.c 48818 2014-12-13 00:06:54Z nobu $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
  */
 /*
- * This program is licenced under the same licence as Ruby.
+ * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
 #include "ossl.h"
 
-#define WrapX509Store(klass, obj, st) do { \
+#define NewX509Store(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_x509store_type, 0)
+#define SetX509Store(obj, st) do { \
     if (!(st)) { \
 	ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \
     } \
-    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509store_type, (st)); \
+    RTYPEDDATA_DATA(obj) = (st); \
 } while (0)
 #define GetX509Store(obj, st) do { \
     TypedData_Get_Struct((obj), X509_STORE, &ossl_x509store_type, (st)); \
@@ -27,11 +28,13 @@
     GetX509Store((obj), (st)); \
 } while (0)
 
-#define WrapX509StCtx(klass, obj, ctx) do { \
+#define NewX509StCtx(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, 0)
+#define SetX509StCtx(obj, ctx) do { \
     if (!(ctx)) { \
 	ossl_raise(rb_eRuntimeError, "STORE_CTX wasn't initialized!"); \
     } \
-    (obj) = TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, (ctx)); \
+    RTYPEDDATA_DATA(obj) = (ctx); \
 } while (0)
 #define GetX509StCtx(obj, ctx) do { \
     TypedData_Get_Struct((obj), X509_STORE_CTX, &ossl_x509stctx_type, (ctx)); \
@@ -73,7 +76,8 @@ ossl_x509store_new(X509_STORE *store)
 {
     VALUE obj;
 
-    WrapX509Store(cX509Store, obj, store);
+    obj = NewX509Store(cX509Store);
+    SetX509Store(obj, store);
 
     return obj;
 }
@@ -108,10 +112,11 @@ ossl_x509store_alloc(VALUE klass)
     X509_STORE *store;
     VALUE obj;
 
+    obj = NewX509Store(klass);
     if((store = X509_STORE_new()) == NULL){
         ossl_raise(eX509StoreError, NULL);
     }
-    WrapX509Store(klass, obj, store);
+    SetX509Store(obj, store);
 
     return obj;
 }
@@ -373,7 +378,8 @@ ossl_x509stctx_new(X509_STORE_CTX *ctx)
 {
     VALUE obj;
 
-    WrapX509StCtx(cX509StoreContext, obj, ctx);
+    obj = NewX509StCtx(cX509StoreContext);
+    SetX509StCtx(obj, ctx);
 
     return obj;
 }
@@ -407,10 +413,11 @@ ossl_x509stctx_alloc(VALUE klass)
     X509_STORE_CTX *ctx;
     VALUE obj;
 
+    obj = NewX509StCtx(klass);
     if((ctx = X509_STORE_CTX_new()) == NULL){
         ossl_raise(eX509StoreError, NULL);
     }
-    WrapX509StCtx(klass, obj, ctx);
+    SetX509StCtx(obj, ctx);
 
     return obj;
 }

data/ext/rubysl/openssl/ruby_missing.h

@@ -1,11 +1,10 @@
 /*
- * $Id: ruby_missing.h 33843 2011-11-26 01:49:36Z emboss $
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2003  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
  */
 /*
- * This program is licenced under the same licence as Ruby.
+ * This program is licensed under the same licence as Ruby.
  * (See the file 'LICENCE'.)
  */
 #if !defined(_OSSL_RUBY_MISSING_H_)

data/lib/openssl/bn.rb

@@ -1,7 +1,6 @@
+# frozen_string_literal: false
 #--
 #
-# $RCSfile$
-#
 # = Ruby-space definitions that completes C-space funcs for BN
 #
 # = Info
@@ -10,12 +9,8 @@
 # All rights reserved.
 #
 # = Licence
-# This program is licenced under the same licence as Ruby.
+# This program is licensed under the same licence as Ruby.
 # (See the file 'LICENCE'.)
-#
-# = Version
-# $Id: bn.rb 47647 2014-09-20 01:17:05Z akr $
-#
 #++
 
 module OpenSSL
@@ -42,4 +37,3 @@ class Integer
     OpenSSL::BN::new(self)
   end
 end # Integer
-

data/lib/openssl/buffering.rb

@@ -1,18 +1,14 @@
 # coding: binary
+# frozen_string_literal: false
 #--
-#= $RCSfile$ -- Buffering mix-in module.
-#
 #= Info
 #  'OpenSSL for Ruby 2' project
 #  Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
 #  All rights reserved.
 #
 #= Licence
-#  This program is licenced under the same licence as Ruby.
+#  This program is licensed under the same licence as Ruby.
 #  (See the file 'LICENCE'.)
-#
-#= Version
-#  $Id: buffering.rb 43964 2013-12-03 01:44:41Z drbrain $
 #++
 
 ##
@@ -213,7 +209,7 @@ module OpenSSL::Buffering
     else
       size = idx ? idx+eol.size : nil
     end
-    if limit and limit >= 0
+    if size && limit && limit >= 0
       size = [size, limit].min
     end
     consume_rbuff(size)

data/lib/openssl/cipher.rb

@@ -1,7 +1,5 @@
+# frozen_string_literal: false
 #--
-#
-# $RCSfile$
-#
 # = Ruby-space predefined Cipher subclasses
 #
 # = Info
@@ -10,12 +8,8 @@
 # All rights reserved.
 #
 # = Licence
-# This program is licenced under the same licence as Ruby.
+# This program is licensed under the same licence as Ruby.
 # (See the file 'LICENCE'.)
-#
-# = Version
-# $Id: cipher.rb 36895 2012-09-04 00:57:31Z nobu $
-#
 #++
 
 module OpenSSL
@@ -58,7 +52,7 @@ module OpenSSL
     end
 
     # This class is only provided for backwards compatibility.  Use OpenSSL::Cipher in the future.
-    class Cipher < ::OpenSSL::Cipher
+    class Cipher < Cipher
       # add warning
     end
   end # Cipher

data/lib/openssl/config.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 =begin
 = Ruby-space definitions that completes C-space funcs for Config
 
@@ -5,7 +6,7 @@
   Copyright (C) 2010  Hiroshi Nakamura <nahi@ruby-lang.org>
 
 = Licence
-  This program is licenced under the same licence as Ruby.
+  This program is licensed under the same licence as Ruby.
   (See the file 'LICENCE'.)
 
 =end

data/lib/openssl/digest.rb

@@ -1,7 +1,5 @@
+# frozen_string_literal: false
 #--
-#
-# $RCSfile$
-#
 # = Ruby-space predefined Digest subclasses
 #
 # = Info
@@ -10,12 +8,8 @@
 # All rights reserved.
 #
 # = Licence
-# This program is licenced under the same licence as Ruby.
+# This program is licensed under the same licence as Ruby.
 # (See the file 'LICENCE'.)
-#
-# = Version
-# $Id: digest.rb 44116 2013-12-10 07:16:03Z nobu $
-#
 #++
 
 module OpenSSL
@@ -56,7 +50,7 @@ module OpenSSL
     # Deprecated.
     #
     # This class is only provided for backwards compatibility.
-    class Digest < ::OpenSSL::Digest # :nodoc:
+    class Digest < Digest # :nodoc:
       # Deprecated.
       #
       # See OpenSSL::Digest.new
@@ -85,4 +79,3 @@ module OpenSSL
   module_function :Digest
 
 end # OpenSSL
-

data/lib/openssl/pkey.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+module OpenSSL
+  module PKey
+    if defined?(OpenSSL::PKey::DH)
+
+    class DH
+      DEFAULT_512 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+-----END DH PARAMETERS-----
+      _end_of_pem_
+
+      DEFAULT_1024 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
+T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
+-----END DH PARAMETERS-----
+      _end_of_pem_
+    end
+
+    DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+      warn "using default DH parameters." if $VERBOSE
+      case keylen
+      when 512  then OpenSSL::PKey::DH::DEFAULT_512
+      when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+      else
+        nil
+      end
+    }
+
+    else
+      DEFAULT_TMP_DH_CALLBACK = nil
+    end
+  end
+end

data/lib/openssl/ssl.rb

@@ -1,21 +1,17 @@
+# frozen_string_literal: false
 =begin
-= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
-
 = Info
   'OpenSSL for Ruby 2' project
   Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
   All rights reserved.
 
 = Licence
-  This program is licenced under the same licence as Ruby.
+  This program is licensed under the same licence as Ruby.
   (See the file 'LICENCE'.)
-
-= Version
-  $Id: ssl.rb 50293 2015-04-13 13:13:01Z nagachika $
 =end
 
 require "openssl/buffering"
-require "fcntl"
+require "io/nonblock"
 
 module OpenSSL
   module SSL
@@ -74,6 +70,48 @@ module OpenSSL
         DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
       end
 
+      INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
+        "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
+        "verify_callback", "cert_store", "extra_chain_cert",
+        "client_cert_cb", "session_id_context", "tmp_dh_callback",
+        "session_get_cb", "session_new_cb", "session_remove_cb",
+        "tmp_ecdh_callback", "servername_cb", "npn_protocols",
+        "alpn_protocols", "alpn_select_cb",
+        "npn_select_cb"].map { |x| "@#{x}" }
+
+      # A callback invoked when DH parameters are required.
+      #
+      # The callback is invoked with the Session for the key exchange, an
+      # flag indicating the use of an export cipher and the keylength
+      # required.
+      #
+      # The callback must return an OpenSSL::PKey::DH instance of the correct
+      # key length.
+
+      attr_accessor :tmp_dh_callback
+
+      if ExtConfig::HAVE_TLSEXT_HOST_NAME
+        # A callback invoked at connect time to distinguish between multiple
+        # server names.
+        #
+        # The callback is invoked with an SSLSocket and a server name.  The
+        # callback must return an SSLContext for the server name or nil.
+        attr_accessor :servername_cb
+      end
+
+      # call-seq:
+      #    SSLContext.new => ctx
+      #    SSLContext.new(:TLSv1) => ctx
+      #    SSLContext.new("SSLv23_client") => ctx
+      #
+      # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
+      def initialize(version = nil)
+        INIT_VARS.each { |v| instance_variable_set v, nil }
+        self.options = self.options | OpenSSL::SSL::OP_ALL
+        return unless version
+        self.ssl_version = version
+      end
+
       ##
       # Sets the parameters for this SSL context to the values in +params+.
       # The keys in +params+ must be assignment methods on SSLContext.
@@ -124,15 +162,6 @@ module OpenSSL
       end
     end
 
-    module Nonblock
-      def initialize(*args)
-        flag = File::NONBLOCK
-        flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
-        @io.fcntl(Fcntl::F_SETFL, flag)
-        super
-      end
-    end
-
     def verify_certificate_identity(cert, hostname)
       should_verify_common_name = true
       cert.extensions.each{|ext|
@@ -220,7 +249,53 @@ module OpenSSL
     class SSLSocket
       include Buffering
       include SocketForwarder
-      include Nonblock
+
+      if ExtConfig::OPENSSL_NO_SOCK
+        def initialize(io, ctx = nil); raise NotImplmentedError; end
+      else
+        if ExtConfig::HAVE_TLSEXT_HOST_NAME
+          attr_accessor :hostname
+        end
+
+        attr_reader :io, :context
+        attr_accessor :sync_close
+        alias :to_io :io
+
+        # call-seq:
+        #    SSLSocket.new(io) => aSSLSocket
+        #    SSLSocket.new(io, ctx) => aSSLSocket
+        #
+        # Creates a new SSL socket from +io+ which must be a real ruby object (not an
+        # IO-like object that responds to read/write).
+        #
+        # If +ctx+ is provided the SSL Sockets initial params will be taken from
+        # the context.
+        #
+        # The OpenSSL::Buffering module provides additional IO methods.
+        #
+        # This method will freeze the SSLContext if one is provided;
+        # however, session management is still allowed in the frozen SSLContext.
+
+        def initialize(io, context = OpenSSL::SSL::SSLContext.new)
+          @io         = io
+          @context    = context
+          @sync_close = false
+          @hostname   = nil
+          @io.nonblock = true if @io.respond_to?(:nonblock=)
+          context.setup
+          super()
+        end
+      end
+
+      # call-seq:
+      #    ssl.sysclose => nil
+      #
+      # Shuts down the SSL connection and prepares it for another connection.
+      def sysclose
+        return if closed?
+        stop
+        io.close if sync_close
+      end
 
       ##
       # Perform hostname verification after an SSL connection is established
@@ -228,6 +303,14 @@ module OpenSSL
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        if peer_cert.nil?
+          msg = "Peer verification enabled, but no certificate received."
+          if using_anon_cipher?
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+          end
+          raise SSLError, msg
+        end
+
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
         end
@@ -239,6 +322,34 @@ module OpenSSL
       rescue SSL::Session::SessionError
         nil
       end
+
+      private
+
+      def using_anon_cipher?
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "aNULL"
+        ctx.ciphers.include?(cipher)
+      end
+
+      def client_cert_cb
+        @context.client_cert_cb
+      end
+
+      def tmp_dh_callback
+        @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK
+      end
+
+      def tmp_ecdh_callback
+        @context.tmp_ecdh_callback
+      end
+
+      def session_new_cb
+        @context.session_new_cb
+      end
+
+      def session_get_cb
+        @context.session_get_cb
+      end
     end
 
     ##