tclink_gs 4.5.0

data/ext/tclink/tclink.h

@@ -0,0 +1,72 @@
+/* tclink.h - Header file for TCLink library. */
+
+#ifndef _TCLINK_H
+#define _TCLINK_H
+
+#include "config.h"
+
+/* Handle passed to all TCLink functions.  A unique handle must be created
+ * for each concurrent thread, but the same handle can be shared by transactions
+ * occurring one after another (such as a for loop).
+ */
+#define TCLinkHandle void*
+
+/* Parameter names and values cannot exceed this size.
+ */
+#define PARAM_MAX_LEN 768
+
+/* Create a new TCLinkHandle.
+ */
+TCLinkHandle
+TCLinkCreate();
+
+/* Add a parameter to be sent to the server.
+ */
+void
+TCLinkPushParam(TCLinkHandle handle, const char* name, const char* value);
+
+/* Flush the parameters to the server.
+ */
+void
+TCLinkSend(TCLinkHandle handle);
+
+/* Look up a response value from the server.
+ * Returns NULL if no such parameter, or stores the value in 'value' and
+ * returns a pointer to value.  value should be at least PARAM_MAX_LEN in size.
+ */
+char*
+TCLinkGetResponse(TCLinkHandle handle, const char* name, char* value);
+
+/* Get all response values from the server in one giant string.
+ * Stores the string into buf and returns a pointer to it.  Size should be
+ * sizeof(buf), which will limit the string so that no buffer overruns occur.
+ */
+char*
+TCLinkGetEntireResponse(TCLinkHandle handle, char* buf, int size);
+
+/* Destory a handle, ending that transaction and freeing the memory associated
+ * with it. */
+void
+TCLinkDestroy(TCLinkHandle handle);
+
+/* Store version string into buf.  Returns a pointer to buf. */
+char*
+TCLinkGetVersion(char* buf);
+
+/* The API methods below are subject to change. */
+
+/* Enables (1) or Disables (0) the full SSL close_notify sequence.  By default,
+ * this is set to 1.*/
+int
+TCLinkSetFullClose(TCLinkHandle handle, int full_ssl_close);
+
+/* Provides a method, once the handshake is completed, a means to verify the
+ * contents of that certificate independently. Note that the certificate may not
+ * be set depending on the negotation type (in which case the pointer would be
+ * NULL)
+ */
+void
+TCLinkSetValidateCallback(TCLinkHandle handle,
+                          int (*validate_cert)(int, void*));
+
+#endif

data/ext/tclink/validate.c

@@ -0,0 +1,165 @@
+/*
+COPYRIGHT AND PERMISSION NOTICE
+
+Copyright (c) 1996 - 2010, Daniel Stenberg, <daniel@haxx.se>.
+
+All rights reserved.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder shall not
+be used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization of the copyright holder.
+*/
+/* simplified to a basic host name check */
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
+#include <string.h>
+
+#define bool int
+#define false 0
+#define true 1
+/** @fn static bool cert_hostcheck(const char *hostname, char *pattern)
+ * Verifies that the hostname matches against the pattern specified.
+ * Handles wildcard patterns and ignores the distinction between upper and lower
+ * case letters. Note: Ported over from ssluse.c in curl (7.1.16) lib Note:
+ * Explicit pattern match disabled as we do not use that for processing node
+ * certificate. Note: No longer ignores the distinction between upper and lower
+ * case letters.  Our certificate is generated with lowercase letters.
+ * @return true if matches, false otherwise
+ * @param hostname The hostname we want to check. e.g: vault.trustcommerce.com
+ * @param pattern The pattern we wish to match against. e.g: *.trustcommerce.com
+ */
+bool
+cert_hostcheck(const char* pattern, const char* hostname)
+{
+  if (!hostname || !pattern || !*hostname || !*pattern)
+    return false;
+  if (!strcmp(hostname, pattern))
+    return true;
+  return false;
+}
+/** @fn static bool checkCertificate(X509 *cert, char *host)
+ * Provides validation of the hostname associated with a certificate.
+ * See RFC2818 - Server Identity for an overview of the concept.
+ * This implementation is based off the one found in curl-7.16.1: ssluse.c
+ * but we treat the subjectAltName as a recommendation... so if it fails,
+ * we will proceed to the CN check.
+ * The rationale for this is that we are not always using HTTP (over SSL)
+ * and its more of a certification generation / CA issue and we want
+ * maximum interoperability (as opposed to strict compliance).
+ * @param cert The X509 certificate in question.
+ * @param host The hostname or ip we wish to check.
+ * @return true if matches, false otherwise
+ */
+static bool
+checkCertificate(X509* cert, const char* host)
+{
+  int i, j;
+  bool matched = false;
+  STACK_OF(GENERAL_NAME) * altnames;
+  unsigned char nulstr[] = { '\0' };
+  unsigned char* peer_CN = nulstr;
+  X509_NAME* name;
+  ASN1_STRING* tmp;
+  bool status = false;
+
+  if (!cert || !host)
+    return false;
+
+  altnames = (STACK_OF(GENERAL_NAME)*)(X509_get_ext_d2i(
+    cert, NID_subject_alt_name, NULL, NULL));
+
+  if (altnames != NULL) {
+    int numalts = sk_GENERAL_NAME_num(altnames);
+    for (i = 0; (i < numalts) && (matched == false); i++) {
+      const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, i);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+      const char* altptr = (char*)(ASN1_STRING_data(check->d.ia5));
+#else
+      const char* altptr = (char*)(ASN1_STRING_get0_data(check->d.ia5));
+#endif
+      size_t altlen;
+      switch (check->type) {
+        case GEN_DNS:
+          altlen = ASN1_STRING_length(check->d.ia5);
+          if (altlen == strlen(host) && cert_hostcheck(altptr, host))
+            matched = true;
+          break;
+        case GEN_IPADD:
+          altlen = ASN1_STRING_length(check->d.ia5);
+          if (altlen == strlen(host) && !memcmp(altptr, host, altlen))
+            matched = true;
+          break;
+      }
+    }
+    GENERAL_NAMES_free(altnames);
+    if (matched != false)
+      return true;
+  }
+
+  i = j = -1;
+
+  name = X509_get_subject_name(cert);
+  if (!name)
+    return false;
+
+  // get the last CN found in the subject (supposedly its the most distinguished
+  // one)
+  while ((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
+    i = j;
+
+  if (i < 0)
+    return false;
+
+  tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
+  /* workaround for version of openssl < 0.9.7d */
+  if (tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+    j = ASN1_STRING_length(tmp);
+    if (j >= 0) {
+      peer_CN = (unsigned char*)(OPENSSL_malloc(j + 1));
+      if (peer_CN) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+        memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+#else
+        memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
+#endif
+        peer_CN[j] = '\0';
+      }
+    }
+  } else {
+    j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+  }
+
+  if (peer_CN == nulstr)
+    peer_CN = NULL;
+
+  if (peer_CN == NULL)
+    return false; // the cn isnt missing in virtually all cases
+  else if (!cert_hostcheck((char*)(peer_CN), host))
+    status = false;
+  else
+    status = true;
+
+  if (peer_CN)
+    OPENSSL_free(peer_CN);
+  return status;
+}
+
+int
+TCLinkDefaultValidate(int x, void* cert)
+{
+  if (x != 0 || cert == NULL)
+    return 0;
+  return !checkCertificate((X509*)cert, "pgw1.trustcommerce.com");
+}

data/lib/tclink.rb

@@ -0,0 +1 @@
+require 'tclink/tclink'

data/lib/tclink/version.rb

@@ -0,0 +1,3 @@
+module Tclink
+  VERSION = '0.0.01'
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification
+name: tclink_gs
+version: !ruby/object:Gem::Version
+  version: 4.5.0
+platform: ruby
+authors:
+- David Anderson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-06-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.1
+description: Trust Commerce connectivity layer
+email: david.anderson@gotsport.com
+executables: []
+extensions:
+- ext/tclink/extconf.rb
+extra_rdoc_files: []
+files:
+- LICENSE
+- README
+- doc/TC_Link_API_Developer_Guide_5.4.3.pdf
+- ext/tclink/extconf.rb
+- ext/tclink/openssl_management.c
+- ext/tclink/rb_tclink.c
+- ext/tclink/tclink.c
+- ext/tclink/tclink.h
+- ext/tclink/validate.c
+- lib/tclink.rb
+- lib/tclink/version.rb
+homepage: 
+licenses:
+- LGPL-2.1-only
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key: 
+specification_version: 4
+summary: TCLink Trust Commerce link
+test_files: []