uringmachine 0.5 → 0.6

data/ext/um/um_ssl.h

@@ -0,0 +1,22 @@
+#ifndef UM_SSL_H
+#define UM_SSL_H
+
+#include <ruby.h>
+// #include <openssl/bio.h>
+#include <openssl/ssl.h>
+// #include <openssl/dh.h>
+// #include <openssl/err.h>
+// #include <openssl/x509.h>
+
+enum ssl_role {
+  ROLE_SERVER,
+  ROLE_CLIENT
+};
+
+struct um_ssl_connection {
+  VALUE self;
+
+  enum ssl_role role;
+};
+
+#endif // UM_SSL_H

data/ext/um/um_ssl_class.c

@@ -0,0 +1,138 @@
+/*
+  Adopted from:
+    https://github.com/puma/puma/blob/master/ext/puma_http11/mini_ssl.c
+  
+  License (BSD-3):
+    https://github.com/puma/puma/blob/master/LICENSE
+*/
+
+#include "um.h"
+#include "um_ssl.h"
+// #include <openssl/bio.h>
+#include <openssl/ssl.h>
+// #include <openssl/dh.h>
+// #include <openssl/err.h>
+// #include <openssl/x509.h>
+
+VALUE eSSLError;
+VALUE cSSLConnection;
+
+static void UM_SSL_Connection_mark(void *ptr) {
+  // struct um_ssl_connection *connection = ptr;
+  // rb_gc_mark_movable(connection->self);
+
+  // um_op_list_mark(machine, machine->transient_head);
+  // um_op_list_mark(machine, machine->runqueue_head);
+}
+
+static void UM_SSL_Connection_compact(void *ptr) {
+  // struct um_ssl_connection *connection = ptr;
+  // machine->self = rb_gc_location(machine->self);
+  // machine->poll_fiber = rb_gc_location(machine->poll_fiber);
+
+  // um_op_list_compact(machine, machine->transient_head);
+  // um_op_list_compact(machine, machine->runqueue_head);
+}
+
+static void UM_SSL_Connection_free(void *ptr) {
+  // um_ssl_connection_teardown((struct um_ssl_connection *)ptr);
+  free(ptr);
+}
+
+static size_t UM_SSL_Connection_size(const void *ptr) {
+  return sizeof(struct um_ssl_connection);
+}
+
+static const rb_data_type_t UM_SSL_Connection_type = {
+    "UringMachine::SSL::Connection",
+    {UM_SSL_Connection_mark, UM_SSL_Connection_free, UM_SSL_Connection_size, UM_SSL_Connection_compact},
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED
+};
+
+static VALUE UM_SSL_Connection_allocate(VALUE klass) {
+  struct um_ssl_connection *connection = ALLOC(struct um_ssl_connection);
+  return TypedData_Wrap_Struct(klass, &UM_SSL_Connection_type, connection);
+}
+
+VALUE UM_SSL_Connection_initialize(VALUE self, VALUE machine, VALUE fd, VALUE ctx) {
+  // struct um_ssl_connection *connection = RTYPEDDATA_DATA(self);
+
+  return self;
+}
+
+VALUE UM_SSL_check(VALUE self) {
+  return Qnil;
+}
+
+void Init_SSL(void) {
+  VALUE cUM = rb_define_class("UringMachine", rb_cObject);
+  VALUE cSSL = rb_define_module_under(cUM, "SSL");
+
+  cSSLConnection = rb_define_class_under(cSSL, "Connection", rb_cObject);
+  rb_define_alloc_func(cUM, UM_SSL_Connection_allocate);
+
+  rb_define_method(cSSLConnection, "initialize", UM_SSL_Connection_initialize, 3);
+
+  // cCtx = rb_define_class_under(cSSL, "SSLContext", rb_cObject);
+  // rb_define_alloc_func(cCtx, sslctx_alloc);
+  // rb_define_method(cCtx, "initialize", sslctx_initialize, 1);
+  // rb_undef_method(cCtx, "initialize_copy");
+
+  // OpenSSL Build / Runtime/Load versions
+
+  /* Version of OpenSSL that UringMachine was compiled with */
+  rb_define_const(cSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+  /* Version of OpenSSL that UringMachine loaded with */
+  rb_define_const(cSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
+#else
+  rb_define_const(cSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
+#endif
+
+#if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
+  /* True if SSL3 is not available */
+  rb_define_const(cSSL, "OPENSSL_NO_SSL3", Qtrue);
+#else
+  rb_define_const(cSSL, "OPENSSL_NO_SSL3", Qfalse);
+#endif
+
+#if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
+  /* True if TLS1 is not available */
+  rb_define_const(cSSL, "OPENSSL_NO_TLS1", Qtrue);
+#else
+  rb_define_const(cSSL, "OPENSSL_NO_TLS1", Qfalse);
+#endif
+
+#if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
+  /* True if TLS1_1 is not available */
+  rb_define_const(cSSL, "OPENSSL_NO_TLS1_1", Qtrue);
+#else
+  rb_define_const(cSSL, "OPENSSL_NO_TLS1_1", Qfalse);
+#endif
+
+  rb_define_singleton_method(cSSL, "check", UM_SSL_check, 0);
+
+  eSSLError = rb_define_class_under(cSSL, "SSLError", rb_eStandardError);
+
+  // rb_define_singleton_method(cSSLConnection, "server", engine_init_server, 1);
+  // rb_define_singleton_method(cSSLConnection, "client", engine_init_client, 0);
+
+  // rb_define_method(cSSLConnection, "inject", engine_inject, 1);
+  // rb_define_method(cSSLConnection, "read",  engine_read, 0);
+
+  // rb_define_method(cSSLConnection, "write",  engine_write, 1);
+  // rb_define_method(cSSLConnection, "extract", engine_extract, 0);
+
+  // rb_define_method(cSSLConnection, "shutdown", engine_shutdown, 0);
+
+  // rb_define_method(cSSLConnection, "init?", engine_init, 0);
+
+  /* @!attribute [r] peercert
+   * Returns `nil` when `MiniSSL::Context#verify_mode` is set to `VERIFY_NONE`.
+   * @return [String, nil] DER encoded cert
+   */
+  // rb_define_method(cSSLConnection, "peercert", engine_peercert, 0);
+
+  // rb_define_method(cSSLConnection, "ssl_vers_st", engine_ssl_vers_st, 0);
+}

data/lib/uringmachine/actor.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+class UringMachine
+  def spin_actor(mod, *a, **k)
+    target = Object.new.extend(mod)
+    mailbox = UM::Queue.new
+    actor = spin(nil, Actor) { actor.run(self, target, mailbox) }
+    target.setup(*a, **k)
+    snooze
+    actor
+  end
+
+  class Actor < Fiber
+    def run(machine, target, mailbox)
+      @machine = machine
+      @target = target      
+      @mailbox = mailbox
+      while (msg = machine.shift(mailbox))
+        process_message(msg)
+      end
+    ensure
+      @target.teardown if @target.respond_to?(:teardown)
+    end
+
+    def cast(sym, *a, **k)
+      self << [:cast, nil, sym, a, k]
+      self
+    end
+
+    def call(sym, *a, **k)
+      self << [:call, Fiber.current, sym, a, k]
+      @machine.yield
+    end
+
+    private
+
+    def process_message(msg)
+      type, fiber, sym, args, kwargs = msg
+      case type
+      when :cast
+        @target.send(sym, *args, **kwargs)
+      when :call
+        res = @target.send(sym, *args, **kwargs)
+        @machine.schedule(fiber, res)
+      end
+    end
+
+    def <<(msg)
+      @machine.push(@mailbox, msg)
+    end
+  end
+end

data/lib/uringmachine/ssl/context_builder.rb

@@ -0,0 +1,96 @@
+module UringMachine
+  module SSL
+    class ContextBuilder
+      def initialize(params, log_writer)
+        @params = params
+        @log_writer = log_writer
+      end
+
+      def context
+        ctx = SSL::Context.new
+
+        if defined?(JRUBY_VERSION)
+          unless params['keystore']
+            log_writer.error "Please specify the Java keystore via 'keystore='"
+          end
+
+          ctx.keystore = params['keystore']
+
+          unless params['keystore-pass']
+            log_writer.error "Please specify the Java keystore password  via 'keystore-pass='"
+          end
+
+          ctx.keystore_pass = params['keystore-pass']
+          ctx.keystore_type = params['keystore-type']
+
+          if truststore = params['truststore']
+            ctx.truststore = truststore.eql?('default') ? :default : truststore
+            ctx.truststore_pass = params['truststore-pass']
+            ctx.truststore_type = params['truststore-type']
+          end
+
+          ctx.cipher_suites = params['cipher_suites'] || params['ssl_cipher_list']
+          ctx.protocols = params['protocols'] if params['protocols']
+        else
+          if params['key'].nil? && params['key_pem'].nil?
+            log_writer.error "Please specify the SSL key via 'key=' or 'key_pem='"
+          end
+
+          ctx.key = params['key'] if params['key']
+          ctx.key_pem = params['key_pem'] if params['key_pem']
+          ctx.key_password_command = params['key_password_command'] if params['key_password_command']
+
+          if params['cert'].nil? && params['cert_pem'].nil?
+            log_writer.error "Please specify the SSL cert via 'cert=' or 'cert_pem='"
+          end
+
+          ctx.cert = params['cert'] if params['cert']
+          ctx.cert_pem = params['cert_pem'] if params['cert_pem']
+
+          if ['peer', 'force_peer'].include?(params['verify_mode'])
+            unless params['ca']
+              log_writer.error "Please specify the SSL ca via 'ca='"
+            end
+            # needed for UM::SSL::Socket#peercert, env['puma.peercert']
+            require 'openssl'
+          end
+
+          ctx.ca = params['ca'] if params['ca']
+          ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter']
+          ctx.ssl_ciphersuites = params['ssl_ciphersuites'] if params['ssl_ciphersuites'] && HAS_TLS1_3
+
+          ctx.reuse = params['reuse'] if params['reuse']
+        end
+
+        ctx.no_tlsv1   = params['no_tlsv1'] == 'true'
+        ctx.no_tlsv1_1 = params['no_tlsv1_1'] == 'true'
+
+        if params['verify_mode']
+          ctx.verify_mode = case params['verify_mode']
+                            when "peer"
+                              SSL::VERIFY_PEER
+                            when "force_peer"
+                              SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+                            when "none"
+                              SSL::VERIFY_NONE
+                            else
+                              log_writer.error "Please specify a valid verify_mode="
+                              SSL::VERIFY_NONE
+                            end
+        end
+
+        if params['verification_flags']
+          ctx.verification_flags = params['verification_flags'].split(',').
+            map { |flag| SSL::VERIFICATION_FLAGS.fetch(flag) }.
+            inject { |sum, flag| sum ? sum | flag : flag }
+        end
+
+        ctx
+      end
+
+      private
+
+      attr_reader :params, :log_writer
+    end
+  end
+end

data/lib/uringmachine/ssl.rb

@@ -0,0 +1,394 @@
+# frozen_string_literal: true
+
+require 'open3'
+# need for Puma::MiniSSL::OPENSSL constants used in `HAS_TLS1_3`
+# use require, see https://github.com/puma/puma/pull/2381
+# require 'puma/puma_http11'
+
+require_relative '../uringmachine'
+
+class UringMachine
+  module SSL
+    # Define constant at runtime, as it's easy to determine at built time,
+    # but Puma could (it shouldn't) be loaded with an older OpenSSL version
+    # @version 5.0.0
+    HAS_TLS1_3 =
+        ((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
+         (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
+
+    class Socket
+      def initialize(socket, engine)
+        @socket = socket
+        @engine = engine
+        @peercert = nil
+        @reuse = nil
+      end
+
+      # @!attribute [r] to_io
+      def to_io
+        @socket
+      end
+
+      def closed?
+        @socket.closed?
+      end
+
+      # Returns a two element array,
+      # first is protocol version (SSL_get_version),
+      # second is 'handshake' state (SSL_state_string)
+      #
+      # Used for dropping tcp connections to ssl.
+      # See OpenSSL ssl/ssl_stat.c SSL_state_string for info
+      # @!attribute [r] ssl_version_state
+      # @version 5.0.0
+      #
+      def ssl_version_state
+        @engine.ssl_vers_st
+      end
+
+      # Used to check the handshake status, in particular when a TCP connection
+      # is made with TLSv1.3 as an available protocol
+      # @version 5.0.0
+      def bad_tlsv1_3?
+        HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
+      end
+      private :bad_tlsv1_3?
+
+      def readpartial(size)
+        while true
+          output = @engine.read
+          return output if output
+
+          data = @socket.readpartial(size)
+          @engine.inject(data)
+          output = @engine.read
+
+          return output if output
+
+          while neg_data = @engine.extract
+            @socket.write neg_data
+          end
+        end
+      end
+
+      def engine_read_all
+        output = @engine.read
+        while output and additional_output = @engine.read
+          output << additional_output
+        end
+        output
+      end
+
+      def read_nonblock(size, *_)
+        # *_ is to deal with keyword args that were added
+        # at some point (and being used in the wild)
+        while true
+          output = engine_read_all
+          return output if output
+
+          data = @socket.read_nonblock(size, exception: false)
+          if data == :wait_readable || data == :wait_writable
+            # It would make more sense to let @socket.read_nonblock raise
+            # EAGAIN if necessary but it seems like it'll misbehave on Windows.
+            # I don't have a Windows machine to debug this so I can't explain
+            # exactly whats happening in that OS. Please let me know if you
+            # find out!
+            #
+            # In the meantime, we can emulate the correct behavior by
+            # capturing :wait_readable & :wait_writable and raising EAGAIN
+            # ourselves.
+            raise IO::EAGAINWaitReadable
+          elsif data.nil?
+            raise SSLError.exception "HTTP connection?" if bad_tlsv1_3?
+            return nil
+          end
+
+          @engine.inject(data)
+          output = engine_read_all
+
+          return output if output
+
+          while neg_data = @engine.extract
+            @socket.write neg_data
+          end
+        end
+      end
+
+      def write(data)
+        return 0 if data.empty?
+
+        data_size = data.bytesize
+        need = data_size
+
+        while true
+          wrote = @engine.write data
+
+          enc_wr = +''
+          while (enc = @engine.extract)
+            enc_wr << enc
+          end
+          @socket.write enc_wr unless enc_wr.empty?
+
+          need -= wrote
+
+          return data_size if need == 0
+
+          data = data.byteslice(wrote..-1)
+        end
+      end
+
+      alias_method :syswrite, :write
+      alias_method :<<, :write
+
+      # This is a temporary fix to deal with websockets code using
+      # write_nonblock.
+
+      # The problem with implementing it properly
+      # is that it means we'd have to have the ability to rewind
+      # an engine because after we write+extract, the socket
+      # write_nonblock call might raise an exception and later
+      # code would pass the same data in, but the engine would think
+      # it had already written the data in.
+      #
+      # So for the time being (and since write blocking is quite rare),
+      # go ahead and actually block in write_nonblock.
+      #
+      def write_nonblock(data, *_)
+        write data
+      end
+
+      def flush
+        @socket.flush
+      end
+
+      def close
+        begin
+          unless @engine.shutdown
+            while alert_data = @engine.extract
+              @socket.write alert_data
+            end
+          end
+        rescue IOError, SystemCallError
+          Puma::Util.purge_interrupt_queue
+          # nothing
+        ensure
+          @socket.close
+        end
+      end
+
+      # @!attribute [r] peeraddr
+      def peeraddr
+        @socket.peeraddr
+      end
+
+      # OpenSSL is loaded in `MicroSSL::ContextBuilder` when
+      # `MicroSSL::Context#verify_mode` is not `VERIFY_NONE`.
+      # When `VERIFY_NONE`, `MicroSSL::Engine#peercert` is nil, regardless of
+      # whether the client sends a cert.
+      # @return [OpenSSL::X509::Certificate, nil]
+      # @!attribute [r] peercert
+      def peercert
+        return @peercert if @peercert
+
+        raw = @engine.peercert
+        return nil unless raw
+
+        @peercert = OpenSSL::X509::Certificate.new raw
+      end
+    end
+
+    class Context
+      attr_accessor :verify_mode
+      attr_reader :no_tlsv1, :no_tlsv1_1
+
+      def initialize
+        @no_tlsv1   = false
+        @no_tlsv1_1 = false
+        @key = nil
+        @cert = nil
+        @key_pem = nil
+        @cert_pem = nil
+        @reuse = nil
+        @reuse_cache_size = nil
+        @reuse_timeout = nil
+      end
+
+      def check_file(file, desc)
+        raise ArgumentError, "#{desc} file '#{file}' does not exist" unless File.exist? file
+        raise ArgumentError, "#{desc} file '#{file}' is not readable" unless File.readable? file
+      end
+
+        # non-jruby Context properties
+        attr_reader :key
+        attr_reader :key_password_command
+        attr_reader :cert
+        attr_reader :ca
+        attr_reader :cert_pem
+        attr_reader :key_pem
+        attr_accessor :ssl_cipher_filter
+        attr_accessor :ssl_ciphersuites
+        attr_accessor :verification_flags
+
+        attr_reader :reuse, :reuse_cache_size, :reuse_timeout
+
+        def key=(key)
+          check_file key, 'Key'
+          @key = key
+        end
+
+        def key_password_command=(key_password_command)
+          @key_password_command = key_password_command
+        end
+
+        def cert=(cert)
+          check_file cert, 'Cert'
+          @cert = cert
+        end
+
+        def ca=(ca)
+          check_file ca, 'ca'
+          @ca = ca
+        end
+
+        def cert_pem=(cert_pem)
+          raise ArgumentError, "'cert_pem' is not a String" unless cert_pem.is_a? String
+          @cert_pem = cert_pem
+        end
+
+        def key_pem=(key_pem)
+          raise ArgumentError, "'key_pem' is not a String" unless key_pem.is_a? String
+          @key_pem = key_pem
+        end
+
+        def check
+          raise "Key not configured" if @key.nil? && @key_pem.nil?
+          raise "Cert not configured" if @cert.nil? && @cert_pem.nil?
+        end
+
+        # Executes the command to return the password needed to decrypt the key.
+        def key_password
+          raise "Key password command not configured" if @key_password_command.nil?
+
+          stdout_str, stderr_str, status = Open3.capture3(@key_password_command)
+
+          return stdout_str.chomp if status.success?
+
+          raise "Key password failed with code #{status.exitstatus}: #{stderr_str}"
+        end
+
+        # Controls session reuse.  Allowed values are as follows:
+        # * 'off' - matches the behavior of Puma 5.6 and earlier.  This is included
+        #   in case reuse 'on' is made the default in future Puma versions.
+        # * 'dflt' - sets session reuse on, with OpenSSL default cache size of
+        #   20k and default timeout of 300 seconds.
+        # * 's,t' - where s and t are integer strings, for size and timeout.
+        # * 's' - where s is an integer strings for size.
+        # * ',t' - where t is an integer strings for timeout.
+        #
+        def reuse=(reuse_str)
+          case reuse_str
+          when 'off'
+            @reuse = nil
+          when 'dflt'
+            @reuse = true
+          when /\A\d+\z/
+            @reuse = true
+            @reuse_cache_size = reuse_str.to_i
+          when /\A\d+,\d+\z/
+            @reuse = true
+            size, time = reuse_str.split ','
+            @reuse_cache_size = size.to_i
+            @reuse_timeout = time.to_i
+          when /\A,\d+\z/
+            @reuse = true
+            @reuse_timeout = reuse_str.delete(',').to_i
+          end
+        end
+      end
+
+      # disables TLSv1
+      # @!attribute [w] no_tlsv1=
+      def no_tlsv1=(tlsv1)
+        raise ArgumentError, "Invalid value of no_tlsv1=" unless ['true', 'false', true, false].include?(tlsv1)
+        @no_tlsv1 = tlsv1
+      end
+
+      # disables TLSv1 and TLSv1.1.  Overrides `#no_tlsv1=`
+      # @!attribute [w] no_tlsv1_1=
+      def no_tlsv1_1=(tlsv1_1)
+        raise ArgumentError, "Invalid value of no_tlsv1_1=" unless ['true', 'false', true, false].include?(tlsv1_1)
+        @no_tlsv1_1 = tlsv1_1
+      end
+
+    VERIFY_NONE = 0
+    VERIFY_PEER = 1
+    VERIFY_FAIL_IF_NO_PEER_CERT = 2
+
+    # https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
+    # /* Certificate verify flags */
+    VERIFICATION_FLAGS = {
+      "USE_CHECK_TIME"       => 0x2,
+      "CRL_CHECK"            => 0x4,
+      "CRL_CHECK_ALL"        => 0x8,
+      "IGNORE_CRITICAL"      => 0x10,
+      "X509_STRICT"          => 0x20,
+      "ALLOW_PROXY_CERTS"    => 0x40,
+      "POLICY_CHECK"         => 0x80,
+      "EXPLICIT_POLICY"      => 0x100,
+      "INHIBIT_ANY"          => 0x200,
+      "INHIBIT_MAP"          => 0x400,
+      "NOTIFY_POLICY"        => 0x800,
+      "EXTENDED_CRL_SUPPORT" => 0x1000,
+      "USE_DELTAS"           => 0x2000,
+      "CHECK_SS_SIGNATURE"   => 0x4000,
+      "TRUSTED_FIRST"        => 0x8000,
+      "SUITEB_128_LOS_ONLY"  => 0x10000,
+      "SUITEB_192_LOS"       => 0x20000,
+      "SUITEB_128_LOS"       => 0x30000,
+      "PARTIAL_CHAIN"        => 0x80000,
+      "NO_ALT_CHAINS"        => 0x100000,
+      "NO_CHECK_TIME"        => 0x200000
+    }.freeze
+
+    class Server
+      def initialize(socket, ctx)
+        @socket = socket
+        @ctx = ctx
+        @eng_ctx = IS_JRUBY ? @ctx : SSLContext.new(ctx)
+      end
+
+      def accept
+        @ctx.check
+        io = @socket.accept
+        engine = Engine.server @eng_ctx
+        Socket.new io, engine
+      end
+
+      def accept_nonblock
+        @ctx.check
+        io = @socket.accept_nonblock
+        engine = Engine.server @eng_ctx
+        Socket.new io, engine
+      end
+
+      # @!attribute [r] to_io
+      def to_io
+        @socket
+      end
+
+      # @!attribute [r] addr
+      # @version 5.0.0
+      def addr
+        @socket.addr
+      end
+
+      def close
+        @socket.close unless @socket.closed?       # closed? call is for Windows
+      end
+
+      def closed?
+        @socket.closed?
+      end
+    end
+  end
+end