webrick 1.3.1 → 1.4.3

data/lib/webrick/ssl.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # ssl.rb -- SSL/TLS enhancement for GenericServer
 #
@@ -12,6 +13,57 @@ module WEBrick
   module Config
     svrsoft = General[:ServerSoftware]
     osslv = ::OpenSSL::OPENSSL_VERSION.split[1]
+
+    ##
+    # Default SSL server configuration.
+    #
+    # WEBrick can automatically create a self-signed certificate if
+    # <code>:SSLCertName</code> is set.  For more information on the various
+    # SSL options see OpenSSL::SSL::SSLContext.
+    #
+    # :ServerSoftware       ::
+    #   The server software name used in the Server: header.
+    # :SSLEnable            :: false,
+    #   Enable SSL for this server.  Defaults to false.
+    # :SSLCertificate       ::
+    #   The SSL certificate for the server.
+    # :SSLPrivateKey        ::
+    #   The SSL private key for the server certificate.
+    # :SSLClientCA          :: nil,
+    #   Array of certificates that will be sent to the client.
+    # :SSLExtraChainCert    :: nil,
+    #   Array of certificates that will be added to the certificate chain
+    # :SSLCACertificateFile :: nil,
+    #   Path to a CA certificate file
+    # :SSLCACertificatePath :: nil,
+    #   Path to a directory containing CA certificates
+    # :SSLCertificateStore  :: nil,
+    #   OpenSSL::X509::Store used for certificate validation of the client
+    # :SSLTmpDhCallback     :: nil,
+    #   Callback invoked when DH parameters are required.
+    # :SSLVerifyClient      ::
+    #   Sets whether the client is verified.  This defaults to VERIFY_NONE
+    #   which is typical for an HTTPS server.
+    # :SSLVerifyDepth       ::
+    #   Number of CA certificates to walk when verifying a certificate chain
+    # :SSLVerifyCallback    ::
+    #   Custom certificate verification callback
+    # :SSLServerNameCallback::
+    #   Custom servername indication callback
+    # :SSLTimeout           ::
+    #   Maximum session lifetime
+    # :SSLOptions           ::
+    #   Various SSL options
+    # :SSLCiphers           ::
+    #   Ciphers to be used
+    # :SSLStartImmediately  ::
+    #   Immediately start SSL upon connection?  Defaults to true
+    # :SSLCertName          ::
+    #   SSL certificate name.  Must be set to enable automatic certificate
+    #   creation.
+    # :SSLCertComment       ::
+    #   Comment used during automatic certificate creation.
+
     SSL = {
       :ServerSoftware       => "#{svrsoft} OpenSSL/#{osslv}",
       :SSLEnable            => false,
@@ -22,11 +74,13 @@ module WEBrick
       :SSLCACertificateFile => nil,
       :SSLCACertificatePath => nil,
       :SSLCertificateStore  => nil,
+      :SSLTmpDhCallback     => nil,
       :SSLVerifyClient      => ::OpenSSL::SSL::VERIFY_NONE,
       :SSLVerifyDepth       => nil,
       :SSLVerifyCallback    => nil,   # custom verification
       :SSLTimeout           => nil,
       :SSLOptions           => nil,
+      :SSLCiphers           => nil,
       :SSLStartImmediately  => true,
       # Must specify if you use auto generated certificate.
       :SSLCertName          => nil,
@@ -36,6 +90,10 @@ module WEBrick
   end
 
   module Utils
+    ##
+    # Creates a self-signed certificate with the given number of +bits+,
+    # the issuer +cn+ and a +comment+ to be stored in the certificate.
+
     def create_self_signed_cert(bits, cn, comment)
       rsa = OpenSSL::PKey::RSA.new(bits){|p, n|
         case p
@@ -52,7 +110,8 @@ module WEBrick
       cert = OpenSSL::X509::Certificate.new
       cert.version = 2
       cert.serial = 1
-      name = OpenSSL::X509::Name.new(cn)
+      name = (cn.kind_of? String) ? OpenSSL::X509::Name.parse(cn)
+                                  : OpenSSL::X509::Name.new(cn)
       cert.subject = name
       cert.issuer = name
       cert.not_before = Time.now
@@ -71,26 +130,40 @@ module WEBrick
       aki = ef.create_extension("authorityKeyIdentifier",
                                 "keyid:always,issuer:always")
       cert.add_extension(aki)
-      cert.sign(rsa, OpenSSL::Digest::SHA1.new)
+      cert.sign(rsa, OpenSSL::Digest::SHA256.new)
 
       return [ cert, rsa ]
     end
     module_function :create_self_signed_cert
   end
 
+  ##
+  #--
+  # Updates WEBrick::GenericServer with SSL functionality
+
   class GenericServer
-    def ssl_context
-      @ssl_context ||= nil
+
+    ##
+    # SSL context for the server when run in SSL mode
+
+    def ssl_context # :nodoc:
+      @ssl_context ||= begin
+        if @config[:SSLEnable]
+          ssl_context = setup_ssl_context(@config)
+          @logger.info("\n" + @config[:SSLCertificate].to_text)
+          ssl_context
+        end
+      end
     end
 
     undef listen
-    def listen(address, port)
-      listeners = Utils::create_listeners(address, port, @logger)
+
+    ##
+    # Updates +listen+ to enable SSL when the SSL configuration is active.
+
+    def listen(address, port) # :nodoc:
+      listeners = Utils::create_listeners(address, port)
       if @config[:SSLEnable]
-        unless ssl_context
-          @ssl_context = setup_ssl_context(@config)
-          @logger.info("\n" + @config[:SSLCertificate].to_text)
-        end
         listeners.collect!{|svr|
           ssvr = ::OpenSSL::SSL::SSLServer.new(svr, ssl_context)
           ssvr.start_immediately = @config[:SSLStartImmediately]
@@ -98,13 +171,17 @@ module WEBrick
         }
       end
       @listeners += listeners
+      setup_shutdown_pipe
     end
 
-    def setup_ssl_context(config)
+    ##
+    # Sets up an SSL context for +config+
+
+    def setup_ssl_context(config) # :nodoc:
       unless config[:SSLCertificate]
         cn = config[:SSLCertName]
         comment = config[:SSLCertComment]
-        cert, key = Utils::create_self_signed_cert(1024, cn, comment)
+        cert, key = Utils::create_self_signed_cert(2048, cn, comment)
         config[:SSLCertificate] = cert
         config[:SSLPrivateKey] = key
       end
@@ -116,12 +193,23 @@ module WEBrick
       ctx.ca_file = config[:SSLCACertificateFile]
       ctx.ca_path = config[:SSLCACertificatePath]
       ctx.cert_store = config[:SSLCertificateStore]
+      ctx.tmp_dh_callback = config[:SSLTmpDhCallback]
       ctx.verify_mode = config[:SSLVerifyClient]
       ctx.verify_depth = config[:SSLVerifyDepth]
       ctx.verify_callback = config[:SSLVerifyCallback]
+      ctx.servername_cb = config[:SSLServerNameCallback] || proc { |args| ssl_servername_callback(*args) }
       ctx.timeout = config[:SSLTimeout]
       ctx.options = config[:SSLOptions]
+      ctx.ciphers = config[:SSLCiphers]
       ctx
     end
+
+    ##
+    # ServerNameIndication callback
+
+    def ssl_servername_callback(sslsocket, hostname = nil)
+      # default
+    end
+
   end
 end

data/lib/webrick/utils.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # utils.rb -- Miscellaneous utilities
 #
@@ -9,45 +10,34 @@
 # $IPR: utils.rb,v 1.10 2003/02/16 22:22:54 gotoyuzo Exp $
 
 require 'socket'
-require 'fcntl'
-begin
-  require 'etc'
-rescue LoadError
-  nil
-end
+require 'io/nonblock'
+require 'etc'
 
 module WEBrick
   module Utils
     ##
     # Sets IO operations on +io+ to be non-blocking
     def set_non_blocking(io)
-      flag = File::NONBLOCK
-      if defined?(Fcntl::F_GETFL)
-        flag |= io.fcntl(Fcntl::F_GETFL)
-      end
-      io.fcntl(Fcntl::F_SETFL, flag)
+      io.nonblock = true if io.respond_to?(:nonblock=)
     end
     module_function :set_non_blocking
 
     ##
     # Sets the close on exec flag for +io+
     def set_close_on_exec(io)
-      if defined?(Fcntl::FD_CLOEXEC)
-        io.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
-      end
+      io.close_on_exec = true if io.respond_to?(:close_on_exec=)
     end
     module_function :set_close_on_exec
 
     ##
     # Changes the process's uid and gid to the ones of +user+
     def su(user)
-      if defined?(Etc)
-        pw = Etc.getpwnam(user)
+      if pw = Etc.getpwnam(user)
         Process::initgroups(user, pw.gid)
         Process::Sys::setgid(pw.gid)
         Process::Sys::setuid(pw.uid)
       else
-        warn("WEBrick::Utils::su doesn't work on this platform")
+        warn("WEBrick::Utils::su doesn't work on this platform", uplevel: 1)
       end
     end
     module_function :su
@@ -68,30 +58,17 @@ module WEBrick
     # Creates TCP server sockets bound to +address+:+port+ and returns them.
     #
     # It will create IPV4 and IPV6 sockets on all interfaces.
-    def create_listeners(address, port, logger=nil)
+    def create_listeners(address, port)
       unless port
         raise ArgumentError, "must specify port"
       end
-      res = Socket::getaddrinfo(address, port,
-                                Socket::AF_UNSPEC,   # address family
-                                Socket::SOCK_STREAM, # socket type
-                                0,                   # protocol
-                                Socket::AI_PASSIVE)  # flag
-      last_error = nil
-      sockets = []
-      res.each{|ai|
-        begin
-          logger.debug("TCPServer.new(#{ai[3]}, #{port})") if logger
-          sock = TCPServer.new(ai[3], port)
-          port = sock.addr[1] if port == 0
-          Utils::set_close_on_exec(sock)
-          sockets << sock
-        rescue => ex
-          logger.warn("TCPServer Error: #{ex}") if logger
-          last_error  = ex
-        end
+      sockets = Socket.tcp_server_sockets(address, port)
+      sockets = sockets.map {|s|
+        s.autoclose = false
+        ts = TCPServer.for_fd(s.fileno)
+        s.close
+        ts
       }
-      raise last_error if sockets.empty?
       return sockets
     end
     module_function :create_listeners
@@ -114,7 +91,6 @@ module WEBrick
 
     ###########
 
-    require "thread"
     require "timeout"
     require "singleton"
 
@@ -149,7 +125,7 @@ module WEBrick
 
       ##
       # Mutex used to synchronize access across threads
-      TimeoutMutex = Mutex.new # :nodoc:
+      TimeoutMutex = Thread::Mutex.new # :nodoc:
 
       ##
       # Registers a new timeout handler
@@ -157,43 +133,82 @@ module WEBrick
       # +time+:: Timeout in seconds
       # +exception+:: Exception to raise when timeout elapsed
       def TimeoutHandler.register(seconds, exception)
-        TimeoutMutex.synchronize{
-          instance.register(Thread.current, Time.now + seconds, exception)
-        }
+        at = Process.clock_gettime(Process::CLOCK_MONOTONIC) + seconds
+        instance.register(Thread.current, at, exception)
       end
 
       ##
       # Cancels the timeout handler +id+
       def TimeoutHandler.cancel(id)
+        instance.cancel(Thread.current, id)
+      end
+
+      def self.terminate
+        instance.terminate
+      end
+
+      ##
+      # Creates a new TimeoutHandler.  You should use ::register and ::cancel
+      # instead of creating the timeout handler directly.
+      def initialize
         TimeoutMutex.synchronize{
-          instance.cancel(Thread.current, id)
+          @timeout_info = Hash.new
         }
+        @queue = Thread::Queue.new
+        @watcher = nil
       end
 
-      def initialize
-        @timeout_info = Hash.new
-        Thread.start{
+      # :nodoc:
+      private \
+        def watch
+          to_interrupt = []
           while true
-            now = Time.now
-            @timeout_info.each{|thread, ary|
-              ary.dup.each{|info|
-                time, exception = *info
-                interrupt(thread, info.object_id, exception) if time < now
+            now = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+            wakeup = nil
+            to_interrupt.clear
+            TimeoutMutex.synchronize{
+              @timeout_info.each {|thread, ary|
+                next unless ary
+                ary.each{|info|
+                  time, exception = *info
+                  if time < now
+                    to_interrupt.push [thread, info.object_id, exception]
+                  elsif !wakeup || time < wakeup
+                    wakeup = time
+                  end
+                }
               }
             }
-            sleep 0.5
+            to_interrupt.each {|arg| interrupt(*arg)}
+            if !wakeup
+              @queue.pop
+            elsif (wakeup -= now) > 0
+              begin
+                (th = Thread.start {@queue.pop}).join(wakeup)
+              ensure
+                th&.kill&.join
+              end
+            end
+            @queue.clear
           end
-        }
-      end
+        end
+
+      # :nodoc:
+      private \
+        def watcher
+          (w = @watcher)&.alive? and return w # usual case
+          TimeoutMutex.synchronize{
+            (w = @watcher)&.alive? and next w # pathological check
+            @watcher = Thread.start(&method(:watch))
+          }
+        end
 
       ##
       # Interrupts the timeout handler +id+ and raises +exception+
       def interrupt(thread, id, exception)
-        TimeoutMutex.synchronize{
-          if cancel(thread, id) && thread.alive?
-            thread.raise(exception, "execution timeout")
-          end
-        }
+        if cancel(thread, id) && thread.alive?
+          thread.raise(exception, "execution timeout")
+        end
       end
 
       ##
@@ -202,22 +217,36 @@ module WEBrick
       # +time+:: Timeout in seconds
       # +exception+:: Exception to raise when timeout elapsed
       def register(thread, time, exception)
-        @timeout_info[thread] ||= Array.new
-        @timeout_info[thread] << [time, exception]
-        return @timeout_info[thread].last.object_id
+        info = nil
+        TimeoutMutex.synchronize{
+          (@timeout_info[thread] ||= []) << (info = [time, exception])
+        }
+        @queue.push nil
+        watcher
+        return info.object_id
       end
 
       ##
       # Cancels the timeout handler +id+
       def cancel(thread, id)
-        if ary = @timeout_info[thread]
-          ary.delete_if{|info| info.object_id == id }
-          if ary.empty?
-            @timeout_info.delete(thread)
+        TimeoutMutex.synchronize{
+          if ary = @timeout_info[thread]
+            ary.delete_if{|info| info.object_id == id }
+            if ary.empty?
+              @timeout_info.delete(thread)
+            end
+            return true
           end
-          return true
-        end
-        return false
+          return false
+        }
+      end
+
+      ##
+      def terminate
+        TimeoutMutex.synchronize{
+          @timeout_info.clear
+          @watcher&.kill&.join
+        }
       end
     end
 

data/lib/webrick/version.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #--
 # version.rb -- version and release date
 #
@@ -9,5 +10,9 @@
 # $IPR: version.rb,v 1.74 2003/07/22 19:20:43 gotoyuzo Exp $
 
 module WEBrick
-  VERSION      = "1.3.1"
+
+  ##
+  # The WEBrick version
+
+  VERSION      = "1.4.3"
 end