diff options
| author | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-09-03 12:35:27 +0000 |
|---|---|---|
| committer | rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-09-03 12:35:27 +0000 |
| commit | 609103dbb5fb182eec12f052226c43e39b907682 (patch) | |
| tree | 881cdacc3312e65261ebd34a807c75ee09fdb303 /ext/openssl/lib | |
| parent | b9801bb8b2f5ce91755e0076d79140a72ff94d6a (diff) | |
openssl: import v2.1.0.beta1
Import Ruby/OpenSSL 2.1.0.beta1. The full commit log since v2.0.5
(imported by r59567) can be found at:
https://github.com/ruby/openssl/compare/v2.0.5...v2.1.0.beta1
----------------------------------------------------------------
Antonio Terceiro (1):
test/test_ssl: explicitly accept TLS 1.1 in corresponding test
Colby Swandale (1):
document using secure protocol to fetch git master in Bundler
Colton Jenkins (1):
Add fips_mode_get to return fips_mode
Kazuki Yamaguchi (85):
Start preparing for 2.1.0
Remove support for OpenSSL 0.9.8 and 1.0.0
bn: refine tests
bn: implement unary {plus,minus} operators for OpenSSL::BN
bn: implement OpenSSL::BN#negative?
Don't define main() when built with --enable-debug
test: let OpenSSL::TestCase include OpenSSL::TestUtils
test: prepare test PKey instances on demand
Add OpenSSL.print_mem_leaks
Enable OSSL_MDEBUG on CI builds
ssl: move default DH parameters from OpenSSL::PKey::DH
Make exceptions with the same format regardless of OpenSSL.debug
ssl: show reason of 'certificate verify error' in exception message
ssl: remove OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
ssl: do not confuse different ex_data index registries
ssl: assume SSL/SSL_CTX always have a valid reference to the Ruby object
Fix RDoc markup
ssl: suppress compiler warning
ext/openssl/deprecation.rb: remove broken-apple-openssl
extconf.rb: print informative message if OpenSSL can't be found
Rakefile: compile the extension before test
kdf: introduce OpenSSL::KDF module
ossl.h: add NUM2UINT64T() macro
kdf: add scrypt
Expand rb_define_copy_func() macro
Expand FPTR_TO_FD() macro
Remove SafeGet*() macros
cipher: rename GetCipherPtr() to ossl_evp_get_cipherbyname()
digest: rename GetDigestPtr() to ossl_evp_get_digestbyname()
Add ossl_str_new(), an exception-safe rb_str_new()
bio: simplify ossl_membio2str() using ossl_str_new()
Remove unused functions and macros
Drop support for LibreSSL 2.3
ocsp: add OpenSSL::OCSP::Request#signed?
asn1: infinite length -> indefinite length
asn1: rearrange tests
ssl: remove a needless NULL check in SSL::SSLContext#ciphers
ssl: return nil in SSL::SSLSocket#cipher if session is not started
asn1: remove an unnecessary function prototype
asn1: require tag information when instantiating generic type
asn1: initialize 'unused_bits' attribute of BitString with 0
asn1: check for illegal 'unused_bits' value of BitString
asn1: disallow NULL to be passed to asn1time_to_time()
asn1: avoid truncating OID in OpenSSL::ASN1::ObjectId#oid
asn1: allow constructed encoding with definite length form
asn1: prohibit indefinite length form for primitive encoding
asn1: allow tag number to be >= 32 for universal tag class
asn1: use ossl_asn1_tag()
asn1: clean up OpenSSL::ASN1::Constructive#to_der
asn1: harmonize OpenSSL::ASN1::*#to_der
asn1: prevent EOC octets from being in the middle of the content
asn1: do not treat EOC octets as part of content octets
x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entry
ssl: do not call session_remove_cb during GC
Backport "Merge branch 'topic/test-memory-leak'" to maint
cipher: update the documentation for Cipher#auth_tag=
Rakefile: let sync:to_ruby know about test/openssl/fixtures
test: fix formatting
test/utils: remove OpenSSL::TestUtils.silent
test/utils: add SSLTestCase#tls12_supported?
test/utils: have start_server yield only the port number
test/utils: do not set ecdh_curves in start_server
test/utils: let server_loop close socket
test/utils: improve error handling in start_server
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
test/utils: do not use DSA certificates in SSL tests
test/test_ssl: remove test_invalid_shutdown_by_gc
test/test_ssl: move test_multibyte_read_write to test_pair
test/test_ssl_session: rearrange tests
test/test_pair, test/test_ssl: fix for TLS 1.3
ssl: remove useless call to rb_thread_wait_fd()
ssl: fix NPN support
ssl: mark OpenSSL::SSL::SSLContext::DEFAULT_{1024,2048} as private
ssl: use 2048-bit group in the default tmp_dh_cb
ssl: ensure that SSL option flags are non-negative
ssl: update OpenSSL::SSL::OP_* flags
ssl: prefer TLS_method() over SSLv23_method()
ssl: add SSLContext#min_version= and #max_version=
ssl: rework SSLContext#ssl_version=
test/test_x509name: change script encoding to ASCII-8BIT
x509name: refactor OpenSSL::X509::Name#to_s
x509name: add OpenSSL::X509::Name#to_utf8
x509name: add OpenSSL::X509::Name#inspect
x509name: update regexp in OpenSSL::X509::Name.parse
Ruby/OpenSSL 2.1.0.beta1
Marcus Stollsteimer (1):
Fix rdoc for core Integer class
nobu (4):
[DOC] {read,write}_nonblock with exception: false
[DOC] keyword argument _exception_
[DOC] mark up literals
Revert r57690 except for read_nonblock
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59734 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl/lib')
| -rw-r--r-- | ext/openssl/lib/openssl.rb | 1 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/bn.rb | 3 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/buffering.rb | 38 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/config.rb | 23 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/digest.rb | 9 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/pkcs5.rb | 22 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/pkey.rb | 41 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 134 | ||||
| -rw-r--r-- | ext/openssl/lib/openssl/x509.rb | 8 |
9 files changed, 184 insertions, 95 deletions
diff --git a/ext/openssl/lib/openssl.rb b/ext/openssl/lib/openssl.rb index 26d167a9b4..0914282920 100644 --- a/ext/openssl/lib/openssl.rb +++ b/ext/openssl/lib/openssl.rb @@ -19,3 +19,4 @@ require 'openssl/config' require 'openssl/digest' require 'openssl/x509' require 'openssl/ssl' +require 'openssl/pkcs5' diff --git a/ext/openssl/lib/openssl/bn.rb b/ext/openssl/lib/openssl/bn.rb index 6d6c96e42d..8d1ebefb6e 100644 --- a/ext/openssl/lib/openssl/bn.rb +++ b/ext/openssl/lib/openssl/bn.rb @@ -27,8 +27,9 @@ module OpenSSL end # OpenSSL ## +#-- # Add double dispatch to Integer -# +#++ class Integer # Casts an Integer as an OpenSSL::BN # diff --git a/ext/openssl/lib/openssl/buffering.rb b/ext/openssl/lib/openssl/buffering.rb index d773637c0e..8b5dd9da57 100644 --- a/ext/openssl/lib/openssl/buffering.rb +++ b/ext/openssl/lib/openssl/buffering.rb @@ -63,7 +63,7 @@ module OpenSSL::Buffering end ## - # Consumes +size+ bytes from the buffer + # Consumes _size_ bytes from the buffer def consume_rbuff(size=nil) if @rbuffer.empty? @@ -79,7 +79,7 @@ module OpenSSL::Buffering public ## - # Reads +size+ bytes from the stream. If +buf+ is provided it must + # Reads _size_ bytes from the stream. If _buf_ is provided it must # reference a string which will receive the data. # # See IO#read for full details. @@ -106,7 +106,7 @@ module OpenSSL::Buffering end ## - # Reads at most +maxlen+ bytes from the stream. If +buf+ is provided it + # Reads at most _maxlen_ bytes from the stream. If _buf_ is provided it # must reference a string which will receive the data. # # See IO#readpartial for full details. @@ -136,7 +136,7 @@ module OpenSSL::Buffering end ## - # Reads at most +maxlen+ bytes in the non-blocking manner. + # Reads at most _maxlen_ bytes in the non-blocking manner. # # When no data can be read without blocking it raises # OpenSSL::SSL::SSLError extended by IO::WaitReadable or IO::WaitWritable. @@ -190,11 +190,11 @@ module OpenSSL::Buffering end ## - # Reads the next "line" from the stream. Lines are separated by +eol+. If - # +limit+ is provided the result will not be longer than the given number of + # Reads the next "line" from the stream. Lines are separated by _eol_. If + # _limit_ is provided the result will not be longer than the given number of # bytes. # - # +eol+ may be a String or Regexp. + # _eol_ may be a String or Regexp. # # Unlike IO#gets the line read will not be assigned to +$_+. # @@ -220,7 +220,7 @@ module OpenSSL::Buffering ## # Executes the block for every line in the stream where lines are separated - # by +eol+. + # by _eol_. # # See also #gets @@ -232,7 +232,7 @@ module OpenSSL::Buffering alias each_line each ## - # Reads lines from the stream which are separated by +eol+. + # Reads lines from the stream which are separated by _eol_. # # See also #gets @@ -245,7 +245,7 @@ module OpenSSL::Buffering end ## - # Reads a line from the stream which is separated by +eol+. + # Reads a line from the stream which is separated by _eol_. # # Raises EOFError if at end of file. @@ -281,7 +281,7 @@ module OpenSSL::Buffering end ## - # Pushes character +c+ back onto the stream such that a subsequent buffered + # Pushes character _c_ back onto the stream such that a subsequent buffered # character read will return it. # # Unlike IO#getc multiple bytes may be pushed back onto the stream. @@ -308,7 +308,7 @@ module OpenSSL::Buffering private ## - # Writes +s+ to the buffer. When the buffer is full or #sync is true the + # Writes _s_ to the buffer. When the buffer is full or #sync is true the # buffer is flushed to the underlying socket. def do_write(s) @@ -336,8 +336,8 @@ module OpenSSL::Buffering public ## - # Writes +s+ to the stream. If the argument is not a string it will be - # converted using String#to_s. Returns the number of bytes written. + # Writes _s_ to the stream. If the argument is not a String it will be + # converted using +.to_s+ method. Returns the number of bytes written. def write(s) do_write(s) @@ -345,7 +345,7 @@ module OpenSSL::Buffering end ## - # Writes +s+ in the non-blocking manner. + # Writes _s_ in the non-blocking manner. # # If there is buffered data, it is flushed first. This may block. # @@ -387,8 +387,8 @@ module OpenSSL::Buffering end ## - # Writes +s+ to the stream. +s+ will be converted to a String using - # String#to_s. + # Writes _s_ to the stream. _s_ will be converted to a String using + # +.to_s+ method. def <<(s) do_write(s) @@ -396,7 +396,7 @@ module OpenSSL::Buffering end ## - # Writes +args+ to the stream along with a record separator. + # Writes _args_ to the stream along with a record separator. # # See IO#puts for full details. @@ -416,7 +416,7 @@ module OpenSSL::Buffering end ## - # Writes +args+ to the stream. + # Writes _args_ to the stream. # # See IO#print for full details. diff --git a/ext/openssl/lib/openssl/config.rb b/ext/openssl/lib/openssl/config.rb index 8822545192..48d8be0069 100644 --- a/ext/openssl/lib/openssl/config.rb +++ b/ext/openssl/lib/openssl/config.rb @@ -30,7 +30,8 @@ module OpenSSL class << self ## - # Parses a given +string+ as a blob that contains configuration for openssl. + # Parses a given _string_ as a blob that contains configuration for + # OpenSSL. # # If the source of the IO is a file, then consider using #parse_config. def parse(string) @@ -46,7 +47,7 @@ module OpenSSL alias load new ## - # Parses the configuration data read from +io+, see also #parse. + # Parses the configuration data read from _io_, see also #parse. # # Raises a ConfigError on invalid configuration data. def parse_config(io) @@ -236,7 +237,7 @@ module OpenSSL # # This can be used in contexts like OpenSSL::X509::ExtensionFactory.config= # - # If the optional +filename+ parameter is provided, then it is read in and + # If the optional _filename_ parameter is provided, then it is read in and # parsed via #parse_config. # # This can raise IO exceptions based on the access, or availability of the @@ -255,7 +256,7 @@ module OpenSSL end ## - # Gets the value of +key+ from the given +section+ + # Gets the value of _key_ from the given _section_ # # Given the following configurating file being loaded: # @@ -265,8 +266,8 @@ module OpenSSL # #=> [ default ] # # foo=bar # - # You can get a specific value from the config if you know the +section+ - # and +key+ like so: + # You can get a specific value from the config if you know the _section_ + # and _key_ like so: # # config.get_value('default','foo') # #=> "bar" @@ -297,7 +298,7 @@ module OpenSSL end ## - # Set the target +key+ with a given +value+ under a specific +section+. + # Set the target _key_ with a given _value_ under a specific _section_. # # Given the following configurating file being loaded: # @@ -307,7 +308,7 @@ module OpenSSL # #=> [ default ] # # foo=bar # - # You can set the value of +foo+ under the +default+ section to a new + # You can set the value of _foo_ under the _default_ section to a new # value: # # config.add_value('default', 'foo', 'buzz') @@ -322,7 +323,7 @@ module OpenSSL end ## - # Get a specific +section+ from the current configuration + # Get a specific _section_ from the current configuration # # Given the following configurating file being loaded: # @@ -351,7 +352,7 @@ module OpenSSL end ## - # Sets a specific +section+ name with a Hash +pairs+ + # Sets a specific _section_ name with a Hash _pairs_. # # Given the following configuration being created: # @@ -365,7 +366,7 @@ module OpenSSL # # baz=buz # # It's important to note that this will essentially merge any of the keys - # in +pairs+ with the existing +section+. For example: + # in _pairs_ with the existing _section_. For example: # # config['default'] # #=> {"foo"=>"bar", "baz"=>"buz"} diff --git a/ext/openssl/lib/openssl/digest.rb b/ext/openssl/lib/openssl/digest.rb index 97ccbc9569..b6744de6bd 100644 --- a/ext/openssl/lib/openssl/digest.rb +++ b/ext/openssl/lib/openssl/digest.rb @@ -15,15 +15,12 @@ module OpenSSL class Digest - alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1) + alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OPENSSL_VERSION_NUMBER < 0x10100000 alg += %w(DSS DSS1 SHA) end - if OPENSSL_VERSION_NUMBER > 0x00908000 - alg += %w(SHA224 SHA256 SHA384 SHA512) - end - # Return the +data+ hash computed with +name+ Digest. +name+ is either the + # Return the hash value computed with _name_ Digest. _name_ is either the # long name or short name of a supported digest algorithm. # # === Examples @@ -59,7 +56,7 @@ module OpenSSL end # Digest - # Returns a Digest subclass by +name+. + # Returns a Digest subclass by _name_ # # require 'openssl' # diff --git a/ext/openssl/lib/openssl/pkcs5.rb b/ext/openssl/lib/openssl/pkcs5.rb new file mode 100644 index 0000000000..959447df5e --- /dev/null +++ b/ext/openssl/lib/openssl/pkcs5.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: false +#-- +# Ruby/OpenSSL Project +# Copyright (C) 2017 Ruby/OpenSSL Project Authors +#++ + +module OpenSSL + module PKCS5 + module_function + + # OpenSSL::PKCS5.pbkdf2_hmac has been renamed to OpenSSL::KDF.pbkdf2_hmac. + # This method is provided for backwards compatibility. + def pbkdf2_hmac(pass, salt, iter, keylen, digest) + OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter, + length: keylen, hash: digest) + end + + def pbkdf2_hmac_sha1(pass, salt, iter, keylen) + pbkdf2_hmac(pass, salt, iter, keylen, "sha1") + end + end +end diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb index 9af5f781f9..dcedd849a0 100644 --- a/ext/openssl/lib/openssl/pkey.rb +++ b/ext/openssl/lib/openssl/pkey.rb @@ -1,44 +1,3 @@ # frozen_string_literal: false module OpenSSL - module PKey - if defined?(OpenSSL::PKey::DH) - - class DH - # :nodoc: - DEFAULT_1024 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ -AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR -T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC ------END DH PARAMETERS----- - _end_of_pem_ - - # :nodoc: - DEFAULT_2048 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY -JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab -VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 -YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 -1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD -7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ------END DH PARAMETERS----- - _end_of_pem_ - end - - # :nodoc: - DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| - warn "using default DH parameters." if $VERBOSE - case keylen - when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 - when 2048 then OpenSSL::PKey::DH::DEFAULT_2048 - else - nil - end - } - - else - DEFAULT_TMP_DH_CALLBACK = nil - end - end end diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index f40a451439..a628648e71 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -17,18 +17,36 @@ module OpenSSL module SSL class SSLContext DEFAULT_PARAMS = { # :nodoc: - :ssl_version => "SSLv23", + :min_version => OpenSSL::SSL::TLS1_VERSION, :verify_mode => OpenSSL::SSL::VERIFY_PEER, :verify_hostname => true, :options => -> { opts = OpenSSL::SSL::OP_ALL opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) - opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 + opts |= OpenSSL::SSL::OP_NO_COMPRESSION opts }.call } + if defined?(OpenSSL::PKey::DH) + DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY +JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab +VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 +YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 +1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD +7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== +-----END DH PARAMETERS----- + _end_of_pem_ + private_constant :DEFAULT_2048 + + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc: + warn "using default DH parameters." if $VERBOSE + DEFAULT_2048 + } + end + if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000) DEFAULT_PARAMS.merge!( @@ -87,14 +105,18 @@ module OpenSSL # # The callback is invoked with an SSLSocket and a server name. The # callback must return an SSLContext for the server name or nil. - attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME + attr_accessor :servername_cb # call-seq: - # SSLContext.new => ctx - # SSLContext.new(:TLSv1) => ctx - # SSLContext.new("SSLv23_client") => ctx + # SSLContext.new -> ctx + # SSLContext.new(:TLSv1) -> ctx + # SSLContext.new("SSLv23") -> ctx # - # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS + # Creates a new SSL context. + # + # If an argument is given, #ssl_version= is called with the value. Note + # that this form is deprecated. New applications should use #min_version= + # and #max_version= as necessary. def initialize(version = nil) self.options |= OpenSSL::SSL::OP_ALL self.ssl_version = version if version @@ -106,8 +128,8 @@ module OpenSSL # # Sets saner defaults optimized for the use with HTTP-like protocols. # - # If a Hash +params+ is given, the parameters are overridden with it. - # The keys in +params+ must be assignment methods on SSLContext. + # If a Hash _params_ is given, the parameters are overridden with it. + # The keys in _params_ must be assignment methods on SSLContext. # # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and # cert_store are not set then the system default certificate store is @@ -122,6 +144,88 @@ module OpenSSL end return params end + + # call-seq: + # ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION + # ctx.min_version = :TLS1_2 + # ctx.min_version = nil + # + # Sets the lower bound on the supported SSL/TLS protocol version. The + # version may be specified by an integer constant named + # OpenSSL::SSL::*_VERSION, a Symbol, or +nil+ which means "any version". + # + # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v* + # options by #options= once you have called #min_version= or + # #max_version=. + # + # === Example + # ctx = OpenSSL::SSL::SSLContext.new + # ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION + # ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + # + # sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx) + # sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2 + def min_version=(version) + set_minmax_proto_version(version, @max_proto_version ||= nil) + @min_proto_version = version + end + + # call-seq: + # ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION + # ctx.max_version = :TLS1_2 + # ctx.max_version = nil + # + # Sets the upper bound of the supported SSL/TLS protocol version. See + # #min_version= for the possible values. + def max_version=(version) + set_minmax_proto_version(@min_proto_version ||= nil, version) + @max_proto_version = version + end + + # call-seq: + # ctx.ssl_version = :TLSv1 + # ctx.ssl_version = "SSLv23" + # + # Sets the SSL/TLS protocol version for the context. This forces + # connections to use only the specified protocol version. This is + # deprecated and only provided for backwards compatibility. Use + # #min_version= and #max_version= instead. + # + # === History + # As the name hints, this used to call the SSL_CTX_set_ssl_version() + # function which sets the SSL method used for connections created from + # the context. As of Ruby/OpenSSL 2.1, this accessor method is + # implemented to call #min_version= and #max_version= instead. + def ssl_version=(meth) + meth = meth.to_s if meth.is_a?(Symbol) + if /(?<type>_client|_server)\z/ =~ meth + meth = $` + if $VERBOSE + warn "#{caller(1)[0]}: method type #{type.inspect} is ignored" + end + end + version = METHODS_MAP[meth.intern] or + raise ArgumentError, "unknown SSL method `%s'" % meth + set_minmax_proto_version(version, version) + @min_proto_version = @max_proto_version = version + end + + METHODS_MAP = { + SSLv23: 0, + SSLv2: OpenSSL::SSL::SSL2_VERSION, + SSLv3: OpenSSL::SSL::SSL3_VERSION, + TLSv1: OpenSSL::SSL::TLS1_VERSION, + TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION, + TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION, + }.freeze + private_constant :METHODS_MAP + + # The list of available SSL/TLS methods. This constant is only provided + # for backwards compatibility. + METHODS = METHODS_MAP.flat_map { |name,| + [name, :"#{name}_client", :"#{name}_server"] + }.freeze + deprecate_constant :METHODS end module SocketForwarder @@ -242,9 +346,7 @@ module OpenSSL include Buffering include SocketForwarder - if ExtConfig::HAVE_TLSEXT_HOST_NAME - attr_reader :hostname - end + attr_reader :hostname # The underlying IO object. attr_reader :io @@ -317,7 +419,7 @@ module OpenSSL end def tmp_dh_callback - @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK + @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK end def tmp_ecdh_callback @@ -341,8 +443,8 @@ module OpenSSL attr_accessor :start_immediately # Creates a new instance of SSLServer. - # * +srv+ is an instance of TCPServer. - # * +ctx+ is an instance of OpenSSL::SSL::SSLContext. + # * _srv_ is an instance of TCPServer. + # * _ctx_ is an instance of OpenSSL::SSL::SSLContext. def initialize(svr, ctx) @svr = svr @ctx = ctx diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb index aef3456e0f..6d31b98c68 100644 --- a/ext/openssl/lib/openssl/x509.rb +++ b/ext/openssl/lib/openssl/x509.rb @@ -139,7 +139,13 @@ module OpenSSL end def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE) - ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) } + if str.start_with?("/") + # /A=B/C=D format + ary = str[1..-1].split("/").map { |i| i.split("=", 2) } + else + # Comma-separated + ary = str.split(",").map { |i| i.strip.split("=", 2) } + end self.new(ary, template) end |