
Viewing changes to ext/openssl/lib/openssl/ssl.rb

  • Committer: Bazaar Package Importer
  • Author(s): Stephan Hermann
  • Date: 2008-01-24 11:42:29 UTC
  • mfrom: (1.1.9 upstream)
  • Revision ID: james.westby@ubuntu.com-20080124114229-jw2f87rdxlq6gp11
Tags: 1.9.0.0-2ubuntu1
* Merge from debian unstable, remaining changes:
  - Robustify check for target_os, fixing build failure on lpia.

11
11
  (See the file 'LICENCE'.)
12
12
 
13
13
= Version
14
 
  $Id: ssl.rb 12134 2007-04-02 22:10:12Z technorama $
 
14
  $Id: ssl.rb 14479 2007-12-22 08:31:53Z gotoyuzo $
15
15
=end
16
16
 
17
17
require "openssl"
20
20
 
21
21
module OpenSSL
22
22
  module SSL
 
23
    class SSLContext
 
24
      DEFAULT_PARAMS = {
 
25
        :ssl_version => "SSLv23",
 
26
        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
 
27
        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
 
28
        :options => OpenSSL::SSL::OP_ALL,
 
29
      }
 
30
 
 
31
      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
 
32
      DEFAULT_CERT_STORE.set_default_paths
 
33
      if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
 
34
        DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
 
35
      end
 
36
 
 
37
      def set_params(params={})
 
38
        params = DEFAULT_PARAMS.merge(params)
 
39
        params.each{|name, value| self.__send__("#{name}=", value) }
 
40
        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
 
41
          unless self.ca_file or self.ca_path or self.cert_store
 
42
            self.cert_store = DEFAULT_CERT_STORE
 
43
          end
 
44
        end
 
45
        return params
 
46
      end
 
47
    end
 
48
 
23
49
    module SocketForwarder
24
50
      def addr
25
51
        to_io.addr
59
85
      end
60
86
    end
61
87
 
 
88
    def verify_certificate_identity(cert, hostname)
 
89
      should_verify_common_name = true
 
90
      cert.extensions.each{|ext|
 
91
        next if ext.oid != "subjectAltName"
 
92
        ext.value.split(/,\s+/).each{|general_name|
 
93
          if /\ADNS:(.*)/ =~ general_name
 
94
            should_verify_common_name = false
 
95
            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
 
96
            return true if /\A#{reg}\z/i =~ hostname
 
97
          elsif /\AIP Address:(.*)/ =~ general_name
 
98
            should_verify_common_name = false
 
99
            return true if $1 == hostname
 
100
          end
 
101
        }
 
102
      }
 
103
      if should_verify_common_name
 
104
        cert.subject.to_a.each{|oid, value|
 
105
          if oid == "CN"
 
106
            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
 
107
            return true if /\A#{reg}\z/i =~ hostname
 
108
          end
 
109
        }
 
110
      end
 
111
      return false
 
112
    end
 
113
    module_function :verify_certificate_identity
 
114
 
62
115
    class SSLSocket
63
116
      include Buffering
64
117
      include SocketForwarder
65
118
      include Nonblock
66
119
 
67
120
      def post_connection_check(hostname)
68
 
        check_common_name = true
69
 
        cert = peer_cert
70
 
        cert.extensions.each{|ext|
71
 
          next if ext.oid != "subjectAltName"
72
 
          ext.value.split(/,\s+/).each{|general_name|
73
 
            if /\ADNS:(.*)/ =~ general_name
74
 
              check_common_name = false
75
 
              reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
76
 
              return true if /\A#{reg}\z/i =~ hostname
77
 
            elsif /\AIP Address:(.*)/ =~ general_name
78
 
              check_common_name = false
79
 
              return true if $1 == hostname
80
 
            end
81
 
          }
82
 
        }
83
 
        if check_common_name
84
 
          cert.subject.to_a.each{|oid, value|
85
 
            if oid == "CN"
86
 
              reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
87
 
              return true if /\A#{reg}\z/i =~ hostname
88
 
            end
89
 
          }
 
121
        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
 
122
          raise SSLError, "hostname was not match with the server certificate"
90
123
        end
91
 
        raise SSLError, "hostname not match"
 
124
        return true
92
125
      end
93
126
 
94
127
      def session
120
153
        @svr.listen(backlog)
121
154
      end
122
155
 
 
156
      def shutdown(how=Socket::SHUT_RDWR)
 
157
        @svr.shutdown(how)
 
158
      end
 
159
 
123
160
      def accept
124
161
        sock = @svr.accept
125
162
        begin