1 | =begin
2 | = $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
3 |
4 | = Info
5 | 'OpenSSL for Ruby 2' project
6 | Copyright (C) 2001 GOTOU YUUZOU <[email protected]>
7 | All rights reserved.
8 |
9 | = Licence
10 | This program is licenced under the same licence as Ruby.
11 | (See the file 'LICENCE'.)
12 |
13 | = Version
14 | $Id: ssl.rb 11708 2007-02-12 23:01:19Z shyouhei $
15 | =end
16 |
17 | require "openssl"
18 | require "openssl/buffering"
19 | require "fcntl"
20 |
21 | module OpenSSL
22 | module SSL
module SocketForwarder
  # Mixed into SSLSocket and SSLServer: forwards a handful of socket
  # accessors to the object returned by +to_io+ (which the including class
  # must define), so the wrapper can stand in where a plain socket is
  # expected.

  # Zero-argument queries, forwarded verbatim to the underlying socket.
  %i[addr peeraddr closed?].each do |query|
    define_method(query) { to_io.public_send(query) }
  end

  # Set a socket option on the underlying socket.
  # @param level, optname, optval passed through unchanged
  def setsockopt(level, optname, optval)
    to_io.setsockopt(level, optname, optval)
  end

  # Read a socket option from the underlying socket.
  def getsockopt(level, optname)
    to_io.getsockopt(level, optname)
  end

  # Forward any fcntl(2) call to the underlying socket.
  # @param args passed through unchanged
  def fcntl(*args)
    to_io.fcntl(*args)
  end

  # Control reverse DNS lookups on the underlying socket.
  # @param flag [Boolean]
  def do_not_reverse_lookup=(flag)
    to_io.do_not_reverse_lookup = flag
  end
end
module Nonblock
  # Switch the wrapped descriptor (+@io+) to non-blocking mode, then let
  # the rest of the initialize chain run.
  #
  # +@io+ is read before +super+, so this relies on an earlier step of the
  # initialize chain having assigned it already — TODO confirm against the
  # C-space initialize. O_NONBLOCK is a file-status flag, so it also
  # affects any other handle that shares the same open file description.
  #
  # @param args forwarded unchanged to the next +initialize+
  def initialize(*args)
    current = defined?(Fcntl::F_GETFL) ? @io.fcntl(Fcntl::F_GETFL) : 0
    @io.fcntl(Fcntl::F_SETFL, current | File::NONBLOCK)
    super(*args)
  end
end
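class SSLSocket
  include Buffering
  include SocketForwarder
  include Nonblock

  # Check that the peer's certificate was issued for +hostname+, the host
  # the caller meant to reach. Call it after the handshake: chain
  # verification alone does not prove the certificate belongs to that host.
  #
  # Identities are taken from the subjectAltName extension first; its
  # OpenSSL text rendering is parsed, so entries are expected as
  # ", "-separated "DNS:..." and "IP Address:..." items. The subject CN is
  # consulted only when the certificate carries no dNSName/iPAddress entry
  # at all (unchanged from before). A "*" in a dNSName or CN is honoured
  # only as the whole leftmost label with at least two labels after it
  # (see #hostname_matches?); the previous unrestricted expansion let
  # patterns such as "*", "*.com" or "www.*.com" match arbitrary hosts.
  #
  # @param hostname [String] expected DNS name, or IP address in text form
  # @return [true] as soon as one identity matches
  # @raise [SSLError] when no peer certificate is available or no identity
  #   matches +hostname+
  def post_connection_check(hostname)
    cert = peer_cert
    # A missing certificate used to surface as NoMethodError on nil;
    # callers handle SSLError, so raise that instead.
    raise SSLError, "no peer certificate to check hostname against" unless cert

    check_common_name = true
    cert.extensions.each do |ext|
      next unless ext.oid == "subjectAltName"
      ext.value.split(/,\s+/).each do |general_name|
        case general_name
        when /\ADNS:(.*)/
          # Once any dNSName is present the CN is no longer authoritative,
          # even if this particular entry does not match.
          check_common_name = false
          return true if hostname_matches?(Regexp.last_match(1), hostname)
        when /\AIP Address:(.*)/
          check_common_name = false
          # Plain textual comparison; the address is not canonicalised.
          return true if Regexp.last_match(1) == hostname
        end
      end
    end

    if check_common_name
      cert.subject.to_a.each do |oid, value, _type|
        next unless oid == "CN"
        return true if hostname_matches?(value, hostname)
      end
    end
    raise SSLError, "hostname not match"
  end

  private

  # Match +hostname+ against a dNSName/CN +pattern+, case-insensitively.
  #
  # The wildcard is honoured only when it is the entire leftmost label and
  # the remainder consists of at least two non-empty labels without a
  # further "*": "*.example.com" matches "www.example.com" but not
  # "a.b.example.com" or "example.com". Every other pattern is matched
  # literally, so "*", "*.com" and "f*o.example.com" match nothing but
  # those exact strings.
  #
  # @param pattern [String] identity taken from the certificate
  # @param hostname [String] host name supplied by the caller
  # @return [Boolean]
  def hostname_matches?(pattern, hostname)
    first, *rest = pattern.split(".", -1)
    leftmost_wildcard = first == "*" &&
                        rest.size >= 2 &&
                        rest.none? { |label| label.empty? || label.include?("*") }
    reg = if leftmost_wildcard
            # "[^.]+" stands in for exactly one non-empty label.
            "[^.]+" + Regexp.escape(pattern[1..-1])
          else
            Regexp.escape(pattern)
          end
    !!(/\A#{reg}\z/i =~ hostname)
  end
end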
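class SSLServer
  include SocketForwarder

  # When true (the default) #accept completes the TLS handshake before
  # returning; when false the returned SSLSocket has not shaken hands yet
  # and the caller runs SSLSocket#accept itself.
  attr_accessor :start_immediately

  # Wrap an accepting socket so that #accept hands out SSLSockets.
  #
  # @param svr [#accept, #listen, #close] the listening socket; it is also
  #   what #to_io (and hence SocketForwarder) exposes
  # @param ctx [SSLContext] applied to every accepted connection
  def initialize(svr, ctx)
    @svr = svr
    @ctx = ctx
    # Fill in a session id context when the caller left it unset,
    # presumably so that server-side session reuse works (confirm against
    # the OpenSSL docs for SSL_CTX_set_session_id_context). MD5 serves only
    # as a short, stable fingerprint of the program name here; the value
    # is an identifier, not a secret.
    unless ctx.session_id_context
      @ctx.session_id_context = OpenSSL::Digest::MD5.hexdigest($0)
    end
    @start_immediately = true
  end

  # The underlying listening socket (used by SocketForwarder).
  def to_io
    @svr
  end

  # Start listening on the wrapped socket.
  # @param backlog [Integer] pending-connection queue length
  def listen(backlog=5)
    @svr.listen(backlog)
  end

  # Accept one connection and wrap it in an SSLSocket.
  #
  # The accepted descriptor must not leak when wrapping or the handshake
  # fails. Cleanup used to run only for SSLError, so any other exception
  # raised in between (e.g. a SystemCallError or IOError from the socket,
  # or an Interrupt) left +sock+ open; the +ensure+ below closes whatever
  # owns the descriptor on every abnormal exit and lets the exception
  # propagate unchanged.
  #
  # @return [SSLSocket] handshake already done when #start_immediately
  # @raise [SSLError] on handshake failure; other errors from the
  #   underlying socket propagate as they are
  def accept
    sock = @svr.accept
    ssl = nil
    done = false
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
      ssl.sync_close = true   # closing ssl closes sock as well
      ssl.accept if @start_immediately
      done = true
      ssl
    ensure
      unless done
        ssl.close if ssl
        sock.close unless sock.closed?
      end
    end
  end

  # Close the listening socket.
  def close
    @svr.close
  end
end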
134 | end
135 | end