* lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should

be verified against server's indentity as persented in the server's certificate. [ruby-dev:31960] * ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13656 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2007-10-08 11:14:41 +00:00 · 2007-10-08 11:14:41 +00:00 · 3ecc791ddc
commit 3ecc791ddc
parent 3465feb90b
6 changed files with 50 additions and 25 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Mon Oct  8 20:06:29 2007  GOTOU Yuuzou  <gotoyuzo@notwork.org>
+
+	* lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
+	  be verified against server's indentity as persented in the server's
+	  certificate. [ruby-dev:31960]
+
+	* ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.
+
 Sun Oct  7 22:37:47 2007  Kouhei Sutou  <kou@cozmixng.org>

 	* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
--- a/ext/openssl/lib/net/ftptls.rb
+++ b/ext/openssl/lib/net/ftptls.rb
@ -29,13 +29,23 @@ require 'net/ftp'

 module Net
  class FTPTLS < FTP
+    def connect(host, port=FTP_PORT)
+      @hostname = host
+      super
+    end
+
    def login(user = "anonymous", passwd = nil, acct = nil)
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
       ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+       ctx.cert_store = store
+       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.key = nil
       ctx.cert = nil
       voidcmd("AUTH TLS")
       @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
       @sock.connect
+       @sock.post_connection_check(@hostname)
       super(user, passwd, acct)
       voidcmd("PBSZ 0")
    end
--- a/ext/openssl/lib/net/telnets.rb
+++ b/ext/openssl/lib/net/telnets.rb
@ -134,6 +134,9 @@ module Net
            @sock.verify_callback = @options['VerifyCallback']
            @sock.verify_depth    = @options['VerifyDepth']
            @sock.connect
+            if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+              @sock.post_connection_check(@options['Host'])
+            end
            @ssl = true
          end
          ''
--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
@ -330,19 +330,10 @@ module Net
    end

    # Sends a STARTTLS command to start TLS session.
-    def starttls(ctx = nil)
-      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
-        raise RuntimeError, "already using SSL"
-      end
+    def starttls(certs = nil, verify = false)
      send_command("STARTTLS") do |resp|
        if resp.kind_of?(TaggedResponse) && resp.name == "OK"
-          if ctx
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
-          else
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock)
-          end
-          @sock.sync_close = true
-          @sock.connect
+          start_tls_session(certs, verify)
        end
      end
    end
@ -906,21 +897,8 @@ module Net
      @parser = ResponseParser.new
      @sock = TCPSocket.open(host, port)
      if usessl
-        unless defined?(OpenSSL)
-          raise "SSL extension not installed"
-        end
+        start_tls_session(certs, verify)
        @usessl = true
-
-        # verify the server.
-        context = SSLContext::new()
-        context.ca_file = certs if certs && FileTest::file?(certs)
-        context.ca_path = certs if certs && FileTest::directory?(certs)
-        context.verify_mode = VERIFY_PEER if verify
-        if defined?(VerifyCallbackProc)
-          context.verify_callback = VerifyCallbackProc 
-        end
-        @sock = SSLSocket.new(@sock, context)
-        @sock.connect   # start ssl session.
      else
        @usessl = false
      end
@ -1229,6 +1207,26 @@ module Net
      end
    end

+    def start_tls_session(certs, verify)
+      unless defined?(OpenSSL)
+        raise "SSL extension not installed"
+      end
+      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
+        raise RuntimeError, "already using SSL"
+      end
+      context = SSLContext::new()
+      context.ca_file = certs if certs && FileTest::file?(certs)
+      context.ca_path = certs if certs && FileTest::directory?(certs)
+      context.verify_mode = VERIFY_PEER if verify
+      if defined?(VerifyCallbackProc)
+        context.verify_callback = VerifyCallbackProc 
+      end
+      @sock = SSLSocket.new(@sock, context)
+      @sock.sync_close = true
+      @sock.connect
+      @sock.post_connection_check(@host) if verify
+    end
+
    class RawData # :nodoc:
      def send_data(imap)
        imap.send!(:put_string, @data)
--- a/lib/net/pop.rb
+++ b/lib/net/pop.rb
@ -533,6 +533,9 @@ module Net
        s = OpenSSL::SSL::SSLSocket.new(s, context)
        s.sync_close = true
        s.connect
+        if context.verify_mode != OpenSSL::SSL::VEIFY_NONE
+          s.post_connection_check(@address)
+        end
      end
      @socket = InternetMessageIO.new(s)
      logging "POP session started: #{@address}:#{@port} (#{@apop ? 'APOP' : 'POP'})"
--- a/lib/net/smtp.rb
+++ b/lib/net/smtp.rb
@ -578,6 +578,9 @@ module Net
      logging "TLS connection started"
      s.sync_close = true
      s.connect
+      if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        s.post_connection_check(@address)
+      end
      s
    end