kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity
ruby--ruby/ext/openssl/lib/openssl/ssl.rb
emboss 699b209cf8 * lib/openssl/ssl.rb: Explicitly whitelist the default 
SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
  compression by default.
  Reported by Jeff Hodges.
  [ruby-core:59829] [Bug #9424]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2014-03-06 01:43:53 +00:00

246 lines
7 KiB
Ruby
Raw Blame History

=begin
= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL
= Info
'OpenSSL for Ruby 2' project
Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
All rights reserved.
= Licence
This program is licenced under the same licence as Ruby.
(See the file 'LICENCE'.)
= Version
$Id$
=end
require "openssl/buffering"
require "fcntl"
module OpenSSL
module SSL
class SSLContext
DEFAULT_PARAMS = {
:ssl_version => "SSLv23",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:ciphers => %w{
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-SHA
DHE-DSS-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-RC4-SHA
RC4-SHA
}.join(":"),
:options => -> {
opts = OpenSSL::SSL::OP_ALL
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
}.call
}
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
DEFAULT_CERT_STORE.set_default_paths
if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
end
##
# Sets the parameters for this SSL context to the values in +params+.
# The keys in +params+ must be assignment methods on SSLContext.
#
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
# cert_store are not set then the system default certificate store is
# used.
def set_params(params={})
params = DEFAULT_PARAMS.merge(params)
params.each{|name, value| self.__send__("#{name}=", value) }
if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
unless self.ca_file or self.ca_path or self.cert_store
self.cert_store = DEFAULT_CERT_STORE
end
end
return params
end
end
module SocketForwarder
def addr
to_io.addr
end
def peeraddr
to_io.peeraddr
end
def setsockopt(level, optname, optval)
to_io.setsockopt(level, optname, optval)
end
def getsockopt(level, optname)
to_io.getsockopt(level, optname)
end
def fcntl(*args)
to_io.fcntl(*args)
end
def closed?
to_io.closed?
end
def do_not_reverse_lookup=(flag)
to_io.do_not_reverse_lookup = flag
end
end
module Nonblock
def initialize(*args)
flag = File::NONBLOCK
flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL)
@io.fcntl(Fcntl::F_SETFL, flag)
super
end
end
def verify_certificate_identity(cert, hostname)
should_verify_common_name = true
cert.extensions.each{|ext|
next if ext.oid != "subjectAltName"
ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
sequence = OpenSSL::ASN1.decode(ostr.value)
sequence.value.each{|san|
case san.tag
when 2 # dNSName in GeneralName (RFC5280)
should_verify_common_name = false
reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
when 7 # iPAddress in GeneralName (RFC5280)
should_verify_common_name = false
# follows GENERAL_NAME_print() in x509v3/v3_alt.c
if san.value.size == 4
return true if san.value.unpack('C*').join('.') == hostname
elsif san.value.size == 16
return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
end
end
}
}
if should_verify_common_name
cert.subject.to_a.each{|oid, value|
if oid == "CN"
reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
end
}
end
return false
end
module_function :verify_certificate_identity
class SSLSocket
include Buffering
include SocketForwarder
include Nonblock
def post_connection_check(hostname)
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
end
return true
end
def session
SSL::Session.new(self)
rescue SSL::Session::SessionError
nil
end
end
##
# SSLServer represents a TCP/IP server socket with Secure Sockets Layer.
class SSLServer
include SocketForwarder
# When true then #accept works exactly the same as TCPServer#accept
attr_accessor :start_immediately
# Creates a new instance of SSLServer.
# * +srv+ is an instance of TCPServer.
# * +ctx+ is an instance of OpenSSL::SSL::SSLContext.
def initialize(svr, ctx)
@svr = svr
@ctx = ctx
unless ctx.session_id_context
# see #6137 - session id may not exceed 32 bytes
prng = ::Random.new($0.hash)
session_id = prng.bytes(16).unpack('H*')[0]
@ctx.session_id_context = session_id
end
@start_immediately = true
end
# Returns the TCPServer passed to the SSLServer when initialized.
def to_io
@svr
end
# See TCPServer#listen for details.
def listen(backlog=5)
@svr.listen(backlog)
end
# See BasicSocket#shutdown for details.
def shutdown(how=Socket::SHUT_RDWR)
@svr.shutdown(how)
end
# Works similar to TCPServer#accept.
def accept
sock = @svr.accept
begin
ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
ssl.sync_close = true
ssl.accept if @start_immediately
ssl
rescue SSLError => ex
sock.close
raise ex
end
end
# See IO#close for details.
def close
@svr.close
end
end
end
end
View git blame Copy permalink