ruby-changes:2165
From: ko1@a...
Date: 8 Oct 2007 20:15:01 +0900
Subject: [ruby-changes:2165] gotoyuzo - Ruby:r13656 (trunk): * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
gotoyuzo 2007-10-08 20:14:41 +0900 (Mon, 08 Oct 2007) New Revision: 13656 Modified files: trunk/ChangeLog trunk/ext/openssl/lib/net/ftptls.rb trunk/ext/openssl/lib/net/telnets.rb trunk/lib/net/imap.rb trunk/lib/net/pop.rb trunk/lib/net/smtp.rb Log: * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should be verified against server's indentity as persented in the server's certificate. [ruby-dev:31960] * ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/imap.rb?r1=13656&r2=13655 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/telnets.rb?r1=13656&r2=13655 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=13656&r2=13655 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/smtp.rb?r1=13656&r2=13655 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/pop.rb?r1=13656&r2=13655 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/ftptls.rb?r1=13656&r2=13655 Index: ChangeLog =================================================================== --- ChangeLog (revision 13655) +++ ChangeLog (revision 13656) @@ -1,3 +1,11 @@ +Mon Oct 8 20:06:29 2007 GOTOU Yuuzou <gotoyuzo@n...> + + * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should + be verified against server's indentity as persented in the server's + certificate. [ruby-dev:31960] + + * ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto. + Sun Oct 7 22:37:47 2007 Kouhei Sutou <kou@c...> * test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb, Index: lib/net/pop.rb =================================================================== --- lib/net/pop.rb (revision 13655) +++ lib/net/pop.rb (revision 13656) @@ -533,6 +533,9 @@ s = OpenSSL::SSL::SSLSocket.new(s, context) s.sync_close = true s.connect + if context.verify_mode != OpenSSL::SSL::VEIFY_NONE + s.post_connection_check(@address) + end end @socket = InternetMessageIO.new(s) logging "POP session started: #{@address}:#{@port} (#{@apop ? 'APOP' : 'POP'})" Index: lib/net/smtp.rb =================================================================== --- lib/net/smtp.rb (revision 13655) +++ lib/net/smtp.rb (revision 13656) @@ -578,6 +578,9 @@ logging "TLS connection started" s.sync_close = true s.connect + if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE + s.post_connection_check(@address) + end s end Index: lib/net/imap.rb =================================================================== --- lib/net/imap.rb (revision 13655) +++ lib/net/imap.rb (revision 13656) @@ -330,19 +330,10 @@ end # Sends a STARTTLS command to start TLS session. - def starttls(ctx = nil) - if @sock.kind_of?(OpenSSL::SSL::SSLSocket) - raise RuntimeError, "already using SSL" - end + def starttls(certs = nil, verify = false) send_command("STARTTLS") do |resp| if resp.kind_of?(TaggedResponse) && resp.name == "OK" - if ctx - @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) - else - @sock = OpenSSL::SSL::SSLSocket.new(@sock) - end - @sock.sync_close = true - @sock.connect + start_tls_session(certs, verify) end end end @@ -906,21 +897,8 @@ @parser = ResponseParser.new @sock = TCPSocket.open(host, port) if usessl - unless defined?(OpenSSL) - raise "SSL extension not installed" - end + start_tls_session(certs, verify) @usessl = true - - # verify the server. - context = SSLContext::new() - context.ca_file = certs if certs && FileTest::file?(certs) - context.ca_path = certs if certs && FileTest::directory?(certs) - context.verify_mode = VERIFY_PEER if verify - if defined?(VerifyCallbackProc) - context.verify_callback = VerifyCallbackProc - end - @sock = SSLSocket.new(@sock, context) - @sock.connect # start ssl session. else @usessl = false end @@ -1229,6 +1207,26 @@ end end + def start_tls_session(certs, verify) + unless defined?(OpenSSL) + raise "SSL extension not installed" + end + if @sock.kind_of?(OpenSSL::SSL::SSLSocket) + raise RuntimeError, "already using SSL" + end + context = SSLContext::new() + context.ca_file = certs if certs && FileTest::file?(certs) + context.ca_path = certs if certs && FileTest::directory?(certs) + context.verify_mode = VERIFY_PEER if verify + if defined?(VerifyCallbackProc) + context.verify_callback = VerifyCallbackProc + end + @sock = SSLSocket.new(@sock, context) + @sock.sync_close = true + @sock.connect + @sock.post_connection_check(@host) if verify + end + class RawData # :nodoc: def send_data(imap) imap.send!(:put_string, @data) Index: ext/openssl/lib/net/telnets.rb =================================================================== --- ext/openssl/lib/net/telnets.rb (revision 13655) +++ ext/openssl/lib/net/telnets.rb (revision 13656) @@ -134,6 +134,9 @@ @sock.verify_callback = @options['VerifyCallback'] @sock.verify_depth = @options['VerifyDepth'] @sock.connect + if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE + @sock.post_connection_check(@options['Host']) + end @ssl = true end '' Index: ext/openssl/lib/net/ftptls.rb =================================================================== --- ext/openssl/lib/net/ftptls.rb (revision 13655) +++ ext/openssl/lib/net/ftptls.rb (revision 13656) @@ -29,13 +29,23 @@ module Net class FTPTLS < FTP + def connect(host, port=FTP_PORT) + @hostname = host + super + end + def login(user = "anonymous", passwd = nil, acct = nil) + store = OpenSSL::X509::Store.new + store.set_default_paths ctx = OpenSSL::SSL::SSLContext.new('SSLv23') + ctx.cert_store = store + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER ctx.key = nil ctx.cert = nil voidcmd("AUTH TLS") @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) @sock.connect + @sock.post_connection_check(@hostname) super(user, passwd, acct) voidcmd("PBSZ 0") end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml