[前][次][番号順一覧][スレッド一覧]

ruby-changes:2165

From: ko1@a...
Date: 8 Oct 2007 20:15:01 +0900
Subject: [ruby-changes:2165] gotoyuzo - Ruby:r13656 (trunk): * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should

gotoyuzo	2007-10-08 20:14:41 +0900 (Mon, 08 Oct 2007)

  New Revision: 13656

  Modified files:
    trunk/ChangeLog
    trunk/ext/openssl/lib/net/ftptls.rb
    trunk/ext/openssl/lib/net/telnets.rb
    trunk/lib/net/imap.rb
    trunk/lib/net/pop.rb
    trunk/lib/net/smtp.rb

  Log:
    * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
      be verified against server's indentity as persented in the server's
      certificate. [ruby-dev:31960]
    
    * ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.


  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/imap.rb?r1=13656&r2=13655
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/telnets.rb?r1=13656&r2=13655
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=13656&r2=13655
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/smtp.rb?r1=13656&r2=13655
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/pop.rb?r1=13656&r2=13655
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/ftptls.rb?r1=13656&r2=13655

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 13655)
+++ ChangeLog	(revision 13656)
@@ -1,3 +1,11 @@
+Mon Oct  8 20:06:29 2007  GOTOU Yuuzou  <gotoyuzo@n...>
+
+	* lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
+	  be verified against server's indentity as persented in the server's
+	  certificate. [ruby-dev:31960]
+
+	* ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.
+
 Sun Oct  7 22:37:47 2007  Kouhei Sutou  <kou@c...>
 
 	* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
Index: lib/net/pop.rb
===================================================================
--- lib/net/pop.rb	(revision 13655)
+++ lib/net/pop.rb	(revision 13656)
@@ -533,6 +533,9 @@
         s = OpenSSL::SSL::SSLSocket.new(s, context)
         s.sync_close = true
         s.connect
+        if context.verify_mode != OpenSSL::SSL::VEIFY_NONE
+          s.post_connection_check(@address)
+        end
       end
       @socket = InternetMessageIO.new(s)
       logging "POP session started: #{@address}:#{@port} (#{@apop ? 'APOP' : 'POP'})"
Index: lib/net/smtp.rb
===================================================================
--- lib/net/smtp.rb	(revision 13655)
+++ lib/net/smtp.rb	(revision 13656)
@@ -578,6 +578,9 @@
       logging "TLS connection started"
       s.sync_close = true
       s.connect
+      if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        s.post_connection_check(@address)
+      end
       s
     end
 
Index: lib/net/imap.rb
===================================================================
--- lib/net/imap.rb	(revision 13655)
+++ lib/net/imap.rb	(revision 13656)
@@ -330,19 +330,10 @@
     end
 
     # Sends a STARTTLS command to start TLS session.
-    def starttls(ctx = nil)
-      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
-        raise RuntimeError, "already using SSL"
-      end
+    def starttls(certs = nil, verify = false)
       send_command("STARTTLS") do |resp|
         if resp.kind_of?(TaggedResponse) && resp.name == "OK"
-          if ctx
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
-          else
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock)
-          end
-          @sock.sync_close = true
-          @sock.connect
+          start_tls_session(certs, verify)
         end
       end
     end
@@ -906,21 +897,8 @@
       @parser = ResponseParser.new
       @sock = TCPSocket.open(host, port)
       if usessl
-        unless defined?(OpenSSL)
-          raise "SSL extension not installed"
-        end
+        start_tls_session(certs, verify)
         @usessl = true
-
-        # verify the server.
-        context = SSLContext::new()
-        context.ca_file = certs if certs && FileTest::file?(certs)
-        context.ca_path = certs if certs && FileTest::directory?(certs)
-        context.verify_mode = VERIFY_PEER if verify
-        if defined?(VerifyCallbackProc)
-          context.verify_callback = VerifyCallbackProc 
-        end
-        @sock = SSLSocket.new(@sock, context)
-        @sock.connect   # start ssl session.
       else
         @usessl = false
       end
@@ -1229,6 +1207,26 @@
       end
     end
 
+    def start_tls_session(certs, verify)
+      unless defined?(OpenSSL)
+        raise "SSL extension not installed"
+      end
+      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
+        raise RuntimeError, "already using SSL"
+      end
+      context = SSLContext::new()
+      context.ca_file = certs if certs && FileTest::file?(certs)
+      context.ca_path = certs if certs && FileTest::directory?(certs)
+      context.verify_mode = VERIFY_PEER if verify
+      if defined?(VerifyCallbackProc)
+        context.verify_callback = VerifyCallbackProc 
+      end
+      @sock = SSLSocket.new(@sock, context)
+      @sock.sync_close = true
+      @sock.connect
+      @sock.post_connection_check(@host) if verify
+    end
+
     class RawData # :nodoc:
       def send_data(imap)
         imap.send!(:put_string, @data)
Index: ext/openssl/lib/net/telnets.rb
===================================================================
--- ext/openssl/lib/net/telnets.rb	(revision 13655)
+++ ext/openssl/lib/net/telnets.rb	(revision 13656)
@@ -134,6 +134,9 @@
             @sock.verify_callback = @options['VerifyCallback']
             @sock.verify_depth    = @options['VerifyDepth']
             @sock.connect
+            if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+              @sock.post_connection_check(@options['Host'])
+            end
             @ssl = true
           end
           ''
Index: ext/openssl/lib/net/ftptls.rb
===================================================================
--- ext/openssl/lib/net/ftptls.rb	(revision 13655)
+++ ext/openssl/lib/net/ftptls.rb	(revision 13656)
@@ -29,13 +29,23 @@
 
 module Net
   class FTPTLS < FTP
+    def connect(host, port=FTP_PORT)
+      @hostname = host
+      super
+    end
+
     def login(user = "anonymous", passwd = nil, acct = nil)
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
        ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+       ctx.cert_store = store
+       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
        ctx.key = nil
        ctx.cert = nil
        voidcmd("AUTH TLS")
        @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
        @sock.connect
+       @sock.post_connection_check(@hostname)
        super(user, passwd, acct)
        voidcmd("PBSZ 0")
     end

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml

[前][次][番号順一覧][スレッド一覧]