# HG changeset patch # User April Chin # Date 1434575639 25200 # Node ID 30be54ba3f0e287f6101d72c8fa637c71f5c74d3 # Parent 72aac4474845ae1b73dededa87adf40cef3655e6 20877842 problem in UTILITY/RUBY 21257154 ruby(1) man page for Ruby 1.8 should note pending obsoletion diff -r 72aac4474845 -r 30be54ba3f0e components/ruby/ruby-18/Solaris/ruby.1.sedscript --- a/components/ruby/ruby-18/Solaris/ruby.1.sedscript Tue Jun 23 09:06:28 2015 -0700 +++ b/components/ruby/ruby-18/Solaris/ruby.1.sedscript Wed Jun 17 14:13:59 2015 -0700 @@ -20,7 +20,7 @@ # # -# Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved. # 1i\ '\\" t\ @@ -61,6 +61,18 @@ installed on this system. \ .PP\ .SH NOTES\ -Source for ruby is available on http://opensolaris.org.\ +Ruby 1.8 may be removed in a future update.\ +Please migrate to a newer version.\ +.sp\ +If it is desired to keep the obsolete version of Ruby\ +then it should be frozen to prevent its removal by a future update.\ +.sp\ +.in +2\ +pkg freeze 'runtime/ruby-18'\ +pkg change-facet --no-backup-be 'version-lock.runtime/ruby-18=False'\ +.in -2\ +.sp\ +Please note that the freezing of packages may yield an unsupportable system so use with caution.\ +.sp\ The documentation for DTrace probes are available on http://dtrace.joyent.com.\ \.\\" End Oracle update diff -r 72aac4474845 -r 30be54ba3f0e components/ruby/ruby-18/patches/12-ssl-internal_rb.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/ruby/ruby-18/patches/12-ssl-internal_rb.patch Wed Jun 17 14:13:59 2015 -0700 @@ -0,0 +1,245 @@ +# Fix based on upstream fix to Ruby 2.2.x +# https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596 + +diff -rup ruby-1.8.7-p374-orig/ext/openssl/lib/openssl/ssl-internal.rb ruby-1.8.7-p374/ext/openssl/lib/openssl/ssl-internal.rb +--- ruby-1.8.7-p374-orig/ext/openssl/lib/openssl/ssl-internal.rb 2013-06-27 04:22:26.000000000 -0700 ++++ ruby-1.8.7-p374/ext/openssl/lib/openssl/ssl-internal.rb 2015-05-22 09:37:15.297155498 -0700 +@@ -96,8 +96,7 @@ module OpenSSL + case san.tag + when 2 # dNSName in GeneralName (RFC5280) + should_verify_common_name = false +- reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+") +- return true if /\A#{reg}\z/i =~ hostname ++ return true if verify_hostname(hostname, san.value) + when 7 # iPAddress in GeneralName (RFC5280) + should_verify_common_name = false + # follows GENERAL_NAME_print() in x509v3/v3_alt.c +@@ -112,8 +111,7 @@ module OpenSSL + if should_verify_common_name + cert.subject.to_a.each{|oid, value| + if oid == "CN" +- reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+") +- return true if /\A#{reg}\z/i =~ hostname ++ return true if verify_hostname(hostname, value) + end + } + end +@@ -121,6 +119,57 @@ module OpenSSL + end + module_function :verify_certificate_identity + ++ def verify_hostname(hostname, san) # :nodoc: ++ # RFC 5280, IA5String is limited to the set of ASCII characters ++ return false if san =~ /[\x80-\xff]/ ++ return false if hostname =~ /[\x80-\xff]/ ++ ++ # See RFC 6125, section 6.4.1 ++ # Matching is case-insensitive. ++ san_parts = san.downcase.split(".") ++ ++ # TODO: this behavior should probably be more strict ++ return san == hostname if san_parts.size < 2 ++ ++ # Matching is case-insensitive. ++ host_parts = hostname.downcase.split(".") ++ ++ # RFC 6125, section 6.4.3, subitem 2. ++ # If the wildcard character is the only character of the left-most ++ # label in the presented identifier, the client SHOULD NOT compare ++ # against anything but the left-most label of the reference ++ # identifier (e.g., *.example.com would match foo.example.com but ++ # not bar.foo.example.com or example.com). ++ return false unless san_parts.size == host_parts.size ++ ++ # RFC 6125, section 6.4.3, subitem 1. ++ # The client SHOULD NOT attempt to match a presented identifier in ++ # which the wildcard character comprises a label other than the ++ # left-most label (e.g., do not match bar.*.example.net). ++ return false unless verify_wildcard(host_parts.shift, san_parts.shift) ++ ++ san_parts.join(".") == host_parts.join(".") ++ end ++ module_function :verify_hostname ++ ++ def verify_wildcard(domain_component, san_component) # :nodoc: ++ parts = san_component.split("*", -1) ++ ++ return false if parts.size > 2 ++ return san_component == domain_component if parts.size == 1 ++ ++ # RFC 6125, section 6.4.3, subitem 3. ++ # The client SHOULD NOT attempt to match a presented identifier ++ # where the wildcard character is embedded within an A-label or ++ # U-label of an internationalized domain name. ++ return false if domain_component.start_with?("xn--") && san_component != "*" ++ ++ parts[0].length + parts[1].length < domain_component.length && ++ domain_component.start_with?(parts[0]) && ++ domain_component.end_with?(parts[1]) ++ end ++ module_function :verify_wildcard ++ + class SSLSocket + include Buffering + include SocketForwarder +diff -rup ruby-1.8.7-p374-orig/test/openssl/test_ssl.rb ruby-1.8.7-p374/test/openssl/test_ssl.rb +--- ruby-1.8.7-p374-orig/test/openssl/test_ssl.rb 2013-06-27 04:56:26.000000000 -0700 ++++ ruby-1.8.7-p374/test/openssl/test_ssl.rb 2015-05-22 09:20:43.087572444 -0700 +@@ -569,6 +569,157 @@ class OpenSSL::TestSSL < Test::Unit::Tes + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17')) + end ++ ++ def test_verify_hostname ++ assert_equal(true, OpenSSL::SSL.verify_hostname("www.example.com", "*.example.com")) ++ assert_equal(false, OpenSSL::SSL.verify_hostname("www.subdomain.example.com", "*.example.com")) ++ end ++ ++ def test_verify_wildcard ++ assert_equal(false, OpenSSL::SSL.verify_wildcard("foo", "x*")) ++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "foo")) ++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "f*")) ++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "*")) ++ assert_equal(false, OpenSSL::SSL.verify_wildcard("abc*bcd", "abcd")) ++ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "x*")) ++ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "*--qdk4b9b")) ++ assert_equal(true, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "xn--qdk4b9b")) ++ end ++ ++ # Comments in this test is excerpted from http://tools.ietf.org/html/rfc6125#page-27 ++ def test_post_connection_check_wildcard_san ++ # case-insensitive ASCII comparison ++ # RFC 6125, section 6.4.1 ++ # ++ # "..matching of the reference identifier against the presented identifier ++ # is performed by comparing the set of domain name labels using a ++ # case-insensitive ASCII comparison, as clarified by [DNS-CASE] (e.g., ++ # "WWW.Example.Com" would be lower-cased to "www.example.com" for ++ # comparison purposes) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*.example.com'), 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*.Example.COM'), 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*.example.com'), 'WWW.Example.COM')) ++ # 1. The client SHOULD NOT attempt to match a presented identifier in ++ # which the wildcard character comprises a label other than the ++ # left-most label (e.g., do not match bar.*.example.net). ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:www.*.com'), 'www.example.com')) ++ # 2. If the wildcard character is the only character of the left-most ++ # label in the presented identifier, the client SHOULD NOT compare ++ # against anything but the left-most label of the reference ++ # identifier (e.g., *.example.com would match foo.example.com but ++ # not bar.foo.example.com or example.com). ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*.example.com'), 'foo.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*.example.com'), 'bar.foo.example.com')) ++ # 3. The client MAY match a presented identifier in which the wildcard ++ # character is not the only character of the label (e.g., ++ # baz*.example.net and *baz.example.net and b*z.example.net would ++ # be taken to match baz1.example.net and foobaz.example.net and ++ # buzz.example.net, respectively). ... ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com')) ++ # Section 6.4.3 of RFC6125 states that client should NOT match identifier ++ # where wildcard is other than left-most label. ++ # ++ # Also implicitly mentions the wildcard character only in singular form, ++ # and discourages matching against more than one wildcard. ++ # ++ # See RFC 6125, section 7.2, subitem 2. ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*b*.example.com'), 'abc.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*b*.example.com'), 'ab.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:*b*.example.com'), 'bc.example.com')) ++ # ... However, the client SHOULD NOT ++ # attempt to match a presented identifier where the wildcard ++ # character is embedded within an A-label or U-label [IDNA-DEFS] of ++ # an internationalized domain name [IDNA-PROTO]. ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:xn*.example.com'), 'xn1ca.example.com')) ++ # part of A-label ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:xn--*.example.com'), 'xn--1ca.example.com')) ++ # part of U-label ++ # dNSName in RFC5280 is an IA5String so U-label should NOT be allowed ++ # regardless of wildcard. ++ # ++ # See Section 7.2 of RFC 5280: ++ # IA5String is limited to the set of ASCII characters. ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_san('DNS:á*.example.com'), 'á1.example.com')) ++ end ++ ++ def test_post_connection_check_wildcard_cn ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*.example.com'), 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*.Example.COM'), 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*.example.com'), 'WWW.Example.COM')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('www.*.com'), 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*.example.com'), 'foo.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*.example.com'), 'bar.foo.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('baz*.example.com'), 'baz1.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*baz.example.com'), 'foobaz.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('b*z.example.com'), 'buzz.example.com')) ++ # Section 6.4.3 of RFC6125 states that client should NOT match identifier ++ # where wildcard is other than left-most label. ++ # ++ # Also implicitly mentions the wildcard character only in singular form, ++ # and discourages matching against more than one wildcard. ++ # ++ # See RFC 6125, section 7.2, subitem 2. ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*b*.example.com'), 'abc.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*b*.example.com'), 'ab.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('*b*.example.com'), 'bc.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('xn*.example.com'), 'xn1ca.example.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('xn--*.example.com'), 'xn--1ca.example.com')) ++ # part of U-label ++ # Subject in RFC5280 states case-insensitive ASCII comparison. ++ # ++ # See Section 7.2 of RFC 5280: ++ # IA5String is limited to the set of ASCII characters. ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity( ++ create_cert_with_name('á*.example.com'), 'á1.example.com')) ++ end ++ ++ def create_cert_with_san(san) ++ ef = OpenSSL::X509::ExtensionFactory.new ++ cert = OpenSSL::X509::Certificate.new ++ cert.subject = OpenSSL::X509::Name.parse("/DC=some/DC=site/CN=Some Site") ++ ext = ef.create_ext('subjectAltName', san) ++ cert.add_extension(ext) ++ cert ++ end ++ ++ def create_cert_with_name(name) ++ cert = OpenSSL::X509::Certificate.new ++ cert.subject = OpenSSL::X509::Name.new([['DC', 'some'], ['DC', 'site'], ['CN', name]]) ++ cert ++ end ++ ++ + end + + end