Import net-smtp-0.2.0 from https://github.com/ruby/net-smtp

Author: hsbt

lib/net/smtp.rb

@@ -168,7 +168,7 @@ class SMTPUnsupportedCommand < ProtocolError
   #                     user: 'Your Account', secret: 'Your Password', authtype: :cram_md5)
   #
   class SMTP < Protocol
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
 
     Revision = %q$Revision$.split[1]
 
@@ -191,8 +191,13 @@ class << self
       alias default_ssl_port default_tls_port
     end
 
-    def SMTP.default_ssl_context
-      OpenSSL::SSL::SSLContext.new
+    def SMTP.default_ssl_context(verify_peer=true)
+      context = OpenSSL::SSL::SSLContext.new
+      context.verify_mode = verify_peer ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths
+      context.cert_store = store
+      context
     end
 
     #
@@ -218,8 +223,9 @@ def initialize(address, port = nil)
       @error_occurred = false
       @debug_output = nil
       @tls = false
-      @starttls = false
-      @ssl_context = nil
+      @starttls = :auto
+      @ssl_context_tls = nil
+      @ssl_context_starttls = nil
     end
 
     # Provide human-readable stringification of class state.
@@ -294,11 +300,11 @@ def tls?
     # Enables SMTP/TLS (SMTPS: SMTP over direct TLS connection) for
     # this object.  Must be called before the connection is established
     # to have any effect.  +context+ is a OpenSSL::SSL::SSLContext object.
-    def enable_tls(context = SMTP.default_ssl_context)
+    def enable_tls(context = nil)
       raise 'openssl library not installed' unless defined?(OpenSSL)
-      raise ArgumentError, "SMTPS and STARTTLS is exclusive" if @starttls
+      raise ArgumentError, "SMTPS and STARTTLS is exclusive" if @starttls == :always
       @tls = true
-      @ssl_context = context
+      @ssl_context_tls = context
     end
 
     alias enable_ssl enable_tls
@@ -307,7 +313,7 @@ def enable_tls(context = SMTP.default_ssl_context)
     # connection is established to have any effect.
     def disable_tls
       @tls = false
-      @ssl_context = nil
+      @ssl_context_tls = nil
     end
 
     alias disable_ssl disable_tls
@@ -331,27 +337,27 @@ def starttls_auto?
 
     # Enables SMTP/TLS (STARTTLS) for this object.
     # +context+ is a OpenSSL::SSL::SSLContext object.
-    def enable_starttls(context = SMTP.default_ssl_context)
+    def enable_starttls(context = nil)
       raise 'openssl library not installed' unless defined?(OpenSSL)
       raise ArgumentError, "SMTPS and STARTTLS is exclusive" if @tls
       @starttls = :always
-      @ssl_context = context
+      @ssl_context_starttls = context
     end
 
     # Enables SMTP/TLS (STARTTLS) for this object if server accepts.
     # +context+ is a OpenSSL::SSL::SSLContext object.
-    def enable_starttls_auto(context = SMTP.default_ssl_context)
+    def enable_starttls_auto(context = nil)
       raise 'openssl library not installed' unless defined?(OpenSSL)
       raise ArgumentError, "SMTPS and STARTTLS is exclusive" if @tls
       @starttls = :auto
-      @ssl_context = context
+      @ssl_context_starttls = context
     end
 
     # Disables SMTP/TLS (STARTTLS) for this object.  Must be called
     # before the connection is established to have any effect.
     def disable_starttls
       @starttls = false
-      @ssl_context = nil
+      @ssl_context_starttls = nil
     end
 
     # The address of the SMTP server to connect to.
@@ -403,14 +409,14 @@ def debug_output=(arg)
 
     #
     # :call-seq:
-    #  start(address, port = nil, helo: 'localhost', user: nil, secret: nil, authtype: nil) { |smtp| ... }
+    #  start(address, port = nil, helo: 'localhost', user: nil, secret: nil, authtype: nil, tls_verify: true, tls_hostname: nil) { |smtp| ... }
     #  start(address, port = nil, helo = 'localhost', user = nil, secret = nil, authtype = nil) { |smtp| ... }
     #
     # Creates a new Net::SMTP object and connects to the server.
     #
     # This method is equivalent to:
     #
-    #   Net::SMTP.new(address, port).start(helo: helo_domain, user: account, secret: password, authtype: authtype)
+    #   Net::SMTP.new(address, port).start(helo: helo_domain, user: account, secret: password, authtype: authtype, tls_verify: flag, tls_hostname: hostname)
     #
     # === Example
     #
@@ -440,6 +446,9 @@ def debug_output=(arg)
     # or other authentication token; and +authtype+ is the authentication
     # type, one of :plain, :login, or :cram_md5.  See the discussion of
     # SMTP Authentication in the overview notes.
+    # If +tls_verify+ is true, verify the server's certificate. The default is true.
+    # If the hostname in the server certificate is different from +address+,
+    # it can be specified with +tls_hostname+.
     #
     # === Errors
     #
@@ -456,13 +465,14 @@ def debug_output=(arg)
     #
     def SMTP.start(address, port = nil, *args, helo: nil,
                    user: nil, secret: nil, password: nil, authtype: nil,
+                   tls_verify: true, tls_hostname: nil,
                    &block)
       raise ArgumentError, "wrong number of arguments (given #{args.size + 2}, expected 1..6)" if args.size > 4
       helo ||= args[0] || 'localhost'
       user ||= args[1]
       secret ||= password || args[2]
       authtype ||= args[3]
-      new(address, port).start(helo: helo, user: user, secret: secret, authtype: authtype, &block)
+      new(address, port).start(helo: helo, user: user, secret: secret, authtype: authtype, tls_verify: tls_verify, tls_hostname: tls_hostname, &block)
     end
 
     # +true+ if the SMTP session has been started.
@@ -472,7 +482,7 @@ def started?
 
     #
     # :call-seq:
-    #  start(helo: 'localhost', user: nil, secret: nil, authtype: nil) { |smtp| ... }
+    #  start(helo: 'localhost', user: nil, secret: nil, authtype: nil, tls_verify: true, tls_hostname: nil) { |smtp| ... }
     #  start(helo = 'localhost', user = nil, secret = nil, authtype = nil) { |smtp| ... }
     #
     # Opens a TCP connection and starts the SMTP session.
@@ -487,6 +497,9 @@ def started?
     # the type of authentication to attempt; it must be one of
     # :login, :plain, and :cram_md5.  See the notes on SMTP Authentication
     # in the overview.
+    # If +tls_verify+ is true, verify the server's certificate. The default is true.
+    # If the hostname in the server certificate is different from +address+,
+    # it can be specified with +tls_hostname+.
     #
     # === Block Usage
     #
@@ -526,12 +539,19 @@ def started?
     # * IOError
     #
     def start(*args, helo: nil,
-              user: nil, secret: nil, password: nil, authtype: nil)
+              user: nil, secret: nil, password: nil, authtype: nil, tls_verify: true, tls_hostname: nil)
       raise ArgumentError, "wrong number of arguments (given #{args.size}, expected 0..4)" if args.size > 4
       helo ||= args[0] || 'localhost'
       user ||= args[1]
       secret ||= password || args[2]
       authtype ||= args[3]
+      if @tls && @ssl_context_tls.nil?
+        @ssl_context_tls = SMTP.default_ssl_context(tls_verify)
+      end
+      if @starttls && @ssl_context_starttls.nil?
+        @ssl_context_starttls = SMTP.default_ssl_context(tls_verify)
+      end
+      @tls_hostname = tls_hostname
       if block_given?
         begin
           do_start helo, user, secret, authtype
@@ -568,16 +588,16 @@ def do_start(helo_domain, user, secret, authtype)
         tcp_socket(@address, @port)
       end
       logging "Connection opened: #{@address}:#{@port}"
-      @socket = new_internet_message_io(tls? ? tlsconnect(s) : s)
+      @socket = new_internet_message_io(tls? ? tlsconnect(s, @ssl_context_tls) : s)
       check_response critical { recv_response() }
       do_helo helo_domain
-      if starttls_always? or (capable_starttls? and starttls_auto?)
+      if ! tls? and (starttls_always? or (capable_starttls? and starttls_auto?))
         unless capable_starttls?
           raise SMTPUnsupportedCommand,
               "STARTTLS is not supported on this server"
         end
         starttls
-        @socket = new_internet_message_io(tlsconnect(s))
+        @socket = new_internet_message_io(tlsconnect(s, @ssl_context_starttls))
         # helo response may be different after STARTTLS
         do_helo helo_domain
       end
@@ -595,15 +615,15 @@ def ssl_socket(socket, context)
       OpenSSL::SSL::SSLSocket.new socket, context
     end
 
-    def tlsconnect(s)
+    def tlsconnect(s, context)
       verified = false
-      s = ssl_socket(s, @ssl_context)
+      s = ssl_socket(s, context)
       logging "TLS connection started"
       s.sync_close = true
-      s.hostname = @address if s.respond_to? :hostname=
+      s.hostname = @tls_hostname || @address if s.respond_to? :hostname=
       ssl_socket_connect(s, @open_timeout)
-      if @ssl_context.verify_mode && @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
-        s.post_connection_check(@address)
+      if context.verify_mode && context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        s.post_connection_check(@tls_hostname || @address)
       end
       verified = true
       s

test/net/smtp/test_smtp.rb

@@ -137,7 +137,7 @@ def test_tls_connect
         smtp = Net::SMTP.new("localhost", servers[0].local_address.ip_port)
         smtp.enable_tls
         smtp.open_timeout = 1
-        smtp.start do
+        smtp.start(tls_verify: false) do
         end
       ensure
         sock.close if sock

test/net/smtp/test_sslcontext.rb

@@ -0,0 +1,128 @@
+require 'net/smtp'
+require 'test/unit'
+
+module Net
+  class TestSSLContext < Test::Unit::TestCase
+    class MySMTP < SMTP
+      attr_reader :__ssl_context, :__tls_hostname
+
+      def initialize(socket)
+        @fake_socket = socket
+        super("smtp.example.com")
+      end
+
+      def tcp_socket(*)
+        @fake_socket
+      end
+
+      def ssl_socket_connect(*)
+      end
+
+      def tlsconnect(*)
+        super
+        @fake_socket
+      end
+
+      def ssl_socket(socket, context)
+        @__ssl_context = context
+        s = super
+        hostname = @__tls_hostname = ''
+        s.define_singleton_method(:post_connection_check){ |name| hostname.replace(name) }
+        s
+      end
+    end
+
+    def teardown
+      @server_thread&.exit
+      @server_socket&.close
+      @client_socket&.close
+    end
+
+    def start_smtpd(starttls)
+      @server_socket, @client_socket = UNIXSocket.pair
+      @starttls_executed = false
+      @server_thread = Thread.new(@server_socket) do |s|
+        s.puts "220 fakeserver\r\n"
+        while cmd = s.gets&.chomp
+          case cmd
+          when /\AEHLO /
+            s.puts "250-fakeserver\r\n"
+            s.puts "250-STARTTLS\r\n" if starttls
+            s.puts "250 8BITMIME\r\n"
+          when /\ASTARTTLS/
+            @starttls_executed = true
+            s.puts "220 2.0.0 Ready to start TLS\r\n"
+          else
+            raise "unsupported command: #{cmd}"
+          end
+        end
+      end
+      @client_socket
+    end
+
+    def test_default
+      smtp = MySMTP.new(start_smtpd(true))
+      smtp.start
+      assert_equal(OpenSSL::SSL::VERIFY_PEER, smtp.__ssl_context.verify_mode)
+    end
+
+    def test_enable_tls
+      smtp = MySMTP.new(start_smtpd(true))
+      context = OpenSSL::SSL::SSLContext.new
+      smtp.enable_tls(context)
+      smtp.start
+      assert_equal(context, smtp.__ssl_context)
+    end
+
+    def test_enable_tls_before_disable_starttls
+      smtp = MySMTP.new(start_smtpd(true))
+      context = OpenSSL::SSL::SSLContext.new
+      smtp.enable_tls(context)
+      smtp.disable_starttls
+      smtp.start
+      assert_equal(context, smtp.__ssl_context)
+    end
+
+    def test_enable_starttls
+      smtp = MySMTP.new(start_smtpd(true))
+      context = OpenSSL::SSL::SSLContext.new
+      smtp.enable_starttls(context)
+      smtp.start
+      assert_equal(context, smtp.__ssl_context)
+    end
+
+    def test_enable_starttls_before_disable_tls
+      smtp = MySMTP.new(start_smtpd(true))
+      context = OpenSSL::SSL::SSLContext.new
+      smtp.enable_starttls(context)
+      smtp.disable_tls
+      smtp.start
+      assert_equal(context, smtp.__ssl_context)
+    end
+
+    def test_start_with_tls_verify_true
+      smtp = MySMTP.new(start_smtpd(true))
+      smtp.start(tls_verify: true)
+      assert_equal(OpenSSL::SSL::VERIFY_PEER, smtp.__ssl_context.verify_mode)
+    end
+
+    def test_start_with_tls_verify_false
+      smtp = MySMTP.new(start_smtpd(true))
+      smtp.start(tls_verify: false)
+      assert_equal(OpenSSL::SSL::VERIFY_NONE, smtp.__ssl_context.verify_mode)
+    end
+
+    def test_start_with_tls_hostname
+      smtp = MySMTP.new(start_smtpd(true))
+      smtp.start(tls_hostname: "localhost")
+      assert_equal("localhost", smtp.__tls_hostname)
+    end
+
+    def test_start_without_tls_hostname
+      smtp = MySMTP.new(start_smtpd(true))
+      smtp.start
+      assert_equal("smtp.example.com", smtp.__tls_hostname)
+    end
+
+  end
+end