openssl 2.0.0.beta.1 → 2.0.0.beta.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of openssl might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/History.md +29 -13
- data/LICENSE.txt +2 -2
- data/ext/openssl/extconf.rb +1 -3
- data/ext/openssl/ossl_pkcs12.c +11 -9
- data/ext/openssl/ossl_pkey_ec.c +183 -276
- data/ext/openssl/ossl_ssl.c +163 -121
- data/lib/openssl/ssl.rb +2 -14
- metadata +2 -2
data/ext/openssl/ossl_ssl.c
CHANGED
|
@@ -36,50 +36,19 @@ VALUE cSSLSocket;
|
|
|
36
36
|
static VALUE eSSLErrorWaitReadable;
|
|
37
37
|
static VALUE eSSLErrorWaitWritable;
|
|
38
38
|
|
|
39
|
-
#define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
|
|
40
|
-
#define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
|
|
41
|
-
#define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
|
|
42
|
-
#define ossl_sslctx_set_ca_file(o,v) rb_iv_set((o),"@ca_file",(v))
|
|
43
|
-
#define ossl_sslctx_set_ca_path(o,v) rb_iv_set((o),"@ca_path",(v))
|
|
44
|
-
#define ossl_sslctx_set_timeout(o,v) rb_iv_set((o),"@timeout",(v))
|
|
45
|
-
#define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v))
|
|
46
|
-
#define ossl_sslctx_set_verify_dep(o,v) rb_iv_set((o),"@verify_depth",(v))
|
|
47
|
-
#define ossl_sslctx_set_verify_cb(o,v) rb_iv_set((o),"@verify_callback",(v))
|
|
48
|
-
#define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
|
|
49
|
-
#define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
|
|
50
|
-
#define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
|
|
51
|
-
#define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_set((o),"@session_id_context",(v))
|
|
52
|
-
|
|
53
|
-
#define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
|
|
54
|
-
#define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
|
|
55
|
-
#define ossl_sslctx_get_client_ca(o) rb_iv_get((o),"@client_ca")
|
|
56
|
-
#define ossl_sslctx_get_ca_file(o) rb_iv_get((o),"@ca_file")
|
|
57
|
-
#define ossl_sslctx_get_ca_path(o) rb_iv_get((o),"@ca_path")
|
|
58
|
-
#define ossl_sslctx_get_timeout(o) rb_iv_get((o),"@timeout")
|
|
59
|
-
#define ossl_sslctx_get_verify_mode(o) rb_iv_get((o),"@verify_mode")
|
|
60
|
-
#define ossl_sslctx_get_verify_dep(o) rb_iv_get((o),"@verify_depth")
|
|
61
|
-
#define ossl_sslctx_get_verify_cb(o) rb_iv_get((o),"@verify_callback")
|
|
62
|
-
#define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
|
|
63
|
-
#define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
|
|
64
|
-
#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
|
|
65
|
-
#define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback")
|
|
66
|
-
#define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
|
|
67
|
-
#define ossl_sslctx_get_verify_hostname(o) rb_iv_get((o),"@verify_hostname")
|
|
68
|
-
|
|
69
|
-
#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
|
|
70
|
-
#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
|
|
71
|
-
|
|
72
|
-
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
|
|
73
|
-
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
|
|
74
|
-
#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
|
|
75
|
-
#define ossl_ssl_set_hostname_v(o,v) rb_iv_set((o),"@hostname",(v))
|
|
76
|
-
#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
|
|
77
|
-
#define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v))
|
|
78
|
-
|
|
79
39
|
static ID ID_callback_state;
|
|
80
|
-
|
|
81
40
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
|
82
41
|
|
|
42
|
+
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
|
43
|
+
id_i_verify_depth, id_i_verify_callback, id_i_client_ca,
|
|
44
|
+
id_i_renegotiation_cb, id_i_cert, id_i_key, id_i_extra_chain_cert,
|
|
45
|
+
id_i_client_cert_cb, id_i_tmp_ecdh_callback, id_i_timeout,
|
|
46
|
+
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
|
47
|
+
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
|
48
|
+
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
|
49
|
+
id_i_verify_hostname;
|
|
50
|
+
static ID id_i_io, id_i_context, id_i_hostname;
|
|
51
|
+
|
|
83
52
|
/*
|
|
84
53
|
* SSLContext class
|
|
85
54
|
*/
|
|
@@ -223,9 +192,10 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
|
|
|
223
192
|
static VALUE
|
|
224
193
|
ossl_call_client_cert_cb(VALUE obj)
|
|
225
194
|
{
|
|
226
|
-
VALUE cb, ary, cert, key;
|
|
195
|
+
VALUE ctx_obj, cb, ary, cert, key;
|
|
227
196
|
|
|
228
|
-
|
|
197
|
+
ctx_obj = rb_attr_get(obj, id_i_context);
|
|
198
|
+
cb = rb_attr_get(ctx_obj, id_i_client_cert_cb);
|
|
229
199
|
if (NIL_P(cb))
|
|
230
200
|
return Qnil;
|
|
231
201
|
|
|
@@ -281,7 +251,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
281
251
|
|
|
282
252
|
dh = rb_protect(ossl_call_tmp_dh_callback, args, NULL);
|
|
283
253
|
if (!RTEST(dh)) return NULL;
|
|
284
|
-
ossl_ssl_set_tmp_dh(rb_ssl, dh);
|
|
285
254
|
|
|
286
255
|
return EVP_PKEY_get0_DH(GetPKeyPtr(dh));
|
|
287
256
|
}
|
|
@@ -315,7 +284,6 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
315
284
|
|
|
316
285
|
ecdh = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL);
|
|
317
286
|
if (!RTEST(ecdh)) return NULL;
|
|
318
|
-
ossl_ssl_set_tmp_ecdh(rb_ssl, ecdh);
|
|
319
287
|
|
|
320
288
|
return EVP_PKEY_get0_EC_KEY(GetPKeyPtr(ecdh));
|
|
321
289
|
}
|
|
@@ -330,7 +298,7 @@ call_verify_certificate_identity(VALUE ctx_v)
|
|
|
330
298
|
|
|
331
299
|
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
|
332
300
|
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
|
333
|
-
hostname = rb_attr_get(ssl_obj,
|
|
301
|
+
hostname = rb_attr_get(ssl_obj, id_i_hostname);
|
|
334
302
|
|
|
335
303
|
if (!RTEST(hostname)) {
|
|
336
304
|
rb_warning("verify_hostname requires hostname to be set");
|
|
@@ -345,14 +313,15 @@ call_verify_certificate_identity(VALUE ctx_v)
|
|
|
345
313
|
static int
|
|
346
314
|
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|
347
315
|
{
|
|
348
|
-
VALUE cb, ssl_obj, verify_hostname, ret;
|
|
316
|
+
VALUE cb, ssl_obj, sslctx_obj, verify_hostname, ret;
|
|
349
317
|
SSL *ssl;
|
|
350
318
|
int status;
|
|
351
319
|
|
|
352
320
|
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
|
353
321
|
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
|
|
354
322
|
ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
|
355
|
-
|
|
323
|
+
sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
|
|
324
|
+
verify_hostname = rb_attr_get(sslctx_obj, id_i_verify_hostname);
|
|
356
325
|
|
|
357
326
|
if (preverify_ok && RTEST(verify_hostname) && !SSL_is_server(ssl) &&
|
|
358
327
|
!X509_STORE_CTX_get_error_depth(ctx)) {
|
|
@@ -474,7 +443,7 @@ ossl_call_session_remove_cb(VALUE ary)
|
|
|
474
443
|
Check_Type(ary, T_ARRAY);
|
|
475
444
|
sslctx_obj = rb_ary_entry(ary, 0);
|
|
476
445
|
|
|
477
|
-
cb =
|
|
446
|
+
cb = rb_attr_get(sslctx_obj, id_i_session_remove_cb);
|
|
478
447
|
if (NIL_P(cb)) return Qnil;
|
|
479
448
|
|
|
480
449
|
return rb_funcall(cb, rb_intern("call"), 1, ary);
|
|
@@ -536,9 +505,8 @@ ossl_call_servername_cb(VALUE ary)
|
|
|
536
505
|
Check_Type(ary, T_ARRAY);
|
|
537
506
|
ssl_obj = rb_ary_entry(ary, 0);
|
|
538
507
|
|
|
539
|
-
sslctx_obj =
|
|
540
|
-
|
|
541
|
-
cb = rb_iv_get(sslctx_obj, "@servername_cb");
|
|
508
|
+
sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
|
|
509
|
+
cb = rb_attr_get(sslctx_obj, id_i_servername_cb);
|
|
542
510
|
if (NIL_P(cb)) return Qnil;
|
|
543
511
|
|
|
544
512
|
ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
|
|
@@ -550,9 +518,10 @@ ossl_call_servername_cb(VALUE ary)
|
|
|
550
518
|
GetSSL(ssl_obj, ssl);
|
|
551
519
|
GetSSLCTX(ret_obj, ctx2);
|
|
552
520
|
SSL_set_SSL_CTX(ssl, ctx2);
|
|
553
|
-
|
|
521
|
+
rb_ivar_set(ssl_obj, id_i_context, ret_obj);
|
|
554
522
|
} else if (!NIL_P(ret_obj)) {
|
|
555
|
-
|
|
523
|
+
ossl_raise(rb_eArgError, "servername_cb must return an "
|
|
524
|
+
"OpenSSL::SSL::SSLContext object or nil");
|
|
556
525
|
}
|
|
557
526
|
|
|
558
527
|
return ret_obj;
|
|
@@ -596,15 +565,15 @@ ssl_renegotiation_cb(const SSL *ssl)
|
|
|
596
565
|
ossl_raise(eSSLError, "SSL object could not be retrieved");
|
|
597
566
|
ssl_obj = (VALUE)ptr;
|
|
598
567
|
|
|
599
|
-
sslctx_obj =
|
|
600
|
-
|
|
601
|
-
cb = rb_iv_get(sslctx_obj, "@renegotiation_cb");
|
|
568
|
+
sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
|
|
569
|
+
cb = rb_attr_get(sslctx_obj, id_i_renegotiation_cb);
|
|
602
570
|
if (NIL_P(cb)) return;
|
|
603
571
|
|
|
604
572
|
(void) rb_funcall(cb, rb_intern("call"), 1, ssl_obj);
|
|
605
573
|
}
|
|
606
574
|
|
|
607
|
-
#if defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) ||
|
|
575
|
+
#if defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) || \
|
|
576
|
+
defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
|
608
577
|
static VALUE
|
|
609
578
|
ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
|
|
610
579
|
{
|
|
@@ -627,14 +596,20 @@ ssl_encode_npn_protocols(VALUE protocols)
|
|
|
627
596
|
return encoded;
|
|
628
597
|
}
|
|
629
598
|
|
|
630
|
-
|
|
631
|
-
|
|
599
|
+
struct npn_select_cb_common_args {
|
|
600
|
+
VALUE cb;
|
|
601
|
+
const unsigned char *in;
|
|
602
|
+
unsigned inlen;
|
|
603
|
+
};
|
|
604
|
+
|
|
605
|
+
static VALUE
|
|
606
|
+
npn_select_cb_common_i(VALUE tmp)
|
|
632
607
|
{
|
|
633
|
-
|
|
634
|
-
|
|
635
|
-
VALUE protocols = rb_ary_new();
|
|
608
|
+
struct npn_select_cb_common_args *args = (void *)tmp;
|
|
609
|
+
const unsigned char *in = args->in, *in_end = in + args->inlen;
|
|
636
610
|
unsigned char l;
|
|
637
|
-
|
|
611
|
+
long len;
|
|
612
|
+
VALUE selected, protocols = rb_ary_new();
|
|
638
613
|
|
|
639
614
|
/* assume OpenSSL verifies this format */
|
|
640
615
|
/* The format is len_1|proto_1|...|len_n|proto_n */
|
|
@@ -644,21 +619,44 @@ ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *out
|
|
|
644
619
|
in += l;
|
|
645
620
|
}
|
|
646
621
|
|
|
647
|
-
selected = rb_funcall(cb, rb_intern("call"), 1, protocols);
|
|
622
|
+
selected = rb_funcall(args->cb, rb_intern("call"), 1, protocols);
|
|
648
623
|
StringValue(selected);
|
|
649
624
|
len = RSTRING_LEN(selected);
|
|
650
625
|
if (len < 1 || len >= 256) {
|
|
651
626
|
ossl_raise(eSSLError, "Selected protocol name must have length 1..255");
|
|
652
627
|
}
|
|
628
|
+
|
|
629
|
+
return selected;
|
|
630
|
+
}
|
|
631
|
+
|
|
632
|
+
static int
|
|
633
|
+
ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
634
|
+
unsigned char *outlen, const unsigned char *in,
|
|
635
|
+
unsigned int inlen)
|
|
636
|
+
{
|
|
637
|
+
VALUE selected;
|
|
638
|
+
int status;
|
|
639
|
+
struct npn_select_cb_common_args args = { cb, in, inlen };
|
|
640
|
+
|
|
641
|
+
selected = rb_protect(npn_select_cb_common_i, (VALUE)&args, &status);
|
|
642
|
+
if (status) {
|
|
643
|
+
VALUE ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
|
644
|
+
|
|
645
|
+
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
|
|
646
|
+
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
647
|
+
}
|
|
648
|
+
|
|
653
649
|
*out = (unsigned char *)RSTRING_PTR(selected);
|
|
654
|
-
*outlen = (unsigned char)
|
|
650
|
+
*outlen = (unsigned char)RSTRING_LEN(selected);
|
|
655
651
|
|
|
656
652
|
return SSL_TLSEXT_ERR_OK;
|
|
657
653
|
}
|
|
654
|
+
#endif
|
|
658
655
|
|
|
659
656
|
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
|
|
660
657
|
static int
|
|
661
|
-
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
|
658
|
+
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
|
659
|
+
void *arg)
|
|
662
660
|
{
|
|
663
661
|
VALUE protocols = (VALUE)arg;
|
|
664
662
|
|
|
@@ -669,30 +667,32 @@ ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
|
|
669
667
|
}
|
|
670
668
|
|
|
671
669
|
static int
|
|
672
|
-
ssl_npn_select_cb(SSL *
|
|
670
|
+
ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
|
671
|
+
const unsigned char *in, unsigned int inlen, void *arg)
|
|
673
672
|
{
|
|
674
673
|
VALUE sslctx_obj, cb;
|
|
675
674
|
|
|
676
675
|
sslctx_obj = (VALUE) arg;
|
|
677
|
-
cb =
|
|
676
|
+
cb = rb_attr_get(sslctx_obj, id_i_npn_select_cb);
|
|
678
677
|
|
|
679
|
-
return ssl_npn_select_cb_common(cb, (const unsigned char **)out,
|
|
678
|
+
return ssl_npn_select_cb_common(ssl, cb, (const unsigned char **)out,
|
|
679
|
+
outlen, in, inlen);
|
|
680
680
|
}
|
|
681
681
|
#endif
|
|
682
682
|
|
|
683
683
|
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
684
684
|
static int
|
|
685
|
-
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
685
|
+
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
686
|
+
const unsigned char *in, unsigned int inlen, void *arg)
|
|
686
687
|
{
|
|
687
688
|
VALUE sslctx_obj, cb;
|
|
688
689
|
|
|
689
690
|
sslctx_obj = (VALUE) arg;
|
|
690
|
-
cb =
|
|
691
|
+
cb = rb_attr_get(sslctx_obj, id_i_alpn_select_cb);
|
|
691
692
|
|
|
692
|
-
return ssl_npn_select_cb_common(cb, out, outlen, in, inlen);
|
|
693
|
+
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
|
|
693
694
|
}
|
|
694
695
|
#endif
|
|
695
|
-
#endif /* HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB || HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
|
|
696
696
|
|
|
697
697
|
/* This function may serve as the entry point to support further callbacks. */
|
|
698
698
|
static void
|
|
@@ -768,7 +768,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
768
768
|
#if !defined(OPENSSL_NO_EC)
|
|
769
769
|
/* We added SSLContext#tmp_ecdh_callback= in Ruby 2.3.0,
|
|
770
770
|
* but SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0. */
|
|
771
|
-
if (RTEST(
|
|
771
|
+
if (RTEST(rb_attr_get(self, id_i_tmp_ecdh_callback))) {
|
|
772
772
|
# if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
773
773
|
rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead");
|
|
774
774
|
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
|
|
@@ -785,7 +785,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
785
785
|
}
|
|
786
786
|
#endif /* OPENSSL_NO_EC */
|
|
787
787
|
|
|
788
|
-
val =
|
|
788
|
+
val = rb_attr_get(self, id_i_cert_store);
|
|
789
789
|
if (!NIL_P(val)) {
|
|
790
790
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
|
791
791
|
SSL_CTX_set_cert_store(ctx, store);
|
|
@@ -802,15 +802,15 @@ ossl_sslctx_setup(VALUE self)
|
|
|
802
802
|
#endif
|
|
803
803
|
}
|
|
804
804
|
|
|
805
|
-
val =
|
|
805
|
+
val = rb_attr_get(self, id_i_extra_chain_cert);
|
|
806
806
|
if(!NIL_P(val)){
|
|
807
807
|
rb_block_call(val, rb_intern("each"), 0, 0, ossl_sslctx_add_extra_chain_cert_i, self);
|
|
808
808
|
}
|
|
809
809
|
|
|
810
810
|
/* private key may be bundled in certificate file. */
|
|
811
|
-
val =
|
|
811
|
+
val = rb_attr_get(self, id_i_cert);
|
|
812
812
|
cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
|
|
813
|
-
val =
|
|
813
|
+
val = rb_attr_get(self, id_i_key);
|
|
814
814
|
key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
|
|
815
815
|
if (cert && key) {
|
|
816
816
|
if (!SSL_CTX_use_certificate(ctx, cert)) {
|
|
@@ -826,7 +826,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
826
826
|
}
|
|
827
827
|
}
|
|
828
828
|
|
|
829
|
-
val =
|
|
829
|
+
val = rb_attr_get(self, id_i_client_ca);
|
|
830
830
|
if(!NIL_P(val)){
|
|
831
831
|
if (RB_TYPE_P(val, T_ARRAY)) {
|
|
832
832
|
for(i = 0; i < RARRAY_LEN(val); i++){
|
|
@@ -846,48 +846,52 @@ ossl_sslctx_setup(VALUE self)
|
|
|
846
846
|
}
|
|
847
847
|
}
|
|
848
848
|
|
|
849
|
-
val =
|
|
849
|
+
val = rb_attr_get(self, id_i_ca_file);
|
|
850
850
|
ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
851
|
-
val =
|
|
851
|
+
val = rb_attr_get(self, id_i_ca_path);
|
|
852
852
|
ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
853
853
|
if(ca_file || ca_path){
|
|
854
854
|
if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
|
|
855
855
|
rb_warning("can't set verify locations");
|
|
856
856
|
}
|
|
857
857
|
|
|
858
|
-
val =
|
|
858
|
+
val = rb_attr_get(self, id_i_verify_mode);
|
|
859
859
|
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
|
|
860
860
|
SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
|
|
861
|
-
if (RTEST(
|
|
861
|
+
if (RTEST(rb_attr_get(self, id_i_client_cert_cb)))
|
|
862
862
|
SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
|
|
863
863
|
|
|
864
|
-
val =
|
|
864
|
+
val = rb_attr_get(self, id_i_timeout);
|
|
865
865
|
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
|
|
866
866
|
|
|
867
|
-
val =
|
|
867
|
+
val = rb_attr_get(self, id_i_verify_depth);
|
|
868
868
|
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
|
|
869
869
|
|
|
870
870
|
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
|
|
871
|
-
val =
|
|
871
|
+
val = rb_attr_get(self, id_i_npn_protocols);
|
|
872
872
|
if (!NIL_P(val)) {
|
|
873
873
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
|
874
874
|
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
|
|
875
875
|
OSSL_Debug("SSL NPN advertise callback added");
|
|
876
876
|
}
|
|
877
|
-
if (RTEST(
|
|
877
|
+
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
|
|
878
878
|
SSL_CTX_set_next_proto_select_cb(ctx, ssl_npn_select_cb, (void *) self);
|
|
879
879
|
OSSL_Debug("SSL NPN select callback added");
|
|
880
880
|
}
|
|
881
881
|
#endif
|
|
882
882
|
|
|
883
883
|
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
884
|
-
val =
|
|
884
|
+
val = rb_attr_get(self, id_i_alpn_protocols);
|
|
885
885
|
if (!NIL_P(val)) {
|
|
886
886
|
VALUE rprotos = ssl_encode_npn_protocols(val);
|
|
887
|
-
|
|
887
|
+
|
|
888
|
+
/* returns 0 on success */
|
|
889
|
+
if (SSL_CTX_set_alpn_protos(ctx, (unsigned char *)RSTRING_PTR(rprotos),
|
|
890
|
+
RSTRING_LENINT(rprotos)))
|
|
891
|
+
ossl_raise(eSSLError, "SSL_CTX_set_alpn_protos");
|
|
888
892
|
OSSL_Debug("SSL ALPN values added");
|
|
889
893
|
}
|
|
890
|
-
if (RTEST(
|
|
894
|
+
if (RTEST(rb_attr_get(self, id_i_alpn_select_cb))) {
|
|
891
895
|
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
|
|
892
896
|
OSSL_Debug("SSL ALPN select callback added");
|
|
893
897
|
}
|
|
@@ -895,7 +899,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
895
899
|
|
|
896
900
|
rb_obj_freeze(self);
|
|
897
901
|
|
|
898
|
-
val =
|
|
902
|
+
val = rb_attr_get(self, id_i_session_id_context);
|
|
899
903
|
if (!NIL_P(val)){
|
|
900
904
|
StringValue(val);
|
|
901
905
|
if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
|
|
@@ -904,21 +908,21 @@ ossl_sslctx_setup(VALUE self)
|
|
|
904
908
|
}
|
|
905
909
|
}
|
|
906
910
|
|
|
907
|
-
if (RTEST(
|
|
911
|
+
if (RTEST(rb_attr_get(self, id_i_session_get_cb))) {
|
|
908
912
|
SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
|
|
909
913
|
OSSL_Debug("SSL SESSION get callback added");
|
|
910
914
|
}
|
|
911
|
-
if (RTEST(
|
|
915
|
+
if (RTEST(rb_attr_get(self, id_i_session_new_cb))) {
|
|
912
916
|
SSL_CTX_sess_set_new_cb(ctx, ossl_sslctx_session_new_cb);
|
|
913
917
|
OSSL_Debug("SSL SESSION new callback added");
|
|
914
918
|
}
|
|
915
|
-
if (RTEST(
|
|
919
|
+
if (RTEST(rb_attr_get(self, id_i_session_remove_cb))) {
|
|
916
920
|
SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
|
|
917
921
|
OSSL_Debug("SSL SESSION remove callback added");
|
|
918
922
|
}
|
|
919
923
|
|
|
920
924
|
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
|
|
921
|
-
val =
|
|
925
|
+
val = rb_attr_get(self, id_i_servername_cb);
|
|
922
926
|
if (!NIL_P(val)) {
|
|
923
927
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
|
|
924
928
|
OSSL_Debug("SSL TLSEXT servername callback added");
|
|
@@ -1437,14 +1441,12 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|
|
1437
1441
|
v_ctx = rb_funcall(cSSLContext, rb_intern("new"), 0);
|
|
1438
1442
|
|
|
1439
1443
|
GetSSLCTX(v_ctx, ctx);
|
|
1440
|
-
|
|
1444
|
+
rb_ivar_set(self, id_i_context, v_ctx);
|
|
1441
1445
|
ossl_sslctx_setup(v_ctx);
|
|
1442
1446
|
|
|
1443
1447
|
if (rb_respond_to(io, rb_intern("nonblock=")))
|
|
1444
1448
|
rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
|
|
1445
|
-
|
|
1446
|
-
|
|
1447
|
-
ossl_ssl_set_sync_close(self, Qfalse);
|
|
1449
|
+
rb_ivar_set(self, id_i_io, io);
|
|
1448
1450
|
|
|
1449
1451
|
ssl = SSL_new(ctx);
|
|
1450
1452
|
if (!ssl)
|
|
@@ -1453,7 +1455,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|
|
1453
1455
|
|
|
1454
1456
|
SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void *)self);
|
|
1455
1457
|
SSL_set_info_callback(ssl, ssl_info_cb);
|
|
1456
|
-
verify_cb =
|
|
1458
|
+
verify_cb = rb_attr_get(v_ctx, id_i_verify_callback);
|
|
1457
1459
|
SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)verify_cb);
|
|
1458
1460
|
|
|
1459
1461
|
rb_call_super(0, NULL);
|
|
@@ -1472,7 +1474,7 @@ ossl_ssl_setup(VALUE self)
|
|
|
1472
1474
|
if (ssl_started(ssl))
|
|
1473
1475
|
return Qtrue;
|
|
1474
1476
|
|
|
1475
|
-
io =
|
|
1477
|
+
io = rb_attr_get(self, id_i_io);
|
|
1476
1478
|
GetOpenFile(io, fptr);
|
|
1477
1479
|
rb_io_check_readable(fptr);
|
|
1478
1480
|
rb_io_check_writable(fptr);
|
|
@@ -1527,11 +1529,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1527
1529
|
|
|
1528
1530
|
GetSSL(self, ssl);
|
|
1529
1531
|
|
|
1530
|
-
GetOpenFile(
|
|
1532
|
+
GetOpenFile(rb_attr_get(self, id_i_io), fptr);
|
|
1531
1533
|
for(;;){
|
|
1532
1534
|
ret = func(ssl);
|
|
1533
1535
|
|
|
1534
|
-
|
|
1536
|
+
cb_state = rb_attr_get(self, ID_callback_state);
|
|
1535
1537
|
if (!NIL_P(cb_state)) {
|
|
1536
1538
|
/* must cleanup OpenSSL error stack before re-raising */
|
|
1537
1539
|
ossl_clear_error();
|
|
@@ -1666,7 +1668,7 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1666
1668
|
int ilen, nread = 0;
|
|
1667
1669
|
VALUE len, str;
|
|
1668
1670
|
rb_io_t *fptr;
|
|
1669
|
-
VALUE opts = Qnil;
|
|
1671
|
+
VALUE io, opts = Qnil;
|
|
1670
1672
|
|
|
1671
1673
|
if (nonblock) {
|
|
1672
1674
|
rb_scan_args(argc, argv, "11:", &len, &str, &opts);
|
|
@@ -1684,7 +1686,8 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1684
1686
|
if(ilen == 0) return str;
|
|
1685
1687
|
|
|
1686
1688
|
GetSSL(self, ssl);
|
|
1687
|
-
|
|
1689
|
+
io = rb_attr_get(self, id_i_io);
|
|
1690
|
+
GetOpenFile(io, fptr);
|
|
1688
1691
|
if (ssl_started(ssl)) {
|
|
1689
1692
|
if(!nonblock && SSL_pending(ssl) <= 0)
|
|
1690
1693
|
rb_thread_wait_fd(FPTR_TO_FD(fptr));
|
|
@@ -1718,13 +1721,13 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1718
1721
|
}
|
|
1719
1722
|
}
|
|
1720
1723
|
else {
|
|
1721
|
-
|
|
1722
|
-
|
|
1723
|
-
|
|
1724
|
-
|
|
1725
|
-
|
|
1726
|
-
|
|
1727
|
-
|
|
1724
|
+
ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
|
|
1725
|
+
|
|
1726
|
+
rb_warning("SSL session is not started yet.");
|
|
1727
|
+
if (nonblock)
|
|
1728
|
+
return rb_funcall(io, meth, 3, len, str, opts);
|
|
1729
|
+
else
|
|
1730
|
+
return rb_funcall(io, meth, 2, len, str);
|
|
1728
1731
|
}
|
|
1729
1732
|
|
|
1730
1733
|
end:
|
|
@@ -1774,11 +1777,12 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
|
1774
1777
|
int nwrite = 0;
|
|
1775
1778
|
rb_io_t *fptr;
|
|
1776
1779
|
int nonblock = opts != Qfalse;
|
|
1780
|
+
VALUE io;
|
|
1777
1781
|
|
|
1778
1782
|
StringValue(str);
|
|
1779
1783
|
GetSSL(self, ssl);
|
|
1780
|
-
|
|
1781
|
-
|
|
1784
|
+
io = rb_attr_get(self, id_i_io);
|
|
1785
|
+
GetOpenFile(io, fptr);
|
|
1782
1786
|
if (ssl_started(ssl)) {
|
|
1783
1787
|
for (;;){
|
|
1784
1788
|
int num = RSTRING_LENINT(str);
|
|
@@ -1809,9 +1813,14 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
|
1809
1813
|
}
|
|
1810
1814
|
}
|
|
1811
1815
|
else {
|
|
1812
|
-
|
|
1813
|
-
|
|
1814
|
-
|
|
1816
|
+
ID meth = nonblock ?
|
|
1817
|
+
rb_intern("write_nonblock") : rb_intern("syswrite");
|
|
1818
|
+
|
|
1819
|
+
rb_warning("SSL session is not started yet.");
|
|
1820
|
+
if (nonblock)
|
|
1821
|
+
return rb_funcall(io, meth, 2, str, opts);
|
|
1822
|
+
else
|
|
1823
|
+
return rb_funcall(io, meth, 1, str);
|
|
1815
1824
|
}
|
|
1816
1825
|
|
|
1817
1826
|
end:
|
|
@@ -2082,7 +2091,7 @@ ossl_ssl_set_hostname(VALUE self, VALUE arg)
|
|
|
2082
2091
|
ossl_raise(eSSLError, NULL);
|
|
2083
2092
|
|
|
2084
2093
|
/* for SSLSocket#hostname */
|
|
2085
|
-
|
|
2094
|
+
rb_ivar_set(self, id_i_hostname, arg);
|
|
2086
2095
|
|
|
2087
2096
|
return arg;
|
|
2088
2097
|
}
|
|
@@ -2201,6 +2210,8 @@ ossl_ssl_tmp_key(VALUE self)
|
|
|
2201
2210
|
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
|
|
2202
2211
|
#endif /* !defined(OPENSSL_NO_SOCK) */
|
|
2203
2212
|
|
|
2213
|
+
#undef rb_intern
|
|
2214
|
+
#define rb_intern(s) rb_intern_const(s)
|
|
2204
2215
|
void
|
|
2205
2216
|
Init_ossl_ssl(void)
|
|
2206
2217
|
{
|
|
@@ -2214,7 +2225,7 @@ Init_ossl_ssl(void)
|
|
|
2214
2225
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
|
2215
2226
|
#endif
|
|
2216
2227
|
|
|
2217
|
-
ID_callback_state = rb_intern("
|
|
2228
|
+
ID_callback_state = rb_intern("callback_state");
|
|
2218
2229
|
|
|
2219
2230
|
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
|
|
2220
2231
|
ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
|
|
@@ -2672,8 +2683,39 @@ Init_ossl_ssl(void)
|
|
|
2672
2683
|
ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
|
|
2673
2684
|
ossl_ssl_def_const(OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
|
|
2674
2685
|
|
|
2675
|
-
#undef rb_intern
|
|
2676
2686
|
sym_exception = ID2SYM(rb_intern("exception"));
|
|
2677
2687
|
sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
|
|
2678
2688
|
sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
|
|
2689
|
+
|
|
2690
|
+
#define DefIVarID(name) do \
|
|
2691
|
+
id_i_##name = rb_intern("@"#name); while (0)
|
|
2692
|
+
|
|
2693
|
+
DefIVarID(cert_store);
|
|
2694
|
+
DefIVarID(ca_file);
|
|
2695
|
+
DefIVarID(ca_path);
|
|
2696
|
+
DefIVarID(verify_mode);
|
|
2697
|
+
DefIVarID(verify_depth);
|
|
2698
|
+
DefIVarID(verify_callback);
|
|
2699
|
+
DefIVarID(client_ca);
|
|
2700
|
+
DefIVarID(renegotiation_cb);
|
|
2701
|
+
DefIVarID(cert);
|
|
2702
|
+
DefIVarID(key);
|
|
2703
|
+
DefIVarID(extra_chain_cert);
|
|
2704
|
+
DefIVarID(client_cert_cb);
|
|
2705
|
+
DefIVarID(tmp_ecdh_callback);
|
|
2706
|
+
DefIVarID(timeout);
|
|
2707
|
+
DefIVarID(session_id_context);
|
|
2708
|
+
DefIVarID(session_get_cb);
|
|
2709
|
+
DefIVarID(session_new_cb);
|
|
2710
|
+
DefIVarID(session_remove_cb);
|
|
2711
|
+
DefIVarID(npn_select_cb);
|
|
2712
|
+
DefIVarID(npn_protocols);
|
|
2713
|
+
DefIVarID(alpn_protocols);
|
|
2714
|
+
DefIVarID(alpn_select_cb);
|
|
2715
|
+
DefIVarID(servername_cb);
|
|
2716
|
+
DefIVarID(verify_hostname);
|
|
2717
|
+
|
|
2718
|
+
DefIVarID(io);
|
|
2719
|
+
DefIVarID(context);
|
|
2720
|
+
DefIVarID(hostname);
|
|
2679
2721
|
}
|