openssl 2.1.1 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/CONTRIBUTING.md +9 -7
  3. data/History.md +165 -0
  4. data/README.md +2 -2
  5. data/ext/openssl/extconf.rb +51 -27
  6. data/ext/openssl/openssl_missing.h +39 -4
  7. data/ext/openssl/ossl.c +61 -27
  8. data/ext/openssl/ossl.h +8 -5
  9. data/ext/openssl/ossl_asn1.c +27 -1
  10. data/ext/openssl/ossl_bn.c +92 -24
  11. data/ext/openssl/ossl_bn.h +2 -1
  12. data/ext/openssl/ossl_cipher.c +33 -24
  13. data/ext/openssl/ossl_digest.c +22 -53
  14. data/ext/openssl/ossl_engine.c +2 -12
  15. data/ext/openssl/ossl_hmac.c +5 -11
  16. data/ext/openssl/ossl_kdf.c +3 -19
  17. data/ext/openssl/ossl_ns_spki.c +1 -1
  18. data/ext/openssl/ossl_ocsp.c +6 -11
  19. data/ext/openssl/ossl_ocsp.h +3 -3
  20. data/ext/openssl/ossl_pkcs12.c +1 -0
  21. data/ext/openssl/ossl_pkcs7.c +4 -19
  22. data/ext/openssl/ossl_pkcs7.h +16 -0
  23. data/ext/openssl/ossl_pkey.c +206 -17
  24. data/ext/openssl/ossl_pkey.h +6 -6
  25. data/ext/openssl/ossl_pkey_dh.c +1 -1
  26. data/ext/openssl/ossl_pkey_dsa.c +2 -2
  27. data/ext/openssl/ossl_pkey_ec.c +38 -8
  28. data/ext/openssl/ossl_pkey_rsa.c +17 -9
  29. data/ext/openssl/ossl_rand.c +2 -40
  30. data/ext/openssl/ossl_ssl.c +205 -75
  31. data/ext/openssl/ossl_ts.c +1524 -0
  32. data/ext/openssl/ossl_ts.h +16 -0
  33. data/ext/openssl/ossl_x509.c +91 -0
  34. data/ext/openssl/ossl_x509cert.c +2 -2
  35. data/ext/openssl/ossl_x509ext.c +15 -0
  36. data/ext/openssl/ossl_x509name.c +15 -10
  37. data/ext/openssl/ossl_x509store.c +40 -22
  38. data/lib/openssl/bn.rb +1 -1
  39. data/lib/openssl/buffering.rb +33 -17
  40. data/lib/openssl/cipher.rb +1 -1
  41. data/lib/openssl/config.rb +53 -26
  42. data/lib/openssl/digest.rb +10 -12
  43. data/lib/openssl/hmac.rb +13 -0
  44. data/lib/openssl/marshal.rb +30 -0
  45. data/lib/openssl/pkcs5.rb +1 -1
  46. data/lib/openssl/pkey.rb +18 -1
  47. data/lib/openssl/ssl.rb +46 -7
  48. data/lib/openssl/version.rb +5 -0
  49. data/lib/openssl/x509.rb +155 -1
  50. data/lib/openssl.rb +25 -9
  51. metadata +25 -9
  52. data/ext/openssl/deprecation.rb +0 -23
  53. data/ext/openssl/ossl_version.h +0 -15
@@ -13,6 +13,12 @@
13
13
 
14
14
  #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
15
15
 
16
+ #if !defined(TLS1_3_VERSION) && \
17
+ defined(LIBRESSL_VERSION_NUMBER) && \
18
+ LIBRESSL_VERSION_NUMBER >= 0x3020000fL
19
+ # define TLS1_3_VERSION 0x0304
20
+ #endif
21
+
16
22
  #ifdef _WIN32
17
23
  # define TO_SOCKET(s) _get_osfhandle(s)
18
24
  #else
@@ -33,7 +39,7 @@ static VALUE eSSLErrorWaitReadable;
33
39
  static VALUE eSSLErrorWaitWritable;
34
40
 
35
41
  static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
36
- id_npn_protocols_encoded;
42
+ id_npn_protocols_encoded, id_each;
37
43
  static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
38
44
 
39
45
  static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
@@ -53,6 +59,13 @@ static int ossl_sslctx_ex_ptr_idx;
53
59
  static int ossl_sslctx_ex_store_p;
54
60
  #endif
55
61
 
62
+ static void
63
+ ossl_sslctx_mark(void *ptr)
64
+ {
65
+ SSL_CTX *ctx = ptr;
66
+ rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
67
+ }
68
+
56
69
  static void
57
70
  ossl_sslctx_free(void *ptr)
58
71
  {
@@ -67,7 +80,7 @@ ossl_sslctx_free(void *ptr)
67
80
  static const rb_data_type_t ossl_sslctx_type = {
68
81
  "OpenSSL/SSL/CTX",
69
82
  {
70
- 0, ossl_sslctx_free,
83
+ ossl_sslctx_mark, ossl_sslctx_free,
71
84
  },
72
85
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
73
86
  };
@@ -184,8 +197,10 @@ ossl_sslctx_set_minmax_proto_version(VALUE self, VALUE min_v, VALUE max_v)
184
197
 
185
198
  for (i = 0; i < numberof(options_map); i++) {
186
199
  sum |= options_map[i].opts;
187
- if (min && min > options_map[i].ver || max && max < options_map[i].ver)
200
+ if ((min && min > options_map[i].ver) ||
201
+ (max && max < options_map[i].ver)) {
188
202
  opts |= options_map[i].opts;
203
+ }
189
204
  }
190
205
  SSL_CTX_clear_options(ctx, sum);
191
206
  SSL_CTX_set_options(ctx, opts);
@@ -357,7 +372,14 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
357
372
  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
358
373
  return 0;
359
374
  }
360
- preverify_ok = ret == Qtrue;
375
+ if (ret != Qtrue) {
376
+ preverify_ok = 0;
377
+ #if defined(X509_V_ERR_HOSTNAME_MISMATCH)
378
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
379
+ #else
380
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
381
+ #endif
382
+ }
361
383
  }
362
384
 
363
385
  return ossl_verify_cb_call(cb, preverify_ok, ctx);
@@ -378,7 +400,7 @@ ossl_call_session_get_cb(VALUE ary)
378
400
  }
379
401
 
380
402
  static SSL_SESSION *
381
- #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
403
+ #if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f)
382
404
  ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
383
405
  #else
384
406
  ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
@@ -590,7 +612,7 @@ ssl_renegotiation_cb(const SSL *ssl)
590
612
  #if !defined(OPENSSL_NO_NEXTPROTONEG) || \
591
613
  defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
592
614
  static VALUE
593
- ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
615
+ ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
594
616
  {
595
617
  int len = RSTRING_LENINT(cur);
596
618
  char len_byte;
@@ -607,7 +629,7 @@ static VALUE
607
629
  ssl_encode_npn_protocols(VALUE protocols)
608
630
  {
609
631
  VALUE encoded = rb_str_new(NULL, 0);
610
- rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
632
+ rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
611
633
  return encoded;
612
634
  }
613
635
 
@@ -677,7 +699,7 @@ static int
677
699
  ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
678
700
  void *arg)
679
701
  {
680
- VALUE protocols = (VALUE)arg;
702
+ VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
681
703
 
682
704
  *out = (const unsigned char *) RSTRING_PTR(protocols);
683
705
  *outlen = RSTRING_LENINT(protocols);
@@ -808,6 +830,10 @@ ossl_sslctx_setup(VALUE self)
808
830
  }
809
831
  #endif /* OPENSSL_NO_EC */
810
832
 
833
+ #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
834
+ SSL_CTX_set_post_handshake_auth(ctx, 1);
835
+ #endif
836
+
811
837
  val = rb_attr_get(self, id_i_cert_store);
812
838
  if (!NIL_P(val)) {
813
839
  X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
@@ -895,7 +921,7 @@ ossl_sslctx_setup(VALUE self)
895
921
  if (!NIL_P(val)) {
896
922
  VALUE encoded = ssl_encode_npn_protocols(val);
897
923
  rb_ivar_set(self, id_npn_protocols_encoded, encoded);
898
- SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
924
+ SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
899
925
  OSSL_Debug("SSL NPN advertise callback added");
900
926
  }
901
927
  if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
@@ -1513,6 +1539,14 @@ ssl_started(SSL *ssl)
1513
1539
  return SSL_get_fd(ssl) >= 0;
1514
1540
  }
1515
1541
 
1542
+ static void
1543
+ ossl_ssl_mark(void *ptr)
1544
+ {
1545
+ SSL *ssl = ptr;
1546
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
1547
+ rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
1548
+ }
1549
+
1516
1550
  static void
1517
1551
  ossl_ssl_free(void *ssl)
1518
1552
  {
@@ -1522,7 +1556,7 @@ ossl_ssl_free(void *ssl)
1522
1556
  const rb_data_type_t ossl_ssl_type = {
1523
1557
  "OpenSSL/SSL",
1524
1558
  {
1525
- 0, ossl_ssl_free,
1559
+ ossl_ssl_mark, ossl_ssl_free,
1526
1560
  },
1527
1561
  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
1528
1562
  };
@@ -1678,6 +1712,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
1678
1712
  rb_io_wait_readable(fptr->fd);
1679
1713
  continue;
1680
1714
  case SSL_ERROR_SYSCALL:
1715
+ #ifdef __APPLE__
1716
+ /* See ossl_ssl_write_internal() */
1717
+ if (errno == EPROTOTYPE)
1718
+ continue;
1719
+ #endif
1681
1720
  if (errno) rb_sys_fail(funcname);
1682
1721
  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1683
1722
  #if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
@@ -1826,7 +1865,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1826
1865
  else
1827
1866
  rb_str_modify_expand(str, ilen - RSTRING_LEN(str));
1828
1867
  }
1829
- OBJ_TAINT(str);
1830
1868
  rb_str_set_len(str, 0);
1831
1869
  if (ilen == 0)
1832
1870
  return str;
@@ -1835,26 +1873,36 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1835
1873
  io = rb_attr_get(self, id_i_io);
1836
1874
  GetOpenFile(io, fptr);
1837
1875
  if (ssl_started(ssl)) {
1838
- for (;;){
1876
+ rb_str_locktmp(str);
1877
+ for (;;) {
1839
1878
  nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
1840
1879
  switch(ssl_get_error(ssl, nread)){
1841
1880
  case SSL_ERROR_NONE:
1881
+ rb_str_unlocktmp(str);
1842
1882
  goto end;
1843
1883
  case SSL_ERROR_ZERO_RETURN:
1884
+ rb_str_unlocktmp(str);
1844
1885
  if (no_exception_p(opts)) { return Qnil; }
1845
1886
  rb_eof_error();
1846
1887
  case SSL_ERROR_WANT_WRITE:
1847
- if (no_exception_p(opts)) { return sym_wait_writable; }
1848
- write_would_block(nonblock);
1888
+ if (nonblock) {
1889
+ rb_str_unlocktmp(str);
1890
+ if (no_exception_p(opts)) { return sym_wait_writable; }
1891
+ write_would_block(nonblock);
1892
+ }
1849
1893
  rb_io_wait_writable(fptr->fd);
1850
1894
  continue;
1851
1895
  case SSL_ERROR_WANT_READ:
1852
- if (no_exception_p(opts)) { return sym_wait_readable; }
1853
- read_would_block(nonblock);
1896
+ if (nonblock) {
1897
+ rb_str_unlocktmp(str);
1898
+ if (no_exception_p(opts)) { return sym_wait_readable; }
1899
+ read_would_block(nonblock);
1900
+ }
1854
1901
  rb_io_wait_readable(fptr->fd);
1855
1902
  continue;
1856
1903
  case SSL_ERROR_SYSCALL:
1857
1904
  if (!ERR_peek_error()) {
1905
+ rb_str_unlocktmp(str);
1858
1906
  if (errno)
1859
1907
  rb_sys_fail(0);
1860
1908
  else {
@@ -1869,19 +1917,32 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1869
1917
  rb_eof_error();
1870
1918
  }
1871
1919
  }
1920
+ /* fall through */
1872
1921
  default:
1922
+ rb_str_unlocktmp(str);
1873
1923
  ossl_raise(eSSLError, "SSL_read");
1874
1924
  }
1875
1925
  }
1876
1926
  }
1877
1927
  else {
1878
- ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1879
-
1880
- rb_warning("SSL session is not started yet.");
1881
- if (nonblock)
1882
- return rb_funcall(io, meth, 3, len, str, opts);
1883
- else
1884
- return rb_funcall(io, meth, 2, len, str);
1928
+ ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1929
+
1930
+ rb_warning("SSL session is not started yet.");
1931
+ #if defined(RB_PASS_KEYWORDS)
1932
+ if (nonblock) {
1933
+ VALUE argv[3];
1934
+ argv[0] = len;
1935
+ argv[1] = str;
1936
+ argv[2] = opts;
1937
+ return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
1938
+ }
1939
+ #else
1940
+ if (nonblock) {
1941
+ return rb_funcall(io, meth, 3, len, str, opts);
1942
+ }
1943
+ #endif
1944
+ else
1945
+ return rb_funcall(io, meth, 2, len, str);
1885
1946
  }
1886
1947
 
1887
1948
  end:
@@ -1929,21 +1990,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1929
1990
  int nwrite = 0;
1930
1991
  rb_io_t *fptr;
1931
1992
  int nonblock = opts != Qfalse;
1932
- VALUE io;
1993
+ VALUE tmp, io;
1933
1994
 
1934
- StringValue(str);
1995
+ tmp = rb_str_new_frozen(StringValue(str));
1935
1996
  GetSSL(self, ssl);
1936
1997
  io = rb_attr_get(self, id_i_io);
1937
1998
  GetOpenFile(io, fptr);
1938
1999
  if (ssl_started(ssl)) {
1939
- for (;;){
1940
- int num = RSTRING_LENINT(str);
2000
+ for (;;) {
2001
+ int num = RSTRING_LENINT(tmp);
1941
2002
 
1942
2003
  /* SSL_write(3ssl) manpage states num == 0 is undefined */
1943
2004
  if (num == 0)
1944
2005
  goto end;
1945
2006
 
1946
- nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
2007
+ nwrite = SSL_write(ssl, RSTRING_PTR(tmp), num);
1947
2008
  switch(ssl_get_error(ssl, nwrite)){
1948
2009
  case SSL_ERROR_NONE:
1949
2010
  goto end;
@@ -1958,6 +2019,16 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1958
2019
  rb_io_wait_readable(fptr->fd);
1959
2020
  continue;
1960
2021
  case SSL_ERROR_SYSCALL:
2022
+ #ifdef __APPLE__
2023
+ /*
2024
+ * It appears that send syscall can return EPROTOTYPE if the
2025
+ * socket is being torn down. Retry to get a proper errno to
2026
+ * make the error handling in line with the socket library.
2027
+ * [Bug #14713] https://bugs.ruby-lang.org/issues/14713
2028
+ */
2029
+ if (errno == EPROTOTYPE)
2030
+ continue;
2031
+ #endif
1961
2032
  if (errno) rb_sys_fail(0);
1962
2033
  default:
1963
2034
  ossl_raise(eSSLError, "SSL_write");
@@ -1968,11 +2039,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
1968
2039
  ID meth = nonblock ?
1969
2040
  rb_intern("write_nonblock") : rb_intern("syswrite");
1970
2041
 
1971
- rb_warning("SSL session is not started yet.");
1972
- if (nonblock)
1973
- return rb_funcall(io, meth, 2, str, opts);
1974
- else
1975
- return rb_funcall(io, meth, 1, str);
2042
+ rb_warning("SSL session is not started yet.");
2043
+ #if defined(RB_PASS_KEYWORDS)
2044
+ if (nonblock) {
2045
+ VALUE argv[2];
2046
+ argv[0] = str;
2047
+ argv[1] = opts;
2048
+ return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
2049
+ }
2050
+ #else
2051
+ if (nonblock) {
2052
+ return rb_funcall(io, meth, 2, str, opts);
2053
+ }
2054
+ #endif
2055
+ else
2056
+ return rb_funcall(io, meth, 1, str);
1976
2057
  }
1977
2058
 
1978
2059
  end:
@@ -2275,7 +2356,57 @@ ossl_ssl_get_verify_result(VALUE self)
2275
2356
 
2276
2357
  GetSSL(self, ssl);
2277
2358
 
2278
- return INT2NUM(SSL_get_verify_result(ssl));
2359
+ return LONG2NUM(SSL_get_verify_result(ssl));
2360
+ }
2361
+
2362
+ /*
2363
+ * call-seq:
2364
+ * ssl.finished_message => "finished message"
2365
+ *
2366
+ * Returns the last *Finished* message sent
2367
+ *
2368
+ */
2369
+ static VALUE
2370
+ ossl_ssl_get_finished(VALUE self)
2371
+ {
2372
+ SSL *ssl;
2373
+ char sizer[1], *buf;
2374
+ size_t len;
2375
+
2376
+ GetSSL(self, ssl);
2377
+
2378
+ len = SSL_get_finished(ssl, sizer, 0);
2379
+ if (len == 0)
2380
+ return Qnil;
2381
+
2382
+ buf = ALLOCA_N(char, len);
2383
+ SSL_get_finished(ssl, buf, len);
2384
+ return rb_str_new(buf, len);
2385
+ }
2386
+
2387
+ /*
2388
+ * call-seq:
2389
+ * ssl.peer_finished_message => "peer finished message"
2390
+ *
2391
+ * Returns the last *Finished* message received
2392
+ *
2393
+ */
2394
+ static VALUE
2395
+ ossl_ssl_get_peer_finished(VALUE self)
2396
+ {
2397
+ SSL *ssl;
2398
+ char sizer[1], *buf;
2399
+ size_t len;
2400
+
2401
+ GetSSL(self, ssl);
2402
+
2403
+ len = SSL_get_peer_finished(ssl, sizer, 0);
2404
+ if (len == 0)
2405
+ return Qnil;
2406
+
2407
+ buf = ALLOCA_N(char, len);
2408
+ SSL_get_peer_finished(ssl, buf, len);
2409
+ return rb_str_new(buf, len);
2279
2410
  }
2280
2411
 
2281
2412
  /*
@@ -2372,8 +2503,6 @@ ossl_ssl_tmp_key(VALUE self)
2372
2503
  # endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
2373
2504
  #endif /* !defined(OPENSSL_NO_SOCK) */
2374
2505
 
2375
- #undef rb_intern
2376
- #define rb_intern(s) rb_intern_const(s)
2377
2506
  void
2378
2507
  Init_ossl_ssl(void)
2379
2508
  {
@@ -2384,8 +2513,8 @@ Init_ossl_ssl(void)
2384
2513
  rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
2385
2514
  #endif
2386
2515
 
2387
- id_call = rb_intern("call");
2388
- ID_callback_state = rb_intern("callback_state");
2516
+ id_call = rb_intern_const("call");
2517
+ ID_callback_state = rb_intern_const("callback_state");
2389
2518
 
2390
2519
  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
2391
2520
  if (ossl_ssl_ex_vcb_idx < 0)
@@ -2452,7 +2581,7 @@ Init_ossl_ssl(void)
2452
2581
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2453
2582
  * It is recommended to use #add_certificate instead.
2454
2583
  */
2455
- rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
2584
+ rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
2456
2585
 
2457
2586
  /*
2458
2587
  * Context private key
@@ -2460,29 +2589,29 @@ Init_ossl_ssl(void)
2460
2589
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2461
2590
  * It is recommended to use #add_certificate instead.
2462
2591
  */
2463
- rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
2592
+ rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
2464
2593
 
2465
2594
  /*
2466
2595
  * A certificate or Array of certificates that will be sent to the client.
2467
2596
  */
2468
- rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
2597
+ rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
2469
2598
 
2470
2599
  /*
2471
2600
  * The path to a file containing a PEM-format CA certificate
2472
2601
  */
2473
- rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
2602
+ rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
2474
2603
 
2475
2604
  /*
2476
2605
  * The path to a directory containing CA certificates in PEM format.
2477
2606
  *
2478
2607
  * Files are looked up by subject's X509 name's hash value.
2479
2608
  */
2480
- rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
2609
+ rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
2481
2610
 
2482
2611
  /*
2483
2612
  * Maximum session lifetime in seconds.
2484
2613
  */
2485
- rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
2614
+ rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
2486
2615
 
2487
2616
  /*
2488
2617
  * Session verification mode.
@@ -2495,12 +2624,12 @@ Init_ossl_ssl(void)
2495
2624
  *
2496
2625
  * See SSL_CTX_set_verify(3) for details.
2497
2626
  */
2498
- rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
2627
+ rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
2499
2628
 
2500
2629
  /*
2501
2630
  * Number of CA certificates to walk when verifying a certificate chain.
2502
2631
  */
2503
- rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
2632
+ rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
2504
2633
 
2505
2634
  /*
2506
2635
  * A callback for additional certificate verification. The callback is
@@ -2514,7 +2643,7 @@ Init_ossl_ssl(void)
2514
2643
  * If the callback returns +false+, the chain verification is immediately
2515
2644
  * stopped and a bad_certificate alert is then sent.
2516
2645
  */
2517
- rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
2646
+ rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
2518
2647
 
2519
2648
  /*
2520
2649
  * Whether to check the server certificate is valid for the hostname.
@@ -2522,12 +2651,12 @@ Init_ossl_ssl(void)
2522
2651
  * In order to make this work, verify_mode must be set to VERIFY_PEER and
2523
2652
  * the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
2524
2653
  */
2525
- rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
2654
+ rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
2526
2655
 
2527
2656
  /*
2528
2657
  * An OpenSSL::X509::Store used for certificate verification.
2529
2658
  */
2530
- rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
2659
+ rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
2531
2660
 
2532
2661
  /*
2533
2662
  * An Array of extra X509 certificates to be added to the certificate
@@ -2536,7 +2665,7 @@ Init_ossl_ssl(void)
2536
2665
  * The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
2537
2666
  * It is recommended to use #add_certificate instead.
2538
2667
  */
2539
- rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
2668
+ rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
2540
2669
 
2541
2670
  /*
2542
2671
  * A callback invoked when a client certificate is requested by a server
@@ -2546,7 +2675,7 @@ Init_ossl_ssl(void)
2546
2675
  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
2547
2676
  * other value is returned the handshake is suspended.
2548
2677
  */
2549
- rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
2678
+ rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
2550
2679
 
2551
2680
  #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
2552
2681
  /*
@@ -2559,7 +2688,7 @@ Init_ossl_ssl(void)
2559
2688
  * The callback is deprecated. This does not work with recent versions of
2560
2689
  * OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
2561
2690
  */
2562
- rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
2691
+ rb_attr(cSSLContext, rb_intern_const("tmp_ecdh_callback"), 1, 1, Qfalse);
2563
2692
  #endif
2564
2693
 
2565
2694
  /*
@@ -2567,7 +2696,7 @@ Init_ossl_ssl(void)
2567
2696
  * sessions for multiple applications to be distinguished, for example, by
2568
2697
  * name.
2569
2698
  */
2570
- rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
2699
+ rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
2571
2700
 
2572
2701
  /*
2573
2702
  * A callback invoked on a server when a session is proposed by the client
@@ -2576,7 +2705,7 @@ Init_ossl_ssl(void)
2576
2705
  * The callback is invoked with the SSLSocket and session id. The
2577
2706
  * callback may return a Session from an external cache.
2578
2707
  */
2579
- rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
2708
+ rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
2580
2709
 
2581
2710
  /*
2582
2711
  * A callback invoked when a new session was negotiated.
@@ -2584,7 +2713,7 @@ Init_ossl_ssl(void)
2584
2713
  * The callback is invoked with an SSLSocket. If +false+ is returned the
2585
2714
  * session will be removed from the internal cache.
2586
2715
  */
2587
- rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
2716
+ rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
2588
2717
 
2589
2718
  /*
2590
2719
  * A callback invoked when a session is removed from the internal cache.
@@ -2595,18 +2724,18 @@ Init_ossl_ssl(void)
2595
2724
  * multi-threaded application. The callback is called inside a global lock
2596
2725
  * and it can randomly cause deadlock on Ruby thread switching.
2597
2726
  */
2598
- rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
2727
+ rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
2599
2728
 
2600
2729
  rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
2601
2730
 
2602
2731
  /*
2603
- * A callback invoked whenever a new handshake is initiated. May be used
2604
- * to disable renegotiation entirely.
2732
+ * A callback invoked whenever a new handshake is initiated on an
2733
+ * established connection. May be used to disable renegotiation entirely.
2605
2734
  *
2606
2735
  * The callback is invoked with the active SSLSocket. The callback's
2607
- * return value is irrelevant, normal return indicates "approval" of the
2736
+ * return value is ignored. A normal return indicates "approval" of the
2608
2737
  * renegotiation and will continue the process. To forbid renegotiation
2609
- * and to cancel the process, an Error may be raised within the callback.
2738
+ * and to cancel the process, raise an exception within the callback.
2610
2739
  *
2611
2740
  * === Disable client renegotiation
2612
2741
  *
@@ -2614,13 +2743,11 @@ Init_ossl_ssl(void)
2614
2743
  * renegotiation entirely. You may use a callback as follows to implement
2615
2744
  * this feature:
2616
2745
  *
2617
- * num_handshakes = 0
2618
2746
  * ctx.renegotiation_cb = lambda do |ssl|
2619
- * num_handshakes += 1
2620
- * raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
2747
+ * raise RuntimeError, "Client renegotiation disabled"
2621
2748
  * end
2622
2749
  */
2623
- rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
2750
+ rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
2624
2751
  #ifndef OPENSSL_NO_NEXTPROTONEG
2625
2752
  /*
2626
2753
  * An Enumerable of Strings. Each String represents a protocol to be
@@ -2633,7 +2760,7 @@ Init_ossl_ssl(void)
2633
2760
  *
2634
2761
  * ctx.npn_protocols = ["http/1.1", "spdy/2"]
2635
2762
  */
2636
- rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
2763
+ rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
2637
2764
  /*
2638
2765
  * A callback invoked on the client side when the client needs to select
2639
2766
  * a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
@@ -2650,7 +2777,7 @@ Init_ossl_ssl(void)
2650
2777
  * protocols.first
2651
2778
  * end
2652
2779
  */
2653
- rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
2780
+ rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
2654
2781
  #endif
2655
2782
 
2656
2783
  #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@@ -2665,7 +2792,7 @@ Init_ossl_ssl(void)
2665
2792
  *
2666
2793
  * ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
2667
2794
  */
2668
- rb_attr(cSSLContext, rb_intern("alpn_protocols"), 1, 1, Qfalse);
2795
+ rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
2669
2796
  /*
2670
2797
  * A callback invoked on the server side when the server needs to select
2671
2798
  * a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
@@ -2682,7 +2809,7 @@ Init_ossl_ssl(void)
2682
2809
  * protocols.first
2683
2810
  * end
2684
2811
  */
2685
- rb_attr(cSSLContext, rb_intern("alpn_select_cb"), 1, 1, Qfalse);
2812
+ rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
2686
2813
  #endif
2687
2814
 
2688
2815
  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
@@ -2795,6 +2922,8 @@ Init_ossl_ssl(void)
2795
2922
  rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
2796
2923
  /* #hostname is defined in lib/openssl/ssl.rb */
2797
2924
  rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
2925
+ rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
2926
+ rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
2798
2927
  # ifdef HAVE_SSL_GET_SERVER_TMP_KEY
2799
2928
  rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
2800
2929
  # endif
@@ -2908,16 +3037,17 @@ Init_ossl_ssl(void)
2908
3037
  #endif
2909
3038
 
2910
3039
 
2911
- sym_exception = ID2SYM(rb_intern("exception"));
2912
- sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
2913
- sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
3040
+ sym_exception = ID2SYM(rb_intern_const("exception"));
3041
+ sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
3042
+ sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
2914
3043
 
2915
- id_tmp_dh_callback = rb_intern("tmp_dh_callback");
2916
- id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
2917
- id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
3044
+ id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
3045
+ id_tmp_ecdh_callback = rb_intern_const("tmp_ecdh_callback");
3046
+ id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
3047
+ id_each = rb_intern_const("each");
2918
3048
 
2919
3049
  #define DefIVarID(name) do \
2920
- id_i_##name = rb_intern("@"#name); while (0)
3050
+ id_i_##name = rb_intern_const("@"#name); while (0)
2921
3051
 
2922
3052
  DefIVarID(cert_store);
2923
3053
  DefIVarID(ca_file);