openssl 2.1.1 → 2.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +9 -7
- data/History.md +165 -0
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +51 -27
- data/ext/openssl/openssl_missing.h +39 -4
- data/ext/openssl/ossl.c +61 -27
- data/ext/openssl/ossl.h +8 -5
- data/ext/openssl/ossl_asn1.c +27 -1
- data/ext/openssl/ossl_bn.c +92 -24
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +33 -24
- data/ext/openssl/ossl_digest.c +22 -53
- data/ext/openssl/ossl_engine.c +2 -12
- data/ext/openssl/ossl_hmac.c +5 -11
- data/ext/openssl/ossl_kdf.c +3 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +6 -11
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +1 -0
- data/ext/openssl/ossl_pkcs7.c +4 -19
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +206 -17
- data/ext/openssl/ossl_pkey.h +6 -6
- data/ext/openssl/ossl_pkey_dh.c +1 -1
- data/ext/openssl/ossl_pkey_dsa.c +2 -2
- data/ext/openssl/ossl_pkey_ec.c +38 -8
- data/ext/openssl/ossl_pkey_rsa.c +17 -9
- data/ext/openssl/ossl_rand.c +2 -40
- data/ext/openssl/ossl_ssl.c +205 -75
- data/ext/openssl/ossl_ts.c +1524 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +91 -0
- data/ext/openssl/ossl_x509cert.c +2 -2
- data/ext/openssl/ossl_x509ext.c +15 -0
- data/ext/openssl/ossl_x509name.c +15 -10
- data/ext/openssl/ossl_x509store.c +40 -22
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +33 -17
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/config.rb +53 -26
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +13 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +18 -1
- data/lib/openssl/ssl.rb +46 -7
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +155 -1
- data/lib/openssl.rb +25 -9
- metadata +25 -9
- data/ext/openssl/deprecation.rb +0 -23
- data/ext/openssl/ossl_version.h +0 -15
data/ext/openssl/ossl_ssl.c
CHANGED
@@ -13,6 +13,12 @@
|
|
13
13
|
|
14
14
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
15
15
|
|
16
|
+
#if !defined(TLS1_3_VERSION) && \
|
17
|
+
defined(LIBRESSL_VERSION_NUMBER) && \
|
18
|
+
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
19
|
+
# define TLS1_3_VERSION 0x0304
|
20
|
+
#endif
|
21
|
+
|
16
22
|
#ifdef _WIN32
|
17
23
|
# define TO_SOCKET(s) _get_osfhandle(s)
|
18
24
|
#else
|
@@ -33,7 +39,7 @@ static VALUE eSSLErrorWaitReadable;
|
|
33
39
|
static VALUE eSSLErrorWaitWritable;
|
34
40
|
|
35
41
|
static ID id_call, ID_callback_state, id_tmp_dh_callback, id_tmp_ecdh_callback,
|
36
|
-
id_npn_protocols_encoded;
|
42
|
+
id_npn_protocols_encoded, id_each;
|
37
43
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
38
44
|
|
39
45
|
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
@@ -53,6 +59,13 @@ static int ossl_sslctx_ex_ptr_idx;
|
|
53
59
|
static int ossl_sslctx_ex_store_p;
|
54
60
|
#endif
|
55
61
|
|
62
|
+
static void
|
63
|
+
ossl_sslctx_mark(void *ptr)
|
64
|
+
{
|
65
|
+
SSL_CTX *ctx = ptr;
|
66
|
+
rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
|
67
|
+
}
|
68
|
+
|
56
69
|
static void
|
57
70
|
ossl_sslctx_free(void *ptr)
|
58
71
|
{
|
@@ -67,7 +80,7 @@ ossl_sslctx_free(void *ptr)
|
|
67
80
|
static const rb_data_type_t ossl_sslctx_type = {
|
68
81
|
"OpenSSL/SSL/CTX",
|
69
82
|
{
|
70
|
-
|
83
|
+
ossl_sslctx_mark, ossl_sslctx_free,
|
71
84
|
},
|
72
85
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
73
86
|
};
|
@@ -184,8 +197,10 @@ ossl_sslctx_set_minmax_proto_version(VALUE self, VALUE min_v, VALUE max_v)
|
|
184
197
|
|
185
198
|
for (i = 0; i < numberof(options_map); i++) {
|
186
199
|
sum |= options_map[i].opts;
|
187
|
-
|
200
|
+
if ((min && min > options_map[i].ver) ||
|
201
|
+
(max && max < options_map[i].ver)) {
|
188
202
|
opts |= options_map[i].opts;
|
203
|
+
}
|
189
204
|
}
|
190
205
|
SSL_CTX_clear_options(ctx, sum);
|
191
206
|
SSL_CTX_set_options(ctx, opts);
|
@@ -357,7 +372,14 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|
357
372
|
rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
|
358
373
|
return 0;
|
359
374
|
}
|
360
|
-
|
375
|
+
if (ret != Qtrue) {
|
376
|
+
preverify_ok = 0;
|
377
|
+
#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
|
378
|
+
X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
|
379
|
+
#else
|
380
|
+
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
|
381
|
+
#endif
|
382
|
+
}
|
361
383
|
}
|
362
384
|
|
363
385
|
return ossl_verify_cb_call(cb, preverify_ok, ctx);
|
@@ -378,7 +400,7 @@ ossl_call_session_get_cb(VALUE ary)
|
|
378
400
|
}
|
379
401
|
|
380
402
|
static SSL_SESSION *
|
381
|
-
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
403
|
+
#if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f)
|
382
404
|
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
|
383
405
|
#else
|
384
406
|
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
|
@@ -590,7 +612,7 @@ ssl_renegotiation_cb(const SSL *ssl)
|
|
590
612
|
#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
|
591
613
|
defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
592
614
|
static VALUE
|
593
|
-
ssl_npn_encode_protocol_i(
|
615
|
+
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
|
594
616
|
{
|
595
617
|
int len = RSTRING_LENINT(cur);
|
596
618
|
char len_byte;
|
@@ -607,7 +629,7 @@ static VALUE
|
|
607
629
|
ssl_encode_npn_protocols(VALUE protocols)
|
608
630
|
{
|
609
631
|
VALUE encoded = rb_str_new(NULL, 0);
|
610
|
-
|
632
|
+
rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
|
611
633
|
return encoded;
|
612
634
|
}
|
613
635
|
|
@@ -677,7 +699,7 @@ static int
|
|
677
699
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
678
700
|
void *arg)
|
679
701
|
{
|
680
|
-
VALUE protocols = (VALUE)arg;
|
702
|
+
VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
|
681
703
|
|
682
704
|
*out = (const unsigned char *) RSTRING_PTR(protocols);
|
683
705
|
*outlen = RSTRING_LENINT(protocols);
|
@@ -808,6 +830,10 @@ ossl_sslctx_setup(VALUE self)
|
|
808
830
|
}
|
809
831
|
#endif /* OPENSSL_NO_EC */
|
810
832
|
|
833
|
+
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
834
|
+
SSL_CTX_set_post_handshake_auth(ctx, 1);
|
835
|
+
#endif
|
836
|
+
|
811
837
|
val = rb_attr_get(self, id_i_cert_store);
|
812
838
|
if (!NIL_P(val)) {
|
813
839
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
@@ -895,7 +921,7 @@ ossl_sslctx_setup(VALUE self)
|
|
895
921
|
if (!NIL_P(val)) {
|
896
922
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
897
923
|
rb_ivar_set(self, id_npn_protocols_encoded, encoded);
|
898
|
-
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)
|
924
|
+
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
|
899
925
|
OSSL_Debug("SSL NPN advertise callback added");
|
900
926
|
}
|
901
927
|
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
|
@@ -1513,6 +1539,14 @@ ssl_started(SSL *ssl)
|
|
1513
1539
|
return SSL_get_fd(ssl) >= 0;
|
1514
1540
|
}
|
1515
1541
|
|
1542
|
+
static void
|
1543
|
+
ossl_ssl_mark(void *ptr)
|
1544
|
+
{
|
1545
|
+
SSL *ssl = ptr;
|
1546
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
|
1547
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
|
1548
|
+
}
|
1549
|
+
|
1516
1550
|
static void
|
1517
1551
|
ossl_ssl_free(void *ssl)
|
1518
1552
|
{
|
@@ -1522,7 +1556,7 @@ ossl_ssl_free(void *ssl)
|
|
1522
1556
|
const rb_data_type_t ossl_ssl_type = {
|
1523
1557
|
"OpenSSL/SSL",
|
1524
1558
|
{
|
1525
|
-
|
1559
|
+
ossl_ssl_mark, ossl_ssl_free,
|
1526
1560
|
},
|
1527
1561
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
1528
1562
|
};
|
@@ -1678,6 +1712,11 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1678
1712
|
rb_io_wait_readable(fptr->fd);
|
1679
1713
|
continue;
|
1680
1714
|
case SSL_ERROR_SYSCALL:
|
1715
|
+
#ifdef __APPLE__
|
1716
|
+
/* See ossl_ssl_write_internal() */
|
1717
|
+
if (errno == EPROTOTYPE)
|
1718
|
+
continue;
|
1719
|
+
#endif
|
1681
1720
|
if (errno) rb_sys_fail(funcname);
|
1682
1721
|
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
|
1683
1722
|
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
|
@@ -1826,7 +1865,6 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1826
1865
|
else
|
1827
1866
|
rb_str_modify_expand(str, ilen - RSTRING_LEN(str));
|
1828
1867
|
}
|
1829
|
-
OBJ_TAINT(str);
|
1830
1868
|
rb_str_set_len(str, 0);
|
1831
1869
|
if (ilen == 0)
|
1832
1870
|
return str;
|
@@ -1835,26 +1873,36 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1835
1873
|
io = rb_attr_get(self, id_i_io);
|
1836
1874
|
GetOpenFile(io, fptr);
|
1837
1875
|
if (ssl_started(ssl)) {
|
1838
|
-
|
1876
|
+
rb_str_locktmp(str);
|
1877
|
+
for (;;) {
|
1839
1878
|
nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
|
1840
1879
|
switch(ssl_get_error(ssl, nread)){
|
1841
1880
|
case SSL_ERROR_NONE:
|
1881
|
+
rb_str_unlocktmp(str);
|
1842
1882
|
goto end;
|
1843
1883
|
case SSL_ERROR_ZERO_RETURN:
|
1884
|
+
rb_str_unlocktmp(str);
|
1844
1885
|
if (no_exception_p(opts)) { return Qnil; }
|
1845
1886
|
rb_eof_error();
|
1846
1887
|
case SSL_ERROR_WANT_WRITE:
|
1847
|
-
|
1848
|
-
|
1888
|
+
if (nonblock) {
|
1889
|
+
rb_str_unlocktmp(str);
|
1890
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1891
|
+
write_would_block(nonblock);
|
1892
|
+
}
|
1849
1893
|
rb_io_wait_writable(fptr->fd);
|
1850
1894
|
continue;
|
1851
1895
|
case SSL_ERROR_WANT_READ:
|
1852
|
-
|
1853
|
-
|
1896
|
+
if (nonblock) {
|
1897
|
+
rb_str_unlocktmp(str);
|
1898
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1899
|
+
read_would_block(nonblock);
|
1900
|
+
}
|
1854
1901
|
rb_io_wait_readable(fptr->fd);
|
1855
1902
|
continue;
|
1856
1903
|
case SSL_ERROR_SYSCALL:
|
1857
1904
|
if (!ERR_peek_error()) {
|
1905
|
+
rb_str_unlocktmp(str);
|
1858
1906
|
if (errno)
|
1859
1907
|
rb_sys_fail(0);
|
1860
1908
|
else {
|
@@ -1869,19 +1917,32 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1869
1917
|
rb_eof_error();
|
1870
1918
|
}
|
1871
1919
|
}
|
1920
|
+
/* fall through */
|
1872
1921
|
default:
|
1922
|
+
rb_str_unlocktmp(str);
|
1873
1923
|
ossl_raise(eSSLError, "SSL_read");
|
1874
1924
|
}
|
1875
1925
|
}
|
1876
1926
|
}
|
1877
1927
|
else {
|
1878
|
-
|
1879
|
-
|
1880
|
-
|
1881
|
-
|
1882
|
-
|
1883
|
-
|
1884
|
-
|
1928
|
+
ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
|
1929
|
+
|
1930
|
+
rb_warning("SSL session is not started yet.");
|
1931
|
+
#if defined(RB_PASS_KEYWORDS)
|
1932
|
+
if (nonblock) {
|
1933
|
+
VALUE argv[3];
|
1934
|
+
argv[0] = len;
|
1935
|
+
argv[1] = str;
|
1936
|
+
argv[2] = opts;
|
1937
|
+
return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
|
1938
|
+
}
|
1939
|
+
#else
|
1940
|
+
if (nonblock) {
|
1941
|
+
return rb_funcall(io, meth, 3, len, str, opts);
|
1942
|
+
}
|
1943
|
+
#endif
|
1944
|
+
else
|
1945
|
+
return rb_funcall(io, meth, 2, len, str);
|
1885
1946
|
}
|
1886
1947
|
|
1887
1948
|
end:
|
@@ -1929,21 +1990,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1929
1990
|
int nwrite = 0;
|
1930
1991
|
rb_io_t *fptr;
|
1931
1992
|
int nonblock = opts != Qfalse;
|
1932
|
-
VALUE io;
|
1993
|
+
VALUE tmp, io;
|
1933
1994
|
|
1934
|
-
StringValue(str);
|
1995
|
+
tmp = rb_str_new_frozen(StringValue(str));
|
1935
1996
|
GetSSL(self, ssl);
|
1936
1997
|
io = rb_attr_get(self, id_i_io);
|
1937
1998
|
GetOpenFile(io, fptr);
|
1938
1999
|
if (ssl_started(ssl)) {
|
1939
|
-
for (;;){
|
1940
|
-
int num = RSTRING_LENINT(
|
2000
|
+
for (;;) {
|
2001
|
+
int num = RSTRING_LENINT(tmp);
|
1941
2002
|
|
1942
2003
|
/* SSL_write(3ssl) manpage states num == 0 is undefined */
|
1943
2004
|
if (num == 0)
|
1944
2005
|
goto end;
|
1945
2006
|
|
1946
|
-
nwrite = SSL_write(ssl, RSTRING_PTR(
|
2007
|
+
nwrite = SSL_write(ssl, RSTRING_PTR(tmp), num);
|
1947
2008
|
switch(ssl_get_error(ssl, nwrite)){
|
1948
2009
|
case SSL_ERROR_NONE:
|
1949
2010
|
goto end;
|
@@ -1958,6 +2019,16 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1958
2019
|
rb_io_wait_readable(fptr->fd);
|
1959
2020
|
continue;
|
1960
2021
|
case SSL_ERROR_SYSCALL:
|
2022
|
+
#ifdef __APPLE__
|
2023
|
+
/*
|
2024
|
+
* It appears that send syscall can return EPROTOTYPE if the
|
2025
|
+
* socket is being torn down. Retry to get a proper errno to
|
2026
|
+
* make the error handling in line with the socket library.
|
2027
|
+
* [Bug #14713] https://bugs.ruby-lang.org/issues/14713
|
2028
|
+
*/
|
2029
|
+
if (errno == EPROTOTYPE)
|
2030
|
+
continue;
|
2031
|
+
#endif
|
1961
2032
|
if (errno) rb_sys_fail(0);
|
1962
2033
|
default:
|
1963
2034
|
ossl_raise(eSSLError, "SSL_write");
|
@@ -1968,11 +2039,21 @@ ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1968
2039
|
ID meth = nonblock ?
|
1969
2040
|
rb_intern("write_nonblock") : rb_intern("syswrite");
|
1970
2041
|
|
1971
|
-
|
1972
|
-
|
1973
|
-
|
1974
|
-
|
1975
|
-
|
2042
|
+
rb_warning("SSL session is not started yet.");
|
2043
|
+
#if defined(RB_PASS_KEYWORDS)
|
2044
|
+
if (nonblock) {
|
2045
|
+
VALUE argv[2];
|
2046
|
+
argv[0] = str;
|
2047
|
+
argv[1] = opts;
|
2048
|
+
return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
|
2049
|
+
}
|
2050
|
+
#else
|
2051
|
+
if (nonblock) {
|
2052
|
+
return rb_funcall(io, meth, 2, str, opts);
|
2053
|
+
}
|
2054
|
+
#endif
|
2055
|
+
else
|
2056
|
+
return rb_funcall(io, meth, 1, str);
|
1976
2057
|
}
|
1977
2058
|
|
1978
2059
|
end:
|
@@ -2275,7 +2356,57 @@ ossl_ssl_get_verify_result(VALUE self)
|
|
2275
2356
|
|
2276
2357
|
GetSSL(self, ssl);
|
2277
2358
|
|
2278
|
-
return
|
2359
|
+
return LONG2NUM(SSL_get_verify_result(ssl));
|
2360
|
+
}
|
2361
|
+
|
2362
|
+
/*
|
2363
|
+
* call-seq:
|
2364
|
+
* ssl.finished_message => "finished message"
|
2365
|
+
*
|
2366
|
+
* Returns the last *Finished* message sent
|
2367
|
+
*
|
2368
|
+
*/
|
2369
|
+
static VALUE
|
2370
|
+
ossl_ssl_get_finished(VALUE self)
|
2371
|
+
{
|
2372
|
+
SSL *ssl;
|
2373
|
+
char sizer[1], *buf;
|
2374
|
+
size_t len;
|
2375
|
+
|
2376
|
+
GetSSL(self, ssl);
|
2377
|
+
|
2378
|
+
len = SSL_get_finished(ssl, sizer, 0);
|
2379
|
+
if (len == 0)
|
2380
|
+
return Qnil;
|
2381
|
+
|
2382
|
+
buf = ALLOCA_N(char, len);
|
2383
|
+
SSL_get_finished(ssl, buf, len);
|
2384
|
+
return rb_str_new(buf, len);
|
2385
|
+
}
|
2386
|
+
|
2387
|
+
/*
|
2388
|
+
* call-seq:
|
2389
|
+
* ssl.peer_finished_message => "peer finished message"
|
2390
|
+
*
|
2391
|
+
* Returns the last *Finished* message received
|
2392
|
+
*
|
2393
|
+
*/
|
2394
|
+
static VALUE
|
2395
|
+
ossl_ssl_get_peer_finished(VALUE self)
|
2396
|
+
{
|
2397
|
+
SSL *ssl;
|
2398
|
+
char sizer[1], *buf;
|
2399
|
+
size_t len;
|
2400
|
+
|
2401
|
+
GetSSL(self, ssl);
|
2402
|
+
|
2403
|
+
len = SSL_get_peer_finished(ssl, sizer, 0);
|
2404
|
+
if (len == 0)
|
2405
|
+
return Qnil;
|
2406
|
+
|
2407
|
+
buf = ALLOCA_N(char, len);
|
2408
|
+
SSL_get_peer_finished(ssl, buf, len);
|
2409
|
+
return rb_str_new(buf, len);
|
2279
2410
|
}
|
2280
2411
|
|
2281
2412
|
/*
|
@@ -2372,8 +2503,6 @@ ossl_ssl_tmp_key(VALUE self)
|
|
2372
2503
|
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
|
2373
2504
|
#endif /* !defined(OPENSSL_NO_SOCK) */
|
2374
2505
|
|
2375
|
-
#undef rb_intern
|
2376
|
-
#define rb_intern(s) rb_intern_const(s)
|
2377
2506
|
void
|
2378
2507
|
Init_ossl_ssl(void)
|
2379
2508
|
{
|
@@ -2384,8 +2513,8 @@ Init_ossl_ssl(void)
|
|
2384
2513
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
2385
2514
|
#endif
|
2386
2515
|
|
2387
|
-
id_call =
|
2388
|
-
ID_callback_state =
|
2516
|
+
id_call = rb_intern_const("call");
|
2517
|
+
ID_callback_state = rb_intern_const("callback_state");
|
2389
2518
|
|
2390
2519
|
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
|
2391
2520
|
if (ossl_ssl_ex_vcb_idx < 0)
|
@@ -2452,7 +2581,7 @@ Init_ossl_ssl(void)
|
|
2452
2581
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2453
2582
|
* It is recommended to use #add_certificate instead.
|
2454
2583
|
*/
|
2455
|
-
rb_attr(cSSLContext,
|
2584
|
+
rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
|
2456
2585
|
|
2457
2586
|
/*
|
2458
2587
|
* Context private key
|
@@ -2460,29 +2589,29 @@ Init_ossl_ssl(void)
|
|
2460
2589
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2461
2590
|
* It is recommended to use #add_certificate instead.
|
2462
2591
|
*/
|
2463
|
-
rb_attr(cSSLContext,
|
2592
|
+
rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
|
2464
2593
|
|
2465
2594
|
/*
|
2466
2595
|
* A certificate or Array of certificates that will be sent to the client.
|
2467
2596
|
*/
|
2468
|
-
rb_attr(cSSLContext,
|
2597
|
+
rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
|
2469
2598
|
|
2470
2599
|
/*
|
2471
2600
|
* The path to a file containing a PEM-format CA certificate
|
2472
2601
|
*/
|
2473
|
-
rb_attr(cSSLContext,
|
2602
|
+
rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
|
2474
2603
|
|
2475
2604
|
/*
|
2476
2605
|
* The path to a directory containing CA certificates in PEM format.
|
2477
2606
|
*
|
2478
2607
|
* Files are looked up by subject's X509 name's hash value.
|
2479
2608
|
*/
|
2480
|
-
rb_attr(cSSLContext,
|
2609
|
+
rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
|
2481
2610
|
|
2482
2611
|
/*
|
2483
2612
|
* Maximum session lifetime in seconds.
|
2484
2613
|
*/
|
2485
|
-
rb_attr(cSSLContext,
|
2614
|
+
rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
|
2486
2615
|
|
2487
2616
|
/*
|
2488
2617
|
* Session verification mode.
|
@@ -2495,12 +2624,12 @@ Init_ossl_ssl(void)
|
|
2495
2624
|
*
|
2496
2625
|
* See SSL_CTX_set_verify(3) for details.
|
2497
2626
|
*/
|
2498
|
-
rb_attr(cSSLContext,
|
2627
|
+
rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
|
2499
2628
|
|
2500
2629
|
/*
|
2501
2630
|
* Number of CA certificates to walk when verifying a certificate chain.
|
2502
2631
|
*/
|
2503
|
-
rb_attr(cSSLContext,
|
2632
|
+
rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
|
2504
2633
|
|
2505
2634
|
/*
|
2506
2635
|
* A callback for additional certificate verification. The callback is
|
@@ -2514,7 +2643,7 @@ Init_ossl_ssl(void)
|
|
2514
2643
|
* If the callback returns +false+, the chain verification is immediately
|
2515
2644
|
* stopped and a bad_certificate alert is then sent.
|
2516
2645
|
*/
|
2517
|
-
rb_attr(cSSLContext,
|
2646
|
+
rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
|
2518
2647
|
|
2519
2648
|
/*
|
2520
2649
|
* Whether to check the server certificate is valid for the hostname.
|
@@ -2522,12 +2651,12 @@ Init_ossl_ssl(void)
|
|
2522
2651
|
* In order to make this work, verify_mode must be set to VERIFY_PEER and
|
2523
2652
|
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
|
2524
2653
|
*/
|
2525
|
-
rb_attr(cSSLContext,
|
2654
|
+
rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
|
2526
2655
|
|
2527
2656
|
/*
|
2528
2657
|
* An OpenSSL::X509::Store used for certificate verification.
|
2529
2658
|
*/
|
2530
|
-
rb_attr(cSSLContext,
|
2659
|
+
rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
|
2531
2660
|
|
2532
2661
|
/*
|
2533
2662
|
* An Array of extra X509 certificates to be added to the certificate
|
@@ -2536,7 +2665,7 @@ Init_ossl_ssl(void)
|
|
2536
2665
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2537
2666
|
* It is recommended to use #add_certificate instead.
|
2538
2667
|
*/
|
2539
|
-
rb_attr(cSSLContext,
|
2668
|
+
rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
|
2540
2669
|
|
2541
2670
|
/*
|
2542
2671
|
* A callback invoked when a client certificate is requested by a server
|
@@ -2546,7 +2675,7 @@ Init_ossl_ssl(void)
|
|
2546
2675
|
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
|
2547
2676
|
* other value is returned the handshake is suspended.
|
2548
2677
|
*/
|
2549
|
-
rb_attr(cSSLContext,
|
2678
|
+
rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
|
2550
2679
|
|
2551
2680
|
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
2552
2681
|
/*
|
@@ -2559,7 +2688,7 @@ Init_ossl_ssl(void)
|
|
2559
2688
|
* The callback is deprecated. This does not work with recent versions of
|
2560
2689
|
* OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
|
2561
2690
|
*/
|
2562
|
-
rb_attr(cSSLContext,
|
2691
|
+
rb_attr(cSSLContext, rb_intern_const("tmp_ecdh_callback"), 1, 1, Qfalse);
|
2563
2692
|
#endif
|
2564
2693
|
|
2565
2694
|
/*
|
@@ -2567,7 +2696,7 @@ Init_ossl_ssl(void)
|
|
2567
2696
|
* sessions for multiple applications to be distinguished, for example, by
|
2568
2697
|
* name.
|
2569
2698
|
*/
|
2570
|
-
rb_attr(cSSLContext,
|
2699
|
+
rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
|
2571
2700
|
|
2572
2701
|
/*
|
2573
2702
|
* A callback invoked on a server when a session is proposed by the client
|
@@ -2576,7 +2705,7 @@ Init_ossl_ssl(void)
|
|
2576
2705
|
* The callback is invoked with the SSLSocket and session id. The
|
2577
2706
|
* callback may return a Session from an external cache.
|
2578
2707
|
*/
|
2579
|
-
rb_attr(cSSLContext,
|
2708
|
+
rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
|
2580
2709
|
|
2581
2710
|
/*
|
2582
2711
|
* A callback invoked when a new session was negotiated.
|
@@ -2584,7 +2713,7 @@ Init_ossl_ssl(void)
|
|
2584
2713
|
* The callback is invoked with an SSLSocket. If +false+ is returned the
|
2585
2714
|
* session will be removed from the internal cache.
|
2586
2715
|
*/
|
2587
|
-
rb_attr(cSSLContext,
|
2716
|
+
rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
|
2588
2717
|
|
2589
2718
|
/*
|
2590
2719
|
* A callback invoked when a session is removed from the internal cache.
|
@@ -2595,18 +2724,18 @@ Init_ossl_ssl(void)
|
|
2595
2724
|
* multi-threaded application. The callback is called inside a global lock
|
2596
2725
|
* and it can randomly cause deadlock on Ruby thread switching.
|
2597
2726
|
*/
|
2598
|
-
rb_attr(cSSLContext,
|
2727
|
+
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
2599
2728
|
|
2600
2729
|
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
2601
2730
|
|
2602
2731
|
/*
|
2603
|
-
* A callback invoked whenever a new handshake is initiated
|
2604
|
-
* to disable renegotiation entirely.
|
2732
|
+
* A callback invoked whenever a new handshake is initiated on an
|
2733
|
+
* established connection. May be used to disable renegotiation entirely.
|
2605
2734
|
*
|
2606
2735
|
* The callback is invoked with the active SSLSocket. The callback's
|
2607
|
-
* return value is
|
2736
|
+
* return value is ignored. A normal return indicates "approval" of the
|
2608
2737
|
* renegotiation and will continue the process. To forbid renegotiation
|
2609
|
-
* and to cancel the process, an
|
2738
|
+
* and to cancel the process, raise an exception within the callback.
|
2610
2739
|
*
|
2611
2740
|
* === Disable client renegotiation
|
2612
2741
|
*
|
@@ -2614,13 +2743,11 @@ Init_ossl_ssl(void)
|
|
2614
2743
|
* renegotiation entirely. You may use a callback as follows to implement
|
2615
2744
|
* this feature:
|
2616
2745
|
*
|
2617
|
-
* num_handshakes = 0
|
2618
2746
|
* ctx.renegotiation_cb = lambda do |ssl|
|
2619
|
-
*
|
2620
|
-
* raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
|
2747
|
+
* raise RuntimeError, "Client renegotiation disabled"
|
2621
2748
|
* end
|
2622
2749
|
*/
|
2623
|
-
rb_attr(cSSLContext,
|
2750
|
+
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
2624
2751
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2625
2752
|
/*
|
2626
2753
|
* An Enumerable of Strings. Each String represents a protocol to be
|
@@ -2633,7 +2760,7 @@ Init_ossl_ssl(void)
|
|
2633
2760
|
*
|
2634
2761
|
* ctx.npn_protocols = ["http/1.1", "spdy/2"]
|
2635
2762
|
*/
|
2636
|
-
rb_attr(cSSLContext,
|
2763
|
+
rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
|
2637
2764
|
/*
|
2638
2765
|
* A callback invoked on the client side when the client needs to select
|
2639
2766
|
* a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
|
@@ -2650,7 +2777,7 @@ Init_ossl_ssl(void)
|
|
2650
2777
|
* protocols.first
|
2651
2778
|
* end
|
2652
2779
|
*/
|
2653
|
-
rb_attr(cSSLContext,
|
2780
|
+
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
|
2654
2781
|
#endif
|
2655
2782
|
|
2656
2783
|
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
@@ -2665,7 +2792,7 @@ Init_ossl_ssl(void)
|
|
2665
2792
|
*
|
2666
2793
|
* ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
|
2667
2794
|
*/
|
2668
|
-
rb_attr(cSSLContext,
|
2795
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
|
2669
2796
|
/*
|
2670
2797
|
* A callback invoked on the server side when the server needs to select
|
2671
2798
|
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
|
@@ -2682,7 +2809,7 @@ Init_ossl_ssl(void)
|
|
2682
2809
|
* protocols.first
|
2683
2810
|
* end
|
2684
2811
|
*/
|
2685
|
-
rb_attr(cSSLContext,
|
2812
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
2686
2813
|
#endif
|
2687
2814
|
|
2688
2815
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
@@ -2795,6 +2922,8 @@ Init_ossl_ssl(void)
|
|
2795
2922
|
rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
|
2796
2923
|
/* #hostname is defined in lib/openssl/ssl.rb */
|
2797
2924
|
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
|
2925
|
+
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
|
2926
|
+
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
2798
2927
|
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
2799
2928
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
2800
2929
|
# endif
|
@@ -2908,16 +3037,17 @@ Init_ossl_ssl(void)
|
|
2908
3037
|
#endif
|
2909
3038
|
|
2910
3039
|
|
2911
|
-
sym_exception = ID2SYM(
|
2912
|
-
sym_wait_readable = ID2SYM(
|
2913
|
-
sym_wait_writable = ID2SYM(
|
3040
|
+
sym_exception = ID2SYM(rb_intern_const("exception"));
|
3041
|
+
sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
|
3042
|
+
sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
|
2914
3043
|
|
2915
|
-
id_tmp_dh_callback =
|
2916
|
-
id_tmp_ecdh_callback =
|
2917
|
-
id_npn_protocols_encoded =
|
3044
|
+
id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
|
3045
|
+
id_tmp_ecdh_callback = rb_intern_const("tmp_ecdh_callback");
|
3046
|
+
id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
|
3047
|
+
id_each = rb_intern_const("each");
|
2918
3048
|
|
2919
3049
|
#define DefIVarID(name) do \
|
2920
|
-
id_i_##name =
|
3050
|
+
id_i_##name = rb_intern_const("@"#name); while (0)
|
2921
3051
|
|
2922
3052
|
DefIVarID(cert_store);
|
2923
3053
|
DefIVarID(ca_file);
|