openssl 2.1.3 → 3.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +35 -45
- data/History.md +266 -1
- data/README.md +2 -2
- data/ext/openssl/extconf.rb +46 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +59 -43
- data/ext/openssl/ossl.c +110 -64
- data/ext/openssl/ossl.h +27 -10
- data/ext/openssl/ossl_asn1.c +41 -4
- data/ext/openssl/ossl_bn.c +251 -134
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +38 -29
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +25 -60
- data/ext/openssl/ossl_engine.c +18 -27
- data/ext/openssl/ossl_hmac.c +60 -145
- data/ext/openssl/ossl_kdf.c +11 -19
- data/ext/openssl/ossl_ns_spki.c +1 -1
- data/ext/openssl/ossl_ocsp.c +9 -62
- data/ext/openssl/ossl_ocsp.h +3 -3
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +45 -78
- data/ext/openssl/ossl_pkcs7.h +16 -0
- data/ext/openssl/ossl_pkey.c +1295 -178
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +186 -329
- data/ext/openssl/ossl_pkey_rsa.c +105 -484
- data/ext/openssl/ossl_rand.c +2 -32
- data/ext/openssl/ossl_ssl.c +347 -394
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +1539 -0
- data/ext/openssl/ossl_ts.h +16 -0
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +169 -13
- data/ext/openssl/ossl_x509crl.c +13 -10
- data/ext/openssl/ossl_x509ext.c +15 -2
- data/ext/openssl/ossl_x509name.c +15 -4
- data/ext/openssl/ossl_x509req.c +13 -10
- data/ext/openssl/ossl_x509revoked.c +3 -3
- data/ext/openssl/ossl_x509store.c +154 -70
- data/lib/openssl/bn.rb +1 -1
- data/lib/openssl/buffering.rb +37 -5
- data/lib/openssl/cipher.rb +1 -1
- data/lib/openssl/digest.rb +10 -12
- data/lib/openssl/hmac.rb +78 -0
- data/lib/openssl/marshal.rb +30 -0
- data/lib/openssl/pkcs5.rb +1 -1
- data/lib/openssl/pkey.rb +443 -1
- data/lib/openssl/ssl.rb +47 -9
- data/lib/openssl/version.rb +5 -0
- data/lib/openssl/x509.rb +177 -1
- data/lib/openssl.rb +24 -9
- metadata +10 -79
- data/ext/openssl/deprecation.rb +0 -27
- data/ext/openssl/ossl_version.h +0 -15
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -492
data/ext/openssl/ossl_ssl.c
CHANGED
@@ -38,14 +38,14 @@ VALUE cSSLSocket;
|
|
38
38
|
static VALUE eSSLErrorWaitReadable;
|
39
39
|
static VALUE eSSLErrorWaitWritable;
|
40
40
|
|
41
|
-
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
41
|
+
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
42
42
|
id_npn_protocols_encoded, id_each;
|
43
43
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
44
44
|
|
45
45
|
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
46
46
|
id_i_verify_depth, id_i_verify_callback, id_i_client_ca,
|
47
47
|
id_i_renegotiation_cb, id_i_cert, id_i_key, id_i_extra_chain_cert,
|
48
|
-
id_i_client_cert_cb,
|
48
|
+
id_i_client_cert_cb, id_i_timeout,
|
49
49
|
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
50
50
|
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
51
51
|
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
@@ -55,9 +55,6 @@ static ID id_i_io, id_i_context, id_i_hostname;
|
|
55
55
|
static int ossl_ssl_ex_vcb_idx;
|
56
56
|
static int ossl_ssl_ex_ptr_idx;
|
57
57
|
static int ossl_sslctx_ex_ptr_idx;
|
58
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
59
|
-
static int ossl_sslctx_ex_store_p;
|
60
|
-
#endif
|
61
58
|
|
62
59
|
static void
|
63
60
|
ossl_sslctx_mark(void *ptr)
|
@@ -69,12 +66,7 @@ ossl_sslctx_mark(void *ptr)
|
|
69
66
|
static void
|
70
67
|
ossl_sslctx_free(void *ptr)
|
71
68
|
{
|
72
|
-
|
73
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
74
|
-
if (ctx && SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_store_p))
|
75
|
-
ctx->cert_store = NULL;
|
76
|
-
#endif
|
77
|
-
SSL_CTX_free(ctx);
|
69
|
+
SSL_CTX_free(ptr);
|
78
70
|
}
|
79
71
|
|
80
72
|
static const rb_data_type_t ossl_sslctx_type = {
|
@@ -96,7 +88,7 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
96
88
|
VALUE obj;
|
97
89
|
|
98
90
|
obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
|
99
|
-
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
91
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
|
100
92
|
ctx = SSL_CTX_new(TLS_method());
|
101
93
|
#else
|
102
94
|
ctx = SSL_CTX_new(SSLv23_method());
|
@@ -108,14 +100,15 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
108
100
|
RTYPEDDATA_DATA(obj) = ctx;
|
109
101
|
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
|
110
102
|
|
111
|
-
#if !defined(OPENSSL_NO_EC) &&
|
103
|
+
#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
|
104
|
+
!defined(LIBRESSL_VERSION_NUMBER)
|
112
105
|
/* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
|
113
106
|
* allows to specify multiple curve names and OpenSSL will select
|
114
107
|
* automatically from them. In OpenSSL 1.0.2, the automatic selection has to
|
115
|
-
* be enabled explicitly.
|
116
|
-
* always enabled. To uniform the behavior, we enable the
|
117
|
-
* selection also in 1.0.2. Users can still disable ECDH by
|
118
|
-
* cipher suites by SSLContext#ciphers=. */
|
108
|
+
* be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
|
109
|
+
* and it is always enabled. To uniform the behavior, we enable the
|
110
|
+
* automatic selection also in 1.0.2. Users can still disable ECDH by
|
111
|
+
* removing ECDH cipher suites by SSLContext#ciphers=. */
|
119
112
|
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
|
120
113
|
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
121
114
|
#endif
|
@@ -244,8 +237,7 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
|
244
237
|
return 1;
|
245
238
|
}
|
246
239
|
|
247
|
-
#if !defined(OPENSSL_NO_DH)
|
248
|
-
!defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
240
|
+
#if !defined(OPENSSL_NO_DH)
|
249
241
|
struct tmp_dh_callback_args {
|
250
242
|
VALUE ssl_obj;
|
251
243
|
ID id;
|
@@ -254,22 +246,23 @@ struct tmp_dh_callback_args {
|
|
254
246
|
int keylength;
|
255
247
|
};
|
256
248
|
|
257
|
-
static
|
258
|
-
ossl_call_tmp_dh_callback(
|
249
|
+
static VALUE
|
250
|
+
ossl_call_tmp_dh_callback(VALUE arg)
|
259
251
|
{
|
252
|
+
struct tmp_dh_callback_args *args = (struct tmp_dh_callback_args *)arg;
|
260
253
|
VALUE cb, dh;
|
261
254
|
EVP_PKEY *pkey;
|
262
255
|
|
263
256
|
cb = rb_funcall(args->ssl_obj, args->id, 0);
|
264
257
|
if (NIL_P(cb))
|
265
|
-
return NULL;
|
258
|
+
return (VALUE)NULL;
|
266
259
|
dh = rb_funcall(cb, id_call, 3, args->ssl_obj, INT2NUM(args->is_export),
|
267
260
|
INT2NUM(args->keylength));
|
268
261
|
pkey = GetPKeyPtr(dh);
|
269
262
|
if (EVP_PKEY_base_id(pkey) != args->type)
|
270
|
-
return NULL;
|
263
|
+
return (VALUE)NULL;
|
271
264
|
|
272
|
-
return pkey;
|
265
|
+
return (VALUE)pkey;
|
273
266
|
}
|
274
267
|
#endif
|
275
268
|
|
@@ -289,7 +282,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
289
282
|
args.keylength = keylength;
|
290
283
|
args.type = EVP_PKEY_DH;
|
291
284
|
|
292
|
-
pkey = (EVP_PKEY *)rb_protect(
|
285
|
+
pkey = (EVP_PKEY *)rb_protect(ossl_call_tmp_dh_callback,
|
293
286
|
(VALUE)&args, &state);
|
294
287
|
if (state) {
|
295
288
|
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
@@ -302,35 +295,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
302
295
|
}
|
303
296
|
#endif /* OPENSSL_NO_DH */
|
304
297
|
|
305
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
306
|
-
static EC_KEY *
|
307
|
-
ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
|
308
|
-
{
|
309
|
-
VALUE rb_ssl;
|
310
|
-
EVP_PKEY *pkey;
|
311
|
-
struct tmp_dh_callback_args args;
|
312
|
-
int state;
|
313
|
-
|
314
|
-
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
315
|
-
args.ssl_obj = rb_ssl;
|
316
|
-
args.id = id_tmp_ecdh_callback;
|
317
|
-
args.is_export = is_export;
|
318
|
-
args.keylength = keylength;
|
319
|
-
args.type = EVP_PKEY_EC;
|
320
|
-
|
321
|
-
pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
|
322
|
-
(VALUE)&args, &state);
|
323
|
-
if (state) {
|
324
|
-
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
325
|
-
return NULL;
|
326
|
-
}
|
327
|
-
if (!pkey)
|
328
|
-
return NULL;
|
329
|
-
|
330
|
-
return EVP_PKEY_get0_EC_KEY(pkey);
|
331
|
-
}
|
332
|
-
#endif
|
333
|
-
|
334
298
|
static VALUE
|
335
299
|
call_verify_certificate_identity(VALUE ctx_v)
|
336
300
|
{
|
@@ -400,7 +364,7 @@ ossl_call_session_get_cb(VALUE ary)
|
|
400
364
|
}
|
401
365
|
|
402
366
|
static SSL_SESSION *
|
403
|
-
#if
|
367
|
+
#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
|
404
368
|
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
|
405
369
|
#else
|
406
370
|
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
|
@@ -609,8 +573,6 @@ ssl_renegotiation_cb(const SSL *ssl)
|
|
609
573
|
rb_funcallv(cb, id_call, 1, &ssl_obj);
|
610
574
|
}
|
611
575
|
|
612
|
-
#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
|
613
|
-
defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
614
576
|
static VALUE
|
615
577
|
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
|
616
578
|
{
|
@@ -692,7 +654,6 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
692
654
|
|
693
655
|
return SSL_TLSEXT_ERR_OK;
|
694
656
|
}
|
695
|
-
#endif
|
696
657
|
|
697
658
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
698
659
|
static int
|
@@ -721,7 +682,6 @@ ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
|
721
682
|
}
|
722
683
|
#endif
|
723
684
|
|
724
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
725
685
|
static int
|
726
686
|
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
727
687
|
const unsigned char *in, unsigned int inlen, void *arg)
|
@@ -733,7 +693,6 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
733
693
|
|
734
694
|
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
|
735
695
|
}
|
736
|
-
#endif
|
737
696
|
|
738
697
|
/* This function may serve as the entry point to support further callbacks. */
|
739
698
|
static void
|
@@ -810,41 +769,15 @@ ossl_sslctx_setup(VALUE self)
|
|
810
769
|
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
|
811
770
|
#endif
|
812
771
|
|
813
|
-
#
|
814
|
-
|
815
|
-
|
816
|
-
if (RTEST(rb_attr_get(self, id_i_tmp_ecdh_callback))) {
|
817
|
-
# if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
818
|
-
rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead");
|
819
|
-
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
|
820
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
821
|
-
/* tmp_ecdh_callback and ecdh_auto conflict; OpenSSL ignores
|
822
|
-
* tmp_ecdh_callback. So disable ecdh_auto. */
|
823
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
824
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
825
|
-
# endif
|
826
|
-
# else
|
827
|
-
ossl_raise(eSSLError, "OpenSSL does not support tmp_ecdh_callback; "
|
828
|
-
"use #ecdh_curves= instead");
|
829
|
-
# endif
|
830
|
-
}
|
831
|
-
#endif /* OPENSSL_NO_EC */
|
772
|
+
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
773
|
+
SSL_CTX_set_post_handshake_auth(ctx, 1);
|
774
|
+
#endif
|
832
775
|
|
833
776
|
val = rb_attr_get(self, id_i_cert_store);
|
834
777
|
if (!NIL_P(val)) {
|
835
778
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
836
779
|
SSL_CTX_set_cert_store(ctx, store);
|
837
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
838
|
-
/*
|
839
|
-
* WORKAROUND:
|
840
|
-
* X509_STORE can count references, but
|
841
|
-
* X509_STORE_free() doesn't care it.
|
842
|
-
* So we won't increment it but mark it by ex_data.
|
843
|
-
*/
|
844
|
-
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx);
|
845
|
-
#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
|
846
780
|
X509_STORE_up_ref(store);
|
847
|
-
#endif
|
848
781
|
}
|
849
782
|
|
850
783
|
val = rb_attr_get(self, id_i_extra_chain_cert);
|
@@ -895,10 +828,17 @@ ossl_sslctx_setup(VALUE self)
|
|
895
828
|
ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
|
896
829
|
val = rb_attr_get(self, id_i_ca_path);
|
897
830
|
ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
|
831
|
+
#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
|
832
|
+
if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
|
833
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
|
834
|
+
if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
|
835
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
|
836
|
+
#else
|
898
837
|
if(ca_file || ca_path){
|
899
838
|
if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
|
900
839
|
rb_warning("can't set verify locations");
|
901
840
|
}
|
841
|
+
#endif
|
902
842
|
|
903
843
|
val = rb_attr_get(self, id_i_verify_mode);
|
904
844
|
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
|
@@ -926,7 +866,6 @@ ossl_sslctx_setup(VALUE self)
|
|
926
866
|
}
|
927
867
|
#endif
|
928
868
|
|
929
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
930
869
|
val = rb_attr_get(self, id_i_alpn_protocols);
|
931
870
|
if (!NIL_P(val)) {
|
932
871
|
VALUE rprotos = ssl_encode_npn_protocols(val);
|
@@ -941,7 +880,6 @@ ossl_sslctx_setup(VALUE self)
|
|
941
880
|
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
|
942
881
|
OSSL_Debug("SSL ALPN select callback added");
|
943
882
|
}
|
944
|
-
#endif
|
945
883
|
|
946
884
|
rb_obj_freeze(self);
|
947
885
|
|
@@ -1063,6 +1001,52 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
1063
1001
|
return v;
|
1064
1002
|
}
|
1065
1003
|
|
1004
|
+
#ifndef OPENSSL_NO_DH
|
1005
|
+
/*
|
1006
|
+
* call-seq:
|
1007
|
+
* ctx.tmp_dh = pkey
|
1008
|
+
*
|
1009
|
+
* Sets DH parameters used for ephemeral DH key exchange. This is relevant for
|
1010
|
+
* servers only.
|
1011
|
+
*
|
1012
|
+
* +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components
|
1013
|
+
* contained in the key object, if any, are ignored. The server will always
|
1014
|
+
* generate a new key pair for each handshake.
|
1015
|
+
*
|
1016
|
+
* Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).
|
1017
|
+
*
|
1018
|
+
* Example:
|
1019
|
+
* ctx = OpenSSL::SSL::SSLContext.new
|
1020
|
+
* ctx.tmp_dh = OpenSSL::DH.generate(2048)
|
1021
|
+
* svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx)
|
1022
|
+
* Thread.new { svr.accept }
|
1023
|
+
*/
|
1024
|
+
static VALUE
|
1025
|
+
ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg)
|
1026
|
+
{
|
1027
|
+
SSL_CTX *ctx;
|
1028
|
+
EVP_PKEY *pkey;
|
1029
|
+
|
1030
|
+
rb_check_frozen(self);
|
1031
|
+
GetSSLCTX(self, ctx);
|
1032
|
+
pkey = GetPKeyPtr(arg);
|
1033
|
+
|
1034
|
+
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH)
|
1035
|
+
rb_raise(eSSLError, "invalid pkey type %s (expected DH)",
|
1036
|
+
OBJ_nid2sn(EVP_PKEY_base_id(pkey)));
|
1037
|
+
#ifdef HAVE_SSL_SET0_TMP_DH_PKEY
|
1038
|
+
if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
|
1039
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey");
|
1040
|
+
EVP_PKEY_up_ref(pkey);
|
1041
|
+
#else
|
1042
|
+
if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey)))
|
1043
|
+
ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh");
|
1044
|
+
#endif
|
1045
|
+
|
1046
|
+
return arg;
|
1047
|
+
}
|
1048
|
+
#endif
|
1049
|
+
|
1066
1050
|
#if !defined(OPENSSL_NO_EC)
|
1067
1051
|
/*
|
1068
1052
|
* call-seq:
|
@@ -1074,9 +1058,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
1074
1058
|
* Extension. For a server, the list is used by OpenSSL to determine the set of
|
1075
1059
|
* shared curves. OpenSSL will pick the most appropriate one from it.
|
1076
1060
|
*
|
1077
|
-
* Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
|
1078
|
-
* can be set, and this has no effect for TLS clients.
|
1079
|
-
*
|
1080
1061
|
* === Example
|
1081
1062
|
* ctx1 = OpenSSL::SSL::SSLContext.new
|
1082
1063
|
* ctx1.ecdh_curves = "X25519:P-256:P-224"
|
@@ -1100,48 +1081,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
|
|
1100
1081
|
GetSSLCTX(self, ctx);
|
1101
1082
|
StringValueCStr(arg);
|
1102
1083
|
|
1103
|
-
#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
|
1104
1084
|
if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
|
1105
1085
|
ossl_raise(eSSLError, NULL);
|
1106
|
-
#else
|
1107
|
-
/* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
|
1108
|
-
* SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
|
1109
|
-
{
|
1110
|
-
VALUE curve, splitted;
|
1111
|
-
EC_KEY *ec;
|
1112
|
-
int nid;
|
1113
|
-
|
1114
|
-
splitted = rb_str_split(arg, ":");
|
1115
|
-
if (!RARRAY_LEN(splitted))
|
1116
|
-
ossl_raise(eSSLError, "invalid input format");
|
1117
|
-
curve = RARRAY_AREF(splitted, 0);
|
1118
|
-
StringValueCStr(curve);
|
1119
|
-
|
1120
|
-
/* SSL_CTX_set1_curves_list() accepts NIST names */
|
1121
|
-
nid = EC_curve_nist2nid(RSTRING_PTR(curve));
|
1122
|
-
if (nid == NID_undef)
|
1123
|
-
nid = OBJ_txt2nid(RSTRING_PTR(curve));
|
1124
|
-
if (nid == NID_undef)
|
1125
|
-
ossl_raise(eSSLError, "unknown curve name");
|
1126
|
-
|
1127
|
-
ec = EC_KEY_new_by_curve_name(nid);
|
1128
|
-
if (!ec)
|
1129
|
-
ossl_raise(eSSLError, NULL);
|
1130
|
-
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
|
1131
|
-
if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
|
1132
|
-
EC_KEY_free(ec);
|
1133
|
-
ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
|
1134
|
-
}
|
1135
|
-
EC_KEY_free(ec);
|
1136
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
1137
|
-
/* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
|
1138
|
-
* is enabled. So disable ecdh_auto. */
|
1139
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
1140
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
1141
|
-
# endif
|
1142
|
-
}
|
1143
|
-
#endif
|
1144
|
-
|
1145
1086
|
return arg;
|
1146
1087
|
}
|
1147
1088
|
#else
|
@@ -1232,7 +1173,7 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
1232
1173
|
|
1233
1174
|
/*
|
1234
1175
|
* call-seq:
|
1235
|
-
* ctx.add_certificate(
|
1176
|
+
* ctx.add_certificate(certificate, pkey [, extra_certs]) -> self
|
1236
1177
|
*
|
1237
1178
|
* Adds a certificate to the context. _pkey_ must be a corresponding private
|
1238
1179
|
* key with _certificate_.
|
@@ -1264,10 +1205,6 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
1264
1205
|
* ecdsa_pkey = ...
|
1265
1206
|
* another_ca_cert = ...
|
1266
1207
|
* ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
|
1267
|
-
*
|
1268
|
-
* === Note
|
1269
|
-
* OpenSSL before the version 1.0.2 could handle only one extra chain across
|
1270
|
-
* all key types. Calling this method discards the chain set previously.
|
1271
1208
|
*/
|
1272
1209
|
static VALUE
|
1273
1210
|
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
@@ -1292,7 +1229,7 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
1292
1229
|
EVP_PKEY_free(pub_pkey);
|
1293
1230
|
if (!pub_pkey)
|
1294
1231
|
rb_raise(rb_eArgError, "certificate does not contain public key");
|
1295
|
-
if (
|
1232
|
+
if (EVP_PKEY_eq(pub_pkey, pkey) != 1)
|
1296
1233
|
rb_raise(rb_eArgError, "public key mismatch");
|
1297
1234
|
|
1298
1235
|
if (argc >= 3)
|
@@ -1306,34 +1243,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
1306
1243
|
sk_X509_pop_free(extra_chain, X509_free);
|
1307
1244
|
ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
|
1308
1245
|
}
|
1309
|
-
|
1310
|
-
|
1311
|
-
|
1312
|
-
if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
|
1313
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
1314
|
-
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
1315
|
-
}
|
1316
|
-
#else
|
1317
|
-
STACK_OF(X509) *orig_extra_chain;
|
1318
|
-
X509 *x509_tmp;
|
1319
|
-
|
1320
|
-
/* First, clear the existing chain */
|
1321
|
-
SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
|
1322
|
-
if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
|
1323
|
-
rb_warning("SSL_CTX_set0_chain() is not available; " \
|
1324
|
-
"clearing previously set certificate chain");
|
1325
|
-
SSL_CTX_clear_extra_chain_certs(ctx);
|
1326
|
-
}
|
1327
|
-
while ((x509_tmp = sk_X509_shift(extra_chain))) {
|
1328
|
-
/* Transfers ownership */
|
1329
|
-
if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
|
1330
|
-
X509_free(x509_tmp);
|
1331
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
1332
|
-
ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
|
1333
|
-
}
|
1334
|
-
}
|
1335
|
-
sk_X509_free(extra_chain);
|
1336
|
-
#endif
|
1246
|
+
if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) {
|
1247
|
+
sk_X509_pop_free(extra_chain, X509_free);
|
1248
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
1337
1249
|
}
|
1338
1250
|
return self;
|
1339
1251
|
}
|
@@ -1531,8 +1443,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
1531
1443
|
static inline int
|
1532
1444
|
ssl_started(SSL *ssl)
|
1533
1445
|
{
|
1534
|
-
/*
|
1535
|
-
return
|
1446
|
+
/* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
1447
|
+
return SSL_get_rbio(ssl) != NULL;
|
1536
1448
|
}
|
1537
1449
|
|
1538
1450
|
static void
|
@@ -1563,6 +1475,29 @@ ossl_ssl_s_alloc(VALUE klass)
|
|
1563
1475
|
return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL);
|
1564
1476
|
}
|
1565
1477
|
|
1478
|
+
static VALUE
|
1479
|
+
peer_ip_address(VALUE self)
|
1480
|
+
{
|
1481
|
+
VALUE remote_address = rb_funcall(rb_attr_get(self, id_i_io), rb_intern("remote_address"), 0);
|
1482
|
+
|
1483
|
+
return rb_funcall(remote_address, rb_intern("inspect_sockaddr"), 0);
|
1484
|
+
}
|
1485
|
+
|
1486
|
+
static VALUE
|
1487
|
+
fallback_peer_ip_address(VALUE self, VALUE args)
|
1488
|
+
{
|
1489
|
+
return rb_str_new_cstr("(null)");
|
1490
|
+
}
|
1491
|
+
|
1492
|
+
static VALUE
|
1493
|
+
peeraddr_ip_str(VALUE self)
|
1494
|
+
{
|
1495
|
+
VALUE rb_mErrno = rb_const_get(rb_cObject, rb_intern("Errno"));
|
1496
|
+
VALUE rb_eSystemCallError = rb_const_get(rb_mErrno, rb_intern("SystemCallError"));
|
1497
|
+
|
1498
|
+
return rb_rescue2(peer_ip_address, self, fallback_peer_ip_address, (VALUE)0, rb_eSystemCallError, NULL);
|
1499
|
+
}
|
1500
|
+
|
1566
1501
|
/*
|
1567
1502
|
* call-seq:
|
1568
1503
|
* SSLSocket.new(io) => aSSLSocket
|
@@ -1599,6 +1534,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|
1599
1534
|
|
1600
1535
|
if (rb_respond_to(io, rb_intern("nonblock=")))
|
1601
1536
|
rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
|
1537
|
+
Check_Type(io, T_FILE);
|
1602
1538
|
rb_ivar_set(self, id_i_io, io);
|
1603
1539
|
|
1604
1540
|
ssl = SSL_new(ctx);
|
@@ -1666,6 +1602,26 @@ no_exception_p(VALUE opts)
|
|
1666
1602
|
return 0;
|
1667
1603
|
}
|
1668
1604
|
|
1605
|
+
static void
|
1606
|
+
io_wait_writable(rb_io_t *fptr)
|
1607
|
+
{
|
1608
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1609
|
+
rb_io_maybe_wait_writable(errno, fptr->self, Qnil);
|
1610
|
+
#else
|
1611
|
+
rb_io_wait_writable(fptr->fd);
|
1612
|
+
#endif
|
1613
|
+
}
|
1614
|
+
|
1615
|
+
static void
|
1616
|
+
io_wait_readable(rb_io_t *fptr)
|
1617
|
+
{
|
1618
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
1619
|
+
rb_io_maybe_wait_readable(errno, fptr->self, Qnil);
|
1620
|
+
#else
|
1621
|
+
rb_io_wait_readable(fptr->fd);
|
1622
|
+
#endif
|
1623
|
+
}
|
1624
|
+
|
1669
1625
|
static VALUE
|
1670
1626
|
ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
1671
1627
|
{
|
@@ -1700,12 +1656,12 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1700
1656
|
case SSL_ERROR_WANT_WRITE:
|
1701
1657
|
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1702
1658
|
write_would_block(nonblock);
|
1703
|
-
|
1659
|
+
io_wait_writable(fptr);
|
1704
1660
|
continue;
|
1705
1661
|
case SSL_ERROR_WANT_READ:
|
1706
1662
|
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1707
1663
|
read_would_block(nonblock);
|
1708
|
-
|
1664
|
+
io_wait_readable(fptr);
|
1709
1665
|
continue;
|
1710
1666
|
case SSL_ERROR_SYSCALL:
|
1711
1667
|
#ifdef __APPLE__
|
@@ -1714,7 +1670,9 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1714
1670
|
continue;
|
1715
1671
|
#endif
|
1716
1672
|
if (errno) rb_sys_fail(funcname);
|
1717
|
-
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s",
|
1673
|
+
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
1674
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
1675
|
+
|
1718
1676
|
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
|
1719
1677
|
case SSL_ERROR_SSL:
|
1720
1678
|
err = ERR_peek_last_error();
|
@@ -1727,13 +1685,15 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1727
1685
|
if (!verify_msg)
|
1728
1686
|
verify_msg = "(null)";
|
1729
1687
|
ossl_clear_error(); /* let ossl_raise() not append message */
|
1730
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s: %s (%s)",
|
1731
|
-
funcname, ret2, errno, SSL_state_string_long(ssl),
|
1688
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s: %s (%s)",
|
1689
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl),
|
1732
1690
|
err_msg, verify_msg);
|
1733
1691
|
}
|
1734
1692
|
#endif
|
1693
|
+
/* fallthrough */
|
1735
1694
|
default:
|
1736
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s",
|
1695
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
1696
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
1737
1697
|
}
|
1738
1698
|
}
|
1739
1699
|
|
@@ -1744,8 +1704,7 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1744
1704
|
* call-seq:
|
1745
1705
|
* ssl.connect => self
|
1746
1706
|
*
|
1747
|
-
* Initiates an SSL/TLS handshake with a server.
|
1748
|
-
* after unencrypted data has been sent over the socket.
|
1707
|
+
* Initiates an SSL/TLS handshake with a server.
|
1749
1708
|
*/
|
1750
1709
|
static VALUE
|
1751
1710
|
ossl_ssl_connect(VALUE self)
|
@@ -1792,8 +1751,7 @@ ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
|
|
1792
1751
|
* call-seq:
|
1793
1752
|
* ssl.accept => self
|
1794
1753
|
*
|
1795
|
-
* Waits for a SSL/TLS client to initiate a handshake.
|
1796
|
-
* started after unencrypted data has been sent over the socket.
|
1754
|
+
* Waits for a SSL/TLS client to initiate a handshake.
|
1797
1755
|
*/
|
1798
1756
|
static VALUE
|
1799
1757
|
ossl_ssl_accept(VALUE self)
|
@@ -1840,7 +1798,7 @@ static VALUE
|
|
1840
1798
|
ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
1841
1799
|
{
|
1842
1800
|
SSL *ssl;
|
1843
|
-
int ilen
|
1801
|
+
int ilen;
|
1844
1802
|
VALUE len, str;
|
1845
1803
|
rb_io_t *fptr;
|
1846
1804
|
VALUE io, opts = Qnil;
|
@@ -1850,6 +1808,9 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1850
1808
|
} else {
|
1851
1809
|
rb_scan_args(argc, argv, "11", &len, &str);
|
1852
1810
|
}
|
1811
|
+
GetSSL(self, ssl);
|
1812
|
+
if (!ssl_started(ssl))
|
1813
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
1853
1814
|
|
1854
1815
|
ilen = NUM2INT(len);
|
1855
1816
|
if (NIL_P(str))
|
@@ -1865,85 +1826,60 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1865
1826
|
if (ilen == 0)
|
1866
1827
|
return str;
|
1867
1828
|
|
1868
|
-
GetSSL(self, ssl);
|
1869
1829
|
io = rb_attr_get(self, id_i_io);
|
1870
1830
|
GetOpenFile(io, fptr);
|
1871
|
-
|
1872
|
-
|
1873
|
-
|
1874
|
-
|
1875
|
-
|
1876
|
-
|
1831
|
+
|
1832
|
+
rb_str_locktmp(str);
|
1833
|
+
for (;;) {
|
1834
|
+
int nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
|
1835
|
+
switch (ssl_get_error(ssl, nread)) {
|
1836
|
+
case SSL_ERROR_NONE:
|
1837
|
+
rb_str_unlocktmp(str);
|
1838
|
+
rb_str_set_len(str, nread);
|
1839
|
+
return str;
|
1840
|
+
case SSL_ERROR_ZERO_RETURN:
|
1841
|
+
rb_str_unlocktmp(str);
|
1842
|
+
if (no_exception_p(opts)) { return Qnil; }
|
1843
|
+
rb_eof_error();
|
1844
|
+
case SSL_ERROR_WANT_WRITE:
|
1845
|
+
if (nonblock) {
|
1877
1846
|
rb_str_unlocktmp(str);
|
1878
|
-
|
1879
|
-
|
1847
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1848
|
+
write_would_block(nonblock);
|
1849
|
+
}
|
1850
|
+
io_wait_writable(fptr);
|
1851
|
+
continue;
|
1852
|
+
case SSL_ERROR_WANT_READ:
|
1853
|
+
if (nonblock) {
|
1880
1854
|
rb_str_unlocktmp(str);
|
1881
|
-
|
1882
|
-
|
1883
|
-
|
1884
|
-
|
1885
|
-
|
1886
|
-
|
1887
|
-
|
1888
|
-
}
|
1889
|
-
rb_io_wait_writable(fptr->fd);
|
1890
|
-
continue;
|
1891
|
-
case SSL_ERROR_WANT_READ:
|
1892
|
-
if (nonblock) {
|
1893
|
-
rb_str_unlocktmp(str);
|
1894
|
-
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1895
|
-
read_would_block(nonblock);
|
1896
|
-
}
|
1897
|
-
rb_io_wait_readable(fptr->fd);
|
1898
|
-
continue;
|
1899
|
-
case SSL_ERROR_SYSCALL:
|
1900
|
-
if (!ERR_peek_error()) {
|
1901
|
-
rb_str_unlocktmp(str);
|
1902
|
-
if (errno)
|
1903
|
-
rb_sys_fail(0);
|
1904
|
-
else {
|
1905
|
-
/*
|
1906
|
-
* The underlying BIO returned 0. This is actually a
|
1907
|
-
* protocol error. But unfortunately, not all
|
1908
|
-
* implementations cleanly shutdown the TLS connection
|
1909
|
-
* but just shutdown/close the TCP connection. So report
|
1910
|
-
* EOF for now...
|
1911
|
-
*/
|
1912
|
-
if (no_exception_p(opts)) { return Qnil; }
|
1913
|
-
rb_eof_error();
|
1914
|
-
}
|
1915
|
-
}
|
1916
|
-
/* fall through */
|
1917
|
-
default:
|
1855
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1856
|
+
read_would_block(nonblock);
|
1857
|
+
}
|
1858
|
+
io_wait_readable(fptr);
|
1859
|
+
continue;
|
1860
|
+
case SSL_ERROR_SYSCALL:
|
1861
|
+
if (!ERR_peek_error()) {
|
1918
1862
|
rb_str_unlocktmp(str);
|
1919
|
-
|
1920
|
-
|
1921
|
-
|
1922
|
-
|
1923
|
-
|
1924
|
-
|
1925
|
-
|
1926
|
-
|
1927
|
-
|
1928
|
-
|
1929
|
-
|
1930
|
-
|
1931
|
-
|
1932
|
-
|
1933
|
-
|
1934
|
-
|
1935
|
-
|
1936
|
-
|
1937
|
-
return rb_funcall(io, meth, 3, len, str, opts);
|
1863
|
+
if (errno)
|
1864
|
+
rb_sys_fail(0);
|
1865
|
+
else {
|
1866
|
+
/*
|
1867
|
+
* The underlying BIO returned 0. This is actually a
|
1868
|
+
* protocol error. But unfortunately, not all
|
1869
|
+
* implementations cleanly shutdown the TLS connection
|
1870
|
+
* but just shutdown/close the TCP connection. So report
|
1871
|
+
* EOF for now...
|
1872
|
+
*/
|
1873
|
+
if (no_exception_p(opts)) { return Qnil; }
|
1874
|
+
rb_eof_error();
|
1875
|
+
}
|
1876
|
+
}
|
1877
|
+
/* fall through */
|
1878
|
+
default:
|
1879
|
+
rb_str_unlocktmp(str);
|
1880
|
+
ossl_raise(eSSLError, "SSL_read");
|
1938
1881
|
}
|
1939
|
-
#endif
|
1940
|
-
else
|
1941
|
-
return rb_funcall(io, meth, 2, len, str);
|
1942
1882
|
}
|
1943
|
-
|
1944
|
-
end:
|
1945
|
-
rb_str_set_len(str, nread);
|
1946
|
-
return str;
|
1947
1883
|
}
|
1948
1884
|
|
1949
1885
|
/*
|
@@ -1983,77 +1919,55 @@ static VALUE
|
|
1983
1919
|
ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
1984
1920
|
{
|
1985
1921
|
SSL *ssl;
|
1986
|
-
int nwrite = 0;
|
1987
1922
|
rb_io_t *fptr;
|
1988
|
-
int nonblock = opts != Qfalse;
|
1923
|
+
int num, nonblock = opts != Qfalse;
|
1989
1924
|
VALUE tmp, io;
|
1990
1925
|
|
1991
|
-
tmp = rb_str_new_frozen(StringValue(str));
|
1992
1926
|
GetSSL(self, ssl);
|
1927
|
+
if (!ssl_started(ssl))
|
1928
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
1929
|
+
|
1930
|
+
tmp = rb_str_new_frozen(StringValue(str));
|
1993
1931
|
io = rb_attr_get(self, id_i_io);
|
1994
1932
|
GetOpenFile(io, fptr);
|
1995
|
-
|
1996
|
-
|
1997
|
-
|
1998
|
-
|
1999
|
-
|
2000
|
-
|
2001
|
-
|
2002
|
-
|
2003
|
-
|
2004
|
-
|
2005
|
-
|
2006
|
-
|
2007
|
-
|
2008
|
-
|
2009
|
-
|
2010
|
-
|
2011
|
-
|
2012
|
-
|
2013
|
-
|
2014
|
-
|
2015
|
-
|
2016
|
-
|
2017
|
-
case SSL_ERROR_SYSCALL:
|
1933
|
+
|
1934
|
+
/* SSL_write(3ssl) manpage states num == 0 is undefined */
|
1935
|
+
num = RSTRING_LENINT(tmp);
|
1936
|
+
if (num == 0)
|
1937
|
+
return INT2FIX(0);
|
1938
|
+
|
1939
|
+
for (;;) {
|
1940
|
+
int nwritten = SSL_write(ssl, RSTRING_PTR(tmp), num);
|
1941
|
+
switch (ssl_get_error(ssl, nwritten)) {
|
1942
|
+
case SSL_ERROR_NONE:
|
1943
|
+
return INT2NUM(nwritten);
|
1944
|
+
case SSL_ERROR_WANT_WRITE:
|
1945
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
1946
|
+
write_would_block(nonblock);
|
1947
|
+
io_wait_writable(fptr);
|
1948
|
+
continue;
|
1949
|
+
case SSL_ERROR_WANT_READ:
|
1950
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
1951
|
+
read_would_block(nonblock);
|
1952
|
+
io_wait_readable(fptr);
|
1953
|
+
continue;
|
1954
|
+
case SSL_ERROR_SYSCALL:
|
2018
1955
|
#ifdef __APPLE__
|
2019
|
-
|
2020
|
-
|
2021
|
-
|
2022
|
-
|
2023
|
-
|
2024
|
-
|
2025
|
-
|
2026
|
-
|
1956
|
+
/*
|
1957
|
+
* It appears that send syscall can return EPROTOTYPE if the
|
1958
|
+
* socket is being torn down. Retry to get a proper errno to
|
1959
|
+
* make the error handling in line with the socket library.
|
1960
|
+
* [Bug #14713] https://bugs.ruby-lang.org/issues/14713
|
1961
|
+
*/
|
1962
|
+
if (errno == EPROTOTYPE)
|
1963
|
+
continue;
|
2027
1964
|
#endif
|
2028
|
-
|
2029
|
-
|
2030
|
-
|
2031
|
-
|
1965
|
+
if (errno) rb_sys_fail(0);
|
1966
|
+
/* fallthrough */
|
1967
|
+
default:
|
1968
|
+
ossl_raise(eSSLError, "SSL_write");
|
2032
1969
|
}
|
2033
1970
|
}
|
2034
|
-
else {
|
2035
|
-
ID meth = nonblock ?
|
2036
|
-
rb_intern("write_nonblock") : rb_intern("syswrite");
|
2037
|
-
|
2038
|
-
rb_warning("SSL session is not started yet.");
|
2039
|
-
#if defined(RB_PASS_KEYWORDS)
|
2040
|
-
if (nonblock) {
|
2041
|
-
VALUE argv[2];
|
2042
|
-
argv[0] = str;
|
2043
|
-
argv[1] = opts;
|
2044
|
-
return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
|
2045
|
-
}
|
2046
|
-
#else
|
2047
|
-
if (nonblock) {
|
2048
|
-
return rb_funcall(io, meth, 2, str, opts);
|
2049
|
-
}
|
2050
|
-
#endif
|
2051
|
-
else
|
2052
|
-
return rb_funcall(io, meth, 1, str);
|
2053
|
-
}
|
2054
|
-
|
2055
|
-
end:
|
2056
|
-
return INT2NUM(nwrite);
|
2057
1971
|
}
|
2058
1972
|
|
2059
1973
|
/*
|
@@ -2352,7 +2266,57 @@ ossl_ssl_get_verify_result(VALUE self)
|
|
2352
2266
|
|
2353
2267
|
GetSSL(self, ssl);
|
2354
2268
|
|
2355
|
-
return
|
2269
|
+
return LONG2NUM(SSL_get_verify_result(ssl));
|
2270
|
+
}
|
2271
|
+
|
2272
|
+
/*
|
2273
|
+
* call-seq:
|
2274
|
+
* ssl.finished_message => "finished message"
|
2275
|
+
*
|
2276
|
+
* Returns the last *Finished* message sent
|
2277
|
+
*
|
2278
|
+
*/
|
2279
|
+
static VALUE
|
2280
|
+
ossl_ssl_get_finished(VALUE self)
|
2281
|
+
{
|
2282
|
+
SSL *ssl;
|
2283
|
+
char sizer[1], *buf;
|
2284
|
+
size_t len;
|
2285
|
+
|
2286
|
+
GetSSL(self, ssl);
|
2287
|
+
|
2288
|
+
len = SSL_get_finished(ssl, sizer, 0);
|
2289
|
+
if (len == 0)
|
2290
|
+
return Qnil;
|
2291
|
+
|
2292
|
+
buf = ALLOCA_N(char, len);
|
2293
|
+
SSL_get_finished(ssl, buf, len);
|
2294
|
+
return rb_str_new(buf, len);
|
2295
|
+
}
|
2296
|
+
|
2297
|
+
/*
|
2298
|
+
* call-seq:
|
2299
|
+
* ssl.peer_finished_message => "peer finished message"
|
2300
|
+
*
|
2301
|
+
* Returns the last *Finished* message received
|
2302
|
+
*
|
2303
|
+
*/
|
2304
|
+
static VALUE
|
2305
|
+
ossl_ssl_get_peer_finished(VALUE self)
|
2306
|
+
{
|
2307
|
+
SSL *ssl;
|
2308
|
+
char sizer[1], *buf;
|
2309
|
+
size_t len;
|
2310
|
+
|
2311
|
+
GetSSL(self, ssl);
|
2312
|
+
|
2313
|
+
len = SSL_get_peer_finished(ssl, sizer, 0);
|
2314
|
+
if (len == 0)
|
2315
|
+
return Qnil;
|
2316
|
+
|
2317
|
+
buf = ALLOCA_N(char, len);
|
2318
|
+
SSL_get_peer_finished(ssl, buf, len);
|
2319
|
+
return rb_str_new(buf, len);
|
2356
2320
|
}
|
2357
2321
|
|
2358
2322
|
/*
|
@@ -2403,7 +2367,6 @@ ossl_ssl_npn_protocol(VALUE self)
|
|
2403
2367
|
}
|
2404
2368
|
# endif
|
2405
2369
|
|
2406
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
2407
2370
|
/*
|
2408
2371
|
* call-seq:
|
2409
2372
|
* ssl.alpn_protocol => String | nil
|
@@ -2426,9 +2389,7 @@ ossl_ssl_alpn_protocol(VALUE self)
|
|
2426
2389
|
else
|
2427
2390
|
return rb_str_new((const char *) out, outlen);
|
2428
2391
|
}
|
2429
|
-
# endif
|
2430
2392
|
|
2431
|
-
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
2432
2393
|
/*
|
2433
2394
|
* call-seq:
|
2434
2395
|
* ssl.tmp_key => PKey or nil
|
@@ -2446,11 +2407,8 @@ ossl_ssl_tmp_key(VALUE self)
|
|
2446
2407
|
return Qnil;
|
2447
2408
|
return ossl_pkey_new(key);
|
2448
2409
|
}
|
2449
|
-
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
|
2450
2410
|
#endif /* !defined(OPENSSL_NO_SOCK) */
|
2451
2411
|
|
2452
|
-
#undef rb_intern
|
2453
|
-
#define rb_intern(s) rb_intern_const(s)
|
2454
2412
|
void
|
2455
2413
|
Init_ossl_ssl(void)
|
2456
2414
|
{
|
@@ -2461,8 +2419,8 @@ Init_ossl_ssl(void)
|
|
2461
2419
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
2462
2420
|
#endif
|
2463
2421
|
|
2464
|
-
id_call =
|
2465
|
-
ID_callback_state =
|
2422
|
+
id_call = rb_intern_const("call");
|
2423
|
+
ID_callback_state = rb_intern_const("callback_state");
|
2466
2424
|
|
2467
2425
|
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
|
2468
2426
|
if (ossl_ssl_ex_vcb_idx < 0)
|
@@ -2473,11 +2431,6 @@ Init_ossl_ssl(void)
|
|
2473
2431
|
ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0);
|
2474
2432
|
if (ossl_sslctx_ex_ptr_idx < 0)
|
2475
2433
|
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
2476
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
2477
|
-
ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0);
|
2478
|
-
if (ossl_sslctx_ex_store_p < 0)
|
2479
|
-
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
2480
|
-
#endif
|
2481
2434
|
|
2482
2435
|
/* Document-module: OpenSSL::SSL
|
2483
2436
|
*
|
@@ -2529,7 +2482,7 @@ Init_ossl_ssl(void)
|
|
2529
2482
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2530
2483
|
* It is recommended to use #add_certificate instead.
|
2531
2484
|
*/
|
2532
|
-
rb_attr(cSSLContext,
|
2485
|
+
rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
|
2533
2486
|
|
2534
2487
|
/*
|
2535
2488
|
* Context private key
|
@@ -2537,29 +2490,29 @@ Init_ossl_ssl(void)
|
|
2537
2490
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2538
2491
|
* It is recommended to use #add_certificate instead.
|
2539
2492
|
*/
|
2540
|
-
rb_attr(cSSLContext,
|
2493
|
+
rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
|
2541
2494
|
|
2542
2495
|
/*
|
2543
2496
|
* A certificate or Array of certificates that will be sent to the client.
|
2544
2497
|
*/
|
2545
|
-
rb_attr(cSSLContext,
|
2498
|
+
rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
|
2546
2499
|
|
2547
2500
|
/*
|
2548
2501
|
* The path to a file containing a PEM-format CA certificate
|
2549
2502
|
*/
|
2550
|
-
rb_attr(cSSLContext,
|
2503
|
+
rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
|
2551
2504
|
|
2552
2505
|
/*
|
2553
2506
|
* The path to a directory containing CA certificates in PEM format.
|
2554
2507
|
*
|
2555
2508
|
* Files are looked up by subject's X509 name's hash value.
|
2556
2509
|
*/
|
2557
|
-
rb_attr(cSSLContext,
|
2510
|
+
rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
|
2558
2511
|
|
2559
2512
|
/*
|
2560
2513
|
* Maximum session lifetime in seconds.
|
2561
2514
|
*/
|
2562
|
-
rb_attr(cSSLContext,
|
2515
|
+
rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
|
2563
2516
|
|
2564
2517
|
/*
|
2565
2518
|
* Session verification mode.
|
@@ -2572,12 +2525,12 @@ Init_ossl_ssl(void)
|
|
2572
2525
|
*
|
2573
2526
|
* See SSL_CTX_set_verify(3) for details.
|
2574
2527
|
*/
|
2575
|
-
rb_attr(cSSLContext,
|
2528
|
+
rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
|
2576
2529
|
|
2577
2530
|
/*
|
2578
2531
|
* Number of CA certificates to walk when verifying a certificate chain.
|
2579
2532
|
*/
|
2580
|
-
rb_attr(cSSLContext,
|
2533
|
+
rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
|
2581
2534
|
|
2582
2535
|
/*
|
2583
2536
|
* A callback for additional certificate verification. The callback is
|
@@ -2591,7 +2544,7 @@ Init_ossl_ssl(void)
|
|
2591
2544
|
* If the callback returns +false+, the chain verification is immediately
|
2592
2545
|
* stopped and a bad_certificate alert is then sent.
|
2593
2546
|
*/
|
2594
|
-
rb_attr(cSSLContext,
|
2547
|
+
rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
|
2595
2548
|
|
2596
2549
|
/*
|
2597
2550
|
* Whether to check the server certificate is valid for the hostname.
|
@@ -2599,12 +2552,12 @@ Init_ossl_ssl(void)
|
|
2599
2552
|
* In order to make this work, verify_mode must be set to VERIFY_PEER and
|
2600
2553
|
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
|
2601
2554
|
*/
|
2602
|
-
rb_attr(cSSLContext,
|
2555
|
+
rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
|
2603
2556
|
|
2604
2557
|
/*
|
2605
2558
|
* An OpenSSL::X509::Store used for certificate verification.
|
2606
2559
|
*/
|
2607
|
-
rb_attr(cSSLContext,
|
2560
|
+
rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
|
2608
2561
|
|
2609
2562
|
/*
|
2610
2563
|
* An Array of extra X509 certificates to be added to the certificate
|
@@ -2613,7 +2566,7 @@ Init_ossl_ssl(void)
|
|
2613
2566
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
2614
2567
|
* It is recommended to use #add_certificate instead.
|
2615
2568
|
*/
|
2616
|
-
rb_attr(cSSLContext,
|
2569
|
+
rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
|
2617
2570
|
|
2618
2571
|
/*
|
2619
2572
|
* A callback invoked when a client certificate is requested by a server
|
@@ -2623,28 +2576,14 @@ Init_ossl_ssl(void)
|
|
2623
2576
|
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
|
2624
2577
|
* other value is returned the handshake is suspended.
|
2625
2578
|
*/
|
2626
|
-
rb_attr(cSSLContext,
|
2627
|
-
|
2628
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
2629
|
-
/*
|
2630
|
-
* A callback invoked when ECDH parameters are required.
|
2631
|
-
*
|
2632
|
-
* The callback is invoked with the Session for the key exchange, an
|
2633
|
-
* flag indicating the use of an export cipher and the keylength
|
2634
|
-
* required.
|
2635
|
-
*
|
2636
|
-
* The callback is deprecated. This does not work with recent versions of
|
2637
|
-
* OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
|
2638
|
-
*/
|
2639
|
-
rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
|
2640
|
-
#endif
|
2579
|
+
rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
|
2641
2580
|
|
2642
2581
|
/*
|
2643
2582
|
* Sets the context in which a session can be reused. This allows
|
2644
2583
|
* sessions for multiple applications to be distinguished, for example, by
|
2645
2584
|
* name.
|
2646
2585
|
*/
|
2647
|
-
rb_attr(cSSLContext,
|
2586
|
+
rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
|
2648
2587
|
|
2649
2588
|
/*
|
2650
2589
|
* A callback invoked on a server when a session is proposed by the client
|
@@ -2653,7 +2592,7 @@ Init_ossl_ssl(void)
|
|
2653
2592
|
* The callback is invoked with the SSLSocket and session id. The
|
2654
2593
|
* callback may return a Session from an external cache.
|
2655
2594
|
*/
|
2656
|
-
rb_attr(cSSLContext,
|
2595
|
+
rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
|
2657
2596
|
|
2658
2597
|
/*
|
2659
2598
|
* A callback invoked when a new session was negotiated.
|
@@ -2661,7 +2600,7 @@ Init_ossl_ssl(void)
|
|
2661
2600
|
* The callback is invoked with an SSLSocket. If +false+ is returned the
|
2662
2601
|
* session will be removed from the internal cache.
|
2663
2602
|
*/
|
2664
|
-
rb_attr(cSSLContext,
|
2603
|
+
rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
|
2665
2604
|
|
2666
2605
|
/*
|
2667
2606
|
* A callback invoked when a session is removed from the internal cache.
|
@@ -2672,18 +2611,18 @@ Init_ossl_ssl(void)
|
|
2672
2611
|
* multi-threaded application. The callback is called inside a global lock
|
2673
2612
|
* and it can randomly cause deadlock on Ruby thread switching.
|
2674
2613
|
*/
|
2675
|
-
rb_attr(cSSLContext,
|
2614
|
+
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
2676
2615
|
|
2677
2616
|
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
2678
2617
|
|
2679
2618
|
/*
|
2680
|
-
* A callback invoked whenever a new handshake is initiated
|
2681
|
-
* to disable renegotiation entirely.
|
2619
|
+
* A callback invoked whenever a new handshake is initiated on an
|
2620
|
+
* established connection. May be used to disable renegotiation entirely.
|
2682
2621
|
*
|
2683
2622
|
* The callback is invoked with the active SSLSocket. The callback's
|
2684
|
-
* return value is
|
2623
|
+
* return value is ignored. A normal return indicates "approval" of the
|
2685
2624
|
* renegotiation and will continue the process. To forbid renegotiation
|
2686
|
-
* and to cancel the process, an
|
2625
|
+
* and to cancel the process, raise an exception within the callback.
|
2687
2626
|
*
|
2688
2627
|
* === Disable client renegotiation
|
2689
2628
|
*
|
@@ -2691,13 +2630,11 @@ Init_ossl_ssl(void)
|
|
2691
2630
|
* renegotiation entirely. You may use a callback as follows to implement
|
2692
2631
|
* this feature:
|
2693
2632
|
*
|
2694
|
-
* num_handshakes = 0
|
2695
2633
|
* ctx.renegotiation_cb = lambda do |ssl|
|
2696
|
-
*
|
2697
|
-
* raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
|
2634
|
+
* raise RuntimeError, "Client renegotiation disabled"
|
2698
2635
|
* end
|
2699
2636
|
*/
|
2700
|
-
rb_attr(cSSLContext,
|
2637
|
+
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
2701
2638
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2702
2639
|
/*
|
2703
2640
|
* An Enumerable of Strings. Each String represents a protocol to be
|
@@ -2710,7 +2647,7 @@ Init_ossl_ssl(void)
|
|
2710
2647
|
*
|
2711
2648
|
* ctx.npn_protocols = ["http/1.1", "spdy/2"]
|
2712
2649
|
*/
|
2713
|
-
rb_attr(cSSLContext,
|
2650
|
+
rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
|
2714
2651
|
/*
|
2715
2652
|
* A callback invoked on the client side when the client needs to select
|
2716
2653
|
* a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
|
@@ -2727,10 +2664,9 @@ Init_ossl_ssl(void)
|
|
2727
2664
|
* protocols.first
|
2728
2665
|
* end
|
2729
2666
|
*/
|
2730
|
-
rb_attr(cSSLContext,
|
2667
|
+
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
|
2731
2668
|
#endif
|
2732
2669
|
|
2733
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
2734
2670
|
/*
|
2735
2671
|
* An Enumerable of Strings. Each String represents a protocol to be
|
2736
2672
|
* advertised as the list of supported protocols for Application-Layer
|
@@ -2742,7 +2678,7 @@ Init_ossl_ssl(void)
|
|
2742
2678
|
*
|
2743
2679
|
* ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
|
2744
2680
|
*/
|
2745
|
-
rb_attr(cSSLContext,
|
2681
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
|
2746
2682
|
/*
|
2747
2683
|
* A callback invoked on the server side when the server needs to select
|
2748
2684
|
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
|
@@ -2759,8 +2695,7 @@ Init_ossl_ssl(void)
|
|
2759
2695
|
* protocols.first
|
2760
2696
|
* end
|
2761
2697
|
*/
|
2762
|
-
rb_attr(cSSLContext,
|
2763
|
-
#endif
|
2698
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
2764
2699
|
|
2765
2700
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
2766
2701
|
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
|
@@ -2768,6 +2703,9 @@ Init_ossl_ssl(void)
|
|
2768
2703
|
ossl_sslctx_set_minmax_proto_version, 2);
|
2769
2704
|
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
2770
2705
|
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
2706
|
+
#ifndef OPENSSL_NO_DH
|
2707
|
+
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
|
2708
|
+
#endif
|
2771
2709
|
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
|
2772
2710
|
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
|
2773
2711
|
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
|
@@ -2872,12 +2810,10 @@ Init_ossl_ssl(void)
|
|
2872
2810
|
rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
|
2873
2811
|
/* #hostname is defined in lib/openssl/ssl.rb */
|
2874
2812
|
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
|
2875
|
-
|
2813
|
+
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
|
2814
|
+
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
2876
2815
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
2877
|
-
# endif
|
2878
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
2879
2816
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
2880
|
-
# endif
|
2881
2817
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
2882
2818
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
2883
2819
|
# endif
|
@@ -2889,12 +2825,23 @@ Init_ossl_ssl(void)
|
|
2889
2825
|
rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
|
2890
2826
|
|
2891
2827
|
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
|
2828
|
+
#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
|
2829
|
+
rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
|
2830
|
+
#endif
|
2892
2831
|
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
|
2893
|
-
#ifdef
|
2894
|
-
rb_define_const(mSSL, "
|
2832
|
+
#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
|
2833
|
+
rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
|
2895
2834
|
#endif
|
2896
|
-
|
2835
|
+
rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
|
2897
2836
|
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
|
2837
|
+
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
|
2838
|
+
rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
|
2839
|
+
#endif
|
2840
|
+
#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
|
2841
|
+
rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
|
2842
|
+
#endif
|
2843
|
+
#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
|
2844
|
+
rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
|
2898
2845
|
#endif
|
2899
2846
|
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
|
2900
2847
|
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
|
@@ -2907,13 +2854,15 @@ Init_ossl_ssl(void)
|
|
2907
2854
|
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
|
2908
2855
|
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
|
2909
2856
|
#endif
|
2910
|
-
|
2911
|
-
rb_define_const(mSSL, "
|
2912
|
-
#
|
2913
|
-
|
2857
|
+
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
|
2858
|
+
rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
|
2859
|
+
#endif
|
2860
|
+
#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
|
2861
|
+
rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
|
2862
|
+
#endif
|
2863
|
+
#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
|
2864
|
+
rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
|
2914
2865
|
#endif
|
2915
|
-
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
2916
|
-
|
2917
2866
|
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
|
2918
2867
|
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
|
2919
2868
|
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
|
@@ -2921,6 +2870,12 @@ Init_ossl_ssl(void)
|
|
2921
2870
|
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
|
2922
2871
|
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
|
2923
2872
|
#endif
|
2873
|
+
rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
|
2874
|
+
rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
|
2875
|
+
#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
|
2876
|
+
rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
|
2877
|
+
#endif
|
2878
|
+
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
2924
2879
|
|
2925
2880
|
/* SSL_OP_* flags for DTLS */
|
2926
2881
|
#if 0
|
@@ -2985,17 +2940,16 @@ Init_ossl_ssl(void)
|
|
2985
2940
|
#endif
|
2986
2941
|
|
2987
2942
|
|
2988
|
-
sym_exception = ID2SYM(
|
2989
|
-
sym_wait_readable = ID2SYM(
|
2990
|
-
sym_wait_writable = ID2SYM(
|
2943
|
+
sym_exception = ID2SYM(rb_intern_const("exception"));
|
2944
|
+
sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
|
2945
|
+
sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
|
2991
2946
|
|
2992
|
-
id_tmp_dh_callback =
|
2993
|
-
|
2994
|
-
id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
|
2947
|
+
id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
|
2948
|
+
id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
|
2995
2949
|
id_each = rb_intern_const("each");
|
2996
2950
|
|
2997
2951
|
#define DefIVarID(name) do \
|
2998
|
-
id_i_##name =
|
2952
|
+
id_i_##name = rb_intern_const("@"#name); while (0)
|
2999
2953
|
|
3000
2954
|
DefIVarID(cert_store);
|
3001
2955
|
DefIVarID(ca_file);
|
@@ -3009,7 +2963,6 @@ Init_ossl_ssl(void)
|
|
3009
2963
|
DefIVarID(key);
|
3010
2964
|
DefIVarID(extra_chain_cert);
|
3011
2965
|
DefIVarID(client_cert_cb);
|
3012
|
-
DefIVarID(tmp_ecdh_callback);
|
3013
2966
|
DefIVarID(timeout);
|
3014
2967
|
DefIVarID(session_id_context);
|
3015
2968
|
DefIVarID(session_get_cb);
|