openssl 2.2.0 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +32 -44
- data/History.md +155 -0
- data/ext/openssl/extconf.rb +43 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +67 -47
- data/ext/openssl/ossl.h +20 -6
- data/ext/openssl/ossl_asn1.c +16 -4
- data/ext/openssl/ossl_bn.c +267 -143
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +11 -11
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +15 -11
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +48 -135
- data/ext/openssl/ossl_kdf.c +8 -0
- data/ext/openssl/ossl_ocsp.c +3 -51
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1102 -191
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +126 -318
- data/ext/openssl/ossl_pkey_rsa.c +100 -487
- data/ext/openssl/ossl_ssl.c +322 -375
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +64 -39
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +164 -8
- data/ext/openssl/ossl_x509crl.c +10 -7
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +10 -7
- data/ext/openssl/ossl_x509store.c +193 -90
- data/lib/openssl/buffering.rb +10 -1
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +417 -0
- data/lib/openssl/ssl.rb +8 -8
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +8 -66
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
data/ext/openssl/ossl_ssl.c
CHANGED
|
@@ -13,6 +13,12 @@
|
|
|
13
13
|
|
|
14
14
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
|
15
15
|
|
|
16
|
+
#if !defined(TLS1_3_VERSION) && \
|
|
17
|
+
defined(LIBRESSL_VERSION_NUMBER) && \
|
|
18
|
+
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
|
19
|
+
# define TLS1_3_VERSION 0x0304
|
|
20
|
+
#endif
|
|
21
|
+
|
|
16
22
|
#ifdef _WIN32
|
|
17
23
|
# define TO_SOCKET(s) _get_osfhandle(s)
|
|
18
24
|
#else
|
|
@@ -32,14 +38,14 @@ VALUE cSSLSocket;
|
|
|
32
38
|
static VALUE eSSLErrorWaitReadable;
|
|
33
39
|
static VALUE eSSLErrorWaitWritable;
|
|
34
40
|
|
|
35
|
-
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
|
36
|
-
id_npn_protocols_encoded;
|
|
41
|
+
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
|
42
|
+
id_npn_protocols_encoded, id_each;
|
|
37
43
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
|
38
44
|
|
|
39
45
|
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
|
40
46
|
id_i_verify_depth, id_i_verify_callback, id_i_client_ca,
|
|
41
47
|
id_i_renegotiation_cb, id_i_cert, id_i_key, id_i_extra_chain_cert,
|
|
42
|
-
id_i_client_cert_cb,
|
|
48
|
+
id_i_client_cert_cb, id_i_timeout,
|
|
43
49
|
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
|
44
50
|
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
|
45
51
|
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
|
@@ -49,25 +55,24 @@ static ID id_i_io, id_i_context, id_i_hostname;
|
|
|
49
55
|
static int ossl_ssl_ex_vcb_idx;
|
|
50
56
|
static int ossl_ssl_ex_ptr_idx;
|
|
51
57
|
static int ossl_sslctx_ex_ptr_idx;
|
|
52
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
53
|
-
static int ossl_sslctx_ex_store_p;
|
|
54
|
-
#endif
|
|
55
58
|
|
|
56
59
|
static void
|
|
57
|
-
|
|
60
|
+
ossl_sslctx_mark(void *ptr)
|
|
58
61
|
{
|
|
59
62
|
SSL_CTX *ctx = ptr;
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
63
|
+
rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
static void
|
|
67
|
+
ossl_sslctx_free(void *ptr)
|
|
68
|
+
{
|
|
69
|
+
SSL_CTX_free(ptr);
|
|
65
70
|
}
|
|
66
71
|
|
|
67
72
|
static const rb_data_type_t ossl_sslctx_type = {
|
|
68
73
|
"OpenSSL/SSL/CTX",
|
|
69
74
|
{
|
|
70
|
-
|
|
75
|
+
ossl_sslctx_mark, ossl_sslctx_free,
|
|
71
76
|
},
|
|
72
77
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
73
78
|
};
|
|
@@ -83,7 +88,7 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
|
83
88
|
VALUE obj;
|
|
84
89
|
|
|
85
90
|
obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
|
|
86
|
-
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
91
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
|
|
87
92
|
ctx = SSL_CTX_new(TLS_method());
|
|
88
93
|
#else
|
|
89
94
|
ctx = SSL_CTX_new(SSLv23_method());
|
|
@@ -95,14 +100,15 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
|
95
100
|
RTYPEDDATA_DATA(obj) = ctx;
|
|
96
101
|
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
|
|
97
102
|
|
|
98
|
-
#if !defined(OPENSSL_NO_EC) &&
|
|
103
|
+
#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
|
|
104
|
+
!defined(LIBRESSL_VERSION_NUMBER)
|
|
99
105
|
/* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
|
|
100
106
|
* allows to specify multiple curve names and OpenSSL will select
|
|
101
107
|
* automatically from them. In OpenSSL 1.0.2, the automatic selection has to
|
|
102
|
-
* be enabled explicitly.
|
|
103
|
-
* always enabled. To uniform the behavior, we enable the
|
|
104
|
-
* selection also in 1.0.2. Users can still disable ECDH by
|
|
105
|
-
* cipher suites by SSLContext#ciphers=. */
|
|
108
|
+
* be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
|
|
109
|
+
* and it is always enabled. To uniform the behavior, we enable the
|
|
110
|
+
* automatic selection also in 1.0.2. Users can still disable ECDH by
|
|
111
|
+
* removing ECDH cipher suites by SSLContext#ciphers=. */
|
|
106
112
|
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
|
|
107
113
|
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
108
114
|
#endif
|
|
@@ -231,8 +237,7 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
|
|
231
237
|
return 1;
|
|
232
238
|
}
|
|
233
239
|
|
|
234
|
-
#if !defined(OPENSSL_NO_DH)
|
|
235
|
-
!defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
240
|
+
#if !defined(OPENSSL_NO_DH)
|
|
236
241
|
struct tmp_dh_callback_args {
|
|
237
242
|
VALUE ssl_obj;
|
|
238
243
|
ID id;
|
|
@@ -241,22 +246,23 @@ struct tmp_dh_callback_args {
|
|
|
241
246
|
int keylength;
|
|
242
247
|
};
|
|
243
248
|
|
|
244
|
-
static
|
|
245
|
-
ossl_call_tmp_dh_callback(
|
|
249
|
+
static VALUE
|
|
250
|
+
ossl_call_tmp_dh_callback(VALUE arg)
|
|
246
251
|
{
|
|
252
|
+
struct tmp_dh_callback_args *args = (struct tmp_dh_callback_args *)arg;
|
|
247
253
|
VALUE cb, dh;
|
|
248
254
|
EVP_PKEY *pkey;
|
|
249
255
|
|
|
250
256
|
cb = rb_funcall(args->ssl_obj, args->id, 0);
|
|
251
257
|
if (NIL_P(cb))
|
|
252
|
-
return NULL;
|
|
258
|
+
return (VALUE)NULL;
|
|
253
259
|
dh = rb_funcall(cb, id_call, 3, args->ssl_obj, INT2NUM(args->is_export),
|
|
254
260
|
INT2NUM(args->keylength));
|
|
255
261
|
pkey = GetPKeyPtr(dh);
|
|
256
262
|
if (EVP_PKEY_base_id(pkey) != args->type)
|
|
257
|
-
return NULL;
|
|
263
|
+
return (VALUE)NULL;
|
|
258
264
|
|
|
259
|
-
return pkey;
|
|
265
|
+
return (VALUE)pkey;
|
|
260
266
|
}
|
|
261
267
|
#endif
|
|
262
268
|
|
|
@@ -276,7 +282,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
276
282
|
args.keylength = keylength;
|
|
277
283
|
args.type = EVP_PKEY_DH;
|
|
278
284
|
|
|
279
|
-
pkey = (EVP_PKEY *)rb_protect(
|
|
285
|
+
pkey = (EVP_PKEY *)rb_protect(ossl_call_tmp_dh_callback,
|
|
280
286
|
(VALUE)&args, &state);
|
|
281
287
|
if (state) {
|
|
282
288
|
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
|
@@ -289,35 +295,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
289
295
|
}
|
|
290
296
|
#endif /* OPENSSL_NO_DH */
|
|
291
297
|
|
|
292
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
293
|
-
static EC_KEY *
|
|
294
|
-
ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
|
|
295
|
-
{
|
|
296
|
-
VALUE rb_ssl;
|
|
297
|
-
EVP_PKEY *pkey;
|
|
298
|
-
struct tmp_dh_callback_args args;
|
|
299
|
-
int state;
|
|
300
|
-
|
|
301
|
-
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
|
302
|
-
args.ssl_obj = rb_ssl;
|
|
303
|
-
args.id = id_tmp_ecdh_callback;
|
|
304
|
-
args.is_export = is_export;
|
|
305
|
-
args.keylength = keylength;
|
|
306
|
-
args.type = EVP_PKEY_EC;
|
|
307
|
-
|
|
308
|
-
pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
|
|
309
|
-
(VALUE)&args, &state);
|
|
310
|
-
if (state) {
|
|
311
|
-
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
|
312
|
-
return NULL;
|
|
313
|
-
}
|
|
314
|
-
if (!pkey)
|
|
315
|
-
return NULL;
|
|
316
|
-
|
|
317
|
-
return EVP_PKEY_get0_EC_KEY(pkey);
|
|
318
|
-
}
|
|
319
|
-
#endif
|
|
320
|
-
|
|
321
298
|
static VALUE
|
|
322
299
|
call_verify_certificate_identity(VALUE ctx_v)
|
|
323
300
|
{
|
|
@@ -387,7 +364,7 @@ ossl_call_session_get_cb(VALUE ary)
|
|
|
387
364
|
}
|
|
388
365
|
|
|
389
366
|
static SSL_SESSION *
|
|
390
|
-
#if
|
|
367
|
+
#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
391
368
|
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
|
|
392
369
|
#else
|
|
393
370
|
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
|
|
@@ -596,8 +573,6 @@ ssl_renegotiation_cb(const SSL *ssl)
|
|
|
596
573
|
rb_funcallv(cb, id_call, 1, &ssl_obj);
|
|
597
574
|
}
|
|
598
575
|
|
|
599
|
-
#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
|
|
600
|
-
defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
|
601
576
|
static VALUE
|
|
602
577
|
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
|
|
603
578
|
{
|
|
@@ -616,7 +591,7 @@ static VALUE
|
|
|
616
591
|
ssl_encode_npn_protocols(VALUE protocols)
|
|
617
592
|
{
|
|
618
593
|
VALUE encoded = rb_str_new(NULL, 0);
|
|
619
|
-
|
|
594
|
+
rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
|
|
620
595
|
return encoded;
|
|
621
596
|
}
|
|
622
597
|
|
|
@@ -679,14 +654,13 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
|
679
654
|
|
|
680
655
|
return SSL_TLSEXT_ERR_OK;
|
|
681
656
|
}
|
|
682
|
-
#endif
|
|
683
657
|
|
|
684
658
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
685
659
|
static int
|
|
686
660
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
|
687
661
|
void *arg)
|
|
688
662
|
{
|
|
689
|
-
VALUE protocols = (VALUE)arg;
|
|
663
|
+
VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
|
|
690
664
|
|
|
691
665
|
*out = (const unsigned char *) RSTRING_PTR(protocols);
|
|
692
666
|
*outlen = RSTRING_LENINT(protocols);
|
|
@@ -708,7 +682,6 @@ ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
|
|
708
682
|
}
|
|
709
683
|
#endif
|
|
710
684
|
|
|
711
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
712
685
|
static int
|
|
713
686
|
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
714
687
|
const unsigned char *in, unsigned int inlen, void *arg)
|
|
@@ -720,7 +693,6 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
|
720
693
|
|
|
721
694
|
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
|
|
722
695
|
}
|
|
723
|
-
#endif
|
|
724
696
|
|
|
725
697
|
/* This function may serve as the entry point to support further callbacks. */
|
|
726
698
|
static void
|
|
@@ -797,26 +769,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
797
769
|
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
|
|
798
770
|
#endif
|
|
799
771
|
|
|
800
|
-
#if !defined(OPENSSL_NO_EC)
|
|
801
|
-
/* We added SSLContext#tmp_ecdh_callback= in Ruby 2.3.0,
|
|
802
|
-
* but SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0. */
|
|
803
|
-
if (RTEST(rb_attr_get(self, id_i_tmp_ecdh_callback))) {
|
|
804
|
-
# if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
805
|
-
rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead");
|
|
806
|
-
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
|
|
807
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
|
808
|
-
/* tmp_ecdh_callback and ecdh_auto conflict; OpenSSL ignores
|
|
809
|
-
* tmp_ecdh_callback. So disable ecdh_auto. */
|
|
810
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
|
811
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
812
|
-
# endif
|
|
813
|
-
# else
|
|
814
|
-
ossl_raise(eSSLError, "OpenSSL does not support tmp_ecdh_callback; "
|
|
815
|
-
"use #ecdh_curves= instead");
|
|
816
|
-
# endif
|
|
817
|
-
}
|
|
818
|
-
#endif /* OPENSSL_NO_EC */
|
|
819
|
-
|
|
820
772
|
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
|
821
773
|
SSL_CTX_set_post_handshake_auth(ctx, 1);
|
|
822
774
|
#endif
|
|
@@ -825,17 +777,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
825
777
|
if (!NIL_P(val)) {
|
|
826
778
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
|
827
779
|
SSL_CTX_set_cert_store(ctx, store);
|
|
828
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
829
|
-
/*
|
|
830
|
-
* WORKAROUND:
|
|
831
|
-
* X509_STORE can count references, but
|
|
832
|
-
* X509_STORE_free() doesn't care it.
|
|
833
|
-
* So we won't increment it but mark it by ex_data.
|
|
834
|
-
*/
|
|
835
|
-
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx);
|
|
836
|
-
#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
|
|
837
780
|
X509_STORE_up_ref(store);
|
|
838
|
-
#endif
|
|
839
781
|
}
|
|
840
782
|
|
|
841
783
|
val = rb_attr_get(self, id_i_extra_chain_cert);
|
|
@@ -886,10 +828,17 @@ ossl_sslctx_setup(VALUE self)
|
|
|
886
828
|
ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
887
829
|
val = rb_attr_get(self, id_i_ca_path);
|
|
888
830
|
ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
831
|
+
#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
|
|
832
|
+
if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
|
|
833
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
|
|
834
|
+
if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
|
|
835
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
|
|
836
|
+
#else
|
|
889
837
|
if(ca_file || ca_path){
|
|
890
838
|
if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
|
|
891
839
|
rb_warning("can't set verify locations");
|
|
892
840
|
}
|
|
841
|
+
#endif
|
|
893
842
|
|
|
894
843
|
val = rb_attr_get(self, id_i_verify_mode);
|
|
895
844
|
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
|
|
@@ -908,7 +857,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
908
857
|
if (!NIL_P(val)) {
|
|
909
858
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
|
910
859
|
rb_ivar_set(self, id_npn_protocols_encoded, encoded);
|
|
911
|
-
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)
|
|
860
|
+
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
|
|
912
861
|
OSSL_Debug("SSL NPN advertise callback added");
|
|
913
862
|
}
|
|
914
863
|
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
|
|
@@ -917,7 +866,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
917
866
|
}
|
|
918
867
|
#endif
|
|
919
868
|
|
|
920
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
921
869
|
val = rb_attr_get(self, id_i_alpn_protocols);
|
|
922
870
|
if (!NIL_P(val)) {
|
|
923
871
|
VALUE rprotos = ssl_encode_npn_protocols(val);
|
|
@@ -932,7 +880,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
932
880
|
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
|
|
933
881
|
OSSL_Debug("SSL ALPN select callback added");
|
|
934
882
|
}
|
|
935
|
-
#endif
|
|
936
883
|
|
|
937
884
|
rb_obj_freeze(self);
|
|
938
885
|
|
|
@@ -1054,6 +1001,52 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
|
1054
1001
|
return v;
|
|
1055
1002
|
}
|
|
1056
1003
|
|
|
1004
|
+
#ifndef OPENSSL_NO_DH
|
|
1005
|
+
/*
|
|
1006
|
+
* call-seq:
|
|
1007
|
+
* ctx.tmp_dh = pkey
|
|
1008
|
+
*
|
|
1009
|
+
* Sets DH parameters used for ephemeral DH key exchange. This is relevant for
|
|
1010
|
+
* servers only.
|
|
1011
|
+
*
|
|
1012
|
+
* +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components
|
|
1013
|
+
* contained in the key object, if any, are ignored. The server will always
|
|
1014
|
+
* generate a new key pair for each handshake.
|
|
1015
|
+
*
|
|
1016
|
+
* Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).
|
|
1017
|
+
*
|
|
1018
|
+
* Example:
|
|
1019
|
+
* ctx = OpenSSL::SSL::SSLContext.new
|
|
1020
|
+
* ctx.tmp_dh = OpenSSL::DH.generate(2048)
|
|
1021
|
+
* svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx)
|
|
1022
|
+
* Thread.new { svr.accept }
|
|
1023
|
+
*/
|
|
1024
|
+
static VALUE
|
|
1025
|
+
ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg)
|
|
1026
|
+
{
|
|
1027
|
+
SSL_CTX *ctx;
|
|
1028
|
+
EVP_PKEY *pkey;
|
|
1029
|
+
|
|
1030
|
+
rb_check_frozen(self);
|
|
1031
|
+
GetSSLCTX(self, ctx);
|
|
1032
|
+
pkey = GetPKeyPtr(arg);
|
|
1033
|
+
|
|
1034
|
+
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH)
|
|
1035
|
+
rb_raise(eSSLError, "invalid pkey type %s (expected DH)",
|
|
1036
|
+
OBJ_nid2sn(EVP_PKEY_base_id(pkey)));
|
|
1037
|
+
#ifdef HAVE_SSL_SET0_TMP_DH_PKEY
|
|
1038
|
+
if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
|
|
1039
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey");
|
|
1040
|
+
EVP_PKEY_up_ref(pkey);
|
|
1041
|
+
#else
|
|
1042
|
+
if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey)))
|
|
1043
|
+
ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh");
|
|
1044
|
+
#endif
|
|
1045
|
+
|
|
1046
|
+
return arg;
|
|
1047
|
+
}
|
|
1048
|
+
#endif
|
|
1049
|
+
|
|
1057
1050
|
#if !defined(OPENSSL_NO_EC)
|
|
1058
1051
|
/*
|
|
1059
1052
|
* call-seq:
|
|
@@ -1065,9 +1058,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
|
1065
1058
|
* Extension. For a server, the list is used by OpenSSL to determine the set of
|
|
1066
1059
|
* shared curves. OpenSSL will pick the most appropriate one from it.
|
|
1067
1060
|
*
|
|
1068
|
-
* Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
|
|
1069
|
-
* can be set, and this has no effect for TLS clients.
|
|
1070
|
-
*
|
|
1071
1061
|
* === Example
|
|
1072
1062
|
* ctx1 = OpenSSL::SSL::SSLContext.new
|
|
1073
1063
|
* ctx1.ecdh_curves = "X25519:P-256:P-224"
|
|
@@ -1091,48 +1081,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
|
|
|
1091
1081
|
GetSSLCTX(self, ctx);
|
|
1092
1082
|
StringValueCStr(arg);
|
|
1093
1083
|
|
|
1094
|
-
#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
|
|
1095
1084
|
if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
|
|
1096
1085
|
ossl_raise(eSSLError, NULL);
|
|
1097
|
-
#else
|
|
1098
|
-
/* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
|
|
1099
|
-
* SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
|
|
1100
|
-
{
|
|
1101
|
-
VALUE curve, splitted;
|
|
1102
|
-
EC_KEY *ec;
|
|
1103
|
-
int nid;
|
|
1104
|
-
|
|
1105
|
-
splitted = rb_str_split(arg, ":");
|
|
1106
|
-
if (!RARRAY_LEN(splitted))
|
|
1107
|
-
ossl_raise(eSSLError, "invalid input format");
|
|
1108
|
-
curve = RARRAY_AREF(splitted, 0);
|
|
1109
|
-
StringValueCStr(curve);
|
|
1110
|
-
|
|
1111
|
-
/* SSL_CTX_set1_curves_list() accepts NIST names */
|
|
1112
|
-
nid = EC_curve_nist2nid(RSTRING_PTR(curve));
|
|
1113
|
-
if (nid == NID_undef)
|
|
1114
|
-
nid = OBJ_txt2nid(RSTRING_PTR(curve));
|
|
1115
|
-
if (nid == NID_undef)
|
|
1116
|
-
ossl_raise(eSSLError, "unknown curve name");
|
|
1117
|
-
|
|
1118
|
-
ec = EC_KEY_new_by_curve_name(nid);
|
|
1119
|
-
if (!ec)
|
|
1120
|
-
ossl_raise(eSSLError, NULL);
|
|
1121
|
-
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
|
|
1122
|
-
if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
|
|
1123
|
-
EC_KEY_free(ec);
|
|
1124
|
-
ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
|
|
1125
|
-
}
|
|
1126
|
-
EC_KEY_free(ec);
|
|
1127
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
|
1128
|
-
/* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
|
|
1129
|
-
* is enabled. So disable ecdh_auto. */
|
|
1130
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
|
1131
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
1132
|
-
# endif
|
|
1133
|
-
}
|
|
1134
|
-
#endif
|
|
1135
|
-
|
|
1136
1086
|
return arg;
|
|
1137
1087
|
}
|
|
1138
1088
|
#else
|
|
@@ -1223,7 +1173,7 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
|
1223
1173
|
|
|
1224
1174
|
/*
|
|
1225
1175
|
* call-seq:
|
|
1226
|
-
* ctx.add_certificate(
|
|
1176
|
+
* ctx.add_certificate(certificate, pkey [, extra_certs]) -> self
|
|
1227
1177
|
*
|
|
1228
1178
|
* Adds a certificate to the context. _pkey_ must be a corresponding private
|
|
1229
1179
|
* key with _certificate_.
|
|
@@ -1255,10 +1205,6 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
|
1255
1205
|
* ecdsa_pkey = ...
|
|
1256
1206
|
* another_ca_cert = ...
|
|
1257
1207
|
* ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
|
|
1258
|
-
*
|
|
1259
|
-
* === Note
|
|
1260
|
-
* OpenSSL before the version 1.0.2 could handle only one extra chain across
|
|
1261
|
-
* all key types. Calling this method discards the chain set previously.
|
|
1262
1208
|
*/
|
|
1263
1209
|
static VALUE
|
|
1264
1210
|
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
@@ -1283,7 +1229,7 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
|
1283
1229
|
EVP_PKEY_free(pub_pkey);
|
|
1284
1230
|
if (!pub_pkey)
|
|
1285
1231
|
rb_raise(rb_eArgError, "certificate does not contain public key");
|
|
1286
|
-
if (
|
|
1232
|
+
if (EVP_PKEY_eq(pub_pkey, pkey) != 1)
|
|
1287
1233
|
rb_raise(rb_eArgError, "public key mismatch");
|
|
1288
1234
|
|
|
1289
1235
|
if (argc >= 3)
|
|
@@ -1297,34 +1243,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
|
1297
1243
|
sk_X509_pop_free(extra_chain, X509_free);
|
|
1298
1244
|
ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
|
|
1299
1245
|
}
|
|
1300
|
-
|
|
1301
|
-
|
|
1302
|
-
|
|
1303
|
-
if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
|
|
1304
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
|
1305
|
-
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
|
1306
|
-
}
|
|
1307
|
-
#else
|
|
1308
|
-
STACK_OF(X509) *orig_extra_chain;
|
|
1309
|
-
X509 *x509_tmp;
|
|
1310
|
-
|
|
1311
|
-
/* First, clear the existing chain */
|
|
1312
|
-
SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
|
|
1313
|
-
if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
|
|
1314
|
-
rb_warning("SSL_CTX_set0_chain() is not available; " \
|
|
1315
|
-
"clearing previously set certificate chain");
|
|
1316
|
-
SSL_CTX_clear_extra_chain_certs(ctx);
|
|
1317
|
-
}
|
|
1318
|
-
while ((x509_tmp = sk_X509_shift(extra_chain))) {
|
|
1319
|
-
/* Transfers ownership */
|
|
1320
|
-
if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
|
|
1321
|
-
X509_free(x509_tmp);
|
|
1322
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
|
1323
|
-
ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
|
|
1324
|
-
}
|
|
1325
|
-
}
|
|
1326
|
-
sk_X509_free(extra_chain);
|
|
1327
|
-
#endif
|
|
1246
|
+
if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) {
|
|
1247
|
+
sk_X509_pop_free(extra_chain, X509_free);
|
|
1248
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
|
1328
1249
|
}
|
|
1329
1250
|
return self;
|
|
1330
1251
|
}
|
|
@@ -1522,8 +1443,16 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
|
1522
1443
|
static inline int
|
|
1523
1444
|
ssl_started(SSL *ssl)
|
|
1524
1445
|
{
|
|
1525
|
-
/*
|
|
1526
|
-
return
|
|
1446
|
+
/* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
|
1447
|
+
return SSL_get_rbio(ssl) != NULL;
|
|
1448
|
+
}
|
|
1449
|
+
|
|
1450
|
+
static void
|
|
1451
|
+
ossl_ssl_mark(void *ptr)
|
|
1452
|
+
{
|
|
1453
|
+
SSL *ssl = ptr;
|
|
1454
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
|
|
1455
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
|
|
1527
1456
|
}
|
|
1528
1457
|
|
|
1529
1458
|
static void
|
|
@@ -1535,7 +1464,7 @@ ossl_ssl_free(void *ssl)
|
|
|
1535
1464
|
const rb_data_type_t ossl_ssl_type = {
|
|
1536
1465
|
"OpenSSL/SSL",
|
|
1537
1466
|
{
|
|
1538
|
-
|
|
1467
|
+
ossl_ssl_mark, ossl_ssl_free,
|
|
1539
1468
|
},
|
|
1540
1469
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
1541
1470
|
};
|
|
@@ -1546,6 +1475,29 @@ ossl_ssl_s_alloc(VALUE klass)
|
|
|
1546
1475
|
return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL);
|
|
1547
1476
|
}
|
|
1548
1477
|
|
|
1478
|
+
static VALUE
|
|
1479
|
+
peer_ip_address(VALUE self)
|
|
1480
|
+
{
|
|
1481
|
+
VALUE remote_address = rb_funcall(rb_attr_get(self, id_i_io), rb_intern("remote_address"), 0);
|
|
1482
|
+
|
|
1483
|
+
return rb_funcall(remote_address, rb_intern("inspect_sockaddr"), 0);
|
|
1484
|
+
}
|
|
1485
|
+
|
|
1486
|
+
static VALUE
|
|
1487
|
+
fallback_peer_ip_address(VALUE self, VALUE args)
|
|
1488
|
+
{
|
|
1489
|
+
return rb_str_new_cstr("(null)");
|
|
1490
|
+
}
|
|
1491
|
+
|
|
1492
|
+
static VALUE
|
|
1493
|
+
peeraddr_ip_str(VALUE self)
|
|
1494
|
+
{
|
|
1495
|
+
VALUE rb_mErrno = rb_const_get(rb_cObject, rb_intern("Errno"));
|
|
1496
|
+
VALUE rb_eSystemCallError = rb_const_get(rb_mErrno, rb_intern("SystemCallError"));
|
|
1497
|
+
|
|
1498
|
+
return rb_rescue2(peer_ip_address, self, fallback_peer_ip_address, (VALUE)0, rb_eSystemCallError, NULL);
|
|
1499
|
+
}
|
|
1500
|
+
|
|
1549
1501
|
/*
|
|
1550
1502
|
* call-seq:
|
|
1551
1503
|
* SSLSocket.new(io) => aSSLSocket
|
|
@@ -1582,6 +1534,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|
|
1582
1534
|
|
|
1583
1535
|
if (rb_respond_to(io, rb_intern("nonblock=")))
|
|
1584
1536
|
rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
|
|
1537
|
+
Check_Type(io, T_FILE);
|
|
1585
1538
|
rb_ivar_set(self, id_i_io, io);
|
|
1586
1539
|
|
|
1587
1540
|
ssl = SSL_new(ctx);
|
|
@@ -1649,6 +1602,26 @@ no_exception_p(VALUE opts)
|
|
|
1649
1602
|
return 0;
|
|
1650
1603
|
}
|
|
1651
1604
|
|
|
1605
|
+
static void
|
|
1606
|
+
io_wait_writable(rb_io_t *fptr)
|
|
1607
|
+
{
|
|
1608
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
|
1609
|
+
rb_io_maybe_wait_writable(errno, fptr->self, Qnil);
|
|
1610
|
+
#else
|
|
1611
|
+
rb_io_wait_writable(fptr->fd);
|
|
1612
|
+
#endif
|
|
1613
|
+
}
|
|
1614
|
+
|
|
1615
|
+
static void
|
|
1616
|
+
io_wait_readable(rb_io_t *fptr)
|
|
1617
|
+
{
|
|
1618
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
|
1619
|
+
rb_io_maybe_wait_readable(errno, fptr->self, Qnil);
|
|
1620
|
+
#else
|
|
1621
|
+
rb_io_wait_readable(fptr->fd);
|
|
1622
|
+
#endif
|
|
1623
|
+
}
|
|
1624
|
+
|
|
1652
1625
|
static VALUE
|
|
1653
1626
|
ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1654
1627
|
{
|
|
@@ -1683,16 +1656,23 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1683
1656
|
case SSL_ERROR_WANT_WRITE:
|
|
1684
1657
|
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1685
1658
|
write_would_block(nonblock);
|
|
1686
|
-
|
|
1659
|
+
io_wait_writable(fptr);
|
|
1687
1660
|
continue;
|
|
1688
1661
|
case SSL_ERROR_WANT_READ:
|
|
1689
1662
|
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1690
1663
|
read_would_block(nonblock);
|
|
1691
|
-
|
|
1664
|
+
io_wait_readable(fptr);
|
|
1692
1665
|
continue;
|
|
1693
1666
|
case SSL_ERROR_SYSCALL:
|
|
1667
|
+
#ifdef __APPLE__
|
|
1668
|
+
/* See ossl_ssl_write_internal() */
|
|
1669
|
+
if (errno == EPROTOTYPE)
|
|
1670
|
+
continue;
|
|
1671
|
+
#endif
|
|
1694
1672
|
if (errno) rb_sys_fail(funcname);
|
|
1695
|
-
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s",
|
|
1673
|
+
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
|
1674
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
|
1675
|
+
|
|
1696
1676
|
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
|
|
1697
1677
|
case SSL_ERROR_SSL:
|
|
1698
1678
|
err = ERR_peek_last_error();
|
|
@@ -1705,13 +1685,15 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1705
1685
|
if (!verify_msg)
|
|
1706
1686
|
verify_msg = "(null)";
|
|
1707
1687
|
ossl_clear_error(); /* let ossl_raise() not append message */
|
|
1708
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s: %s (%s)",
|
|
1709
|
-
funcname, ret2, errno, SSL_state_string_long(ssl),
|
|
1688
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s: %s (%s)",
|
|
1689
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl),
|
|
1710
1690
|
err_msg, verify_msg);
|
|
1711
1691
|
}
|
|
1712
1692
|
#endif
|
|
1693
|
+
/* fallthrough */
|
|
1713
1694
|
default:
|
|
1714
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s",
|
|
1695
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
|
1696
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
|
1715
1697
|
}
|
|
1716
1698
|
}
|
|
1717
1699
|
|
|
@@ -1722,8 +1704,7 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1722
1704
|
* call-seq:
|
|
1723
1705
|
* ssl.connect => self
|
|
1724
1706
|
*
|
|
1725
|
-
* Initiates an SSL/TLS handshake with a server.
|
|
1726
|
-
* after unencrypted data has been sent over the socket.
|
|
1707
|
+
* Initiates an SSL/TLS handshake with a server.
|
|
1727
1708
|
*/
|
|
1728
1709
|
static VALUE
|
|
1729
1710
|
ossl_ssl_connect(VALUE self)
|
|
@@ -1770,8 +1751,7 @@ ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
|
|
|
1770
1751
|
* call-seq:
|
|
1771
1752
|
* ssl.accept => self
|
|
1772
1753
|
*
|
|
1773
|
-
* Waits for a SSL/TLS client to initiate a handshake.
|
|
1774
|
-
* started after unencrypted data has been sent over the socket.
|
|
1754
|
+
* Waits for a SSL/TLS client to initiate a handshake.
|
|
1775
1755
|
*/
|
|
1776
1756
|
static VALUE
|
|
1777
1757
|
ossl_ssl_accept(VALUE self)
|
|
@@ -1818,7 +1798,7 @@ static VALUE
|
|
|
1818
1798
|
ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1819
1799
|
{
|
|
1820
1800
|
SSL *ssl;
|
|
1821
|
-
int ilen
|
|
1801
|
+
int ilen;
|
|
1822
1802
|
VALUE len, str;
|
|
1823
1803
|
rb_io_t *fptr;
|
|
1824
1804
|
VALUE io, opts = Qnil;
|
|
@@ -1828,6 +1808,9 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1828
1808
|
} else {
|
|
1829
1809
|
rb_scan_args(argc, argv, "11", &len, &str);
|
|
1830
1810
|
}
|
|
1811
|
+
GetSSL(self, ssl);
|
|
1812
|
+
if (!ssl_started(ssl))
|
|
1813
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
|
1831
1814
|
|
|
1832
1815
|
ilen = NUM2INT(len);
|
|
1833
1816
|
if (NIL_P(str))
|
|
@@ -1843,74 +1826,60 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1843
1826
|
if (ilen == 0)
|
|
1844
1827
|
return str;
|
|
1845
1828
|
|
|
1846
|
-
GetSSL(self, ssl);
|
|
1847
1829
|
io = rb_attr_get(self, id_i_io);
|
|
1848
1830
|
GetOpenFile(io, fptr);
|
|
1849
|
-
|
|
1850
|
-
|
|
1851
|
-
|
|
1852
|
-
|
|
1853
|
-
|
|
1854
|
-
|
|
1855
|
-
|
|
1856
|
-
|
|
1857
|
-
|
|
1858
|
-
|
|
1859
|
-
|
|
1831
|
+
|
|
1832
|
+
rb_str_locktmp(str);
|
|
1833
|
+
for (;;) {
|
|
1834
|
+
int nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
|
|
1835
|
+
switch (ssl_get_error(ssl, nread)) {
|
|
1836
|
+
case SSL_ERROR_NONE:
|
|
1837
|
+
rb_str_unlocktmp(str);
|
|
1838
|
+
rb_str_set_len(str, nread);
|
|
1839
|
+
return str;
|
|
1840
|
+
case SSL_ERROR_ZERO_RETURN:
|
|
1841
|
+
rb_str_unlocktmp(str);
|
|
1842
|
+
if (no_exception_p(opts)) { return Qnil; }
|
|
1843
|
+
rb_eof_error();
|
|
1844
|
+
case SSL_ERROR_WANT_WRITE:
|
|
1845
|
+
if (nonblock) {
|
|
1846
|
+
rb_str_unlocktmp(str);
|
|
1847
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1860
1848
|
write_would_block(nonblock);
|
|
1861
|
-
|
|
1862
|
-
|
|
1863
|
-
|
|
1864
|
-
|
|
1849
|
+
}
|
|
1850
|
+
io_wait_writable(fptr);
|
|
1851
|
+
continue;
|
|
1852
|
+
case SSL_ERROR_WANT_READ:
|
|
1853
|
+
if (nonblock) {
|
|
1854
|
+
rb_str_unlocktmp(str);
|
|
1855
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1865
1856
|
read_would_block(nonblock);
|
|
1866
|
-
|
|
1867
|
-
|
|
1868
|
-
|
|
1869
|
-
|
|
1870
|
-
|
|
1871
|
-
|
|
1872
|
-
|
|
1873
|
-
|
|
1874
|
-
|
|
1875
|
-
|
|
1876
|
-
|
|
1877
|
-
|
|
1878
|
-
|
|
1879
|
-
|
|
1880
|
-
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
else {
|
|
1891
|
-
ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
|
|
1892
|
-
|
|
1893
|
-
rb_warning("SSL session is not started yet.");
|
|
1894
|
-
#if defined(RB_PASS_KEYWORDS)
|
|
1895
|
-
if (nonblock) {
|
|
1896
|
-
VALUE argv[3];
|
|
1897
|
-
argv[0] = len;
|
|
1898
|
-
argv[1] = str;
|
|
1899
|
-
argv[2] = opts;
|
|
1900
|
-
return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
|
|
1901
|
-
}
|
|
1902
|
-
#else
|
|
1903
|
-
if (nonblock) {
|
|
1904
|
-
return rb_funcall(io, meth, 3, len, str, opts);
|
|
1857
|
+
}
|
|
1858
|
+
io_wait_readable(fptr);
|
|
1859
|
+
continue;
|
|
1860
|
+
case SSL_ERROR_SYSCALL:
|
|
1861
|
+
if (!ERR_peek_error()) {
|
|
1862
|
+
rb_str_unlocktmp(str);
|
|
1863
|
+
if (errno)
|
|
1864
|
+
rb_sys_fail(0);
|
|
1865
|
+
else {
|
|
1866
|
+
/*
|
|
1867
|
+
* The underlying BIO returned 0. This is actually a
|
|
1868
|
+
* protocol error. But unfortunately, not all
|
|
1869
|
+
* implementations cleanly shutdown the TLS connection
|
|
1870
|
+
* but just shutdown/close the TCP connection. So report
|
|
1871
|
+
* EOF for now...
|
|
1872
|
+
*/
|
|
1873
|
+
if (no_exception_p(opts)) { return Qnil; }
|
|
1874
|
+
rb_eof_error();
|
|
1875
|
+
}
|
|
1876
|
+
}
|
|
1877
|
+
/* fall through */
|
|
1878
|
+
default:
|
|
1879
|
+
rb_str_unlocktmp(str);
|
|
1880
|
+
ossl_raise(eSSLError, "SSL_read");
|
|
1905
1881
|
}
|
|
1906
|
-
#endif
|
|
1907
|
-
else
|
|
1908
|
-
return rb_funcall(io, meth, 2, len, str);
|
|
1909
1882
|
}
|
|
1910
|
-
|
|
1911
|
-
end:
|
|
1912
|
-
rb_str_set_len(str, nread);
|
|
1913
|
-
return str;
|
|
1914
1883
|
}
|
|
1915
1884
|
|
|
1916
1885
|
/*
|
|
@@ -1950,67 +1919,55 @@ static VALUE
|
|
|
1950
1919
|
ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1951
1920
|
{
|
|
1952
1921
|
SSL *ssl;
|
|
1953
|
-
int nwrite = 0;
|
|
1954
1922
|
rb_io_t *fptr;
|
|
1955
|
-
int nonblock = opts != Qfalse;
|
|
1956
|
-
VALUE io;
|
|
1923
|
+
int num, nonblock = opts != Qfalse;
|
|
1924
|
+
VALUE tmp, io;
|
|
1957
1925
|
|
|
1958
|
-
StringValue(str);
|
|
1959
1926
|
GetSSL(self, ssl);
|
|
1927
|
+
if (!ssl_started(ssl))
|
|
1928
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
|
1929
|
+
|
|
1930
|
+
tmp = rb_str_new_frozen(StringValue(str));
|
|
1960
1931
|
io = rb_attr_get(self, id_i_io);
|
|
1961
1932
|
GetOpenFile(io, fptr);
|
|
1962
|
-
|
|
1963
|
-
|
|
1964
|
-
|
|
1965
|
-
|
|
1966
|
-
|
|
1967
|
-
|
|
1968
|
-
|
|
1969
|
-
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
1973
|
-
|
|
1974
|
-
|
|
1975
|
-
|
|
1976
|
-
|
|
1977
|
-
|
|
1978
|
-
|
|
1979
|
-
|
|
1980
|
-
|
|
1981
|
-
|
|
1982
|
-
|
|
1933
|
+
|
|
1934
|
+
/* SSL_write(3ssl) manpage states num == 0 is undefined */
|
|
1935
|
+
num = RSTRING_LENINT(tmp);
|
|
1936
|
+
if (num == 0)
|
|
1937
|
+
return INT2FIX(0);
|
|
1938
|
+
|
|
1939
|
+
for (;;) {
|
|
1940
|
+
int nwritten = SSL_write(ssl, RSTRING_PTR(tmp), num);
|
|
1941
|
+
switch (ssl_get_error(ssl, nwritten)) {
|
|
1942
|
+
case SSL_ERROR_NONE:
|
|
1943
|
+
return INT2NUM(nwritten);
|
|
1944
|
+
case SSL_ERROR_WANT_WRITE:
|
|
1945
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1946
|
+
write_would_block(nonblock);
|
|
1947
|
+
io_wait_writable(fptr);
|
|
1948
|
+
continue;
|
|
1949
|
+
case SSL_ERROR_WANT_READ:
|
|
1950
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1951
|
+
read_would_block(nonblock);
|
|
1952
|
+
io_wait_readable(fptr);
|
|
1953
|
+
continue;
|
|
1954
|
+
case SSL_ERROR_SYSCALL:
|
|
1955
|
+
#ifdef __APPLE__
|
|
1956
|
+
/*
|
|
1957
|
+
* It appears that send syscall can return EPROTOTYPE if the
|
|
1958
|
+
* socket is being torn down. Retry to get a proper errno to
|
|
1959
|
+
* make the error handling in line with the socket library.
|
|
1960
|
+
* [Bug #14713] https://bugs.ruby-lang.org/issues/14713
|
|
1961
|
+
*/
|
|
1962
|
+
if (errno == EPROTOTYPE)
|
|
1983
1963
|
continue;
|
|
1984
|
-
case SSL_ERROR_SYSCALL:
|
|
1985
|
-
if (errno) rb_sys_fail(0);
|
|
1986
|
-
default:
|
|
1987
|
-
ossl_raise(eSSLError, "SSL_write");
|
|
1988
|
-
}
|
|
1989
|
-
}
|
|
1990
|
-
}
|
|
1991
|
-
else {
|
|
1992
|
-
ID meth = nonblock ?
|
|
1993
|
-
rb_intern("write_nonblock") : rb_intern("syswrite");
|
|
1994
|
-
|
|
1995
|
-
rb_warning("SSL session is not started yet.");
|
|
1996
|
-
#if defined(RB_PASS_KEYWORDS)
|
|
1997
|
-
if (nonblock) {
|
|
1998
|
-
VALUE argv[2];
|
|
1999
|
-
argv[0] = str;
|
|
2000
|
-
argv[1] = opts;
|
|
2001
|
-
return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
|
|
2002
|
-
}
|
|
2003
|
-
#else
|
|
2004
|
-
if (nonblock) {
|
|
2005
|
-
return rb_funcall(io, meth, 2, str, opts);
|
|
2006
|
-
}
|
|
2007
1964
|
#endif
|
|
2008
|
-
|
|
2009
|
-
|
|
1965
|
+
if (errno) rb_sys_fail(0);
|
|
1966
|
+
/* fallthrough */
|
|
1967
|
+
default:
|
|
1968
|
+
ossl_raise(eSSLError, "SSL_write");
|
|
1969
|
+
}
|
|
2010
1970
|
}
|
|
2011
|
-
|
|
2012
|
-
end:
|
|
2013
|
-
return INT2NUM(nwrite);
|
|
2014
1971
|
}
|
|
2015
1972
|
|
|
2016
1973
|
/*
|
|
@@ -2410,7 +2367,6 @@ ossl_ssl_npn_protocol(VALUE self)
|
|
|
2410
2367
|
}
|
|
2411
2368
|
# endif
|
|
2412
2369
|
|
|
2413
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2414
2370
|
/*
|
|
2415
2371
|
* call-seq:
|
|
2416
2372
|
* ssl.alpn_protocol => String | nil
|
|
@@ -2433,9 +2389,7 @@ ossl_ssl_alpn_protocol(VALUE self)
|
|
|
2433
2389
|
else
|
|
2434
2390
|
return rb_str_new((const char *) out, outlen);
|
|
2435
2391
|
}
|
|
2436
|
-
# endif
|
|
2437
2392
|
|
|
2438
|
-
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
|
2439
2393
|
/*
|
|
2440
2394
|
* call-seq:
|
|
2441
2395
|
* ssl.tmp_key => PKey or nil
|
|
@@ -2453,11 +2407,8 @@ ossl_ssl_tmp_key(VALUE self)
|
|
|
2453
2407
|
return Qnil;
|
|
2454
2408
|
return ossl_pkey_new(key);
|
|
2455
2409
|
}
|
|
2456
|
-
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
|
|
2457
2410
|
#endif /* !defined(OPENSSL_NO_SOCK) */
|
|
2458
2411
|
|
|
2459
|
-
#undef rb_intern
|
|
2460
|
-
#define rb_intern(s) rb_intern_const(s)
|
|
2461
2412
|
void
|
|
2462
2413
|
Init_ossl_ssl(void)
|
|
2463
2414
|
{
|
|
@@ -2468,8 +2419,8 @@ Init_ossl_ssl(void)
|
|
|
2468
2419
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
|
2469
2420
|
#endif
|
|
2470
2421
|
|
|
2471
|
-
id_call =
|
|
2472
|
-
ID_callback_state =
|
|
2422
|
+
id_call = rb_intern_const("call");
|
|
2423
|
+
ID_callback_state = rb_intern_const("callback_state");
|
|
2473
2424
|
|
|
2474
2425
|
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
|
|
2475
2426
|
if (ossl_ssl_ex_vcb_idx < 0)
|
|
@@ -2480,11 +2431,6 @@ Init_ossl_ssl(void)
|
|
|
2480
2431
|
ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0);
|
|
2481
2432
|
if (ossl_sslctx_ex_ptr_idx < 0)
|
|
2482
2433
|
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
|
2483
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
2484
|
-
ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0);
|
|
2485
|
-
if (ossl_sslctx_ex_store_p < 0)
|
|
2486
|
-
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
|
2487
|
-
#endif
|
|
2488
2434
|
|
|
2489
2435
|
/* Document-module: OpenSSL::SSL
|
|
2490
2436
|
*
|
|
@@ -2536,7 +2482,7 @@ Init_ossl_ssl(void)
|
|
|
2536
2482
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2537
2483
|
* It is recommended to use #add_certificate instead.
|
|
2538
2484
|
*/
|
|
2539
|
-
rb_attr(cSSLContext,
|
|
2485
|
+
rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
|
|
2540
2486
|
|
|
2541
2487
|
/*
|
|
2542
2488
|
* Context private key
|
|
@@ -2544,29 +2490,29 @@ Init_ossl_ssl(void)
|
|
|
2544
2490
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2545
2491
|
* It is recommended to use #add_certificate instead.
|
|
2546
2492
|
*/
|
|
2547
|
-
rb_attr(cSSLContext,
|
|
2493
|
+
rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
|
|
2548
2494
|
|
|
2549
2495
|
/*
|
|
2550
2496
|
* A certificate or Array of certificates that will be sent to the client.
|
|
2551
2497
|
*/
|
|
2552
|
-
rb_attr(cSSLContext,
|
|
2498
|
+
rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
|
|
2553
2499
|
|
|
2554
2500
|
/*
|
|
2555
2501
|
* The path to a file containing a PEM-format CA certificate
|
|
2556
2502
|
*/
|
|
2557
|
-
rb_attr(cSSLContext,
|
|
2503
|
+
rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
|
|
2558
2504
|
|
|
2559
2505
|
/*
|
|
2560
2506
|
* The path to a directory containing CA certificates in PEM format.
|
|
2561
2507
|
*
|
|
2562
2508
|
* Files are looked up by subject's X509 name's hash value.
|
|
2563
2509
|
*/
|
|
2564
|
-
rb_attr(cSSLContext,
|
|
2510
|
+
rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
|
|
2565
2511
|
|
|
2566
2512
|
/*
|
|
2567
2513
|
* Maximum session lifetime in seconds.
|
|
2568
2514
|
*/
|
|
2569
|
-
rb_attr(cSSLContext,
|
|
2515
|
+
rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
|
|
2570
2516
|
|
|
2571
2517
|
/*
|
|
2572
2518
|
* Session verification mode.
|
|
@@ -2579,12 +2525,12 @@ Init_ossl_ssl(void)
|
|
|
2579
2525
|
*
|
|
2580
2526
|
* See SSL_CTX_set_verify(3) for details.
|
|
2581
2527
|
*/
|
|
2582
|
-
rb_attr(cSSLContext,
|
|
2528
|
+
rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
|
|
2583
2529
|
|
|
2584
2530
|
/*
|
|
2585
2531
|
* Number of CA certificates to walk when verifying a certificate chain.
|
|
2586
2532
|
*/
|
|
2587
|
-
rb_attr(cSSLContext,
|
|
2533
|
+
rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
|
|
2588
2534
|
|
|
2589
2535
|
/*
|
|
2590
2536
|
* A callback for additional certificate verification. The callback is
|
|
@@ -2598,7 +2544,7 @@ Init_ossl_ssl(void)
|
|
|
2598
2544
|
* If the callback returns +false+, the chain verification is immediately
|
|
2599
2545
|
* stopped and a bad_certificate alert is then sent.
|
|
2600
2546
|
*/
|
|
2601
|
-
rb_attr(cSSLContext,
|
|
2547
|
+
rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
|
|
2602
2548
|
|
|
2603
2549
|
/*
|
|
2604
2550
|
* Whether to check the server certificate is valid for the hostname.
|
|
@@ -2606,12 +2552,12 @@ Init_ossl_ssl(void)
|
|
|
2606
2552
|
* In order to make this work, verify_mode must be set to VERIFY_PEER and
|
|
2607
2553
|
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
|
|
2608
2554
|
*/
|
|
2609
|
-
rb_attr(cSSLContext,
|
|
2555
|
+
rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
|
|
2610
2556
|
|
|
2611
2557
|
/*
|
|
2612
2558
|
* An OpenSSL::X509::Store used for certificate verification.
|
|
2613
2559
|
*/
|
|
2614
|
-
rb_attr(cSSLContext,
|
|
2560
|
+
rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
|
|
2615
2561
|
|
|
2616
2562
|
/*
|
|
2617
2563
|
* An Array of extra X509 certificates to be added to the certificate
|
|
@@ -2620,7 +2566,7 @@ Init_ossl_ssl(void)
|
|
|
2620
2566
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2621
2567
|
* It is recommended to use #add_certificate instead.
|
|
2622
2568
|
*/
|
|
2623
|
-
rb_attr(cSSLContext,
|
|
2569
|
+
rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
|
|
2624
2570
|
|
|
2625
2571
|
/*
|
|
2626
2572
|
* A callback invoked when a client certificate is requested by a server
|
|
@@ -2630,28 +2576,14 @@ Init_ossl_ssl(void)
|
|
|
2630
2576
|
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
|
|
2631
2577
|
* other value is returned the handshake is suspended.
|
|
2632
2578
|
*/
|
|
2633
|
-
rb_attr(cSSLContext,
|
|
2634
|
-
|
|
2635
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
2636
|
-
/*
|
|
2637
|
-
* A callback invoked when ECDH parameters are required.
|
|
2638
|
-
*
|
|
2639
|
-
* The callback is invoked with the Session for the key exchange, an
|
|
2640
|
-
* flag indicating the use of an export cipher and the keylength
|
|
2641
|
-
* required.
|
|
2642
|
-
*
|
|
2643
|
-
* The callback is deprecated. This does not work with recent versions of
|
|
2644
|
-
* OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
|
|
2645
|
-
*/
|
|
2646
|
-
rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
|
|
2647
|
-
#endif
|
|
2579
|
+
rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
|
|
2648
2580
|
|
|
2649
2581
|
/*
|
|
2650
2582
|
* Sets the context in which a session can be reused. This allows
|
|
2651
2583
|
* sessions for multiple applications to be distinguished, for example, by
|
|
2652
2584
|
* name.
|
|
2653
2585
|
*/
|
|
2654
|
-
rb_attr(cSSLContext,
|
|
2586
|
+
rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
|
|
2655
2587
|
|
|
2656
2588
|
/*
|
|
2657
2589
|
* A callback invoked on a server when a session is proposed by the client
|
|
@@ -2660,7 +2592,7 @@ Init_ossl_ssl(void)
|
|
|
2660
2592
|
* The callback is invoked with the SSLSocket and session id. The
|
|
2661
2593
|
* callback may return a Session from an external cache.
|
|
2662
2594
|
*/
|
|
2663
|
-
rb_attr(cSSLContext,
|
|
2595
|
+
rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
|
|
2664
2596
|
|
|
2665
2597
|
/*
|
|
2666
2598
|
* A callback invoked when a new session was negotiated.
|
|
@@ -2668,7 +2600,7 @@ Init_ossl_ssl(void)
|
|
|
2668
2600
|
* The callback is invoked with an SSLSocket. If +false+ is returned the
|
|
2669
2601
|
* session will be removed from the internal cache.
|
|
2670
2602
|
*/
|
|
2671
|
-
rb_attr(cSSLContext,
|
|
2603
|
+
rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
|
|
2672
2604
|
|
|
2673
2605
|
/*
|
|
2674
2606
|
* A callback invoked when a session is removed from the internal cache.
|
|
@@ -2679,7 +2611,7 @@ Init_ossl_ssl(void)
|
|
|
2679
2611
|
* multi-threaded application. The callback is called inside a global lock
|
|
2680
2612
|
* and it can randomly cause deadlock on Ruby thread switching.
|
|
2681
2613
|
*/
|
|
2682
|
-
rb_attr(cSSLContext,
|
|
2614
|
+
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
|
2683
2615
|
|
|
2684
2616
|
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
|
2685
2617
|
|
|
@@ -2702,7 +2634,7 @@ Init_ossl_ssl(void)
|
|
|
2702
2634
|
* raise RuntimeError, "Client renegotiation disabled"
|
|
2703
2635
|
* end
|
|
2704
2636
|
*/
|
|
2705
|
-
rb_attr(cSSLContext,
|
|
2637
|
+
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
|
2706
2638
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
2707
2639
|
/*
|
|
2708
2640
|
* An Enumerable of Strings. Each String represents a protocol to be
|
|
@@ -2715,7 +2647,7 @@ Init_ossl_ssl(void)
|
|
|
2715
2647
|
*
|
|
2716
2648
|
* ctx.npn_protocols = ["http/1.1", "spdy/2"]
|
|
2717
2649
|
*/
|
|
2718
|
-
rb_attr(cSSLContext,
|
|
2650
|
+
rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
|
|
2719
2651
|
/*
|
|
2720
2652
|
* A callback invoked on the client side when the client needs to select
|
|
2721
2653
|
* a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
|
|
@@ -2732,10 +2664,9 @@ Init_ossl_ssl(void)
|
|
|
2732
2664
|
* protocols.first
|
|
2733
2665
|
* end
|
|
2734
2666
|
*/
|
|
2735
|
-
rb_attr(cSSLContext,
|
|
2667
|
+
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
|
|
2736
2668
|
#endif
|
|
2737
2669
|
|
|
2738
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2739
2670
|
/*
|
|
2740
2671
|
* An Enumerable of Strings. Each String represents a protocol to be
|
|
2741
2672
|
* advertised as the list of supported protocols for Application-Layer
|
|
@@ -2747,7 +2678,7 @@ Init_ossl_ssl(void)
|
|
|
2747
2678
|
*
|
|
2748
2679
|
* ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
|
|
2749
2680
|
*/
|
|
2750
|
-
rb_attr(cSSLContext,
|
|
2681
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
|
|
2751
2682
|
/*
|
|
2752
2683
|
* A callback invoked on the server side when the server needs to select
|
|
2753
2684
|
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
|
|
@@ -2764,8 +2695,7 @@ Init_ossl_ssl(void)
|
|
|
2764
2695
|
* protocols.first
|
|
2765
2696
|
* end
|
|
2766
2697
|
*/
|
|
2767
|
-
rb_attr(cSSLContext,
|
|
2768
|
-
#endif
|
|
2698
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
|
2769
2699
|
|
|
2770
2700
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
|
2771
2701
|
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
|
|
@@ -2773,6 +2703,9 @@ Init_ossl_ssl(void)
|
|
|
2773
2703
|
ossl_sslctx_set_minmax_proto_version, 2);
|
|
2774
2704
|
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
|
2775
2705
|
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
|
2706
|
+
#ifndef OPENSSL_NO_DH
|
|
2707
|
+
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
|
|
2708
|
+
#endif
|
|
2776
2709
|
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
|
|
2777
2710
|
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
|
|
2778
2711
|
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
|
|
@@ -2879,12 +2812,8 @@ Init_ossl_ssl(void)
|
|
|
2879
2812
|
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
|
|
2880
2813
|
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
|
|
2881
2814
|
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
|
2882
|
-
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
|
2883
2815
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
|
2884
|
-
# endif
|
|
2885
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2886
2816
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
|
2887
|
-
# endif
|
|
2888
2817
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
|
2889
2818
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
|
2890
2819
|
# endif
|
|
@@ -2896,12 +2825,23 @@ Init_ossl_ssl(void)
|
|
|
2896
2825
|
rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
|
|
2897
2826
|
|
|
2898
2827
|
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
|
|
2828
|
+
#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
|
|
2829
|
+
rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
|
|
2830
|
+
#endif
|
|
2899
2831
|
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
|
|
2900
|
-
#ifdef
|
|
2901
|
-
rb_define_const(mSSL, "
|
|
2832
|
+
#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
|
|
2833
|
+
rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
|
|
2902
2834
|
#endif
|
|
2903
|
-
|
|
2835
|
+
rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
|
|
2904
2836
|
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
|
|
2837
|
+
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
|
|
2838
|
+
rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
|
|
2839
|
+
#endif
|
|
2840
|
+
#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
|
|
2841
|
+
rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
|
|
2842
|
+
#endif
|
|
2843
|
+
#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
|
|
2844
|
+
rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
|
|
2905
2845
|
#endif
|
|
2906
2846
|
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
|
|
2907
2847
|
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
|
|
@@ -2914,13 +2854,15 @@ Init_ossl_ssl(void)
|
|
|
2914
2854
|
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
|
|
2915
2855
|
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
|
|
2916
2856
|
#endif
|
|
2917
|
-
|
|
2918
|
-
rb_define_const(mSSL, "
|
|
2919
|
-
#
|
|
2920
|
-
|
|
2857
|
+
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
|
|
2858
|
+
rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
|
|
2859
|
+
#endif
|
|
2860
|
+
#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
|
|
2861
|
+
rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
|
|
2862
|
+
#endif
|
|
2863
|
+
#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
|
|
2864
|
+
rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
|
|
2921
2865
|
#endif
|
|
2922
|
-
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
2923
|
-
|
|
2924
2866
|
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
|
|
2925
2867
|
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
|
|
2926
2868
|
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
|
|
@@ -2928,6 +2870,12 @@ Init_ossl_ssl(void)
|
|
|
2928
2870
|
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
|
|
2929
2871
|
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
|
|
2930
2872
|
#endif
|
|
2873
|
+
rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
|
|
2874
|
+
rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
|
|
2875
|
+
#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
|
|
2876
|
+
rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
|
|
2877
|
+
#endif
|
|
2878
|
+
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
2931
2879
|
|
|
2932
2880
|
/* SSL_OP_* flags for DTLS */
|
|
2933
2881
|
#if 0
|
|
@@ -2992,16 +2940,16 @@ Init_ossl_ssl(void)
|
|
|
2992
2940
|
#endif
|
|
2993
2941
|
|
|
2994
2942
|
|
|
2995
|
-
sym_exception = ID2SYM(
|
|
2996
|
-
sym_wait_readable = ID2SYM(
|
|
2997
|
-
sym_wait_writable = ID2SYM(
|
|
2943
|
+
sym_exception = ID2SYM(rb_intern_const("exception"));
|
|
2944
|
+
sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
|
|
2945
|
+
sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
|
|
2998
2946
|
|
|
2999
|
-
id_tmp_dh_callback =
|
|
3000
|
-
|
|
3001
|
-
|
|
2947
|
+
id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
|
|
2948
|
+
id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
|
|
2949
|
+
id_each = rb_intern_const("each");
|
|
3002
2950
|
|
|
3003
2951
|
#define DefIVarID(name) do \
|
|
3004
|
-
id_i_##name =
|
|
2952
|
+
id_i_##name = rb_intern_const("@"#name); while (0)
|
|
3005
2953
|
|
|
3006
2954
|
DefIVarID(cert_store);
|
|
3007
2955
|
DefIVarID(ca_file);
|
|
@@ -3015,7 +2963,6 @@ Init_ossl_ssl(void)
|
|
|
3015
2963
|
DefIVarID(key);
|
|
3016
2964
|
DefIVarID(extra_chain_cert);
|
|
3017
2965
|
DefIVarID(client_cert_cb);
|
|
3018
|
-
DefIVarID(tmp_ecdh_callback);
|
|
3019
2966
|
DefIVarID(timeout);
|
|
3020
2967
|
DefIVarID(session_id_context);
|
|
3021
2968
|
DefIVarID(session_get_cb);
|