openssl 2.2.0 → 3.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CONTRIBUTING.md +32 -44
- data/History.md +155 -0
- data/ext/openssl/extconf.rb +43 -38
- data/ext/openssl/openssl_missing.c +0 -66
- data/ext/openssl/openssl_missing.h +26 -45
- data/ext/openssl/ossl.c +67 -47
- data/ext/openssl/ossl.h +20 -6
- data/ext/openssl/ossl_asn1.c +16 -4
- data/ext/openssl/ossl_bn.c +267 -143
- data/ext/openssl/ossl_bn.h +2 -1
- data/ext/openssl/ossl_cipher.c +11 -11
- data/ext/openssl/ossl_config.c +412 -41
- data/ext/openssl/ossl_config.h +4 -7
- data/ext/openssl/ossl_digest.c +15 -11
- data/ext/openssl/ossl_engine.c +16 -15
- data/ext/openssl/ossl_hmac.c +48 -135
- data/ext/openssl/ossl_kdf.c +8 -0
- data/ext/openssl/ossl_ocsp.c +3 -51
- data/ext/openssl/ossl_pkcs12.c +21 -3
- data/ext/openssl/ossl_pkcs7.c +42 -59
- data/ext/openssl/ossl_pkey.c +1102 -191
- data/ext/openssl/ossl_pkey.h +35 -72
- data/ext/openssl/ossl_pkey_dh.c +124 -334
- data/ext/openssl/ossl_pkey_dsa.c +93 -398
- data/ext/openssl/ossl_pkey_ec.c +126 -318
- data/ext/openssl/ossl_pkey_rsa.c +100 -487
- data/ext/openssl/ossl_ssl.c +322 -375
- data/ext/openssl/ossl_ssl_session.c +24 -29
- data/ext/openssl/ossl_ts.c +64 -39
- data/ext/openssl/ossl_x509.c +0 -6
- data/ext/openssl/ossl_x509cert.c +164 -8
- data/ext/openssl/ossl_x509crl.c +10 -7
- data/ext/openssl/ossl_x509ext.c +1 -2
- data/ext/openssl/ossl_x509name.c +9 -2
- data/ext/openssl/ossl_x509req.c +10 -7
- data/ext/openssl/ossl_x509store.c +193 -90
- data/lib/openssl/buffering.rb +10 -1
- data/lib/openssl/hmac.rb +65 -0
- data/lib/openssl/pkey.rb +417 -0
- data/lib/openssl/ssl.rb +8 -8
- data/lib/openssl/version.rb +1 -1
- data/lib/openssl/x509.rb +22 -0
- data/lib/openssl.rb +0 -1
- metadata +8 -66
- data/ext/openssl/ruby_missing.h +0 -24
- data/lib/openssl/config.rb +0 -501
data/ext/openssl/ossl_ssl.c
CHANGED
|
@@ -13,6 +13,12 @@
|
|
|
13
13
|
|
|
14
14
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
|
15
15
|
|
|
16
|
+
#if !defined(TLS1_3_VERSION) && \
|
|
17
|
+
defined(LIBRESSL_VERSION_NUMBER) && \
|
|
18
|
+
LIBRESSL_VERSION_NUMBER >= 0x3020000fL
|
|
19
|
+
# define TLS1_3_VERSION 0x0304
|
|
20
|
+
#endif
|
|
21
|
+
|
|
16
22
|
#ifdef _WIN32
|
|
17
23
|
# define TO_SOCKET(s) _get_osfhandle(s)
|
|
18
24
|
#else
|
|
@@ -32,14 +38,14 @@ VALUE cSSLSocket;
|
|
|
32
38
|
static VALUE eSSLErrorWaitReadable;
|
|
33
39
|
static VALUE eSSLErrorWaitWritable;
|
|
34
40
|
|
|
35
|
-
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
|
36
|
-
id_npn_protocols_encoded;
|
|
41
|
+
static ID id_call, ID_callback_state, id_tmp_dh_callback,
|
|
42
|
+
id_npn_protocols_encoded, id_each;
|
|
37
43
|
static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
|
|
38
44
|
|
|
39
45
|
static ID id_i_cert_store, id_i_ca_file, id_i_ca_path, id_i_verify_mode,
|
|
40
46
|
id_i_verify_depth, id_i_verify_callback, id_i_client_ca,
|
|
41
47
|
id_i_renegotiation_cb, id_i_cert, id_i_key, id_i_extra_chain_cert,
|
|
42
|
-
id_i_client_cert_cb,
|
|
48
|
+
id_i_client_cert_cb, id_i_timeout,
|
|
43
49
|
id_i_session_id_context, id_i_session_get_cb, id_i_session_new_cb,
|
|
44
50
|
id_i_session_remove_cb, id_i_npn_select_cb, id_i_npn_protocols,
|
|
45
51
|
id_i_alpn_select_cb, id_i_alpn_protocols, id_i_servername_cb,
|
|
@@ -49,25 +55,24 @@ static ID id_i_io, id_i_context, id_i_hostname;
|
|
|
49
55
|
static int ossl_ssl_ex_vcb_idx;
|
|
50
56
|
static int ossl_ssl_ex_ptr_idx;
|
|
51
57
|
static int ossl_sslctx_ex_ptr_idx;
|
|
52
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
53
|
-
static int ossl_sslctx_ex_store_p;
|
|
54
|
-
#endif
|
|
55
58
|
|
|
56
59
|
static void
|
|
57
|
-
|
|
60
|
+
ossl_sslctx_mark(void *ptr)
|
|
58
61
|
{
|
|
59
62
|
SSL_CTX *ctx = ptr;
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
63
|
+
rb_gc_mark((VALUE)SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_ptr_idx));
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
static void
|
|
67
|
+
ossl_sslctx_free(void *ptr)
|
|
68
|
+
{
|
|
69
|
+
SSL_CTX_free(ptr);
|
|
65
70
|
}
|
|
66
71
|
|
|
67
72
|
static const rb_data_type_t ossl_sslctx_type = {
|
|
68
73
|
"OpenSSL/SSL/CTX",
|
|
69
74
|
{
|
|
70
|
-
|
|
75
|
+
ossl_sslctx_mark, ossl_sslctx_free,
|
|
71
76
|
},
|
|
72
77
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
73
78
|
};
|
|
@@ -83,7 +88,7 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
|
83
88
|
VALUE obj;
|
|
84
89
|
|
|
85
90
|
obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
|
|
86
|
-
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
91
|
+
#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
|
|
87
92
|
ctx = SSL_CTX_new(TLS_method());
|
|
88
93
|
#else
|
|
89
94
|
ctx = SSL_CTX_new(SSLv23_method());
|
|
@@ -95,14 +100,15 @@ ossl_sslctx_s_alloc(VALUE klass)
|
|
|
95
100
|
RTYPEDDATA_DATA(obj) = ctx;
|
|
96
101
|
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
|
|
97
102
|
|
|
98
|
-
#if !defined(OPENSSL_NO_EC) &&
|
|
103
|
+
#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
|
|
104
|
+
!defined(LIBRESSL_VERSION_NUMBER)
|
|
99
105
|
/* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
|
|
100
106
|
* allows to specify multiple curve names and OpenSSL will select
|
|
101
107
|
* automatically from them. In OpenSSL 1.0.2, the automatic selection has to
|
|
102
|
-
* be enabled explicitly.
|
|
103
|
-
* always enabled. To uniform the behavior, we enable the
|
|
104
|
-
* selection also in 1.0.2. Users can still disable ECDH by
|
|
105
|
-
* cipher suites by SSLContext#ciphers=. */
|
|
108
|
+
* be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
|
|
109
|
+
* and it is always enabled. To uniform the behavior, we enable the
|
|
110
|
+
* automatic selection also in 1.0.2. Users can still disable ECDH by
|
|
111
|
+
* removing ECDH cipher suites by SSLContext#ciphers=. */
|
|
106
112
|
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
|
|
107
113
|
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
108
114
|
#endif
|
|
@@ -231,8 +237,7 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
|
|
231
237
|
return 1;
|
|
232
238
|
}
|
|
233
239
|
|
|
234
|
-
#if !defined(OPENSSL_NO_DH)
|
|
235
|
-
!defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
240
|
+
#if !defined(OPENSSL_NO_DH)
|
|
236
241
|
struct tmp_dh_callback_args {
|
|
237
242
|
VALUE ssl_obj;
|
|
238
243
|
ID id;
|
|
@@ -241,22 +246,23 @@ struct tmp_dh_callback_args {
|
|
|
241
246
|
int keylength;
|
|
242
247
|
};
|
|
243
248
|
|
|
244
|
-
static
|
|
245
|
-
ossl_call_tmp_dh_callback(
|
|
249
|
+
static VALUE
|
|
250
|
+
ossl_call_tmp_dh_callback(VALUE arg)
|
|
246
251
|
{
|
|
252
|
+
struct tmp_dh_callback_args *args = (struct tmp_dh_callback_args *)arg;
|
|
247
253
|
VALUE cb, dh;
|
|
248
254
|
EVP_PKEY *pkey;
|
|
249
255
|
|
|
250
256
|
cb = rb_funcall(args->ssl_obj, args->id, 0);
|
|
251
257
|
if (NIL_P(cb))
|
|
252
|
-
return NULL;
|
|
258
|
+
return (VALUE)NULL;
|
|
253
259
|
dh = rb_funcall(cb, id_call, 3, args->ssl_obj, INT2NUM(args->is_export),
|
|
254
260
|
INT2NUM(args->keylength));
|
|
255
261
|
pkey = GetPKeyPtr(dh);
|
|
256
262
|
if (EVP_PKEY_base_id(pkey) != args->type)
|
|
257
|
-
return NULL;
|
|
263
|
+
return (VALUE)NULL;
|
|
258
264
|
|
|
259
|
-
return pkey;
|
|
265
|
+
return (VALUE)pkey;
|
|
260
266
|
}
|
|
261
267
|
#endif
|
|
262
268
|
|
|
@@ -276,7 +282,7 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
276
282
|
args.keylength = keylength;
|
|
277
283
|
args.type = EVP_PKEY_DH;
|
|
278
284
|
|
|
279
|
-
pkey = (EVP_PKEY *)rb_protect(
|
|
285
|
+
pkey = (EVP_PKEY *)rb_protect(ossl_call_tmp_dh_callback,
|
|
280
286
|
(VALUE)&args, &state);
|
|
281
287
|
if (state) {
|
|
282
288
|
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
|
@@ -289,35 +295,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
|
|
289
295
|
}
|
|
290
296
|
#endif /* OPENSSL_NO_DH */
|
|
291
297
|
|
|
292
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
293
|
-
static EC_KEY *
|
|
294
|
-
ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
|
|
295
|
-
{
|
|
296
|
-
VALUE rb_ssl;
|
|
297
|
-
EVP_PKEY *pkey;
|
|
298
|
-
struct tmp_dh_callback_args args;
|
|
299
|
-
int state;
|
|
300
|
-
|
|
301
|
-
rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
|
302
|
-
args.ssl_obj = rb_ssl;
|
|
303
|
-
args.id = id_tmp_ecdh_callback;
|
|
304
|
-
args.is_export = is_export;
|
|
305
|
-
args.keylength = keylength;
|
|
306
|
-
args.type = EVP_PKEY_EC;
|
|
307
|
-
|
|
308
|
-
pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
|
|
309
|
-
(VALUE)&args, &state);
|
|
310
|
-
if (state) {
|
|
311
|
-
rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
|
|
312
|
-
return NULL;
|
|
313
|
-
}
|
|
314
|
-
if (!pkey)
|
|
315
|
-
return NULL;
|
|
316
|
-
|
|
317
|
-
return EVP_PKEY_get0_EC_KEY(pkey);
|
|
318
|
-
}
|
|
319
|
-
#endif
|
|
320
|
-
|
|
321
298
|
static VALUE
|
|
322
299
|
call_verify_certificate_identity(VALUE ctx_v)
|
|
323
300
|
{
|
|
@@ -387,7 +364,7 @@ ossl_call_session_get_cb(VALUE ary)
|
|
|
387
364
|
}
|
|
388
365
|
|
|
389
366
|
static SSL_SESSION *
|
|
390
|
-
#if
|
|
367
|
+
#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
391
368
|
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
|
|
392
369
|
#else
|
|
393
370
|
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
|
|
@@ -596,8 +573,6 @@ ssl_renegotiation_cb(const SSL *ssl)
|
|
|
596
573
|
rb_funcallv(cb, id_call, 1, &ssl_obj);
|
|
597
574
|
}
|
|
598
575
|
|
|
599
|
-
#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
|
|
600
|
-
defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
|
601
576
|
static VALUE
|
|
602
577
|
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
|
|
603
578
|
{
|
|
@@ -616,7 +591,7 @@ static VALUE
|
|
|
616
591
|
ssl_encode_npn_protocols(VALUE protocols)
|
|
617
592
|
{
|
|
618
593
|
VALUE encoded = rb_str_new(NULL, 0);
|
|
619
|
-
|
|
594
|
+
rb_block_call(protocols, id_each, 0, 0, ssl_npn_encode_protocol_i, encoded);
|
|
620
595
|
return encoded;
|
|
621
596
|
}
|
|
622
597
|
|
|
@@ -679,14 +654,13 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|
|
679
654
|
|
|
680
655
|
return SSL_TLSEXT_ERR_OK;
|
|
681
656
|
}
|
|
682
|
-
#endif
|
|
683
657
|
|
|
684
658
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
685
659
|
static int
|
|
686
660
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
|
687
661
|
void *arg)
|
|
688
662
|
{
|
|
689
|
-
VALUE protocols = (VALUE)arg;
|
|
663
|
+
VALUE protocols = rb_attr_get((VALUE)arg, id_npn_protocols_encoded);
|
|
690
664
|
|
|
691
665
|
*out = (const unsigned char *) RSTRING_PTR(protocols);
|
|
692
666
|
*outlen = RSTRING_LENINT(protocols);
|
|
@@ -708,7 +682,6 @@ ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
|
|
708
682
|
}
|
|
709
683
|
#endif
|
|
710
684
|
|
|
711
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
712
685
|
static int
|
|
713
686
|
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
714
687
|
const unsigned char *in, unsigned int inlen, void *arg)
|
|
@@ -720,7 +693,6 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
|
|
720
693
|
|
|
721
694
|
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
|
|
722
695
|
}
|
|
723
|
-
#endif
|
|
724
696
|
|
|
725
697
|
/* This function may serve as the entry point to support further callbacks. */
|
|
726
698
|
static void
|
|
@@ -797,26 +769,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
797
769
|
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
|
|
798
770
|
#endif
|
|
799
771
|
|
|
800
|
-
#if !defined(OPENSSL_NO_EC)
|
|
801
|
-
/* We added SSLContext#tmp_ecdh_callback= in Ruby 2.3.0,
|
|
802
|
-
* but SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0. */
|
|
803
|
-
if (RTEST(rb_attr_get(self, id_i_tmp_ecdh_callback))) {
|
|
804
|
-
# if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
805
|
-
rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead");
|
|
806
|
-
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
|
|
807
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
|
808
|
-
/* tmp_ecdh_callback and ecdh_auto conflict; OpenSSL ignores
|
|
809
|
-
* tmp_ecdh_callback. So disable ecdh_auto. */
|
|
810
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
|
811
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
812
|
-
# endif
|
|
813
|
-
# else
|
|
814
|
-
ossl_raise(eSSLError, "OpenSSL does not support tmp_ecdh_callback; "
|
|
815
|
-
"use #ecdh_curves= instead");
|
|
816
|
-
# endif
|
|
817
|
-
}
|
|
818
|
-
#endif /* OPENSSL_NO_EC */
|
|
819
|
-
|
|
820
772
|
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
|
821
773
|
SSL_CTX_set_post_handshake_auth(ctx, 1);
|
|
822
774
|
#endif
|
|
@@ -825,17 +777,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
825
777
|
if (!NIL_P(val)) {
|
|
826
778
|
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
|
|
827
779
|
SSL_CTX_set_cert_store(ctx, store);
|
|
828
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
829
|
-
/*
|
|
830
|
-
* WORKAROUND:
|
|
831
|
-
* X509_STORE can count references, but
|
|
832
|
-
* X509_STORE_free() doesn't care it.
|
|
833
|
-
* So we won't increment it but mark it by ex_data.
|
|
834
|
-
*/
|
|
835
|
-
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx);
|
|
836
|
-
#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
|
|
837
780
|
X509_STORE_up_ref(store);
|
|
838
|
-
#endif
|
|
839
781
|
}
|
|
840
782
|
|
|
841
783
|
val = rb_attr_get(self, id_i_extra_chain_cert);
|
|
@@ -886,10 +828,17 @@ ossl_sslctx_setup(VALUE self)
|
|
|
886
828
|
ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
887
829
|
val = rb_attr_get(self, id_i_ca_path);
|
|
888
830
|
ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
|
|
831
|
+
#ifdef HAVE_SSL_CTX_LOAD_VERIFY_FILE
|
|
832
|
+
if (ca_file && !SSL_CTX_load_verify_file(ctx, ca_file))
|
|
833
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_file");
|
|
834
|
+
if (ca_path && !SSL_CTX_load_verify_dir(ctx, ca_path))
|
|
835
|
+
ossl_raise(eSSLError, "SSL_CTX_load_verify_dir");
|
|
836
|
+
#else
|
|
889
837
|
if(ca_file || ca_path){
|
|
890
838
|
if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
|
|
891
839
|
rb_warning("can't set verify locations");
|
|
892
840
|
}
|
|
841
|
+
#endif
|
|
893
842
|
|
|
894
843
|
val = rb_attr_get(self, id_i_verify_mode);
|
|
895
844
|
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
|
|
@@ -908,7 +857,7 @@ ossl_sslctx_setup(VALUE self)
|
|
|
908
857
|
if (!NIL_P(val)) {
|
|
909
858
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
|
910
859
|
rb_ivar_set(self, id_npn_protocols_encoded, encoded);
|
|
911
|
-
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)
|
|
860
|
+
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)self);
|
|
912
861
|
OSSL_Debug("SSL NPN advertise callback added");
|
|
913
862
|
}
|
|
914
863
|
if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
|
|
@@ -917,7 +866,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
917
866
|
}
|
|
918
867
|
#endif
|
|
919
868
|
|
|
920
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
921
869
|
val = rb_attr_get(self, id_i_alpn_protocols);
|
|
922
870
|
if (!NIL_P(val)) {
|
|
923
871
|
VALUE rprotos = ssl_encode_npn_protocols(val);
|
|
@@ -932,7 +880,6 @@ ossl_sslctx_setup(VALUE self)
|
|
|
932
880
|
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
|
|
933
881
|
OSSL_Debug("SSL ALPN select callback added");
|
|
934
882
|
}
|
|
935
|
-
#endif
|
|
936
883
|
|
|
937
884
|
rb_obj_freeze(self);
|
|
938
885
|
|
|
@@ -1054,6 +1001,52 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
|
1054
1001
|
return v;
|
|
1055
1002
|
}
|
|
1056
1003
|
|
|
1004
|
+
#ifndef OPENSSL_NO_DH
|
|
1005
|
+
/*
|
|
1006
|
+
* call-seq:
|
|
1007
|
+
* ctx.tmp_dh = pkey
|
|
1008
|
+
*
|
|
1009
|
+
* Sets DH parameters used for ephemeral DH key exchange. This is relevant for
|
|
1010
|
+
* servers only.
|
|
1011
|
+
*
|
|
1012
|
+
* +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components
|
|
1013
|
+
* contained in the key object, if any, are ignored. The server will always
|
|
1014
|
+
* generate a new key pair for each handshake.
|
|
1015
|
+
*
|
|
1016
|
+
* Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).
|
|
1017
|
+
*
|
|
1018
|
+
* Example:
|
|
1019
|
+
* ctx = OpenSSL::SSL::SSLContext.new
|
|
1020
|
+
* ctx.tmp_dh = OpenSSL::DH.generate(2048)
|
|
1021
|
+
* svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx)
|
|
1022
|
+
* Thread.new { svr.accept }
|
|
1023
|
+
*/
|
|
1024
|
+
static VALUE
|
|
1025
|
+
ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg)
|
|
1026
|
+
{
|
|
1027
|
+
SSL_CTX *ctx;
|
|
1028
|
+
EVP_PKEY *pkey;
|
|
1029
|
+
|
|
1030
|
+
rb_check_frozen(self);
|
|
1031
|
+
GetSSLCTX(self, ctx);
|
|
1032
|
+
pkey = GetPKeyPtr(arg);
|
|
1033
|
+
|
|
1034
|
+
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH)
|
|
1035
|
+
rb_raise(eSSLError, "invalid pkey type %s (expected DH)",
|
|
1036
|
+
OBJ_nid2sn(EVP_PKEY_base_id(pkey)));
|
|
1037
|
+
#ifdef HAVE_SSL_SET0_TMP_DH_PKEY
|
|
1038
|
+
if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
|
|
1039
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey");
|
|
1040
|
+
EVP_PKEY_up_ref(pkey);
|
|
1041
|
+
#else
|
|
1042
|
+
if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey)))
|
|
1043
|
+
ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh");
|
|
1044
|
+
#endif
|
|
1045
|
+
|
|
1046
|
+
return arg;
|
|
1047
|
+
}
|
|
1048
|
+
#endif
|
|
1049
|
+
|
|
1057
1050
|
#if !defined(OPENSSL_NO_EC)
|
|
1058
1051
|
/*
|
|
1059
1052
|
* call-seq:
|
|
@@ -1065,9 +1058,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
|
1065
1058
|
* Extension. For a server, the list is used by OpenSSL to determine the set of
|
|
1066
1059
|
* shared curves. OpenSSL will pick the most appropriate one from it.
|
|
1067
1060
|
*
|
|
1068
|
-
* Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
|
|
1069
|
-
* can be set, and this has no effect for TLS clients.
|
|
1070
|
-
*
|
|
1071
1061
|
* === Example
|
|
1072
1062
|
* ctx1 = OpenSSL::SSL::SSLContext.new
|
|
1073
1063
|
* ctx1.ecdh_curves = "X25519:P-256:P-224"
|
|
@@ -1091,48 +1081,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
|
|
|
1091
1081
|
GetSSLCTX(self, ctx);
|
|
1092
1082
|
StringValueCStr(arg);
|
|
1093
1083
|
|
|
1094
|
-
#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
|
|
1095
1084
|
if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
|
|
1096
1085
|
ossl_raise(eSSLError, NULL);
|
|
1097
|
-
#else
|
|
1098
|
-
/* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
|
|
1099
|
-
* SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
|
|
1100
|
-
{
|
|
1101
|
-
VALUE curve, splitted;
|
|
1102
|
-
EC_KEY *ec;
|
|
1103
|
-
int nid;
|
|
1104
|
-
|
|
1105
|
-
splitted = rb_str_split(arg, ":");
|
|
1106
|
-
if (!RARRAY_LEN(splitted))
|
|
1107
|
-
ossl_raise(eSSLError, "invalid input format");
|
|
1108
|
-
curve = RARRAY_AREF(splitted, 0);
|
|
1109
|
-
StringValueCStr(curve);
|
|
1110
|
-
|
|
1111
|
-
/* SSL_CTX_set1_curves_list() accepts NIST names */
|
|
1112
|
-
nid = EC_curve_nist2nid(RSTRING_PTR(curve));
|
|
1113
|
-
if (nid == NID_undef)
|
|
1114
|
-
nid = OBJ_txt2nid(RSTRING_PTR(curve));
|
|
1115
|
-
if (nid == NID_undef)
|
|
1116
|
-
ossl_raise(eSSLError, "unknown curve name");
|
|
1117
|
-
|
|
1118
|
-
ec = EC_KEY_new_by_curve_name(nid);
|
|
1119
|
-
if (!ec)
|
|
1120
|
-
ossl_raise(eSSLError, NULL);
|
|
1121
|
-
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
|
|
1122
|
-
if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
|
|
1123
|
-
EC_KEY_free(ec);
|
|
1124
|
-
ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
|
|
1125
|
-
}
|
|
1126
|
-
EC_KEY_free(ec);
|
|
1127
|
-
# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
|
|
1128
|
-
/* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
|
|
1129
|
-
* is enabled. So disable ecdh_auto. */
|
|
1130
|
-
if (!SSL_CTX_set_ecdh_auto(ctx, 0))
|
|
1131
|
-
ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
|
|
1132
|
-
# endif
|
|
1133
|
-
}
|
|
1134
|
-
#endif
|
|
1135
|
-
|
|
1136
1086
|
return arg;
|
|
1137
1087
|
}
|
|
1138
1088
|
#else
|
|
@@ -1223,7 +1173,7 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
|
1223
1173
|
|
|
1224
1174
|
/*
|
|
1225
1175
|
* call-seq:
|
|
1226
|
-
* ctx.add_certificate(
|
|
1176
|
+
* ctx.add_certificate(certificate, pkey [, extra_certs]) -> self
|
|
1227
1177
|
*
|
|
1228
1178
|
* Adds a certificate to the context. _pkey_ must be a corresponding private
|
|
1229
1179
|
* key with _certificate_.
|
|
@@ -1255,10 +1205,6 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
|
|
|
1255
1205
|
* ecdsa_pkey = ...
|
|
1256
1206
|
* another_ca_cert = ...
|
|
1257
1207
|
* ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
|
|
1258
|
-
*
|
|
1259
|
-
* === Note
|
|
1260
|
-
* OpenSSL before the version 1.0.2 could handle only one extra chain across
|
|
1261
|
-
* all key types. Calling this method discards the chain set previously.
|
|
1262
1208
|
*/
|
|
1263
1209
|
static VALUE
|
|
1264
1210
|
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
@@ -1283,7 +1229,7 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
|
1283
1229
|
EVP_PKEY_free(pub_pkey);
|
|
1284
1230
|
if (!pub_pkey)
|
|
1285
1231
|
rb_raise(rb_eArgError, "certificate does not contain public key");
|
|
1286
|
-
if (
|
|
1232
|
+
if (EVP_PKEY_eq(pub_pkey, pkey) != 1)
|
|
1287
1233
|
rb_raise(rb_eArgError, "public key mismatch");
|
|
1288
1234
|
|
|
1289
1235
|
if (argc >= 3)
|
|
@@ -1297,34 +1243,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
|
|
|
1297
1243
|
sk_X509_pop_free(extra_chain, X509_free);
|
|
1298
1244
|
ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
|
|
1299
1245
|
}
|
|
1300
|
-
|
|
1301
|
-
|
|
1302
|
-
|
|
1303
|
-
if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
|
|
1304
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
|
1305
|
-
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
|
1306
|
-
}
|
|
1307
|
-
#else
|
|
1308
|
-
STACK_OF(X509) *orig_extra_chain;
|
|
1309
|
-
X509 *x509_tmp;
|
|
1310
|
-
|
|
1311
|
-
/* First, clear the existing chain */
|
|
1312
|
-
SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
|
|
1313
|
-
if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
|
|
1314
|
-
rb_warning("SSL_CTX_set0_chain() is not available; " \
|
|
1315
|
-
"clearing previously set certificate chain");
|
|
1316
|
-
SSL_CTX_clear_extra_chain_certs(ctx);
|
|
1317
|
-
}
|
|
1318
|
-
while ((x509_tmp = sk_X509_shift(extra_chain))) {
|
|
1319
|
-
/* Transfers ownership */
|
|
1320
|
-
if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
|
|
1321
|
-
X509_free(x509_tmp);
|
|
1322
|
-
sk_X509_pop_free(extra_chain, X509_free);
|
|
1323
|
-
ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
|
|
1324
|
-
}
|
|
1325
|
-
}
|
|
1326
|
-
sk_X509_free(extra_chain);
|
|
1327
|
-
#endif
|
|
1246
|
+
if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) {
|
|
1247
|
+
sk_X509_pop_free(extra_chain, X509_free);
|
|
1248
|
+
ossl_raise(eSSLError, "SSL_CTX_set0_chain");
|
|
1328
1249
|
}
|
|
1329
1250
|
return self;
|
|
1330
1251
|
}
|
|
@@ -1522,8 +1443,16 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
|
1522
1443
|
static inline int
|
|
1523
1444
|
ssl_started(SSL *ssl)
|
|
1524
1445
|
{
|
|
1525
|
-
/*
|
|
1526
|
-
return
|
|
1446
|
+
/* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
|
1447
|
+
return SSL_get_rbio(ssl) != NULL;
|
|
1448
|
+
}
|
|
1449
|
+
|
|
1450
|
+
static void
|
|
1451
|
+
ossl_ssl_mark(void *ptr)
|
|
1452
|
+
{
|
|
1453
|
+
SSL *ssl = ptr;
|
|
1454
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx));
|
|
1455
|
+
rb_gc_mark((VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx));
|
|
1527
1456
|
}
|
|
1528
1457
|
|
|
1529
1458
|
static void
|
|
@@ -1535,7 +1464,7 @@ ossl_ssl_free(void *ssl)
|
|
|
1535
1464
|
const rb_data_type_t ossl_ssl_type = {
|
|
1536
1465
|
"OpenSSL/SSL",
|
|
1537
1466
|
{
|
|
1538
|
-
|
|
1467
|
+
ossl_ssl_mark, ossl_ssl_free,
|
|
1539
1468
|
},
|
|
1540
1469
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
1541
1470
|
};
|
|
@@ -1546,6 +1475,29 @@ ossl_ssl_s_alloc(VALUE klass)
|
|
|
1546
1475
|
return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL);
|
|
1547
1476
|
}
|
|
1548
1477
|
|
|
1478
|
+
static VALUE
|
|
1479
|
+
peer_ip_address(VALUE self)
|
|
1480
|
+
{
|
|
1481
|
+
VALUE remote_address = rb_funcall(rb_attr_get(self, id_i_io), rb_intern("remote_address"), 0);
|
|
1482
|
+
|
|
1483
|
+
return rb_funcall(remote_address, rb_intern("inspect_sockaddr"), 0);
|
|
1484
|
+
}
|
|
1485
|
+
|
|
1486
|
+
static VALUE
|
|
1487
|
+
fallback_peer_ip_address(VALUE self, VALUE args)
|
|
1488
|
+
{
|
|
1489
|
+
return rb_str_new_cstr("(null)");
|
|
1490
|
+
}
|
|
1491
|
+
|
|
1492
|
+
static VALUE
|
|
1493
|
+
peeraddr_ip_str(VALUE self)
|
|
1494
|
+
{
|
|
1495
|
+
VALUE rb_mErrno = rb_const_get(rb_cObject, rb_intern("Errno"));
|
|
1496
|
+
VALUE rb_eSystemCallError = rb_const_get(rb_mErrno, rb_intern("SystemCallError"));
|
|
1497
|
+
|
|
1498
|
+
return rb_rescue2(peer_ip_address, self, fallback_peer_ip_address, (VALUE)0, rb_eSystemCallError, NULL);
|
|
1499
|
+
}
|
|
1500
|
+
|
|
1549
1501
|
/*
|
|
1550
1502
|
* call-seq:
|
|
1551
1503
|
* SSLSocket.new(io) => aSSLSocket
|
|
@@ -1582,6 +1534,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|
|
1582
1534
|
|
|
1583
1535
|
if (rb_respond_to(io, rb_intern("nonblock=")))
|
|
1584
1536
|
rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
|
|
1537
|
+
Check_Type(io, T_FILE);
|
|
1585
1538
|
rb_ivar_set(self, id_i_io, io);
|
|
1586
1539
|
|
|
1587
1540
|
ssl = SSL_new(ctx);
|
|
@@ -1649,6 +1602,26 @@ no_exception_p(VALUE opts)
|
|
|
1649
1602
|
return 0;
|
|
1650
1603
|
}
|
|
1651
1604
|
|
|
1605
|
+
static void
|
|
1606
|
+
io_wait_writable(rb_io_t *fptr)
|
|
1607
|
+
{
|
|
1608
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
|
1609
|
+
rb_io_maybe_wait_writable(errno, fptr->self, Qnil);
|
|
1610
|
+
#else
|
|
1611
|
+
rb_io_wait_writable(fptr->fd);
|
|
1612
|
+
#endif
|
|
1613
|
+
}
|
|
1614
|
+
|
|
1615
|
+
static void
|
|
1616
|
+
io_wait_readable(rb_io_t *fptr)
|
|
1617
|
+
{
|
|
1618
|
+
#ifdef HAVE_RB_IO_MAYBE_WAIT
|
|
1619
|
+
rb_io_maybe_wait_readable(errno, fptr->self, Qnil);
|
|
1620
|
+
#else
|
|
1621
|
+
rb_io_wait_readable(fptr->fd);
|
|
1622
|
+
#endif
|
|
1623
|
+
}
|
|
1624
|
+
|
|
1652
1625
|
static VALUE
|
|
1653
1626
|
ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
1654
1627
|
{
|
|
@@ -1683,16 +1656,23 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1683
1656
|
case SSL_ERROR_WANT_WRITE:
|
|
1684
1657
|
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1685
1658
|
write_would_block(nonblock);
|
|
1686
|
-
|
|
1659
|
+
io_wait_writable(fptr);
|
|
1687
1660
|
continue;
|
|
1688
1661
|
case SSL_ERROR_WANT_READ:
|
|
1689
1662
|
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1690
1663
|
read_would_block(nonblock);
|
|
1691
|
-
|
|
1664
|
+
io_wait_readable(fptr);
|
|
1692
1665
|
continue;
|
|
1693
1666
|
case SSL_ERROR_SYSCALL:
|
|
1667
|
+
#ifdef __APPLE__
|
|
1668
|
+
/* See ossl_ssl_write_internal() */
|
|
1669
|
+
if (errno == EPROTOTYPE)
|
|
1670
|
+
continue;
|
|
1671
|
+
#endif
|
|
1694
1672
|
if (errno) rb_sys_fail(funcname);
|
|
1695
|
-
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s",
|
|
1673
|
+
ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
|
1674
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
|
1675
|
+
|
|
1696
1676
|
#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
|
|
1697
1677
|
case SSL_ERROR_SSL:
|
|
1698
1678
|
err = ERR_peek_last_error();
|
|
@@ -1705,13 +1685,15 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1705
1685
|
if (!verify_msg)
|
|
1706
1686
|
verify_msg = "(null)";
|
|
1707
1687
|
ossl_clear_error(); /* let ossl_raise() not append message */
|
|
1708
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s: %s (%s)",
|
|
1709
|
-
funcname, ret2, errno, SSL_state_string_long(ssl),
|
|
1688
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s: %s (%s)",
|
|
1689
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl),
|
|
1710
1690
|
err_msg, verify_msg);
|
|
1711
1691
|
}
|
|
1712
1692
|
#endif
|
|
1693
|
+
/* fallthrough */
|
|
1713
1694
|
default:
|
|
1714
|
-
ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s",
|
|
1695
|
+
ossl_raise(eSSLError, "%s returned=%d errno=%d peeraddr=%"PRIsVALUE" state=%s",
|
|
1696
|
+
funcname, ret2, errno, peeraddr_ip_str(self), SSL_state_string_long(ssl));
|
|
1715
1697
|
}
|
|
1716
1698
|
}
|
|
1717
1699
|
|
|
@@ -1722,8 +1704,7 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
|
|
|
1722
1704
|
* call-seq:
|
|
1723
1705
|
* ssl.connect => self
|
|
1724
1706
|
*
|
|
1725
|
-
* Initiates an SSL/TLS handshake with a server.
|
|
1726
|
-
* after unencrypted data has been sent over the socket.
|
|
1707
|
+
* Initiates an SSL/TLS handshake with a server.
|
|
1727
1708
|
*/
|
|
1728
1709
|
static VALUE
|
|
1729
1710
|
ossl_ssl_connect(VALUE self)
|
|
@@ -1770,8 +1751,7 @@ ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
|
|
|
1770
1751
|
* call-seq:
|
|
1771
1752
|
* ssl.accept => self
|
|
1772
1753
|
*
|
|
1773
|
-
* Waits for a SSL/TLS client to initiate a handshake.
|
|
1774
|
-
* started after unencrypted data has been sent over the socket.
|
|
1754
|
+
* Waits for a SSL/TLS client to initiate a handshake.
|
|
1775
1755
|
*/
|
|
1776
1756
|
static VALUE
|
|
1777
1757
|
ossl_ssl_accept(VALUE self)
|
|
@@ -1818,7 +1798,7 @@ static VALUE
|
|
|
1818
1798
|
ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
1819
1799
|
{
|
|
1820
1800
|
SSL *ssl;
|
|
1821
|
-
int ilen
|
|
1801
|
+
int ilen;
|
|
1822
1802
|
VALUE len, str;
|
|
1823
1803
|
rb_io_t *fptr;
|
|
1824
1804
|
VALUE io, opts = Qnil;
|
|
@@ -1828,6 +1808,9 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1828
1808
|
} else {
|
|
1829
1809
|
rb_scan_args(argc, argv, "11", &len, &str);
|
|
1830
1810
|
}
|
|
1811
|
+
GetSSL(self, ssl);
|
|
1812
|
+
if (!ssl_started(ssl))
|
|
1813
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
|
1831
1814
|
|
|
1832
1815
|
ilen = NUM2INT(len);
|
|
1833
1816
|
if (NIL_P(str))
|
|
@@ -1843,74 +1826,60 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
|
|
|
1843
1826
|
if (ilen == 0)
|
|
1844
1827
|
return str;
|
|
1845
1828
|
|
|
1846
|
-
GetSSL(self, ssl);
|
|
1847
1829
|
io = rb_attr_get(self, id_i_io);
|
|
1848
1830
|
GetOpenFile(io, fptr);
|
|
1849
|
-
|
|
1850
|
-
|
|
1851
|
-
|
|
1852
|
-
|
|
1853
|
-
|
|
1854
|
-
|
|
1855
|
-
|
|
1856
|
-
|
|
1857
|
-
|
|
1858
|
-
|
|
1859
|
-
|
|
1831
|
+
|
|
1832
|
+
rb_str_locktmp(str);
|
|
1833
|
+
for (;;) {
|
|
1834
|
+
int nread = SSL_read(ssl, RSTRING_PTR(str), ilen);
|
|
1835
|
+
switch (ssl_get_error(ssl, nread)) {
|
|
1836
|
+
case SSL_ERROR_NONE:
|
|
1837
|
+
rb_str_unlocktmp(str);
|
|
1838
|
+
rb_str_set_len(str, nread);
|
|
1839
|
+
return str;
|
|
1840
|
+
case SSL_ERROR_ZERO_RETURN:
|
|
1841
|
+
rb_str_unlocktmp(str);
|
|
1842
|
+
if (no_exception_p(opts)) { return Qnil; }
|
|
1843
|
+
rb_eof_error();
|
|
1844
|
+
case SSL_ERROR_WANT_WRITE:
|
|
1845
|
+
if (nonblock) {
|
|
1846
|
+
rb_str_unlocktmp(str);
|
|
1847
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1860
1848
|
write_would_block(nonblock);
|
|
1861
|
-
|
|
1862
|
-
|
|
1863
|
-
|
|
1864
|
-
|
|
1849
|
+
}
|
|
1850
|
+
io_wait_writable(fptr);
|
|
1851
|
+
continue;
|
|
1852
|
+
case SSL_ERROR_WANT_READ:
|
|
1853
|
+
if (nonblock) {
|
|
1854
|
+
rb_str_unlocktmp(str);
|
|
1855
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1865
1856
|
read_would_block(nonblock);
|
|
1866
|
-
|
|
1867
|
-
|
|
1868
|
-
|
|
1869
|
-
|
|
1870
|
-
|
|
1871
|
-
|
|
1872
|
-
|
|
1873
|
-
|
|
1874
|
-
|
|
1875
|
-
|
|
1876
|
-
|
|
1877
|
-
|
|
1878
|
-
|
|
1879
|
-
|
|
1880
|
-
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
else {
|
|
1891
|
-
ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
|
|
1892
|
-
|
|
1893
|
-
rb_warning("SSL session is not started yet.");
|
|
1894
|
-
#if defined(RB_PASS_KEYWORDS)
|
|
1895
|
-
if (nonblock) {
|
|
1896
|
-
VALUE argv[3];
|
|
1897
|
-
argv[0] = len;
|
|
1898
|
-
argv[1] = str;
|
|
1899
|
-
argv[2] = opts;
|
|
1900
|
-
return rb_funcallv_kw(io, meth, 3, argv, RB_PASS_KEYWORDS);
|
|
1901
|
-
}
|
|
1902
|
-
#else
|
|
1903
|
-
if (nonblock) {
|
|
1904
|
-
return rb_funcall(io, meth, 3, len, str, opts);
|
|
1857
|
+
}
|
|
1858
|
+
io_wait_readable(fptr);
|
|
1859
|
+
continue;
|
|
1860
|
+
case SSL_ERROR_SYSCALL:
|
|
1861
|
+
if (!ERR_peek_error()) {
|
|
1862
|
+
rb_str_unlocktmp(str);
|
|
1863
|
+
if (errno)
|
|
1864
|
+
rb_sys_fail(0);
|
|
1865
|
+
else {
|
|
1866
|
+
/*
|
|
1867
|
+
* The underlying BIO returned 0. This is actually a
|
|
1868
|
+
* protocol error. But unfortunately, not all
|
|
1869
|
+
* implementations cleanly shutdown the TLS connection
|
|
1870
|
+
* but just shutdown/close the TCP connection. So report
|
|
1871
|
+
* EOF for now...
|
|
1872
|
+
*/
|
|
1873
|
+
if (no_exception_p(opts)) { return Qnil; }
|
|
1874
|
+
rb_eof_error();
|
|
1875
|
+
}
|
|
1876
|
+
}
|
|
1877
|
+
/* fall through */
|
|
1878
|
+
default:
|
|
1879
|
+
rb_str_unlocktmp(str);
|
|
1880
|
+
ossl_raise(eSSLError, "SSL_read");
|
|
1905
1881
|
}
|
|
1906
|
-
#endif
|
|
1907
|
-
else
|
|
1908
|
-
return rb_funcall(io, meth, 2, len, str);
|
|
1909
1882
|
}
|
|
1910
|
-
|
|
1911
|
-
end:
|
|
1912
|
-
rb_str_set_len(str, nread);
|
|
1913
|
-
return str;
|
|
1914
1883
|
}
|
|
1915
1884
|
|
|
1916
1885
|
/*
|
|
@@ -1950,67 +1919,55 @@ static VALUE
|
|
|
1950
1919
|
ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
|
|
1951
1920
|
{
|
|
1952
1921
|
SSL *ssl;
|
|
1953
|
-
int nwrite = 0;
|
|
1954
1922
|
rb_io_t *fptr;
|
|
1955
|
-
int nonblock = opts != Qfalse;
|
|
1956
|
-
VALUE io;
|
|
1923
|
+
int num, nonblock = opts != Qfalse;
|
|
1924
|
+
VALUE tmp, io;
|
|
1957
1925
|
|
|
1958
|
-
StringValue(str);
|
|
1959
1926
|
GetSSL(self, ssl);
|
|
1927
|
+
if (!ssl_started(ssl))
|
|
1928
|
+
rb_raise(eSSLError, "SSL session is not started yet");
|
|
1929
|
+
|
|
1930
|
+
tmp = rb_str_new_frozen(StringValue(str));
|
|
1960
1931
|
io = rb_attr_get(self, id_i_io);
|
|
1961
1932
|
GetOpenFile(io, fptr);
|
|
1962
|
-
|
|
1963
|
-
|
|
1964
|
-
|
|
1965
|
-
|
|
1966
|
-
|
|
1967
|
-
|
|
1968
|
-
|
|
1969
|
-
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
1973
|
-
|
|
1974
|
-
|
|
1975
|
-
|
|
1976
|
-
|
|
1977
|
-
|
|
1978
|
-
|
|
1979
|
-
|
|
1980
|
-
|
|
1981
|
-
|
|
1982
|
-
|
|
1933
|
+
|
|
1934
|
+
/* SSL_write(3ssl) manpage states num == 0 is undefined */
|
|
1935
|
+
num = RSTRING_LENINT(tmp);
|
|
1936
|
+
if (num == 0)
|
|
1937
|
+
return INT2FIX(0);
|
|
1938
|
+
|
|
1939
|
+
for (;;) {
|
|
1940
|
+
int nwritten = SSL_write(ssl, RSTRING_PTR(tmp), num);
|
|
1941
|
+
switch (ssl_get_error(ssl, nwritten)) {
|
|
1942
|
+
case SSL_ERROR_NONE:
|
|
1943
|
+
return INT2NUM(nwritten);
|
|
1944
|
+
case SSL_ERROR_WANT_WRITE:
|
|
1945
|
+
if (no_exception_p(opts)) { return sym_wait_writable; }
|
|
1946
|
+
write_would_block(nonblock);
|
|
1947
|
+
io_wait_writable(fptr);
|
|
1948
|
+
continue;
|
|
1949
|
+
case SSL_ERROR_WANT_READ:
|
|
1950
|
+
if (no_exception_p(opts)) { return sym_wait_readable; }
|
|
1951
|
+
read_would_block(nonblock);
|
|
1952
|
+
io_wait_readable(fptr);
|
|
1953
|
+
continue;
|
|
1954
|
+
case SSL_ERROR_SYSCALL:
|
|
1955
|
+
#ifdef __APPLE__
|
|
1956
|
+
/*
|
|
1957
|
+
* It appears that send syscall can return EPROTOTYPE if the
|
|
1958
|
+
* socket is being torn down. Retry to get a proper errno to
|
|
1959
|
+
* make the error handling in line with the socket library.
|
|
1960
|
+
* [Bug #14713] https://bugs.ruby-lang.org/issues/14713
|
|
1961
|
+
*/
|
|
1962
|
+
if (errno == EPROTOTYPE)
|
|
1983
1963
|
continue;
|
|
1984
|
-
case SSL_ERROR_SYSCALL:
|
|
1985
|
-
if (errno) rb_sys_fail(0);
|
|
1986
|
-
default:
|
|
1987
|
-
ossl_raise(eSSLError, "SSL_write");
|
|
1988
|
-
}
|
|
1989
|
-
}
|
|
1990
|
-
}
|
|
1991
|
-
else {
|
|
1992
|
-
ID meth = nonblock ?
|
|
1993
|
-
rb_intern("write_nonblock") : rb_intern("syswrite");
|
|
1994
|
-
|
|
1995
|
-
rb_warning("SSL session is not started yet.");
|
|
1996
|
-
#if defined(RB_PASS_KEYWORDS)
|
|
1997
|
-
if (nonblock) {
|
|
1998
|
-
VALUE argv[2];
|
|
1999
|
-
argv[0] = str;
|
|
2000
|
-
argv[1] = opts;
|
|
2001
|
-
return rb_funcallv_kw(io, meth, 2, argv, RB_PASS_KEYWORDS);
|
|
2002
|
-
}
|
|
2003
|
-
#else
|
|
2004
|
-
if (nonblock) {
|
|
2005
|
-
return rb_funcall(io, meth, 2, str, opts);
|
|
2006
|
-
}
|
|
2007
1964
|
#endif
|
|
2008
|
-
|
|
2009
|
-
|
|
1965
|
+
if (errno) rb_sys_fail(0);
|
|
1966
|
+
/* fallthrough */
|
|
1967
|
+
default:
|
|
1968
|
+
ossl_raise(eSSLError, "SSL_write");
|
|
1969
|
+
}
|
|
2010
1970
|
}
|
|
2011
|
-
|
|
2012
|
-
end:
|
|
2013
|
-
return INT2NUM(nwrite);
|
|
2014
1971
|
}
|
|
2015
1972
|
|
|
2016
1973
|
/*
|
|
@@ -2410,7 +2367,6 @@ ossl_ssl_npn_protocol(VALUE self)
|
|
|
2410
2367
|
}
|
|
2411
2368
|
# endif
|
|
2412
2369
|
|
|
2413
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2414
2370
|
/*
|
|
2415
2371
|
* call-seq:
|
|
2416
2372
|
* ssl.alpn_protocol => String | nil
|
|
@@ -2433,9 +2389,7 @@ ossl_ssl_alpn_protocol(VALUE self)
|
|
|
2433
2389
|
else
|
|
2434
2390
|
return rb_str_new((const char *) out, outlen);
|
|
2435
2391
|
}
|
|
2436
|
-
# endif
|
|
2437
2392
|
|
|
2438
|
-
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
|
2439
2393
|
/*
|
|
2440
2394
|
* call-seq:
|
|
2441
2395
|
* ssl.tmp_key => PKey or nil
|
|
@@ -2453,11 +2407,8 @@ ossl_ssl_tmp_key(VALUE self)
|
|
|
2453
2407
|
return Qnil;
|
|
2454
2408
|
return ossl_pkey_new(key);
|
|
2455
2409
|
}
|
|
2456
|
-
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
|
|
2457
2410
|
#endif /* !defined(OPENSSL_NO_SOCK) */
|
|
2458
2411
|
|
|
2459
|
-
#undef rb_intern
|
|
2460
|
-
#define rb_intern(s) rb_intern_const(s)
|
|
2461
2412
|
void
|
|
2462
2413
|
Init_ossl_ssl(void)
|
|
2463
2414
|
{
|
|
@@ -2468,8 +2419,8 @@ Init_ossl_ssl(void)
|
|
|
2468
2419
|
rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
|
|
2469
2420
|
#endif
|
|
2470
2421
|
|
|
2471
|
-
id_call =
|
|
2472
|
-
ID_callback_state =
|
|
2422
|
+
id_call = rb_intern_const("call");
|
|
2423
|
+
ID_callback_state = rb_intern_const("callback_state");
|
|
2473
2424
|
|
|
2474
2425
|
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0, (void *)"ossl_ssl_ex_vcb_idx", 0, 0, 0);
|
|
2475
2426
|
if (ossl_ssl_ex_vcb_idx < 0)
|
|
@@ -2480,11 +2431,6 @@ Init_ossl_ssl(void)
|
|
|
2480
2431
|
ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0);
|
|
2481
2432
|
if (ossl_sslctx_ex_ptr_idx < 0)
|
|
2482
2433
|
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
|
2483
|
-
#if !defined(HAVE_X509_STORE_UP_REF)
|
|
2484
|
-
ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0);
|
|
2485
|
-
if (ossl_sslctx_ex_store_p < 0)
|
|
2486
|
-
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
|
|
2487
|
-
#endif
|
|
2488
2434
|
|
|
2489
2435
|
/* Document-module: OpenSSL::SSL
|
|
2490
2436
|
*
|
|
@@ -2536,7 +2482,7 @@ Init_ossl_ssl(void)
|
|
|
2536
2482
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2537
2483
|
* It is recommended to use #add_certificate instead.
|
|
2538
2484
|
*/
|
|
2539
|
-
rb_attr(cSSLContext,
|
|
2485
|
+
rb_attr(cSSLContext, rb_intern_const("cert"), 1, 1, Qfalse);
|
|
2540
2486
|
|
|
2541
2487
|
/*
|
|
2542
2488
|
* Context private key
|
|
@@ -2544,29 +2490,29 @@ Init_ossl_ssl(void)
|
|
|
2544
2490
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2545
2491
|
* It is recommended to use #add_certificate instead.
|
|
2546
2492
|
*/
|
|
2547
|
-
rb_attr(cSSLContext,
|
|
2493
|
+
rb_attr(cSSLContext, rb_intern_const("key"), 1, 1, Qfalse);
|
|
2548
2494
|
|
|
2549
2495
|
/*
|
|
2550
2496
|
* A certificate or Array of certificates that will be sent to the client.
|
|
2551
2497
|
*/
|
|
2552
|
-
rb_attr(cSSLContext,
|
|
2498
|
+
rb_attr(cSSLContext, rb_intern_const("client_ca"), 1, 1, Qfalse);
|
|
2553
2499
|
|
|
2554
2500
|
/*
|
|
2555
2501
|
* The path to a file containing a PEM-format CA certificate
|
|
2556
2502
|
*/
|
|
2557
|
-
rb_attr(cSSLContext,
|
|
2503
|
+
rb_attr(cSSLContext, rb_intern_const("ca_file"), 1, 1, Qfalse);
|
|
2558
2504
|
|
|
2559
2505
|
/*
|
|
2560
2506
|
* The path to a directory containing CA certificates in PEM format.
|
|
2561
2507
|
*
|
|
2562
2508
|
* Files are looked up by subject's X509 name's hash value.
|
|
2563
2509
|
*/
|
|
2564
|
-
rb_attr(cSSLContext,
|
|
2510
|
+
rb_attr(cSSLContext, rb_intern_const("ca_path"), 1, 1, Qfalse);
|
|
2565
2511
|
|
|
2566
2512
|
/*
|
|
2567
2513
|
* Maximum session lifetime in seconds.
|
|
2568
2514
|
*/
|
|
2569
|
-
rb_attr(cSSLContext,
|
|
2515
|
+
rb_attr(cSSLContext, rb_intern_const("timeout"), 1, 1, Qfalse);
|
|
2570
2516
|
|
|
2571
2517
|
/*
|
|
2572
2518
|
* Session verification mode.
|
|
@@ -2579,12 +2525,12 @@ Init_ossl_ssl(void)
|
|
|
2579
2525
|
*
|
|
2580
2526
|
* See SSL_CTX_set_verify(3) for details.
|
|
2581
2527
|
*/
|
|
2582
|
-
rb_attr(cSSLContext,
|
|
2528
|
+
rb_attr(cSSLContext, rb_intern_const("verify_mode"), 1, 1, Qfalse);
|
|
2583
2529
|
|
|
2584
2530
|
/*
|
|
2585
2531
|
* Number of CA certificates to walk when verifying a certificate chain.
|
|
2586
2532
|
*/
|
|
2587
|
-
rb_attr(cSSLContext,
|
|
2533
|
+
rb_attr(cSSLContext, rb_intern_const("verify_depth"), 1, 1, Qfalse);
|
|
2588
2534
|
|
|
2589
2535
|
/*
|
|
2590
2536
|
* A callback for additional certificate verification. The callback is
|
|
@@ -2598,7 +2544,7 @@ Init_ossl_ssl(void)
|
|
|
2598
2544
|
* If the callback returns +false+, the chain verification is immediately
|
|
2599
2545
|
* stopped and a bad_certificate alert is then sent.
|
|
2600
2546
|
*/
|
|
2601
|
-
rb_attr(cSSLContext,
|
|
2547
|
+
rb_attr(cSSLContext, rb_intern_const("verify_callback"), 1, 1, Qfalse);
|
|
2602
2548
|
|
|
2603
2549
|
/*
|
|
2604
2550
|
* Whether to check the server certificate is valid for the hostname.
|
|
@@ -2606,12 +2552,12 @@ Init_ossl_ssl(void)
|
|
|
2606
2552
|
* In order to make this work, verify_mode must be set to VERIFY_PEER and
|
|
2607
2553
|
* the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
|
|
2608
2554
|
*/
|
|
2609
|
-
rb_attr(cSSLContext,
|
|
2555
|
+
rb_attr(cSSLContext, rb_intern_const("verify_hostname"), 1, 1, Qfalse);
|
|
2610
2556
|
|
|
2611
2557
|
/*
|
|
2612
2558
|
* An OpenSSL::X509::Store used for certificate verification.
|
|
2613
2559
|
*/
|
|
2614
|
-
rb_attr(cSSLContext,
|
|
2560
|
+
rb_attr(cSSLContext, rb_intern_const("cert_store"), 1, 1, Qfalse);
|
|
2615
2561
|
|
|
2616
2562
|
/*
|
|
2617
2563
|
* An Array of extra X509 certificates to be added to the certificate
|
|
@@ -2620,7 +2566,7 @@ Init_ossl_ssl(void)
|
|
|
2620
2566
|
* The _cert_, _key_, and _extra_chain_cert_ attributes are deprecated.
|
|
2621
2567
|
* It is recommended to use #add_certificate instead.
|
|
2622
2568
|
*/
|
|
2623
|
-
rb_attr(cSSLContext,
|
|
2569
|
+
rb_attr(cSSLContext, rb_intern_const("extra_chain_cert"), 1, 1, Qfalse);
|
|
2624
2570
|
|
|
2625
2571
|
/*
|
|
2626
2572
|
* A callback invoked when a client certificate is requested by a server
|
|
@@ -2630,28 +2576,14 @@ Init_ossl_ssl(void)
|
|
|
2630
2576
|
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
|
|
2631
2577
|
* other value is returned the handshake is suspended.
|
|
2632
2578
|
*/
|
|
2633
|
-
rb_attr(cSSLContext,
|
|
2634
|
-
|
|
2635
|
-
#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
|
|
2636
|
-
/*
|
|
2637
|
-
* A callback invoked when ECDH parameters are required.
|
|
2638
|
-
*
|
|
2639
|
-
* The callback is invoked with the Session for the key exchange, an
|
|
2640
|
-
* flag indicating the use of an export cipher and the keylength
|
|
2641
|
-
* required.
|
|
2642
|
-
*
|
|
2643
|
-
* The callback is deprecated. This does not work with recent versions of
|
|
2644
|
-
* OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
|
|
2645
|
-
*/
|
|
2646
|
-
rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
|
|
2647
|
-
#endif
|
|
2579
|
+
rb_attr(cSSLContext, rb_intern_const("client_cert_cb"), 1, 1, Qfalse);
|
|
2648
2580
|
|
|
2649
2581
|
/*
|
|
2650
2582
|
* Sets the context in which a session can be reused. This allows
|
|
2651
2583
|
* sessions for multiple applications to be distinguished, for example, by
|
|
2652
2584
|
* name.
|
|
2653
2585
|
*/
|
|
2654
|
-
rb_attr(cSSLContext,
|
|
2586
|
+
rb_attr(cSSLContext, rb_intern_const("session_id_context"), 1, 1, Qfalse);
|
|
2655
2587
|
|
|
2656
2588
|
/*
|
|
2657
2589
|
* A callback invoked on a server when a session is proposed by the client
|
|
@@ -2660,7 +2592,7 @@ Init_ossl_ssl(void)
|
|
|
2660
2592
|
* The callback is invoked with the SSLSocket and session id. The
|
|
2661
2593
|
* callback may return a Session from an external cache.
|
|
2662
2594
|
*/
|
|
2663
|
-
rb_attr(cSSLContext,
|
|
2595
|
+
rb_attr(cSSLContext, rb_intern_const("session_get_cb"), 1, 1, Qfalse);
|
|
2664
2596
|
|
|
2665
2597
|
/*
|
|
2666
2598
|
* A callback invoked when a new session was negotiated.
|
|
@@ -2668,7 +2600,7 @@ Init_ossl_ssl(void)
|
|
|
2668
2600
|
* The callback is invoked with an SSLSocket. If +false+ is returned the
|
|
2669
2601
|
* session will be removed from the internal cache.
|
|
2670
2602
|
*/
|
|
2671
|
-
rb_attr(cSSLContext,
|
|
2603
|
+
rb_attr(cSSLContext, rb_intern_const("session_new_cb"), 1, 1, Qfalse);
|
|
2672
2604
|
|
|
2673
2605
|
/*
|
|
2674
2606
|
* A callback invoked when a session is removed from the internal cache.
|
|
@@ -2679,7 +2611,7 @@ Init_ossl_ssl(void)
|
|
|
2679
2611
|
* multi-threaded application. The callback is called inside a global lock
|
|
2680
2612
|
* and it can randomly cause deadlock on Ruby thread switching.
|
|
2681
2613
|
*/
|
|
2682
|
-
rb_attr(cSSLContext,
|
|
2614
|
+
rb_attr(cSSLContext, rb_intern_const("session_remove_cb"), 1, 1, Qfalse);
|
|
2683
2615
|
|
|
2684
2616
|
rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
|
|
2685
2617
|
|
|
@@ -2702,7 +2634,7 @@ Init_ossl_ssl(void)
|
|
|
2702
2634
|
* raise RuntimeError, "Client renegotiation disabled"
|
|
2703
2635
|
* end
|
|
2704
2636
|
*/
|
|
2705
|
-
rb_attr(cSSLContext,
|
|
2637
|
+
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
|
2706
2638
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
2707
2639
|
/*
|
|
2708
2640
|
* An Enumerable of Strings. Each String represents a protocol to be
|
|
@@ -2715,7 +2647,7 @@ Init_ossl_ssl(void)
|
|
|
2715
2647
|
*
|
|
2716
2648
|
* ctx.npn_protocols = ["http/1.1", "spdy/2"]
|
|
2717
2649
|
*/
|
|
2718
|
-
rb_attr(cSSLContext,
|
|
2650
|
+
rb_attr(cSSLContext, rb_intern_const("npn_protocols"), 1, 1, Qfalse);
|
|
2719
2651
|
/*
|
|
2720
2652
|
* A callback invoked on the client side when the client needs to select
|
|
2721
2653
|
* a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
|
|
@@ -2732,10 +2664,9 @@ Init_ossl_ssl(void)
|
|
|
2732
2664
|
* protocols.first
|
|
2733
2665
|
* end
|
|
2734
2666
|
*/
|
|
2735
|
-
rb_attr(cSSLContext,
|
|
2667
|
+
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
|
|
2736
2668
|
#endif
|
|
2737
2669
|
|
|
2738
|
-
#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2739
2670
|
/*
|
|
2740
2671
|
* An Enumerable of Strings. Each String represents a protocol to be
|
|
2741
2672
|
* advertised as the list of supported protocols for Application-Layer
|
|
@@ -2747,7 +2678,7 @@ Init_ossl_ssl(void)
|
|
|
2747
2678
|
*
|
|
2748
2679
|
* ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
|
|
2749
2680
|
*/
|
|
2750
|
-
rb_attr(cSSLContext,
|
|
2681
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_protocols"), 1, 1, Qfalse);
|
|
2751
2682
|
/*
|
|
2752
2683
|
* A callback invoked on the server side when the server needs to select
|
|
2753
2684
|
* a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
|
|
@@ -2764,8 +2695,7 @@ Init_ossl_ssl(void)
|
|
|
2764
2695
|
* protocols.first
|
|
2765
2696
|
* end
|
|
2766
2697
|
*/
|
|
2767
|
-
rb_attr(cSSLContext,
|
|
2768
|
-
#endif
|
|
2698
|
+
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
|
|
2769
2699
|
|
|
2770
2700
|
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
|
|
2771
2701
|
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
|
|
@@ -2773,6 +2703,9 @@ Init_ossl_ssl(void)
|
|
|
2773
2703
|
ossl_sslctx_set_minmax_proto_version, 2);
|
|
2774
2704
|
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
|
2775
2705
|
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
|
2706
|
+
#ifndef OPENSSL_NO_DH
|
|
2707
|
+
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
|
|
2708
|
+
#endif
|
|
2776
2709
|
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
|
|
2777
2710
|
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
|
|
2778
2711
|
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
|
|
@@ -2879,12 +2812,8 @@ Init_ossl_ssl(void)
|
|
|
2879
2812
|
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
|
|
2880
2813
|
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
|
|
2881
2814
|
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
|
|
2882
|
-
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
|
|
2883
2815
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
|
2884
|
-
# endif
|
|
2885
|
-
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
|
2886
2816
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
|
2887
|
-
# endif
|
|
2888
2817
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
|
2889
2818
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
|
2890
2819
|
# endif
|
|
@@ -2896,12 +2825,23 @@ Init_ossl_ssl(void)
|
|
|
2896
2825
|
rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
|
|
2897
2826
|
|
|
2898
2827
|
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
|
|
2828
|
+
#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
|
|
2829
|
+
rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
|
|
2830
|
+
#endif
|
|
2899
2831
|
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
|
|
2900
|
-
#ifdef
|
|
2901
|
-
rb_define_const(mSSL, "
|
|
2832
|
+
#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
|
|
2833
|
+
rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
|
|
2902
2834
|
#endif
|
|
2903
|
-
|
|
2835
|
+
rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
|
|
2904
2836
|
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
|
|
2837
|
+
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
|
|
2838
|
+
rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
|
|
2839
|
+
#endif
|
|
2840
|
+
#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
|
|
2841
|
+
rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
|
|
2842
|
+
#endif
|
|
2843
|
+
#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
|
|
2844
|
+
rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
|
|
2905
2845
|
#endif
|
|
2906
2846
|
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
|
|
2907
2847
|
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
|
|
@@ -2914,13 +2854,15 @@ Init_ossl_ssl(void)
|
|
|
2914
2854
|
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
|
|
2915
2855
|
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
|
|
2916
2856
|
#endif
|
|
2917
|
-
|
|
2918
|
-
rb_define_const(mSSL, "
|
|
2919
|
-
#
|
|
2920
|
-
|
|
2857
|
+
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
|
|
2858
|
+
rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
|
|
2859
|
+
#endif
|
|
2860
|
+
#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
|
|
2861
|
+
rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
|
|
2862
|
+
#endif
|
|
2863
|
+
#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
|
|
2864
|
+
rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
|
|
2921
2865
|
#endif
|
|
2922
|
-
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
2923
|
-
|
|
2924
2866
|
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
|
|
2925
2867
|
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
|
|
2926
2868
|
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
|
|
@@ -2928,6 +2870,12 @@ Init_ossl_ssl(void)
|
|
|
2928
2870
|
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
|
|
2929
2871
|
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
|
|
2930
2872
|
#endif
|
|
2873
|
+
rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
|
|
2874
|
+
rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
|
|
2875
|
+
#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
|
|
2876
|
+
rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
|
|
2877
|
+
#endif
|
|
2878
|
+
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
2931
2879
|
|
|
2932
2880
|
/* SSL_OP_* flags for DTLS */
|
|
2933
2881
|
#if 0
|
|
@@ -2992,16 +2940,16 @@ Init_ossl_ssl(void)
|
|
|
2992
2940
|
#endif
|
|
2993
2941
|
|
|
2994
2942
|
|
|
2995
|
-
sym_exception = ID2SYM(
|
|
2996
|
-
sym_wait_readable = ID2SYM(
|
|
2997
|
-
sym_wait_writable = ID2SYM(
|
|
2943
|
+
sym_exception = ID2SYM(rb_intern_const("exception"));
|
|
2944
|
+
sym_wait_readable = ID2SYM(rb_intern_const("wait_readable"));
|
|
2945
|
+
sym_wait_writable = ID2SYM(rb_intern_const("wait_writable"));
|
|
2998
2946
|
|
|
2999
|
-
id_tmp_dh_callback =
|
|
3000
|
-
|
|
3001
|
-
|
|
2947
|
+
id_tmp_dh_callback = rb_intern_const("tmp_dh_callback");
|
|
2948
|
+
id_npn_protocols_encoded = rb_intern_const("npn_protocols_encoded");
|
|
2949
|
+
id_each = rb_intern_const("each");
|
|
3002
2950
|
|
|
3003
2951
|
#define DefIVarID(name) do \
|
|
3004
|
-
id_i_##name =
|
|
2952
|
+
id_i_##name = rb_intern_const("@"#name); while (0)
|
|
3005
2953
|
|
|
3006
2954
|
DefIVarID(cert_store);
|
|
3007
2955
|
DefIVarID(ca_file);
|
|
@@ -3015,7 +2963,6 @@ Init_ossl_ssl(void)
|
|
|
3015
2963
|
DefIVarID(key);
|
|
3016
2964
|
DefIVarID(extra_chain_cert);
|
|
3017
2965
|
DefIVarID(client_cert_cb);
|
|
3018
|
-
DefIVarID(tmp_ecdh_callback);
|
|
3019
2966
|
DefIVarID(timeout);
|
|
3020
2967
|
DefIVarID(session_id_context);
|
|
3021
2968
|
DefIVarID(session_get_cb);
|