diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2021-03-18 20:04:59 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-09-26 17:33:14 +0900 |
| commit | aa43da4f0459308e8767bcaa2ad1fec9b5bcf45f (patch) | |
| tree | 3cc4cbff4359144af07555d91ac71ea885b6fbf9 /ext/openssl | |
| parent | bef9ea84e4adb6b56f4497c0174e2b0270a88086 (diff) | |
| download | ruby-openssl-aa43da4f0459308e8767bcaa2ad1fec9b5bcf45f.tar.gz | |
ssl: add SSLContext#tmp_dh=ky/ssl-set-tmp-dh
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.
SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.
RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.
Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.
Diffstat (limited to 'ext/openssl')
| -rw-r--r-- | ext/openssl/extconf.rb | 3 | ||||
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 49 |
2 files changed, 52 insertions, 0 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index aa4eae82..9a822f60 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -170,6 +170,9 @@ have_func("SSL_CTX_set_post_handshake_auth") # added in 1.1.1 have_func("EVP_PKEY_check") +# added in 3.0.0 +have_func("SSL_set0_tmp_dh_pkey") + Logging::message "=== Checking done. ===\n" create_header diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index a32e1dcd..8ebfac52 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -987,6 +987,52 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) return v; } +#ifndef OPENSSL_NO_DH +/* + * call-seq: + * ctx.tmp_dh = pkey + * + * Sets DH parameters used for ephemeral DH key exchange. This is relevant for + * servers only. + * + * +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components + * contained in the key object, if any, are ignored. The server will always + * generate a new key pair for each handshake. + * + * Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3). + * + * Example: + * ctx = OpenSSL::SSL::SSLContext.new + * ctx.tmp_dh = OpenSSL::DH.generate(2048) + * svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx) + * Thread.new { svr.accept } + */ +static VALUE +ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg) +{ + SSL_CTX *ctx; + EVP_PKEY *pkey; + + rb_check_frozen(self); + GetSSLCTX(self, ctx); + pkey = GetPKeyPtr(arg); + + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) + rb_raise(eSSLError, "invalid pkey type %s (expected DH)", + OBJ_nid2sn(EVP_PKEY_base_id(pkey))); +#ifdef HAVE_SSL_SET0_TMP_DH_PKEY + if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)) + ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey"); + EVP_PKEY_up_ref(pkey); +#else + if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey))) + ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh"); +#endif + + return arg; +} +#endif + #if !defined(OPENSSL_NO_EC) /* * call-seq: @@ -2670,6 +2716,9 @@ Init_ossl_ssl(void) ossl_sslctx_set_minmax_proto_version, 2); rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0); rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); +#ifndef OPENSSL_NO_DH + rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1); +#endif rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1); rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0); rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1); |