authornobu <nobu@ruby-lang.org>2016-04-04 15:06:46 +0000
committerKazuki Yamaguchi <k@rhe.jp>2016-05-31 11:31:27 +0900
commitbd6a4954382b7b742575d5688bd9b93a597bcc24 (patch)
tree77518e1befc98e83809b62656c556cedba8e84e0 /test
parentb0996b86f60389184a9c9f10040ceb820f2b9401 (diff)
downloadruby-openssl-bd6a4954382b7b742575d5688bd9b93a597bcc24.tar.gz
openssl: Access to ephemeral TLS session key
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral TLS session key in case of forward secrecy cipher. Only available since OpenSSL 1.0.2. [Fix GH-1318] * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r--test/test_ssl.rb23
-rw-r--r--test/utils.rb1
2 files changed, 24 insertions, 0 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 7132dcc1..db7ce33e 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -1169,6 +1169,29 @@ end
}
end
+ def test_get_ephemeral_key
+ return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
+ ciphers = {
+ 'ECDHE-RSA-AES128-SHA' => OpenSSL::PKey::EC,
+ 'DHE-RSA-AES128-SHA' => OpenSSL::PKey::DH,
+ 'AES128-SHA' => nil
+ }
+ conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
+ start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc) do |server, port|
+ ciphers.each do |cipher, ephemeral|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = cipher
+ server_connect(port, ctx) do |ssl|
+ if ephemeral
+ assert_equal(ephemeral, ssl.tmp_key.class)
+ else
+ assert_nil(ssl.tmp_key)
+ end
+ end
+ end
+ end
+ end
+
private
def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
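Review bot: The guard `return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)` at the top of test_get_ephemeral_key makes the test report success on builds where the accessor is missing (the commit message says it needs OpenSSL 1.0.2), so a run cannot tell a checked forward-secrecy key from one that was never checked. Reporting it as skipped with a reason would keep that visible, e.g. `skip "SSLSocket#tmp_key is not available" unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)`, assuming the suite's framework provides `skip`. The `ciphers` hash also names `OpenSSL::PKey::EC` unconditionally, which would presumably raise NameError on a build without EC support before any assertion runs. The assertions compare only `ssl.tmp_key.class`, so a short comment stating that the key's parameters are deliberately not checked would help the next reader.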
diff --git a/test/utils.rb b/test/utils.rb
index 2e9b7395..8e21b977 100644
--- a/test/utils.rb
+++ b/test/utils.rb
@@ -278,6 +278,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
ctx.cert = @svr_cert
ctx.key = @svr_key
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
+ ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc
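Review bot: The added `ctx.tmp_ecdh_callback` proc returns the same fixed `TEST_KEY_EC_P256V1` object for every handshake, mirroring the `tmp_dh_callback` line above it, and nothing here marks it as a fixture-only shortcut. A comment such as `# fixed test key, test servers only; a static key here weakens forward secrecy if OpenSSL reuses it` would keep the pattern from being copied into real server setup. Whether the private part is actually reused depends on OpenSSL options not visible in this hunk. The setter is also called unconditionally, so it is worth confirming that it exists on builds without EC support. The enclosing method starts and ends outside the hunk.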