From 03c088b936c1bea55687c6345799b28b98c24ee9 Mon Sep 17 00:00:00 2001 From: Zachary Scott Date: Wed, 23 Sep 2015 09:26:00 -0400 Subject: Sync with ruby trunk --- ext/openssl/extconf.rb | 8 +- ext/openssl/openssl_missing.c | 2 - ext/openssl/openssl_missing.h | 2 - ext/openssl/ossl.c | 2 - ext/openssl/ossl.h | 2 - ext/openssl/ossl_asn1.c | 1 - ext/openssl/ossl_asn1.h | 1 - ext/openssl/ossl_bio.c | 1 - ext/openssl/ossl_bio.h | 2 - ext/openssl/ossl_bn.c | 2 - ext/openssl/ossl_bn.h | 2 - ext/openssl/ossl_cipher.c | 2 - ext/openssl/ossl_cipher.h | 2 - ext/openssl/ossl_config.c | 1 - ext/openssl/ossl_config.h | 2 - ext/openssl/ossl_digest.c | 1 - ext/openssl/ossl_digest.h | 2 - ext/openssl/ossl_engine.c | 1 - ext/openssl/ossl_engine.h | 1 - ext/openssl/ossl_hmac.c | 1 - ext/openssl/ossl_hmac.h | 1 - ext/openssl/ossl_ns_spki.c | 2 - ext/openssl/ossl_ns_spki.h | 2 - ext/openssl/ossl_ocsp.c | 5 +- ext/openssl/ossl_ocsp.h | 1 - ext/openssl/ossl_pkcs12.c | 1 - ext/openssl/ossl_pkcs12.h | 2 - ext/openssl/ossl_pkcs5.c | 1 - ext/openssl/ossl_pkcs7.c | 1 - ext/openssl/ossl_pkcs7.h | 2 - ext/openssl/ossl_pkey.c | 2 - ext/openssl/ossl_pkey.h | 3 - ext/openssl/ossl_pkey_dh.c | 71 ------- ext/openssl/ossl_pkey_dsa.c | 1 - ext/openssl/ossl_pkey_rsa.c | 2 - ext/openssl/ossl_rand.c | 2 - ext/openssl/ossl_rand.h | 2 - ext/openssl/ossl_ssl.c | 413 ++++++++++++++--------------------------- ext/openssl/ossl_ssl.h | 2 - ext/openssl/ossl_version.h | 1 - ext/openssl/ossl_x509.c | 2 - ext/openssl/ossl_x509.h | 1 - ext/openssl/ossl_x509attr.c | 1 - ext/openssl/ossl_x509cert.c | 2 - ext/openssl/ossl_x509crl.c | 2 - ext/openssl/ossl_x509ext.c | 1 - ext/openssl/ossl_x509name.c | 1 - ext/openssl/ossl_x509req.c | 2 - ext/openssl/ossl_x509revoked.c | 2 - ext/openssl/ossl_x509store.c | 1 - ext/openssl/ruby_missing.h | 1 - lib/openssl.rb | 6 +- lib/openssl/bn.rb | 7 - lib/openssl/buffering.rb | 7 +- lib/openssl/cipher.rb | 7 - lib/openssl/digest.rb | 8 - lib/openssl/pkey.rb | 36 ++++ lib/openssl/ssl.rb | 142 ++++++++++++-- lib/openssl/x509.rb | 7 - test/test_cipher.rb | 2 +- test/test_pair.rb | 130 +++++++++---- test/test_pkey_dh.rb | 21 +++ test/test_ssl.rb | 242 +++++++++++++++++++++++- test/test_ssl_session.rb | 7 +- 64 files changed, 669 insertions(+), 524 deletions(-) create mode 100644 lib/openssl/pkey.rb diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 8c04cb56..41dd9bed 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -1,7 +1,5 @@ # -*- coding: us-ascii -*- =begin -= $RCSfile$ -- Generator for Makefile - = Info 'OpenSSL for Ruby 2' project Copyright (C) 2002 Michal Rokos @@ -10,9 +8,6 @@ = Licence This program is licensed under the same licence as Ruby. (See the file 'LICENCE'.) - -= Version - $Id$ =end require "mkmf" @@ -104,6 +99,9 @@ have_func("OPENSSL_cleanse") have_func("SSLv2_method") have_func("SSLv2_server_method") have_func("SSLv2_client_method") +have_func("SSLv3_method") +have_func("SSLv3_server_method") +have_func("SSLv3_client_method") have_func("TLSv1_1_method") have_func("TLSv1_1_server_method") have_func("TLSv1_1_client_method") diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c index 7f879561..bd8eef5e 100644 --- a/ext/openssl/openssl_missing.c +++ b/ext/openssl/openssl_missing.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -353,4 +352,3 @@ ASN1_put_eoc(unsigned char **pp) return 2; } #endif - diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h index 9c06fb7d..2dc49d3f 100644 --- a/ext/openssl/openssl_missing.h +++ b/ext/openssl/openssl_missing.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -195,4 +194,3 @@ int ASN1_put_eoc(unsigned char **pp); #endif /* _OSSL_OPENSSL_MISSING_H_ */ - diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index 1f127ec7..5c14664c 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -1179,4 +1178,3 @@ main(int argc, char *argv[]) return 0; } #endif /* OSSL_DEBUG */ - diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h index f69a9d68..eca0ef94 100644 --- a/ext/openssl/ossl.h +++ b/ext/openssl/ossl.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -247,4 +246,3 @@ void Init_openssl(void); #endif #endif /* _OSSL_H_ */ - diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 069a024b..89da5949 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' team members * Copyright (C) 2003 * All rights reserved. diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h index c854984e..8250746c 100644 --- a/ext/openssl/ossl_asn1.h +++ b/ext/openssl/ossl_asn1.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' team members * Copyright (C) 2003 * All rights reserved. diff --git a/ext/openssl/ossl_bio.c b/ext/openssl/ossl_bio.c index 2301c604..7e3b3070 100644 --- a/ext/openssl/ossl_bio.c +++ b/ext/openssl/ossl_bio.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' team members * Copyright (C) 2003 * All rights reserved. diff --git a/ext/openssl/ossl_bio.h b/ext/openssl/ossl_bio.h index b1b2dbbb..1705d0ac 100644 --- a/ext/openssl/ossl_bio.h +++ b/ext/openssl/ossl_bio.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' team members * Copyright (C) 2003 * All rights reserved. @@ -18,4 +17,3 @@ VALUE ossl_membio2str(BIO*); VALUE ossl_protect_membio2str(BIO*,int*); #endif - diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c index 190dbb1a..fba86cdd 100644 --- a/ext/openssl/ossl_bn.c +++ b/ext/openssl/ossl_bn.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Technorama team * All rights reserved. @@ -1051,4 +1050,3 @@ Init_ossl_bn(void) */ rb_define_method(cBN, "prime_fasttest?", ossl_bn_is_prime_fasttest, -1); } - diff --git a/ext/openssl/ossl_bn.h b/ext/openssl/ossl_bn.h index 5749ecd4..4cd9d060 100644 --- a/ext/openssl/ossl_bn.h +++ b/ext/openssl/ossl_bn.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -22,4 +21,3 @@ void Init_ossl_bn(void); #endif /* _OSS_BN_H_ */ - diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 3e92d656..1318378c 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -1010,4 +1009,3 @@ Init_ossl_cipher(void) rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0); rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1); } - diff --git a/ext/openssl/ossl_cipher.h b/ext/openssl/ossl_cipher.h index 47f47e60..c444089f 100644 --- a/ext/openssl/ossl_cipher.h +++ b/ext/openssl/ossl_cipher.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -19,4 +18,3 @@ VALUE ossl_cipher_new(const EVP_CIPHER *); void Init_ossl_cipher(void); #endif /* _OSSL_CIPHER_H_ */ - diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c index f3dce1ed..4e00fbe4 100644 --- a/ext/openssl/ossl_config.c +++ b/ext/openssl/ossl_config.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_config.h b/ext/openssl/ossl_config.h index dcb50aec..077e2f74 100644 --- a/ext/openssl/ossl_config.h +++ b/ext/openssl/ossl_config.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -19,4 +18,3 @@ CONF* DupConfigPtr(VALUE obj); void Init_ossl_config(void); #endif /* _OSSL_CONFIG_H_ */ - diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c index 0ed12c5a..44968dd9 100644 --- a/ext/openssl/ossl_digest.c +++ b/ext/openssl/ossl_digest.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_digest.h b/ext/openssl/ossl_digest.h index d5abd279..512f7d3a 100644 --- a/ext/openssl/ossl_digest.h +++ b/ext/openssl/ossl_digest.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -19,4 +18,3 @@ VALUE ossl_digest_new(const EVP_MD *); void Init_ossl_digest(void); #endif /* _OSSL_DIGEST_H_ */ - diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c index 0e9bc96c..890ec724 100644 --- a/ext/openssl/ossl_engine.c +++ b/ext/openssl/ossl_engine.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2003 GOTOU Yuuzou * All rights reserved. diff --git a/ext/openssl/ossl_engine.h b/ext/openssl/ossl_engine.h index 10c4553d..cd548bee 100644 --- a/ext/openssl/ossl_engine.h +++ b/ext/openssl/ossl_engine.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2003 Michal Rokos * Copyright (C) 2003 GOTOU Yuuzou diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index 118af617..5513cb20 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_hmac.h b/ext/openssl/ossl_hmac.h index 078af7b7..7c51f472 100644 --- a/ext/openssl/ossl_hmac.h +++ b/ext/openssl/ossl_hmac.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_ns_spki.c b/ext/openssl/ossl_ns_spki.c index 94e0667f..35c2e3e5 100644 --- a/ext/openssl/ossl_ns_spki.c +++ b/ext/openssl/ossl_ns_spki.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -404,4 +403,3 @@ Init_ossl_ns_spki(void) rb_define_method(cSPKI, "challenge", ossl_spki_get_challenge, 0); rb_define_method(cSPKI, "challenge=", ossl_spki_set_challenge, 1); } - diff --git a/ext/openssl/ossl_ns_spki.h b/ext/openssl/ossl_ns_spki.h index 2c151523..62ba8cb1 100644 --- a/ext/openssl/ossl_ns_spki.h +++ b/ext/openssl/ossl_ns_spki.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -18,4 +17,3 @@ extern VALUE eSPKIError; void Init_ossl_ns_spki(void); #endif /* _OSSL_NS_SPKI_H_ */ - diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c index 108fc2f8..af32d99e 100644 --- a/ext/openssl/ossl_ocsp.c +++ b/ext/openssl/ossl_ocsp.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2003 Michal Rokos * Copyright (C) 2003 GOTOU Yuuzou @@ -652,7 +651,7 @@ ossl_ocspbres_add_nonce(int argc, VALUE *argv, VALUE self) * call-seq: * basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response * - * Adds a validation +status+ (0 for revoked, 1 for success) to this + * Adds a validation +status+ (0 for good, 1 for revoked, 2 for unknown) to this * response for +certificate_id+. +reason+ describes the reason for the * revocation, if any. * @@ -737,7 +736,7 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status, * basic_response.status -> statuses * * Returns an Array of statuses for this response. Each status contains a - * CertificateId, the status (0 for success, 1 for revoked), the reason for + * CertificateId, the status (0 for good, 1 for revoked, 2 for unknown), the reason for * the status, the revocation time, the time of this update, the time for the * next update and a list of OpenSSL::X509::Extensions. */ diff --git a/ext/openssl/ossl_ocsp.h b/ext/openssl/ossl_ocsp.h index cc33de29..c5064fbc 100644 --- a/ext/openssl/ossl_ocsp.h +++ b/ext/openssl/ossl_ocsp.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2003 Michal Rokos * Copyright (C) 2003 GOTOU Yuuzou diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c index f6ea5627..e5052d47 100644 --- a/ext/openssl/ossl_pkcs12.c +++ b/ext/openssl/ossl_pkcs12.c @@ -1,7 +1,6 @@ /* * This program is licensed under the same licence as Ruby. * (See the file 'LICENCE'.) - * $Id$ */ #include "ossl.h" diff --git a/ext/openssl/ossl_pkcs12.h b/ext/openssl/ossl_pkcs12.h index 0675fc34..fe4f15ef 100644 --- a/ext/openssl/ossl_pkcs12.h +++ b/ext/openssl/ossl_pkcs12.h @@ -1,7 +1,6 @@ /* * This program is licensed under the same licence as Ruby. * (See the file 'LICENCE'.) - * $Id$ */ #if !defined(_OSSL_PKCS12_H_) #define _OSSL_PKCS12_H_ @@ -12,4 +11,3 @@ extern VALUE ePKCS12Error; void Init_ossl_pkcs12(void); #endif /* _OSSL_PKCS12_H_ */ - diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c index 6c7738a2..73d989e1 100644 --- a/ext/openssl/ossl_pkcs5.c +++ b/ext/openssl/ossl_pkcs5.c @@ -1,5 +1,4 @@ /* - * $Id$ * Copyright (C) 2007 Technorama Ltd. */ #include "ossl.h" diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c index cfc2ccc6..9ca3abd7 100644 --- a/ext/openssl/ossl_pkcs7.c +++ b/ext/openssl/ossl_pkcs7.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_pkcs7.h b/ext/openssl/ossl_pkcs7.h index 0cfea17c..139e00d6 100644 --- a/ext/openssl/ossl_pkcs7.h +++ b/ext/openssl/ossl_pkcs7.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -19,4 +18,3 @@ extern VALUE ePKCS7Error; void Init_ossl_pkcs7(void); #endif /* _OSSL_PKCS7_H_ */ - diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 01dab285..0b7faf96 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -451,4 +450,3 @@ Init_ossl_pkey(void) Init_ossl_dh(); Init_ossl_ec(); } - diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h index 951b0de5..7288d5af 100644 --- a/ext/openssl/ossl_pkey.h +++ b/ext/openssl/ossl_pkey.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001 Michal Rokos * All rights reserved. @@ -84,8 +83,6 @@ void Init_ossl_dsa(void); */ extern VALUE cDH; extern VALUE eDHError; -extern DH *OSSL_DEFAULT_DH_512; -extern DH *OSSL_DEFAULT_DH_1024; VALUE ossl_dh_new(EVP_PKEY *); void Init_ossl_dh(void); diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c index 234cdaa1..2f79bfb2 100644 --- a/ext/openssl/ossl_pkey_dh.c +++ b/ext/openssl/ossl_pkey_dh.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -523,69 +522,6 @@ OSSL_PKEY_BN(dh, g) OSSL_PKEY_BN(dh, pub_key) OSSL_PKEY_BN(dh, priv_key) -/* - * -----BEGIN DH PARAMETERS----- - * MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 - * zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC - * -----END DH PARAMETERS----- - */ -static unsigned char DEFAULT_DH_512_PRIM[] = { - 0xf4, 0xcd, 0x71, 0xe5, 0x8d, 0x18, 0x3f, 0x98, - 0x9f, 0x4f, 0x60, 0xb0, 0x02, 0x2e, 0xfe, 0x7c, - 0x09, 0xdf, 0x15, 0xc4, 0x1c, 0x71, 0x63, 0xba, - 0x04, 0xb8, 0x27, 0x94, 0x44, 0xc8, 0x93, 0xa8, - 0x48, 0x4c, 0xca, 0x6d, 0x7a, 0xae, 0x18, 0x4a, - 0x81, 0x91, 0xb6, 0xce, 0x4d, 0x8e, 0xf6, 0xe5, - 0x08, 0x04, 0x8c, 0x52, 0x8f, 0xe3, 0x4a, 0x31, - 0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb, -}; -static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 }; -DH *OSSL_DEFAULT_DH_512 = NULL; - -/* - * -----BEGIN DH PARAMETERS----- - * MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ - * AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR - * T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC - * -----END DH PARAMETERS----- - */ -static unsigned char DEFAULT_DH_1024_PRIM[] = { - 0x9d, 0x25, 0x39, 0x5c, 0xb4, 0x54, 0x8a, 0xff, - 0x25, 0xe6, 0xd6, 0x9f, 0x4c, 0xc3, 0xc1, 0x8d, - 0xa1, 0xfa, 0xba, 0x88, 0x4c, 0x53, 0xa9, 0x74, - 0xda, 0xfa, 0xba, 0x0b, 0x20, 0xbe, 0x40, 0xd7, - 0xba, 0xe7, 0x1d, 0x70, 0x28, 0x61, 0x60, 0x4c, - 0x49, 0x01, 0x5f, 0xd9, 0x0f, 0x60, 0x16, 0x3d, - 0xba, 0xd3, 0xa9, 0x5e, 0xfa, 0x98, 0x64, 0x60, - 0x26, 0x0e, 0x04, 0x75, 0xd8, 0x13, 0xd7, 0x31, - 0xb4, 0x8e, 0xad, 0xeb, 0x9c, 0x57, 0x4c, 0x8f, - 0x65, 0xf3, 0x90, 0x16, 0x31, 0xdc, 0x15, 0x6f, - 0x7d, 0x1d, 0x00, 0xae, 0x76, 0xf2, 0xd1, 0x11, - 0xd1, 0x4f, 0x88, 0x7b, 0x29, 0x9f, 0xf6, 0xce, - 0x68, 0xef, 0x57, 0xe7, 0x85, 0xf2, 0x40, 0x54, - 0x1c, 0x12, 0x40, 0xa2, 0x35, 0x25, 0xcf, 0x12, - 0xa3, 0xe1, 0x07, 0x8e, 0xdb, 0x1d, 0xb4, 0x14, - 0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83 -}; -static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 }; -DH *OSSL_DEFAULT_DH_1024 = NULL; - -static DH* -ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen) -{ - DH *dh; - - if ((dh = DH_new()) == NULL) ossl_raise(eDHError, NULL); - dh->p = BN_bin2bn(p, rb_long2int(plen), NULL); - dh->g = BN_bin2bn(g, rb_long2int(glen), NULL); - if (dh->p == NULL || dh->g == NULL){ - DH_free(dh); - ossl_raise(eDHError, NULL); - } - - return dh; -} - /* * INIT */ @@ -651,13 +587,6 @@ Init_ossl_dh(void) DEF_OSSL_PKEY_BN(cDH, dh, pub_key); DEF_OSSL_PKEY_BN(cDH, dh, priv_key); rb_define_method(cDH, "params", ossl_dh_get_params, 0); - - OSSL_DEFAULT_DH_512 = ossl_create_dh( - DEFAULT_DH_512_PRIM, sizeof(DEFAULT_DH_512_PRIM), - DEFAULT_DH_512_GEN, sizeof(DEFAULT_DH_512_GEN)); - OSSL_DEFAULT_DH_1024 = ossl_create_dh( - DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM), - DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN)); } #else /* defined NO_DH */ diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c index b8e415df..d5d55eec 100644 --- a/ext/openssl/ossl_pkey_dsa.c +++ b/ext/openssl/ossl_pkey_dsa.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c index 699383f6..20b993ab 100644 --- a/ext/openssl/ossl_pkey_rsa.c +++ b/ext/openssl/ossl_pkey_rsa.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -700,4 +699,3 @@ Init_ossl_rsa(void) { } #endif /* NO_RSA */ - diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c index 32a4290b..018ef977 100644 --- a/ext/openssl/ossl_rand.c +++ b/ext/openssl/ossl_rand.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * @@ -227,4 +226,3 @@ Init_ossl_rand(void) #endif /* HAVE_RAND_EGD */ rb_define_module_function(mRandom, "status?", ossl_rand_status, 0); } - diff --git a/ext/openssl/ossl_rand.h b/ext/openssl/ossl_rand.h index db635f89..8f77a3b2 100644 --- a/ext/openssl/ossl_rand.h +++ b/ext/openssl/ossl_rand.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -17,4 +16,3 @@ extern VALUE eRandomError; void Init_ossl_rand(void); #endif /* _OSSL_RAND_H_ */ - diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index ed10bb14..3e6e1646 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2000-2002 GOTOU Yuuzou * Copyright (C) 2001-2002 Michal Rokos @@ -29,6 +28,7 @@ } while (0) VALUE mSSL; +VALUE mSSLExtConfig; VALUE eSSLError; VALUE cSSLContext; VALUE cSSLSocket; @@ -45,11 +45,9 @@ static VALUE eSSLErrorWaitWritable; #define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v)) #define ossl_sslctx_set_verify_dep(o,v) rb_iv_set((o),"@verify_depth",(v)) #define ossl_sslctx_set_verify_cb(o,v) rb_iv_set((o),"@verify_callback",(v)) -#define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v)) #define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v)) #define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v)) #define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v)) -#define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v)) #define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_set((o),"@session_id_context",(v)) #define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert") @@ -61,54 +59,22 @@ static VALUE eSSLErrorWaitWritable; #define ossl_sslctx_get_verify_mode(o) rb_iv_get((o),"@verify_mode") #define ossl_sslctx_get_verify_dep(o) rb_iv_get((o),"@verify_depth") #define ossl_sslctx_get_verify_cb(o) rb_iv_get((o),"@verify_callback") -#define ossl_sslctx_get_options(o) rb_iv_get((o),"@options") #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store") #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert") #define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb") #define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback") -#define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback") #define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context") -static const char *ossl_sslctx_attrs[] = { - "cert", "key", "client_ca", "ca_file", "ca_path", - "timeout", "verify_mode", "verify_depth", "renegotiation_cb", - "verify_callback", "options", "cert_store", "extra_chain_cert", - "client_cert_cb", "tmp_dh_callback", "session_id_context", - "session_get_cb", "session_new_cb", "session_remove_cb", - "tmp_ecdh_callback", -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME - "servername_cb", -#endif -#ifdef HAVE_OPENSSL_NPN_NEGOTIATED - "npn_protocols", - "npn_select_cb", -#endif -}; - #define ossl_ssl_get_io(o) rb_iv_get((o),"@io") #define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context") -#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close") #define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509") #define ossl_ssl_get_key(o) rb_iv_get((o),"@key") -#define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh") -#define ossl_ssl_get_tmp_ecdh(o) rb_iv_get((o),"@tmp_ecdh") -#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v)) -#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v)) -#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v)) #define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v)) #define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v)) #define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v)) #define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v)) -static const char *ossl_ssl_attr_readers[] = { "io", "context", }; -static const char *ossl_ssl_attrs[] = { -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME - "hostname", -#endif - "sync_close", -}; - ID ID_callback_state; static VALUE sym_exception, sym_wait_readable, sym_wait_writable; @@ -142,9 +108,12 @@ static const struct { OSSL_SSL_METHOD_ENTRY(SSLv2_server), OSSL_SSL_METHOD_ENTRY(SSLv2_client), #endif +#if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \ + defined(HAVE_SSLV3_CLIENT_METHOD) OSSL_SSL_METHOD_ENTRY(SSLv3), OSSL_SSL_METHOD_ENTRY(SSLv3_server), OSSL_SSL_METHOD_ENTRY(SSLv3_client), +#endif OSSL_SSL_METHOD_ENTRY(SSLv23), OSSL_SSL_METHOD_ENTRY(SSLv23_server), OSSL_SSL_METHOD_ENTRY(SSLv23_client), @@ -154,9 +123,6 @@ static const struct { int ossl_ssl_ex_vcb_idx; int ossl_ssl_ex_store_p; int ossl_ssl_ex_ptr_idx; -int ossl_ssl_ex_client_cert_cb_idx; -int ossl_ssl_ex_tmp_dh_callback_idx; -int ossl_ssl_ex_tmp_ecdh_callback_idx; static void ossl_sslctx_free(void *ptr) @@ -193,6 +159,8 @@ ossl_sslctx_s_alloc(VALUE klass) } SSL_CTX_set_mode(ctx, mode); RTYPEDDATA_DATA(obj) = ctx; + SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj); + return obj; } @@ -208,13 +176,13 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method) { SSL_METHOD *method = NULL; const char *s; + VALUE m = ssl_method; int i; SSL_CTX *ctx; if (RB_TYPE_P(ssl_method, T_SYMBOL)) - s = rb_id2name(SYM2ID(ssl_method)); - else - s = StringValuePtr(ssl_method); + m = rb_sym2str(ssl_method); + s = StringValueCStr(m); for (i = 0; i < numberof(ossl_ssl_method_tab); i++) { if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) { method = ossl_ssl_method_tab[i].func(); @@ -222,7 +190,7 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method) } } if (!method) { - ossl_raise(rb_eArgError, "unknown SSL method `%s'.", s); + ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m); } GetSSLCTX(self, ctx); if (SSL_CTX_set_ssl_version(ctx, method) != 1) { @@ -232,41 +200,12 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method) return ssl_method; } -/* - * call-seq: - * SSLContext.new => ctx - * SSLContext.new(:TLSv1) => ctx - * SSLContext.new("SSLv23_client") => ctx - * - * You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS - */ -static VALUE -ossl_sslctx_initialize(int argc, VALUE *argv, VALUE self) -{ - VALUE ssl_method; - int i; - - for(i = 0; i < numberof(ossl_sslctx_attrs); i++){ - char buf[32]; - snprintf(buf, sizeof(buf), "@%s", ossl_sslctx_attrs[i]); - rb_iv_set(self, buf, Qnil); - } - if (rb_scan_args(argc, argv, "01", &ssl_method) == 0){ - return self; - } - ossl_sslctx_set_ssl_version(self, ssl_method); - - return self; -} - static VALUE ossl_call_client_cert_cb(VALUE obj) { VALUE cb, ary, cert, key; - SSL *ssl; - GetSSL(obj, ssl); - cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx); + cb = rb_funcall(obj, rb_intern("client_cert_cb"), 0); if (NIL_P(cb)) return Qfalse; ary = rb_funcall(cb, rb_intern("call"), 1, obj); Check_Type(ary, T_ARRAY); @@ -284,8 +223,7 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) VALUE obj, success; obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); - success = rb_protect((VALUE(*)_((VALUE)))ossl_call_client_cert_cb, - obj, NULL); + success = rb_protect(ossl_call_client_cert_cb, obj, NULL); if (!RTEST(success)) return 0; *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj)); *pkey = DupPKeyPtr(ossl_ssl_get_key(obj)); @@ -295,50 +233,35 @@ ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) #if !defined(OPENSSL_NO_DH) static VALUE -ossl_call_tmp_dh_callback(VALUE *args) +ossl_call_tmp_dh_callback(VALUE args) { - SSL *ssl; VALUE cb, dh; EVP_PKEY *pkey; - GetSSL(args[0], ssl); - cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx); + cb = rb_funcall(rb_ary_entry(args, 0), rb_intern("tmp_dh_callback"), 0); + if (NIL_P(cb)) return Qfalse; - dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]); + dh = rb_apply(cb, rb_intern("call"), args); pkey = GetPKeyPtr(dh); if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse; - ossl_ssl_set_tmp_dh(args[0], dh); - return Qtrue; + return dh; } static DH* ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) { - VALUE args[3], success; + VALUE args, dh, rb_ssl; - args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); - args[1] = INT2FIX(is_export); - args[2] = INT2FIX(keylength); - success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_dh_callback, - (VALUE)args, NULL); - if (!RTEST(success)) return NULL; + rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); - return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh; -} + args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength)); -static DH* -ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -{ - rb_warning("using default DH parameters."); + dh = rb_protect(ossl_call_tmp_dh_callback, args, NULL); + if (!RTEST(dh)) return NULL; + ossl_ssl_set_tmp_dh(rb_ssl, dh); - switch(keylength){ - case 512: - return OSSL_DEFAULT_DH_512; - case 1024: - return OSSL_DEFAULT_DH_1024; - } - return NULL; + return GetPKeyPtr(dh)->pkey.dh; } #endif /* OPENSSL_NO_DH */ @@ -346,34 +269,33 @@ ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength) static VALUE ossl_call_tmp_ecdh_callback(VALUE args) { - SSL *ssl; VALUE cb, ecdh; EVP_PKEY *pkey; - GetSSL(rb_ary_entry(args, 0), ssl); - cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx); + cb = rb_funcall(rb_ary_entry(args, 0), rb_intern("tmp_ecdh_callback"), 0); + if (NIL_P(cb)) return Qfalse; ecdh = rb_apply(cb, rb_intern("call"), args); pkey = GetPKeyPtr(ecdh); if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) return Qfalse; - ossl_ssl_set_tmp_ecdh(rb_ary_entry(args, 0), ecdh); - return Qtrue; + return ecdh; } static EC_KEY* ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength) { - VALUE args, success, rb_ssl; + VALUE args, ecdh, rb_ssl; rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength)); - success = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL); - if (!RTEST(success)) return NULL; + ecdh = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL); + if (!RTEST(ecdh)) return NULL; + ossl_ssl_set_tmp_ecdh(rb_ssl, ecdh); - return GetPKeyPtr(ossl_ssl_get_tmp_ecdh(rb_ssl))->pkey.ec; + return GetPKeyPtr(ecdh)->pkey.ec; } #endif @@ -392,14 +314,12 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) static VALUE ossl_call_session_get_cb(VALUE ary) { - VALUE ssl_obj, sslctx_obj, cb; + VALUE ssl_obj, cb; Check_Type(ary, T_ARRAY); ssl_obj = rb_ary_entry(ary, 0); - sslctx_obj = rb_iv_get(ssl_obj, "@context"); - if (NIL_P(sslctx_obj)) return Qnil; - cb = rb_iv_get(sslctx_obj, "@session_get_cb"); + cb = rb_funcall(ssl_obj, rb_intern("session_get_cb"), 0); if (NIL_P(cb)) return Qnil; return rb_funcall(cb, rb_intern("call"), 1, ary); @@ -422,7 +342,7 @@ ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy) rb_ary_push(ary, ssl_obj); rb_ary_push(ary, rb_str_new((const char *)buf, len)); - ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state); + ret_obj = rb_protect(ossl_call_session_get_cb, ary, &state); if (state) { rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state)); return NULL; @@ -439,14 +359,12 @@ ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy) static VALUE ossl_call_session_new_cb(VALUE ary) { - VALUE ssl_obj, sslctx_obj, cb; + VALUE ssl_obj, cb; Check_Type(ary, T_ARRAY); ssl_obj = rb_ary_entry(ary, 0); - sslctx_obj = rb_iv_get(ssl_obj, "@context"); - if (NIL_P(sslctx_obj)) return Qnil; - cb = rb_iv_get(sslctx_obj, "@session_new_cb"); + cb = rb_funcall(ssl_obj, rb_intern("session_new_cb"), 0); if (NIL_P(cb)) return Qnil; return rb_funcall(cb, rb_intern("call"), 1, ary); @@ -473,7 +391,7 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess) rb_ary_push(ary, ssl_obj); rb_ary_push(ary, sess_obj); - rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state); + rb_protect(ossl_call_session_new_cb, ary, &state); if (state) { rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state)); } @@ -572,6 +490,7 @@ ossl_call_servername_cb(VALUE ary) GetSSL(ssl_obj, ssl); GetSSLCTX(ret_obj, ctx2); SSL_set_SSL_CTX(ssl, ctx2); + rb_iv_set(ssl_obj, "@context", ret_obj); } else if (!NIL_P(ret_obj)) { ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil"); } @@ -727,6 +646,39 @@ ssl_info_cb(const SSL *ssl, int where, int val) } } +/* + * Gets various OpenSSL options. + */ +static VALUE +ossl_sslctx_get_options(VALUE self) +{ + SSL_CTX *ctx; + GetSSLCTX(self, ctx); + return LONG2NUM(SSL_CTX_get_options(ctx)); +} + +/* + * Sets various OpenSSL options. + */ +static VALUE +ossl_sslctx_set_options(VALUE self, VALUE options) +{ + SSL_CTX *ctx; + + rb_check_frozen(self); + GetSSLCTX(self, ctx); + + SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)); + + if (NIL_P(options)) { + SSL_CTX_set_options(ctx, SSL_OP_ALL); + } else { + SSL_CTX_set_options(ctx, NUM2LONG(options)); + } + + return self; +} + /* * call-seq: * ctx.setup => Qtrue # first time @@ -751,12 +703,7 @@ ossl_sslctx_setup(VALUE self) GetSSLCTX(self, ctx); #if !defined(OPENSSL_NO_DH) - if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){ - SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); - } - else{ - SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback); - } + SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); #endif #if !defined(OPENSSL_NO_EC) @@ -765,8 +712,6 @@ ossl_sslctx_setup(VALUE self) } #endif - SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self); - val = ossl_sslctx_get_cert_store(self); if(!NIL_P(val)){ /* @@ -845,13 +790,6 @@ ossl_sslctx_setup(VALUE self) val = ossl_sslctx_get_verify_dep(self); if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val)); - val = ossl_sslctx_get_options(self); - if(!NIL_P(val)) { - SSL_CTX_set_options(ctx, NUM2LONG(val)); - } else { - SSL_CTX_set_options(ctx, SSL_OP_ALL); - } - #ifdef HAVE_OPENSSL_NPN_NEGOTIATED val = rb_iv_get(self, "@npn_protocols"); if (!NIL_P(val)) { @@ -1242,44 +1180,6 @@ ossl_ssl_s_alloc(VALUE klass) return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL); } -/* - * call-seq: - * SSLSocket.new(io) => aSSLSocket - * SSLSocket.new(io, ctx) => aSSLSocket - * - * Creates a new SSL socket from +io+ which must be a real ruby object (not an - * IO-like object that responds to read/write). - * - * If +ctx+ is provided the SSL Sockets initial params will be taken from - * the context. - * - * The OpenSSL::Buffering module provides additional IO methods. - * - * This method will freeze the SSLContext if one is provided; - * however, session management is still allowed in the frozen SSLContext. - */ -static VALUE -ossl_ssl_initialize(int argc, VALUE *argv, VALUE self) -{ - VALUE io, ctx; - - if (rb_scan_args(argc, argv, "11", &io, &ctx) == 1) { - ctx = rb_funcall(cSSLContext, rb_intern("new"), 0); - } - OSSL_Check_Kind(ctx, cSSLContext); - Check_Type(io, T_FILE); - ossl_ssl_set_io(self, io); - ossl_ssl_set_ctx(self, ctx); - ossl_ssl_set_sync_close(self, Qfalse); - ossl_sslctx_setup(ctx); - - rb_iv_set(self, "@hostname", Qnil); - - rb_call_super(0, 0); - - return self; -} - static VALUE ossl_ssl_setup(VALUE self) { @@ -1317,12 +1217,6 @@ ossl_ssl_setup(VALUE self) SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self); cb = ossl_sslctx_get_verify_cb(v_ctx); SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb); - cb = ossl_sslctx_get_client_cert_cb(v_ctx); - SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb); - cb = ossl_sslctx_get_tmp_dh_cb(v_ctx); - SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb); - cb = ossl_sslctx_get_tmp_ecdh_cb(v_ctx); - SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx, (void*)cb); SSL_set_info_callback(ssl, ssl_info_cb); } @@ -1362,14 +1256,23 @@ read_would_block(int nonblock) } } +static int +no_exception_p(VALUE opts) +{ + if (RB_TYPE_P(opts, T_HASH) && + rb_hash_lookup2(opts, sym_exception, Qundef) == Qfalse) + return 1; + return 0; +} + static VALUE -ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, - int nonblock, int no_exception) +ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts) { SSL *ssl; rb_io_t *fptr; int ret, ret2; VALUE cb_state; + int nonblock = opts != Qfalse; rb_ivar_set(self, ID_callback_state, Qnil); @@ -1388,12 +1291,12 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, switch((ret2 = ssl_get_error(ssl, ret))){ case SSL_ERROR_WANT_WRITE: - if (no_exception) { return sym_wait_writable; } + if (no_exception_p(opts)) { return sym_wait_writable; } write_would_block(nonblock); rb_io_wait_writable(FPTR_TO_FD(fptr)); continue; case SSL_ERROR_WANT_READ: - if (no_exception) { return sym_wait_readable; } + if (no_exception_p(opts)) { return sym_wait_readable; } read_would_block(nonblock); rb_io_wait_readable(FPTR_TO_FD(fptr)); continue; @@ -1419,15 +1322,8 @@ static VALUE ossl_ssl_connect(VALUE self) { ossl_ssl_setup(self); - return ossl_start_ssl(self, SSL_connect, "SSL_connect", 0, 0); -} -static int -get_no_exception(VALUE opts) -{ - if (!NIL_P(opts) && Qfalse == rb_hash_lookup2(opts, sym_exception, Qundef)) - return 1; - return 0; + return ossl_start_ssl(self, SSL_connect, "SSL_connect", Qfalse); } /* @@ -1455,14 +1351,12 @@ get_no_exception(VALUE opts) static VALUE ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self) { - int no_exception; - VALUE opts = Qnil; - + VALUE opts; rb_scan_args(argc, argv, "0:", &opts); - no_exception = get_no_exception(opts); ossl_ssl_setup(self); - return ossl_start_ssl(self, SSL_connect, "SSL_connect", 1, no_exception); + + return ossl_start_ssl(self, SSL_connect, "SSL_connect", opts); } /* @@ -1476,7 +1370,8 @@ static VALUE ossl_ssl_accept(VALUE self) { ossl_ssl_setup(self); - return ossl_start_ssl(self, SSL_accept, "SSL_accept", 0, 0); + + return ossl_start_ssl(self, SSL_accept, "SSL_accept", Qfalse); } /* @@ -1504,14 +1399,12 @@ ossl_ssl_accept(VALUE self) static VALUE ossl_ssl_accept_nonblock(int argc, VALUE *argv, VALUE self) { - int no_exception; - VALUE opts = Qnil; + VALUE opts; rb_scan_args(argc, argv, "0:", &opts); - no_exception = get_no_exception(opts); - ossl_ssl_setup(self); - return ossl_start_ssl(self, SSL_accept, "SSL_accept", 1, no_exception); + + return ossl_start_ssl(self, SSL_accept, "SSL_accept", opts); } static VALUE @@ -1519,13 +1412,15 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock) { SSL *ssl; int ilen, nread = 0; - int no_exception; VALUE len, str; rb_io_t *fptr; VALUE opts = Qnil; - rb_scan_args(argc, argv, "11:", &len, &str, &opts); - no_exception = get_no_exception(opts); + if (nonblock) { + rb_scan_args(argc, argv, "11:", &len, &str, &opts); + } else { + rb_scan_args(argc, argv, "11", &len, &str); + } ilen = NUM2INT(len); if(NIL_P(str)) str = rb_str_new(0, ilen); @@ -1547,21 +1442,21 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock) case SSL_ERROR_NONE: goto end; case SSL_ERROR_ZERO_RETURN: - if (no_exception) { return Qnil; } + if (no_exception_p(opts)) { return Qnil; } rb_eof_error(); case SSL_ERROR_WANT_WRITE: - if (no_exception) { return sym_wait_writable; } + if (no_exception_p(opts)) { return sym_wait_writable; } write_would_block(nonblock); rb_io_wait_writable(FPTR_TO_FD(fptr)); continue; case SSL_ERROR_WANT_READ: - if (no_exception) { return sym_wait_readable; } + if (no_exception_p(opts)) { return sym_wait_readable; } read_would_block(nonblock); rb_io_wait_readable(FPTR_TO_FD(fptr)); continue; case SSL_ERROR_SYSCALL: if(ERR_peek_error() == 0 && nread == 0) { - if (no_exception) { return Qnil; } + if (no_exception_p(opts)) { return Qnil; } rb_eof_error(); } rb_sys_fail(0); @@ -1621,11 +1516,12 @@ ossl_ssl_read_nonblock(int argc, VALUE *argv, VALUE self) } static VALUE -ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock, int no_exception) +ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts) { SSL *ssl; int nwrite = 0; rb_io_t *fptr; + int nonblock = opts != Qfalse; StringValue(str); GetSSL(self, ssl); @@ -1638,12 +1534,12 @@ ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock, int no_exception) case SSL_ERROR_NONE: goto end; case SSL_ERROR_WANT_WRITE: - if (no_exception) { return sym_wait_writable; } + if (no_exception_p(opts)) { return sym_wait_writable; } write_would_block(nonblock); rb_io_wait_writable(FPTR_TO_FD(fptr)); continue; case SSL_ERROR_WANT_READ: - if (no_exception) { return sym_wait_readable; } + if (no_exception_p(opts)) { return sym_wait_readable; } read_would_block(nonblock); rb_io_wait_readable(FPTR_TO_FD(fptr)); continue; @@ -1673,7 +1569,7 @@ ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock, int no_exception) static VALUE ossl_ssl_write(VALUE self, VALUE str) { - return ossl_ssl_write_internal(self, str, 0, 0); + return ossl_ssl_write_internal(self, str, Qfalse); } /* @@ -1686,43 +1582,34 @@ ossl_ssl_write(VALUE self, VALUE str) static VALUE ossl_ssl_write_nonblock(int argc, VALUE *argv, VALUE self) { - VALUE str; - VALUE opts = Qnil; - int no_exception; + VALUE str, opts; rb_scan_args(argc, argv, "1:", &str, &opts); - no_exception = get_no_exception(opts); - return ossl_ssl_write_internal(self, str, 1, no_exception); + return ossl_ssl_write_internal(self, str, opts); } /* * call-seq: - * ssl.sysclose => nil + * ssl.stop => nil * - * Shuts down the SSL connection and prepares it for another connection. + * Stops the SSL connection and prepares it for another connection. */ static VALUE -ossl_ssl_close(VALUE self) +ossl_ssl_stop(VALUE self) { SSL *ssl; - VALUE io; /* ossl_ssl_data_get_struct() is not usable here because it may return * from this function; */ GetSSL(self, ssl); - io = ossl_ssl_get_io(self); - if (!RTEST(rb_funcall(io, rb_intern("closed?"), 0))) { - if (ssl) { - ossl_ssl_shutdown(ssl); - SSL_free(ssl); - } - DATA_PTR(self) = NULL; - if (RTEST(ossl_ssl_get_sync_close(self))) - rb_funcall(io, rb_intern("close"), 0); + if (ssl) { + ossl_ssl_shutdown(ssl); + SSL_free(ssl); } + DATA_PTR(self) = NULL; return Qnil; } @@ -1994,7 +1881,9 @@ ossl_ssl_npn_protocol(VALUE self) else return rb_str_new((const char *) out, outlen); } +# endif +# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB /* * call-seq: * ssl.alpn_protocol => String @@ -2035,12 +1924,6 @@ Init_ossl_ssl(void) ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0); ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0); ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0); - ossl_ssl_ex_client_cert_cb_idx = - SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0); - ossl_ssl_ex_tmp_dh_callback_idx = - SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0); - ossl_ssl_ex_tmp_ecdh_callback_idx = - SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_ecdh_callback_idx",0,0,0); /* Document-module: OpenSSL::SSL * @@ -2050,6 +1933,17 @@ Init_ossl_ssl(void) * of SSLContext to set up connections. */ mSSL = rb_define_module_under(mOSSL, "SSL"); + + /* Document-module: OpenSSL::ExtConfig + * + * This module contains configuration information about the SSL extension, + * for example if socket support is enabled, or the host name TLS extension + * is enabled. Constants in this module will always be defined, but contain + * `true` or `false` values depending on the configuration of your OpenSSL + * installation. + */ + mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig"); + /* Document-class: OpenSSL::SSL::SSLError * * Generic error class raised by SSLSocket and SSLContext. @@ -2137,11 +2031,6 @@ Init_ossl_ssl(void) */ rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse); - /* - * Sets various OpenSSL options. - */ - rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse); - /* * An OpenSSL::X509::Store used for certificate verification */ @@ -2175,18 +2064,6 @@ Init_ossl_ssl(void) */ rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse); - /* - * A callback invoked when DH parameters are required. - * - * The callback is invoked with the Session for the key exchange, an - * flag indicating the use of an export cipher and the keylength - * required. - * - * The callback must return an OpenSSL::PKey::DH instance of the correct - * key length. - */ - rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse); - /* * Sets the context in which a session can be reused. This allows * sessions for multiple applications to be distinguished, for example, by @@ -2219,15 +2096,11 @@ Init_ossl_ssl(void) rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse); #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME - /* - * A callback invoked at connect time to distinguish between multiple - * server names. - * - * The callback is invoked with an SSLSocket and a server name. The - * callback must return an SSLContext for the server name or nil. - */ - rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse); + rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue); +#else + rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qfalse); #endif + /* * A callback invoked whenever a new handshake is initiated. May be used * to disable renegotiation entirely. @@ -2316,7 +2189,6 @@ Init_ossl_ssl(void) rb_define_alias(cSSLContext, "ssl_timeout", "timeout"); rb_define_alias(cSSLContext, "ssl_timeout=", "timeout="); - rb_define_method(cSSLContext, "initialize", ossl_sslctx_initialize, -1); rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1); rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0); rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); @@ -2378,6 +2250,8 @@ Init_ossl_ssl(void) rb_define_method(cSSLContext, "session_cache_size=", ossl_sslctx_set_session_cache_size, 1); rb_define_method(cSSLContext, "session_cache_stats", ossl_sslctx_get_session_cache_stats, 0); rb_define_method(cSSLContext, "flush_sessions", ossl_sslctx_flush_sessions, -1); + rb_define_method(cSSLContext, "options", ossl_sslctx_get_options, 0); + rb_define_method(cSSLContext, "options=", ossl_sslctx_set_options, 1); ary = rb_ary_new2(numberof(ossl_ssl_method_tab)); for (i = 0; i < numberof(ossl_ssl_method_tab); i++) { @@ -2396,15 +2270,10 @@ Init_ossl_ssl(void) */ cSSLSocket = rb_define_class_under(mSSL, "SSLSocket", rb_cObject); #ifdef OPENSSL_NO_SOCK - rb_define_method(cSSLSocket, "initialize", rb_notimplement, -1); + rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue); #else + rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse); rb_define_alloc_func(cSSLSocket, ossl_ssl_s_alloc); - for(i = 0; i < numberof(ossl_ssl_attr_readers); i++) - rb_attr(cSSLSocket, rb_intern(ossl_ssl_attr_readers[i]), 1, 0, Qfalse); - for(i = 0; i < numberof(ossl_ssl_attrs); i++) - rb_attr(cSSLSocket, rb_intern(ossl_ssl_attrs[i]), 1, 1, Qfalse); - rb_define_alias(cSSLSocket, "to_io", "io"); - rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1); rb_define_method(cSSLSocket, "connect", ossl_ssl_connect, 0); rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, -1); rb_define_method(cSSLSocket, "accept", ossl_ssl_accept, 0); @@ -2413,7 +2282,7 @@ Init_ossl_ssl(void) rb_define_private_method(cSSLSocket, "sysread_nonblock", ossl_ssl_read_nonblock, -1); rb_define_method(cSSLSocket, "syswrite", ossl_ssl_write, 1); rb_define_private_method(cSSLSocket, "syswrite_nonblock", ossl_ssl_write_nonblock, -1); - rb_define_method(cSSLSocket, "sysclose", ossl_ssl_close, 0); + rb_define_private_method(cSSLSocket, "stop", ossl_ssl_stop, 0); rb_define_method(cSSLSocket, "cert", ossl_ssl_get_cert, 0); rb_define_method(cSSLSocket, "peer_cert", ossl_ssl_get_peer_cert, 0); rb_define_method(cSSLSocket, "peer_cert_chain", ossl_ssl_get_peer_cert_chain, 0); @@ -2434,7 +2303,7 @@ Init_ossl_ssl(void) # endif #endif -#define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2NUM(SSL_##x)) +#define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, LONG2NUM(SSL_##x)) ossl_ssl_def_const(VERIFY_NONE); ossl_ssl_def_const(VERIFY_PEER); diff --git a/ext/openssl/ossl_ssl.h b/ext/openssl/ossl_ssl.h index aa5a550c..f92f0289 100644 --- a/ext/openssl/ossl_ssl.h +++ b/ext/openssl/ossl_ssl.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -39,4 +38,3 @@ void Init_ossl_ssl(void); void Init_ossl_ssl_session(void); #endif /* _OSSL_SSL_H_ */ - diff --git a/ext/openssl/ossl_version.h b/ext/openssl/ossl_version.h index 605da19c..dcd026a1 100644 --- a/ext/openssl/ossl_version.h +++ b/ext/openssl/ossl_version.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index 332146a3..2fd14566 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -101,4 +100,3 @@ Init_ossl_x509(void) DefX509Default(CERT_FILE_ENV, cert_file_env); DefX509Default(PRIVATE_DIR, private_dir); } - diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h index c803a59f..8e9b2330 100644 --- a/ext/openssl/ossl_x509.h +++ b/ext/openssl/ossl_x509.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c index 10e511d2..d0f41c6b 100644 --- a/ext/openssl/ossl_x509attr.c +++ b/ext/openssl/ossl_x509attr.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 376db679..b1d57bf3 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -861,4 +860,3 @@ Init_ossl_x509cert(void) rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1); rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0); } - diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index 7133c7a9..7293fce5 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -552,4 +551,3 @@ Init_ossl_x509crl(void) rb_define_method(cX509CRL, "extensions=", ossl_x509crl_set_extensions, 1); rb_define_method(cX509CRL, "add_extension", ossl_x509crl_add_extension, 1); } - diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c index 1e65f2bc..70a117cc 100644 --- a/ext/openssl/ossl_x509ext.c +++ b/ext/openssl/ossl_x509ext.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c index 565a7cd1..a0e28e29 100644 --- a/ext/openssl/ossl_x509name.c +++ b/ext/openssl/ossl_x509name.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c index aa5c423c..05d7ef99 100644 --- a/ext/openssl/ossl_x509req.c +++ b/ext/openssl/ossl_x509req.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -483,4 +482,3 @@ Init_ossl_x509req(void) rb_define_method(cX509Req, "attributes=", ossl_x509req_set_attributes, 1); rb_define_method(cX509Req, "add_attribute", ossl_x509req_add_attribute, 1); } - diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c index 5c257f4f..0a949e76 100644 --- a/ext/openssl/ossl_x509revoked.c +++ b/ext/openssl/ossl_x509revoked.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. @@ -244,4 +243,3 @@ Init_ossl_x509revoked(void) rb_define_method(cX509Rev, "extensions=", ossl_x509revoked_set_extensions, 1); rb_define_method(cX509Rev, "add_extension", ossl_x509revoked_add_extension, 1); } - diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index fbb83159..bb6fe14d 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2002 Michal Rokos * All rights reserved. diff --git a/ext/openssl/ruby_missing.h b/ext/openssl/ruby_missing.h index a43f9425..d7384ec3 100644 --- a/ext/openssl/ruby_missing.h +++ b/ext/openssl/ruby_missing.h @@ -1,5 +1,4 @@ /* - * $Id$ * 'OpenSSL for Ruby' project * Copyright (C) 2001-2003 Michal Rokos * All rights reserved. diff --git a/lib/openssl.rb b/lib/openssl.rb index 1c8feb5c..57f6f970 100644 --- a/lib/openssl.rb +++ b/lib/openssl.rb @@ -1,6 +1,4 @@ =begin -= $RCSfile$ -- Loader for all OpenSSL C-space and Ruby-space definitions - = Info 'OpenSSL for Ruby 2' project Copyright (C) 2002 Michal Rokos @@ -9,14 +7,12 @@ = Licence This program is licensed under the same licence as Ruby. (See the file 'LICENCE'.) - -= Version - $Id$ =end require 'openssl.so' require 'openssl/bn' +require 'openssl/pkey' require 'openssl/cipher' require 'openssl/config' require 'openssl/digest' diff --git a/lib/openssl/bn.rb b/lib/openssl/bn.rb index 1adf89f7..17148f96 100644 --- a/lib/openssl/bn.rb +++ b/lib/openssl/bn.rb @@ -1,7 +1,5 @@ #-- # -# $RCSfile$ -# # = Ruby-space definitions that completes C-space funcs for BN # # = Info @@ -12,10 +10,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL @@ -42,4 +36,3 @@ class Integer OpenSSL::BN::new(self) end end # Integer - diff --git a/lib/openssl/buffering.rb b/lib/openssl/buffering.rb index 099e9603..a97d9ead 100644 --- a/lib/openssl/buffering.rb +++ b/lib/openssl/buffering.rb @@ -1,7 +1,5 @@ # coding: binary #-- -#= $RCSfile$ -- Buffering mix-in module. -# #= Info # 'OpenSSL for Ruby 2' project # Copyright (C) 2001 GOTOU YUUZOU @@ -10,9 +8,6 @@ #= Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -#= Version -# $Id$ #++ ## @@ -213,7 +208,7 @@ module OpenSSL::Buffering else size = idx ? idx+eol.size : nil end - if limit and limit >= 0 + if size && limit && limit >= 0 size = [size, limit].min end consume_rbuff(size) diff --git a/lib/openssl/cipher.rb b/lib/openssl/cipher.rb index aacb02ad..c7f0aec5 100644 --- a/lib/openssl/cipher.rb +++ b/lib/openssl/cipher.rb @@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space predefined Cipher subclasses # # = Info @@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL diff --git a/lib/openssl/digest.rb b/lib/openssl/digest.rb index a33ff276..8bf85103 100644 --- a/lib/openssl/digest.rb +++ b/lib/openssl/digest.rb @@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space predefined Digest subclasses # # = Info @@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL @@ -85,4 +78,3 @@ module OpenSSL module_function :Digest end # OpenSSL - diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb new file mode 100644 index 00000000..007934f8 --- /dev/null +++ b/lib/openssl/pkey.rb @@ -0,0 +1,36 @@ +module OpenSSL + module PKey + if defined?(OpenSSL::PKey::DH) + + class DH + DEFAULT_512 = new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 +zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC +-----END DH PARAMETERS----- + _end_of_pem_ + + DEFAULT_1024 = new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ +AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR +T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC +-----END DH PARAMETERS----- + _end_of_pem_ + end + + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| + warn "using default DH parameters." if $VERBOSE + case keylen + when 512 then OpenSSL::PKey::DH::DEFAULT_512 + when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 + else + nil + end + } + + else + DEFAULT_TMP_DH_CALLBACK = nil + end + end +end diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 0cab141e..ed19e09a 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -1,6 +1,4 @@ =begin -= $RCSfile$ -- Ruby-space definitions that completes C-space funcs for SSL - = Info 'OpenSSL for Ruby 2' project Copyright (C) 2001 GOTOU YUUZOU @@ -9,13 +7,10 @@ = Licence This program is licensed under the same licence as Ruby. (See the file 'LICENCE'.) - -= Version - $Id$ =end require "openssl/buffering" -require "fcntl" +require "io/nonblock" module OpenSSL module SSL @@ -74,6 +69,48 @@ module OpenSSL DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL end + INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path", + "timeout", "verify_mode", "verify_depth", "renegotiation_cb", + "verify_callback", "cert_store", "extra_chain_cert", + "client_cert_cb", "session_id_context", "tmp_dh_callback", + "session_get_cb", "session_new_cb", "session_remove_cb", + "tmp_ecdh_callback", "servername_cb", "npn_protocols", + "alpn_protocols", "alpn_select_cb", + "npn_select_cb"].map { |x| "@#{x}" } + + # A callback invoked when DH parameters are required. + # + # The callback is invoked with the Session for the key exchange, an + # flag indicating the use of an export cipher and the keylength + # required. + # + # The callback must return an OpenSSL::PKey::DH instance of the correct + # key length. + + attr_accessor :tmp_dh_callback + + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + # A callback invoked at connect time to distinguish between multiple + # server names. + # + # The callback is invoked with an SSLSocket and a server name. The + # callback must return an SSLContext for the server name or nil. + attr_accessor :servername_cb + end + + # call-seq: + # SSLContext.new => ctx + # SSLContext.new(:TLSv1) => ctx + # SSLContext.new("SSLv23_client") => ctx + # + # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS + def initialize(version = nil) + INIT_VARS.each { |v| instance_variable_set v, nil } + self.options = self.options | OpenSSL::SSL::OP_ALL + return unless version + self.ssl_version = version + end + ## # Sets the parameters for this SSL context to the values in +params+. # The keys in +params+ must be assignment methods on SSLContext. @@ -124,15 +161,6 @@ module OpenSSL end end - module Nonblock - def initialize(*args) - flag = File::NONBLOCK - flag |= @io.fcntl(Fcntl::F_GETFL) if defined?(Fcntl::F_GETFL) - @io.fcntl(Fcntl::F_SETFL, flag) - super - end - end - def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| @@ -220,7 +248,53 @@ module OpenSSL class SSLSocket include Buffering include SocketForwarder - include Nonblock + + if OpenSSL::ExtConfig::OPENSSL_NO_SOCK + def initialize(io, ctx = nil); raise NotImplmentedError; end + else + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + attr_accessor :hostname + end + + attr_reader :io, :context + attr_accessor :sync_close + alias :to_io :io + + # call-seq: + # SSLSocket.new(io) => aSSLSocket + # SSLSocket.new(io, ctx) => aSSLSocket + # + # Creates a new SSL socket from +io+ which must be a real ruby object (not an + # IO-like object that responds to read/write). + # + # If +ctx+ is provided the SSL Sockets initial params will be taken from + # the context. + # + # The OpenSSL::Buffering module provides additional IO methods. + # + # This method will freeze the SSLContext if one is provided; + # however, session management is still allowed in the frozen SSLContext. + + def initialize(io, context = OpenSSL::SSL::SSLContext.new) + @io = io + @context = context + @sync_close = false + @hostname = nil + @io.nonblock = true if @io.respond_to?(:nonblock=) + context.setup + super() + end + end + + # call-seq: + # ssl.sysclose => nil + # + # Shuts down the SSL connection and prepares it for another connection. + def sysclose + return if closed? + stop + io.close if sync_close + end ## # Perform hostname verification after an SSL connection is established @@ -228,6 +302,14 @@ module OpenSSL # This method MUST be called after calling #connect to ensure that the # hostname of a remote peer has been verified. def post_connection_check(hostname) + if peer_cert.nil? + msg = "Peer verification enabled, but no certificate received." + if using_anon_cipher? + msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification." + end + raise SSLError, msg + end + unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" end @@ -239,6 +321,34 @@ module OpenSSL rescue SSL::Session::SessionError nil end + + private + + def using_anon_cipher? + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + ctx.ciphers.include?(cipher) + end + + def client_cert_cb + @context.client_cert_cb + end + + def tmp_dh_callback + @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK + end + + def tmp_ecdh_callback + @context.tmp_ecdh_callback + end + + def session_new_cb + @context.session_new_cb + end + + def session_get_cb + @context.session_get_cb + end end ## diff --git a/lib/openssl/x509.rb b/lib/openssl/x509.rb index 497ffe0a..e76c6b8c 100644 --- a/lib/openssl/x509.rb +++ b/lib/openssl/x509.rb @@ -1,7 +1,4 @@ #-- -# -# $RCSfile$ -# # = Ruby-space definitions that completes C-space funcs for X509 and subclasses # # = Info @@ -12,10 +9,6 @@ # = Licence # This program is licensed under the same licence as Ruby. # (See the file 'LICENCE'.) -# -# = Version -# $Id$ -# #++ module OpenSSL diff --git a/test/test_cipher.rb b/test/test_cipher.rb index 81ded0ae..6f92c381 100644 --- a/test/test_cipher.rb +++ b/test/test_cipher.rb @@ -107,7 +107,7 @@ class OpenSSL::TestCipher < Test::Unit::TestCase begin assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name)) rescue OpenSSL::Cipher::CipherError => e - next if /wrap\z/ =~ name and e.message == 'wrap mode not allowed' + next if /wrap/ =~ name and e.message == 'wrap mode not allowed' raise end } diff --git a/test/test_pair.rb b/test/test_pair.rb index 6ad57fed..ee77aebd 100644 --- a/test/test_pair.rb +++ b/test/test_pair.rb @@ -86,7 +86,7 @@ module OpenSSL::TestEOF1M th = Thread.new { s2 << content; s2.close } yield s1 ensure - th.join + th.join if th s1.close end end @@ -97,7 +97,7 @@ module OpenSSL::TestEOF2M th = Thread.new { s1 << content; s1.close } yield s2 ensure - th.join + th.join if th s2.close end end @@ -110,6 +110,14 @@ module OpenSSL::TestPairM } end + def test_gets_eof_limit + ssl_pair {|s1, s2| + s1.write("hello") + s1.close # trigger EOF + assert_match "hello", s2.gets("\n", 6), "[ruby-core:70149] [Bug #11140]" + } + end + def test_readpartial ssl_pair {|s1, s2| s2.write "a\nbcd" @@ -283,45 +291,94 @@ module OpenSSL::TestPairM serv.close if serv && !serv.closed? end - if OpenSSL::SSL::SSLContext.new.respond_to?(:tmp_ecdh_callback) - def test_ecdh_callback - called = false - ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "ECDH" - ctx2.tmp_ecdh_callback = ->(*args) { - called = true - OpenSSL::PKey::EC.new "prime256v1" - } + def test_connect_works_when_setting_dh_callback_to_nil + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.tmp_dh_callback = nil + sock1, sock2 = tcp_pair + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + accepted = s2.accept_nonblock(exception: false) - sock1, sock2 = tcp_pair + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + ctx1.tmp_dh_callback = nil + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + t = Thread.new { s1.connect } - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "ECDH" + accept = s2.accept + assert_equal s1, t.value + assert accept + ensure + t.join if t + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end - s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) - th = Thread.new do - begin - rv = s1.connect_nonblock(exception: false) - case rv - when :wait_writable - IO.select(nil, [s1], nil, 5) - when :wait_readable - IO.select([s1], nil, nil, 5) - end - end until rv == s1 - end + def test_connect_without_setting_dh_callback + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + sock1, sock2 = tcp_pair + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + accepted = s2.accept_nonblock(exception: false) - accepted = s2.accept + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + t = Thread.new { s1.connect } - assert called, 'ecdh callback should be called' - ensure - s1.close if s1 - s2.close if s2 - sock1.close if sock1 - sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) + accept = s2.accept + assert_equal s1, t.value + assert accept + ensure + t.join if t + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + + def test_ecdh_callback + called = false + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "ECDH" + ctx2.tmp_ecdh_callback = ->(*args) { + called = true + OpenSSL::PKey::EC.new "prime256v1" + } + + sock1, sock2 = tcp_pair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "ECDH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + th = Thread.new do + begin + rv = s1.connect_nonblock(exception: false) + case rv + when :wait_writable + IO.select(nil, [s1], nil, 5) + when :wait_readable + IO.select([s1], nil, nil, 5) + end + end until rv == s1 end + + accepted = s2.accept + + assert called, 'ecdh callback should be called' + ensure + th.join if th + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) end def test_connect_accept_nonblock_no_exception @@ -364,6 +421,7 @@ module OpenSSL::TestPairM assert_includes([s1, :wait_readable, :wait_writable ], rv) end ensure + th.join if th s1.close if s1 s2.close if s2 sock1.close if sock1 @@ -415,7 +473,7 @@ module OpenSSL::TestPairM s1.print "a\ndef" assert_equal("a\n", s2.gets) ensure - th.join + th.join if th s1.close if s1 && !s1.closed? s2.close if s2 && !s2.closed? sock1.close if sock1 && !sock1.closed? diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 8bf98166..040d0309 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -6,6 +6,27 @@ class OpenSSL::TestPKeyDH < Test::Unit::TestCase NEW_KEYLEN = 256 + def test_DEFAULT_512 + params = <<-eop +-----BEGIN DH PARAMETERS----- +MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 +zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC +-----END DH PARAMETERS----- + eop + assert_equal params, OpenSSL::PKey::DH::DEFAULT_512.to_s + end + + def test_DEFAULT_1024 + params = <<-eop +-----BEGIN DH PARAMETERS----- +MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ +AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR +T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC +-----END DH PARAMETERS----- + eop + assert_equal params, OpenSSL::PKey::DH::DEFAULT_1024.to_s + end + def test_new dh = OpenSSL::PKey::DH.new(NEW_KEYLEN) assert_key(dh) diff --git a/test/test_ssl.rb b/test/test_ssl.rb index 07ae6f5c..f11190b8 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -10,6 +10,44 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase assert_equal(ctx.setup, nil) end + def test_ctx_setup_invalid + m = OpenSSL::SSL::SSLContext::METHODS.first + assert_raise(ArgumentError.new("string contains null byte")) { + OpenSSL::SSL::SSLContext.new("#{m}\0") + } + assert_raise(ArgumentError.new("unknown SSL method `\u{ff33 ff33 ff2c}'.")) { + OpenSSL::SSL::SSLContext.new("\u{ff33 ff33 ff2c}") + } + end + + def test_options_defaults_to_OP_ALL_on + ctx = OpenSSL::SSL::SSLContext.new + assert_equal(OpenSSL::SSL::OP_ALL, (OpenSSL::SSL::OP_ALL & ctx.options)) + end + + def test_setting_twice + ctx = OpenSSL::SSL::SSLContext.new + ctx.options = 4 + assert_equal 4, ctx.options + ctx.options = OpenSSL::SSL::OP_ALL + assert_equal OpenSSL::SSL::OP_ALL, ctx.options + end + + def test_options_setting_nil_means_all + ctx = OpenSSL::SSL::SSLContext.new + ctx.options = nil + assert_equal OpenSSL::SSL::OP_ALL, ctx.options + end + + def test_setting_options_raises_after_setup + ctx = OpenSSL::SSL::SSLContext.new + options = ctx.options + ctx.setup + assert_raise(RuntimeError) do + ctx.options = options + end + end + def test_ctx_setup_no_compression ctx = OpenSSL::SSL::SSLContext.new ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION @@ -29,7 +67,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_not_started_session pend "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM open(__FILE__) do |f| - assert_nil OpenSSL::SSL::SSLSocket.new(f).cert + assert_nil EnvUtil.suppress_warning { OpenSSL::SSL::SSLSocket.new(f).cert } end end @@ -60,6 +98,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end + def test_ssl_sysread_blocking_error + start_server(OpenSSL::SSL::VERIFY_NONE, true) { |server, port| + server_connect(port) { |ssl| + ssl.write("abc\n") + assert_raise(TypeError) { ssl.sysread(4, exception: false) } + buf = '' + assert_raise(ArgumentError) { ssl.sysread(4, buf, exception: false) } + assert_equal '', buf + assert_equal buf.object_id, ssl.sysread(4, buf).object_id + assert_equal "abc\n", buf + } + } + end + def test_connect_and_close start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port| sock = TCPSocket.new("127.0.0.1", port) @@ -351,6 +403,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end + def test_post_connect_check_with_anon_ciphers + sslerr = OpenSSL::SSL::SSLError + + start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + server_connect(port, ctx) { |ssl| + msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \ + "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification." + assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")} + } + } + end + def test_post_connection_check sslerr = OpenSSL::SSL::SSLError @@ -593,6 +659,176 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase cert end + def socketpair + if defined? UNIXSocket + UNIXSocket.pair + else + Socket.pair(Socket::AF_INET, Socket::SOCK_STREAM, 0) + end + end + + def test_servername_cb_sets_context_on_the_socket + hostname = 'example.org' + + ctx3 = OpenSSL::SSL::SSLContext.new + ctx3.ciphers = "DH" + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.servername_cb = lambda { |args| ctx3 } + + sock1, sock2 = socketpair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + s1.hostname = hostname + t = Thread.new { s1.connect } + + assert_equal ctx2, s2.context + accepted = s2.accept + assert_equal ctx3, s2.context + assert t.value + ensure + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + + def test_servername_cb_raises_an_exception_on_unknown_objects + hostname = 'example.org' + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.servername_cb = lambda { |args| Object.new } + + sock1, sock2 = socketpair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + s1.hostname = hostname + t = Thread.new { + assert_raise(OpenSSL::SSL::SSLError) do + s1.connect + end + } + + assert_raise(ArgumentError) do + s2.accept + end + + assert t.join + ensure + sock1.close if sock1 + sock2.close if sock2 + end + + def test_servername_cb_calls_setup_on_returned_ctx + hostname = 'example.org' + + ctx3 = OpenSSL::SSL::SSLContext.new + ctx3.ciphers = "DH" + refute_predicate ctx3, :frozen? + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.servername_cb = lambda { |args| ctx3 } + + sock1, sock2 = socketpair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + s1.hostname = hostname + t = Thread.new { s1.connect } + + accepted = s2.accept + assert t.value + assert_predicate ctx3, :frozen? + ensure + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + + def test_servername_cb_can_return_nil + hostname = 'example.org' + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.servername_cb = lambda { |args| nil } + + sock1, sock2 = socketpair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + s1.hostname = hostname + t = Thread.new { s1.connect } + + accepted = s2.accept + assert t.value + ensure + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + + def test_servername_cb + lambda_called = nil + cb_socket = nil + hostname = 'example.org' + + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "DH" + ctx2.servername_cb = lambda do |args| + cb_socket = args[0] + lambda_called = args[1] + ctx2 + end + + sock1, sock2 = socketpair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "DH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + s1.hostname = hostname + t = Thread.new { s1.connect } + + accepted = s2.accept + assert t.value + assert_equal hostname, lambda_called + assert_equal s2, cb_socket + ensure + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + def test_tlsext_hostname return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname) @@ -676,7 +912,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase # that has been marked as forbidden, therefore either of these may be raised HANDSHAKE_ERRORS = [OpenSSL::SSL::SSLError, Errno::ECONNRESET] -if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1 +if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1) && OpenSSL::SSL::SSLContext::METHODS.include?(:SSLv3) def test_forbid_ssl_v3_for_client ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3 } @@ -938,7 +1174,7 @@ end ssl = ctx ? OpenSSL::SSL::SSLSocket.new(sock, ctx) : OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true ssl.connect - yield ssl + yield ssl if block_given? ensure if ssl ssl.close diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb index 16432bcb..28d268e7 100644 --- a/test/test_ssl_session.rb +++ b/test/test_ssl_session.rb @@ -44,7 +44,7 @@ tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM= end def test_session - timeout(5) do + Timeout.timeout(5) do start_server(OpenSSL::SSL::VERIFY_NONE, true) do |server, port| sock = TCPSocket.new("127.0.0.1", port) ctx = OpenSSL::SSL::SSLContext.new("TLSv1") @@ -316,6 +316,7 @@ __EOS__ ctx_proc = Proc.new { |ctx, ssl| ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER + ctx.options = OpenSSL::SSL::OP_NO_TICKET last_server_session = nil # get_cb is called whenever a client proposed to resume a session but @@ -355,13 +356,13 @@ __EOS__ 3.times do sock = TCPSocket.new("127.0.0.1", port) begin - ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new("SSLv3")) + ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new()) ssl.sync_close = true ssl.session = last_client_session if last_client_session ssl.connect last_client_session = ssl.session ssl.close - timeout(5) do + Timeout.timeout(5) do Thread.pass until called.key?(:new) assert(called.delete(:new)) Thread.pass until called.key?(:remove) -- cgit v1.2.3