author | Kazuki Yamaguchi <k@rhe.jp> | 2016-05-31 23:25:07 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-06-06 11:29:39 +0900 |
commit | 62e5c73e03eb780a23d551672bea7ec92b0047ac (patch) | |
tree | da0b603f4e3c45d55b5e85e65d8a5e0a4c258ca9 /ext/openssl/ossl_ssl.c | |
parent | 3d47d055b304de38da732ee9895933580ed98bd6 (diff) | |
download | ruby-62e5c73e03eb780a23d551672bea7ec92b0047ac.tar.gz |
ext/openssl: add SSLContext#security_level, #security_level=
OpenSSL 1.1.0 introduced "security level" and these methods deal with
it.
This patch also includes many test changes, which set the level to 0.
The default security level is 1 and this prohibits aNULL ciphers.
Diffstat (limited to 'ext/openssl/ossl_ssl.c')
-rw-r--r-- | ext/openssl/ossl_ssl.c | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index f0b8d80cb4..d9dd4b5c9f 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1074,6 +1074,66 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
 #endif
 
 /*
+ * call-seq:
+ * ctx.security_level => 0, .., 5
+ *
+ * The security level for this context. This is new in OpenSSL 1.1.0 and
+ * always returns 0 if using older OpenSSL.
+ */
+static VALUE
+ossl_sslctx_get_security_level(VALUE self)
+{
+ SSL_CTX *ctx;
+ int i;
+
+ GetSSLCTX(self, ctx);
+ if (!ctx) {
+ rb_warning("SSL_CTX is not initialized.");
+ return Qnil;
+ }
+
+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
+ i = SSL_CTX_get_security_level(ctx);
+#else
+ i = 0;
+#endif
+ return INT2FIX(i);
+}
+
+/*
+ * call-seq:
+ * ctx.security_level = 0
+ * ctx.security_level = 5
+ *
+ * Sets the security level for this context. This is new in OpenSSL 1.1.0.
+ * If using older OpenSSL, setting a value other than 0 raises
+ * NotImplementedError.
+ *
+ * See the manpage of SSL_CTX_set_security_level(3) for details.
+ */
+static VALUE
+ossl_sslctx_set_security_level(VALUE self, VALUE v)
+{
+ SSL_CTX *ctx;
+
+ rb_check_frozen(self);
+
+ GetSSLCTX(self, ctx);
+ if (!ctx)
+ ossl_raise(eSSLError, "SSL_CTX is not initialized.");
+
+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
+ SSL_CTX_set_security_level(ctx, NUM2INT(v));
+#else
+ if (NUM2INT(v) != 0)
+ ossl_raise(rb_eNotImpError, "setting security level != 0 is not "
+ "supported in this version of OpenSSL");
+#endif
+
+ return v;
+}
+
+/*
 * call-seq:
 * ctx.session_add(session) -> true | false
 *
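Review bot: In ossl_sslctx_set_security_level the call to SSL_CTX_set_security_level is guarded by HAVE_SSL_CTX_GET_SECURITY_LEVEL, the feature macro for the getter; unless the build script deliberately probes only the getter, the setter should be gated on its own availability check so a build that detects one function but not the other cannot fail to compile or silently fall into the `#else` branch. The setter also forwards `NUM2INT(v)` to OpenSSL without validation, so values outside the `0, .., 5` range the call-seq documents are passed through as-is; either reject them (`if (NUM2INT(v) < 0) ossl_raise(rb_eArgError, "security level must be >= 0");`) or state in the doc comment how out-of-range values are treated. Since the commit message notes that the default level 1 is what prohibits aNULL ciphers, the setter's doc comment should also make the consequence of lowering it explicit, e.g. ` * Lowering the level below the default of 1 re-enables weaker algorithms (aNULL ciphers at level 0).`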
@@ -2388,6 +2448,8 @@ Init_ossl_ssl(void)
 rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
 rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
 rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
+ rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
+ rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
 rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0); |