diff options
| author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-04-04 15:06:46 +0000 |
|---|---|---|
| committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-04-04 15:06:46 +0000 |
| commit | 176976db33fd8dd7b03c3dc23006b56d06cf1e8f (patch) | |
| tree | 1d7b341793099e68419425a1bcb877fbb7a79dfc /ext | |
| parent | 990d709eeb04640f1909ba23ec81031c75408bac (diff) | |
| download | ruby-176976db33fd8dd7b03c3dc23006b56d06cf1e8f.tar.gz | |
openssl: Access to ephemeral TLS session key
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
TLS session key in case of forward secrecy cipher. Only
available since OpenSSL 1.0.2. [Fix GH-1318]
* ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/openssl/extconf.rb | 1 | ||||
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 22 |
2 files changed, 23 insertions, 0 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 0b7fa2aaf9..c36a7021e4 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -111,6 +111,7 @@ have_func("TLSv1_2_server_method") have_func("TLSv1_2_client_method") have_func("SSL_CTX_set_alpn_select_cb") have_func("SSL_CTX_set_next_proto_select_cb") +have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY") unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") end diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 5fcd2145c3..96c7990046 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1912,6 +1912,25 @@ ossl_ssl_alpn_protocol(VALUE self) return rb_str_new((const char *) out, outlen); } # endif + +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY +/* + * call-seq: + * ssl.tmp_key => PKey or nil + * + * Returns the ephemeral key used in case of forward secrecy cipher + */ +static VALUE +ossl_ssl_tmp_key(VALUE self) +{ + SSL *ssl; + EVP_PKEY *key; + ossl_ssl_data_get_struct(self, ssl); + if (!SSL_get_server_tmp_key(ssl, &key)) + return Qnil; + return ossl_pkey_new(key); +} +# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */ #endif /* !defined(OPENSSL_NO_SOCK) */ void @@ -2306,6 +2325,9 @@ Init_ossl_ssl(void) rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0); rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0); +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY + rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); +# endif # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); # endif |