From 0d0067f3d03ef1bedf0a1e9da66606a381c77d7c Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Tue, 26 Apr 2016 16:29:40 +0900
Subject: ext/openssl: add SSLContext#security_level, #security_level=

OpenSSL 1.1.0 introduced "security level" and these methods deal with
it.

This patch includes many test changes: setting the level to 0.
The default security level is 1 and this prohibits aNULL ciphers.
---
 ext/openssl/ossl_ssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

(limited to 'ext/openssl/ossl_ssl.c')

diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 2af2fc0824..c4ed30591c 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -962,6 +962,59 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
     return v;
 }
 
+/*
+ * call-seq:
+ *    ctx.security_level => 0, .., 5
+ *
+ * The security level for this context. This is new in OpenSSL 1.1.0 and
+ * always returns 0 if using older OpenSSL.
+ */
+static VALUE
+ossl_sslctx_get_security_level(VALUE self)
+{
+    SSL_CTX *ctx;
+    int i;
+
+    GetSSLCTX(self, ctx);
+    if (!ctx) {
+	rb_warning("SSL_CTX is not initialized.");
+	return Qnil;
+    }
+
+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
+    i = SSL_CTX_get_security_level(ctx);
+#else
+    i = 0;
+#endif
+    return INT2FIX(i);
+}
+
+/*
+ * call-seq:
+ *    ctx.security_level = 0
+ *    ctx.security_level = 5
+ *
+ * Sets the security level for this context. This is new in OpenSSL 1.1.0 and
+ * no-op if using older OpenSSL.
+ */
+static VALUE
+ossl_sslctx_set_security_level(VALUE self, VALUE v)
+{
+    SSL_CTX *ctx;
+
+    rb_check_frozen(self);
+
+    GetSSLCTX(self, ctx);
+    if (!ctx)
+	ossl_raise(eSSLError, "SSL_CTX is not initialized.");
+
+#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
+    SSL_CTX_set_security_level(ctx, NUM2INT(v));
+#endif
+
+    return v;
+}
+
 /*
  *  call-seq:
  *     ctx.session_add(session) -> true | false
@@ -2230,6 +2283,8 @@ Init_ossl_ssl(void)
     rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1);
     rb_define_method(cSSLContext, "ciphers",     ossl_sslctx_get_ciphers, 0);
     rb_define_method(cSSLContext, "ciphers=",    ossl_sslctx_set_ciphers, 1);
+    rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
+    rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
 
     rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
 
-- 
cgit v1.2.3