diff --git a/ChangeLog b/ChangeLog index 0431efc8b7..30bf0d4e1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,28 @@ +Wed Mar 9 19:42:21 2005 GOTOU Yuuzou + + * ext/openssl/ossl_ssl.c: OpenSSL::SSL::SSLContexts suports callbacks: + - SSLContext#client_cert_cb is a Proc. it is called when a client + certificate is requested by a server and no certificate was yet + set for the SSLContext. it must return an Array which includes + OpenSSL::X509::Certificate and OpenSSL::PKey::RSA/DSA objects. + - SSLContext#tmp_dh_callback is called in key exchange with DH + algorithm. it must return an OpenSSL::PKey::DH object. + + * ext/openssl/ossl_ssl.c: + (ossl_sslctx_set_ciphers): ignore the argument if it's nil. + (ossl_start_ssl, ossl_ssl_write): call rb_sys_fail if errno isn't 0. + [ruby-dev:25831] + + * ext/openssl/ossl_pkey.c + (GetPrivPKeyPtr, ossl_pkey_sign): should call rb_funcall first. + (DupPrivPKeyPtr): new function. + + * ext/openssl/ossl_pkey_dh.c: add default DH parameters. + + * ext/openssl/ossl_pkey.h: ditto. + + * ext/openssl/lib/openssl/cipher.rb: fix typo. [ruby-dev:24285] + Wed Mar 9 18:09:51 2005 Yukihiro Matsumoto * parse.y (gettable_gen): warns if VCALL name is used as diff --git a/ext/openssl/lib/openssl/cipher.rb b/ext/openssl/lib/openssl/cipher.rb index 11153104ee..9f8776d6fc 100644 --- a/ext/openssl/lib/openssl/cipher.rb +++ b/ext/openssl/lib/openssl/cipher.rb @@ -20,7 +20,7 @@ module OpenSSL module Cipher - %w(AES Cast5 BF DES Idea RC2 RC4 RC5).each{|cipher| + %w(AES CAST5 BF DES IDEA RC2 RC4 RC5).each{|cipher| eval(<<-EOD) class #{cipher} < Cipher def initialize(*args) diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 1a38a2c1d7..c338cbfd82 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -96,10 +96,21 @@ GetPrivPKeyPtr(VALUE obj) { EVP_PKEY *pkey; - SafeGetPKey(obj, pkey); - if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */ + if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { ossl_raise(rb_eArgError, "Private key is needed."); } + SafeGetPKey(obj, pkey); + + return pkey; +} + +EVP_PKEY * +DupPKeyPtr(VALUE obj) +{ + EVP_PKEY *pkey; + + SafeGetPKey(obj, pkey); + CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); return pkey; } @@ -109,10 +120,10 @@ DupPrivPKeyPtr(VALUE obj) { EVP_PKEY *pkey; - SafeGetPKey(obj, pkey); - if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */ + if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { ossl_raise(rb_eArgError, "Private key is needed."); } + SafeGetPKey(obj, pkey); CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); return pkey; @@ -152,10 +163,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data) int buf_len; VALUE str; - GetPKey(self, pkey); if (rb_funcall(self, id_private_q, 0, NULL) != Qtrue) { ossl_raise(rb_eArgError, "Private key is needed."); } + GetPKey(self, pkey); EVP_SignInit(&ctx, GetDigestPtr(digest)); StringValue(data); EVP_SignUpdate(&ctx, RSTRING(data)->ptr, RSTRING(data)->len); diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h index 189573546e..db4d3cf19d 100644 --- a/ext/openssl/ossl_pkey.h +++ b/ext/openssl/ossl_pkey.h @@ -38,7 +38,7 @@ void ossl_generate_cb(int, int, void *); VALUE ossl_pkey_new(EVP_PKEY *); VALUE ossl_pkey_new_from_file(VALUE); EVP_PKEY *GetPKeyPtr(VALUE); -/*EVP_PKEY *DupPKeyPtr(VALUE);*/ +EVP_PKEY *DupPKeyPtr(VALUE); EVP_PKEY *GetPrivPKeyPtr(VALUE); EVP_PKEY *DupPrivPKeyPtr(VALUE); void Init_ossl_pkey(void); @@ -66,6 +66,8 @@ void Init_ossl_dsa(void); */ extern VALUE cDH; extern VALUE eDHError; +extern DH *OSSL_DEFAULT_DH_512; +extern DH *OSSL_DEFAULT_DH_1024; VALUE ossl_dh_new(EVP_PKEY *); void Init_ossl_dh(void); @@ -104,10 +106,10 @@ static VALUE ossl_##keytype##_set_##name(VALUE self, VALUE bignum) \ return bignum; \ } -#define DEF_OSSL_PKEY_BN(class, keytype, name) \ -do { \ +#define DEF_OSSL_PKEY_BN(class, keytype, name) \ +do { \ rb_define_method(class, #name, ossl_##keytype##_get_##name, 0); \ - rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1); \ + rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1);\ } while (0) #endif /* _OSSL_PKEY_H_ */ diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c index 7070cf03f4..529ca0d57a 100644 --- a/ext/openssl/ossl_pkey_dh.c +++ b/ext/openssl/ossl_pkey_dh.c @@ -349,6 +349,69 @@ OSSL_PKEY_BN(dh, g); OSSL_PKEY_BN(dh, pub_key); OSSL_PKEY_BN(dh, priv_key); +/* + * -----BEGIN DH PARAMETERS----- + * MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 + * zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC + * -----END DH PARAMETERS----- + */ +static unsigned char DEFAULT_DH_512_PRIM[] = { + 0xf4, 0xcd, 0x71, 0xe5, 0x8d, 0x18, 0x3f, 0x98, + 0x9f, 0x4f, 0x60, 0xb0, 0x02, 0x2e, 0xfe, 0x7c, + 0x09, 0xdf, 0x15, 0xc4, 0x1c, 0x71, 0x63, 0xba, + 0x04, 0xb8, 0x27, 0x94, 0x44, 0xc8, 0x93, 0xa8, + 0x48, 0x4c, 0xca, 0x6d, 0x7a, 0xae, 0x18, 0x4a, + 0x81, 0x91, 0xb6, 0xce, 0x4d, 0x8e, 0xf6, 0xe5, + 0x08, 0x04, 0x8c, 0x52, 0x8f, 0xe3, 0x4a, 0x31, + 0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb, +}; +static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 }; +DH *OSSL_DEFAULT_DH_512 = NULL; + +/* + * -----BEGIN DH PARAMETERS----- + * MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ + * AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR + * T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC + * -----END DH PARAMETERS----- + */ +static unsigned char DEFAULT_DH_1024_PRIM[] = { + 0x9d, 0x25, 0x39, 0x5c, 0xb4, 0x54, 0x8a, 0xff, + 0x25, 0xe6, 0xd6, 0x9f, 0x4c, 0xc3, 0xc1, 0x8d, + 0xa1, 0xfa, 0xba, 0x88, 0x4c, 0x53, 0xa9, 0x74, + 0xda, 0xfa, 0xba, 0x0b, 0x20, 0xbe, 0x40, 0xd7, + 0xba, 0xe7, 0x1d, 0x70, 0x28, 0x61, 0x60, 0x4c, + 0x49, 0x01, 0x5f, 0xd9, 0x0f, 0x60, 0x16, 0x3d, + 0xba, 0xd3, 0xa9, 0x5e, 0xfa, 0x98, 0x64, 0x60, + 0x26, 0x0e, 0x04, 0x75, 0xd8, 0x13, 0xd7, 0x31, + 0xb4, 0x8e, 0xad, 0xeb, 0x9c, 0x57, 0x4c, 0x8f, + 0x65, 0xf3, 0x90, 0x16, 0x31, 0xdc, 0x15, 0x6f, + 0x7d, 0x1d, 0x00, 0xae, 0x76, 0xf2, 0xd1, 0x11, + 0xd1, 0x4f, 0x88, 0x7b, 0x29, 0x9f, 0xf6, 0xce, + 0x68, 0xef, 0x57, 0xe7, 0x85, 0xf2, 0x40, 0x54, + 0x1c, 0x12, 0x40, 0xa2, 0x35, 0x25, 0xcf, 0x12, + 0xa3, 0xe1, 0x07, 0x8e, 0xdb, 0x1d, 0xb4, 0x14, + 0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83 +}; +static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 }; +DH *OSSL_DEFAULT_DH_1024 = NULL; + +static DH* +ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen) +{ + DH *dh; + + if ((dh = DH_new()) == NULL) ossl_irase(eDHError, NULL); + dh->p = BN_bin2bn(p, plen, NULL); + dh->g = BN_bin2bn(g, glen, NULL); + if (dh->p == NULL || dh->g == NULL){ + DH_free(dh); + ossl_irase(eDHError, NULL); + } + + return dh; +} + /* * INIT */ @@ -356,12 +419,9 @@ void Init_ossl_dh() { eDHError = rb_define_class_under(mPKey, "DHError", ePKeyError); - cDH = rb_define_class_under(mPKey, "DH", cPKey); - rb_define_singleton_method(cDH, "generate", ossl_dh_s_generate, -1); rb_define_method(cDH, "initialize", ossl_dh_initialize, -1); - rb_define_method(cDH, "public?", ossl_dh_is_public, 0); rb_define_method(cDH, "private?", ossl_dh_is_private, 0); rb_define_method(cDH, "to_text", ossl_dh_to_text, 0); @@ -370,22 +430,25 @@ Init_ossl_dh() rb_define_alias(cDH, "to_s", "export"); rb_define_method(cDH, "to_der", ossl_dh_to_der, 0); rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0); - rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0); rb_define_method(cDH, "generate_key!", ossl_dh_generate_key, 0); rb_define_method(cDH, "compute_key", ossl_dh_compute_key, 1); - DEF_OSSL_PKEY_BN(cDH, dh, p); DEF_OSSL_PKEY_BN(cDH, dh, g); DEF_OSSL_PKEY_BN(cDH, dh, pub_key); DEF_OSSL_PKEY_BN(cDH, dh, priv_key); - rb_define_method(cDH, "params", ossl_dh_get_params, 0); + + OSSL_DEFAULT_DH_512 = ossl_create_dh( + DEFAULT_DH_512_PRIM, sizeof(DEFAULT_DH_512_PRIM), + DEFAULT_DH_512_GEN, sizeof(DEFAULT_DH_512_GEN)); + OSSL_DEFAULT_DH_1024 = ossl_create_dh( + DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM), + DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN)); } #else /* defined NO_DH */ # warning >>> OpenSSL is compiled without DH support <<< - void Init_ossl_dh() { diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index ca3fb19085..1283c6d608 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -30,9 +30,6 @@ VALUE eSSLError; VALUE cSSLContext; VALUE cSSLSocket; -/* - * SSLContext class - */ #define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v)) #define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v)) #define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v)) @@ -45,6 +42,8 @@ VALUE cSSLSocket; #define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v)) #define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v)) #define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v)) +#define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v)) +#define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v)) #define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert") #define ossl_sslctx_get_key(o) rb_iv_get((o),"@key") @@ -58,13 +57,37 @@ VALUE cSSLSocket; #define ossl_sslctx_get_options(o) rb_iv_get((o),"@options") #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store") #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert") +#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb") +#define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback") static char *ossl_sslctx_attrs[] = { "cert", "key", "client_ca", "ca_file", "ca_path", "timeout", "verify_mode", "verify_depth", - "verify_callback", "options", "cert_store", "extra_chain_cert" + "verify_callback", "options", "cert_store", "extra_chain_cert", + "client_cert_cb", + "tmp_dh_callback", }; +#define ossl_ssl_get_io(o) rb_iv_get((o),"@io") +#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context") +#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close") +#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509") +#define ossl_ssl_get_key(o) rb_iv_get((o),"@key") +#define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh") + +#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v)) +#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v)) +#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v)) +#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v)) +#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v)) +#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v)) + +static char *ossl_ssl_attr_readers[] = { "io", "context", }; +static char *ossl_ssl_attrs[] = { "sync_close", }; + +/* + * SSLContext class + */ struct { const char *name; SSL_METHOD *(*func)(void); @@ -87,6 +110,9 @@ struct { int ossl_ssl_ex_vcb_idx; int ossl_ssl_ex_store_p; +int ossl_ssl_ex_ptr_idx; +int ossl_ssl_ex_client_cert_cb_idx; +int ossl_ssl_ex_tmp_dh_callback_idx; static void ossl_sslctx_free(SSL_CTX *ctx) @@ -148,6 +174,89 @@ ossl_sslctx_initialize(int argc, VALUE *argv, VALUE self) return self; } +static VALUE +ossl_call_client_cert_cb(VALUE obj) +{ + VALUE cb, ary, cert, key; + SSL *ssl; + + Data_Get_Struct(obj, SSL, ssl); + cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx); + if (NIL_P(cb)) return Qfalse; + ary = rb_funcall(cb, rb_intern("call"), 1, obj); + Check_Type(ary, T_ARRAY); + GetX509CertPtr(cert = rb_ary_entry(ary, 0)); + GetPKeyPtr(key = rb_ary_entry(ary, 1)); + ossl_ssl_set_x509(obj, cert); + ossl_ssl_set_key(obj, key); + + return Qtrue; +} + +static int +ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) +{ + VALUE obj; + int status, success; + + obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); + success = rb_protect((VALUE(*)_((VALUE)))ossl_call_client_cert_cb, + obj, &status); + if (status || !success) return 0; + *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj)); + *pkey = DupPKeyPtr(ossl_ssl_get_key(obj)); + + return 1; +} + +#if !defined(OPENSSL_NO_DH) +static VALUE +ossl_call_tmp_dh_callback(VALUE *args) +{ + SSL *ssl; + VALUE cb, dh; + EVP_PKEY *pkey; + + Data_Get_Struct(args[0], SSL, ssl); + cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx); + if (NIL_P(cb)) return Qfalse; + dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]); + pkey = GetPKeyPtr(dh); + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse; + ossl_ssl_set_tmp_dh_key(args[0], dh); + + return Qtrue; +} + +static DH* +ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) +{ + VALUE obj, args[3]; + int status, success; + + args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); + args[1] = INT2FIX(is_export); + args[2] = INT2FIX(keylength); + success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_dh_callback, + (VALUE)args, &status); + if (status || !success) return NULL; + + return GetPKeyPtr(ossl_ssl_get_dh(obj))->pkey.dh; +} + +static DH* +ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength) +{ + switch(keylength){ + case 512: + return OSSL_DEFAULT_DH_512; + case 1024: + return OSSL_DEFAULT_DH_1024; + } + return NULL; +} +#endif /* OPENSSL_NO_DH */ + static int ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { @@ -189,6 +298,16 @@ ossl_sslctx_setup(VALUE self) if(OBJ_FROZEN(self)) return Qnil; Data_Get_Struct(self, SSL_CTX, ctx); +#if !defined(OPENSSL_NO_DH) + if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){ + SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); + } + else{ + rb_warning("using default DH parameters."); + SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback); + } +#endif + val = ossl_sslctx_get_cert_store(self); if(!NIL_P(val)){ /* @@ -258,6 +377,8 @@ ossl_sslctx_setup(VALUE self) val = ossl_sslctx_get_verify_mode(self); verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val); SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback); + if (RTEST(ossl_sslctx_get_client_cert_cb(self))) + SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb); val = ossl_sslctx_get_timeout(self); if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val)); @@ -324,7 +445,9 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) int i; rb_check_frozen(self); - if (TYPE(v) == T_ARRAY) { + if (NIL_P(v)) + return v; + else if (TYPE(v) == T_ARRAY) { str = rb_str_new2(NULL); for (i = 0; i < RARRAY(v)->len; i++) { elem = rb_ary_entry(v, i); @@ -346,23 +469,13 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) if (!SSL_CTX_set_cipher_list(ctx, RSTRING(str)->ptr)) { ossl_raise(eSSLError, "SSL_CTX_set_ciphers:"); } - return Qnil; + + return v; } /* * SSLSocket class */ -#define ossl_ssl_get_io(o) rb_iv_get((o),"@io") -#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context") -#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close") - -#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v)) -#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v)) -#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v)) - -static char *ossl_ssl_attr_readers[] = { "io", "context", }; -static char *ossl_ssl_attrs[] = { "sync_close", }; - static void ossl_ssl_shutdown(SSL *ssl) { @@ -407,7 +520,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self) static VALUE ossl_ssl_setup(VALUE self) { - VALUE io, v_ctx; + VALUE io, v_ctx, cb; SSL_CTX *ctx; SSL *ssl; OpenFile *fptr; @@ -428,6 +541,13 @@ ossl_ssl_setup(VALUE self) rb_io_check_readable(fptr); rb_io_check_writable(fptr); SSL_set_fd(ssl, TO_SOCKET(fptr->fd)); + SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self); + cb = ossl_sslctx_get_verify_cb(v_ctx); + SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb); + cb = ossl_sslctx_get_client_cert_cb(v_ctx); + SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb); + cb = ossl_sslctx_get_tmp_dh_cb(v_ctx); + SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb); } return Qtrue; @@ -449,8 +569,6 @@ ossl_start_ssl(VALUE self, int (*func)()) Data_Get_Struct(self, SSL, ssl); GetOpenFile(ossl_ssl_get_io(self), fptr); - cb = ossl_sslctx_get_verify_cb(ossl_ssl_get_ctx(self)); - SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)cb); for(;;){ if((ret = func(ssl)) > 0) break; switch(ssl_get_error(ssl, ret)){ @@ -461,7 +579,7 @@ ossl_start_ssl(VALUE self, int (*func)()) rb_io_wait_readable(fptr->fd); continue; case SSL_ERROR_SYSCALL: - rb_sys_fail(0); + if (errno) rb_sys_fail(0); default: ossl_raise(eSSLError, NULL); } @@ -566,7 +684,7 @@ ossl_ssl_write(VALUE self, VALUE str) rb_io_wait_readable(fptr->fd); continue; case SSL_ERROR_SYSCALL: - rb_sys_fail(0); + if (errno) rb_sys_fail(0); default: ossl_raise(eSSLError, "SSL_write:"); } @@ -726,6 +844,11 @@ Init_ossl_ssl() ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_vcb_idx",0,0,0); ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,"ossl_ssl_ex_store_p",0,0,0); + ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_ptr_idx",0,0,0); + ossl_ssl_ex_client_cert_cb_idx = + SSL_get_ex_new_index(0,"ossl_ssl_ex_client_cert_cb_idx",0,0,0); + ossl_ssl_ex_tmp_dh_callback_idx = + SSL_get_ex_new_index(0,"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0); mSSL = rb_define_module_under(mOSSL, "SSL"); eSSLError = rb_define_class_under(mSSL, "SSLError", eOSSLError); diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb index 556c28b84c..6e620629c5 100644 --- a/test/openssl/ssl_server.rb +++ b/test/openssl/ssl_server.rb @@ -64,7 +64,8 @@ $stdout.puts Process.pid $stdout.puts port loop do - Thread.start(ssls.accept) {|ssl| + ssl = ssls.accept rescue next + Thread.start{ q = Queue.new th = Thread.start{ ssl.write(q.shift) while true } while line = ssl.gets diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb index 7dd658b825..7273554362 100644 --- a/test/openssl/test_pair.rb +++ b/test/openssl/test_pair.rb @@ -16,197 +16,8 @@ module SSLPair def server host = "127.0.0.1" port = 0 - key = OpenSSL::PKey::RSA.new(512) - cert = OpenSSL::X509::Certificate.new - cert.version = 2 - cert.serial = 0 - name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]]) - cert.subject = name - cert.issuer = name - cert.not_before = Time.now - cert.not_after = Time.now + 3600 - cert.public_key = key.public_key - ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) - cert.extensions = [ - ef.create_extension("basicConstraints","CA:FALSE"), - ef.create_extension("subjectKeyIdentifier","hash"), - ef.create_extension("extendedKeyUsage","serverAuth"), - ef.create_extension("keyUsage", - "keyEncipherment,dataEncipherment,digitalSignature") - ] - ef.issuer_certificate = cert - cert.add_extension ef.create_extension("authorityKeyIdentifier", - "keyid:always,issuer:always") - cert.sign(key, OpenSSL::Digest::SHA1.new) ctx = OpenSSL::SSL::SSLContext.new() - ctx.key = key - ctx.cert = cert - tcps = TCPServer.new(host, port) - ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) - return ssls - end - - def client(port) - host = "127.0.0.1" - ctx = OpenSSL::SSL::SSLContext.new() - s = TCPSocket.new(host, port) - ssl = OpenSSL::SSL::SSLSocket.new(s, ctx) - ssl.connect - ssl.sync_close = true - ssl - end - - def ssl_pair - ssls = server - th = Thread.new { - ns = ssls.accept - ssls.close - ns - } - port = ssls.to_io.addr[1] - c = client(port) - s = th.value - if block_given? - begin - yield c, s - ensure - c.close unless c.closed? - s.close unless s.closed? - end - else - return c, s - end - end -end - -class OpenSSL::TestEOF1 < Test::Unit::TestCase - include TestEOF - include SSLPair - - def open_file(content) - s1, s2 = ssl_pair - Thread.new { s2 << content; s2.close } - yield s1 - end -end - -class OpenSSL::TestEOF2 < Test::Unit::TestCase - include TestEOF - include SSLPair - - def open_file(content) - s1, s2 = ssl_pair - Thread.new { s1 << content; s1.close } - yield s2 - end -end - -class OpenSSL::TestPair < Test::Unit::TestCase - include SSLPair - - def test_getc - ssl_pair {|s1, s2| - s1 << "a" - assert_equal(?a, s2.getc) - } - end - - def test_readpartial - ssl_pair {|s1, s2| - s2.write "a\nbcd" - assert_equal("a\n", s1.gets) - assert_equal("bcd", s1.readpartial(10)) - s2.write "efg" - assert_equal("efg", s1.readpartial(10)) - s2.close - assert_raise(EOFError) { s1.readpartial(10) } - assert_raise(EOFError) { s1.readpartial(10) } - assert_equal("", s1.readpartial(0)) - } - end - - def test_readall - ssl_pair {|s1, s2| - s2.close - assert_equal("", s1.read) - } - end - - def test_readline - ssl_pair {|s1, s2| - s2.close - assert_raise(EOFError) { s1.readline } - } - end - - def test_puts_meta - ssl_pair {|s1, s2| - begin - old = $/ - $/ = '*' - s1.puts 'a' - ensure - $/ = old - end - s1.close - assert_equal("a\n", s2.read) - } - end - - def test_puts_empty - ssl_pair {|s1, s2| - s1.puts - s1.close - assert_equal("\n", s2.read) - } - end - -end - -end -begin - require "openssl" -rescue LoadError -end -require 'test/unit' - -if defined?(OpenSSL) - -require 'socket' -dir = File.expand_path(__FILE__) -2.times {dir = File.dirname(dir)} -$:.replace([File.join(dir, "ruby")] | $:) -require 'ut_eof' - -module SSLPair - def server - host = "127.0.0.1" - port = 0 - key = OpenSSL::PKey::RSA.new(512) - cert = OpenSSL::X509::Certificate.new - cert.version = 2 - cert.serial = 0 - name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]]) - cert.subject = name - cert.issuer = name - cert.not_before = Time.now - cert.not_after = Time.now + 3600 - cert.public_key = key.public_key - ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) - cert.extensions = [ - ef.create_extension("basicConstraints","CA:FALSE"), - ef.create_extension("subjectKeyIdentifier","hash"), - ef.create_extension("extendedKeyUsage","serverAuth"), - ef.create_extension("keyUsage", - "keyEncipherment,dataEncipherment,digitalSignature") - ] - ef.issuer_certificate = cert - cert.add_extension ef.create_extension("authorityKeyIdentifier", - "keyid:always,issuer:always") - cert.sign(key, OpenSSL::Digest::SHA1.new) - ctx = OpenSSL::SSL::SSLContext.new() - ctx.key = key - ctx.cert = cert + ctx.ciphers = "ADH" tcps = TCPServer.new(host, port) ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) return ssls @@ -215,6 +26,7 @@ module SSLPair def client(port) host = "127.0.0.1" ctx = OpenSSL::SSL::SSLContext.new() + ctx.ciphers = "ADH" s = TCPSocket.new(host, port) ssl = OpenSSL::SSL::SSLSocket.new(s, ctx) ssl.connect diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 8f440076e8..08c18f440b 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -155,6 +155,43 @@ class OpenSSL::TestSSL < Test::Unit::TestCase } end + def test_client_auth + vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT + start_server(PORT, vflag, true){|s, p| + assert_raises(OpenSSL::SSL::SSLError){ + sock = TCPSocket.new("127.0.0.1", p) + ssl = OpenSSL::SSL::SSLSocket.new(sock) + ssl.connect + } + + ctx = OpenSSL::SSL::SSLContext.new + ctx.key = @cli_key + ctx.cert = @cli_cert + sock = TCPSocket.new("127.0.0.1", p) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.connect + ssl.puts("foo") + assert_equal("foo\n", ssl.gets) + ssl.close + + called = nil + ctx = OpenSSL::SSL::SSLContext.new + ctx.client_cert_cb = Proc.new{|ssl| + called = true + [@cli_cert, @cli_key] + } + sock = TCPSocket.new("127.0.0.1", p) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.sync_close = true + ssl.connect + assert(called) + ssl.puts("foo") + assert_equal("foo\n", ssl.gets) + ssl.close + } + end + def test_starttls start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p| sock = TCPSocket.new("127.0.0.1", p)