mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
* ext/openssl/ossl_ssl.c: OpenSSL::SSL::SSLContexts suports callbacks:
- SSLContext#client_cert_cb is a Proc. it is called when a client certificate is requested by a server and no certificate was yet set for the SSLContext. it must return an Array which includes OpenSSL::X509::Certificate and OpenSSL::PKey::RSA/DSA objects. - SSLContext#tmp_dh_callback is called in key exchange with DH algorithm. it must return an OpenSSL::PKey::DH object. * ext/openssl/ossl_ssl.c: (ossl_sslctx_set_ciphers): ignore the argument if it's nil. (ossl_start_ssl, ossl_ssl_write): call rb_sys_fail if errno isn't 0. [ruby-dev:25831] * ext/openssl/ossl_pkey.c (GetPrivPKeyPtr, ossl_pkey_sign): should call rb_funcall first. (DupPrivPKeyPtr): new function. * ext/openssl/ossl_pkey_dh.c: add default DH parameters. * ext/openssl/ossl_pkey.h: ditto. * ext/openssl/lib/openssl/cipher.rb: fix typo. [ruby-dev:24285] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@8129 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
f43cae2b05
commit
5505449793
9 changed files with 304 additions and 230 deletions
25
ChangeLog
25
ChangeLog
|
@ -1,3 +1,28 @@
|
|||
Wed Mar 9 19:42:21 2005 GOTOU Yuuzou <gotoyuzo@notwork.org>
|
||||
|
||||
* ext/openssl/ossl_ssl.c: OpenSSL::SSL::SSLContexts suports callbacks:
|
||||
- SSLContext#client_cert_cb is a Proc. it is called when a client
|
||||
certificate is requested by a server and no certificate was yet
|
||||
set for the SSLContext. it must return an Array which includes
|
||||
OpenSSL::X509::Certificate and OpenSSL::PKey::RSA/DSA objects.
|
||||
- SSLContext#tmp_dh_callback is called in key exchange with DH
|
||||
algorithm. it must return an OpenSSL::PKey::DH object.
|
||||
|
||||
* ext/openssl/ossl_ssl.c:
|
||||
(ossl_sslctx_set_ciphers): ignore the argument if it's nil.
|
||||
(ossl_start_ssl, ossl_ssl_write): call rb_sys_fail if errno isn't 0.
|
||||
[ruby-dev:25831]
|
||||
|
||||
* ext/openssl/ossl_pkey.c
|
||||
(GetPrivPKeyPtr, ossl_pkey_sign): should call rb_funcall first.
|
||||
(DupPrivPKeyPtr): new function.
|
||||
|
||||
* ext/openssl/ossl_pkey_dh.c: add default DH parameters.
|
||||
|
||||
* ext/openssl/ossl_pkey.h: ditto.
|
||||
|
||||
* ext/openssl/lib/openssl/cipher.rb: fix typo. [ruby-dev:24285]
|
||||
|
||||
Wed Mar 9 18:09:51 2005 Yukihiro Matsumoto <matz@ruby-lang.org>
|
||||
|
||||
* parse.y (gettable_gen): warns if VCALL name is used as
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
|
||||
module OpenSSL
|
||||
module Cipher
|
||||
%w(AES Cast5 BF DES Idea RC2 RC4 RC5).each{|cipher|
|
||||
%w(AES CAST5 BF DES IDEA RC2 RC4 RC5).each{|cipher|
|
||||
eval(<<-EOD)
|
||||
class #{cipher} < Cipher
|
||||
def initialize(*args)
|
||||
|
|
|
@ -96,10 +96,21 @@ GetPrivPKeyPtr(VALUE obj)
|
|||
{
|
||||
EVP_PKEY *pkey;
|
||||
|
||||
SafeGetPKey(obj, pkey);
|
||||
if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */
|
||||
if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) {
|
||||
ossl_raise(rb_eArgError, "Private key is needed.");
|
||||
}
|
||||
SafeGetPKey(obj, pkey);
|
||||
|
||||
return pkey;
|
||||
}
|
||||
|
||||
EVP_PKEY *
|
||||
DupPKeyPtr(VALUE obj)
|
||||
{
|
||||
EVP_PKEY *pkey;
|
||||
|
||||
SafeGetPKey(obj, pkey);
|
||||
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
||||
|
||||
return pkey;
|
||||
}
|
||||
|
@ -109,10 +120,10 @@ DupPrivPKeyPtr(VALUE obj)
|
|||
{
|
||||
EVP_PKEY *pkey;
|
||||
|
||||
SafeGetPKey(obj, pkey);
|
||||
if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */
|
||||
if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) {
|
||||
ossl_raise(rb_eArgError, "Private key is needed.");
|
||||
}
|
||||
SafeGetPKey(obj, pkey);
|
||||
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
||||
|
||||
return pkey;
|
||||
|
@ -152,10 +163,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|||
int buf_len;
|
||||
VALUE str;
|
||||
|
||||
GetPKey(self, pkey);
|
||||
if (rb_funcall(self, id_private_q, 0, NULL) != Qtrue) {
|
||||
ossl_raise(rb_eArgError, "Private key is needed.");
|
||||
}
|
||||
GetPKey(self, pkey);
|
||||
EVP_SignInit(&ctx, GetDigestPtr(digest));
|
||||
StringValue(data);
|
||||
EVP_SignUpdate(&ctx, RSTRING(data)->ptr, RSTRING(data)->len);
|
||||
|
|
|
@ -38,7 +38,7 @@ void ossl_generate_cb(int, int, void *);
|
|||
VALUE ossl_pkey_new(EVP_PKEY *);
|
||||
VALUE ossl_pkey_new_from_file(VALUE);
|
||||
EVP_PKEY *GetPKeyPtr(VALUE);
|
||||
/*EVP_PKEY *DupPKeyPtr(VALUE);*/
|
||||
EVP_PKEY *DupPKeyPtr(VALUE);
|
||||
EVP_PKEY *GetPrivPKeyPtr(VALUE);
|
||||
EVP_PKEY *DupPrivPKeyPtr(VALUE);
|
||||
void Init_ossl_pkey(void);
|
||||
|
@ -66,6 +66,8 @@ void Init_ossl_dsa(void);
|
|||
*/
|
||||
extern VALUE cDH;
|
||||
extern VALUE eDHError;
|
||||
extern DH *OSSL_DEFAULT_DH_512;
|
||||
extern DH *OSSL_DEFAULT_DH_1024;
|
||||
|
||||
VALUE ossl_dh_new(EVP_PKEY *);
|
||||
void Init_ossl_dh(void);
|
||||
|
@ -107,7 +109,7 @@ static VALUE ossl_##keytype##_set_##name(VALUE self, VALUE bignum) \
|
|||
#define DEF_OSSL_PKEY_BN(class, keytype, name) \
|
||||
do { \
|
||||
rb_define_method(class, #name, ossl_##keytype##_get_##name, 0); \
|
||||
rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1); \
|
||||
rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1);\
|
||||
} while (0)
|
||||
|
||||
#endif /* _OSSL_PKEY_H_ */
|
||||
|
|
|
@ -349,6 +349,69 @@ OSSL_PKEY_BN(dh, g);
|
|||
OSSL_PKEY_BN(dh, pub_key);
|
||||
OSSL_PKEY_BN(dh, priv_key);
|
||||
|
||||
/*
|
||||
* -----BEGIN DH PARAMETERS-----
|
||||
* MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
|
||||
* zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
|
||||
* -----END DH PARAMETERS-----
|
||||
*/
|
||||
static unsigned char DEFAULT_DH_512_PRIM[] = {
|
||||
0xf4, 0xcd, 0x71, 0xe5, 0x8d, 0x18, 0x3f, 0x98,
|
||||
0x9f, 0x4f, 0x60, 0xb0, 0x02, 0x2e, 0xfe, 0x7c,
|
||||
0x09, 0xdf, 0x15, 0xc4, 0x1c, 0x71, 0x63, 0xba,
|
||||
0x04, 0xb8, 0x27, 0x94, 0x44, 0xc8, 0x93, 0xa8,
|
||||
0x48, 0x4c, 0xca, 0x6d, 0x7a, 0xae, 0x18, 0x4a,
|
||||
0x81, 0x91, 0xb6, 0xce, 0x4d, 0x8e, 0xf6, 0xe5,
|
||||
0x08, 0x04, 0x8c, 0x52, 0x8f, 0xe3, 0x4a, 0x31,
|
||||
0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb,
|
||||
};
|
||||
static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 };
|
||||
DH *OSSL_DEFAULT_DH_512 = NULL;
|
||||
|
||||
/*
|
||||
* -----BEGIN DH PARAMETERS-----
|
||||
* MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
|
||||
* AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
|
||||
* T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
|
||||
* -----END DH PARAMETERS-----
|
||||
*/
|
||||
static unsigned char DEFAULT_DH_1024_PRIM[] = {
|
||||
0x9d, 0x25, 0x39, 0x5c, 0xb4, 0x54, 0x8a, 0xff,
|
||||
0x25, 0xe6, 0xd6, 0x9f, 0x4c, 0xc3, 0xc1, 0x8d,
|
||||
0xa1, 0xfa, 0xba, 0x88, 0x4c, 0x53, 0xa9, 0x74,
|
||||
0xda, 0xfa, 0xba, 0x0b, 0x20, 0xbe, 0x40, 0xd7,
|
||||
0xba, 0xe7, 0x1d, 0x70, 0x28, 0x61, 0x60, 0x4c,
|
||||
0x49, 0x01, 0x5f, 0xd9, 0x0f, 0x60, 0x16, 0x3d,
|
||||
0xba, 0xd3, 0xa9, 0x5e, 0xfa, 0x98, 0x64, 0x60,
|
||||
0x26, 0x0e, 0x04, 0x75, 0xd8, 0x13, 0xd7, 0x31,
|
||||
0xb4, 0x8e, 0xad, 0xeb, 0x9c, 0x57, 0x4c, 0x8f,
|
||||
0x65, 0xf3, 0x90, 0x16, 0x31, 0xdc, 0x15, 0x6f,
|
||||
0x7d, 0x1d, 0x00, 0xae, 0x76, 0xf2, 0xd1, 0x11,
|
||||
0xd1, 0x4f, 0x88, 0x7b, 0x29, 0x9f, 0xf6, 0xce,
|
||||
0x68, 0xef, 0x57, 0xe7, 0x85, 0xf2, 0x40, 0x54,
|
||||
0x1c, 0x12, 0x40, 0xa2, 0x35, 0x25, 0xcf, 0x12,
|
||||
0xa3, 0xe1, 0x07, 0x8e, 0xdb, 0x1d, 0xb4, 0x14,
|
||||
0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83
|
||||
};
|
||||
static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 };
|
||||
DH *OSSL_DEFAULT_DH_1024 = NULL;
|
||||
|
||||
static DH*
|
||||
ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen)
|
||||
{
|
||||
DH *dh;
|
||||
|
||||
if ((dh = DH_new()) == NULL) ossl_irase(eDHError, NULL);
|
||||
dh->p = BN_bin2bn(p, plen, NULL);
|
||||
dh->g = BN_bin2bn(g, glen, NULL);
|
||||
if (dh->p == NULL || dh->g == NULL){
|
||||
DH_free(dh);
|
||||
ossl_irase(eDHError, NULL);
|
||||
}
|
||||
|
||||
return dh;
|
||||
}
|
||||
|
||||
/*
|
||||
* INIT
|
||||
*/
|
||||
|
@ -356,12 +419,9 @@ void
|
|||
Init_ossl_dh()
|
||||
{
|
||||
eDHError = rb_define_class_under(mPKey, "DHError", ePKeyError);
|
||||
|
||||
cDH = rb_define_class_under(mPKey, "DH", cPKey);
|
||||
|
||||
rb_define_singleton_method(cDH, "generate", ossl_dh_s_generate, -1);
|
||||
rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);
|
||||
|
||||
rb_define_method(cDH, "public?", ossl_dh_is_public, 0);
|
||||
rb_define_method(cDH, "private?", ossl_dh_is_private, 0);
|
||||
rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
|
||||
|
@ -370,22 +430,25 @@ Init_ossl_dh()
|
|||
rb_define_alias(cDH, "to_s", "export");
|
||||
rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);
|
||||
rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
|
||||
|
||||
rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);
|
||||
rb_define_method(cDH, "generate_key!", ossl_dh_generate_key, 0);
|
||||
rb_define_method(cDH, "compute_key", ossl_dh_compute_key, 1);
|
||||
|
||||
DEF_OSSL_PKEY_BN(cDH, dh, p);
|
||||
DEF_OSSL_PKEY_BN(cDH, dh, g);
|
||||
DEF_OSSL_PKEY_BN(cDH, dh, pub_key);
|
||||
DEF_OSSL_PKEY_BN(cDH, dh, priv_key);
|
||||
|
||||
rb_define_method(cDH, "params", ossl_dh_get_params, 0);
|
||||
|
||||
OSSL_DEFAULT_DH_512 = ossl_create_dh(
|
||||
DEFAULT_DH_512_PRIM, sizeof(DEFAULT_DH_512_PRIM),
|
||||
DEFAULT_DH_512_GEN, sizeof(DEFAULT_DH_512_GEN));
|
||||
OSSL_DEFAULT_DH_1024 = ossl_create_dh(
|
||||
DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM),
|
||||
DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN));
|
||||
}
|
||||
|
||||
#else /* defined NO_DH */
|
||||
# warning >>> OpenSSL is compiled without DH support <<<
|
||||
|
||||
void
|
||||
Init_ossl_dh()
|
||||
{
|
||||
|
|
|
@ -30,9 +30,6 @@ VALUE eSSLError;
|
|||
VALUE cSSLContext;
|
||||
VALUE cSSLSocket;
|
||||
|
||||
/*
|
||||
* SSLContext class
|
||||
*/
|
||||
#define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
|
||||
#define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
|
||||
#define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
|
||||
|
@ -45,6 +42,8 @@ VALUE cSSLSocket;
|
|||
#define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v))
|
||||
#define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
|
||||
#define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
|
||||
#define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
|
||||
#define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v))
|
||||
|
||||
#define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
|
||||
#define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
|
||||
|
@ -58,13 +57,37 @@ VALUE cSSLSocket;
|
|||
#define ossl_sslctx_get_options(o) rb_iv_get((o),"@options")
|
||||
#define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
|
||||
#define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
|
||||
#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
|
||||
#define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
|
||||
|
||||
static char *ossl_sslctx_attrs[] = {
|
||||
"cert", "key", "client_ca", "ca_file", "ca_path",
|
||||
"timeout", "verify_mode", "verify_depth",
|
||||
"verify_callback", "options", "cert_store", "extra_chain_cert"
|
||||
"verify_callback", "options", "cert_store", "extra_chain_cert",
|
||||
"client_cert_cb",
|
||||
"tmp_dh_callback",
|
||||
};
|
||||
|
||||
#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
|
||||
#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
|
||||
#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
|
||||
#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
|
||||
#define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
|
||||
#define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
|
||||
|
||||
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
|
||||
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
|
||||
#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
|
||||
#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
|
||||
#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
|
||||
#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
|
||||
|
||||
static char *ossl_ssl_attr_readers[] = { "io", "context", };
|
||||
static char *ossl_ssl_attrs[] = { "sync_close", };
|
||||
|
||||
/*
|
||||
* SSLContext class
|
||||
*/
|
||||
struct {
|
||||
const char *name;
|
||||
SSL_METHOD *(*func)(void);
|
||||
|
@ -87,6 +110,9 @@ struct {
|
|||
|
||||
int ossl_ssl_ex_vcb_idx;
|
||||
int ossl_ssl_ex_store_p;
|
||||
int ossl_ssl_ex_ptr_idx;
|
||||
int ossl_ssl_ex_client_cert_cb_idx;
|
||||
int ossl_ssl_ex_tmp_dh_callback_idx;
|
||||
|
||||
static void
|
||||
ossl_sslctx_free(SSL_CTX *ctx)
|
||||
|
@ -148,6 +174,89 @@ ossl_sslctx_initialize(int argc, VALUE *argv, VALUE self)
|
|||
return self;
|
||||
}
|
||||
|
||||
static VALUE
|
||||
ossl_call_client_cert_cb(VALUE obj)
|
||||
{
|
||||
VALUE cb, ary, cert, key;
|
||||
SSL *ssl;
|
||||
|
||||
Data_Get_Struct(obj, SSL, ssl);
|
||||
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx);
|
||||
if (NIL_P(cb)) return Qfalse;
|
||||
ary = rb_funcall(cb, rb_intern("call"), 1, obj);
|
||||
Check_Type(ary, T_ARRAY);
|
||||
GetX509CertPtr(cert = rb_ary_entry(ary, 0));
|
||||
GetPKeyPtr(key = rb_ary_entry(ary, 1));
|
||||
ossl_ssl_set_x509(obj, cert);
|
||||
ossl_ssl_set_key(obj, key);
|
||||
|
||||
return Qtrue;
|
||||
}
|
||||
|
||||
static int
|
||||
ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
||||
{
|
||||
VALUE obj;
|
||||
int status, success;
|
||||
|
||||
obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
||||
success = rb_protect((VALUE(*)_((VALUE)))ossl_call_client_cert_cb,
|
||||
obj, &status);
|
||||
if (status || !success) return 0;
|
||||
*x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
|
||||
*pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if !defined(OPENSSL_NO_DH)
|
||||
static VALUE
|
||||
ossl_call_tmp_dh_callback(VALUE *args)
|
||||
{
|
||||
SSL *ssl;
|
||||
VALUE cb, dh;
|
||||
EVP_PKEY *pkey;
|
||||
|
||||
Data_Get_Struct(args[0], SSL, ssl);
|
||||
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx);
|
||||
if (NIL_P(cb)) return Qfalse;
|
||||
dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
|
||||
pkey = GetPKeyPtr(dh);
|
||||
if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
|
||||
ossl_ssl_set_tmp_dh_key(args[0], dh);
|
||||
|
||||
return Qtrue;
|
||||
}
|
||||
|
||||
static DH*
|
||||
ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
||||
{
|
||||
VALUE obj, args[3];
|
||||
int status, success;
|
||||
|
||||
args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
||||
args[1] = INT2FIX(is_export);
|
||||
args[2] = INT2FIX(keylength);
|
||||
success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_dh_callback,
|
||||
(VALUE)args, &status);
|
||||
if (status || !success) return NULL;
|
||||
|
||||
return GetPKeyPtr(ossl_ssl_get_dh(obj))->pkey.dh;
|
||||
}
|
||||
|
||||
static DH*
|
||||
ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
||||
{
|
||||
switch(keylength){
|
||||
case 512:
|
||||
return OSSL_DEFAULT_DH_512;
|
||||
case 1024:
|
||||
return OSSL_DEFAULT_DH_1024;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
static int
|
||||
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
|
@ -189,6 +298,16 @@ ossl_sslctx_setup(VALUE self)
|
|||
if(OBJ_FROZEN(self)) return Qnil;
|
||||
Data_Get_Struct(self, SSL_CTX, ctx);
|
||||
|
||||
#if !defined(OPENSSL_NO_DH)
|
||||
if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
|
||||
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
|
||||
}
|
||||
else{
|
||||
rb_warning("using default DH parameters.");
|
||||
SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
|
||||
}
|
||||
#endif
|
||||
|
||||
val = ossl_sslctx_get_cert_store(self);
|
||||
if(!NIL_P(val)){
|
||||
/*
|
||||
|
@ -258,6 +377,8 @@ ossl_sslctx_setup(VALUE self)
|
|||
val = ossl_sslctx_get_verify_mode(self);
|
||||
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
|
||||
SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
|
||||
if (RTEST(ossl_sslctx_get_client_cert_cb(self)))
|
||||
SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
|
||||
|
||||
val = ossl_sslctx_get_timeout(self);
|
||||
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
|
||||
|
@ -324,7 +445,9 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|||
int i;
|
||||
|
||||
rb_check_frozen(self);
|
||||
if (TYPE(v) == T_ARRAY) {
|
||||
if (NIL_P(v))
|
||||
return v;
|
||||
else if (TYPE(v) == T_ARRAY) {
|
||||
str = rb_str_new2(NULL);
|
||||
for (i = 0; i < RARRAY(v)->len; i++) {
|
||||
elem = rb_ary_entry(v, i);
|
||||
|
@ -346,23 +469,13 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|||
if (!SSL_CTX_set_cipher_list(ctx, RSTRING(str)->ptr)) {
|
||||
ossl_raise(eSSLError, "SSL_CTX_set_ciphers:");
|
||||
}
|
||||
return Qnil;
|
||||
|
||||
return v;
|
||||
}
|
||||
|
||||
/*
|
||||
* SSLSocket class
|
||||
*/
|
||||
#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
|
||||
#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
|
||||
#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
|
||||
|
||||
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
|
||||
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
|
||||
#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
|
||||
|
||||
static char *ossl_ssl_attr_readers[] = { "io", "context", };
|
||||
static char *ossl_ssl_attrs[] = { "sync_close", };
|
||||
|
||||
static void
|
||||
ossl_ssl_shutdown(SSL *ssl)
|
||||
{
|
||||
|
@ -407,7 +520,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
|
|||
static VALUE
|
||||
ossl_ssl_setup(VALUE self)
|
||||
{
|
||||
VALUE io, v_ctx;
|
||||
VALUE io, v_ctx, cb;
|
||||
SSL_CTX *ctx;
|
||||
SSL *ssl;
|
||||
OpenFile *fptr;
|
||||
|
@ -428,6 +541,13 @@ ossl_ssl_setup(VALUE self)
|
|||
rb_io_check_readable(fptr);
|
||||
rb_io_check_writable(fptr);
|
||||
SSL_set_fd(ssl, TO_SOCKET(fptr->fd));
|
||||
SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self);
|
||||
cb = ossl_sslctx_get_verify_cb(v_ctx);
|
||||
SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb);
|
||||
cb = ossl_sslctx_get_client_cert_cb(v_ctx);
|
||||
SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
|
||||
cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
|
||||
SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
|
||||
}
|
||||
|
||||
return Qtrue;
|
||||
|
@ -449,8 +569,6 @@ ossl_start_ssl(VALUE self, int (*func)())
|
|||
|
||||
Data_Get_Struct(self, SSL, ssl);
|
||||
GetOpenFile(ossl_ssl_get_io(self), fptr);
|
||||
cb = ossl_sslctx_get_verify_cb(ossl_ssl_get_ctx(self));
|
||||
SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)cb);
|
||||
for(;;){
|
||||
if((ret = func(ssl)) > 0) break;
|
||||
switch(ssl_get_error(ssl, ret)){
|
||||
|
@ -461,7 +579,7 @@ ossl_start_ssl(VALUE self, int (*func)())
|
|||
rb_io_wait_readable(fptr->fd);
|
||||
continue;
|
||||
case SSL_ERROR_SYSCALL:
|
||||
rb_sys_fail(0);
|
||||
if (errno) rb_sys_fail(0);
|
||||
default:
|
||||
ossl_raise(eSSLError, NULL);
|
||||
}
|
||||
|
@ -566,7 +684,7 @@ ossl_ssl_write(VALUE self, VALUE str)
|
|||
rb_io_wait_readable(fptr->fd);
|
||||
continue;
|
||||
case SSL_ERROR_SYSCALL:
|
||||
rb_sys_fail(0);
|
||||
if (errno) rb_sys_fail(0);
|
||||
default:
|
||||
ossl_raise(eSSLError, "SSL_write:");
|
||||
}
|
||||
|
@ -726,6 +844,11 @@ Init_ossl_ssl()
|
|||
|
||||
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_vcb_idx",0,0,0);
|
||||
ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,"ossl_ssl_ex_store_p",0,0,0);
|
||||
ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_ptr_idx",0,0,0);
|
||||
ossl_ssl_ex_client_cert_cb_idx =
|
||||
SSL_get_ex_new_index(0,"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
|
||||
ossl_ssl_ex_tmp_dh_callback_idx =
|
||||
SSL_get_ex_new_index(0,"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
|
||||
|
||||
mSSL = rb_define_module_under(mOSSL, "SSL");
|
||||
eSSLError = rb_define_class_under(mSSL, "SSLError", eOSSLError);
|
||||
|
|
|
@ -64,7 +64,8 @@ $stdout.puts Process.pid
|
|||
$stdout.puts port
|
||||
|
||||
loop do
|
||||
Thread.start(ssls.accept) {|ssl|
|
||||
ssl = ssls.accept rescue next
|
||||
Thread.start{
|
||||
q = Queue.new
|
||||
th = Thread.start{ ssl.write(q.shift) while true }
|
||||
while line = ssl.gets
|
||||
|
|
|
@ -16,197 +16,8 @@ module SSLPair
|
|||
def server
|
||||
host = "127.0.0.1"
|
||||
port = 0
|
||||
key = OpenSSL::PKey::RSA.new(512)
|
||||
cert = OpenSSL::X509::Certificate.new
|
||||
cert.version = 2
|
||||
cert.serial = 0
|
||||
name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
|
||||
cert.subject = name
|
||||
cert.issuer = name
|
||||
cert.not_before = Time.now
|
||||
cert.not_after = Time.now + 3600
|
||||
cert.public_key = key.public_key
|
||||
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
|
||||
cert.extensions = [
|
||||
ef.create_extension("basicConstraints","CA:FALSE"),
|
||||
ef.create_extension("subjectKeyIdentifier","hash"),
|
||||
ef.create_extension("extendedKeyUsage","serverAuth"),
|
||||
ef.create_extension("keyUsage",
|
||||
"keyEncipherment,dataEncipherment,digitalSignature")
|
||||
]
|
||||
ef.issuer_certificate = cert
|
||||
cert.add_extension ef.create_extension("authorityKeyIdentifier",
|
||||
"keyid:always,issuer:always")
|
||||
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
||||
ctx = OpenSSL::SSL::SSLContext.new()
|
||||
ctx.key = key
|
||||
ctx.cert = cert
|
||||
tcps = TCPServer.new(host, port)
|
||||
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
|
||||
return ssls
|
||||
end
|
||||
|
||||
def client(port)
|
||||
host = "127.0.0.1"
|
||||
ctx = OpenSSL::SSL::SSLContext.new()
|
||||
s = TCPSocket.new(host, port)
|
||||
ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
|
||||
ssl.connect
|
||||
ssl.sync_close = true
|
||||
ssl
|
||||
end
|
||||
|
||||
def ssl_pair
|
||||
ssls = server
|
||||
th = Thread.new {
|
||||
ns = ssls.accept
|
||||
ssls.close
|
||||
ns
|
||||
}
|
||||
port = ssls.to_io.addr[1]
|
||||
c = client(port)
|
||||
s = th.value
|
||||
if block_given?
|
||||
begin
|
||||
yield c, s
|
||||
ensure
|
||||
c.close unless c.closed?
|
||||
s.close unless s.closed?
|
||||
end
|
||||
else
|
||||
return c, s
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
class OpenSSL::TestEOF1 < Test::Unit::TestCase
|
||||
include TestEOF
|
||||
include SSLPair
|
||||
|
||||
def open_file(content)
|
||||
s1, s2 = ssl_pair
|
||||
Thread.new { s2 << content; s2.close }
|
||||
yield s1
|
||||
end
|
||||
end
|
||||
|
||||
class OpenSSL::TestEOF2 < Test::Unit::TestCase
|
||||
include TestEOF
|
||||
include SSLPair
|
||||
|
||||
def open_file(content)
|
||||
s1, s2 = ssl_pair
|
||||
Thread.new { s1 << content; s1.close }
|
||||
yield s2
|
||||
end
|
||||
end
|
||||
|
||||
class OpenSSL::TestPair < Test::Unit::TestCase
|
||||
include SSLPair
|
||||
|
||||
def test_getc
|
||||
ssl_pair {|s1, s2|
|
||||
s1 << "a"
|
||||
assert_equal(?a, s2.getc)
|
||||
}
|
||||
end
|
||||
|
||||
def test_readpartial
|
||||
ssl_pair {|s1, s2|
|
||||
s2.write "a\nbcd"
|
||||
assert_equal("a\n", s1.gets)
|
||||
assert_equal("bcd", s1.readpartial(10))
|
||||
s2.write "efg"
|
||||
assert_equal("efg", s1.readpartial(10))
|
||||
s2.close
|
||||
assert_raise(EOFError) { s1.readpartial(10) }
|
||||
assert_raise(EOFError) { s1.readpartial(10) }
|
||||
assert_equal("", s1.readpartial(0))
|
||||
}
|
||||
end
|
||||
|
||||
def test_readall
|
||||
ssl_pair {|s1, s2|
|
||||
s2.close
|
||||
assert_equal("", s1.read)
|
||||
}
|
||||
end
|
||||
|
||||
def test_readline
|
||||
ssl_pair {|s1, s2|
|
||||
s2.close
|
||||
assert_raise(EOFError) { s1.readline }
|
||||
}
|
||||
end
|
||||
|
||||
def test_puts_meta
|
||||
ssl_pair {|s1, s2|
|
||||
begin
|
||||
old = $/
|
||||
$/ = '*'
|
||||
s1.puts 'a'
|
||||
ensure
|
||||
$/ = old
|
||||
end
|
||||
s1.close
|
||||
assert_equal("a\n", s2.read)
|
||||
}
|
||||
end
|
||||
|
||||
def test_puts_empty
|
||||
ssl_pair {|s1, s2|
|
||||
s1.puts
|
||||
s1.close
|
||||
assert_equal("\n", s2.read)
|
||||
}
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
begin
|
||||
require "openssl"
|
||||
rescue LoadError
|
||||
end
|
||||
require 'test/unit'
|
||||
|
||||
if defined?(OpenSSL)
|
||||
|
||||
require 'socket'
|
||||
dir = File.expand_path(__FILE__)
|
||||
2.times {dir = File.dirname(dir)}
|
||||
$:.replace([File.join(dir, "ruby")] | $:)
|
||||
require 'ut_eof'
|
||||
|
||||
module SSLPair
|
||||
def server
|
||||
host = "127.0.0.1"
|
||||
port = 0
|
||||
key = OpenSSL::PKey::RSA.new(512)
|
||||
cert = OpenSSL::X509::Certificate.new
|
||||
cert.version = 2
|
||||
cert.serial = 0
|
||||
name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
|
||||
cert.subject = name
|
||||
cert.issuer = name
|
||||
cert.not_before = Time.now
|
||||
cert.not_after = Time.now + 3600
|
||||
cert.public_key = key.public_key
|
||||
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
|
||||
cert.extensions = [
|
||||
ef.create_extension("basicConstraints","CA:FALSE"),
|
||||
ef.create_extension("subjectKeyIdentifier","hash"),
|
||||
ef.create_extension("extendedKeyUsage","serverAuth"),
|
||||
ef.create_extension("keyUsage",
|
||||
"keyEncipherment,dataEncipherment,digitalSignature")
|
||||
]
|
||||
ef.issuer_certificate = cert
|
||||
cert.add_extension ef.create_extension("authorityKeyIdentifier",
|
||||
"keyid:always,issuer:always")
|
||||
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
||||
ctx = OpenSSL::SSL::SSLContext.new()
|
||||
ctx.key = key
|
||||
ctx.cert = cert
|
||||
ctx.ciphers = "ADH"
|
||||
tcps = TCPServer.new(host, port)
|
||||
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
|
||||
return ssls
|
||||
|
@ -215,6 +26,7 @@ module SSLPair
|
|||
def client(port)
|
||||
host = "127.0.0.1"
|
||||
ctx = OpenSSL::SSL::SSLContext.new()
|
||||
ctx.ciphers = "ADH"
|
||||
s = TCPSocket.new(host, port)
|
||||
ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
|
||||
ssl.connect
|
||||
|
|
|
@ -155,6 +155,43 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
|
|||
}
|
||||
end
|
||||
|
||||
def test_client_auth
|
||||
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
|
||||
start_server(PORT, vflag, true){|s, p|
|
||||
assert_raises(OpenSSL::SSL::SSLError){
|
||||
sock = TCPSocket.new("127.0.0.1", p)
|
||||
ssl = OpenSSL::SSL::SSLSocket.new(sock)
|
||||
ssl.connect
|
||||
}
|
||||
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.key = @cli_key
|
||||
ctx.cert = @cli_cert
|
||||
sock = TCPSocket.new("127.0.0.1", p)
|
||||
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
||||
ssl.sync_close = true
|
||||
ssl.connect
|
||||
ssl.puts("foo")
|
||||
assert_equal("foo\n", ssl.gets)
|
||||
ssl.close
|
||||
|
||||
called = nil
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.client_cert_cb = Proc.new{|ssl|
|
||||
called = true
|
||||
[@cli_cert, @cli_key]
|
||||
}
|
||||
sock = TCPSocket.new("127.0.0.1", p)
|
||||
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
||||
ssl.sync_close = true
|
||||
ssl.connect
|
||||
assert(called)
|
||||
ssl.puts("foo")
|
||||
assert_equal("foo\n", ssl.gets)
|
||||
ssl.close
|
||||
}
|
||||
end
|
||||
|
||||
def test_starttls
|
||||
start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p|
|
||||
sock = TCPSocket.new("127.0.0.1", p)
|
||||
|
|
Loading…
Reference in a new issue