summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-04-04 15:06:46 +0000
committernobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-04-04 15:06:46 +0000
commit176976db33fd8dd7b03c3dc23006b56d06cf1e8f (patch)
tree1d7b341793099e68419425a1bcb877fbb7a79dfc
parent990d709eeb04640f1909ba23ec81031c75408bac (diff)
openssl: Access to ephemeral TLS session key
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral TLS session key in case of forward secrecy cipher. Only available since OpenSSL 1.0.2. [Fix GH-1318] * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog8
-rw-r--r--ext/openssl/extconf.rb1
-rw-r--r--ext/openssl/ossl_ssl.c22
-rw-r--r--test/openssl/test_ssl.rb23
-rw-r--r--test/openssl/utils.rb1
5 files changed, 55 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index e8668799a1..6ffd918749 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+Tue Apr 5 00:06:44 2016 Aeris <aeris@imirhil.fr>
+
+ * ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
+ TLS session key in case of forward secrecy cipher. Only
+ available since OpenSSL 1.0.2. [Fix GH-1318]
+
+ * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.
+
Mon Apr 4 23:37:05 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* vm_core.h (rb_vm_struct): make at_exit a single linked list but
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 0b7fa2aaf9..c36a7021e4 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -111,6 +111,7 @@ have_func("TLSv1_2_server_method")
have_func("TLSv1_2_client_method")
have_func("SSL_CTX_set_alpn_select_cb")
have_func("SSL_CTX_set_next_proto_select_cb")
+have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
end
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 5fcd2145c3..96c7990046 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1912,6 +1912,25 @@ ossl_ssl_alpn_protocol(VALUE self)
return rb_str_new((const char *) out, outlen);
}
# endif
+
+# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
+/*
+ * call-seq:
+ * ssl.tmp_key => PKey or nil
+ *
+ * Returns the ephemeral key used in case of forward secrecy cipher
+ */
+static VALUE
+ossl_ssl_tmp_key(VALUE self)
+{
+ SSL *ssl;
+ EVP_PKEY *key;
+ ossl_ssl_data_get_struct(self, ssl);
+ if (!SSL_get_server_tmp_key(ssl, &key))
+ return Qnil;
+ return ossl_pkey_new(key);
+}
+# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
void
@@ -2306,6 +2325,9 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1);
rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0);
rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
+# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
+ rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
+# endif
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
# endif
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 28f5141cb0..b3f5661e5c 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -1169,6 +1169,29 @@ end
}
end
+ def test_get_ephemeral_key
+ return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
+ ciphers = {
+ 'ECDHE-RSA-AES128-SHA' => OpenSSL::PKey::EC,
+ 'DHE-RSA-AES128-SHA' => OpenSSL::PKey::DH,
+ 'AES128-SHA' => nil
+ }
+ conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
+ start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc) do |server, port|
+ ciphers.each do |cipher, ephemeral|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = cipher
+ server_connect(port, ctx) do |ssl|
+ if ephemeral
+ assert_equal(ephemeral, ssl.tmp_key.class)
+ else
+ assert_nil(ssl.tmp_key)
+ end
+ end
+ end
+ end
+ end
+
private
def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index d4f0443511..6909854cad 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -277,6 +277,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
ctx.cert = @svr_cert
ctx.key = @svr_key
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
+ ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc