summaryrefslogtreecommitdiff
path: root/ext/openssl
diff options
context:
space:
mode:
authorKazuki Yamaguchi <k@rhe.jp>2021-03-18 20:04:59 +0900
committerKazuki Yamaguchi <k@rhe.jp>2021-10-16 18:19:52 +0900
commit6105ef7629c297c94f9e85f26adf7c0426089ca5 (patch)
treef7673285256b524380e42581c2daa78334d5c020 /ext/openssl
parent49217086adf262f63078c65e693796dc892c5216 (diff)
[ruby/openssl] ssl: add SSLContext#tmp_dh=
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which sets the DH parameters used for ephemeral DH key exchange. SSLContext#tmp_dh_callback= already exists for this purpose, as a wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered obsolete and the OpenSSL API is deprecated for future removal. There is no practical use case where an application needs to use different DH parameters nowadays. This was originally introduced to support export grade ciphers. RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=. Note that current versions of OpenSSL support automatic ECDHE curve selection which is enabled by default. SSLContext#tmp_dh= should only be necessary if you must allow ancient clients which don't support ECDHE. https://github.com/ruby/openssl/commit/aa43da4f04
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/extconf.rb3
-rw-r--r--ext/openssl/lib/openssl/ssl.rb8
-rw-r--r--ext/openssl/ossl_ssl.c49
3 files changed, 57 insertions, 3 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index aa4eae824c7..9a822f60ac7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -170,6 +170,9 @@ have_func("SSL_CTX_set_post_handshake_auth")
# added in 1.1.1
have_func("EVP_PKEY_check")
+# added in 3.0.0
+have_func("SSL_set0_tmp_dh_pkey")
+
Logging::message "=== Checking done. ===\n"
create_header
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index f729a765098..a9103ecd278 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -91,15 +91,17 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
DEFAULT_CERT_STORE.set_default_paths
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
- # A callback invoked when DH parameters are required.
+ # A callback invoked when DH parameters are required for ephemeral DH key
+ # exchange.
#
- # The callback is invoked with the Session for the key exchange, an
+ # The callback is invoked with the SSLSocket, a
# flag indicating the use of an export cipher and the keylength
# required.
#
# The callback must return an OpenSSL::PKey::DH instance of the correct
# key length.
-
+ #
+ # <b>Deprecated in version 3.0.</b> Use #tmp_dh= instead.
attr_accessor :tmp_dh_callback
# A callback invoked at connect time to distinguish between multiple
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index a32e1dcd185..8ebfac52b41 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -987,6 +987,52 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
+#ifndef OPENSSL_NO_DH
+/*
+ * call-seq:
+ * ctx.tmp_dh = pkey
+ *
+ * Sets DH parameters used for ephemeral DH key exchange. This is relevant for
+ * servers only.
+ *
+ * +pkey+ is an instance of OpenSSL::PKey::DH. Note that key components
+ * contained in the key object, if any, are ignored. The server will always
+ * generate a new key pair for each handshake.
+ *
+ * Added in version 3.0. See also the man page SSL_set0_tmp_dh_pkey(3).
+ *
+ * Example:
+ * ctx = OpenSSL::SSL::SSLContext.new
+ * ctx.tmp_dh = OpenSSL::DH.generate(2048)
+ * svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx)
+ * Thread.new { svr.accept }
+ */
+static VALUE
+ossl_sslctx_set_tmp_dh(VALUE self, VALUE arg)
+{
+ SSL_CTX *ctx;
+ EVP_PKEY *pkey;
+
+ rb_check_frozen(self);
+ GetSSLCTX(self, ctx);
+ pkey = GetPKeyPtr(arg);
+
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH)
+ rb_raise(eSSLError, "invalid pkey type %s (expected DH)",
+ OBJ_nid2sn(EVP_PKEY_base_id(pkey)));
+#ifdef HAVE_SSL_SET0_TMP_DH_PKEY
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
+ ossl_raise(eSSLError, "SSL_CTX_set0_tmp_dh_pkey");
+ EVP_PKEY_up_ref(pkey);
+#else
+ if (!SSL_CTX_set_tmp_dh(ctx, EVP_PKEY_get0_DH(pkey)))
+ ossl_raise(eSSLError, "SSL_CTX_set_tmp_dh");
+#endif
+
+ return arg;
+}
+#endif
+
#if !defined(OPENSSL_NO_EC)
/*
* call-seq:
@@ -2670,6 +2716,9 @@ Init_ossl_ssl(void)
ossl_sslctx_set_minmax_proto_version, 2);
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
+#ifndef OPENSSL_NO_DH
+ rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
+#endif
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);