* ext/openssl/ossl_ssl.c: OpenSSL::SSL::SSLContexts suports callbacks:

  - SSLContext#client_cert_cb is a Proc. it is called when a client
    certificate is requested by a server and no certificate was yet
    set for the SSLContext. it must return an Array which includes
    OpenSSL::X509::Certificate and OpenSSL::PKey::RSA/DSA objects.
  - SSLContext#tmp_dh_callback is called in key exchange with DH
    algorithm. it must return an OpenSSL::PKey::DH object.

* ext/openssl/ossl_ssl.c:
  (ossl_sslctx_set_ciphers): ignore the argument if it's nil.
  (ossl_start_ssl, ossl_ssl_write): call rb_sys_fail if errno isn't 0.
  [ruby-dev:25831]

* ext/openssl/ossl_pkey.c
  (GetPrivPKeyPtr, ossl_pkey_sign): should call rb_funcall first.
  (DupPrivPKeyPtr): new function.

* ext/openssl/ossl_pkey_dh.c: add default DH parameters.

* ext/openssl/ossl_pkey.h: ditto.

* ext/openssl/lib/openssl/cipher.rb: fix typo. [ruby-dev:24285]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@8129 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

3 files changed, 41 insertions, 191 deletions

diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb
index 556c28b84c..6e620629c5 100644
--- a/test/openssl/ssl_server.rb
+++ b/test/openssl/ssl_server.rb
@@ -64,7 +64,8 @@ $stdout.puts Process.pid
 $stdout.puts port
 
 loop do
-  Thread.start(ssls.accept) {|ssl|
+  ssl = ssls.accept rescue next
+  Thread.start{
     q = Queue.new
     th = Thread.start{ ssl.write(q.shift) while true }
     while line = ssl.gets
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 7dd658b825..7273554362 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -16,197 +16,8 @@ module SSLPair
   def server
     host = "127.0.0.1"
     port = 0
-    key = OpenSSL::PKey::RSA.new(512)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 0
-    name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
-    cert.subject = name
-    cert.issuer = name
-    cert.not_before = Time.now
-    cert.not_after = Time.now + 3600
-    cert.public_key = key.public_key
-    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
-    cert.extensions = [
-      ef.create_extension("basicConstraints","CA:FALSE"),
-      ef.create_extension("subjectKeyIdentifier","hash"),
-      ef.create_extension("extendedKeyUsage","serverAuth"),
-      ef.create_extension("keyUsage",
-                          "keyEncipherment,dataEncipherment,digitalSignature")
-    ]
-    ef.issuer_certificate = cert
-    cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                           "keyid:always,issuer:always")
-    cert.sign(key, OpenSSL::Digest::SHA1.new)
     ctx = OpenSSL::SSL::SSLContext.new()
-    ctx.key = key
-    ctx.cert = cert
-    tcps = TCPServer.new(host, port)
-    ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
-    return ssls
-  end
-
-  def client(port)
-    host = "127.0.0.1"
-    ctx = OpenSSL::SSL::SSLContext.new()
-    s = TCPSocket.new(host, port)
-    ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
-    ssl.connect
-    ssl.sync_close = true
-    ssl
-  end
-
-  def ssl_pair
-    ssls = server
-    th = Thread.new {
-      ns = ssls.accept
-      ssls.close
-      ns
-    }
-    port = ssls.to_io.addr[1]
-    c = client(port)
-    s = th.value
-    if block_given?
-      begin
-        yield c, s
-      ensure
-        c.close unless c.closed?
-        s.close unless s.closed?
-      end
-    else
-      return c, s
-    end
-  end
-end
-
-class OpenSSL::TestEOF1 < Test::Unit::TestCase
-  include TestEOF
-  include SSLPair
-
-  def open_file(content)
-    s1, s2 = ssl_pair
-    Thread.new { s2 << content; s2.close }
-    yield s1
-  end
-end
-
-class OpenSSL::TestEOF2 < Test::Unit::TestCase
-  include TestEOF
-  include SSLPair
-
-  def open_file(content)
-    s1, s2 = ssl_pair
-    Thread.new { s1 << content; s1.close }
-    yield s2
-  end
-end
-
-class OpenSSL::TestPair < Test::Unit::TestCase
-  include SSLPair
-
-  def test_getc
-    ssl_pair {|s1, s2|
-      s1 << "a"
-      assert_equal(?a, s2.getc)
-    }
-  end
-
-  def test_readpartial
-    ssl_pair {|s1, s2|
-      s2.write "a\nbcd"
-      assert_equal("a\n", s1.gets)
-      assert_equal("bcd", s1.readpartial(10))
-      s2.write "efg"
-      assert_equal("efg", s1.readpartial(10))
-      s2.close
-      assert_raise(EOFError) { s1.readpartial(10) }
-      assert_raise(EOFError) { s1.readpartial(10) }
-      assert_equal("", s1.readpartial(0))
-    }
-  end
-
-  def test_readall
-    ssl_pair {|s1, s2|
-      s2.close
-      assert_equal("", s1.read)
-    }
-  end
-
-  def test_readline
-    ssl_pair {|s1, s2|
-      s2.close
-      assert_raise(EOFError) { s1.readline }
-    }
-  end
-
-  def test_puts_meta
-    ssl_pair {|s1, s2|
-      begin
-        old = $/
-        $/ = '*'
-        s1.puts 'a'
-      ensure
-        $/ = old
-      end
-      s1.close
-      assert_equal("a\n", s2.read)
-    }
-  end
-
-  def test_puts_empty
-    ssl_pair {|s1, s2|
-      s1.puts
-      s1.close
-      assert_equal("\n", s2.read)
-    }
-  end
-
-end
-
-end
-begin
-  require "openssl"
-rescue LoadError
-end
-require 'test/unit'
-
-if defined?(OpenSSL)
-
-require 'socket'
-dir = File.expand_path(__FILE__)
-2.times {dir = File.dirname(dir)}
-$:.replace([File.join(dir, "ruby")] | $:)
-require 'ut_eof'
-
-module SSLPair
-  def server
-    host = "127.0.0.1"
-    port = 0
-    key = OpenSSL::PKey::RSA.new(512)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 0
-    name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
-    cert.subject = name
-    cert.issuer = name
-    cert.not_before = Time.now
-    cert.not_after = Time.now + 3600
-    cert.public_key = key.public_key
-    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
-    cert.extensions = [
-      ef.create_extension("basicConstraints","CA:FALSE"),
-      ef.create_extension("subjectKeyIdentifier","hash"),
-      ef.create_extension("extendedKeyUsage","serverAuth"),
-      ef.create_extension("keyUsage",
-                          "keyEncipherment,dataEncipherment,digitalSignature")
-    ]
-    ef.issuer_certificate = cert
-    cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                           "keyid:always,issuer:always")
-    cert.sign(key, OpenSSL::Digest::SHA1.new)
-    ctx = OpenSSL::SSL::SSLContext.new()
-    ctx.key = key
-    ctx.cert = cert
+    ctx.ciphers = "ADH"
     tcps = TCPServer.new(host, port)
     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
     return ssls
@@ -215,6 +26,7 @@ module SSLPair
   def client(port)
     host = "127.0.0.1"
     ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
     s = TCPSocket.new(host, port)
     ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
     ssl.connect
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 8f440076e8..08c18f440b 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -155,6 +155,43 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     }
   end
 
+  def test_client_auth
+    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    start_server(PORT, vflag, true){|s, p|
+      assert_raises(OpenSSL::SSL::SSLError){
+        sock = TCPSocket.new("127.0.0.1", p)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock)
+        ssl.connect
+      }
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", p)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+
+      called = nil
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.client_cert_cb = Proc.new{|ssl|
+        called = true
+        [@cli_cert, @cli_key]
+      }
+      sock = TCPSocket.new("127.0.0.1", p)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      assert(called)
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+    }
+  end
+
   def test_starttls
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p|
       sock = TCPSocket.new("127.0.0.1", p)