diff options
Diffstat (limited to 'ext/openssl')
| -rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 17 | ||||
| -rw-r--r-- | ext/openssl/ossl_pkey.h | 2 | ||||
| -rw-r--r-- | ext/openssl/ossl_pkey_dh.c | 7 | ||||
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 21 |
4 files changed, 22 insertions, 25 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index aef465b684..ef2b3f1c64 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -74,10 +74,24 @@ module OpenSSL DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL end + if defined?(OpenSSL::PKey::DH) + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| + warn "using default DH parameters." if $VERBOSE + case keylen + when 512 then OpenSSL::PKey::DH::DEFAULT_512 + when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 + else + nil + end + } + else + DEFAULT_TMP_DH_CALLBACK = nil + end + INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path", "timeout", "verify_mode", "verify_depth", "renegotiation_cb", "verify_callback", "options", "cert_store", "extra_chain_cert", - "client_cert_cb", "tmp_dh_callback", "session_id_context", + "client_cert_cb", "session_id_context", "session_get_cb", "session_new_cb", "session_remove_cb", "tmp_ecdh_callback", "servername_cb", "npn_protocols", "alpn_protocols", "alpn_select_cb", @@ -91,6 +105,7 @@ module OpenSSL # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS def initialize(version = nil) INIT_VARS.each { |v| instance_variable_set v, nil } + @tmp_dh_callback = DEFAULT_TMP_DH_CALLBACK return unless version self.ssl_version = version end diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h index 951b0de567..6ba4ed5e59 100644 --- a/ext/openssl/ossl_pkey.h +++ b/ext/openssl/ossl_pkey.h @@ -84,8 +84,6 @@ void Init_ossl_dsa(void); */ extern VALUE cDH; extern VALUE eDHError; -extern DH *OSSL_DEFAULT_DH_512; -extern DH *OSSL_DEFAULT_DH_1024; VALUE ossl_dh_new(EVP_PKEY *); void Init_ossl_dh(void); diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c index 234cdaa1c5..d622fc3c16 100644 --- a/ext/openssl/ossl_pkey_dh.c +++ b/ext/openssl/ossl_pkey_dh.c @@ -540,7 +540,6 @@ static unsigned char DEFAULT_DH_512_PRIM[] = { 0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb, }; static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 }; -DH *OSSL_DEFAULT_DH_512 = NULL; /* * -----BEGIN DH PARAMETERS----- @@ -568,7 +567,6 @@ static unsigned char DEFAULT_DH_1024_PRIM[] = { 0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83 }; static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 }; -DH *OSSL_DEFAULT_DH_1024 = NULL; static DH* ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen) @@ -596,6 +594,8 @@ Init_ossl_dh(void) mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */ mPKey = rb_define_module_under(mOSSL, "PKey"); #endif + DH *OSSL_DEFAULT_DH_512; + DH *OSSL_DEFAULT_DH_1024; /* Document-class: OpenSSL::PKey::DHError * @@ -658,6 +658,9 @@ Init_ossl_dh(void) OSSL_DEFAULT_DH_1024 = ossl_create_dh( DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM), DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN)); + + rb_define_const(cDH, "DEFAULT_512", dh_instance(cDH, OSSL_DEFAULT_DH_512)); + rb_define_const(cDH, "DEFAULT_1024", dh_instance(cDH, OSSL_DEFAULT_DH_1024)); } #else /* defined NO_DH */ diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 205b196647..3e756eae5f 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -283,20 +283,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh; } - -static DH* -ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -{ - rb_warning("using default DH parameters."); - - switch(keylength){ - case 512: - return OSSL_DEFAULT_DH_512; - case 1024: - return OSSL_DEFAULT_DH_1024; - } - return NULL; -} #endif /* OPENSSL_NO_DH */ #if !defined(OPENSSL_NO_EC) @@ -708,12 +694,7 @@ ossl_sslctx_setup(VALUE self) GetSSLCTX(self, ctx); #if !defined(OPENSSL_NO_DH) - if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){ - SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); - } - else{ - SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback); - } + SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); #endif #if !defined(OPENSSL_NO_EC) |