summaryrefslogtreecommitdiff
path: root/ext
diff options
context:
space:
mode:
Diffstat (limited to 'ext')
-rw-r--r--ext/openssl/ossl_pkey.c21
-rw-r--r--ext/openssl/ossl_pkey.h10
-rw-r--r--ext/openssl/ossl_pkey_dh.c77
-rw-r--r--ext/openssl/ossl_ssl.c159
4 files changed, 234 insertions, 33 deletions
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 1a38a2c1d7..db70333047 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -96,10 +96,21 @@ GetPrivPKeyPtr(VALUE obj)
{
EVP_PKEY *pkey;
- SafeGetPKey(obj, pkey);
- if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */
+ if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) {
ossl_raise(rb_eArgError, "Private key is needed.");
}
+ SafeGetPKey(obj, pkey);
+
+ return pkey;
+}
+
+EVP_PKEY *
+DupPKeyPtr(VALUE obj)
+{
+ EVP_PKEY *pkey;
+
+ SafeGetPKey(obj, pkey);
+ CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
return pkey;
}
@@ -109,10 +120,10 @@ DupPrivPKeyPtr(VALUE obj)
{
EVP_PKEY *pkey;
- SafeGetPKey(obj, pkey);
- if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) { /* returns Qtrue */
+ if (rb_funcall(obj, id_private_q, 0, NULL) != Qtrue) {
ossl_raise(rb_eArgError, "Private key is needed.");
}
+ SafeGetPKey(obj, pkey);
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
return pkey;
@@ -152,10 +163,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
int buf_len;
VALUE str;
- GetPKey(self, pkey);
if (rb_funcall(self, id_private_q, 0, NULL) != Qtrue) {
ossl_raise(rb_eArgError, "Private key is needed.");
}
+ GetPKey(self, pkey);
EVP_SignInit(&ctx, GetDigestPtr(digest));
StringValue(data);
EVP_SignUpdate(&ctx, RSTRING(data)->ptr, RSTRING(data)->len);
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
index 189573546e..db4d3cf19d 100644
--- a/ext/openssl/ossl_pkey.h
+++ b/ext/openssl/ossl_pkey.h
@@ -38,7 +38,7 @@ void ossl_generate_cb(int, int, void *);
VALUE ossl_pkey_new(EVP_PKEY *);
VALUE ossl_pkey_new_from_file(VALUE);
EVP_PKEY *GetPKeyPtr(VALUE);
-/*EVP_PKEY *DupPKeyPtr(VALUE);*/
+EVP_PKEY *DupPKeyPtr(VALUE);
EVP_PKEY *GetPrivPKeyPtr(VALUE);
EVP_PKEY *DupPrivPKeyPtr(VALUE);
void Init_ossl_pkey(void);
@@ -66,6 +66,8 @@ void Init_ossl_dsa(void);
*/
extern VALUE cDH;
extern VALUE eDHError;
+extern DH *OSSL_DEFAULT_DH_512;
+extern DH *OSSL_DEFAULT_DH_1024;
VALUE ossl_dh_new(EVP_PKEY *);
void Init_ossl_dh(void);
@@ -104,10 +106,10 @@ static VALUE ossl_##keytype##_set_##name(VALUE self, VALUE bignum) \
return bignum; \
}
-#define DEF_OSSL_PKEY_BN(class, keytype, name) \
-do { \
+#define DEF_OSSL_PKEY_BN(class, keytype, name) \
+do { \
rb_define_method(class, #name, ossl_##keytype##_get_##name, 0); \
- rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1); \
+ rb_define_method(class, #name "=", ossl_##keytype##_set_##name, 1);\
} while (0)
#endif /* _OSSL_PKEY_H_ */
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
index 7070cf03f4..5b728ba353 100644
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@@ -350,18 +350,78 @@ OSSL_PKEY_BN(dh, pub_key);
OSSL_PKEY_BN(dh, priv_key);
/*
+ * -----BEGIN DH PARAMETERS-----
+ * MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+ * zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+ * -----END DH PARAMETERS-----
+ */
+static unsigned char DEFAULT_DH_512_PRIM[] = {
+ 0xf4, 0xcd, 0x71, 0xe5, 0x8d, 0x18, 0x3f, 0x98,
+ 0x9f, 0x4f, 0x60, 0xb0, 0x02, 0x2e, 0xfe, 0x7c,
+ 0x09, 0xdf, 0x15, 0xc4, 0x1c, 0x71, 0x63, 0xba,
+ 0x04, 0xb8, 0x27, 0x94, 0x44, 0xc8, 0x93, 0xa8,
+ 0x48, 0x4c, 0xca, 0x6d, 0x7a, 0xae, 0x18, 0x4a,
+ 0x81, 0x91, 0xb6, 0xce, 0x4d, 0x8e, 0xf6, 0xe5,
+ 0x08, 0x04, 0x8c, 0x52, 0x8f, 0xe3, 0x4a, 0x31,
+ 0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb,
+};
+static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 };
+DH *OSSL_DEFAULT_DH_512 = NULL;
+
+/*
+ * -----BEGIN DH PARAMETERS-----
+ * MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+ * AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
+ * T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
+ * -----END DH PARAMETERS-----
+ */
+static unsigned char DEFAULT_DH_1024_PRIM[] = {
+ 0x9d, 0x25, 0x39, 0x5c, 0xb4, 0x54, 0x8a, 0xff,
+ 0x25, 0xe6, 0xd6, 0x9f, 0x4c, 0xc3, 0xc1, 0x8d,
+ 0xa1, 0xfa, 0xba, 0x88, 0x4c, 0x53, 0xa9, 0x74,
+ 0xda, 0xfa, 0xba, 0x0b, 0x20, 0xbe, 0x40, 0xd7,
+ 0xba, 0xe7, 0x1d, 0x70, 0x28, 0x61, 0x60, 0x4c,
+ 0x49, 0x01, 0x5f, 0xd9, 0x0f, 0x60, 0x16, 0x3d,
+ 0xba, 0xd3, 0xa9, 0x5e, 0xfa, 0x98, 0x64, 0x60,
+ 0x26, 0x0e, 0x04, 0x75, 0xd8, 0x13, 0xd7, 0x31,
+ 0xb4, 0x8e, 0xad, 0xeb, 0x9c, 0x57, 0x4c, 0x8f,
+ 0x65, 0xf3, 0x90, 0x16, 0x31, 0xdc, 0x15, 0x6f,
+ 0x7d, 0x1d, 0x00, 0xae, 0x76, 0xf2, 0xd1, 0x11,
+ 0xd1, 0x4f, 0x88, 0x7b, 0x29, 0x9f, 0xf6, 0xce,
+ 0x68, 0xef, 0x57, 0xe7, 0x85, 0xf2, 0x40, 0x54,
+ 0x1c, 0x12, 0x40, 0xa2, 0x35, 0x25, 0xcf, 0x12,
+ 0xa3, 0xe1, 0x07, 0x8e, 0xdb, 0x1d, 0xb4, 0x14,
+ 0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83
+};
+static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 };
+DH *OSSL_DEFAULT_DH_1024 = NULL;
+
+static DH*
+ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen)
+{
+ DH *dh;
+
+ if ((dh = DH_new()) == NULL) ossl_raise(eDHError, NULL);
+ dh->p = BN_bin2bn(p, plen, NULL);
+ dh->g = BN_bin2bn(g, glen, NULL);
+ if (dh->p == NULL || dh->g == NULL){
+ DH_free(dh);
+ ossl_raise(eDHError, NULL);
+ }
+
+ return dh;
+}
+
+/*
* INIT
*/
void
Init_ossl_dh()
{
eDHError = rb_define_class_under(mPKey, "DHError", ePKeyError);
-
cDH = rb_define_class_under(mPKey, "DH", cPKey);
-
rb_define_singleton_method(cDH, "generate", ossl_dh_s_generate, -1);
rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);
-
rb_define_method(cDH, "public?", ossl_dh_is_public, 0);
rb_define_method(cDH, "private?", ossl_dh_is_private, 0);
rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
@@ -370,22 +430,25 @@ Init_ossl_dh()
rb_define_alias(cDH, "to_s", "export");
rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);
rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
-
rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);
rb_define_method(cDH, "generate_key!", ossl_dh_generate_key, 0);
rb_define_method(cDH, "compute_key", ossl_dh_compute_key, 1);
-
DEF_OSSL_PKEY_BN(cDH, dh, p);
DEF_OSSL_PKEY_BN(cDH, dh, g);
DEF_OSSL_PKEY_BN(cDH, dh, pub_key);
DEF_OSSL_PKEY_BN(cDH, dh, priv_key);
-
rb_define_method(cDH, "params", ossl_dh_get_params, 0);
+
+ OSSL_DEFAULT_DH_512 = ossl_create_dh(
+ DEFAULT_DH_512_PRIM, sizeof(DEFAULT_DH_512_PRIM),
+ DEFAULT_DH_512_GEN, sizeof(DEFAULT_DH_512_GEN));
+ OSSL_DEFAULT_DH_1024 = ossl_create_dh(
+ DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM),
+ DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN));
}
#else /* defined NO_DH */
# warning >>> OpenSSL is compiled without DH support <<<
-
void
Init_ossl_dh()
{
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index efe2eb83ab..9af3abfeec 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -45,6 +45,8 @@ VALUE cSSLSocket;
#define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v))
#define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
#define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
+#define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
+#define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v))
#define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
#define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
@@ -58,13 +60,36 @@ VALUE cSSLSocket;
#define ossl_sslctx_get_options(o) rb_iv_get((o),"@options")
#define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
#define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
+#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
+#define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
static char *ossl_sslctx_attrs[] = {
"cert", "key", "client_ca", "ca_file", "ca_path",
"timeout", "verify_mode", "verify_depth",
- "verify_callback", "options", "cert_store", "extra_chain_cert"
+ "verify_callback", "options", "cert_store", "extra_chain_cert",
+ "client_cert_cb", "tmp_dh_callback",
};
+#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
+#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
+#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
+#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
+#define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
+#define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
+
+#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
+#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
+#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
+#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
+#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
+#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
+
+static char *ossl_ssl_attr_readers[] = { "io", "context", };
+static char *ossl_ssl_attrs[] = { "sync_close", };
+
+/*
+ * SSLContext class
+ */
struct {
const char *name;
SSL_METHOD *(*func)(void);
@@ -87,6 +112,9 @@ struct {
int ossl_ssl_ex_vcb_idx;
int ossl_ssl_ex_store_p;
+int ossl_ssl_ex_ptr_idx;
+int ossl_ssl_ex_client_cert_cb_idx;
+int ossl_ssl_ex_tmp_dh_callback_idx;
static void
ossl_sslctx_free(SSL_CTX *ctx)
@@ -148,6 +176,89 @@ ossl_sslctx_initialize(int argc, VALUE *argv, VALUE self)
return self;
}
+static VALUE
+ossl_call_client_cert_cb(VALUE obj)
+{
+ VALUE cb, ary, cert, key;
+ SSL *ssl;
+
+ Data_Get_Struct(obj, SSL, ssl);
+ cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx);
+ if (NIL_P(cb)) return Qfalse;
+ ary = rb_funcall(cb, rb_intern("call"), 1, obj);
+ Check_Type(ary, T_ARRAY);
+ GetX509CertPtr(cert = rb_ary_entry(ary, 0));
+ GetPKeyPtr(key = rb_ary_entry(ary, 1));
+ ossl_ssl_set_x509(obj, cert);
+ ossl_ssl_set_key(obj, key);
+
+ return Qtrue;
+}
+
+static int
+ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+{
+ VALUE obj;
+ int status, success;
+
+ obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+ success = rb_protect((VALUE(*)_((VALUE)))ossl_call_client_cert_cb,
+ obj, &status);
+ if (status || !success) return 0;
+ *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
+ *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
+
+ return 1;
+}
+
+#if !defined(OPENSSL_NO_DH)
+static VALUE
+ossl_call_tmp_dh_callback(VALUE *args)
+{
+ SSL *ssl;
+ VALUE cb, dh;
+ EVP_PKEY *pkey;
+
+ Data_Get_Struct(args[0], SSL, ssl);
+ cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx);
+ if (NIL_P(cb)) return Qfalse;
+ dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
+ pkey = GetPKeyPtr(dh);
+ if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
+ ossl_ssl_set_tmp_dh(args[0], dh);
+
+ return Qtrue;
+}
+
+static DH*
+ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+{
+ VALUE args[3];
+ int status, success;
+
+ args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
+ args[1] = INT2FIX(is_export);
+ args[2] = INT2FIX(keylength);
+ success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_dh_callback,
+ (VALUE)args, &status);
+ if (status || !success) return NULL;
+
+ return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
+}
+
+static DH*
+ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+{
+ switch(keylength){
+ case 512:
+ return OSSL_DEFAULT_DH_512;
+ case 1024:
+ return OSSL_DEFAULT_DH_1024;
+ }
+ return NULL;
+}
+#endif /* OPENSSL_NO_DH */
+
static int
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
@@ -189,6 +300,16 @@ ossl_sslctx_setup(VALUE self)
if(OBJ_FROZEN(self)) return Qnil;
Data_Get_Struct(self, SSL_CTX, ctx);
+#if !defined(OPENSSL_NO_DH)
+ if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
+ SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
+ }
+ else{
+ rb_warning("using default DH parameters.");
+ SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
+ }
+#endif
+
val = ossl_sslctx_get_cert_store(self);
if(!NIL_P(val)){
/*
@@ -258,6 +379,8 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_verify_mode(self);
verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
+ if (RTEST(ossl_sslctx_get_client_cert_cb(self)))
+ SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
val = ossl_sslctx_get_timeout(self);
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
@@ -324,7 +447,9 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
int i;
rb_check_frozen(self);
- if (TYPE(v) == T_ARRAY) {
+ if (NIL_P(v))
+ return v;
+ else if (TYPE(v) == T_ARRAY) {
str = rb_str_new2(NULL);
for (i = 0; i < RARRAY(v)->len; i++) {
elem = rb_ary_entry(v, i);
@@ -346,23 +471,13 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
if (!SSL_CTX_set_cipher_list(ctx, RSTRING(str)->ptr)) {
ossl_raise(eSSLError, "SSL_CTX_set_ciphers:");
}
- return Qnil;
+
+ return v;
}
/*
* SSLSocket class
*/
-#define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
-#define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
-#define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
-
-#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
-#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
-#define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
-
-static char *ossl_ssl_attr_readers[] = { "io", "context", };
-static char *ossl_ssl_attrs[] = { "sync_close", };
-
static void
ossl_ssl_shutdown(SSL *ssl)
{
@@ -407,7 +522,7 @@ ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
static VALUE
ossl_ssl_setup(VALUE self)
{
- VALUE io, v_ctx;
+ VALUE io, v_ctx, cb;
SSL_CTX *ctx;
SSL *ssl;
OpenFile *fptr;
@@ -428,6 +543,13 @@ ossl_ssl_setup(VALUE self)
rb_io_check_readable(fptr);
rb_io_check_writable(fptr);
SSL_set_fd(ssl, TO_SOCKET(fileno(fptr->f)));
+ SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self);
+ cb = ossl_sslctx_get_verify_cb(v_ctx);
+ SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb);
+ cb = ossl_sslctx_get_client_cert_cb(v_ctx);
+ SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
+ cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
+ SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
}
return Qtrue;
@@ -450,8 +572,6 @@ ossl_start_ssl(VALUE self, int (*func)())
Data_Get_Struct(self, SSL, ssl);
GetOpenFile(ossl_ssl_get_io(self), fptr);
- cb = ossl_sslctx_get_verify_cb(ossl_ssl_get_ctx(self));
- SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)cb);
for(;;){
if((ret = func(ssl)) > 0) break;
switch(ssl_get_error(ssl, ret)){
@@ -727,6 +847,11 @@ Init_ossl_ssl()
ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_vcb_idx",0,0,0);
ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,"ossl_ssl_ex_store_p",0,0,0);
+ ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,"ossl_ssl_ex_ptr_idx",0,0,0);
+ ossl_ssl_ex_client_cert_cb_idx =
+ SSL_get_ex_new_index(0,"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
+ ossl_ssl_ex_tmp_dh_callback_idx =
+ SSL_get_ex_new_index(0,"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
mSSL = rb_define_module_under(mOSSL, "SSL");
eSSLError = rb_define_class_under(mSSL, "SSLError", eOSSLError);