Feature #11356 » 0001-add-ecdh-support.patch
| ext/openssl/ossl_ssl.c | ||
|---|---|---|
|
#define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
|
||
|
#define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
|
||
|
#define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
|
||
|
#define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback")
|
||
|
#define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
|
||
|
#define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
|
||
| ... | ... | |
|
"verify_callback", "options", "cert_store", "extra_chain_cert",
|
||
|
"client_cert_cb", "tmp_dh_callback", "session_id_context",
|
||
|
"session_get_cb", "session_new_cb", "session_remove_cb",
|
||
|
"tmp_ecdh_callback",
|
||
|
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
|
||
|
"servername_cb",
|
||
|
#endif
|
||
| ... | ... | |
|
#define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
|
||
|
#define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
|
||
|
#define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
|
||
|
#define ossl_ssl_get_tmp_ecdh(o) rb_iv_get((o),"@tmp_ecdh")
|
||
|
#define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
|
||
|
#define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
|
||
| ... | ... | |
|
#define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
|
||
|
#define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
|
||
|
#define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
|
||
|
#define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v))
|
||
|
static const char *ossl_ssl_attr_readers[] = { "io", "context", };
|
||
|
static const char *ossl_ssl_attrs[] = {
|
||
| ... | ... | |
|
int ossl_ssl_ex_ptr_idx;
|
||
|
int ossl_ssl_ex_client_cert_cb_idx;
|
||
|
int ossl_ssl_ex_tmp_dh_callback_idx;
|
||
|
int ossl_ssl_ex_tmp_ecdh_callback_idx;
|
||
|
static void
|
||
|
ossl_sslctx_free(void *ptr)
|
||
| ... | ... | |
|
}
|
||
|
#endif /* OPENSSL_NO_DH */
|
||
|
#if !defined(OPENSSL_NO_EC)
|
||
|
static VALUE
|
||
|
ossl_call_tmp_ecdh_callback(VALUE *args)
|
||
|
{
|
||
|
SSL *ssl;
|
||
|
VALUE cb, ecdh;
|
||
|
EVP_PKEY *pkey;
|
||
|
GetSSL(args[0], ssl);
|
||
|
cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx);
|
||
|
if (NIL_P(cb)) return Qfalse;
|
||
|
ecdh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
|
||
|
pkey = GetPKeyPtr(ecdh);
|
||
|
if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) return Qfalse;
|
||
|
ossl_ssl_set_tmp_ecdh(args[0], ecdh);
|
||
|
return Qtrue;
|
||
|
}
|
||
|
static EC_KEY*
|
||
|
ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
|
||
|
{
|
||
|
VALUE args[3], success;
|
||
|
args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
|
||
|
args[1] = INT2FIX(is_export);
|
||
|
args[2] = INT2FIX(keylength);
|
||
|
success = rb_protect((VALUE(*)_((VALUE)))ossl_call_tmp_ecdh_callback,
|
||
|
(VALUE)args, NULL);
|
||
|
if (!RTEST(success)) return NULL;
|
||
|
return GetPKeyPtr(ossl_ssl_get_tmp_ecdh(args[0]))->pkey.ec;
|
||
|
}
|
||
|
#endif
|
||
|
static int
|
||
|
ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||
|
{
|
||
| ... | ... | |
|
SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
|
||
|
}
|
||
|
#endif
|
||
|
#if !defined(OPENSSL_NO_EC)
|
||
|
if (RTEST(ossl_sslctx_get_tmp_ecdh_cb(self))){
|
||
|
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
|
||
|
}
|
||
|
#endif
|
||
|
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self);
|
||
|
val = ossl_sslctx_get_cert_store(self);
|
||
| ... | ... | |
|
SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
|
||
|
cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
|
||
|
SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
|
||
|
cb = ossl_sslctx_get_tmp_ecdh_cb(v_ctx);
|
||
|
SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx, (void*)cb);
|
||
|
SSL_set_info_callback(ssl, ssl_info_cb);
|
||
|
}
|
||
| ... | ... | |
|
SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
|
||
|
ossl_ssl_ex_tmp_dh_callback_idx =
|
||
|
SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
|
||
|
ossl_ssl_ex_tmp_ecdh_callback_idx =
|
||
|
SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_ecdh_callback_idx",0,0,0);
|
||
|
/* Document-module: OpenSSL::SSL
|
||
|
*
|
||
| ... | ... | |
|
rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
|
||
|
/*
|
||
|
* A callback invoked when ECDH parameters are required.
|
||
|
*
|
||
|
* The callback is invoked with the Session for the key exchange, an
|
||
|
* flag indicating the use of an export cipher and the keylength
|
||
|
* required.
|
||
|
*
|
||
|
* The callback must return an OpenSSL::PKey::EC instance of the correct
|
||
|
* key length.
|
||
|
*/
|
||
|
rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
|
||
|
/*
|
||
|
* A callback invoked when DH parameters are required.
|
||
|
*
|
||
|
* The callback is invoked with the Session for the key exchange, an
|
||
| test/openssl/test_pair.rb | ||
|---|---|---|
|
serv.close if serv && !serv.closed?
|
||
|
end
|
||
|
def test_ecdh_callback
|
||
|
called = false
|
||
|
ctx2 = OpenSSL::SSL::SSLContext.new
|
||
|
ctx2.ciphers = "ECDH"
|
||
|
ctx2.tmp_ecdh_callback = ->(*args) {
|
||
|
called = true
|
||
|
OpenSSL::PKey::EC.new "prime256v1"
|
||
|
}
|
||
|
sock1, sock2 = tcp_pair
|
||
|
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
|
||
|
ctx1 = OpenSSL::SSL::SSLContext.new
|
||
|
ctx1.ciphers = "ECDH"
|
||
|
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
|
||
|
th = Thread.new do
|
||
|
begin
|
||
|
rv = s1.connect_nonblock(exception: false)
|
||
|
case rv
|
||
|
when :wait_writable
|
||
|
IO.select(nil, [s1], nil, 5)
|
||
|
when :wait_readable
|
||
|
IO.select([s1], nil, nil, 5)
|
||
|
end
|
||
|
end until rv == s1
|
||
|
end
|
||
|
accepted = s2.accept
|
||
|
assert called, 'ecdh callback should be called'
|
||
|
ensure
|
||
|
s1.close if s1
|
||
|
s2.close if s2
|
||
|
sock1.close if sock1
|
||
|
sock2.close if sock2
|
||
|
accepted.close if accepted.respond_to?(:close)
|
||
|
end
|
||
|
def test_connect_accept_nonblock_no_exception
|
||
|
ctx2 = OpenSSL::SSL::SSLContext.new
|
||
|
ctx2.ciphers = "ADH"
|
||