From a7cd385a2defc98d3b0d12e3cfd7ff89a28c8f54 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 15 Jul 2015 13:51:55 -0700 Subject: [PATCH] add ecdh support --- ext/openssl/ossl_ssl.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++ test/openssl/test_pair.rb | 39 +++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 143189e..019f796 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -65,6 +65,7 @@ static VALUE eSSLErrorWaitWritable; #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store") #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert") #define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb") +#define ossl_sslctx_get_tmp_ecdh_cb(o) rb_iv_get((o),"@tmp_ecdh_callback") #define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback") #define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context") @@ -74,6 +75,7 @@ static const char *ossl_sslctx_attrs[] = { "verify_callback", "options", "cert_store", "extra_chain_cert", "client_cert_cb", "tmp_dh_callback", "session_id_context", "session_get_cb", "session_new_cb", "session_remove_cb", + "tmp_ecdh_callback", #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME "servername_cb", #endif @@ -89,6 +91,7 @@ static const char *ossl_sslctx_attrs[] = { #define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509") #define ossl_ssl_get_key(o) rb_iv_get((o),"@key") #define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh") +#define ossl_ssl_get_tmp_ecdh(o) rb_iv_get((o),"@tmp_ecdh") #define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v)) #define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v)) @@ -96,6 +99,7 @@ static const char *ossl_sslctx_attrs[] = { #define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v)) #define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v)) #define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v)) +#define ossl_ssl_set_tmp_ecdh(o,v) rb_iv_set((o),"@tmp_ecdh",(v)) static const char *ossl_ssl_attr_readers[] = { "io", "context", }; static const char *ossl_ssl_attrs[] = { @@ -152,6 +156,7 @@ int ossl_ssl_ex_store_p; int ossl_ssl_ex_ptr_idx; int ossl_ssl_ex_client_cert_cb_idx; int ossl_ssl_ex_tmp_dh_callback_idx; +int ossl_ssl_ex_tmp_ecdh_callback_idx; static void ossl_sslctx_free(void *ptr) @@ -337,6 +342,41 @@ ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength) } #endif /* OPENSSL_NO_DH */ +#if !defined(OPENSSL_NO_EC) +static VALUE +ossl_call_tmp_ecdh_callback(VALUE args) +{ + SSL *ssl; + VALUE cb, ecdh; + EVP_PKEY *pkey; + + GetSSL(rb_ary_entry(args, 0), ssl); + cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx); + if (NIL_P(cb)) return Qfalse; + ecdh = rb_apply(cb, rb_intern("call"), args); + pkey = GetPKeyPtr(ecdh); + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) return Qfalse; + ossl_ssl_set_tmp_ecdh(rb_ary_entry(args, 0), ecdh); + + return Qtrue; +} + +static EC_KEY* +ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength) +{ + VALUE args, success, rb_ssl; + + rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx); + + args = rb_ary_new_from_args(3, rb_ssl, INT2FIX(is_export), INT2FIX(keylength)); + + success = rb_protect(ossl_call_tmp_ecdh_callback, args, NULL); + if (!RTEST(success)) return NULL; + + return GetPKeyPtr(ossl_ssl_get_tmp_ecdh(rb_ssl))->pkey.ec; +} +#endif + static int ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { @@ -691,6 +731,13 @@ ossl_sslctx_setup(VALUE self) SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback); } #endif + +#if !defined(OPENSSL_NO_EC) + if (RTEST(ossl_sslctx_get_tmp_ecdh_cb(self))){ + SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback); + } +#endif + SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self); val = ossl_sslctx_get_cert_store(self); @@ -1234,6 +1281,8 @@ ossl_ssl_setup(VALUE self) SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb); cb = ossl_sslctx_get_tmp_dh_cb(v_ctx); SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb); + cb = ossl_sslctx_get_tmp_ecdh_cb(v_ctx); + SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_ecdh_callback_idx, (void*)cb); SSL_set_info_callback(ssl, ssl_info_cb); } @@ -1926,6 +1975,8 @@ Init_ossl_ssl(void) SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0); ossl_ssl_ex_tmp_dh_callback_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0); + ossl_ssl_ex_tmp_ecdh_callback_idx = + SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_ecdh_callback_idx",0,0,0); /* Document-module: OpenSSL::SSL * @@ -2049,6 +2100,18 @@ Init_ossl_ssl(void) rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse); /* + * A callback invoked when ECDH parameters are required. + * + * The callback is invoked with the Session for the key exchange, an + * flag indicating the use of an export cipher and the keylength + * required. + * + * The callback must return an OpenSSL::PKey::EC instance of the correct + * key length. + */ + rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse); + + /* * A callback invoked when DH parameters are required. * * The callback is invoked with the Session for the key exchange, an diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb index cfcfa7a..6357cdc 100644 --- a/test/openssl/test_pair.rb +++ b/test/openssl/test_pair.rb @@ -283,6 +283,45 @@ module OpenSSL::TestPairM serv.close if serv && !serv.closed? end + def test_ecdh_callback + called = false + ctx2 = OpenSSL::SSL::SSLContext.new + ctx2.ciphers = "ECDH" + ctx2.tmp_ecdh_callback = ->(*args) { + called = true + OpenSSL::PKey::EC.new "prime256v1" + } + + sock1, sock2 = tcp_pair + + s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) + ctx1 = OpenSSL::SSL::SSLContext.new + ctx1.ciphers = "ECDH" + + s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) + th = Thread.new do + begin + rv = s1.connect_nonblock(exception: false) + case rv + when :wait_writable + IO.select(nil, [s1], nil, 5) + when :wait_readable + IO.select([s1], nil, nil, 5) + end + end until rv == s1 + end + + accepted = s2.accept + + assert called, 'ecdh callback should be called' + ensure + s1.close if s1 + s2.close if s2 + sock1.close if sock1 + sock2.close if sock2 + accepted.close if accepted.respond_to?(:close) + end + def test_connect_accept_nonblock_no_exception ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ciphers = "ADH" -- 2.2.1