
tmp_key.patch 3.4KB

  1. diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
  2. index 0b7fa2a..76487f7 100644
  3. --- a/ext/openssl/extconf.rb
  4. +++ b/ext/openssl/extconf.rb
  5. @@ -114,6 +114,7 @@
  6. unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
  7. have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
  8. end
  9. +have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY")
  10. if have_header("openssl/engine.h")
  11. have_func("ENGINE_add")
  12. have_func("ENGINE_load_builtin_engines")
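Review bot: The added probe uses only `have_macro`, whereas the `SSL_set_tlsext_host_name` check just above tries `have_func` first and falls back to the macro test. If a libssl build provides `SSL_get_server_tmp_key` as a real function rather than a macro, `HAVE_SSL_GET_SERVER_TMP_KEY` stays undefined and `SSLSocket#tmp_key` silently disappears from that build. Mirroring the form above would cover both cases: wrap the existing line as `unless have_func("SSL_get_server_tmp_key", ['openssl/ssl.h'])` … `end`.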
  13. diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
  14. index 7a0eb4e..dc35d5a 100644
  15. --- a/ext/openssl/ossl_ssl.c
  16. +++ b/ext/openssl/ossl_ssl.c
  17. @@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self)
  18. return rb_str_new((const char *) out, outlen);
  19. }
  20. # endif
  21. +
  22. +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
  23. +/*
  24. + * call-seq:
  25. + * ssl.tmp_key => PKey or nil
  26. + *
  27. + * Returns the ephemeral key used in case of forward secrecy cipher
  28. + */
  29. +static VALUE
  30. +ossl_ssl_tmp_key(VALUE self)
  31. +{
  32. + SSL *ssl;
  33. + EVP_PKEY *key;
  34. + ossl_ssl_data_get_struct(self, ssl);
  35. + if (!SSL_get_server_tmp_key(ssl, &key))
  36. + return Qnil;
  37. + return ossl_pkey_new(key);
  38. +}
  39. +# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
  40. #endif /* !defined(OPENSSL_NO_SOCK) */
  41. void
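Review bot: The doc comment on `ossl_ssl_tmp_key` does not say whose key is returned or when the result is nil. `SSL_get_server_tmp_key` reports the server's ephemeral (EC)DH key as seen by a client, so I would word it as `Returns the server's ephemeral public key for this connection (client side only), or nil if the negotiated cipher suite does not use ephemeral key exchange.` That wording also tells callers they can use the result to audit the DH group size or curve the server offered. Separately, the `EVP_PKEY` handed back is owned by the caller. `ossl_pkey_new` is not visible in this hunk, but if it can raise (for example on a key type it does not wrap), `key` is leaked, so the call should be protected and `EVP_PKEY_free(key)` run on the failure path.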
  42. @@ -2305,6 +2324,9 @@ Init_ossl_ssl(void)
  43. rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1);
  44. rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0);
  45. rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
  46. +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
  47. + rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
  48. +# endif
  49. # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
  50. rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
  51. # endif
  52. diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
  53. index 2247847..7958f17 100644
  54. --- a/test/openssl/test_ssl.rb
  55. +++ b/test/openssl/test_ssl.rb
  56. @@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting
  57. sock2.close if sock2
  58. end
  59. + def test_get_ephemeral_key
  60. + return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
  61. + ciphers = {
  62. + 'ECDHE-RSA-AES128-SHA' => OpenSSL::PKey::EC,
  63. + 'DHE-RSA-AES128-SHA' => OpenSSL::PKey::DH,
  64. + 'AES128-SHA' => nil
  65. + }
  66. + conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
  67. + start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc){|server, port|
  68. + ciphers.each do |cipher, ephemeral|
  69. + ctx = OpenSSL::SSL::SSLContext.new
  70. + ctx.ciphers = cipher
  71. + server_connect(port, ctx) { |ssl|
  72. + if ephemeral
  73. + assert_equal(ephemeral, ssl.tmp_key.class)
  74. + else
  75. + assert_nil(ssl.tmp_key)
  76. + end
  77. + }
  78. + end
  79. + }
  80. + end
  81. +
  82. private
  83. def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
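Review bot: The `return unless ...method_defined?(:tmp_key)` guard at the top of `test_get_ephemeral_key` makes the test report success on builds where the feature was not compiled in, so a missing `tmp_key` goes unnoticed. Using `skip "SSLSocket#tmp_key is not available" unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)` (or the suite's equivalent) records it as skipped instead. The assertions also check only the class of the returned key. Since the server's DH and ECDH parameters are fixed by `start_server`, also asserting the DH size or EC curve would confirm that the key reflects what was negotiated, which is what a caller auditing key-exchange strength relies on.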
  84. diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
  85. index 0802c1b..c081e4f 100644
  86. --- a/test/openssl/utils.rb
  87. +++ b/test/openssl/utils.rb
  88. @@ -284,6 +284,7 @@ def start_server(verify_mode, start_immediately, args = {}, &block)
  89. ctx.cert = @svr_cert
  90. ctx.key = @svr_key
  91. ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
  92. + ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
  93. ctx.verify_mode = verify_mode
  94. ctx_proc.call(ctx) if ctx_proc