
multiple_certs.patch 5.6KB

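--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -70,7 +70,7 @@ class SSLContext
 DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
 end
- INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
+ INIT_VARS = ["client_ca", "ca_file", "ca_path",
 "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
 "verify_callback", "cert_store", "extra_chain_cert",
 "client_cert_cb", "session_id_context", "tmp_dh_callback",
@@ -106,6 +106,8 @@ class SSLContext
 #
 # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
 def initialize(version = nil, fallback_scsv: false)
+ @certs = []
+ @keys = []
 INIT_VARS.each { |v| instance_variable_set v, nil }
 self.options = self.options | OpenSSL::SSL::OP_ALL
 return unless version
@@ -131,6 +132,22 @@ def set_params(params={})
 end
 return params
 end
+
+ # Compatibility with previous version supporting a single certificate
+ def cert=(cert)
+ self.certs = [cert]
+ end
+ def cert
+
+ self.certs.first
+ end
+
+ def key=(key)
+ self.keys = [key]
+ end
+ def key
+ self.keys.first
+ end
 end
 module SocketForwarder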
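Review bot: `def cert` carries a stray empty line before `self.certs.first`, and the four compatibility accessors added after `set_params` share a single comment; a one-line note on each would make the contract explicit, e.g. `# Returns the first entry of #certs (nil when none is set); kept for callers of the single-certificate API.` with the matching sentence for `key`. It is also worth stating there that `cert=`/`key=` replace the whole #certs/#keys array, so `ctx.cert = c` after `ctx.certs = [a, b]` discards a and b, and that `ctx.cert = nil` now stores `[nil]` rather than nil, which only works because the C setup loop skips nil entries. The enclosing class SSLContext begins before the first hunk.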
  44. diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
  45. index 9f7ee0b..9437793 100644
  46. --- a/ext/openssl/ossl_ssl.c
  47. +++ b/ext/openssl/ossl_ssl.c
  48. @@ -36,8 +36,8 @@ VALUE cSSLSocket;
  49. static VALUE eSSLErrorWaitReadable;
  50. static VALUE eSSLErrorWaitWritable;
  51. -#define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
  52. -#define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
  53. +#define ossl_sslctx_set_certs(o,v) rb_iv_set((o),"@certs",(v))
  54. +#define ossl_sslctx_set_keys(o,v) rb_iv_set((o),"@keys",(v))
  55. #define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
  56. #define ossl_sslctx_set_ca_file(o,v) rb_iv_set((o),"@ca_file",(v))
  57. #define ossl_sslctx_set_ca_path(o,v) rb_iv_set((o),"@ca_path",(v))
  58. @@ -50,8 +50,8 @@ static VALUE eSSLErrorWaitWritable;
  59. #define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
  60. #define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_set((o),"@session_id_context",(v))
  61. -#define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
  62. -#define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
  63. +#define ossl_sslctx_get_certs(o) rb_iv_get((o),"@certs")
  64. +#define ossl_sslctx_get_keys(o) rb_iv_get((o),"@keys")
  65. #define ossl_sslctx_get_client_ca(o) rb_iv_get((o),"@client_ca")
  66. #define ossl_sslctx_get_ca_file(o) rb_iv_get((o),"@ca_file")
  67. #define ossl_sslctx_get_ca_path(o) rb_iv_get((o),"@ca_path")
  68. @@ -713,7 +713,8 @@ ossl_sslctx_setup(VALUE self)
  69. char *ca_path = NULL, *ca_file = NULL;
  70. int verify_mode;
  71. long i;
  72. - VALUE val;
  73. + VALUE val, val2;
  74. + int cert_defined = 0, key_defined = 0;
  75. if(OBJ_FROZEN(self)) return Qnil;
  76. GetSSLCTX(self, ctx);
  77. @@ -761,19 +762,39 @@ ossl_sslctx_setup(VALUE self)
  78. }
  79. /* private key may be bundled in certificate file. */
  80. - val = ossl_sslctx_get_cert(self);
  81. - cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
  82. - val = ossl_sslctx_get_key(self);
  83. - key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
  84. - if (cert && key) {
  85. - if (!SSL_CTX_use_certificate(ctx, cert)) {
  86. - /* Adds a ref => Safe to FREE */
  87. - ossl_raise(eSSLError, "SSL_CTX_use_certificate");
  88. + val = ossl_sslctx_get_certs(self);
  89. + if (!NIL_P(val)) {
  90. + Check_Type(val, T_ARRAY);
  91. + for (i = 0; i < RARRAY_LEN(val); i++) {
  92. + val2 = rb_ary_entry(val, i);
  93. + cert = NIL_P(val2) ? NULL : GetX509CertPtr(val2); /* NO DUP NEEDED */
  94. + if (cert) {
  95. + cert_defined = 1;
  96. + if (!SSL_CTX_use_certificate(ctx, cert)) {
  97. + /* Adds a ref => Safe to FREE */
  98. + ossl_raise(eSSLError, "SSL_CTX_use_certificate");
  99. + }
  100. + }
  101. }
  102. - if (!SSL_CTX_use_PrivateKey(ctx, key)) {
  103. - /* Adds a ref => Safe to FREE */
  104. - ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
  105. + }
  106. +
  107. + val = ossl_sslctx_get_keys(self);
  108. + if (!NIL_P(val)) {
  109. + Check_Type(val, T_ARRAY);
  110. + for (i = 0; i < RARRAY_LEN(val); i++) {
  111. + val2 = rb_ary_entry(val, i);
  112. + key = NIL_P(val2) ? NULL : GetPKeyPtr(val2); /* NO DUP NEEDED */
  113. + if (cert) {
  114. + key_defined = 1;
  115. + if (!SSL_CTX_use_PrivateKey(ctx, key)) {
  116. + /* Adds a ref => Safe to FREE */
  117. + ossl_raise(eSSLError, "SSL_CTX_use_certificate");
  118. + }
  119. + }
  120. }
  121. + }
  122. +
  123. + if (cert_defined && key_defined) {
  124. if (!SSL_CTX_check_private_key(ctx)) {
  125. ossl_raise(eSSLError, "SSL_CTX_check_private_key");
  126. }
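Review bot: The private-key loop tests the wrong variable: the `if (cert)` that follows `key = NIL_P(val2) ? NULL : GetPKeyPtr(val2);` should be `if (key)`, otherwise a nil entry in @keys reaches SSL_CTX_use_PrivateKey(ctx, NULL) whenever the last certificate loaded was non-nil, and a present key is silently skipped (key_defined stays 0) when no certificate was. The error string on that branch is also copied from the certificate branch and should read `ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");`, since a failed key load would otherwise be reported as a certificate failure. Beyond those two lines, all certificates are loaded before any key, so the final SSL_CTX_check_private_key appears to validate only whichever certificate/key pair OpenSSL currently holds as active, and a mismatch in an earlier pair would likely surface only at handshake time; loading each certificate together with its key and checking per pair would catch it at setup. ossl_sslctx_setup continues outside the hunk.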
  127. @@ -2128,14 +2149,14 @@ Init_ossl_ssl(void)
  128. rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);
  129. /*
  130. - * Context certificate
  131. + * Context certificates
  132. */
  133. - rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
  134. + rb_attr(cSSLContext, rb_intern("certs"), 1, 1, Qfalse);
  135. /*
  136. - * Context private key
  137. + * Context private keys
  138. */
  139. - rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
  140. + rb_attr(cSSLContext, rb_intern("keys"), 1, 1, Qfalse);
  141. /*
  142. * A certificate or Array of certificates that will be sent to the client.