aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
146 Commits
3 Branches
572KB
Tree: d4850e4a26
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd4850e4a26'
${ noResults }
cryptcheck/multiple_certs.patch

152 lines
5.6KB
Raw Blame History 

  1. diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb

  2. index bcb167e..5f688db 100644

  3. --- a/ext/openssl/lib/openssl/ssl.rb

  4. +++ b/ext/openssl/lib/openssl/ssl.rb

  5. @@ -70,7 +70,7 @@ class SSLContext

  6.          DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL

  7.        end

  8. 

  9. -      INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",

  10. +      INIT_VARS = ["client_ca", "ca_file", "ca_path",

  11.          "timeout", "verify_mode", "verify_depth", "renegotiation_cb",

  12.          "verify_callback", "cert_store", "extra_chain_cert",

  13.          "client_cert_cb", "session_id_context", "tmp_dh_callback",

  14. @@ -106,6 +106,8 @@ class SSLContext

  15.        #

  16.        # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS

  17.        def initialize(version = nil, fallback_scsv: false)

  18. +        @certs = []

  19. +         @keys = []

  20.          INIT_VARS.each { |v| instance_variable_set v, nil }

  21.          self.options = self.options | OpenSSL::SSL::OP_ALL

  22.          return unless version

  23. @@ -131,6 +132,22 @@ def set_params(params={})

  24.          end

  25.          return params

  26.        end

  27. +

  28. +      # Compatibility with previous version supporting a single certificate

  29. +      def cert=(cert)

  30. +        self.certs = [cert]

  31. +      end

  32. +      def cert

  33. +

  34. +        self.certs.first

  35. +      end

  36. +

  37. +      def key=(key)

  38. +        self.keys = [key]

  39. +      end

  40. +      def key

  41. +        self.keys.first

  42. +      end

  43.      end

  44. 

  45.      module SocketForwarder

  46. diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c

  47. index 9f7ee0b..9437793 100644

  48. --- a/ext/openssl/ossl_ssl.c

  49. +++ b/ext/openssl/ossl_ssl.c

  50. @@ -36,8 +36,8 @@ VALUE cSSLSocket;

  51.  static VALUE eSSLErrorWaitReadable;

  52.  static VALUE eSSLErrorWaitWritable;

  53. 

  54. -#define ossl_sslctx_set_cert(o,v)        	rb_iv_set((o),"@cert",(v))

  55. -#define ossl_sslctx_set_key(o,v)         	rb_iv_set((o),"@key",(v))

  56. +#define ossl_sslctx_set_certs(o,v)        	rb_iv_set((o),"@certs",(v))

  57. +#define ossl_sslctx_set_keys(o,v)         	rb_iv_set((o),"@keys",(v))

  58.  #define ossl_sslctx_set_client_ca(o,v)   	rb_iv_set((o),"@client_ca",(v))

  59.  #define ossl_sslctx_set_ca_file(o,v)     	rb_iv_set((o),"@ca_file",(v))

  60.  #define ossl_sslctx_set_ca_path(o,v)     	rb_iv_set((o),"@ca_path",(v))

  61. @@ -50,8 +50,8 @@ static VALUE eSSLErrorWaitWritable;

  62.  #define ossl_sslctx_set_client_cert_cb(o,v) 	rb_iv_set((o),"@client_cert_cb",(v))

  63.  #define ossl_sslctx_set_sess_id_ctx(o, v) 	rb_iv_set((o),"@session_id_context",(v))

  64. 

  65. -#define ossl_sslctx_get_cert(o)          	rb_iv_get((o),"@cert")

  66. -#define ossl_sslctx_get_key(o)           	rb_iv_get((o),"@key")

  67. +#define ossl_sslctx_get_certs(o)          	rb_iv_get((o),"@certs")

  68. +#define ossl_sslctx_get_keys(o)           	rb_iv_get((o),"@keys")

  69.  #define ossl_sslctx_get_client_ca(o)     	rb_iv_get((o),"@client_ca")

  70.  #define ossl_sslctx_get_ca_file(o)       	rb_iv_get((o),"@ca_file")

  71.  #define ossl_sslctx_get_ca_path(o)       	rb_iv_get((o),"@ca_path")

  72. @@ -713,7 +713,8 @@ ossl_sslctx_setup(VALUE self)

  73.      char *ca_path = NULL, *ca_file = NULL;

  74.      int verify_mode;

  75.      long i;

  76. -    VALUE val;

  77. +    VALUE val, val2;

  78. +    int cert_defined = 0, key_defined = 0;

  79. 

  80.      if(OBJ_FROZEN(self)) return Qnil;

  81.      GetSSLCTX(self, ctx);

  82. @@ -761,19 +762,39 @@ ossl_sslctx_setup(VALUE self)

  83.      }

  84. 

  85.      /* private key may be bundled in certificate file. */

  86. -    val = ossl_sslctx_get_cert(self);

  87. -    cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */

  88. -    val = ossl_sslctx_get_key(self);

  89. -    key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */

  90. -    if (cert && key) {

  91. -        if (!SSL_CTX_use_certificate(ctx, cert)) {

  92. -            /* Adds a ref => Safe to FREE */

  93. -            ossl_raise(eSSLError, "SSL_CTX_use_certificate");

  94. +    val = ossl_sslctx_get_certs(self);

  95. +    if (!NIL_P(val)) {

  96. +        Check_Type(val, T_ARRAY);

  97. +        for (i = 0; i < RARRAY_LEN(val); i++) {

  98. +            val2 = rb_ary_entry(val, i);

  99. +            cert = NIL_P(val2) ? NULL : GetX509CertPtr(val2); /* NO DUP NEEDED */

  100. +            if (cert) {

  101. +                cert_defined = 1;

  102. +                if (!SSL_CTX_use_certificate(ctx, cert)) {

  103. +                    /* Adds a ref => Safe to FREE */

  104. +                    ossl_raise(eSSLError, "SSL_CTX_use_certificate");

  105. +                }

  106. +            }

  107.          }

  108. -        if (!SSL_CTX_use_PrivateKey(ctx, key)) {

  109. -            /* Adds a ref => Safe to FREE */

  110. -            ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");

  111. +    }

  112. +

  113. +    val = ossl_sslctx_get_keys(self);

  114. +    if (!NIL_P(val)) {

  115. +        Check_Type(val, T_ARRAY);

  116. +        for (i = 0; i < RARRAY_LEN(val); i++) {

  117. +            val2 = rb_ary_entry(val, i);

  118. +            key = NIL_P(val2) ? NULL : GetPKeyPtr(val2); /* NO DUP NEEDED */

  119. +            if (cert) {

  120. +                key_defined = 1;

  121. +                if (!SSL_CTX_use_PrivateKey(ctx, key)) {

  122. +                    /* Adds a ref => Safe to FREE */

  123. +                    ossl_raise(eSSLError, "SSL_CTX_use_certificate");

  124. +                }

  125. +            }

  126.          }

  127. +    }

  128. +

  129. +    if (cert_defined && key_defined) {

  130.          if (!SSL_CTX_check_private_key(ctx)) {

  131.              ossl_raise(eSSLError, "SSL_CTX_check_private_key");

  132.          }

  133. @@ -2128,14 +2149,14 @@ Init_ossl_ssl(void)

  134.      rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);

  135. 

  136.      /*

  137. -     * Context certificate

  138. +     * Context certificates

  139.       */

  140. -    rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);

  141. +    rb_attr(cSSLContext, rb_intern("certs"), 1, 1, Qfalse);

  142. 

  143.      /*

  144. -     * Context private key

  145. +     * Context private keys

  146.       */

  147. -    rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);

  148. +    rb_attr(cSSLContext, rb_intern("keys"), 1, 1, Qfalse);

  149. 

  150.      /*

  151.       * A certificate or Array of certificates that will be sent to the client.