Ruby  2.1.10p492(2016-04-01revision54464)
ossl_ssl.c
Go to the documentation of this file.
1 /*
2  * $Id: ossl_ssl.c 54397 2016-03-29 12:17:03Z usa $
3  * 'OpenSSL for Ruby' project
4  * Copyright (C) 2000-2002 GOTOU Yuuzou <gotoyuzo@notwork.org>
5  * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
6  * Copyright (C) 2001-2007 Technorama Ltd. <oss-ruby@technorama.net>
7  * All rights reserved.
8  */
9 /*
10  * This program is licenced under the same licence as Ruby.
11  * (See the file 'LICENCE'.)
12  */
13 #include "ossl.h"
14 
15 #if defined(HAVE_UNISTD_H)
16 # include <unistd.h> /* for read(), and write() */
17 #endif
18 
19 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
20 
21 #ifdef _WIN32
22 # define TO_SOCKET(s) _get_osfhandle(s)
23 #else
24 # define TO_SOCKET(s) (s)
25 #endif
26 
31 
34 
35 #define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
36 #define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
37 #define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
38 #define ossl_sslctx_set_ca_file(o,v) rb_iv_set((o),"@ca_file",(v))
39 #define ossl_sslctx_set_ca_path(o,v) rb_iv_set((o),"@ca_path",(v))
40 #define ossl_sslctx_set_timeout(o,v) rb_iv_set((o),"@timeout",(v))
41 #define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v))
42 #define ossl_sslctx_set_verify_dep(o,v) rb_iv_set((o),"@verify_depth",(v))
43 #define ossl_sslctx_set_verify_cb(o,v) rb_iv_set((o),"@verify_callback",(v))
44 #define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v))
45 #define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
46 #define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
47 #define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
48 #define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v))
49 #define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_set((o),"@session_id_context",(v))
50 
51 #define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
52 #define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
53 #define ossl_sslctx_get_client_ca(o) rb_iv_get((o),"@client_ca")
54 #define ossl_sslctx_get_ca_file(o) rb_iv_get((o),"@ca_file")
55 #define ossl_sslctx_get_ca_path(o) rb_iv_get((o),"@ca_path")
56 #define ossl_sslctx_get_timeout(o) rb_iv_get((o),"@timeout")
57 #define ossl_sslctx_get_verify_mode(o) rb_iv_get((o),"@verify_mode")
58 #define ossl_sslctx_get_verify_dep(o) rb_iv_get((o),"@verify_depth")
59 #define ossl_sslctx_get_verify_cb(o) rb_iv_get((o),"@verify_callback")
60 #define ossl_sslctx_get_options(o) rb_iv_get((o),"@options")
61 #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
62 #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
63 #define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
64 #define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
65 #define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
66 
67 static const char *ossl_sslctx_attrs[] = {
68  "cert", "key", "client_ca", "ca_file", "ca_path",
69  "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
70  "verify_callback", "options", "cert_store", "extra_chain_cert",
71  "client_cert_cb", "tmp_dh_callback", "session_id_context",
72  "session_get_cb", "session_new_cb", "session_remove_cb",
73 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
74  "servername_cb",
75 #endif
76 #ifdef HAVE_OPENSSL_NPN_NEGOTIATED
77  "npn_protocols",
78  "npn_select_cb",
79 #endif
80 };
81 
82 #define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
83 #define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
84 #define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
85 #define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
86 #define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
87 #define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
88 
89 #define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
90 #define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
91 #define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
92 #define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
93 #define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
94 #define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
95 
96 static const char *ossl_ssl_attr_readers[] = { "io", "context", };
97 static const char *ossl_ssl_attrs[] = {
98 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
99  "hostname",
100 #endif
101  "sync_close",
102 };
103 
105 
107 
108 /*
109  * SSLContext class
110  */
111 struct {
112  const char *name;
113  SSL_METHOD *(*func)(void);
114 } ossl_ssl_method_tab[] = {
115 #define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
116  OSSL_SSL_METHOD_ENTRY(TLSv1),
117  OSSL_SSL_METHOD_ENTRY(TLSv1_server),
118  OSSL_SSL_METHOD_ENTRY(TLSv1_client),
119 #if defined(HAVE_TLSV1_2_METHOD) && defined(HAVE_TLSV1_2_SERVER_METHOD) && \
120  defined(HAVE_TLSV1_2_CLIENT_METHOD)
121  OSSL_SSL_METHOD_ENTRY(TLSv1_2),
122  OSSL_SSL_METHOD_ENTRY(TLSv1_2_server),
123  OSSL_SSL_METHOD_ENTRY(TLSv1_2_client),
124 #endif
125 #if defined(HAVE_TLSV1_1_METHOD) && defined(HAVE_TLSV1_1_SERVER_METHOD) && \
126  defined(HAVE_TLSV1_1_CLIENT_METHOD)
127  OSSL_SSL_METHOD_ENTRY(TLSv1_1),
128  OSSL_SSL_METHOD_ENTRY(TLSv1_1_server),
129  OSSL_SSL_METHOD_ENTRY(TLSv1_1_client),
130 #endif
131 #if defined(HAVE_SSLV2_METHOD) && defined(HAVE_SSLV2_SERVER_METHOD) && \
132  defined(HAVE_SSLV2_CLIENT_METHOD)
133  OSSL_SSL_METHOD_ENTRY(SSLv2),
134  OSSL_SSL_METHOD_ENTRY(SSLv2_server),
135  OSSL_SSL_METHOD_ENTRY(SSLv2_client),
136 #endif
137 #if defined(HAVE_SSLV3_METHOD) && defined(HAVE_SSLV3_SERVER_METHOD) && \
138  defined(HAVE_SSLV3_CLIENT_METHOD)
139  OSSL_SSL_METHOD_ENTRY(SSLv3),
140  OSSL_SSL_METHOD_ENTRY(SSLv3_server),
141  OSSL_SSL_METHOD_ENTRY(SSLv3_client),
142 #endif
143  OSSL_SSL_METHOD_ENTRY(SSLv23),
144  OSSL_SSL_METHOD_ENTRY(SSLv23_server),
145  OSSL_SSL_METHOD_ENTRY(SSLv23_client),
146 #undef OSSL_SSL_METHOD_ENTRY
147 };
148 
154 
155 static void
157 {
158  if(ctx && SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_store_p)== (void*)1)
159  ctx->cert_store = NULL;
160  SSL_CTX_free(ctx);
161 }
162 
163 static VALUE
165 {
166  SSL_CTX *ctx;
167  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
168 
169 #ifdef SSL_MODE_RELEASE_BUFFERS
170  mode |= SSL_MODE_RELEASE_BUFFERS;
171 #endif
172 
173  ctx = SSL_CTX_new(SSLv23_method());
174  if (!ctx) {
175  ossl_raise(eSSLError, "SSL_CTX_new");
176  }
177  SSL_CTX_set_mode(ctx, mode);
178  return Data_Wrap_Struct(klass, 0, ossl_sslctx_free, ctx);
179 }
180 
181 /*
182  * call-seq:
183  * ctx.ssl_version = :TLSv1
184  * ctx.ssl_version = "SSLv23_client"
185  *
186  * You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
187  */
188 static VALUE
190 {
191  SSL_METHOD *method = NULL;
192  const char *s;
193  int i;
194 
195  SSL_CTX *ctx;
196  if(TYPE(ssl_method) == T_SYMBOL)
197  s = rb_id2name(SYM2ID(ssl_method));
198  else
199  s = StringValuePtr(ssl_method);
200  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
201  if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
202  method = ossl_ssl_method_tab[i].func();
203  break;
204  }
205  }
206  if (!method) {
207  ossl_raise(rb_eArgError, "unknown SSL method `%s'.", s);
208  }
209  Data_Get_Struct(self, SSL_CTX, ctx);
210  if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
211  ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
212  }
213 
214  return ssl_method;
215 }
216 
217 /*
218  * call-seq:
219  * SSLContext.new => ctx
220  * SSLContext.new(:TLSv1) => ctx
221  * SSLContext.new("SSLv23_client") => ctx
222  *
223  * You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
224  */
225 static VALUE
227 {
228  VALUE ssl_method;
229  int i;
230 
231  for(i = 0; i < numberof(ossl_sslctx_attrs); i++){
232  char buf[32];
233  snprintf(buf, sizeof(buf), "@%s", ossl_sslctx_attrs[i]);
234  rb_iv_set(self, buf, Qnil);
235  }
236  if (rb_scan_args(argc, argv, "01", &ssl_method) == 0){
237  return self;
238  }
239  ossl_sslctx_set_ssl_version(self, ssl_method);
240 
241  return self;
242 }
243 
244 static VALUE
246 {
247  VALUE cb, ary, cert, key;
248  SSL *ssl;
249 
250  Data_Get_Struct(obj, SSL, ssl);
251  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx);
252  if (NIL_P(cb)) return Qfalse;
253  ary = rb_funcall(cb, rb_intern("call"), 1, obj);
254  Check_Type(ary, T_ARRAY);
255  GetX509CertPtr(cert = rb_ary_entry(ary, 0));
256  GetPKeyPtr(key = rb_ary_entry(ary, 1));
257  ossl_ssl_set_x509(obj, cert);
258  ossl_ssl_set_key(obj, key);
259 
260  return Qtrue;
261 }
262 
263 static int
264 ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
265 {
266  VALUE obj, success;
267 
268  obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
270  obj, NULL);
271  if (!RTEST(success)) return 0;
272  *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
273  *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
274 
275  return 1;
276 }
277 
278 #if !defined(OPENSSL_NO_DH)
279 static VALUE
281 {
282  SSL *ssl;
283  VALUE cb, dh;
284  EVP_PKEY *pkey;
285 
286  Data_Get_Struct(args[0], SSL, ssl);
287  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx);
288  if (NIL_P(cb)) return Qfalse;
289  dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
290  pkey = GetPKeyPtr(dh);
291  if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
292  ossl_ssl_set_tmp_dh(args[0], dh);
293 
294  return Qtrue;
295 }
296 
297 static DH*
298 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
299 {
300  VALUE args[3], success;
301 
302  args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
303  args[1] = INT2FIX(is_export);
304  args[2] = INT2FIX(keylength);
306  (VALUE)args, NULL);
307  if (!RTEST(success)) return NULL;
308 
309  return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
310 }
311 
312 static DH*
313 ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
314 {
315  rb_warning("using default DH parameters.");
316 
317  switch(keylength){
318  case 512:
319  return OSSL_DEFAULT_DH_512;
320  case 1024:
321  return OSSL_DEFAULT_DH_1024;
322  }
323  return NULL;
324 }
325 #endif /* OPENSSL_NO_DH */
326 
327 static int
328 ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
329 {
330  VALUE cb;
331  SSL *ssl;
332 
333  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
334  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
335  X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, (void*)cb);
336  return ossl_verify_cb(preverify_ok, ctx);
337 }
338 
339 static VALUE
341 {
342  VALUE ssl_obj, sslctx_obj, cb;
343 
344  Check_Type(ary, T_ARRAY);
345  ssl_obj = rb_ary_entry(ary, 0);
346 
347  sslctx_obj = rb_iv_get(ssl_obj, "@context");
348  if (NIL_P(sslctx_obj)) return Qnil;
349  cb = rb_iv_get(sslctx_obj, "@session_get_cb");
350  if (NIL_P(cb)) return Qnil;
351 
352  return rb_funcall(cb, rb_intern("call"), 1, ary);
353 }
354 
355 /* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
356 static SSL_SESSION *
357 ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
358 {
359  VALUE ary, ssl_obj, ret_obj;
360  SSL_SESSION *sess;
361  void *ptr;
362  int state = 0;
363 
364  OSSL_Debug("SSL SESSION get callback entered");
365  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
366  return NULL;
367  ssl_obj = (VALUE)ptr;
368  ary = rb_ary_new2(2);
369  rb_ary_push(ary, ssl_obj);
370  rb_ary_push(ary, rb_str_new((const char *)buf, len));
371 
372  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state);
373  if (state) {
374  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
375  return NULL;
376  }
377  if (!rb_obj_is_instance_of(ret_obj, cSSLSession))
378  return NULL;
379 
380  SafeGetSSLSession(ret_obj, sess);
381  *copy = 1;
382 
383  return sess;
384 }
385 
386 static VALUE
388 {
389  VALUE ssl_obj, sslctx_obj, cb;
390 
391  Check_Type(ary, T_ARRAY);
392  ssl_obj = rb_ary_entry(ary, 0);
393 
394  sslctx_obj = rb_iv_get(ssl_obj, "@context");
395  if (NIL_P(sslctx_obj)) return Qnil;
396  cb = rb_iv_get(sslctx_obj, "@session_new_cb");
397  if (NIL_P(cb)) return Qnil;
398 
399  return rb_funcall(cb, rb_intern("call"), 1, ary);
400 }
401 
402 /* return 1 normal. return 0 removes the session */
403 static int
404 ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
405 {
406  VALUE ary, ssl_obj, sess_obj;
407  void *ptr;
408  int state = 0;
409 
410  OSSL_Debug("SSL SESSION new callback entered");
411 
412  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
413  return 1;
414  ssl_obj = (VALUE)ptr;
415  sess_obj = rb_obj_alloc(cSSLSession);
416  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
417  DATA_PTR(sess_obj) = sess;
418 
419  ary = rb_ary_new2(2);
420  rb_ary_push(ary, ssl_obj);
421  rb_ary_push(ary, sess_obj);
422 
423  rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
424  if (state) {
425  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
426  }
427 
428  /*
429  * return 0 which means to OpenSSL that the session is still
430  * valid (since we created Ruby Session object) and was not freed by us
431  * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
432  * session_get_cb block if you don't want OpenSSL to cache the session
433  * internally.
434  */
435  return 0;
436 }
437 
438 static VALUE
440 {
441  VALUE sslctx_obj, cb;
442 
443  Check_Type(ary, T_ARRAY);
444  sslctx_obj = rb_ary_entry(ary, 0);
445 
446  cb = rb_iv_get(sslctx_obj, "@session_remove_cb");
447  if (NIL_P(cb)) return Qnil;
448 
449  return rb_funcall(cb, rb_intern("call"), 1, ary);
450 }
451 
452 static void
453 ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
454 {
455  VALUE ary, sslctx_obj, sess_obj;
456  void *ptr;
457  int state = 0;
458 
459  OSSL_Debug("SSL SESSION remove callback entered");
460 
461  if ((ptr = SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_ptr_idx)) == NULL)
462  return;
463  sslctx_obj = (VALUE)ptr;
464  sess_obj = rb_obj_alloc(cSSLSession);
465  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
466  DATA_PTR(sess_obj) = sess;
467 
468  ary = rb_ary_new2(2);
469  rb_ary_push(ary, sslctx_obj);
470  rb_ary_push(ary, sess_obj);
471 
472  rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
473  if (state) {
474 /*
475  the SSL_CTX is frozen, nowhere to save state.
476  there is no common accessor method to check it either.
477  rb_ivar_set(sslctx_obj, ID_callback_state, INT2NUM(state));
478 */
479  }
480 }
481 
482 static VALUE
483 ossl_sslctx_add_extra_chain_cert_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, arg))
484 {
485  X509 *x509;
486  SSL_CTX *ctx;
487 
488  Data_Get_Struct(arg, SSL_CTX, ctx);
489  x509 = DupX509CertPtr(i);
490  if(!SSL_CTX_add_extra_chain_cert(ctx, x509)){
492  }
493 
494  return i;
495 }
496 
497 static VALUE ossl_sslctx_setup(VALUE self);
498 
499 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
500 static VALUE
501 ossl_call_servername_cb(VALUE ary)
502 {
503  VALUE ssl_obj, sslctx_obj, cb, ret_obj;
504 
505  Check_Type(ary, T_ARRAY);
506  ssl_obj = rb_ary_entry(ary, 0);
507 
508  sslctx_obj = rb_iv_get(ssl_obj, "@context");
509  if (NIL_P(sslctx_obj)) return Qnil;
510  cb = rb_iv_get(sslctx_obj, "@servername_cb");
511  if (NIL_P(cb)) return Qnil;
512 
513  ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
514  if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
515  SSL *ssl;
516  SSL_CTX *ctx2;
517 
518  ossl_sslctx_setup(ret_obj);
519  Data_Get_Struct(ssl_obj, SSL, ssl);
520  Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
521  SSL_set_SSL_CTX(ssl, ctx2);
522  } else if (!NIL_P(ret_obj)) {
523  ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
524  }
525 
526  return ret_obj;
527 }
528 
529 static int
530 ssl_servername_cb(SSL *ssl, int *ad, void *arg)
531 {
532  VALUE ary, ssl_obj;
533  void *ptr;
534  int state = 0;
535  const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
536 
537  if (!servername)
538  return SSL_TLSEXT_ERR_OK;
539 
540  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
541  return SSL_TLSEXT_ERR_ALERT_FATAL;
542  ssl_obj = (VALUE)ptr;
543  ary = rb_ary_new2(2);
544  rb_ary_push(ary, ssl_obj);
545  rb_ary_push(ary, rb_str_new2(servername));
546 
547  rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
548  if (state) {
549  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
550  return SSL_TLSEXT_ERR_ALERT_FATAL;
551  }
552 
553  return SSL_TLSEXT_ERR_OK;
554 }
555 #endif
556 
557 static void
558 ssl_renegotiation_cb(const SSL *ssl)
559 {
560  VALUE ssl_obj, sslctx_obj, cb;
561  void *ptr;
562 
563  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
564  ossl_raise(eSSLError, "SSL object could not be retrieved");
565  ssl_obj = (VALUE)ptr;
566 
567  sslctx_obj = rb_iv_get(ssl_obj, "@context");
568  if (NIL_P(sslctx_obj)) return;
569  cb = rb_iv_get(sslctx_obj, "@renegotiation_cb");
570  if (NIL_P(cb)) return;
571 
572  (void) rb_funcall(cb, rb_intern("call"), 1, ssl_obj);
573 }
574 
575 #if defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) || defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
576 static VALUE
577 ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
578 {
579  int len = RSTRING_LENINT(cur);
580  char len_byte;
581  if (len < 1 || len > 255)
582  ossl_raise(eSSLError, "Advertised protocol must have length 1..255");
583  /* Encode the length byte */
584  len_byte = len;
585  rb_str_buf_cat(encoded, &len_byte, 1);
586  rb_str_buf_cat(encoded, RSTRING_PTR(cur), len);
587  return Qnil;
588 }
589 
590 static void
591 ssl_npn_encode_protocols(VALUE sslctx, VALUE protocols)
592 {
593  VALUE encoded = rb_str_new2("");
594  rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
595  StringValueCStr(encoded);
596  rb_iv_set(sslctx, "@_protocols", encoded);
597 }
598 
599 static int
600 ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen)
601 {
602  VALUE selected;
603  long len;
604  unsigned char l;
605  VALUE protocols = rb_ary_new();
606 
607  /* The format is len_1|proto_1|...|len_n|proto_n\0 */
608  while (l = *in++) {
609  VALUE protocol;
610  if (l > inlen) {
611  ossl_raise(eSSLError, "Invalid protocol name list");
612  }
613  protocol = rb_str_new((const char *)in, l);
614  rb_ary_push(protocols, protocol);
615  in += l;
616  inlen -= l;
617  }
618 
619  selected = rb_funcall(cb, rb_intern("call"), 1, protocols);
620  StringValue(selected);
621  len = RSTRING_LEN(selected);
622  if (len < 1 || len >= 256) {
623  ossl_raise(eSSLError, "Selected protocol name must have length 1..255");
624  }
625  *out = (unsigned char *)RSTRING_PTR(selected);
626  *outlen = (unsigned char)len;
627 
628  return SSL_TLSEXT_ERR_OK;
629 }
630 
631 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
632 static int
633 ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
634 {
635  VALUE sslctx_obj = (VALUE) arg;
636  VALUE protocols = rb_iv_get(sslctx_obj, "@_protocols");
637 
638  *out = (const unsigned char *) RSTRING_PTR(protocols);
639  *outlen = RSTRING_LENINT(protocols);
640 
641  return SSL_TLSEXT_ERR_OK;
642 }
643 
644 static int
645 ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
646 {
647  VALUE sslctx_obj, cb;
648 
649  sslctx_obj = (VALUE) arg;
650  cb = rb_iv_get(sslctx_obj, "@npn_select_cb");
651 
652  return ssl_npn_select_cb_common(cb, (const unsigned char **)out, outlen, in, inlen);
653 }
654 #endif
655 #endif /* HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB || HAVE_SSL_CTX_SET_ALPN_SELECT_CB */
656 
657 /* This function may serve as the entry point to support further
658  * callbacks. */
659 static void
660 ssl_info_cb(const SSL *ssl, int where, int val)
661 {
662  int state = SSL_state(ssl);
663 
664  if ((where & SSL_CB_HANDSHAKE_START) &&
665  (state & SSL_ST_ACCEPT)) {
667  }
668 }
669 
670 /*
671  * call-seq:
672  * ctx.setup => Qtrue # first time
673  * ctx.setup => nil # thereafter
674  *
675  * This method is called automatically when a new SSLSocket is created.
676  * However, it is not thread-safe and must be called before creating
677  * SSLSocket objects in a multi-threaded program.
678  */
679 static VALUE
681 {
682  SSL_CTX *ctx;
683  X509 *cert = NULL, *client_ca = NULL;
684  X509_STORE *store;
685  EVP_PKEY *key = NULL;
686  char *ca_path = NULL, *ca_file = NULL;
687  int i, verify_mode;
688  VALUE val;
689 
690  if(OBJ_FROZEN(self)) return Qnil;
691  Data_Get_Struct(self, SSL_CTX, ctx);
692 
693 #if !defined(OPENSSL_NO_DH)
694  if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
695  SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
696  }
697  else{
698  SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
699  }
700 #endif
701  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self);
702 
703  val = ossl_sslctx_get_cert_store(self);
704  if(!NIL_P(val)){
705  /*
706  * WORKAROUND:
707  * X509_STORE can count references, but
708  * X509_STORE_free() doesn't care it.
709  * So we won't increment it but mark it by ex_data.
710  */
711  store = GetX509StorePtr(val); /* NO NEED TO DUP */
712  SSL_CTX_set_cert_store(ctx, store);
713  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
714  }
715 
716  val = ossl_sslctx_get_extra_cert(self);
717  if(!NIL_P(val)){
718  rb_block_call(val, rb_intern("each"), 0, 0, ossl_sslctx_add_extra_chain_cert_i, self);
719  }
720 
721  /* private key may be bundled in certificate file. */
722  val = ossl_sslctx_get_cert(self);
723  cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
724  val = ossl_sslctx_get_key(self);
725  key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
726  if (cert && key) {
727  if (!SSL_CTX_use_certificate(ctx, cert)) {
728  /* Adds a ref => Safe to FREE */
729  ossl_raise(eSSLError, "SSL_CTX_use_certificate");
730  }
731  if (!SSL_CTX_use_PrivateKey(ctx, key)) {
732  /* Adds a ref => Safe to FREE */
733  ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
734  }
735  if (!SSL_CTX_check_private_key(ctx)) {
736  ossl_raise(eSSLError, "SSL_CTX_check_private_key");
737  }
738  }
739 
740  val = ossl_sslctx_get_client_ca(self);
741  if(!NIL_P(val)){
742  if(TYPE(val) == T_ARRAY){
743  for(i = 0; i < RARRAY_LEN(val); i++){
744  client_ca = GetX509CertPtr(RARRAY_PTR(val)[i]);
745  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
746  /* Copies X509_NAME => FREE it. */
747  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
748  }
749  }
750  }
751  else{
752  client_ca = GetX509CertPtr(val); /* NO DUP NEEDED. */
753  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
754  /* Copies X509_NAME => FREE it. */
755  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
756  }
757  }
758  }
759 
760  val = ossl_sslctx_get_ca_file(self);
761  ca_file = NIL_P(val) ? NULL : StringValuePtr(val);
762  val = ossl_sslctx_get_ca_path(self);
763  ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
764  if(ca_file || ca_path){
765  if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
766  rb_warning("can't set verify locations");
767  }
768 
769  val = ossl_sslctx_get_verify_mode(self);
770  verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
771  SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
773  SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
774 
775  val = ossl_sslctx_get_timeout(self);
776  if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
777 
778  val = ossl_sslctx_get_verify_dep(self);
779  if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
780 
781  val = ossl_sslctx_get_options(self);
782  if(!NIL_P(val)) {
783  SSL_CTX_set_options(ctx, NUM2LONG(val));
784  } else {
785  SSL_CTX_set_options(ctx, SSL_OP_ALL);
786  }
787 
788 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
789  val = rb_iv_get(self, "@npn_protocols");
790  if (!NIL_P(val)) {
791  ssl_npn_encode_protocols(self, val);
792  SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *) self);
793  OSSL_Debug("SSL NPN advertise callback added");
794  }
795  if (RTEST(rb_iv_get(self, "@npn_select_cb"))) {
796  SSL_CTX_set_next_proto_select_cb(ctx, ssl_npn_select_cb, (void *) self);
797  OSSL_Debug("SSL NPN select callback added");
798  }
799 #endif
800 
801  rb_obj_freeze(self);
802 
803  val = ossl_sslctx_get_sess_id_ctx(self);
804  if (!NIL_P(val)){
805  StringValue(val);
806  if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
807  RSTRING_LENINT(val))){
808  ossl_raise(eSSLError, "SSL_CTX_set_session_id_context");
809  }
810  }
811 
812  if (RTEST(rb_iv_get(self, "@session_get_cb"))) {
813  SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
814  OSSL_Debug("SSL SESSION get callback added");
815  }
816  if (RTEST(rb_iv_get(self, "@session_new_cb"))) {
817  SSL_CTX_sess_set_new_cb(ctx, ossl_sslctx_session_new_cb);
818  OSSL_Debug("SSL SESSION new callback added");
819  }
820  if (RTEST(rb_iv_get(self, "@session_remove_cb"))) {
821  SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
822  OSSL_Debug("SSL SESSION remove callback added");
823  }
824 
825 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
826  val = rb_iv_get(self, "@servername_cb");
827  if (!NIL_P(val)) {
828  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
829  OSSL_Debug("SSL TLSEXT servername callback added");
830  }
831 #endif
832 
833  return Qtrue;
834 }
835 
836 static VALUE
837 ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
838 {
839  VALUE ary;
840  int bits, alg_bits;
841 
842  ary = rb_ary_new2(4);
843  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
844  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
845  bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
846  rb_ary_push(ary, INT2FIX(bits));
847  rb_ary_push(ary, INT2FIX(alg_bits));
848 
849  return ary;
850 }
851 
852 /*
853  * call-seq:
854  * ctx.ciphers => [[name, version, bits, alg_bits], ...]
855  *
856  * The list of ciphers configured for this context.
857  */
858 static VALUE
860 {
861  SSL_CTX *ctx;
862  STACK_OF(SSL_CIPHER) *ciphers;
863  SSL_CIPHER *cipher;
864  VALUE ary;
865  int i, num;
866 
867  Data_Get_Struct(self, SSL_CTX, ctx);
868  if(!ctx){
869  rb_warning("SSL_CTX is not initialized.");
870  return Qnil;
871  }
872  ciphers = ctx->cipher_list;
873 
874  if (!ciphers)
875  return rb_ary_new();
876 
877  num = sk_SSL_CIPHER_num(ciphers);
878  ary = rb_ary_new2(num);
879  for(i = 0; i < num; i++){
880  cipher = sk_SSL_CIPHER_value(ciphers, i);
881  rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
882  }
883  return ary;
884 }
885 
886 /*
887  * call-seq:
888  * ctx.ciphers = "cipher1:cipher2:..."
889  * ctx.ciphers = [name, ...]
890  * ctx.ciphers = [[name, version, bits, alg_bits], ...]
891  *
892  * Sets the list of available ciphers for this context. Note in a server
893  * context some ciphers require the appropriate certificates. For example, an
894  * RSA cipher can only be chosen when an RSA certificate is available.
895  *
896  * See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
897  */
898 static VALUE
900 {
901  SSL_CTX *ctx;
902  VALUE str, elem;
903  int i;
904 
905  rb_check_frozen(self);
906  if (NIL_P(v))
907  return v;
908  else if (TYPE(v) == T_ARRAY) {
909  str = rb_str_new(0, 0);
910  for (i = 0; i < RARRAY_LEN(v); i++) {
911  elem = rb_ary_entry(v, i);
912  if (TYPE(elem) == T_ARRAY) elem = rb_ary_entry(elem, 0);
913  elem = rb_String(elem);
914  rb_str_append(str, elem);
915  if (i < RARRAY_LEN(v)-1) rb_str_cat2(str, ":");
916  }
917  } else {
918  str = v;
919  StringValue(str);
920  }
921 
922  Data_Get_Struct(self, SSL_CTX, ctx);
923  if(!ctx){
924  ossl_raise(eSSLError, "SSL_CTX is not initialized.");
925  return Qnil;
926  }
927  if (!SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(str))) {
928  ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
929  }
930 
931  return v;
932 }
933 
934 /*
935  * call-seq:
936  * ctx.session_add(session) -> true | false
937  *
938  * Adds +session+ to the session cache
939  */
940 static VALUE
942 {
943  SSL_CTX *ctx;
944  SSL_SESSION *sess;
945 
946  Data_Get_Struct(self, SSL_CTX, ctx);
947  SafeGetSSLSession(arg, sess);
948 
949  return SSL_CTX_add_session(ctx, sess) == 1 ? Qtrue : Qfalse;
950 }
951 
952 /*
953  * call-seq:
954  * ctx.session_remove(session) -> true | false
955  *
956  * Removes +session+ from the session cache
957  */
958 static VALUE
960 {
961  SSL_CTX *ctx;
962  SSL_SESSION *sess;
963 
964  Data_Get_Struct(self, SSL_CTX, ctx);
965  SafeGetSSLSession(arg, sess);
966 
967  return SSL_CTX_remove_session(ctx, sess) == 1 ? Qtrue : Qfalse;
968 }
969 
970 /*
971  * call-seq:
972  * ctx.session_cache_mode -> Integer
973  *
974  * The current session cache mode.
975  */
976 static VALUE
978 {
979  SSL_CTX *ctx;
980 
981  Data_Get_Struct(self, SSL_CTX, ctx);
982 
983  return LONG2NUM(SSL_CTX_get_session_cache_mode(ctx));
984 }
985 
986 /*
987  * call-seq:
988  * ctx.session_cache_mode=(integer) -> Integer
989  *
990  * Sets the SSL session cache mode. Bitwise-or together the desired
991  * SESSION_CACHE_* constants to set. See SSL_CTX_set_session_cache_mode(3) for
992  * details.
993  */
994 static VALUE
996 {
997  SSL_CTX *ctx;
998 
999  Data_Get_Struct(self, SSL_CTX, ctx);
1000 
1001  SSL_CTX_set_session_cache_mode(ctx, NUM2LONG(arg));
1002 
1003  return arg;
1004 }
1005 
1006 /*
1007  * call-seq:
1008  * ctx.session_cache_size -> Integer
1009  *
1010  * Returns the current session cache size. Zero is used to represent an
1011  * unlimited cache size.
1012  */
1013 static VALUE
1015 {
1016  SSL_CTX *ctx;
1017 
1018  Data_Get_Struct(self, SSL_CTX, ctx);
1019 
1020  return LONG2NUM(SSL_CTX_sess_get_cache_size(ctx));
1021 }
1022 
1023 /*
1024  * call-seq:
1025  * ctx.session_cache_size=(integer) -> Integer
1026  *
1027  * Sets the session cache size. Returns the previously valid session cache
1028  * size. Zero is used to represent an unlimited session cache size.
1029  */
1030 static VALUE
1032 {
1033  SSL_CTX *ctx;
1034 
1035  Data_Get_Struct(self, SSL_CTX, ctx);
1036 
1037  SSL_CTX_sess_set_cache_size(ctx, NUM2LONG(arg));
1038 
1039  return arg;
1040 }
1041 
1042 /*
1043  * call-seq:
1044  * ctx.session_cache_stats -> Hash
1045  *
1046  * Returns a Hash containing the following keys:
1047  *
1048  * :accept:: Number of started SSL/TLS handshakes in server mode
1049  * :accept_good:: Number of established SSL/TLS sessions in server mode
1050  * :accept_renegotiate:: Number of start renegotiations in server mode
1051  * :cache_full:: Number of sessions that were removed due to cache overflow
1052  * :cache_hits:: Number of successfully reused connections
1053  * :cache_misses:: Number of sessions proposed by clients that were not found
1054  * in the cache
1055  * :cache_num:: Number of sessions in the internal session cache
1056  * :cb_hits:: Number of sessions retrieved from the external cache in server
1057  * mode
1058  * :connect:: Number of started SSL/TLS handshakes in client mode
1059  * :connect_good:: Number of established SSL/TLS sessions in client mode
1060  * :connect_renegotiate:: Number of start renegotiations in client mode
1061  * :timeouts:: Number of sessions proposed by clients that were found in the
1062  * cache but had expired due to timeouts
1063  */
1064 static VALUE
1066 {
1067  SSL_CTX *ctx;
1068  VALUE hash;
1069 
1070  Data_Get_Struct(self, SSL_CTX, ctx);
1071 
1072  hash = rb_hash_new();
1073  rb_hash_aset(hash, ID2SYM(rb_intern("cache_num")), LONG2NUM(SSL_CTX_sess_number(ctx)));
1074  rb_hash_aset(hash, ID2SYM(rb_intern("connect")), LONG2NUM(SSL_CTX_sess_connect(ctx)));
1075  rb_hash_aset(hash, ID2SYM(rb_intern("connect_good")), LONG2NUM(SSL_CTX_sess_connect_good(ctx)));
1076  rb_hash_aset(hash, ID2SYM(rb_intern("connect_renegotiate")), LONG2NUM(SSL_CTX_sess_connect_renegotiate(ctx)));
1077  rb_hash_aset(hash, ID2SYM(rb_intern("accept")), LONG2NUM(SSL_CTX_sess_accept(ctx)));
1078  rb_hash_aset(hash, ID2SYM(rb_intern("accept_good")), LONG2NUM(SSL_CTX_sess_accept_good(ctx)));
1079  rb_hash_aset(hash, ID2SYM(rb_intern("accept_renegotiate")), LONG2NUM(SSL_CTX_sess_accept_renegotiate(ctx)));
1080  rb_hash_aset(hash, ID2SYM(rb_intern("cache_hits")), LONG2NUM(SSL_CTX_sess_hits(ctx)));
1081  rb_hash_aset(hash, ID2SYM(rb_intern("cb_hits")), LONG2NUM(SSL_CTX_sess_cb_hits(ctx)));
1082  rb_hash_aset(hash, ID2SYM(rb_intern("cache_misses")), LONG2NUM(SSL_CTX_sess_misses(ctx)));
1083  rb_hash_aset(hash, ID2SYM(rb_intern("cache_full")), LONG2NUM(SSL_CTX_sess_cache_full(ctx)));
1084  rb_hash_aset(hash, ID2SYM(rb_intern("timeouts")), LONG2NUM(SSL_CTX_sess_timeouts(ctx)));
1085 
1086  return hash;
1087 }
1088 
1089 
1090 /*
1091  * call-seq:
1092  * ctx.flush_sessions(time | nil) -> self
1093  *
1094  * Removes sessions in the internal cache that have expired at +time+.
1095  */
1096 static VALUE
1098 {
1099  VALUE arg1;
1100  SSL_CTX *ctx;
1101  time_t tm = 0;
1102 
1103  rb_scan_args(argc, argv, "01", &arg1);
1104 
1105  Data_Get_Struct(self, SSL_CTX, ctx);
1106 
1107  if (NIL_P(arg1)) {
1108  tm = time(0);
1109  } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
1110  tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
1111  } else {
1112  ossl_raise(rb_eArgError, "arg must be Time or nil");
1113  }
1114 
1115  SSL_CTX_flush_sessions(ctx, (long)tm);
1116 
1117  return self;
1118 }
1119 
1120 /*
1121  * SSLSocket class
1122  */
1123 #ifndef OPENSSL_NO_SOCK
1124 static void
1126 {
1127  int i, rc;
1128 
1129  if (ssl) {
1130  /* 4 is from SSL_smart_shutdown() of mod_ssl.c (v2.2.19) */
1131  /* It says max 2x pending + 2x data = 4 */
1132  for (i = 0; i < 4; ++i) {
1133  /*
1134  * Ignore the case SSL_shutdown returns -1. Empty handshake_func
1135  * must not happen.
1136  */
1137  if (rc = SSL_shutdown(ssl))
1138  break;
1139  }
1140  SSL_clear(ssl);
1141  ERR_clear_error();
1142  }
1143 }
1144 
1145 static void
1146 ossl_ssl_free(SSL *ssl)
1147 {
1148  SSL_free(ssl);
1149 }
1150 
1151 static VALUE
1153 {
1154  return Data_Wrap_Struct(klass, 0, ossl_ssl_free, NULL);
1155 }
1156 
1157 /*
1158  * call-seq:
1159  * SSLSocket.new(io) => aSSLSocket
1160  * SSLSocket.new(io, ctx) => aSSLSocket
1161  *
1162  * Creates a new SSL socket from +io+ which must be a real ruby object (not an
1163  * IO-like object that responds to read/write).
1164  *
1165  * If +ctx+ is provided the SSL Sockets initial params will be taken from
1166  * the context.
1167  *
1168  * The OpenSSL::Buffering module provides additional IO methods.
1169  *
1170  * This method will freeze the SSLContext if one is provided;
1171  * however, session management is still allowed in the frozen SSLContext.
1172  */
1173 static VALUE
1175 {
1176  VALUE io, ctx;
1177 
1178  if (rb_scan_args(argc, argv, "11", &io, &ctx) == 1) {
1179  ctx = rb_funcall(cSSLContext, rb_intern("new"), 0);
1180  }
1182  Check_Type(io, T_FILE);
1183  ossl_ssl_set_io(self, io);
1184  ossl_ssl_set_ctx(self, ctx);
1186  ossl_sslctx_setup(ctx);
1187 
1188  rb_iv_set(self, "@hostname", Qnil);
1189 
1190  rb_call_super(0, 0);
1191 
1192  return self;
1193 }
1194 
1195 static VALUE
1197 {
1198  VALUE io, v_ctx, cb;
1199  SSL_CTX *ctx;
1200  SSL *ssl;
1201  rb_io_t *fptr;
1202 
1203  Data_Get_Struct(self, SSL, ssl);
1204  if(!ssl){
1205 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1206  VALUE hostname = rb_iv_get(self, "@hostname");
1207 #endif
1208 
1209  v_ctx = ossl_ssl_get_ctx(self);
1210  Data_Get_Struct(v_ctx, SSL_CTX, ctx);
1211 
1212  ssl = SSL_new(ctx);
1213  if (!ssl) {
1214  ossl_raise(eSSLError, "SSL_new");
1215  }
1216  DATA_PTR(self) = ssl;
1217 
1218 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1219  if (!NIL_P(hostname)) {
1220  if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1)
1221  ossl_raise(eSSLError, "SSL_set_tlsext_host_name");
1222  }
1223 #endif
1224  io = ossl_ssl_get_io(self);
1225  GetOpenFile(io, fptr);
1226  rb_io_check_readable(fptr);
1227  rb_io_check_writable(fptr);
1228  SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr)));
1229  SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self);
1230  cb = ossl_sslctx_get_verify_cb(v_ctx);
1231  SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb);
1232  cb = ossl_sslctx_get_client_cert_cb(v_ctx);
1233  SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
1234  cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
1235  SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
1236  SSL_set_info_callback(ssl, ssl_info_cb);
1237  }
1238 
1239  return Qtrue;
1240 }
1241 
1242 #ifdef _WIN32
1243 #define ssl_get_error(ssl, ret) (errno = rb_w32_map_errno(WSAGetLastError()), SSL_get_error((ssl), (ret)))
1244 #else
1245 #define ssl_get_error(ssl, ret) SSL_get_error((ssl), (ret))
1246 #endif
1247 
1248 #define ossl_ssl_data_get_struct(v, ssl) \
1249 do { \
1250  Data_Get_Struct((v), SSL, (ssl)); \
1251  if (!(ssl)) { \
1252  rb_warning("SSL session is not started yet."); \
1253  return Qnil; \
1254  } \
1255 } while (0)
1256 
1257 static void
1258 write_would_block(int nonblock)
1259 {
1260  if (nonblock) {
1261  VALUE exc = ossl_exc_new(eSSLErrorWaitWritable, "write would block");
1262  rb_exc_raise(exc);
1263  }
1264 }
1265 
1266 static void
1267 read_would_block(int nonblock)
1268 {
1269  if (nonblock) {
1270  VALUE exc = ossl_exc_new(eSSLErrorWaitReadable, "read would block");
1271  rb_exc_raise(exc);
1272  }
1273 }
1274 
1275 static VALUE
1276 ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, int nonblock)
1277 {
1278  SSL *ssl;
1279  rb_io_t *fptr;
1280  int ret, ret2;
1281  VALUE cb_state;
1282 
1284 
1285  ossl_ssl_data_get_struct(self, ssl);
1286 
1287  GetOpenFile(ossl_ssl_get_io(self), fptr);
1288  for(;;){
1289  ret = func(ssl);
1290 
1291  cb_state = rb_ivar_get(self, ID_callback_state);
1292  if (!NIL_P(cb_state))
1293  rb_jump_tag(NUM2INT(cb_state));
1294 
1295  if (ret > 0)
1296  break;
1297 
1298  switch((ret2 = ssl_get_error(ssl, ret))){
1299  case SSL_ERROR_WANT_WRITE:
1300  write_would_block(nonblock);
1302  continue;
1303  case SSL_ERROR_WANT_READ:
1304  read_would_block(nonblock);
1306  continue;
1307  case SSL_ERROR_SYSCALL:
1308  if (errno) rb_sys_fail(funcname);
1309  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1310  default:
1311  ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1312  }
1313  }
1314 
1315  return self;
1316 }
1317 
1318 /*
1319  * call-seq:
1320  * ssl.connect => self
1321  *
1322  * Initiates an SSL/TLS handshake with a server. The handshake may be started
1323  * after unencrypted data has been sent over the socket.
1324  */
1325 static VALUE
1327 {
1328  ossl_ssl_setup(self);
1329  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 0);
1330 }
1331 
1332 /*
1333  * call-seq:
1334  * ssl.connect_nonblock => self
1335  *
1336  * Initiates the SSL/TLS handshake as a client in non-blocking manner.
1337  *
1338  * # emulates blocking connect
1339  * begin
1340  * ssl.connect_nonblock
1341  * rescue IO::WaitReadable
1342  * IO.select([s2])
1343  * retry
1344  * rescue IO::WaitWritable
1345  * IO.select(nil, [s2])
1346  * retry
1347  * end
1348  *
1349  */
1350 static VALUE
1352 {
1353  ossl_ssl_setup(self);
1354  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 1);
1355 }
1356 
1357 /*
1358  * call-seq:
1359  * ssl.accept => self
1360  *
1361  * Waits for a SSL/TLS client to initiate a handshake. The handshake may be
1362  * started after unencrypted data has been sent over the socket.
1363  */
1364 static VALUE
1366 {
1367  ossl_ssl_setup(self);
1368  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 0);
1369 }
1370 
1371 /*
1372  * call-seq:
1373  * ssl.accept_nonblock => self
1374  *
1375  * Initiates the SSL/TLS handshake as a server in non-blocking manner.
1376  *
1377  * # emulates blocking accept
1378  * begin
1379  * ssl.accept_nonblock
1380  * rescue IO::WaitReadable
1381  * IO.select([s2])
1382  * retry
1383  * rescue IO::WaitWritable
1384  * IO.select(nil, [s2])
1385  * retry
1386  * end
1387  *
1388  */
1389 static VALUE
1391 {
1392  ossl_ssl_setup(self);
1393  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 1);
1394 }
1395 
1396 static VALUE
1397 ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1398 {
1399  SSL *ssl;
1400  int ilen, nread = 0;
1401  int no_exception = 0;
1402  VALUE len, str;
1403  rb_io_t *fptr;
1404  VALUE opts = Qnil;
1405 
1406  rb_scan_args(argc, argv, "11:", &len, &str, &opts);
1407 
1408  if (!NIL_P(opts) && Qfalse == rb_hash_aref(opts, sym_exception))
1409  no_exception = 1;
1410 
1411  ilen = NUM2INT(len);
1412  if(NIL_P(str)) str = rb_str_new(0, ilen);
1413  else{
1414  StringValue(str);
1415  rb_str_modify(str);
1416  rb_str_resize(str, ilen);
1417  }
1418  if(ilen == 0) return str;
1419 
1420  Data_Get_Struct(self, SSL, ssl);
1421  GetOpenFile(ossl_ssl_get_io(self), fptr);
1422  if (ssl) {
1423  if(!nonblock && SSL_pending(ssl) <= 0)
1425  for (;;){
1426  nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1427  switch(ssl_get_error(ssl, nread)){
1428  case SSL_ERROR_NONE:
1429  goto end;
1430  case SSL_ERROR_ZERO_RETURN:
1431  if (no_exception) { return Qnil; }
1432  rb_eof_error();
1433  case SSL_ERROR_WANT_WRITE:
1434  if (no_exception) { return ID2SYM(rb_intern("wait_writable")); }
1435  write_would_block(nonblock);
1437  continue;
1438  case SSL_ERROR_WANT_READ:
1439  if (no_exception) { return ID2SYM(rb_intern("wait_readable")); }
1440  read_would_block(nonblock);
1442  continue;
1443  case SSL_ERROR_SYSCALL:
1444  if(ERR_peek_error() == 0 && nread == 0) {
1445  if (no_exception) { return Qnil; }
1446  rb_eof_error();
1447  }
1448  rb_sys_fail(0);
1449  default:
1450  ossl_raise(eSSLError, "SSL_read");
1451  }
1452  }
1453  }
1454  else {
1455  ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1456  rb_warning("SSL session is not started yet.");
1457  return rb_funcall(ossl_ssl_get_io(self), meth, 2, len, str);
1458  }
1459 
1460  end:
1461  rb_str_set_len(str, nread);
1462  OBJ_TAINT(str);
1463 
1464  return str;
1465 }
1466 
1467 /*
1468  * call-seq:
1469  * ssl.sysread(length) => string
1470  * ssl.sysread(length, buffer) => buffer
1471  *
1472  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1473  * is provided the data will be written into it.
1474  */
1475 static VALUE
1477 {
1478  return ossl_ssl_read_internal(argc, argv, self, 0);
1479 }
1480 
1481 /*
1482  * call-seq:
1483  * ssl.sysread_nonblock(length) => string
1484  * ssl.sysread_nonblock(length, buffer) => buffer
1485  * ssl.sysread_nonblock(length[, buffer [, opts]) => buffer
1486  *
1487  * A non-blocking version of #sysread. Raises an SSLError if reading would
1488  * block. If "exception: false" is passed, this method returns a symbol of
1489  * :wait_readable, :wait_writable, or nil, rather than raising an exception.
1490  *
1491  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1492  * is provided the data will be written into it.
1493  */
1494 static VALUE
1496 {
1497  return ossl_ssl_read_internal(argc, argv, self, 1);
1498 }
1499 
1500 static VALUE
1501 ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock, int no_exception)
1502 {
1503  SSL *ssl;
1504  int nwrite = 0;
1505  rb_io_t *fptr;
1506 
1507  StringValue(str);
1508  Data_Get_Struct(self, SSL, ssl);
1509  GetOpenFile(ossl_ssl_get_io(self), fptr);
1510 
1511  if (ssl) {
1512  for (;;){
1513  nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1514  switch(ssl_get_error(ssl, nwrite)){
1515  case SSL_ERROR_NONE:
1516  goto end;
1517  case SSL_ERROR_WANT_WRITE:
1518  if (no_exception) { return ID2SYM(rb_intern("wait_writable")); }
1519  write_would_block(nonblock);
1521  continue;
1522  case SSL_ERROR_WANT_READ:
1523  if (no_exception) { return ID2SYM(rb_intern("wait_readable")); }
1524  read_would_block(nonblock);
1526  continue;
1527  case SSL_ERROR_SYSCALL:
1528  if (errno) rb_sys_fail(0);
1529  default:
1530  ossl_raise(eSSLError, "SSL_write");
1531  }
1532  }
1533  }
1534  else {
1535  ID id_syswrite = rb_intern("syswrite");
1536  rb_warning("SSL session is not started yet.");
1537  return rb_funcall(ossl_ssl_get_io(self), id_syswrite, 1, str);
1538  }
1539 
1540  end:
1541  return INT2NUM(nwrite);
1542 }
1543 
1544 /*
1545  * call-seq:
1546  * ssl.syswrite(string) => Integer
1547  *
1548  * Writes +string+ to the SSL connection.
1549  */
1550 static VALUE
1552 {
1553  return ossl_ssl_write_internal(self, str, 0, 0);
1554 }
1555 
1556 /*
1557  * call-seq:
1558  * ssl.syswrite_nonblock(string) => Integer
1559  *
1560  * Writes +string+ to the SSL connection in a non-blocking manner. Raises an
1561  * SSLError if writing would block.
1562  */
1563 static VALUE
1565 {
1566  VALUE str;
1567  VALUE opts = Qnil;
1568  int no_exception = 0;
1569 
1570  rb_scan_args(argc, argv, "1:", &str, &opts);
1571 
1572  if (!NIL_P(opts) && Qfalse == rb_hash_aref(opts, sym_exception))
1573  no_exception = 1;
1574 
1575  return ossl_ssl_write_internal(self, str, 1, no_exception);
1576 }
1577 
1578 /*
1579  * call-seq:
1580  * ssl.sysclose => nil
1581  *
1582  * Shuts down the SSL connection and prepares it for another connection.
1583  */
1584 static VALUE
1586 {
1587  SSL *ssl;
1588  VALUE io;
1589 
1590  /* ossl_ssl_data_get_struct() is not usable here because it may return
1591  * from this function; */
1592 
1593  Data_Get_Struct(self, SSL, ssl);
1594 
1595  io = ossl_ssl_get_io(self);
1596  if (!RTEST(rb_funcall(io, rb_intern("closed?"), 0))) {
1597  if (ssl) {
1598  ossl_ssl_shutdown(ssl);
1599  SSL_free(ssl);
1600  }
1601  DATA_PTR(self) = NULL;
1602  if (RTEST(ossl_ssl_get_sync_close(self)))
1603  rb_funcall(io, rb_intern("close"), 0);
1604  }
1605 
1606  return Qnil;
1607 }
1608 
1609 /*
1610  * call-seq:
1611  * ssl.cert => cert or nil
1612  *
1613  * The X509 certificate for this socket endpoint.
1614  */
1615 static VALUE
1617 {
1618  SSL *ssl;
1619  X509 *cert = NULL;
1620 
1621  ossl_ssl_data_get_struct(self, ssl);
1622 
1623  /*
1624  * Is this OpenSSL bug? Should add a ref?
1625  * TODO: Ask for.
1626  */
1627  cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
1628 
1629  if (!cert) {
1630  return Qnil;
1631  }
1632  return ossl_x509_new(cert);
1633 }
1634 
1635 /*
1636  * call-seq:
1637  * ssl.peer_cert => cert or nil
1638  *
1639  * The X509 certificate for this socket's peer.
1640  */
1641 static VALUE
1643 {
1644  SSL *ssl;
1645  X509 *cert = NULL;
1646  VALUE obj;
1647 
1648  ossl_ssl_data_get_struct(self, ssl);
1649 
1650  cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
1651 
1652  if (!cert) {
1653  return Qnil;
1654  }
1655  obj = ossl_x509_new(cert);
1656  X509_free(cert);
1657 
1658  return obj;
1659 }
1660 
1661 /*
1662  * call-seq:
1663  * ssl.peer_cert_chain => [cert, ...] or nil
1664  *
1665  * The X509 certificate chain for this socket's peer.
1666  */
1667 static VALUE
1669 {
1670  SSL *ssl;
1671  STACK_OF(X509) *chain;
1672  X509 *cert;
1673  VALUE ary;
1674  int i, num;
1675 
1676  ossl_ssl_data_get_struct(self, ssl);
1677 
1678  chain = SSL_get_peer_cert_chain(ssl);
1679  if(!chain) return Qnil;
1680  num = sk_X509_num(chain);
1681  ary = rb_ary_new2(num);
1682  for (i = 0; i < num; i++){
1683  cert = sk_X509_value(chain, i);
1684  rb_ary_push(ary, ossl_x509_new(cert));
1685  }
1686 
1687  return ary;
1688 }
1689 
1690 /*
1691 * call-seq:
1692 * ssl.ssl_version => String
1693 *
1694 * Returns a String representing the SSL/TLS version that was negotiated
1695 * for the connection, for example "TLSv1.2".
1696 */
1697 static VALUE
1699 {
1700  SSL *ssl;
1701 
1702  ossl_ssl_data_get_struct(self, ssl);
1703 
1704  return rb_str_new2(SSL_get_version(ssl));
1705 }
1706 
1707 /*
1708 * call-seq:
1709 * ssl.cipher => [name, version, bits, alg_bits]
1710 *
1711 * The cipher being used for the current connection
1712 */
1713 static VALUE
1715 {
1716  SSL *ssl;
1717  SSL_CIPHER *cipher;
1718 
1719  ossl_ssl_data_get_struct(self, ssl);
1720 
1721  cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
1722 
1723  return ossl_ssl_cipher_to_ary(cipher);
1724 }
1725 
1726 /*
1727  * call-seq:
1728  * ssl.state => string
1729  *
1730  * A description of the current connection state.
1731  */
1732 static VALUE
1734 {
1735  SSL *ssl;
1736  VALUE ret;
1737 
1738  ossl_ssl_data_get_struct(self, ssl);
1739 
1740  ret = rb_str_new2(SSL_state_string(ssl));
1741  if (ruby_verbose) {
1742  rb_str_cat2(ret, ": ");
1743  rb_str_cat2(ret, SSL_state_string_long(ssl));
1744  }
1745  return ret;
1746 }
1747 
1748 /*
1749  * call-seq:
1750  * ssl.pending => Integer
1751  *
1752  * The number of bytes that are immediately available for reading
1753  */
1754 static VALUE
1756 {
1757  SSL *ssl;
1758 
1759  ossl_ssl_data_get_struct(self, ssl);
1760 
1761  return INT2NUM(SSL_pending(ssl));
1762 }
1763 
1764 /*
1765  * call-seq:
1766  * ssl.session_reused? -> true | false
1767  *
1768  * Returns true if a reused session was negotiated during the handshake.
1769  */
1770 static VALUE
1772 {
1773  SSL *ssl;
1774 
1775  ossl_ssl_data_get_struct(self, ssl);
1776 
1777  switch(SSL_session_reused(ssl)) {
1778  case 1: return Qtrue;
1779  case 0: return Qfalse;
1780  default: ossl_raise(eSSLError, "SSL_session_reused");
1781  }
1782 
1783  UNREACHABLE;
1784 }
1785 
1786 /*
1787  * call-seq:
1788  * ssl.session = session -> session
1789  *
1790  * Sets the Session to be used when the connection is established.
1791  */
1792 static VALUE
1794 {
1795  SSL *ssl;
1796  SSL_SESSION *sess;
1797 
1798 /* why is ossl_ssl_setup delayed? */
1799  ossl_ssl_setup(self);
1800 
1801  ossl_ssl_data_get_struct(self, ssl);
1802 
1803  SafeGetSSLSession(arg1, sess);
1804 
1805  if (SSL_set_session(ssl, sess) != 1)
1806  ossl_raise(eSSLError, "SSL_set_session");
1807 
1808  return arg1;
1809 }
1810 
1811 /*
1812  * call-seq:
1813  * ssl.verify_result => Integer
1814  *
1815  * Returns the result of the peer certificates verification. See verify(1)
1816  * for error values and descriptions.
1817  *
1818  * If no peer certificate was presented X509_V_OK is returned.
1819  */
1820 static VALUE
1822 {
1823  SSL *ssl;
1824 
1825  ossl_ssl_data_get_struct(self, ssl);
1826 
1827  return INT2FIX(SSL_get_verify_result(ssl));
1828 }
1829 
1830 /*
1831  * call-seq:
1832  * ssl.client_ca => [x509name, ...]
1833  *
1834  * Returns the list of client CAs. Please note that in contrast to
1835  * SSLContext#client_ca= no array of X509::Certificate is returned but
1836  * X509::Name instances of the CA's subject distinguished name.
1837  *
1838  * In server mode, returns the list set by SSLContext#client_ca=.
1839  * In client mode, returns the list of client CAs sent from the server.
1840  */
1841 static VALUE
1843 {
1844  SSL *ssl;
1845  STACK_OF(X509_NAME) *ca;
1846 
1847  ossl_ssl_data_get_struct(self, ssl);
1848 
1849  ca = SSL_get_client_CA_list(ssl);
1850  return ossl_x509name_sk2ary(ca);
1851 }
1852 
1853 # ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
1854 /*
1855  * call-seq:
1856  * ssl.npn_protocol => String
1857  *
1858  * Returns the protocol string that was finally selected by the client
1859  * during the handshake.
1860  */
1861 static VALUE
1862 ossl_ssl_npn_protocol(VALUE self)
1863 {
1864  SSL *ssl;
1865  const unsigned char *out;
1866  unsigned int outlen;
1867 
1868  ossl_ssl_data_get_struct(self, ssl);
1869 
1870  SSL_get0_next_proto_negotiated(ssl, &out, &outlen);
1871  if (!outlen)
1872  return Qnil;
1873  else
1874  return rb_str_new((const char *) out, outlen);
1875 }
1876 # endif
1877 #endif /* !defined(OPENSSL_NO_SOCK) */
1878 
1879 void
1881 {
1882  int i;
1883  VALUE ary;
1884 
1885 #if 0
1886  mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
1887 #endif
1888 
1889  ID_callback_state = rb_intern("@callback_state");
1890 
1891  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
1892  ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
1893  ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
1895  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
1897  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
1898 
1899  /* Document-module: OpenSSL::SSL
1900  *
1901  * Use SSLContext to set up the parameters for a TLS (former SSL)
1902  * connection. Both client and server TLS connections are supported,
1903  * SSLSocket and SSLServer may be used in conjunction with an instance
1904  * of SSLContext to set up connections.
1905  */
1906  mSSL = rb_define_module_under(mOSSL, "SSL");
1907  /* Document-class: OpenSSL::SSL::SSLError
1908  *
1909  * Generic error class raised by SSLSocket and SSLContext.
1910  */
1912  eSSLErrorWaitReadable = rb_define_class_under(mSSL, "SSLErrorWaitReadable", eSSLError);
1914  eSSLErrorWaitWritable = rb_define_class_under(mSSL, "SSLErrorWaitWritable", eSSLError);
1916 
1918 
1919  /* Document-class: OpenSSL::SSL::SSLContext
1920  *
1921  * An SSLContext is used to set various options regarding certificates,
1922  * algorithms, verification, session caching, etc. The SSLContext is
1923  * used to create an SSLSocket.
1924  *
1925  * All attributes must be set before creating an SSLSocket as the
1926  * SSLContext will be frozen afterward.
1927  *
1928  * The following attributes are available but don't show up in rdoc:
1929  * * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
1930  * * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
1931  * * session_id_context, session_add_cb, session_new_cb, session_remove_cb
1932  */
1935 
1936  /*
1937  * Context certificate
1938  */
1939  rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
1940 
1941  /*
1942  * Context private key
1943  */
1944  rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
1945 
1946  /*
1947  * A certificate or Array of certificates that will be sent to the client.
1948  */
1949  rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
1950 
1951  /*
1952  * The path to a file containing a PEM-format CA certificate
1953  */
1954  rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
1955 
1956  /*
1957  * The path to a directory containing CA certificates in PEM format.
1958  *
1959  * Files are looked up by subject's X509 name's hash value.
1960  */
1961  rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
1962 
1963  /*
1964  * Maximum session lifetime.
1965  */
1966  rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
1967 
1968  /*
1969  * Session verification mode.
1970  *
1971  * Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
1972  * VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
1973  */
1974  rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
1975 
1976  /*
1977  * Number of CA certificates to walk when verifying a certificate chain.
1978  */
1979  rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
1980 
1981  /*
1982  * A callback for additional certificate verification. The callback is
1983  * invoked for each certificate in the chain.
1984  *
1985  * The callback is invoked with two values. +preverify_ok+ indicates
1986  * indicates if the verification was passed (true) or not (false).
1987  * +store_context+ is an OpenSSL::X509::StoreContext containing the
1988  * context used for certificate verification.
1989  *
1990  * If the callback returns false verification is stopped.
1991  */
1992  rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
1993 
1994  /*
1995  * Sets various OpenSSL options.
1996  */
1997  rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse);
1998 
1999  /*
2000  * An OpenSSL::X509::Store used for certificate verification
2001  */
2002  rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
2003 
2004  /*
2005  * An Array of extra X509 certificates to be added to the certificate
2006  * chain.
2007  */
2008  rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
2009 
2010  /*
2011  * A callback invoked when a client certificate is requested by a server
2012  * and no certificate has been set.
2013  *
2014  * The callback is invoked with a Session and must return an Array
2015  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
2016  * other value is returned the handshake is suspended.
2017  */
2018  rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
2019 
2020  /*
2021  * A callback invoked when DH parameters are required.
2022  *
2023  * The callback is invoked with the Session for the key exchange, an
2024  * flag indicating the use of an export cipher and the keylength
2025  * required.
2026  *
2027  * The callback must return an OpenSSL::PKey::DH instance of the correct
2028  * key length.
2029  */
2030  rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse);
2031 
2032  /*
2033  * Sets the context in which a session can be reused. This allows
2034  * sessions for multiple applications to be distinguished, for example, by
2035  * name.
2036  */
2037  rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
2038 
2039  /*
2040  * A callback invoked on a server when a session is proposed by the client
2041  * but the session could not be found in the server's internal cache.
2042  *
2043  * The callback is invoked with the SSLSocket and session id. The
2044  * callback may return a Session from an external cache.
2045  */
2046  rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
2047 
2048  /*
2049  * A callback invoked when a new session was negotiatied.
2050  *
2051  * The callback is invoked with an SSLSocket. If false is returned the
2052  * session will be removed from the internal cache.
2053  */
2054  rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
2055 
2056  /*
2057  * A callback invoked when a session is removed from the internal cache.
2058  *
2059  * The callback is invoked with an SSLContext and a Session.
2060  */
2061  rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
2062 
2063 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
2064  /*
2065  * A callback invoked at connect time to distinguish between multiple
2066  * server names.
2067  *
2068  * The callback is invoked with an SSLSocket and a server name. The
2069  * callback must return an SSLContext for the server name or nil.
2070  */
2071  rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse);
2072 #endif
2073  /*
2074  * A callback invoked whenever a new handshake is initiated. May be used
2075  * to disable renegotiation entirely.
2076  *
2077  * The callback is invoked with the active SSLSocket. The callback's
2078  * return value is irrelevant, normal return indicates "approval" of the
2079  * renegotiation and will continue the process. To forbid renegotiation
2080  * and to cancel the process, an Error may be raised within the callback.
2081  *
2082  * === Disable client renegotiation
2083  *
2084  * When running a server, it is often desirable to disable client
2085  * renegotiation entirely. You may use a callback as follows to implement
2086  * this feature:
2087  *
2088  * num_handshakes = 0
2089  * ctx.renegotiation_cb = lambda do |ssl|
2090  * num_handshakes += 1
2091  * raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
2092  * end
2093  */
2094  rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
2095 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
2096  /*
2097  * An Enumerable of Strings. Each String represents a protocol to be
2098  * advertised as the list of supported protocols for Next Protocol
2099  * Negotiation. Supported in OpenSSL 1.0.1 and higher. Has no effect
2100  * on the client side. If not set explicitly, the NPN extension will
2101  * not be sent by the server in the handshake.
2102  *
2103  * === Example
2104  *
2105  * ctx.npn_protocols = ["http/1.1", "spdy/2"]
2106  */
2107  rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
2108  /*
2109  * A callback invoked on the client side when the client needs to select
2110  * a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
2111  * and higher. The client MUST select a protocol of those advertised by
2112  * the server. If none is acceptable, raising an error in the callback
2113  * will cause the handshake to fail. Not setting this callback explicitly
2114  * means not supporting the NPN extension on the client - any protocols
2115  * advertised by the server will be ignored.
2116  *
2117  * === Example
2118  *
2119  * ctx.npn_select_cb = lambda do |protocols|
2120  * #inspect the protocols and select one
2121  * protocols.first
2122  * end
2123  */
2124  rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
2125 #endif
2126 
2127  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
2128  rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
2133 
2135 
2136  /*
2137  * No session caching for client or server
2138  */
2139  rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
2140 
2141  /*
2142  * Client sessions are added to the session cache
2143  */
2144  rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
2145 
2146  /*
2147  * Server sessions are added to the session cache
2148  */
2149  rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
2150 
2151  /*
2152  * Both client and server sessions are added to the session cache
2153  */
2154  rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
2155 
2156  /*
2157  * Normally the session cache is checked for expired sessions every 255
2158  * connections. Since this may lead to a delay that cannot be controlled,
2159  * the automatic flushing may be disabled and #flush_sessions can be
2160  * called explicitly.
2161  */
2162  rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
2163 
2164  /*
2165  * Always perform external lookups of sessions even if they are in the
2166  * internal cache.
2167  *
2168  * This flag has no effect on clients
2169  */
2170  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
2171 
2172  /*
2173  * Never automatically store sessions in the internal store.
2174  */
2175  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
2176 
2177  /*
2178  * Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
2179  * SESSION_CACHE_NO_INTERNAL_STORE.
2180  */
2181  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
2182 
2191 
2193  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
2195  }
2196  rb_obj_freeze(ary);
2197  /* The list of available SSL/TLS methods */
2198  rb_define_const(cSSLContext, "METHODS", ary);
2199 
2200  /*
2201  * Document-class: OpenSSL::SSL::SSLSocket
2202  *
2203  * The following attributes are available but don't show up in rdoc.
2204  * * io, context, sync_close
2205  *
2206  */
2208 #ifdef OPENSSL_NO_SOCK
2209  rb_define_method(cSSLSocket, "initialize", rb_notimplement, -1);
2210 #else
2212  for(i = 0; i < numberof(ossl_ssl_attr_readers); i++)
2214  for(i = 0; i < numberof(ossl_ssl_attrs); i++)
2216  rb_define_alias(cSSLSocket, "to_io", "io");
2217  rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
2219  rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, 0);
2221  rb_define_method(cSSLSocket, "accept_nonblock", ossl_ssl_accept_nonblock, 0);
2222  rb_define_method(cSSLSocket, "sysread", ossl_ssl_read, -1);
2224  rb_define_method(cSSLSocket, "syswrite", ossl_ssl_write, 1);
2225  rb_define_private_method(cSSLSocket, "syswrite_nonblock", ossl_ssl_write_nonblock, -1);
2226  rb_define_method(cSSLSocket, "sysclose", ossl_ssl_close, 0);
2230  rb_define_method(cSSLSocket, "ssl_version", ossl_ssl_get_version, 0);
2234  rb_define_method(cSSLSocket, "session_reused?", ossl_ssl_session_reused, 0);
2235  /* implementation of OpenSSL::SSL::SSLSocket#session is in lib/openssl/ssl.rb */
2239 # ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
2240  rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
2241 # endif
2242 #endif
2243 
2244 #define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2NUM(SSL_##x))
2245 
2246  ossl_ssl_def_const(VERIFY_NONE);
2247  ossl_ssl_def_const(VERIFY_PEER);
2248  ossl_ssl_def_const(VERIFY_FAIL_IF_NO_PEER_CERT);
2249  ossl_ssl_def_const(VERIFY_CLIENT_ONCE);
2250  /* Introduce constants included in OP_ALL. These constants are mostly for
2251  * unset some bits in OP_ALL such as;
2252  * ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
2253  */
2254  ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
2255  ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
2256  ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
2257  ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
2258  ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
2259 #if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
2260  ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
2261 #endif
2262  ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
2263  ossl_ssl_def_const(OP_TLS_D5_BUG);
2264  ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
2265  ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
2266  ossl_ssl_def_const(OP_ALL);
2267 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
2268  ossl_ssl_def_const(OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
2269 #endif
2270 #if defined(SSL_OP_SINGLE_ECDH_USE)
2271  ossl_ssl_def_const(OP_SINGLE_ECDH_USE);
2272 #endif
2273  ossl_ssl_def_const(OP_SINGLE_DH_USE);
2274  ossl_ssl_def_const(OP_EPHEMERAL_RSA);
2275 #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
2276  ossl_ssl_def_const(OP_CIPHER_SERVER_PREFERENCE);
2277 #endif
2278  ossl_ssl_def_const(OP_TLS_ROLLBACK_BUG);
2279  ossl_ssl_def_const(OP_NO_SSLv2);
2280  ossl_ssl_def_const(OP_NO_SSLv3);
2281  ossl_ssl_def_const(OP_NO_TLSv1);
2282 #if defined(SSL_OP_NO_TLSv1_1)
2283  ossl_ssl_def_const(OP_NO_TLSv1_1);
2284 #endif
2285 #if defined(SSL_OP_NO_TLSv1_2)
2286  ossl_ssl_def_const(OP_NO_TLSv1_2);
2287 #endif
2288 #if defined(SSL_OP_NO_TICKET)
2289  ossl_ssl_def_const(OP_NO_TICKET);
2290 #endif
2291 #if defined(SSL_OP_NO_COMPRESSION)
2292  ossl_ssl_def_const(OP_NO_COMPRESSION);
2293 #endif
2294  ossl_ssl_def_const(OP_PKCS1_CHECK_1);
2295  ossl_ssl_def_const(OP_PKCS1_CHECK_2);
2296  ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
2297  ossl_ssl_def_const(OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
2298 
2299  sym_exception = ID2SYM(rb_intern("exception"));
2300 }
static VALUE ossl_ssl_get_cipher(VALUE self)
Definition: ossl_ssl.c:1714
ID ID_callback_state
Definition: ossl_ssl.c:104
RARRAY_PTR(q->result)[0]
static VALUE ossl_sslctx_session_add(VALUE self, VALUE arg)
Definition: ossl_ssl.c:941
static VALUE ossl_sslctx_get_session_cache_stats(VALUE self)
Definition: ossl_ssl.c:1065
VALUE mOSSL
Definition: ossl.c:259
static DH * ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
Definition: ossl_ssl.c:298
VALUE rb_ary_entry(VALUE ary, long offset)
Definition: array.c:1179
#define ssl_get_error(ssl, ret)
Definition: ossl_ssl.c:1245
void rb_io_check_readable(rb_io_t *)
Definition: io.c:794
#define ossl_sslctx_get_key(o)
Definition: ossl_ssl.c:52
int ossl_ssl_ex_store_p
Definition: ossl_ssl.c:150
void rb_thread_wait_fd(int)
Definition: thread.c:3523
VALUE rb_iv_set(VALUE, const char *, VALUE)
Definition: variable.c:2612
static VALUE ossl_sslctx_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:226
#define ossl_ssl_get_tmp_dh(o)
Definition: ossl_ssl.c:87
static VALUE ossl_ssl_s_alloc(VALUE klass)
Definition: ossl_ssl.c:1152
static VALUE ossl_ssl_read(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1476
static VALUE eSSLErrorWaitReadable
Definition: ossl_ssl.c:32
C_block * out
Definition: crypt.c:308
rb_funcall(memo->yielder, id_lshift, 1, rb_assoc_new(memo->prev_value, memo->prev_elts))
SSL_METHOD *(* func)(void)
Definition: ossl_ssl.c:113
RUBY_EXTERN VALUE rb_mWaitReadable
Definition: ripper.y:1557
static void ossl_sslctx_free(SSL_CTX *ctx)
Definition: ossl_ssl.c:156
Definition: io.h:61
#define rb_check_frozen(obj)
RUBY_EXTERN VALUE rb_cTime
Definition: ripper.y:1595
int ret
Definition: tcltklib.c:285
#define ossl_ssl_set_key(o, v)
Definition: ossl_ssl.c:93
VALUE rb_iv_get(VALUE, const char *)
Definition: variable.c:2604
void rb_define_private_method(VALUE klass, const char *name, VALUE(*func)(ANYARGS), int argc)
Definition: class.c:1491
int ossl_ssl_ex_tmp_dh_callback_idx
Definition: ossl_ssl.c:153
int ossl_ssl_ex_vcb_idx
Definition: ossl_ssl.c:149
VALUE rb_obj_freeze(VALUE)
Definition: object.c:1070
void rb_define_alloc_func(VALUE, rb_alloc_func_t)
#define UNREACHABLE
Definition: ruby.h:42
static VALUE ossl_call_tmp_dh_callback(VALUE *args)
Definition: ossl_ssl.c:280
VALUE exc
Definition: tcltklib.c:3088
VALUE rb_ary_push(VALUE ary, VALUE item)
Definition: array.c:900
#define ossl_sslctx_get_client_cert_cb(o)
Definition: ossl_ssl.c:63
static VALUE ossl_ssl_get_cert(VALUE self)
Definition: ossl_ssl.c:1616
int ossl_ssl_ex_ptr_idx
Definition: ossl_ssl.c:151
#define TYPE(x)
VALUE ossl_x509name_sk2ary(STACK_OF(X509_NAME)*names)
rb_str_append(str, i)
#define RSTRING_PTR(str)
NIL_P(eventloop_thread)
Definition: tcltklib.c:4056
#define T_ARRAY
int const char * in
Definition: crypt.c:639
#define FPTR_TO_FD(fptr)
Definition: ruby_missing.h:19
VALUE rb_protect(VALUE(*proc)(VALUE), VALUE data, int *state)
Definition: eval.c:807
VALUE rb_define_class_under(VALUE outer, const char *name, VALUE super)
Defines a class under the namespace of outer.
Definition: class.c:657
return Qtrue
Definition: tcltklib.c:9618
#define T_FILE
void rb_include_module(VALUE klass, VALUE module)
Definition: class.c:808
#define ossl_ssl_set_tmp_dh(o, v)
Definition: ossl_ssl.c:94
#define ossl_sslctx_get_client_ca(o)
Definition: ossl_ssl.c:53
#define rb_str_new2
static VALUE ossl_ssl_connect_nonblock(VALUE self)
Definition: ossl_ssl.c:1351
static VALUE ossl_ssl_read_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1495
static VALUE ossl_ssl_close(VALUE self)
Definition: ossl_ssl.c:1585
int ossl_verify_cb_idx
Definition: ossl.c:201
#define ID2SYM(x)
#define ossl_ssl_get_io(o)
Definition: ossl_ssl.c:82
VALUE rb_iterate(VALUE(*)(VALUE), VALUE, VALUE(*)(ANYARGS), VALUE)
Definition: vm_eval.c:1059
memo state
Definition: enum.c:2432
#define rb_ary_new2
#define GetOpenFile(obj, fp)
Definition: io.h:118
#define LONG2NUM(x)
VALUE rb_ivar_get(VALUE, ID)
Definition: variable.c:1115
static void ossl_ssl_shutdown(SSL *ssl)
Definition: ossl_ssl.c:1125
RUBY_EXTERN VALUE rb_mWaitWritable
Definition: ripper.y:1558
i
Definition: enum.c:446
VALUE ary
Definition: enum.c:674
static VALUE sym_exception
Definition: ossl_ssl.c:106
static VALUE ossl_ssl_write(VALUE self, VALUE str)
Definition: ossl_ssl.c:1551
static VALUE ossl_call_client_cert_cb(VALUE obj)
Definition: ossl_ssl.c:245
VALUE ossl_exc_new(VALUE exc, const char *fmt,...)
Definition: ossl.c:344
void rb_exc_raise(VALUE mesg)
Definition: eval.c:567
void Init_ossl_ssl_session(void)
STACK_OF(X509)*ossl_x509_ary2sk0(VALUE)
VALUE hash
Definition: tkutil.c:267
DH * OSSL_DEFAULT_DH_512
Definition: ossl_pkey_dh.c:541
VALUE mSSL
Definition: ossl_ssl.c:27
X509 * GetX509CertPtr(VALUE)
Definition: ossl_x509cert.c:92
VALUE rb_obj_is_instance_of(VALUE, VALUE)
Definition: object.c:609
static VALUE ossl_ssl_accept(VALUE self)
Definition: ossl_ssl.c:1365
return Data_Wrap_Struct(CLASS_OF(interp), 0, ip_free, slave)
static VALUE ossl_sslctx_get_ciphers(VALUE self)
Definition: ossl_ssl.c:859
return Qfalse
Definition: tcltklib.c:6790
#define numberof(ary)
Definition: ossl_ssl.c:19
#define RARRAY_LEN(a)
void Init_ossl_ssl()
Definition: ossl_ssl.c:1880
#define Qnil
Definition: enum.c:67
#define StringValuePtr(v)
volatile VALUE elem
Definition: tcltklib.c:9721
#define val
Definition: tcltklib.c:1935
#define ossl_sslctx_get_cert(o)
Definition: ossl_ssl.c:51
static VALUE ossl_ssl_session_reused(VALUE self)
Definition: ossl_ssl.c:1771
#define ossl_ssl_get_ctx(o)
Definition: ossl_ssl.c:83
static VALUE ossl_call_session_remove_cb(VALUE ary)
Definition: ossl_ssl.c:439
static const char * ossl_ssl_attrs[]
Definition: ossl_ssl.c:97
static VALUE char * str
Definition: tcltklib.c:3539
#define ossl_sslctx_get_extra_cert(o)
Definition: ossl_ssl.c:62
VALUE rb_ary_new(void)
Definition: array.c:499
#define StringValueCStr(v)
unsigned long ID
Definition: ripper.y:89
void rb_define_const(VALUE, const char *, VALUE)
Definition: variable.c:2228
Check_Type(i, T_ARRAY)
VALUE rb_str_cat2(VALUE, const char *)
Definition: string.c:2158
static VALUE ossl_ssl_accept_nonblock(VALUE self)
Definition: ossl_ssl.c:1390
static VALUE VALUE obj
Definition: tcltklib.c:3150
#define RSTRING_LEN(str)
#define INT2FIX(i)
#define ossl_sslctx_get_sess_id_ctx(o)
Definition: ossl_ssl.c:65
static const char * ossl_sslctx_attrs[]
Definition: ossl_ssl.c:67
#define ossl_sslctx_get_ca_file(o)
Definition: ossl_ssl.c:54
static VALUE ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock, int no_exception)
Definition: ossl_ssl.c:1501
int rb_io_wait_writable(int)
Definition: io.c:1103
#define ossl_sslctx_get_verify_dep(o)
Definition: ossl_ssl.c:58
VALUE eOSSLError
Definition: ossl.c:264
static VALUE ossl_ssl_pending(VALUE self)
Definition: ossl_ssl.c:1755
static VALUE ossl_sslctx_setup(VALUE self)
Definition: ossl_ssl.c:680
volatile ID method
Definition: tcltklib.c:3591
VALUE rb_call_super(int, const VALUE *)
Definition: vm_eval.c:275
VALUE ossl_x509_new(X509 *)
Definition: ossl_x509cert.c:40
static VALUE ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
Definition: ossl_ssl.c:1397
unsigned char buf[MIME_BUF_SIZE]
Definition: nkf.c:4308
x509
Definition: ossl_ssl.c:489
#define ossl_ssl_set_sync_close(o, v)
Definition: ossl_ssl.c:91
static VALUE ossl_ssl_set_session(VALUE self, VALUE arg1)
Definition: ossl_ssl.c:1793
#define ossl_sslctx_get_verify_cb(o)
Definition: ossl_ssl.c:59
static int VALUE key
Definition: tkutil.c:265
int len
Definition: enumerator.c:1332
static VALUE ossl_ssl_get_verify_result(VALUE self)
Definition: ossl_ssl.c:1821
static VALUE ossl_ssl_get_state(VALUE self)
Definition: ossl_ssl.c:1733
VALUE arg
Definition: enum.c:2427
static VALUE ossl_sslctx_get_session_cache_mode(VALUE self)
Definition: ossl_ssl.c:977
static SSL_SESSION * ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
Definition: ossl_ssl.c:357
VALUE rb_str_buf_cat(VALUE, const char *, long)
Definition: string.c:2123
#define ossl_sslctx_get_verify_mode(o)
Definition: ossl_ssl.c:57
#define TO_SOCKET(s)
Definition: ossl_ssl.c:24
VALUE * argv
Definition: tcltklib.c:1969
void rb_define_alias(VALUE klass, const char *name1, const char *name2)
Defines an alias of a method.
Definition: class.c:1688
VALUE rb_str_resize(VALUE, long)
Definition: string.c:2024
static VALUE ossl_ssl_get_client_ca_list(VALUE self)
Definition: ossl_ssl.c:1842
#define RTEST(v)
static void write_would_block(int nonblock)
Definition: ossl_ssl.c:1258
static VALUE ossl_ssl_setup(VALUE self)
Definition: ossl_ssl.c:1196
int errno
#define StringValue(v)
rb_block_call(enumerable, id_each, 0, 0, chunk_ii, arg)
VALUE cSSLContext
Definition: ossl_ssl.c:29
#define OSSL_SSL_METHOD_ENTRY(name)
static VALUE ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1174
#define ossl_sslctx_get_cert_store(o)
Definition: ossl_ssl.c:61
VALUE v
Definition: enum.c:845
register char * s
Definition: os2.c:56
VALUE cSSLSocket
Definition: ossl_ssl.c:30
VALUE rb_String(VALUE)
Definition: object.c:3009
VP_EXPORT void
Definition: bigdecimal.c:5207
VALUE mode
Definition: tcltklib.c:1668
#define ossl_ssl_set_x509(o, v)
Definition: ossl_ssl.c:92
#define ossl_sslctx_get_timeout(o)
Definition: ossl_ssl.c:56
static VALUE ossl_sslctx_session_remove(VALUE self, VALUE arg)
Definition: ossl_ssl.c:959
int rb_scan_args(int argc, const VALUE *argv, const char *fmt,...)
Definition: class.c:1719
void rb_attr(VALUE, ID, int, int, int)
Definition: vm_method.c:872
#define ossl_ssl_data_get_struct(v, ssl)
Definition: ossl_ssl.c:1248
#define OBJ_FROZEN(x)
static VALUE ossl_ssl_write_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1564
#define ossl_ssl_get_x509(o)
Definition: ossl_ssl.c:85
#define ossl_sslctx_get_options(o)
Definition: ossl_ssl.c:60
int argc
Definition: tcltklib.c:1968
static VALUE ossl_call_session_new_cb(VALUE ary)
Definition: ossl_ssl.c:387
static VALUE ossl_sslctx_set_ciphers(VALUE self, VALUE v)
Definition: ossl_ssl.c:899
static int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition: ossl_ssl.c:264
rb_hash_aset(hash, RARRAY_AREF(key_value_pair, 0), RARRAY_AREF(key_value_pair, 1))
static VALUE ossl_sslctx_set_session_cache_mode(VALUE self, VALUE arg)
Definition: ossl_ssl.c:995
#define ossl_ssl_get_key(o)
Definition: ossl_ssl.c:86
static VALUE eSSLErrorWaitWritable
Definition: ossl_ssl.c:33
static void ssl_renegotiation_cb(const SSL *ssl)
Definition: ossl_ssl.c:558
void rb_sys_fail(const char *mesg)
Definition: error.c:1976
#define OSSL_Debug
Definition: ossl.h:211
ruby_verbose
Definition: tcltklib.c:5796
void rb_jump_tag(int tag)
Definition: eval.c:706
return ptr
Definition: tcltklib.c:789
VALUE rb_each(VALUE)
Definition: vm_eval.c:1182
#define _(args)
Definition: dln.h:28
X509_STORE * GetX509StorePtr(VALUE)
VALUE rb_define_module_under(VALUE outer, const char *name)
Definition: class.c:747
#define ossl_sslctx_get_tmp_dh_cb(o)
Definition: ossl_ssl.c:64
gz end
Definition: zlib.c:2272
#define ossl_sslctx_get_ca_path(o)
Definition: ossl_ssl.c:55
static VALUE ossl_ssl_get_peer_cert(VALUE self)
Definition: ossl_ssl.c:1642
SSL_CTX * ctx
Definition: ossl_ssl.c:486
void rb_str_modify(VALUE)
Definition: string.c:1483
#define T_SYMBOL
static VALUE ossl_call_session_get_cb(VALUE ary)
Definition: ossl_ssl.c:340
#define NUM2LONG(x)
VALUE rb_obj_is_kind_of(VALUE, VALUE)
Definition: object.c:646
VALUE name
Definition: enum.c:572
DATA_PTR(self)
args[0]
Definition: enum.c:585
static void ossl_ssl_free(SSL *ssl)
Definition: ossl_ssl.c:1146
#define OSSL_Check_Kind(obj, klass)
Definition: ossl.h:96
RUBY_EXTERN VALUE rb_cObject
Definition: ripper.y:1561
#define LONG2FIX(i)
static void ssl_info_cb(const SSL *ssl, int where, int val)
Definition: ossl_ssl.c:660
klass
Definition: tcltklib.c:3496
#define ossl_ssl_set_io(o, v)
Definition: ossl_ssl.c:89
#define INT2NUM(x)
#define Data_Get_Struct(obj, type, sval)
#define ossl_ssl_def_const(x)
VALUE cSSLSession
void ossl_raise(VALUE exc, const char *fmt,...)
Definition: ossl.c:333
static int ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
Definition: ossl_ssl.c:328
gz io
Definition: zlib.c:2263
EVP_PKEY * GetPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:174
void rb_notimplement(void)
Definition: error.c:1903
static VALUE ossl_ssl_get_version(VALUE self)
Definition: ossl_ssl.c:1698
static VALUE ossl_sslctx_set_session_cache_size(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1031
#define RSTRING_LENINT(str)
rb_ivar_set(yielder, id_memo, LONG2NUM(++count))
EVP_PKEY * DupPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:197
X509 * DupX509CertPtr(VALUE)
VALUE rb_str_new(const char *, long)
Definition: string.c:534
void rb_io_check_writable(rb_io_t *)
Definition: io.c:818
VALUE eSSLError
Definition: ossl_ssl.c:28
#define NUM2INT(x)
VALUE rb_hash_new(void)
Definition: hash.c:307
VALUE rb_obj_alloc(VALUE)
Definition: object.c:1804
static VALUE ossl_ssl_get_peer_cert_chain(VALUE self)
Definition: ossl_ssl.c:1668
const char * rb_id2name(ID id)
Definition: ripper.c:17271
static const char * ossl_ssl_attr_readers[]
Definition: ossl_ssl.c:96
static VALUE ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1097
VALUE rb_hash_aref(VALUE, VALUE)
Definition: hash.c:706
VALUE opts
Definition: tcltklib.c:6160
unsigned long VALUE
Definition: ripper.y:88
void rb_warning(const char *fmt,...)
Definition: error.c:236
#define SafeGetSSLSession(obj, sess)
Definition: ossl_ssl.h:21
static void ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
Definition: ossl_ssl.c:453
static VALUE ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
Definition: ossl_ssl.c:189
#define snprintf
#define OBJ_TAINT(x)
VALUE rb_define_module(const char *name)
Definition: class.c:727
static int ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
Definition: ossl_ssl.c:404
static void read_would_block(int nonblock)
Definition: ossl_ssl.c:1267
#define rb_intern(str)
#define RB_BLOCK_CALL_FUNC_ARGLIST(yielded_arg, callback_arg)
static VALUE ossl_ssl_connect(VALUE self)
Definition: ossl_ssl.c:1326
#define NULL
Definition: _sdbm.c:102
VALUE time
Definition: tcltklib.c:1866
int rb_io_wait_readable(int)
Definition: io.c:1077
static VALUE ossl_sslctx_s_alloc(VALUE klass)
Definition: ossl_ssl.c:164
DH * OSSL_DEFAULT_DH_1024
Definition: ossl_pkey_dh.c:569
void rb_define_method(VALUE klass, const char *name, VALUE(*func)(ANYARGS), int argc)
Definition: class.c:1479
static VALUE ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
Definition: ossl_ssl.c:837
#define SYM2ID(x)
static VALUE ossl_start_ssl(VALUE self, int(*func)(), const char *funcname, int nonblock)
Definition: ossl_ssl.c:1276
VALUE rb_eArgError
Definition: error.c:549
int ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
Definition: ossl.c:211
#define ossl_ssl_set_ctx(o, v)
Definition: ossl_ssl.c:90
static DH * ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
Definition: ossl_ssl.c:313
static VALUE ossl_sslctx_get_session_cache_size(VALUE self)
Definition: ossl_ssl.c:1014
int ossl_ssl_ex_client_cert_cb_idx
Definition: ossl_ssl.c:152
#define ossl_ssl_get_sync_close(o)
Definition: ossl_ssl.c:84
struct @43 ossl_ssl_method_tab[]
void rb_eof_error(void)
Definition: io.c:596
void rb_str_set_len(VALUE, long)
Definition: string.c:2007