Ruby  2.4.2p198(2017-09-14revision59899)
ossl_ssl.c
Go to the documentation of this file.
1 /*
2  * 'OpenSSL for Ruby' project
3  * Copyright (C) 2000-2002 GOTOU Yuuzou <gotoyuzo@notwork.org>
4  * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
5  * Copyright (C) 2001-2007 Technorama Ltd. <oss-ruby@technorama.net>
6  * All rights reserved.
7  */
8 /*
9  * This program is licensed under the same licence as Ruby.
10  * (See the file 'LICENCE'.)
11  */
12 #include "ossl.h"
13 
14 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
15 
16 #ifdef _WIN32
17 # define TO_SOCKET(s) _get_osfhandle(s)
18 #else
19 # define TO_SOCKET(s) (s)
20 #endif
21 
22 #define GetSSLCTX(obj, ctx) do { \
23  TypedData_Get_Struct((obj), SSL_CTX, &ossl_sslctx_type, (ctx)); \
24 } while (0)
25 
31 
34 
38 
48 
49 /*
50  * SSLContext class
51  */
52 static const struct {
53  const char *name;
54  SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */
55  int version;
56 } ossl_ssl_method_tab[] = {
57 #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
58 #define OSSL_SSL_METHOD_ENTRY(name, version) \
59  { #name, (SSL_METHOD *(*)(void))TLS_method, version }, \
60  { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \
61  { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version }
62 #else
63 #define OSSL_SSL_METHOD_ENTRY(name, version) \
64  { #name, (SSL_METHOD *(*)(void))name##_method, version }, \
65  { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
66  { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
67 #endif
68 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD)
69  OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
70 #endif
71 #if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD)
72  OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
73 #endif
74 #if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)
75  OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
76 #endif
77 #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) && defined(HAVE_TLSV1_1_METHOD)
78  OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
79 #endif
80 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) && defined(HAVE_TLSV1_2_METHOD)
81  OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
82 #endif
83  OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
84 #undef OSSL_SSL_METHOD_ENTRY
85 };
86 
90 
91 static void
92 ossl_sslctx_free(void *ptr)
93 {
94  SSL_CTX *ctx = ptr;
95 #if !defined(HAVE_X509_STORE_UP_REF)
96  if(ctx && SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_store_p)== (void*)1)
97  ctx->cert_store = NULL;
98 #endif
99  SSL_CTX_free(ctx);
100 }
101 
103  "OpenSSL/SSL/CTX",
104  {
105  0, ossl_sslctx_free,
106  },
108 };
109 
110 static VALUE
112 {
113  SSL_CTX *ctx;
114  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE |
115  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
116  VALUE obj;
117 
118 #ifdef SSL_MODE_RELEASE_BUFFERS
119  mode |= SSL_MODE_RELEASE_BUFFERS;
120 #endif
121 
122  obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
123  ctx = SSL_CTX_new(SSLv23_method());
124  if (!ctx) {
125  ossl_raise(eSSLError, "SSL_CTX_new");
126  }
127  SSL_CTX_set_mode(ctx, mode);
128  RTYPEDDATA_DATA(obj) = ctx;
129  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj);
130 
131 #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
132  /* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
133  * allows to specify multiple curve names and OpenSSL will select
134  * automatically from them. In OpenSSL 1.0.2, the automatic selection has to
135  * be enabled explicitly. But OpenSSL 1.1.0 removed the knob and it is
136  * always enabled. To uniform the behavior, we enable the automatic
137  * selection also in 1.0.2. Users can still disable ECDH by removing ECDH
138  * cipher suites by SSLContext#ciphers=. */
139  if (!SSL_CTX_set_ecdh_auto(ctx, 1))
140  ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
141 #endif
142 
143  return obj;
144 }
145 
146 /*
147  * call-seq:
148  * ctx.ssl_version = :TLSv1
149  * ctx.ssl_version = "SSLv23_client"
150  *
151  * Sets the SSL/TLS protocol version for the context. This forces connections to
152  * use only the specified protocol version.
153  *
154  * You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
155  */
156 static VALUE
158 {
159  SSL_CTX *ctx;
160  const char *s;
161  VALUE m = ssl_method;
162  int i;
163 
164  GetSSLCTX(self, ctx);
165  if (RB_TYPE_P(ssl_method, T_SYMBOL))
166  m = rb_sym2str(ssl_method);
167  s = StringValueCStr(m);
168  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
169  if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
170 #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
171  int version = ossl_ssl_method_tab[i].version;
172 #endif
173  SSL_METHOD *method = ossl_ssl_method_tab[i].func();
174 
175  if (SSL_CTX_set_ssl_version(ctx, method) != 1)
176  ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
177 
178 #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
179  if (!SSL_CTX_set_min_proto_version(ctx, version))
180  ossl_raise(eSSLError, "SSL_CTX_set_min_proto_version");
181  if (!SSL_CTX_set_max_proto_version(ctx, version))
182  ossl_raise(eSSLError, "SSL_CTX_set_max_proto_version");
183 #endif
184  return ssl_method;
185  }
186  }
187 
188  ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
189 }
190 
191 static VALUE
193 {
194  VALUE ctx_obj, cb, ary, cert, key;
195 
196  ctx_obj = rb_attr_get(obj, id_i_context);
197  cb = rb_attr_get(ctx_obj, id_i_client_cert_cb);
198  if (NIL_P(cb))
199  return Qnil;
200 
201  ary = rb_funcall(cb, rb_intern("call"), 1, obj);
202  Check_Type(ary, T_ARRAY);
203  GetX509CertPtr(cert = rb_ary_entry(ary, 0));
204  GetPrivPKeyPtr(key = rb_ary_entry(ary, 1));
205 
206  return rb_ary_new3(2, cert, key);
207 }
208 
209 static int
210 ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
211 {
212  VALUE obj, ret;
213 
214  obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
216  if (NIL_P(ret))
217  return 0;
218 
219  *x509 = DupX509CertPtr(RARRAY_AREF(ret, 0));
220  *pkey = DupPKeyPtr(RARRAY_AREF(ret, 1));
221 
222  return 1;
223 }
224 
225 #if !defined(OPENSSL_NO_DH) || \
226  !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
230  int type;
233 };
234 
235 static EVP_PKEY *
237 {
238  VALUE cb, dh;
239  EVP_PKEY *pkey;
240 
241  cb = rb_funcall(args->ssl_obj, args->id, 0);
242  if (NIL_P(cb))
243  return NULL;
244  dh = rb_funcall(cb, rb_intern("call"), 3,
245  args->ssl_obj, INT2NUM(args->is_export), INT2NUM(args->keylength));
246  pkey = GetPKeyPtr(dh);
247  if (EVP_PKEY_base_id(pkey) != args->type)
248  return NULL;
249 
250  return pkey;
251 }
252 #endif
253 
254 #if !defined(OPENSSL_NO_DH)
255 static DH *
256 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
257 {
258  VALUE rb_ssl;
259  EVP_PKEY *pkey;
260  struct tmp_dh_callback_args args;
261  int state;
262 
263  rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
264  args.ssl_obj = rb_ssl;
265  args.id = id_tmp_dh_callback;
266  args.is_export = is_export;
267  args.keylength = keylength;
268  args.type = EVP_PKEY_DH;
269 
270  pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
271  (VALUE)&args, &state);
272  if (state) {
273  rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
274  return NULL;
275  }
276  if (!pkey)
277  return NULL;
278 
279  return EVP_PKEY_get0_DH(pkey);
280 }
281 #endif /* OPENSSL_NO_DH */
282 
283 #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
284 static EC_KEY *
285 ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
286 {
287  VALUE rb_ssl;
288  EVP_PKEY *pkey;
289  struct tmp_dh_callback_args args;
290  int state;
291 
292  rb_ssl = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
293  args.ssl_obj = rb_ssl;
294  args.id = id_tmp_ecdh_callback;
295  args.is_export = is_export;
296  args.keylength = keylength;
297  args.type = EVP_PKEY_EC;
298 
299  pkey = (EVP_PKEY *)rb_protect((VALUE (*)(VALUE))ossl_call_tmp_dh_callback,
300  (VALUE)&args, &state);
301  if (state) {
302  rb_ivar_set(rb_ssl, ID_callback_state, INT2NUM(state));
303  return NULL;
304  }
305  if (!pkey)
306  return NULL;
307 
308  return EVP_PKEY_get0_EC_KEY(pkey);
309 }
310 #endif
311 
312 static VALUE
314 {
315  X509_STORE_CTX *ctx = (X509_STORE_CTX *)ctx_v;
316  SSL *ssl;
317  VALUE ssl_obj, hostname, cert_obj;
318 
319  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
320  ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
321  hostname = rb_attr_get(ssl_obj, id_i_hostname);
322 
323  if (!RTEST(hostname)) {
324  rb_warning("verify_hostname requires hostname to be set");
325  return Qtrue;
326  }
327 
328  cert_obj = ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
329  return rb_funcall(mSSL, rb_intern("verify_certificate_identity"), 2,
330  cert_obj, hostname);
331 }
332 
333 static int
334 ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
335 {
336  VALUE cb, ssl_obj, sslctx_obj, verify_hostname, ret;
337  SSL *ssl;
338  int status;
339 
340  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
341  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
342  ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
343  sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
344  verify_hostname = rb_attr_get(sslctx_obj, id_i_verify_hostname);
345 
346  if (preverify_ok && RTEST(verify_hostname) && !SSL_is_server(ssl) &&
347  !X509_STORE_CTX_get_error_depth(ctx)) {
348  ret = rb_protect(call_verify_certificate_identity, (VALUE)ctx, &status);
349  if (status) {
350  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
351  return 0;
352  }
353  preverify_ok = ret == Qtrue;
354  }
355 
356  return ossl_verify_cb_call(cb, preverify_ok, ctx);
357 }
358 
359 static VALUE
361 {
362  VALUE ssl_obj, cb;
363 
364  Check_Type(ary, T_ARRAY);
365  ssl_obj = rb_ary_entry(ary, 0);
366 
367  cb = rb_funcall(ssl_obj, rb_intern("session_get_cb"), 0);
368  if (NIL_P(cb)) return Qnil;
369 
370  return rb_funcall(cb, rb_intern("call"), 1, ary);
371 }
372 
373 /* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
374 static SSL_SESSION *
375 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
376 ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
377 #else
378 ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
379 #endif
380 {
381  VALUE ary, ssl_obj, ret_obj;
382  SSL_SESSION *sess;
383  void *ptr;
384  int state = 0;
385 
386  OSSL_Debug("SSL SESSION get callback entered");
387  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
388  return NULL;
389  ssl_obj = (VALUE)ptr;
390  ary = rb_ary_new2(2);
391  rb_ary_push(ary, ssl_obj);
392  rb_ary_push(ary, rb_str_new((const char *)buf, len));
393 
394  ret_obj = rb_protect(ossl_call_session_get_cb, ary, &state);
395  if (state) {
396  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
397  return NULL;
398  }
399  if (!rb_obj_is_instance_of(ret_obj, cSSLSession))
400  return NULL;
401 
402  SafeGetSSLSession(ret_obj, sess);
403  *copy = 1;
404 
405  return sess;
406 }
407 
408 static VALUE
410 {
411  VALUE ssl_obj, cb;
412 
413  Check_Type(ary, T_ARRAY);
414  ssl_obj = rb_ary_entry(ary, 0);
415 
416  cb = rb_funcall(ssl_obj, rb_intern("session_new_cb"), 0);
417  if (NIL_P(cb)) return Qnil;
418 
419  return rb_funcall(cb, rb_intern("call"), 1, ary);
420 }
421 
422 /* return 1 normal. return 0 removes the session */
423 static int
424 ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
425 {
426  VALUE ary, ssl_obj, sess_obj;
427  void *ptr;
428  int state = 0;
429 
430  OSSL_Debug("SSL SESSION new callback entered");
431 
432  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
433  return 1;
434  ssl_obj = (VALUE)ptr;
435  sess_obj = rb_obj_alloc(cSSLSession);
436  SSL_SESSION_up_ref(sess);
437  DATA_PTR(sess_obj) = sess;
438 
439  ary = rb_ary_new2(2);
440  rb_ary_push(ary, ssl_obj);
441  rb_ary_push(ary, sess_obj);
442 
443  rb_protect(ossl_call_session_new_cb, ary, &state);
444  if (state) {
445  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
446  }
447 
448  /*
449  * return 0 which means to OpenSSL that the session is still
450  * valid (since we created Ruby Session object) and was not freed by us
451  * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
452  * session_get_cb block if you don't want OpenSSL to cache the session
453  * internally.
454  */
455  return 0;
456 }
457 
458 static VALUE
460 {
461  VALUE sslctx_obj, cb;
462 
463  Check_Type(ary, T_ARRAY);
464  sslctx_obj = rb_ary_entry(ary, 0);
465 
466  cb = rb_attr_get(sslctx_obj, id_i_session_remove_cb);
467  if (NIL_P(cb)) return Qnil;
468 
469  return rb_funcall(cb, rb_intern("call"), 1, ary);
470 }
471 
472 static void
473 ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
474 {
475  VALUE ary, sslctx_obj, sess_obj;
476  void *ptr;
477  int state = 0;
478 
479  OSSL_Debug("SSL SESSION remove callback entered");
480 
481  if ((ptr = SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_ptr_idx)) == NULL)
482  return;
483  sslctx_obj = (VALUE)ptr;
484  sess_obj = rb_obj_alloc(cSSLSession);
485  SSL_SESSION_up_ref(sess);
486  DATA_PTR(sess_obj) = sess;
487 
488  ary = rb_ary_new2(2);
489  rb_ary_push(ary, sslctx_obj);
490  rb_ary_push(ary, sess_obj);
491 
493  if (state) {
494 /*
495  the SSL_CTX is frozen, nowhere to save state.
496  there is no common accessor method to check it either.
497  rb_ivar_set(sslctx_obj, ID_callback_state, INT2NUM(state));
498 */
499  }
500 }
501 
502 static VALUE
504 {
505  X509 *x509;
506  SSL_CTX *ctx;
507 
508  GetSSLCTX(arg, ctx);
509  x509 = DupX509CertPtr(i);
510  if(!SSL_CTX_add_extra_chain_cert(ctx, x509)){
512  }
513 
514  return i;
515 }
516 
517 static VALUE ossl_sslctx_setup(VALUE self);
518 
519 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
520 static VALUE
521 ossl_call_servername_cb(VALUE ary)
522 {
523  VALUE ssl_obj, sslctx_obj, cb, ret_obj;
524 
525  Check_Type(ary, T_ARRAY);
526  ssl_obj = rb_ary_entry(ary, 0);
527 
528  sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
529  cb = rb_attr_get(sslctx_obj, id_i_servername_cb);
530  if (NIL_P(cb)) return Qnil;
531 
532  ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
533  if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
534  SSL *ssl;
535  SSL_CTX *ctx2;
536 
537  ossl_sslctx_setup(ret_obj);
538  GetSSL(ssl_obj, ssl);
539  GetSSLCTX(ret_obj, ctx2);
540  SSL_set_SSL_CTX(ssl, ctx2);
541  rb_ivar_set(ssl_obj, id_i_context, ret_obj);
542  } else if (!NIL_P(ret_obj)) {
543  ossl_raise(rb_eArgError, "servername_cb must return an "
544  "OpenSSL::SSL::SSLContext object or nil");
545  }
546 
547  return ret_obj;
548 }
549 
550 static int
551 ssl_servername_cb(SSL *ssl, int *ad, void *arg)
552 {
553  VALUE ary, ssl_obj;
554  void *ptr;
555  int state = 0;
556  const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
557 
558  if (!servername)
559  return SSL_TLSEXT_ERR_OK;
560 
561  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
562  return SSL_TLSEXT_ERR_ALERT_FATAL;
563  ssl_obj = (VALUE)ptr;
564  ary = rb_ary_new2(2);
565  rb_ary_push(ary, ssl_obj);
566  rb_ary_push(ary, rb_str_new2(servername));
567 
568  rb_protect(ossl_call_servername_cb, ary, &state);
569  if (state) {
570  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
571  return SSL_TLSEXT_ERR_ALERT_FATAL;
572  }
573 
574  return SSL_TLSEXT_ERR_OK;
575 }
576 #endif
577 
578 static void
579 ssl_renegotiation_cb(const SSL *ssl)
580 {
581  VALUE ssl_obj, sslctx_obj, cb;
582  void *ptr;
583 
584  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
585  ossl_raise(eSSLError, "SSL object could not be retrieved");
586  ssl_obj = (VALUE)ptr;
587 
588  sslctx_obj = rb_attr_get(ssl_obj, id_i_context);
589  cb = rb_attr_get(sslctx_obj, id_i_renegotiation_cb);
590  if (NIL_P(cb)) return;
591 
592  (void) rb_funcall(cb, rb_intern("call"), 1, ssl_obj);
593 }
594 
595 #if defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) || \
596  defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
597 static VALUE
598 ssl_npn_encode_protocol_i(VALUE cur, VALUE encoded)
599 {
600  int len = RSTRING_LENINT(cur);
601  char len_byte;
602  if (len < 1 || len > 255)
603  ossl_raise(eSSLError, "Advertised protocol must have length 1..255");
604  /* Encode the length byte */
605  len_byte = len;
606  rb_str_buf_cat(encoded, &len_byte, 1);
607  rb_str_buf_cat(encoded, RSTRING_PTR(cur), len);
608  return Qnil;
609 }
610 
611 static VALUE
612 ssl_encode_npn_protocols(VALUE protocols)
613 {
614  VALUE encoded = rb_str_new(NULL, 0);
615  rb_iterate(rb_each, protocols, ssl_npn_encode_protocol_i, encoded);
616  return encoded;
617 }
618 
619 struct npn_select_cb_common_args {
620  VALUE cb;
621  const unsigned char *in;
622  unsigned inlen;
623 };
624 
625 static VALUE
626 npn_select_cb_common_i(VALUE tmp)
627 {
628  struct npn_select_cb_common_args *args = (void *)tmp;
629  const unsigned char *in = args->in, *in_end = in + args->inlen;
630  unsigned char l;
631  long len;
632  VALUE selected, protocols = rb_ary_new();
633 
634  /* assume OpenSSL verifies this format */
635  /* The format is len_1|proto_1|...|len_n|proto_n */
636  while (in < in_end) {
637  l = *in++;
638  rb_ary_push(protocols, rb_str_new((const char *)in, l));
639  in += l;
640  }
641 
642  selected = rb_funcall(args->cb, rb_intern("call"), 1, protocols);
643  StringValue(selected);
644  len = RSTRING_LEN(selected);
645  if (len < 1 || len >= 256) {
646  ossl_raise(eSSLError, "Selected protocol name must have length 1..255");
647  }
648 
649  return selected;
650 }
651 
652 static int
653 ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
654  unsigned char *outlen, const unsigned char *in,
655  unsigned int inlen)
656 {
657  VALUE selected;
658  int status;
659  struct npn_select_cb_common_args args;
660 
661  args.cb = cb;
662  args.in = in;
663  args.inlen = inlen;
664 
665  selected = rb_protect(npn_select_cb_common_i, (VALUE)&args, &status);
666  if (status) {
667  VALUE ssl_obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
668 
669  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(status));
670  return SSL_TLSEXT_ERR_ALERT_FATAL;
671  }
672 
673  *out = (unsigned char *)RSTRING_PTR(selected);
674  *outlen = (unsigned char)RSTRING_LEN(selected);
675 
676  return SSL_TLSEXT_ERR_OK;
677 }
678 #endif
679 
680 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
681 static int
682 ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
683  void *arg)
684 {
685  VALUE protocols = (VALUE)arg;
686 
687  *out = (const unsigned char *) RSTRING_PTR(protocols);
688  *outlen = RSTRING_LENINT(protocols);
689 
690  return SSL_TLSEXT_ERR_OK;
691 }
692 
693 static int
694 ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
695  const unsigned char *in, unsigned int inlen, void *arg)
696 {
697  VALUE sslctx_obj, cb;
698 
699  sslctx_obj = (VALUE) arg;
700  cb = rb_attr_get(sslctx_obj, id_i_npn_select_cb);
701 
702  return ssl_npn_select_cb_common(ssl, cb, (const unsigned char **)out,
703  outlen, in, inlen);
704 }
705 #endif
706 
707 #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
708 static int
709 ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
710  const unsigned char *in, unsigned int inlen, void *arg)
711 {
712  VALUE sslctx_obj, cb;
713 
714  sslctx_obj = (VALUE) arg;
715  cb = rb_attr_get(sslctx_obj, id_i_alpn_select_cb);
716 
717  return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
718 }
719 #endif
720 
721 /* This function may serve as the entry point to support further callbacks. */
722 static void
723 ssl_info_cb(const SSL *ssl, int where, int val)
724 {
725  int is_server = SSL_is_server((SSL *)ssl);
726 
727  if (is_server && where & SSL_CB_HANDSHAKE_START) {
729  }
730 }
731 
732 /*
733  * Gets various OpenSSL options.
734  */
735 static VALUE
737 {
738  SSL_CTX *ctx;
739  GetSSLCTX(self, ctx);
740  return LONG2NUM(SSL_CTX_get_options(ctx));
741 }
742 
743 /*
744  * Sets various OpenSSL options.
745  */
746 static VALUE
748 {
749  SSL_CTX *ctx;
750 
751  rb_check_frozen(self);
752  GetSSLCTX(self, ctx);
753 
754  SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
755 
756  if (NIL_P(options)) {
757  SSL_CTX_set_options(ctx, SSL_OP_ALL);
758  } else {
759  SSL_CTX_set_options(ctx, NUM2LONG(options));
760  }
761 
762  return self;
763 }
764 
765 /*
766  * call-seq:
767  * ctx.setup => Qtrue # first time
768  * ctx.setup => nil # thereafter
769  *
770  * This method is called automatically when a new SSLSocket is created.
771  * However, it is not thread-safe and must be called before creating
772  * SSLSocket objects in a multi-threaded program.
773  */
774 static VALUE
776 {
777  SSL_CTX *ctx;
778  X509 *cert = NULL, *client_ca = NULL;
779  EVP_PKEY *key = NULL;
780  char *ca_path = NULL, *ca_file = NULL;
781  int verify_mode;
782  long i;
783  VALUE val;
784 
785  if(OBJ_FROZEN(self)) return Qnil;
786  GetSSLCTX(self, ctx);
787 
788 #if !defined(OPENSSL_NO_DH)
789  SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
790 #endif
791 
792 #if !defined(OPENSSL_NO_EC)
793  /* We added SSLContext#tmp_ecdh_callback= in Ruby 2.3.0,
794  * but SSL_CTX_set_tmp_ecdh_callback() was removed in OpenSSL 1.1.0. */
796 # if defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
797  rb_warn("#tmp_ecdh_callback= is deprecated; use #ecdh_curves= instead");
798  SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
799 # if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
800  /* tmp_ecdh_callback and ecdh_auto conflict; OpenSSL ignores
801  * tmp_ecdh_callback. So disable ecdh_auto. */
802  if (!SSL_CTX_set_ecdh_auto(ctx, 0))
803  ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
804 # endif
805 # else
806  ossl_raise(eSSLError, "OpenSSL does not support tmp_ecdh_callback; "
807  "use #ecdh_curves= instead");
808 # endif
809  }
810 #endif /* OPENSSL_NO_EC */
811 
812  val = rb_attr_get(self, id_i_cert_store);
813  if (!NIL_P(val)) {
814  X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
815  SSL_CTX_set_cert_store(ctx, store);
816 #if !defined(HAVE_X509_STORE_UP_REF)
817  /*
818  * WORKAROUND:
819  * X509_STORE can count references, but
820  * X509_STORE_free() doesn't care it.
821  * So we won't increment it but mark it by ex_data.
822  */
823  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void *)1);
824 #else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
825  X509_STORE_up_ref(store);
826 #endif
827  }
828 
829  val = rb_attr_get(self, id_i_extra_chain_cert);
830  if(!NIL_P(val)){
832  }
833 
834  /* private key may be bundled in certificate file. */
835  val = rb_attr_get(self, id_i_cert);
836  cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
837  val = rb_attr_get(self, id_i_key);
838  key = NIL_P(val) ? NULL : GetPrivPKeyPtr(val); /* NO DUP NEEDED */
839  if (cert && key) {
840  if (!SSL_CTX_use_certificate(ctx, cert)) {
841  /* Adds a ref => Safe to FREE */
842  ossl_raise(eSSLError, "SSL_CTX_use_certificate");
843  }
844  if (!SSL_CTX_use_PrivateKey(ctx, key)) {
845  /* Adds a ref => Safe to FREE */
846  ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
847  }
848  if (!SSL_CTX_check_private_key(ctx)) {
849  ossl_raise(eSSLError, "SSL_CTX_check_private_key");
850  }
851  }
852 
853  val = rb_attr_get(self, id_i_client_ca);
854  if(!NIL_P(val)){
855  if (RB_TYPE_P(val, T_ARRAY)) {
856  for(i = 0; i < RARRAY_LEN(val); i++){
857  client_ca = GetX509CertPtr(RARRAY_AREF(val, i));
858  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
859  /* Copies X509_NAME => FREE it. */
860  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
861  }
862  }
863  }
864  else{
865  client_ca = GetX509CertPtr(val); /* NO DUP NEEDED. */
866  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
867  /* Copies X509_NAME => FREE it. */
868  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
869  }
870  }
871  }
872 
873  val = rb_attr_get(self, id_i_ca_file);
874  ca_file = NIL_P(val) ? NULL : StringValueCStr(val);
875  val = rb_attr_get(self, id_i_ca_path);
876  ca_path = NIL_P(val) ? NULL : StringValueCStr(val);
877  if(ca_file || ca_path){
878  if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
879  rb_warning("can't set verify locations");
880  }
881 
882  val = rb_attr_get(self, id_i_verify_mode);
883  verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
884  SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
886  SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
887 
888  val = rb_attr_get(self, id_i_timeout);
889  if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
890 
891  val = rb_attr_get(self, id_i_verify_depth);
892  if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
893 
894 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
895  val = rb_attr_get(self, id_i_npn_protocols);
896  if (!NIL_P(val)) {
897  VALUE encoded = ssl_encode_npn_protocols(val);
898  rb_ivar_set(self, id_npn_protocols_encoded, encoded);
899  SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_npn_advertise_cb, (void *)encoded);
900  OSSL_Debug("SSL NPN advertise callback added");
901  }
902  if (RTEST(rb_attr_get(self, id_i_npn_select_cb))) {
903  SSL_CTX_set_next_proto_select_cb(ctx, ssl_npn_select_cb, (void *) self);
904  OSSL_Debug("SSL NPN select callback added");
905  }
906 #endif
907 
908 #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
909  val = rb_attr_get(self, id_i_alpn_protocols);
910  if (!NIL_P(val)) {
911  VALUE rprotos = ssl_encode_npn_protocols(val);
912 
913  /* returns 0 on success */
914  if (SSL_CTX_set_alpn_protos(ctx, (unsigned char *)RSTRING_PTR(rprotos),
915  RSTRING_LENINT(rprotos)))
916  ossl_raise(eSSLError, "SSL_CTX_set_alpn_protos");
917  OSSL_Debug("SSL ALPN values added");
918  }
919  if (RTEST(rb_attr_get(self, id_i_alpn_select_cb))) {
920  SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
921  OSSL_Debug("SSL ALPN select callback added");
922  }
923 #endif
924 
925  rb_obj_freeze(self);
926 
928  if (!NIL_P(val)){
929  StringValue(val);
930  if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
931  RSTRING_LENINT(val))){
932  ossl_raise(eSSLError, "SSL_CTX_set_session_id_context");
933  }
934  }
935 
936  if (RTEST(rb_attr_get(self, id_i_session_get_cb))) {
937  SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
938  OSSL_Debug("SSL SESSION get callback added");
939  }
940  if (RTEST(rb_attr_get(self, id_i_session_new_cb))) {
941  SSL_CTX_sess_set_new_cb(ctx, ossl_sslctx_session_new_cb);
942  OSSL_Debug("SSL SESSION new callback added");
943  }
945  SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
946  OSSL_Debug("SSL SESSION remove callback added");
947  }
948 
949 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
950  val = rb_attr_get(self, id_i_servername_cb);
951  if (!NIL_P(val)) {
952  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
953  OSSL_Debug("SSL TLSEXT servername callback added");
954  }
955 #endif
956 
957  return Qtrue;
958 }
959 
960 static VALUE
961 ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
962 {
963  VALUE ary;
964  int bits, alg_bits;
965 
966  ary = rb_ary_new2(4);
967  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
968  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
969  bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
970  rb_ary_push(ary, INT2NUM(bits));
971  rb_ary_push(ary, INT2NUM(alg_bits));
972 
973  return ary;
974 }
975 
976 /*
977  * call-seq:
978  * ctx.ciphers => [[name, version, bits, alg_bits], ...]
979  *
980  * The list of cipher suites configured for this context.
981  */
982 static VALUE
984 {
985  SSL_CTX *ctx;
986  STACK_OF(SSL_CIPHER) *ciphers;
987  const SSL_CIPHER *cipher;
988  VALUE ary;
989  int i, num;
990 
991  GetSSLCTX(self, ctx);
992  if(!ctx){
993  rb_warning("SSL_CTX is not initialized.");
994  return Qnil;
995  }
996  ciphers = SSL_CTX_get_ciphers(ctx);
997 
998  if (!ciphers)
999  return rb_ary_new();
1000 
1001  num = sk_SSL_CIPHER_num(ciphers);
1002  ary = rb_ary_new2(num);
1003  for(i = 0; i < num; i++){
1004  cipher = sk_SSL_CIPHER_value(ciphers, i);
1005  rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
1006  }
1007  return ary;
1008 }
1009 
1010 /*
1011  * call-seq:
1012  * ctx.ciphers = "cipher1:cipher2:..."
1013  * ctx.ciphers = [name, ...]
1014  * ctx.ciphers = [[name, version, bits, alg_bits], ...]
1015  *
1016  * Sets the list of available cipher suites for this context. Note in a server
1017  * context some ciphers require the appropriate certificates. For example, an
1018  * RSA cipher suite can only be chosen when an RSA certificate is available.
1019  */
1020 static VALUE
1022 {
1023  SSL_CTX *ctx;
1024  VALUE str, elem;
1025  int i;
1026 
1027  rb_check_frozen(self);
1028  if (NIL_P(v))
1029  return v;
1030  else if (RB_TYPE_P(v, T_ARRAY)) {
1031  str = rb_str_new(0, 0);
1032  for (i = 0; i < RARRAY_LEN(v); i++) {
1033  elem = rb_ary_entry(v, i);
1034  if (RB_TYPE_P(elem, T_ARRAY)) elem = rb_ary_entry(elem, 0);
1035  elem = rb_String(elem);
1036  rb_str_append(str, elem);
1037  if (i < RARRAY_LEN(v)-1) rb_str_cat2(str, ":");
1038  }
1039  } else {
1040  str = v;
1041  StringValue(str);
1042  }
1043 
1044  GetSSLCTX(self, ctx);
1045  if(!ctx){
1046  ossl_raise(eSSLError, "SSL_CTX is not initialized.");
1047  return Qnil;
1048  }
1049  if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str))) {
1050  ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
1051  }
1052 
1053  return v;
1054 }
1055 
1056 #if !defined(OPENSSL_NO_EC)
1057 /*
1058  * call-seq:
1059  * ctx.ecdh_curves = curve_list -> curve_list
1060  *
1061  * Sets the list of "supported elliptic curves" for this context.
1062  *
1063  * For a TLS client, the list is directly used in the Supported Elliptic Curves
1064  * Extension. For a server, the list is used by OpenSSL to determine the set of
1065  * shared curves. OpenSSL will pick the most appropriate one from it.
1066  *
1067  * Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
1068  * can be set, and this has no effect for TLS clients.
1069  *
1070  * === Example
1071  * ctx1 = OpenSSL::SSL::SSLContext.new
1072  * ctx1.ecdh_curves = "X25519:P-256:P-224"
1073  * svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx1)
1074  * Thread.new { svr.accept }
1075  *
1076  * ctx2 = OpenSSL::SSL::SSLContext.new
1077  * ctx2.ecdh_curves = "P-256"
1078  * cli = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx2)
1079  * cli.connect
1080  *
1081  * p cli.tmp_key.group.curve_name
1082  * # => "prime256v1" (is an alias for NIST P-256)
1083  */
1084 static VALUE
1086 {
1087  SSL_CTX *ctx;
1088 
1089  rb_check_frozen(self);
1090  GetSSLCTX(self, ctx);
1091  StringValueCStr(arg);
1092 
1093 #if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
1094  if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
1096 #else
1097  /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
1098  * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
1099  {
1100  VALUE curve, splitted;
1101  EC_KEY *ec;
1102  int nid;
1103 
1104  splitted = rb_str_split(arg, ":");
1105  if (!RARRAY_LEN(splitted))
1106  ossl_raise(eSSLError, "invalid input format");
1107  curve = RARRAY_AREF(splitted, 0);
1108  StringValueCStr(curve);
1109 
1110  /* SSL_CTX_set1_curves_list() accepts NIST names */
1111  nid = EC_curve_nist2nid(RSTRING_PTR(curve));
1112  if (nid == NID_undef)
1113  nid = OBJ_txt2nid(RSTRING_PTR(curve));
1114  if (nid == NID_undef)
1115  ossl_raise(eSSLError, "unknown curve name");
1116 
1117  ec = EC_KEY_new_by_curve_name(nid);
1118  if (!ec)
1120  EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
1121  if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
1122  EC_KEY_free(ec);
1123  ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
1124  }
1125  EC_KEY_free(ec);
1126 # if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
1127  /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
1128  * is enabled. So disable ecdh_auto. */
1129  if (!SSL_CTX_set_ecdh_auto(ctx, 0))
1130  ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
1131 # endif
1132  }
1133 #endif
1134 
1135  return arg;
1136 }
1137 #else
1138 #define ossl_sslctx_set_ecdh_curves rb_f_notimplement
1139 #endif
1140 
1141 /*
1142  * call-seq:
1143  * ctx.security_level -> Integer
1144  *
1145  * Returns the security level for the context.
1146  *
1147  * See also OpenSSL::SSL::SSLContext#security_level=.
1148  */
1149 static VALUE
1151 {
1152  SSL_CTX *ctx;
1153 
1154  GetSSLCTX(self, ctx);
1155 
1156 #if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
1157  return INT2NUM(SSL_CTX_get_security_level(ctx));
1158 #else
1159  (void)ctx;
1160  return INT2FIX(0);
1161 #endif
1162 }
1163 
1164 /*
1165  * call-seq:
1166  * ctx.security_level = integer
1167  *
1168  * Sets the security level for the context. OpenSSL limits parameters according
1169  * to the level. The "parameters" include: ciphersuites, curves, key sizes,
1170  * certificate signature algorithms, protocol version and so on. For example,
1171  * level 1 rejects parameters offering below 80 bits of security, such as
1172  * ciphersuites using MD5 for the MAC or RSA keys shorter than 1024 bits.
1173  *
1174  * Note that attempts to set such parameters with insufficient security are
1175  * also blocked. You need to lower the level first.
1176  *
1177  * This feature is not supported in OpenSSL < 1.1.0, and setting the level to
1178  * other than 0 will raise NotImplementedError. Level 0 means everything is
1179  * permitted, the same behavior as previous versions of OpenSSL.
1180  *
1181  * See the manpage of SSL_CTX_set_security_level(3) for details.
1182  */
1183 static VALUE
1185 {
1186  SSL_CTX *ctx;
1187 
1188  rb_check_frozen(self);
1189  GetSSLCTX(self, ctx);
1190 
1191 #if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
1192  SSL_CTX_set_security_level(ctx, NUM2INT(value));
1193 #else
1194  (void)ctx;
1195  if (NUM2INT(value) != 0)
1196  ossl_raise(rb_eNotImpError, "setting security level to other than 0 is "
1197  "not supported in this version of OpenSSL");
1198 #endif
1199 
1200  return value;
1201 }
1202 
1203 /*
1204  * call-seq:
1205  * ctx.session_add(session) -> true | false
1206  *
1207  * Adds +session+ to the session cache.
1208  */
1209 static VALUE
1211 {
1212  SSL_CTX *ctx;
1213  SSL_SESSION *sess;
1214 
1215  GetSSLCTX(self, ctx);
1216  SafeGetSSLSession(arg, sess);
1217 
1218  return SSL_CTX_add_session(ctx, sess) == 1 ? Qtrue : Qfalse;
1219 }
1220 
1221 /*
1222  * call-seq:
1223  * ctx.session_remove(session) -> true | false
1224  *
1225  * Removes +session+ from the session cache.
1226  */
1227 static VALUE
1229 {
1230  SSL_CTX *ctx;
1231  SSL_SESSION *sess;
1232 
1233  GetSSLCTX(self, ctx);
1234  SafeGetSSLSession(arg, sess);
1235 
1236  return SSL_CTX_remove_session(ctx, sess) == 1 ? Qtrue : Qfalse;
1237 }
1238 
1239 /*
1240  * call-seq:
1241  * ctx.session_cache_mode -> Integer
1242  *
1243  * The current session cache mode.
1244  */
1245 static VALUE
1247 {
1248  SSL_CTX *ctx;
1249 
1250  GetSSLCTX(self, ctx);
1251 
1252  return LONG2NUM(SSL_CTX_get_session_cache_mode(ctx));
1253 }
1254 
1255 /*
1256  * call-seq:
1257  * ctx.session_cache_mode=(integer) -> Integer
1258  *
1259  * Sets the SSL session cache mode. Bitwise-or together the desired
1260  * SESSION_CACHE_* constants to set. See SSL_CTX_set_session_cache_mode(3) for
1261  * details.
1262  */
1263 static VALUE
1265 {
1266  SSL_CTX *ctx;
1267 
1268  GetSSLCTX(self, ctx);
1269 
1270  SSL_CTX_set_session_cache_mode(ctx, NUM2LONG(arg));
1271 
1272  return arg;
1273 }
1274 
1275 /*
1276  * call-seq:
1277  * ctx.session_cache_size -> Integer
1278  *
1279  * Returns the current session cache size. Zero is used to represent an
1280  * unlimited cache size.
1281  */
1282 static VALUE
1284 {
1285  SSL_CTX *ctx;
1286 
1287  GetSSLCTX(self, ctx);
1288 
1289  return LONG2NUM(SSL_CTX_sess_get_cache_size(ctx));
1290 }
1291 
1292 /*
1293  * call-seq:
1294  * ctx.session_cache_size=(integer) -> Integer
1295  *
1296  * Sets the session cache size. Returns the previously valid session cache
1297  * size. Zero is used to represent an unlimited session cache size.
1298  */
1299 static VALUE
1301 {
1302  SSL_CTX *ctx;
1303 
1304  GetSSLCTX(self, ctx);
1305 
1306  SSL_CTX_sess_set_cache_size(ctx, NUM2LONG(arg));
1307 
1308  return arg;
1309 }
1310 
1311 /*
1312  * call-seq:
1313  * ctx.session_cache_stats -> Hash
1314  *
1315  * Returns a Hash containing the following keys:
1316  *
1317  * :accept:: Number of started SSL/TLS handshakes in server mode
1318  * :accept_good:: Number of established SSL/TLS sessions in server mode
1319  * :accept_renegotiate:: Number of start renegotiations in server mode
1320  * :cache_full:: Number of sessions that were removed due to cache overflow
1321  * :cache_hits:: Number of successfully reused connections
1322  * :cache_misses:: Number of sessions proposed by clients that were not found
1323  * in the cache
1324  * :cache_num:: Number of sessions in the internal session cache
1325  * :cb_hits:: Number of sessions retrieved from the external cache in server
1326  * mode
1327  * :connect:: Number of started SSL/TLS handshakes in client mode
1328  * :connect_good:: Number of established SSL/TLS sessions in client mode
1329  * :connect_renegotiate:: Number of start renegotiations in client mode
1330  * :timeouts:: Number of sessions proposed by clients that were found in the
1331  * cache but had expired due to timeouts
1332  */
1333 static VALUE
1335 {
1336  SSL_CTX *ctx;
1337  VALUE hash;
1338 
1339  GetSSLCTX(self, ctx);
1340 
1341  hash = rb_hash_new();
1342  rb_hash_aset(hash, ID2SYM(rb_intern("cache_num")), LONG2NUM(SSL_CTX_sess_number(ctx)));
1343  rb_hash_aset(hash, ID2SYM(rb_intern("connect")), LONG2NUM(SSL_CTX_sess_connect(ctx)));
1344  rb_hash_aset(hash, ID2SYM(rb_intern("connect_good")), LONG2NUM(SSL_CTX_sess_connect_good(ctx)));
1345  rb_hash_aset(hash, ID2SYM(rb_intern("connect_renegotiate")), LONG2NUM(SSL_CTX_sess_connect_renegotiate(ctx)));
1346  rb_hash_aset(hash, ID2SYM(rb_intern("accept")), LONG2NUM(SSL_CTX_sess_accept(ctx)));
1347  rb_hash_aset(hash, ID2SYM(rb_intern("accept_good")), LONG2NUM(SSL_CTX_sess_accept_good(ctx)));
1348  rb_hash_aset(hash, ID2SYM(rb_intern("accept_renegotiate")), LONG2NUM(SSL_CTX_sess_accept_renegotiate(ctx)));
1349  rb_hash_aset(hash, ID2SYM(rb_intern("cache_hits")), LONG2NUM(SSL_CTX_sess_hits(ctx)));
1350  rb_hash_aset(hash, ID2SYM(rb_intern("cb_hits")), LONG2NUM(SSL_CTX_sess_cb_hits(ctx)));
1351  rb_hash_aset(hash, ID2SYM(rb_intern("cache_misses")), LONG2NUM(SSL_CTX_sess_misses(ctx)));
1352  rb_hash_aset(hash, ID2SYM(rb_intern("cache_full")), LONG2NUM(SSL_CTX_sess_cache_full(ctx)));
1353  rb_hash_aset(hash, ID2SYM(rb_intern("timeouts")), LONG2NUM(SSL_CTX_sess_timeouts(ctx)));
1354 
1355  return hash;
1356 }
1357 
1358 
1359 /*
1360  * call-seq:
1361  * ctx.flush_sessions(time | nil) -> self
1362  *
1363  * Removes sessions in the internal cache that have expired at +time+.
1364  */
1365 static VALUE
1367 {
1368  VALUE arg1;
1369  SSL_CTX *ctx;
1370  time_t tm = 0;
1371 
1372  rb_scan_args(argc, argv, "01", &arg1);
1373 
1374  GetSSLCTX(self, ctx);
1375 
1376  if (NIL_P(arg1)) {
1377  tm = time(0);
1378  } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
1379  tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
1380  } else {
1381  ossl_raise(rb_eArgError, "arg must be Time or nil");
1382  }
1383 
1384  SSL_CTX_flush_sessions(ctx, (long)tm);
1385 
1386  return self;
1387 }
1388 
1389 /*
1390  * SSLSocket class
1391  */
1392 #ifndef OPENSSL_NO_SOCK
1393 static inline int
1394 ssl_started(SSL *ssl)
1395 {
1396  /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
1397  return SSL_get_fd(ssl) >= 0;
1398 }
1399 
1400 static void
1401 ossl_ssl_free(void *ssl)
1402 {
1403  SSL_free(ssl);
1404 }
1405 
1407  "OpenSSL/SSL",
1408  {
1409  0, ossl_ssl_free,
1410  },
1412 };
1413 
1414 static VALUE
1416 {
1417  return TypedData_Wrap_Struct(klass, &ossl_ssl_type, NULL);
1418 }
1419 
1420 /*
1421  * call-seq:
1422  * SSLSocket.new(io) => aSSLSocket
1423  * SSLSocket.new(io, ctx) => aSSLSocket
1424  *
1425  * Creates a new SSL socket from +io+ which must be a real IO object (not an
1426  * IO-like object that responds to read/write).
1427  *
1428  * If +ctx+ is provided the SSL Sockets initial params will be taken from
1429  * the context.
1430  *
1431  * The OpenSSL::Buffering module provides additional IO methods.
1432  *
1433  * This method will freeze the SSLContext if one is provided;
1434  * however, session management is still allowed in the frozen SSLContext.
1435  */
1436 static VALUE
1438 {
1439  VALUE io, v_ctx, verify_cb;
1440  SSL *ssl;
1441  SSL_CTX *ctx;
1442 
1443  TypedData_Get_Struct(self, SSL, &ossl_ssl_type, ssl);
1444  if (ssl)
1445  ossl_raise(eSSLError, "SSL already initialized");
1446 
1447  if (rb_scan_args(argc, argv, "11", &io, &v_ctx) == 1)
1448  v_ctx = rb_funcall(cSSLContext, rb_intern("new"), 0);
1449 
1450  GetSSLCTX(v_ctx, ctx);
1451  rb_ivar_set(self, id_i_context, v_ctx);
1452  ossl_sslctx_setup(v_ctx);
1453 
1454  if (rb_respond_to(io, rb_intern("nonblock=")))
1455  rb_funcall(io, rb_intern("nonblock="), 1, Qtrue);
1456  rb_ivar_set(self, id_i_io, io);
1457 
1458  ssl = SSL_new(ctx);
1459  if (!ssl)
1461  RTYPEDDATA_DATA(self) = ssl;
1462 
1463  SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void *)self);
1464  SSL_set_info_callback(ssl, ssl_info_cb);
1465  verify_cb = rb_attr_get(v_ctx, id_i_verify_callback);
1466  SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void *)verify_cb);
1467 
1468  rb_call_super(0, NULL);
1469 
1470  return self;
1471 }
1472 
1473 static VALUE
1475 {
1476  VALUE io;
1477  SSL *ssl;
1478  rb_io_t *fptr;
1479 
1480  GetSSL(self, ssl);
1481  if (ssl_started(ssl))
1482  return Qtrue;
1483 
1484  io = rb_attr_get(self, id_i_io);
1485  GetOpenFile(io, fptr);
1486  rb_io_check_readable(fptr);
1487  rb_io_check_writable(fptr);
1488  if (!SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr))))
1489  ossl_raise(eSSLError, "SSL_set_fd");
1490 
1491  return Qtrue;
1492 }
1493 
1494 #ifdef _WIN32
1495 #define ssl_get_error(ssl, ret) (errno = rb_w32_map_errno(WSAGetLastError()), SSL_get_error((ssl), (ret)))
1496 #else
1497 #define ssl_get_error(ssl, ret) SSL_get_error((ssl), (ret))
1498 #endif
1499 
1500 static void
1501 write_would_block(int nonblock)
1502 {
1503  if (nonblock)
1504  ossl_raise(eSSLErrorWaitWritable, "write would block");
1505 }
1506 
1507 static void
1508 read_would_block(int nonblock)
1509 {
1510  if (nonblock)
1511  ossl_raise(eSSLErrorWaitReadable, "read would block");
1512 }
1513 
1514 static int
1516 {
1517  if (RB_TYPE_P(opts, T_HASH) &&
1519  return 1;
1520  return 0;
1521 }
1522 
1523 static VALUE
1524 ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
1525 {
1526  SSL *ssl;
1527  rb_io_t *fptr;
1528  int ret, ret2;
1529  VALUE cb_state;
1530  int nonblock = opts != Qfalse;
1531 
1533 
1534  GetSSL(self, ssl);
1535 
1536  GetOpenFile(rb_attr_get(self, id_i_io), fptr);
1537  for(;;){
1538  ret = func(ssl);
1539 
1540  cb_state = rb_attr_get(self, ID_callback_state);
1541  if (!NIL_P(cb_state)) {
1542  /* must cleanup OpenSSL error stack before re-raising */
1543  ossl_clear_error();
1544  rb_jump_tag(NUM2INT(cb_state));
1545  }
1546 
1547  if (ret > 0)
1548  break;
1549 
1550  switch((ret2 = ssl_get_error(ssl, ret))){
1551  case SSL_ERROR_WANT_WRITE:
1552  if (no_exception_p(opts)) { return sym_wait_writable; }
1553  write_would_block(nonblock);
1555  continue;
1556  case SSL_ERROR_WANT_READ:
1557  if (no_exception_p(opts)) { return sym_wait_readable; }
1558  read_would_block(nonblock);
1560  continue;
1561  case SSL_ERROR_SYSCALL:
1562  if (errno) rb_sys_fail(funcname);
1563  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1564  default:
1565  ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1566  }
1567  }
1568 
1569  return self;
1570 }
1571 
1572 /*
1573  * call-seq:
1574  * ssl.connect => self
1575  *
1576  * Initiates an SSL/TLS handshake with a server. The handshake may be started
1577  * after unencrypted data has been sent over the socket.
1578  */
1579 static VALUE
1581 {
1582  ossl_ssl_setup(self);
1583 
1584  return ossl_start_ssl(self, SSL_connect, "SSL_connect", Qfalse);
1585 }
1586 
1587 /*
1588  * call-seq:
1589  * ssl.connect_nonblock([options]) => self
1590  *
1591  * Initiates the SSL/TLS handshake as a client in non-blocking manner.
1592  *
1593  * # emulates blocking connect
1594  * begin
1595  * ssl.connect_nonblock
1596  * rescue IO::WaitReadable
1597  * IO.select([s2])
1598  * retry
1599  * rescue IO::WaitWritable
1600  * IO.select(nil, [s2])
1601  * retry
1602  * end
1603  *
1604  * By specifying a keyword argument _exception_ to +false+, you can indicate
1605  * that connect_nonblock should not raise an IO::WaitReadable or
1606  * IO::WaitWritable exception, but return the symbol +:wait_readable+ or
1607  * +:wait_writable+ instead.
1608  */
1609 static VALUE
1611 {
1612  VALUE opts;
1613  rb_scan_args(argc, argv, "0:", &opts);
1614 
1615  ossl_ssl_setup(self);
1616 
1617  return ossl_start_ssl(self, SSL_connect, "SSL_connect", opts);
1618 }
1619 
1620 /*
1621  * call-seq:
1622  * ssl.accept => self
1623  *
1624  * Waits for a SSL/TLS client to initiate a handshake. The handshake may be
1625  * started after unencrypted data has been sent over the socket.
1626  */
1627 static VALUE
1629 {
1630  ossl_ssl_setup(self);
1631 
1632  return ossl_start_ssl(self, SSL_accept, "SSL_accept", Qfalse);
1633 }
1634 
1635 /*
1636  * call-seq:
1637  * ssl.accept_nonblock([options]) => self
1638  *
1639  * Initiates the SSL/TLS handshake as a server in non-blocking manner.
1640  *
1641  * # emulates blocking accept
1642  * begin
1643  * ssl.accept_nonblock
1644  * rescue IO::WaitReadable
1645  * IO.select([s2])
1646  * retry
1647  * rescue IO::WaitWritable
1648  * IO.select(nil, [s2])
1649  * retry
1650  * end
1651  *
1652  * By specifying a keyword argument _exception_ to +false+, you can indicate
1653  * that accept_nonblock should not raise an IO::WaitReadable or
1654  * IO::WaitWritable exception, but return the symbol +:wait_readable+ or
1655  * +:wait_writable+ instead.
1656  */
1657 static VALUE
1659 {
1660  VALUE opts;
1661 
1662  rb_scan_args(argc, argv, "0:", &opts);
1663  ossl_ssl_setup(self);
1664 
1665  return ossl_start_ssl(self, SSL_accept, "SSL_accept", opts);
1666 }
1667 
1668 static VALUE
1669 ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1670 {
1671  SSL *ssl;
1672  int ilen, nread = 0;
1673  VALUE len, str;
1674  rb_io_t *fptr;
1675  VALUE io, opts = Qnil;
1676 
1677  if (nonblock) {
1678  rb_scan_args(argc, argv, "11:", &len, &str, &opts);
1679  } else {
1680  rb_scan_args(argc, argv, "11", &len, &str);
1681  }
1682 
1683  ilen = NUM2INT(len);
1684  if(NIL_P(str)) str = rb_str_new(0, ilen);
1685  else{
1686  StringValue(str);
1687  rb_str_modify(str);
1688  rb_str_resize(str, ilen);
1689  }
1690  if(ilen == 0) return str;
1691 
1692  GetSSL(self, ssl);
1693  io = rb_attr_get(self, id_i_io);
1694  GetOpenFile(io, fptr);
1695  if (ssl_started(ssl)) {
1696  if(!nonblock && SSL_pending(ssl) <= 0)
1698  for (;;){
1699  nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1700  switch(ssl_get_error(ssl, nread)){
1701  case SSL_ERROR_NONE:
1702  goto end;
1703  case SSL_ERROR_ZERO_RETURN:
1704  if (no_exception_p(opts)) { return Qnil; }
1705  rb_eof_error();
1706  case SSL_ERROR_WANT_WRITE:
1707  if (no_exception_p(opts)) { return sym_wait_writable; }
1708  write_would_block(nonblock);
1710  continue;
1711  case SSL_ERROR_WANT_READ:
1712  if (no_exception_p(opts)) { return sym_wait_readable; }
1713  read_would_block(nonblock);
1715  continue;
1716  case SSL_ERROR_SYSCALL:
1717  if (!ERR_peek_error()) {
1718  if (errno)
1719  rb_sys_fail(0);
1720  else {
1721  /*
1722  * The underlying BIO returned 0. This is actually a
1723  * protocol error. But unfortunately, not all
1724  * implementations cleanly shutdown the TLS connection
1725  * but just shutdown/close the TCP connection. So report
1726  * EOF for now...
1727  */
1728  if (no_exception_p(opts)) { return Qnil; }
1729  rb_eof_error();
1730  }
1731  }
1732  default:
1733  ossl_raise(eSSLError, "SSL_read");
1734  }
1735  }
1736  }
1737  else {
1738  ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1739 
1740  rb_warning("SSL session is not started yet.");
1741  if (nonblock)
1742  return rb_funcall(io, meth, 3, len, str, opts);
1743  else
1744  return rb_funcall(io, meth, 2, len, str);
1745  }
1746 
1747  end:
1748  rb_str_set_len(str, nread);
1749  OBJ_TAINT(str);
1750 
1751  return str;
1752 }
1753 
1754 /*
1755  * call-seq:
1756  * ssl.sysread(length) => string
1757  * ssl.sysread(length, buffer) => buffer
1758  *
1759  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1760  * is provided the data will be written into it.
1761  */
1762 static VALUE
1764 {
1765  return ossl_ssl_read_internal(argc, argv, self, 0);
1766 }
1767 
1768 /*
1769  * call-seq:
1770  * ssl.sysread_nonblock(length) => string
1771  * ssl.sysread_nonblock(length, buffer) => buffer
1772  * ssl.sysread_nonblock(length[, buffer [, opts]) => buffer
1773  *
1774  * A non-blocking version of #sysread. Raises an SSLError if reading would
1775  * block. If "exception: false" is passed, this method returns a symbol of
1776  * :wait_readable, :wait_writable, or nil, rather than raising an exception.
1777  *
1778  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1779  * is provided the data will be written into it.
1780  */
1781 static VALUE
1783 {
1784  return ossl_ssl_read_internal(argc, argv, self, 1);
1785 }
1786 
1787 static VALUE
1789 {
1790  SSL *ssl;
1791  int nwrite = 0;
1792  rb_io_t *fptr;
1793  int nonblock = opts != Qfalse;
1794  VALUE io;
1795 
1796  StringValue(str);
1797  GetSSL(self, ssl);
1798  io = rb_attr_get(self, id_i_io);
1799  GetOpenFile(io, fptr);
1800  if (ssl_started(ssl)) {
1801  for (;;){
1802  int num = RSTRING_LENINT(str);
1803 
1804  /* SSL_write(3ssl) manpage states num == 0 is undefined */
1805  if (num == 0)
1806  goto end;
1807 
1808  nwrite = SSL_write(ssl, RSTRING_PTR(str), num);
1809  switch(ssl_get_error(ssl, nwrite)){
1810  case SSL_ERROR_NONE:
1811  goto end;
1812  case SSL_ERROR_WANT_WRITE:
1813  if (no_exception_p(opts)) { return sym_wait_writable; }
1814  write_would_block(nonblock);
1816  continue;
1817  case SSL_ERROR_WANT_READ:
1818  if (no_exception_p(opts)) { return sym_wait_readable; }
1819  read_would_block(nonblock);
1821  continue;
1822  case SSL_ERROR_SYSCALL:
1823  if (errno) rb_sys_fail(0);
1824  default:
1825  ossl_raise(eSSLError, "SSL_write");
1826  }
1827  }
1828  }
1829  else {
1830  ID meth = nonblock ?
1831  rb_intern("write_nonblock") : rb_intern("syswrite");
1832 
1833  rb_warning("SSL session is not started yet.");
1834  if (nonblock)
1835  return rb_funcall(io, meth, 2, str, opts);
1836  else
1837  return rb_funcall(io, meth, 1, str);
1838  }
1839 
1840  end:
1841  return INT2NUM(nwrite);
1842 }
1843 
1844 /*
1845  * call-seq:
1846  * ssl.syswrite(string) => Integer
1847  *
1848  * Writes +string+ to the SSL connection.
1849  */
1850 static VALUE
1852 {
1853  return ossl_ssl_write_internal(self, str, Qfalse);
1854 }
1855 
1856 /*
1857  * call-seq:
1858  * ssl.syswrite_nonblock(string) => Integer
1859  *
1860  * Writes +string+ to the SSL connection in a non-blocking manner. Raises an
1861  * SSLError if writing would block.
1862  */
1863 static VALUE
1865 {
1866  VALUE str, opts;
1867 
1868  rb_scan_args(argc, argv, "1:", &str, &opts);
1869 
1870  return ossl_ssl_write_internal(self, str, opts);
1871 }
1872 
1873 /*
1874  * call-seq:
1875  * ssl.stop => nil
1876  *
1877  * Sends "close notify" to the peer and tries to shut down the SSL connection
1878  * gracefully.
1879  */
1880 static VALUE
1882 {
1883  SSL *ssl;
1884  int ret;
1885 
1886  GetSSL(self, ssl);
1887  if (!ssl_started(ssl))
1888  return Qnil;
1889  ret = SSL_shutdown(ssl);
1890  if (ret == 1) /* Have already received close_notify */
1891  return Qnil;
1892  if (ret == 0) /* Sent close_notify, but we don't wait for reply */
1893  return Qnil;
1894 
1895  /*
1896  * XXX: Something happened. Possibly it failed because the underlying socket
1897  * is not writable/readable, since it is in non-blocking mode. We should do
1898  * some proper error handling using SSL_get_error() and maybe retry, but we
1899  * can't block here. Give up for now.
1900  */
1901  ossl_clear_error();
1902  return Qnil;
1903 }
1904 
1905 /*
1906  * call-seq:
1907  * ssl.cert => cert or nil
1908  *
1909  * The X509 certificate for this socket endpoint.
1910  */
1911 static VALUE
1913 {
1914  SSL *ssl;
1915  X509 *cert = NULL;
1916 
1917  GetSSL(self, ssl);
1918 
1919  /*
1920  * Is this OpenSSL bug? Should add a ref?
1921  * TODO: Ask for.
1922  */
1923  cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
1924 
1925  if (!cert) {
1926  return Qnil;
1927  }
1928  return ossl_x509_new(cert);
1929 }
1930 
1931 /*
1932  * call-seq:
1933  * ssl.peer_cert => cert or nil
1934  *
1935  * The X509 certificate for this socket's peer.
1936  */
1937 static VALUE
1939 {
1940  SSL *ssl;
1941  X509 *cert = NULL;
1942  VALUE obj;
1943 
1944  GetSSL(self, ssl);
1945 
1946  cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
1947 
1948  if (!cert) {
1949  return Qnil;
1950  }
1951  obj = ossl_x509_new(cert);
1952  X509_free(cert);
1953 
1954  return obj;
1955 }
1956 
1957 /*
1958  * call-seq:
1959  * ssl.peer_cert_chain => [cert, ...] or nil
1960  *
1961  * The X509 certificate chain for this socket's peer.
1962  */
1963 static VALUE
1965 {
1966  SSL *ssl;
1967  STACK_OF(X509) *chain;
1968  X509 *cert;
1969  VALUE ary;
1970  int i, num;
1971 
1972  GetSSL(self, ssl);
1973 
1974  chain = SSL_get_peer_cert_chain(ssl);
1975  if(!chain) return Qnil;
1976  num = sk_X509_num(chain);
1977  ary = rb_ary_new2(num);
1978  for (i = 0; i < num; i++){
1979  cert = sk_X509_value(chain, i);
1980  rb_ary_push(ary, ossl_x509_new(cert));
1981  }
1982 
1983  return ary;
1984 }
1985 
1986 /*
1987 * call-seq:
1988 * ssl.ssl_version => String
1989 *
1990 * Returns a String representing the SSL/TLS version that was negotiated
1991 * for the connection, for example "TLSv1.2".
1992 */
1993 static VALUE
1995 {
1996  SSL *ssl;
1997 
1998  GetSSL(self, ssl);
1999 
2000  return rb_str_new2(SSL_get_version(ssl));
2001 }
2002 
2003 /*
2004 * call-seq:
2005 * ssl.cipher => [name, version, bits, alg_bits]
2006 *
2007 * The cipher being used for the current connection
2008 */
2009 static VALUE
2011 {
2012  SSL *ssl;
2013  SSL_CIPHER *cipher;
2014 
2015  GetSSL(self, ssl);
2016 
2017  cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
2018 
2019  return ossl_ssl_cipher_to_ary(cipher);
2020 }
2021 
2022 /*
2023  * call-seq:
2024  * ssl.state => string
2025  *
2026  * A description of the current connection state. This is for diagnostic
2027  * purposes only.
2028  */
2029 static VALUE
2031 {
2032  SSL *ssl;
2033  VALUE ret;
2034 
2035  GetSSL(self, ssl);
2036 
2037  ret = rb_str_new2(SSL_state_string(ssl));
2038  if (ruby_verbose) {
2039  rb_str_cat2(ret, ": ");
2040  rb_str_cat2(ret, SSL_state_string_long(ssl));
2041  }
2042  return ret;
2043 }
2044 
2045 /*
2046  * call-seq:
2047  * ssl.pending => Integer
2048  *
2049  * The number of bytes that are immediately available for reading.
2050  */
2051 static VALUE
2053 {
2054  SSL *ssl;
2055 
2056  GetSSL(self, ssl);
2057 
2058  return INT2NUM(SSL_pending(ssl));
2059 }
2060 
2061 /*
2062  * call-seq:
2063  * ssl.session_reused? -> true | false
2064  *
2065  * Returns true if a reused session was negotiated during the handshake.
2066  */
2067 static VALUE
2069 {
2070  SSL *ssl;
2071 
2072  GetSSL(self, ssl);
2073 
2074  return SSL_session_reused(ssl) ? Qtrue : Qfalse;
2075 }
2076 
2077 /*
2078  * call-seq:
2079  * ssl.session = session -> session
2080  *
2081  * Sets the Session to be used when the connection is established.
2082  */
2083 static VALUE
2085 {
2086  SSL *ssl;
2087  SSL_SESSION *sess;
2088 
2089  GetSSL(self, ssl);
2090  SafeGetSSLSession(arg1, sess);
2091 
2092  if (SSL_set_session(ssl, sess) != 1)
2093  ossl_raise(eSSLError, "SSL_set_session");
2094 
2095  return arg1;
2096 }
2097 
2098 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
2099 /*
2100  * call-seq:
2101  * ssl.hostname = hostname -> hostname
2102  *
2103  * Sets the server hostname used for SNI. This needs to be set before
2104  * SSLSocket#connect.
2105  */
2106 static VALUE
2107 ossl_ssl_set_hostname(VALUE self, VALUE arg)
2108 {
2109  SSL *ssl;
2110  char *hostname = NULL;
2111 
2112  GetSSL(self, ssl);
2113 
2114  if (!NIL_P(arg))
2115  hostname = StringValueCStr(arg);
2116 
2117  if (!SSL_set_tlsext_host_name(ssl, hostname))
2119 
2120  /* for SSLSocket#hostname */
2121  rb_ivar_set(self, id_i_hostname, arg);
2122 
2123  return arg;
2124 }
2125 #endif
2126 
2127 /*
2128  * call-seq:
2129  * ssl.verify_result => Integer
2130  *
2131  * Returns the result of the peer certificates verification. See verify(1)
2132  * for error values and descriptions.
2133  *
2134  * If no peer certificate was presented X509_V_OK is returned.
2135  */
2136 static VALUE
2138 {
2139  SSL *ssl;
2140 
2141  GetSSL(self, ssl);
2142 
2143  return INT2NUM(SSL_get_verify_result(ssl));
2144 }
2145 
2146 /*
2147  * call-seq:
2148  * ssl.client_ca => [x509name, ...]
2149  *
2150  * Returns the list of client CAs. Please note that in contrast to
2151  * SSLContext#client_ca= no array of X509::Certificate is returned but
2152  * X509::Name instances of the CA's subject distinguished name.
2153  *
2154  * In server mode, returns the list set by SSLContext#client_ca=.
2155  * In client mode, returns the list of client CAs sent from the server.
2156  */
2157 static VALUE
2159 {
2160  SSL *ssl;
2161  STACK_OF(X509_NAME) *ca;
2162 
2163  GetSSL(self, ssl);
2164 
2165  ca = SSL_get_client_CA_list(ssl);
2166  return ossl_x509name_sk2ary(ca);
2167 }
2168 
2169 # ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
2170 /*
2171  * call-seq:
2172  * ssl.npn_protocol => String | nil
2173  *
2174  * Returns the protocol string that was finally selected by the client
2175  * during the handshake.
2176  */
2177 static VALUE
2178 ossl_ssl_npn_protocol(VALUE self)
2179 {
2180  SSL *ssl;
2181  const unsigned char *out;
2182  unsigned int outlen;
2183 
2184  GetSSL(self, ssl);
2185 
2186  SSL_get0_next_proto_negotiated(ssl, &out, &outlen);
2187  if (!outlen)
2188  return Qnil;
2189  else
2190  return rb_str_new((const char *) out, outlen);
2191 }
2192 # endif
2193 
2194 # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
2195 /*
2196  * call-seq:
2197  * ssl.alpn_protocol => String | nil
2198  *
2199  * Returns the ALPN protocol string that was finally selected by the server
2200  * during the handshake.
2201  */
2202 static VALUE
2203 ossl_ssl_alpn_protocol(VALUE self)
2204 {
2205  SSL *ssl;
2206  const unsigned char *out;
2207  unsigned int outlen;
2208 
2209  GetSSL(self, ssl);
2210 
2211  SSL_get0_alpn_selected(ssl, &out, &outlen);
2212  if (!outlen)
2213  return Qnil;
2214  else
2215  return rb_str_new((const char *) out, outlen);
2216 }
2217 # endif
2218 
2219 # ifdef HAVE_SSL_GET_SERVER_TMP_KEY
2220 /*
2221  * call-seq:
2222  * ssl.tmp_key => PKey or nil
2223  *
2224  * Returns the ephemeral key used in case of forward secrecy cipher.
2225  */
2226 static VALUE
2227 ossl_ssl_tmp_key(VALUE self)
2228 {
2229  SSL *ssl;
2230  EVP_PKEY *key;
2231 
2232  GetSSL(self, ssl);
2233  if (!SSL_get_server_tmp_key(ssl, &key))
2234  return Qnil;
2235  return ossl_pkey_new(key);
2236 }
2237 # endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
2238 #endif /* !defined(OPENSSL_NO_SOCK) */
2239 
2240 #undef rb_intern
2241 #define rb_intern(s) rb_intern_const(s)
2242 void
2244 {
2245  int i;
2246  VALUE ary;
2247 
2248 #if 0
2249  mOSSL = rb_define_module("OpenSSL");
2251  rb_mWaitReadable = rb_define_module_under(rb_cIO, "WaitReadable");
2252  rb_mWaitWritable = rb_define_module_under(rb_cIO, "WaitWritable");
2253 #endif
2254 
2255  ID_callback_state = rb_intern("callback_state");
2256 
2257  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
2258  ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
2259  ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
2260 
2261  /* Document-module: OpenSSL::SSL
2262  *
2263  * Use SSLContext to set up the parameters for a TLS (former SSL)
2264  * connection. Both client and server TLS connections are supported,
2265  * SSLSocket and SSLServer may be used in conjunction with an instance
2266  * of SSLContext to set up connections.
2267  */
2268  mSSL = rb_define_module_under(mOSSL, "SSL");
2269 
2270  /* Document-module: OpenSSL::ExtConfig
2271  *
2272  * This module contains configuration information about the SSL extension,
2273  * for example if socket support is enabled, or the host name TLS extension
2274  * is enabled. Constants in this module will always be defined, but contain
2275  * `true` or `false` values depending on the configuration of your OpenSSL
2276  * installation.
2277  */
2278  mSSLExtConfig = rb_define_module_under(mOSSL, "ExtConfig");
2279 
2280  /* Document-class: OpenSSL::SSL::SSLError
2281  *
2282  * Generic error class raised by SSLSocket and SSLContext.
2283  */
2285  eSSLErrorWaitReadable = rb_define_class_under(mSSL, "SSLErrorWaitReadable", eSSLError);
2287  eSSLErrorWaitWritable = rb_define_class_under(mSSL, "SSLErrorWaitWritable", eSSLError);
2289 
2291 
2292  /* Document-class: OpenSSL::SSL::SSLContext
2293  *
2294  * An SSLContext is used to set various options regarding certificates,
2295  * algorithms, verification, session caching, etc. The SSLContext is
2296  * used to create an SSLSocket.
2297  *
2298  * All attributes must be set before creating an SSLSocket as the
2299  * SSLContext will be frozen afterward.
2300  */
2303  rb_undef_method(cSSLContext, "initialize_copy");
2304 
2305  /*
2306  * Context certificate
2307  */
2308  rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
2309 
2310  /*
2311  * Context private key
2312  */
2313  rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
2314 
2315  /*
2316  * A certificate or Array of certificates that will be sent to the client.
2317  */
2318  rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
2319 
2320  /*
2321  * The path to a file containing a PEM-format CA certificate
2322  */
2323  rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
2324 
2325  /*
2326  * The path to a directory containing CA certificates in PEM format.
2327  *
2328  * Files are looked up by subject's X509 name's hash value.
2329  */
2330  rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
2331 
2332  /*
2333  * Maximum session lifetime in seconds.
2334  */
2335  rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
2336 
2337  /*
2338  * Session verification mode.
2339  *
2340  * Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
2341  * VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
2342  *
2343  * The default mode is VERIFY_NONE, which does not perform any verification
2344  * at all.
2345  *
2346  * See SSL_CTX_set_verify(3) for details.
2347  */
2348  rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
2349 
2350  /*
2351  * Number of CA certificates to walk when verifying a certificate chain.
2352  */
2353  rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
2354 
2355  /*
2356  * A callback for additional certificate verification. The callback is
2357  * invoked for each certificate in the chain.
2358  *
2359  * The callback is invoked with two values. +preverify_ok+ indicates
2360  * indicates if the verification was passed (true) or not (false).
2361  * +store_context+ is an OpenSSL::X509::StoreContext containing the
2362  * context used for certificate verification.
2363  *
2364  * If the callback returns false, the chain verification is immediately
2365  * stopped and a bad_certificate alert is then sent.
2366  */
2367  rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
2368 
2369  /*
2370  * Whether to check the server certificate is valid for the hostname.
2371  *
2372  * In order to make this work, verify_mode must be set to VERIFY_PEER and
2373  * the server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
2374  */
2375  rb_attr(cSSLContext, rb_intern("verify_hostname"), 1, 1, Qfalse);
2376 
2377  /*
2378  * An OpenSSL::X509::Store used for certificate verification.
2379  */
2380  rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
2381 
2382  /*
2383  * An Array of extra X509 certificates to be added to the certificate
2384  * chain.
2385  */
2386  rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
2387 
2388  /*
2389  * A callback invoked when a client certificate is requested by a server
2390  * and no certificate has been set.
2391  *
2392  * The callback is invoked with a Session and must return an Array
2393  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
2394  * other value is returned the handshake is suspended.
2395  */
2396  rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
2397 
2398 #if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)
2399  /*
2400  * A callback invoked when ECDH parameters are required.
2401  *
2402  * The callback is invoked with the Session for the key exchange, an
2403  * flag indicating the use of an export cipher and the keylength
2404  * required.
2405  *
2406  * The callback is deprecated. This does not work with recent versions of
2407  * OpenSSL. Use OpenSSL::SSL::SSLContext#ecdh_curves= instead.
2408  */
2409  rb_attr(cSSLContext, rb_intern("tmp_ecdh_callback"), 1, 1, Qfalse);
2410 #endif
2411 
2412  /*
2413  * Sets the context in which a session can be reused. This allows
2414  * sessions for multiple applications to be distinguished, for example, by
2415  * name.
2416  */
2417  rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
2418 
2419  /*
2420  * A callback invoked on a server when a session is proposed by the client
2421  * but the session could not be found in the server's internal cache.
2422  *
2423  * The callback is invoked with the SSLSocket and session id. The
2424  * callback may return a Session from an external cache.
2425  */
2426  rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
2427 
2428  /*
2429  * A callback invoked when a new session was negotiated.
2430  *
2431  * The callback is invoked with an SSLSocket. If false is returned the
2432  * session will be removed from the internal cache.
2433  */
2434  rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
2435 
2436  /*
2437  * A callback invoked when a session is removed from the internal cache.
2438  *
2439  * The callback is invoked with an SSLContext and a Session.
2440  */
2441  rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
2442 
2443 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
2444  rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
2445 #else
2446  rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qfalse);
2447 #endif
2448 
2449 #ifdef TLS_DH_anon_WITH_AES_256_GCM_SHA384
2450  rb_define_const(mSSLExtConfig, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", Qtrue);
2451 #else
2452  rb_define_const(mSSLExtConfig, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", Qfalse);
2453 #endif
2454 
2455  /*
2456  * A callback invoked whenever a new handshake is initiated. May be used
2457  * to disable renegotiation entirely.
2458  *
2459  * The callback is invoked with the active SSLSocket. The callback's
2460  * return value is irrelevant, normal return indicates "approval" of the
2461  * renegotiation and will continue the process. To forbid renegotiation
2462  * and to cancel the process, an Error may be raised within the callback.
2463  *
2464  * === Disable client renegotiation
2465  *
2466  * When running a server, it is often desirable to disable client
2467  * renegotiation entirely. You may use a callback as follows to implement
2468  * this feature:
2469  *
2470  * num_handshakes = 0
2471  * ctx.renegotiation_cb = lambda do |ssl|
2472  * num_handshakes += 1
2473  * raise RuntimeError.new("Client renegotiation disabled") if num_handshakes > 1
2474  * end
2475  */
2476  rb_attr(cSSLContext, rb_intern("renegotiation_cb"), 1, 1, Qfalse);
2477 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
2478  /*
2479  * An Enumerable of Strings. Each String represents a protocol to be
2480  * advertised as the list of supported protocols for Next Protocol
2481  * Negotiation. Supported in OpenSSL 1.0.1 and higher. Has no effect
2482  * on the client side. If not set explicitly, the NPN extension will
2483  * not be sent by the server in the handshake.
2484  *
2485  * === Example
2486  *
2487  * ctx.npn_protocols = ["http/1.1", "spdy/2"]
2488  */
2489  rb_attr(cSSLContext, rb_intern("npn_protocols"), 1, 1, Qfalse);
2490  /*
2491  * A callback invoked on the client side when the client needs to select
2492  * a protocol from the list sent by the server. Supported in OpenSSL 1.0.1
2493  * and higher. The client MUST select a protocol of those advertised by
2494  * the server. If none is acceptable, raising an error in the callback
2495  * will cause the handshake to fail. Not setting this callback explicitly
2496  * means not supporting the NPN extension on the client - any protocols
2497  * advertised by the server will be ignored.
2498  *
2499  * === Example
2500  *
2501  * ctx.npn_select_cb = lambda do |protocols|
2502  * # inspect the protocols and select one
2503  * protocols.first
2504  * end
2505  */
2506  rb_attr(cSSLContext, rb_intern("npn_select_cb"), 1, 1, Qfalse);
2507 #endif
2508 
2509 #ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
2510  /*
2511  * An Enumerable of Strings. Each String represents a protocol to be
2512  * advertised as the list of supported protocols for Application-Layer
2513  * Protocol Negotiation. Supported in OpenSSL 1.0.2 and higher. Has no
2514  * effect on the server side. If not set explicitly, the ALPN extension will
2515  * not be included in the handshake.
2516  *
2517  * === Example
2518  *
2519  * ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
2520  */
2521  rb_attr(cSSLContext, rb_intern("alpn_protocols"), 1, 1, Qfalse);
2522  /*
2523  * A callback invoked on the server side when the server needs to select
2524  * a protocol from the list sent by the client. Supported in OpenSSL 1.0.2
2525  * and higher. The callback must return a protocol of those advertised by
2526  * the client. If none is acceptable, raising an error in the callback
2527  * will cause the handshake to fail. Not setting this callback explicitly
2528  * means not supporting the ALPN extension on the server - any protocols
2529  * advertised by the client will be ignored.
2530  *
2531  * === Example
2532  *
2533  * ctx.alpn_select_cb = lambda do |protocols|
2534  * # inspect the protocols and select one
2535  * protocols.first
2536  * end
2537  */
2538  rb_attr(cSSLContext, rb_intern("alpn_select_cb"), 1, 1, Qfalse);
2539 #endif
2540 
2541  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
2542  rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
2549 
2550  rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
2551  rb_define_alias(cSSLContext, "freeze", "setup");
2552 
2553  /*
2554  * No session caching for client or server
2555  */
2556  rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2NUM(SSL_SESS_CACHE_OFF));
2557 
2558  /*
2559  * Client sessions are added to the session cache
2560  */
2561  rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2NUM(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
2562 
2563  /*
2564  * Server sessions are added to the session cache
2565  */
2566  rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2NUM(SSL_SESS_CACHE_SERVER));
2567 
2568  /*
2569  * Both client and server sessions are added to the session cache
2570  */
2571  rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2NUM(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
2572 
2573  /*
2574  * Normally the session cache is checked for expired sessions every 255
2575  * connections. Since this may lead to a delay that cannot be controlled,
2576  * the automatic flushing may be disabled and #flush_sessions can be
2577  * called explicitly.
2578  */
2579  rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2NUM(SSL_SESS_CACHE_NO_AUTO_CLEAR));
2580 
2581  /*
2582  * Always perform external lookups of sessions even if they are in the
2583  * internal cache.
2584  *
2585  * This flag has no effect on clients
2586  */
2587  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
2588 
2589  /*
2590  * Never automatically store sessions in the internal store.
2591  */
2592  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL_STORE));
2593 
2594  /*
2595  * Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
2596  * SESSION_CACHE_NO_INTERNAL_STORE.
2597  */
2598  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2NUM(SSL_SESS_CACHE_NO_INTERNAL));
2599 
2610 
2612  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
2614  }
2615  rb_obj_freeze(ary);
2616  /* The list of available SSL/TLS methods */
2617  rb_define_const(cSSLContext, "METHODS", ary);
2618 
2619  /*
2620  * Document-class: OpenSSL::SSL::SSLSocket
2621  */
2623 #ifdef OPENSSL_NO_SOCK
2624  rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qtrue);
2625  rb_define_method(cSSLSocket, "initialize", rb_f_notimplement, -1);
2626 #else
2627  rb_define_const(mSSLExtConfig, "OPENSSL_NO_SOCK", Qfalse);
2629  rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
2630  rb_undef_method(cSSLSocket, "initialize_copy");
2632  rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, -1);
2634  rb_define_method(cSSLSocket, "accept_nonblock", ossl_ssl_accept_nonblock, -1);
2635  rb_define_method(cSSLSocket, "sysread", ossl_ssl_read, -1);
2637  rb_define_method(cSSLSocket, "syswrite", ossl_ssl_write, 1);
2638  rb_define_private_method(cSSLSocket, "syswrite_nonblock", ossl_ssl_write_nonblock, -1);
2643  rb_define_method(cSSLSocket, "ssl_version", ossl_ssl_get_version, 0);
2647  rb_define_method(cSSLSocket, "session_reused?", ossl_ssl_session_reused, 0);
2648  /* implementation of OpenSSL::SSL::SSLSocket#session is in lib/openssl/ssl.rb */
2652 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
2653  /* #hostname is defined in lib/openssl/ssl.rb */
2654  rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
2655 #endif
2656 # ifdef HAVE_SSL_GET_SERVER_TMP_KEY
2657  rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
2658 # endif
2659 # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
2660  rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
2661 # endif
2662 # ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
2663  rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
2664 # endif
2665 #endif
2666 
2667 #define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, LONG2NUM(SSL_##x))
2668 
2669  ossl_ssl_def_const(VERIFY_NONE);
2670  ossl_ssl_def_const(VERIFY_PEER);
2671  ossl_ssl_def_const(VERIFY_FAIL_IF_NO_PEER_CERT);
2672  ossl_ssl_def_const(VERIFY_CLIENT_ONCE);
2673  /* Introduce constants included in OP_ALL. These constants are mostly for
2674  * unset some bits in OP_ALL such as;
2675  * ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
2676  */
2677  ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
2678  ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
2679  ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
2680  ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
2681  ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
2682  ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
2683  ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
2684  ossl_ssl_def_const(OP_TLS_D5_BUG);
2685  ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
2686  ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
2687  ossl_ssl_def_const(OP_ALL);
2688  ossl_ssl_def_const(OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
2689  ossl_ssl_def_const(OP_SINGLE_ECDH_USE);
2690  ossl_ssl_def_const(OP_SINGLE_DH_USE);
2691  ossl_ssl_def_const(OP_EPHEMERAL_RSA);
2692  ossl_ssl_def_const(OP_CIPHER_SERVER_PREFERENCE);
2693  ossl_ssl_def_const(OP_TLS_ROLLBACK_BUG);
2694  ossl_ssl_def_const(OP_NO_SSLv2);
2695  ossl_ssl_def_const(OP_NO_SSLv3);
2696  ossl_ssl_def_const(OP_NO_TLSv1);
2697 #if defined(SSL_OP_NO_TLSv1_1)
2698  ossl_ssl_def_const(OP_NO_TLSv1_1);
2699 #endif
2700 #if defined(SSL_OP_NO_TLSv1_2)
2701  ossl_ssl_def_const(OP_NO_TLSv1_2);
2702 #endif
2703 #if defined(SSL_OP_NO_TICKET)
2704  ossl_ssl_def_const(OP_NO_TICKET);
2705 #endif
2706 #if defined(SSL_OP_NO_COMPRESSION)
2707  ossl_ssl_def_const(OP_NO_COMPRESSION);
2708 #endif
2709  ossl_ssl_def_const(OP_PKCS1_CHECK_1);
2710  ossl_ssl_def_const(OP_PKCS1_CHECK_2);
2711  ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
2712  ossl_ssl_def_const(OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
2713 
2714  sym_exception = ID2SYM(rb_intern("exception"));
2715  sym_wait_readable = ID2SYM(rb_intern("wait_readable"));
2716  sym_wait_writable = ID2SYM(rb_intern("wait_writable"));
2717 
2718  id_tmp_dh_callback = rb_intern("tmp_dh_callback");
2719  id_tmp_ecdh_callback = rb_intern("tmp_ecdh_callback");
2720  id_npn_protocols_encoded = rb_intern("npn_protocols_encoded");
2721 
2722 #define DefIVarID(name) do \
2723  id_i_##name = rb_intern("@"#name); while (0)
2724 
2725  DefIVarID(cert_store);
2726  DefIVarID(ca_file);
2727  DefIVarID(ca_path);
2728  DefIVarID(verify_mode);
2729  DefIVarID(verify_depth);
2730  DefIVarID(verify_callback);
2731  DefIVarID(client_ca);
2732  DefIVarID(renegotiation_cb);
2733  DefIVarID(cert);
2734  DefIVarID(key);
2735  DefIVarID(extra_chain_cert);
2736  DefIVarID(client_cert_cb);
2737  DefIVarID(tmp_ecdh_callback);
2738  DefIVarID(timeout);
2739  DefIVarID(session_id_context);
2740  DefIVarID(session_get_cb);
2741  DefIVarID(session_new_cb);
2742  DefIVarID(session_remove_cb);
2743  DefIVarID(npn_select_cb);
2744  DefIVarID(npn_protocols);
2745  DefIVarID(alpn_protocols);
2746  DefIVarID(alpn_select_cb);
2747  DefIVarID(servername_cb);
2748  DefIVarID(verify_hostname);
2749 
2750  DefIVarID(io);
2751  DefIVarID(context);
2752  DefIVarID(hostname);
2753 }
#define OSSL_SSL_METHOD_ENTRY(name, version)
static VALUE ossl_ssl_get_cipher(VALUE self)
Definition: ossl_ssl.c:2010
static ID ID_callback_state
Definition: ossl_ssl.c:35
#define T_SYMBOL
Definition: ruby.h:508
static VALUE ossl_sslctx_session_add(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1210
VALUE rb_eStandardError
Definition: error.c:760
static VALUE ossl_sslctx_get_session_cache_stats(VALUE self)
Definition: ossl_ssl.c:1334
VALUE mOSSL
Definition: ossl.c:213
static VALUE ossl_ssl_stop(VALUE self)
Definition: ossl_ssl.c:1881
static DH * ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
Definition: ossl_ssl.c:256
VALUE rb_ary_entry(VALUE ary, long offset)
Definition: array.c:1196
#define RARRAY_LEN(a)
Definition: ruby.h:1026
#define RUBY_TYPED_FREE_IMMEDIATELY
Definition: ruby.h:1145
#define ssl_get_error(ssl, ret)
Definition: ossl_ssl.c:1497
void rb_io_check_readable(rb_io_t *)
Definition: io.c:822
static int ossl_ssl_ex_store_p
Definition: ossl_ssl.c:88
#define INT2NUM(x)
Definition: ruby.h:1538
VALUE rb_String(VALUE)
Definition: object.c:3097
static ID id_npn_protocols_encoded
Definition: ossl_ssl.c:35
#define NUM2INT(x)
Definition: ruby.h:684
const rb_data_type_t ossl_ssl_type
Definition: ossl_ssl.c:1406
static unsigned int hash(str, len) register const char *str
static VALUE ossl_ssl_s_alloc(VALUE klass)
Definition: ossl_ssl.c:1415
static ID id_i_hostname
Definition: ossl_ssl.c:47
static VALUE ossl_ssl_read(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1763
static VALUE eSSLErrorWaitReadable
Definition: ossl_ssl.c:32
#define Qtrue
Definition: ruby.h:437
EVP_PKEY * GetPrivPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:216
Definition: io.h:62
#define TypedData_Wrap_Struct(klass, data_type, sval)
Definition: ruby.h:1169
static ID id_i_key
Definition: ossl_ssl.c:39
#define TypedData_Get_Struct(obj, type, data_type, sval)
Definition: ruby.h:1190
void rb_define_private_method(VALUE klass, const char *name, VALUE(*func)(ANYARGS), int argc)
Definition: class.c:1527
VALUE rb_iterate(VALUE(*)(VALUE), VALUE, VALUE(*)(ANYARGS), VALUE)
Definition: vm_eval.c:1202
static int ossl_ssl_ex_vcb_idx
Definition: ossl_ssl.c:87
static ID id_i_client_ca
Definition: ossl_ssl.c:39
VALUE rb_ary_push(VALUE ary, VALUE item)
Definition: array.c:905
static VALUE ossl_ssl_get_cert(VALUE self)
Definition: ossl_ssl.c:1912
SSL_METHOD *(* func)(void)
Definition: ossl_ssl.c:54
static void ossl_sslctx_free(void *ptr)
Definition: ossl_ssl.c:92
static int ossl_ssl_ex_ptr_idx
Definition: ossl_ssl.c:89
static ID id_i_servername_cb
Definition: ossl_ssl.c:39
VALUE rb_funcall(VALUE, ID, int,...)
Calls a method.
Definition: vm_eval.c:821
VALUE ossl_x509name_sk2ary(const STACK_OF(X509_NAME) *names)
void rb_str_set_len(VALUE, long)
Definition: string.c:2545
#define FPTR_TO_FD(fptr)
Definition: ruby_missing.h:16
VALUE rb_protect(VALUE(*proc)(VALUE), VALUE data, int *state)
Definition: eval.c:891
VALUE rb_define_class_under(VALUE outer, const char *name, VALUE super)
Defines a class under the namespace of outer.
Definition: class.c:693
#define Check_Type(v, t)
Definition: ruby.h:562
static ID id_i_cert
Definition: ossl_ssl.c:39
static ID id_i_timeout
Definition: ossl_ssl.c:39
void rb_define_alloc_func(VALUE, rb_alloc_func_t)
VALUE rb_obj_is_kind_of(VALUE, VALUE)
Definition: object.c:690
#define T_HASH
Definition: ruby.h:499
STACK_OF(X509) *ossl_x509_ary2sk0(VALUE)
static EVP_PKEY * ossl_call_tmp_dh_callback(struct tmp_dh_callback_args *args)
Definition: ossl_ssl.c:236
#define DATA_PTR(dta)
Definition: ruby.h:1113
#define SSL_SESSION_up_ref(x)
void rb_include_module(VALUE klass, VALUE module)
Definition: class.c:864
VALUE rb_block_call(VALUE, ID, int, const VALUE *, rb_block_call_func_t, VALUE)
#define T_ARRAY
Definition: ruby.h:498
static VALUE call_verify_certificate_identity(VALUE ctx_v)
Definition: ossl_ssl.c:313
static VALUE ossl_sslctx_get_options(VALUE self)
Definition: ossl_ssl.c:736
static VALUE ossl_ssl_read_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1782
static ID id_i_renegotiation_cb
Definition: ossl_ssl.c:39
static VALUE ossl_ssl_accept_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1658
VALUE ossl_pkey_new(EVP_PKEY *pkey)
Definition: ossl_pkey.c:107
void rb_undef_method(VALUE klass, const char *name)
Definition: class.c:1533
#define GetSSLCTX(obj, ctx)
Definition: ossl_ssl.c:22
VALUE rb_f_notimplement(int argc, const VALUE *argv, VALUE obj)
Definition: vm_method.c:122
#define GetOpenFile(obj, fp)
Definition: io.h:120
#define rb_ary_new2
Definition: intern.h:90
static ID id_i_client_cert_cb
Definition: ossl_ssl.c:39
static VALUE sym_exception
Definition: ossl_ssl.c:37
VALUE rb_str_buf_cat(VALUE, const char *, long)
static VALUE ossl_ssl_write(VALUE self, VALUE str)
Definition: ossl_ssl.c:1851
static VALUE ossl_call_client_cert_cb(VALUE obj)
Definition: ossl_ssl.c:192
static VALUE ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1610
static const struct @49 ossl_ssl_method_tab[]
#define RB_BLOCK_CALL_FUNC_ARGLIST(yielded_arg, callback_arg)
Definition: ruby.h:1830
void Init_ossl_ssl_session(void)
static ID id_i_npn_protocols
Definition: ossl_ssl.c:39
#define RB_TYPE_P(obj, type)
Definition: ruby.h:527
#define EC_curve_nist2nid
VALUE mSSL
Definition: ossl_ssl.c:26
X509 * GetX509CertPtr(VALUE)
RUBY_EXTERN VALUE rb_mWaitReadable
Definition: ruby.h:1868
static VALUE ossl_ssl_accept(VALUE self)
Definition: ossl_ssl.c:1628
static VALUE ossl_sslctx_get_ciphers(VALUE self)
Definition: ossl_ssl.c:983
static int ssl_started(SSL *ssl)
Definition: ossl_ssl.c:1394
void ossl_clear_error(void)
Definition: ossl.c:289
#define numberof(ary)
Definition: ossl_ssl.c:14
VALUE rb_hash_aset(VALUE hash, VALUE key, VALUE val)
Definition: hash.c:1576
#define val
RUBY_EXTERN VALUE rb_cObject
Definition: ruby.h:1872
static ID id_i_session_get_cb
Definition: ossl_ssl.c:39
static VALUE ossl_ssl_session_reused(VALUE self)
Definition: ossl_ssl.c:2068
void rb_attr(VALUE, ID, int, int, int)
Definition: vm_method.c:1138
static VALUE ossl_call_session_remove_cb(VALUE ary)
Definition: ossl_ssl.c:459
static VALUE ossl_sslctx_add_extra_chain_cert_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, arg))
Definition: ossl_ssl.c:503
static ID id_i_verify_hostname
Definition: ossl_ssl.c:39
VALUE rb_str_cat2(VALUE, const char *)
VALUE rb_ary_new(void)
Definition: array.c:493
static void ossl_ssl_free(void *ssl)
Definition: ossl_ssl.c:1401
#define GetSSL(obj, ssl)
Definition: ossl_ssl.h:13
static ID id_i_alpn_select_cb
Definition: ossl_ssl.c:39
#define NIL_P(v)
Definition: ruby.h:451
static ID id_i_tmp_ecdh_callback
Definition: ossl_ssl.c:39
void rb_define_const(VALUE, const char *, VALUE)
Definition: variable.c:2734
int rb_io_wait_writable(int)
Definition: io.c:1130
#define OBJ_FROZEN(x)
Definition: ruby.h:1306
VALUE eOSSLError
Definition: ossl.c:218
static VALUE ossl_ssl_pending(VALUE self)
Definition: ossl_ssl.c:2052
static VALUE ossl_sslctx_setup(VALUE self)
Definition: ossl_ssl.c:775
int argc
Definition: ruby.c:183
static VALUE ossl_sslctx_set_security_level(VALUE self, VALUE value)
Definition: ossl_ssl.c:1184
#define Qfalse
Definition: ruby.h:436
VALUE ossl_x509_new(X509 *)
Definition: ossl_x509cert.c:55
static VALUE ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
Definition: ossl_ssl.c:1669
#define rb_str_new2
Definition: intern.h:857
VALUE rb_obj_alloc(VALUE)
Definition: object.c:1845
VALUE rb_str_split(VALUE, const char *)
Definition: string.c:7450
static VALUE ossl_ssl_set_session(VALUE self, VALUE arg1)
Definition: ossl_ssl.c:2084
static VALUE ossl_sslctx_set_options(VALUE self, VALUE options)
Definition: ossl_ssl.c:747
static VALUE ossl_ssl_get_verify_result(VALUE self)
Definition: ossl_ssl.c:2137
static VALUE ossl_ssl_get_state(VALUE self)
Definition: ossl_ssl.c:2030
static const rb_data_type_t ossl_sslctx_type
Definition: ossl_ssl.c:102
static VALUE ossl_sslctx_get_session_cache_mode(VALUE self)
Definition: ossl_ssl.c:1246
static SSL_SESSION * ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
Definition: ossl_ssl.c:378
VALUE rb_str_resize(VALUE, long)
Definition: string.c:2562
#define TO_SOCKET(s)
Definition: ossl_ssl.c:19
static ID id_i_verify_depth
Definition: ossl_ssl.c:39
void rb_define_alias(VALUE klass, const char *name1, const char *name2)
Defines an alias of a method.
Definition: class.c:1758
RUBY_EXTERN VALUE rb_cIO
Definition: ruby.h:1892
static ID id_i_session_new_cb
Definition: ossl_ssl.c:39
#define RSTRING_LEN(str)
Definition: ruby.h:978
static VALUE ossl_ssl_get_client_ca_list(VALUE self)
Definition: ossl_ssl.c:2158
static void write_would_block(int nonblock)
Definition: ossl_ssl.c:1501
static VALUE ossl_ssl_setup(VALUE self)
Definition: ossl_ssl.c:1474
#define DefIVarID(name)
int errno
VALUE cSSLContext
Definition: ossl_ssl.c:29
static VALUE ossl_ssl_initialize(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1437
VALUE cSSLSocket
Definition: ossl_ssl.c:30
RUBY_EXTERN VALUE rb_mWaitWritable
Definition: ruby.h:1869
VALUE rb_hash_new(void)
Definition: hash.c:441
static VALUE ossl_sslctx_session_remove(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1228
int rb_scan_args(int argc, const VALUE *argv, const char *fmt,...)
Definition: class.c:1919
int ossl_verify_cb_call(VALUE, int, X509_STORE_CTX *)
VALUE rb_ivar_set(VALUE, ID, VALUE)
Definition: variable.c:1364
unsigned char buf[MIME_BUF_SIZE]
Definition: nkf.c:4309
#define PRIsVALUE
Definition: ruby.h:135
unsigned long ID
Definition: ruby.h:86
void rb_thread_wait_fd(int)
Definition: thread.c:3782
#define Qnil
Definition: ruby.h:438
static VALUE ossl_ssl_write_nonblock(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1864
static int options(unsigned char *cp)
Definition: nkf.c:6358
#define OBJ_TAINT(x)
Definition: ruby.h:1300
unsigned long VALUE
Definition: ruby.h:85
static VALUE ossl_call_session_new_cb(VALUE ary)
Definition: ossl_ssl.c:409
static VALUE ossl_sslctx_set_ciphers(VALUE self, VALUE v)
Definition: ossl_ssl.c:1021
static int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition: ossl_ssl.c:210
static VALUE ossl_sslctx_set_session_cache_mode(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1264
static VALUE ossl_start_ssl(VALUE self, int(*func)(), const char *funcname, VALUE opts)
Definition: ossl_ssl.c:1524
void Init_ossl_ssl(void)
Definition: ossl_ssl.c:2243
#define rb_ary_new3
Definition: intern.h:91
VALUE rb_call_super(int, const VALUE *)
Definition: vm_eval.c:287
static VALUE eSSLErrorWaitWritable
Definition: ossl_ssl.c:33
static VALUE ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1085
static void ssl_renegotiation_cb(const SSL *ssl)
Definition: ossl_ssl.c:579
void rb_sys_fail(const char *mesg)
Definition: error.c:2326
#define OSSL_Debug
Definition: ossl.h:155
void rb_jump_tag(int tag)
Definition: eval.c:788
static ID id_i_session_remove_cb
Definition: ossl_ssl.c:39
X509_STORE * GetX509StorePtr(VALUE)
#define LONG2NUM(x)
Definition: ruby.h:1573
int rb_respond_to(VALUE, ID)
Definition: vm_method.c:1995
register unsigned int len
Definition: zonetab.h:51
VALUE rb_define_module_under(VALUE outer, const char *name)
Definition: class.c:790
#define X509_STORE_up_ref(x)
static ID id_i_io
Definition: ossl_ssl.c:47
#define StringValueCStr(v)
Definition: ruby.h:571
#define RSTRING_PTR(str)
Definition: ruby.h:982
VALUE rb_obj_is_instance_of(VALUE, VALUE)
Definition: object.c:653
static VALUE ossl_ssl_get_peer_cert(VALUE self)
Definition: ossl_ssl.c:1938
void rb_str_modify(VALUE)
Definition: string.c:1980
static ID id_tmp_ecdh_callback
Definition: ossl_ssl.c:35
static VALUE sym_wait_writable
Definition: ossl_ssl.c:37
static ID id_tmp_dh_callback
Definition: ossl_ssl.c:35
static VALUE ossl_call_session_get_cb(VALUE ary)
Definition: ossl_ssl.c:360
VALUE rb_hash_lookup2(VALUE hash, VALUE key, VALUE def)
Definition: hash.c:856
#define INT2FIX(i)
Definition: ruby.h:232
#define RARRAY_AREF(a, i)
Definition: ruby.h:1040
static ID id_i_ca_file
Definition: ossl_ssl.c:39
static void ssl_info_cb(const SSL *ssl, int where, int val)
Definition: ossl_ssl.c:723
#define RTEST(v)
Definition: ruby.h:450
static VALUE mSSLExtConfig
Definition: ossl_ssl.c:27
#define ossl_ssl_def_const(x)
static VALUE ossl_ssl_write_internal(VALUE self, VALUE str, VALUE opts)
Definition: ossl_ssl.c:1788
VALUE rb_each(VALUE)
Definition: vm_eval.c:1279
VALUE cSSLSession
static int no_exception_p(VALUE opts)
Definition: ossl_ssl.c:1515
static ID id_i_npn_select_cb
Definition: ossl_ssl.c:39
static ID id_i_ca_path
Definition: ossl_ssl.c:39
void ossl_raise(VALUE exc, const char *fmt,...)
Definition: ossl.c:278
static int ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
Definition: ossl_ssl.c:334
EVP_PKEY * GetPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:206
static VALUE ossl_ssl_cipher_to_ary(const SSL_CIPHER *cipher)
Definition: ossl_ssl.c:961
static VALUE ossl_ssl_get_version(VALUE self)
Definition: ossl_ssl.c:1994
static VALUE ossl_sslctx_set_session_cache_size(VALUE self, VALUE arg)
Definition: ossl_ssl.c:1300
VALUE rb_eNotImpError
Definition: error.c:772
EVP_PKEY * DupPKeyPtr(VALUE obj)
Definition: ossl_pkey.c:229
X509 * DupX509CertPtr(VALUE)
static ID id_i_session_id_context
Definition: ossl_ssl.c:39
#define SSL_is_server(s)
void rb_io_check_writable(rb_io_t *)
Definition: io.c:846
static VALUE sym_wait_readable
Definition: ossl_ssl.c:37
static ID id_i_verify_callback
Definition: ossl_ssl.c:39
static VALUE eSSLError
Definition: ossl_ssl.c:28
#define ID2SYM(x)
Definition: ruby.h:383
static VALUE ossl_ssl_get_peer_cert_chain(VALUE self)
Definition: ossl_ssl.c:1964
static ID id_i_extra_chain_cert
Definition: ossl_ssl.c:39
static VALUE ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
Definition: ossl_ssl.c:1366
int nid
#define SSL_CTX_get_ciphers(ctx)
static ID id_i_alpn_protocols
Definition: ossl_ssl.c:39
#define RTYPEDDATA_DATA(v)
Definition: ruby.h:1117
static ID id_i_context
Definition: ossl_ssl.c:47
#define EVP_PKEY_base_id(pkey)
void rb_warning(const char *fmt,...)
Definition: error.c:250
#define RSTRING_LENINT(str)
Definition: ruby.h:990
#define SafeGetSSLSession(obj, sess)
Definition: ossl_ssl.h:27
#define rb_check_frozen(obj)
Definition: intern.h:276
const char * name
Definition: ossl_ssl.c:53
VALUE rb_obj_freeze(VALUE)
Definition: object.c:1111
static void ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
Definition: ossl_ssl.c:473
static VALUE ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
Definition: ossl_ssl.c:157
static VALUE ossl_sslctx_get_security_level(VALUE self)
Definition: ossl_ssl.c:1150
VALUE rb_define_module(const char *name)
Definition: class.c:768
static int ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
Definition: ossl_ssl.c:424
static void read_would_block(int nonblock)
Definition: ossl_ssl.c:1508
#define rb_intern(s)
Definition: ossl_ssl.c:2241
static VALUE ossl_ssl_connect(VALUE self)
Definition: ossl_ssl.c:1580
#define NULL
Definition: _sdbm.c:102
#define Qundef
Definition: ruby.h:439
int rb_io_wait_readable(int)
Definition: io.c:1104
RUBY_EXTERN VALUE rb_cTime
Definition: ruby.h:1910
static VALUE ossl_sslctx_s_alloc(VALUE klass)
Definition: ossl_ssl.c:111
void rb_define_method(VALUE klass, const char *name, VALUE(*func)(ANYARGS), int argc)
Definition: class.c:1515
#define ruby_verbose
Definition: ruby.h:1792
VALUE rb_str_append(VALUE, VALUE)
Definition: string.c:2818
void rb_warn(const char *fmt,...)
Definition: error.c:221
int version
Definition: ossl_ssl.c:55
VALUE rb_eArgError
Definition: error.c:763
#define SSL_CTX_clear_options(ctx, op)
#define NUM2LONG(x)
Definition: ruby.h:648
static ID id_i_verify_mode
Definition: ossl_ssl.c:39
VALUE rb_attr_get(VALUE, ID)
Definition: variable.c:1273
char ** argv
Definition: ruby.c:184
static VALUE ossl_sslctx_get_session_cache_size(VALUE self)
Definition: ossl_ssl.c:1283
#define StringValue(v)
Definition: ruby.h:569
static ID id_i_cert_store
Definition: ossl_ssl.c:39
#define rb_sym2str(sym)
Definition: console.c:107
VALUE rb_str_new(const char *, long)
Definition: string.c:736
void rb_eof_error(void)
Definition: io.c:618