diff --git a/ChangeLog b/ChangeLog index e8668799a15768..6ffd918749599a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +Tue Apr 5 00:06:44 2016 Aeris + + * ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral + TLS session key in case of forward secrecy cipher. Only + available since OpenSSL 1.0.2. [Fix GH-1318] + + * ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key. + Mon Apr 4 23:37:05 2016 Nobuyoshi Nakada * vm_core.h (rb_vm_struct): make at_exit a single linked list but diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 0b7fa2aaf92653..c36a7021e49a76 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -111,6 +111,7 @@ have_func("TLSv1_2_client_method") have_func("SSL_CTX_set_alpn_select_cb") have_func("SSL_CTX_set_next_proto_select_cb") +have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY") unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") end diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 5fcd2145c31df3..96c7990046e58f 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1912,6 +1912,25 @@ ossl_ssl_alpn_protocol(VALUE self) return rb_str_new((const char *) out, outlen); } # endif + +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY +/* + * call-seq: + * ssl.tmp_key => PKey or nil + * + * Returns the ephemeral key used in case of forward secrecy cipher + */ +static VALUE +ossl_ssl_tmp_key(VALUE self) +{ + SSL *ssl; + EVP_PKEY *key; + ossl_ssl_data_get_struct(self, ssl); + if (!SSL_get_server_tmp_key(ssl, &key)) + return Qnil; + return ossl_pkey_new(key); +} +# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */ #endif /* !defined(OPENSSL_NO_SOCK) */ void @@ -2306,6 +2325,9 @@ Init_ossl_ssl(void) rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0); rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0); +# ifdef HAVE_SSL_GET_SERVER_TMP_KEY + rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); +# endif # ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); # endif diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 28f5141cb0b85f..b3f5661e5c3c95 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -1169,6 +1169,29 @@ def test_sync_close_without_connect } end + def test_get_ephemeral_key + return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) + ciphers = { + 'ECDHE-RSA-AES128-SHA' => OpenSSL::PKey::EC, + 'DHE-RSA-AES128-SHA' => OpenSSL::PKey::DH, + 'AES128-SHA' => nil + } + conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' } + start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc) do |server, port| + ciphers.each do |cipher, ephemeral| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = cipher + server_connect(port, ctx) do |ssl| + if ephemeral + assert_equal(ephemeral, ssl.tmp_key.class) + else + assert_nil(ssl.tmp_key) + end + end + end + end + end + private def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk) diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index d4f0443511655e..6909854cad7850 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -277,6 +277,7 @@ def start_server(verify_mode, start_immediately, args = {}, &block) ctx.cert = @svr_cert ctx.key = @svr_key ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 } ctx.verify_mode = verify_mode ctx_proc.call(ctx) if ctx_proc