Skip to content
Permalink
Browse files

openssl: Access to ephemeral TLS session key

* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
  TLS session key in case of forward secrecy cipher.  Only
  available since OpenSSL 1.0.2.  [Fix GH-1318]
* ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
  • Loading branch information...
nobu authored and rhenium committed Apr 4, 2016
1 parent b0996b8 commit bd6a4954382b7b742575d5688bd9b93a597bcc24
Showing with 47 additions and 0 deletions.
  1. +1 −0 ext/openssl/extconf.rb
  2. +22 −0 ext/openssl/ossl_ssl.c
  3. +23 −0 test/test_ssl.rb
  4. +1 −0 test/utils.rb
@@ -111,6 +111,7 @@
have_func("TLSv1_2_client_method")
have_func("SSL_CTX_set_alpn_select_cb")
have_func("SSL_CTX_set_next_proto_select_cb")
have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
end
@@ -1912,6 +1912,25 @@ ossl_ssl_alpn_protocol(VALUE self)
return rb_str_new((const char *) out, outlen);
}
# endif

# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
/*
* call-seq:
* ssl.tmp_key => PKey or nil
*
* Returns the ephemeral key used in case of forward secrecy cipher
*/
static VALUE
ossl_ssl_tmp_key(VALUE self)
{
SSL *ssl;
EVP_PKEY *key;
ossl_ssl_data_get_struct(self, ssl);
if (!SSL_get_server_tmp_key(ssl, &key))
return Qnil;
return ossl_pkey_new(key);
}
# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */

void
@@ -2306,6 +2325,9 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1);
rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0);
rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
# endif
# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
# endif
@@ -1169,6 +1169,29 @@ def test_sync_close_without_connect
}
end

def test_get_ephemeral_key
return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
ciphers = {
'ECDHE-RSA-AES128-SHA' => OpenSSL::PKey::EC,
'DHE-RSA-AES128-SHA' => OpenSSL::PKey::DH,
'AES128-SHA' => nil
}
conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc) do |server, port|
ciphers.each do |cipher, ephemeral|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = cipher
server_connect(port, ctx) do |ssl|
if ephemeral
assert_equal(ephemeral, ssl.tmp_key.class)
else
assert_nil(ssl.tmp_key)
end
end
end
end
end

private

def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
@@ -278,6 +278,7 @@ def start_server(verify_mode, start_immediately, args = {}, &block)
ctx.cert = @svr_cert
ctx.key = @svr_key
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc

0 comments on commit bd6a495

Please sign in to comment.
You can’t perform that action at this time.