Ruby  1.9.3p429(2013-05-15revision40747)
ossl_ssl.c
Go to the documentation of this file.
1 /*
2  * $Id: ossl_ssl.c 40717 2013-05-14 02:35:39Z usa $
3  * 'OpenSSL for Ruby' project
4  * Copyright (C) 2000-2002 GOTOU Yuuzou <gotoyuzo@notwork.org>
5  * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
6  * Copyright (C) 2001-2007 Technorama Ltd. <oss-ruby@technorama.net>
7  * All rights reserved.
8  */
9 /*
10  * This program is licenced under the same licence as Ruby.
11  * (See the file 'LICENCE'.)
12  */
13 #include "ossl.h"
14 
15 #if defined(HAVE_UNISTD_H)
16 # include <unistd.h> /* for read(), and write() */
17 #endif
18 
19 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
20 
21 #ifdef _WIN32
22 # define TO_SOCKET(s) _get_osfhandle(s)
23 #else
24 # define TO_SOCKET(s) (s)
25 #endif
26 
31 
32 #define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
33 #define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
34 #define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
35 #define ossl_sslctx_set_ca_file(o,v) rb_iv_set((o),"@ca_file",(v))
36 #define ossl_sslctx_set_ca_path(o,v) rb_iv_set((o),"@ca_path",(v))
37 #define ossl_sslctx_set_timeout(o,v) rb_iv_set((o),"@timeout",(v))
38 #define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v))
39 #define ossl_sslctx_set_verify_dep(o,v) rb_iv_set((o),"@verify_depth",(v))
40 #define ossl_sslctx_set_verify_cb(o,v) rb_iv_set((o),"@verify_callback",(v))
41 #define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v))
42 #define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
43 #define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
44 #define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
45 #define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v))
46 #define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_get((o),"@session_id_context"(v))
47 
48 #define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
49 #define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
50 #define ossl_sslctx_get_client_ca(o) rb_iv_get((o),"@client_ca")
51 #define ossl_sslctx_get_ca_file(o) rb_iv_get((o),"@ca_file")
52 #define ossl_sslctx_get_ca_path(o) rb_iv_get((o),"@ca_path")
53 #define ossl_sslctx_get_timeout(o) rb_iv_get((o),"@timeout")
54 #define ossl_sslctx_get_verify_mode(o) rb_iv_get((o),"@verify_mode")
55 #define ossl_sslctx_get_verify_dep(o) rb_iv_get((o),"@verify_depth")
56 #define ossl_sslctx_get_verify_cb(o) rb_iv_get((o),"@verify_callback")
57 #define ossl_sslctx_get_options(o) rb_iv_get((o),"@options")
58 #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
59 #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
60 #define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
61 #define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
62 #define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
63 
64 static const char *ossl_sslctx_attrs[] = {
65  "cert", "key", "client_ca", "ca_file", "ca_path",
66  "timeout", "verify_mode", "verify_depth",
67  "verify_callback", "options", "cert_store", "extra_chain_cert",
68  "client_cert_cb", "tmp_dh_callback", "session_id_context",
69  "session_get_cb", "session_new_cb", "session_remove_cb",
70 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
71  "servername_cb",
72 #endif
73 };
74 
75 #define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
76 #define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
77 #define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
78 #define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
79 #define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
80 #define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
81 
82 #define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
83 #define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
84 #define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
85 #define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
86 #define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
87 #define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
88 
89 static const char *ossl_ssl_attr_readers[] = { "io", "context", };
90 static const char *ossl_ssl_attrs[] = {
91 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
92  "hostname",
93 #endif
94  "sync_close",
95 };
96 
98 
99 /*
100  * SSLContext class
101  */
102 struct {
103  const char *name;
104  SSL_METHOD *(*func)(void);
105 } ossl_ssl_method_tab[] = {
106 #define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
107  OSSL_SSL_METHOD_ENTRY(TLSv1),
108  OSSL_SSL_METHOD_ENTRY(TLSv1_server),
109  OSSL_SSL_METHOD_ENTRY(TLSv1_client),
110 #if defined(HAVE_SSLV2_METHOD) && defined(HAVE_SSLV2_SERVER_METHOD) && \
111  defined(HAVE_SSLV2_CLIENT_METHOD)
112  OSSL_SSL_METHOD_ENTRY(SSLv2),
113  OSSL_SSL_METHOD_ENTRY(SSLv2_server),
114  OSSL_SSL_METHOD_ENTRY(SSLv2_client),
115 #endif
116  OSSL_SSL_METHOD_ENTRY(SSLv3),
117  OSSL_SSL_METHOD_ENTRY(SSLv3_server),
118  OSSL_SSL_METHOD_ENTRY(SSLv3_client),
119  OSSL_SSL_METHOD_ENTRY(SSLv23),
120  OSSL_SSL_METHOD_ENTRY(SSLv23_server),
121  OSSL_SSL_METHOD_ENTRY(SSLv23_client),
122 #undef OSSL_SSL_METHOD_ENTRY
123 };
124 
130 
131 static void
132 ossl_sslctx_free(SSL_CTX *ctx)
133 {
134  if(ctx && SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_store_p)== (void*)1)
135  ctx->cert_store = NULL;
136  SSL_CTX_free(ctx);
137 }
138 
139 static VALUE
141 {
142  SSL_CTX *ctx;
143  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
144 
145 #ifdef SSL_MODE_RELEASE_BUFFERS
146  mode |= SSL_MODE_RELEASE_BUFFERS;
147 #endif
148 
149  ctx = SSL_CTX_new(SSLv23_method());
150  if (!ctx) {
151  ossl_raise(eSSLError, "SSL_CTX_new:");
152  }
153  SSL_CTX_set_mode(ctx, mode);
154  return Data_Wrap_Struct(klass, 0, ossl_sslctx_free, ctx);
155 }
156 
157 /*
158  * call-seq:
159  * ctx.ssl_version = :TLSv1
160  * ctx.ssl_version = "SSLv23_client"
161  *
162  * You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
163  */
164 static VALUE
166 {
167  SSL_METHOD *method = NULL;
168  const char *s;
169  int i;
170 
171  SSL_CTX *ctx;
172  if(TYPE(ssl_method) == T_SYMBOL)
173  s = rb_id2name(SYM2ID(ssl_method));
174  else
175  s = StringValuePtr(ssl_method);
176  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
177  if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
178  method = ossl_ssl_method_tab[i].func();
179  break;
180  }
181  }
182  if (!method) {
183  ossl_raise(rb_eArgError, "unknown SSL method `%s'.", s);
184  }
185  Data_Get_Struct(self, SSL_CTX, ctx);
186  if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
187  ossl_raise(eSSLError, "SSL_CTX_set_ssl_version:");
188  }
189 
190  return ssl_method;
191 }
192 
193 /*
194  * call-seq:
195  * SSLContext.new => ctx
196  * SSLContext.new(:TLSv1) => ctx
197  * SSLContext.new("SSLv23_client") => ctx
198  *
199  * You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
200  */
201 static VALUE
203 {
204  VALUE ssl_method;
205  int i;
206 
207  for(i = 0; i < numberof(ossl_sslctx_attrs); i++){
208  char buf[32];
209  snprintf(buf, sizeof(buf), "@%s", ossl_sslctx_attrs[i]);
210  rb_iv_set(self, buf, Qnil);
211  }
212  if (rb_scan_args(argc, argv, "01", &ssl_method) == 0){
213  return self;
214  }
215  ossl_sslctx_set_ssl_version(self, ssl_method);
216 
217  return self;
218 }
219 
220 static VALUE
222 {
223  VALUE cb, ary, cert, key;
224  SSL *ssl;
225 
226  Data_Get_Struct(obj, SSL, ssl);
227  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx);
228  if (NIL_P(cb)) return Qfalse;
229  ary = rb_funcall(cb, rb_intern("call"), 1, obj);
230  Check_Type(ary, T_ARRAY);
231  GetX509CertPtr(cert = rb_ary_entry(ary, 0));
232  GetPKeyPtr(key = rb_ary_entry(ary, 1));
233  ossl_ssl_set_x509(obj, cert);
234  ossl_ssl_set_key(obj, key);
235 
236  return Qtrue;
237 }
238 
239 static int
240 ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
241 {
242  VALUE obj, success;
243 
244  obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
246  obj, NULL);
247  if (!RTEST(success)) return 0;
248  *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
249  *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
250 
251  return 1;
252 }
253 
254 #if !defined(OPENSSL_NO_DH)
255 static VALUE
257 {
258  SSL *ssl;
259  VALUE cb, dh;
260  EVP_PKEY *pkey;
261 
262  Data_Get_Struct(args[0], SSL, ssl);
263  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx);
264  if (NIL_P(cb)) return Qfalse;
265  dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
266  pkey = GetPKeyPtr(dh);
267  if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
268  ossl_ssl_set_tmp_dh(args[0], dh);
269 
270  return Qtrue;
271 }
272 
273 static DH*
274 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
275 {
276  VALUE args[3], success;
277 
278  args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
279  args[1] = INT2FIX(is_export);
280  args[2] = INT2FIX(keylength);
282  (VALUE)args, NULL);
283  if (!RTEST(success)) return NULL;
284 
285  return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
286 }
287 
288 static DH*
289 ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
290 {
291  rb_warning("using default DH parameters.");
292 
293  switch(keylength){
294  case 512:
295  return OSSL_DEFAULT_DH_512;
296  case 1024:
297  return OSSL_DEFAULT_DH_1024;
298  }
299  return NULL;
300 }
301 #endif /* OPENSSL_NO_DH */
302 
303 static int
304 ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
305 {
306  VALUE cb;
307  SSL *ssl;
308 
309  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
310  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
311  X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, (void*)cb);
312  return ossl_verify_cb(preverify_ok, ctx);
313 }
314 
315 static VALUE
317 {
318  VALUE ssl_obj, sslctx_obj, cb;
319 
320  Check_Type(ary, T_ARRAY);
321  ssl_obj = rb_ary_entry(ary, 0);
322 
323  sslctx_obj = rb_iv_get(ssl_obj, "@context");
324  if (NIL_P(sslctx_obj)) return Qnil;
325  cb = rb_iv_get(sslctx_obj, "@session_get_cb");
326  if (NIL_P(cb)) return Qnil;
327 
328  return rb_funcall(cb, rb_intern("call"), 1, ary);
329 }
330 
331 /* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
332 static SSL_SESSION *
333 ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
334 {
335  VALUE ary, ssl_obj, ret_obj;
336  SSL_SESSION *sess;
337  void *ptr;
338  int state = 0;
339 
340  OSSL_Debug("SSL SESSION get callback entered");
341  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
342  return NULL;
343  ssl_obj = (VALUE)ptr;
344  ary = rb_ary_new2(2);
345  rb_ary_push(ary, ssl_obj);
346  rb_ary_push(ary, rb_str_new((const char *)buf, len));
347 
348  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state);
349  if (state) {
350  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
351  return NULL;
352  }
353  if (!rb_obj_is_instance_of(ret_obj, cSSLSession))
354  return NULL;
355 
356  SafeGetSSLSession(ret_obj, sess);
357  *copy = 1;
358 
359  return sess;
360 }
361 
362 static VALUE
364 {
365  VALUE ssl_obj, sslctx_obj, cb;
366 
367  Check_Type(ary, T_ARRAY);
368  ssl_obj = rb_ary_entry(ary, 0);
369 
370  sslctx_obj = rb_iv_get(ssl_obj, "@context");
371  if (NIL_P(sslctx_obj)) return Qnil;
372  cb = rb_iv_get(sslctx_obj, "@session_new_cb");
373  if (NIL_P(cb)) return Qnil;
374 
375  return rb_funcall(cb, rb_intern("call"), 1, ary);
376 }
377 
378 /* return 1 normal. return 0 removes the session */
379 static int
380 ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
381 {
382  VALUE ary, ssl_obj, sess_obj, ret_obj;
383  void *ptr;
384  int state = 0;
385 
386  OSSL_Debug("SSL SESSION new callback entered");
387 
388  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
389  return 1;
390  ssl_obj = (VALUE)ptr;
391  sess_obj = rb_obj_alloc(cSSLSession);
392  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
393  DATA_PTR(sess_obj) = sess;
394 
395  ary = rb_ary_new2(2);
396  rb_ary_push(ary, ssl_obj);
397  rb_ary_push(ary, sess_obj);
398 
399  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
400  if (state) {
401  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
402  }
403 
404  /*
405  * return 0 which means to OpenSSL that the the session is still
406  * valid (since we created Ruby Session object) and was not freed by us
407  * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
408  * session_get_cb block if you don't want OpenSSL to cache the session
409  * internally.
410  */
411  return 0;
412 }
413 
414 static VALUE
416 {
417  VALUE sslctx_obj, cb;
418 
419  Check_Type(ary, T_ARRAY);
420  sslctx_obj = rb_ary_entry(ary, 0);
421 
422  cb = rb_iv_get(sslctx_obj, "@session_remove_cb");
423  if (NIL_P(cb)) return Qnil;
424 
425  return rb_funcall(cb, rb_intern("call"), 1, ary);
426 }
427 
428 static void
429 ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
430 {
431  VALUE ary, sslctx_obj, sess_obj, ret_obj;
432  void *ptr;
433  int state = 0;
434 
435  OSSL_Debug("SSL SESSION remove callback entered");
436 
437  if ((ptr = SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_ptr_idx)) == NULL)
438  return;
439  sslctx_obj = (VALUE)ptr;
440  sess_obj = rb_obj_alloc(cSSLSession);
441  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
442  DATA_PTR(sess_obj) = sess;
443 
444  ary = rb_ary_new2(2);
445  rb_ary_push(ary, sslctx_obj);
446  rb_ary_push(ary, sess_obj);
447 
448  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
449  if (state) {
450 /*
451  the SSL_CTX is frozen, nowhere to save state.
452  there is no common accessor method to check it either.
453  rb_ivar_set(sslctx_obj, ID_callback_state, INT2NUM(state));
454 */
455  }
456 }
457 
458 static VALUE
460 {
461  X509 *x509;
462  SSL_CTX *ctx;
463 
464  Data_Get_Struct(arg, SSL_CTX, ctx);
465  x509 = DupX509CertPtr(i);
466  if(!SSL_CTX_add_extra_chain_cert(ctx, x509)){
468  }
469 
470  return i;
471 }
472 
473 static VALUE ossl_sslctx_setup(VALUE self);
474 
475 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
476 static VALUE
477 ossl_call_servername_cb(VALUE ary)
478 {
479  VALUE ssl_obj, sslctx_obj, cb, ret_obj;
480 
481  Check_Type(ary, T_ARRAY);
482  ssl_obj = rb_ary_entry(ary, 0);
483 
484  sslctx_obj = rb_iv_get(ssl_obj, "@context");
485  if (NIL_P(sslctx_obj)) return Qnil;
486  cb = rb_iv_get(sslctx_obj, "@servername_cb");
487  if (NIL_P(cb)) return Qnil;
488 
489  ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
490  if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
491  SSL *ssl;
492  SSL_CTX *ctx2;
493 
494  ossl_sslctx_setup(ret_obj);
495  Data_Get_Struct(ssl_obj, SSL, ssl);
496  Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
497  SSL_set_SSL_CTX(ssl, ctx2);
498  } else if (!NIL_P(ret_obj)) {
499  ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
500  }
501 
502  return ret_obj;
503 }
504 
505 static int
506 ssl_servername_cb(SSL *ssl, int *ad, void *arg)
507 {
508  VALUE ary, ssl_obj, ret_obj;
509  void *ptr;
510  int state = 0;
511  const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
512 
513  if (!servername)
514  return SSL_TLSEXT_ERR_OK;
515 
516  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
517  return SSL_TLSEXT_ERR_ALERT_FATAL;
518  ssl_obj = (VALUE)ptr;
519  ary = rb_ary_new2(2);
520  rb_ary_push(ary, ssl_obj);
521  rb_ary_push(ary, rb_str_new2(servername));
522 
523  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
524  if (state) {
525  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
526  return SSL_TLSEXT_ERR_ALERT_FATAL;
527  }
528 
529  return SSL_TLSEXT_ERR_OK;
530 }
531 #endif
532 
533 /*
534  * call-seq:
535  * ctx.setup => Qtrue # first time
536  * ctx.setup => nil # thereafter
537  *
538  * This method is called automatically when a new SSLSocket is created.
539  * Normally you do not need to call this method (unless you are writing an
540  * extension in C).
541  */
542 static VALUE
544 {
545  SSL_CTX *ctx;
546  X509 *cert = NULL, *client_ca = NULL;
547  X509_STORE *store;
548  EVP_PKEY *key = NULL;
549  char *ca_path = NULL, *ca_file = NULL;
550  int i, verify_mode;
551  VALUE val;
552 
553  if(OBJ_FROZEN(self)) return Qnil;
554  Data_Get_Struct(self, SSL_CTX, ctx);
555 
556 #if !defined(OPENSSL_NO_DH)
557  if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
558  SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
559  }
560  else{
561  SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
562  }
563 #endif
564  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self);
565 
566  val = ossl_sslctx_get_cert_store(self);
567  if(!NIL_P(val)){
568  /*
569  * WORKAROUND:
570  * X509_STORE can count references, but
571  * X509_STORE_free() doesn't care it.
572  * So we won't increment it but mark it by ex_data.
573  */
574  store = GetX509StorePtr(val); /* NO NEED TO DUP */
575  SSL_CTX_set_cert_store(ctx, store);
576  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
577  }
578 
579  val = ossl_sslctx_get_extra_cert(self);
580  if(!NIL_P(val)){
582  }
583 
584  /* private key may be bundled in certificate file. */
585  val = ossl_sslctx_get_cert(self);
586  cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
587  val = ossl_sslctx_get_key(self);
588  key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
589  if (cert && key) {
590  if (!SSL_CTX_use_certificate(ctx, cert)) {
591  /* Adds a ref => Safe to FREE */
592  ossl_raise(eSSLError, "SSL_CTX_use_certificate:");
593  }
594  if (!SSL_CTX_use_PrivateKey(ctx, key)) {
595  /* Adds a ref => Safe to FREE */
596  ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey:");
597  }
598  if (!SSL_CTX_check_private_key(ctx)) {
599  ossl_raise(eSSLError, "SSL_CTX_check_private_key:");
600  }
601  }
602 
603  val = ossl_sslctx_get_client_ca(self);
604  if(!NIL_P(val)){
605  if(TYPE(val) == T_ARRAY){
606  for(i = 0; i < RARRAY_LEN(val); i++){
607  client_ca = GetX509CertPtr(RARRAY_PTR(val)[i]);
608  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
609  /* Copies X509_NAME => FREE it. */
610  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
611  }
612  }
613  }
614  else{
615  client_ca = GetX509CertPtr(val); /* NO DUP NEEDED. */
616  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
617  /* Copies X509_NAME => FREE it. */
618  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
619  }
620  }
621  }
622 
623  val = ossl_sslctx_get_ca_file(self);
624  ca_file = NIL_P(val) ? NULL : StringValuePtr(val);
625  val = ossl_sslctx_get_ca_path(self);
626  ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
627  if(ca_file || ca_path){
628  if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
629  rb_warning("can't set verify locations");
630  }
631 
632  val = ossl_sslctx_get_verify_mode(self);
633  verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
634  SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
636  SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
637 
638  val = ossl_sslctx_get_timeout(self);
639  if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
640 
641  val = ossl_sslctx_get_verify_dep(self);
642  if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
643 
644  val = ossl_sslctx_get_options(self);
645  if(!NIL_P(val)) {
646  SSL_CTX_set_options(ctx, NUM2LONG(val));
647  }
648  else {
649  SSL_CTX_set_options(ctx, SSL_OP_ALL);
650  }
651  rb_obj_freeze(self);
652 
653  val = ossl_sslctx_get_sess_id_ctx(self);
654  if (!NIL_P(val)){
655  StringValue(val);
656  if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
657  RSTRING_LENINT(val))){
658  ossl_raise(eSSLError, "SSL_CTX_set_session_id_context:");
659  }
660  }
661 
662  if (RTEST(rb_iv_get(self, "@session_get_cb"))) {
663  SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
664  OSSL_Debug("SSL SESSION get callback added");
665  }
666  if (RTEST(rb_iv_get(self, "@session_new_cb"))) {
667  SSL_CTX_sess_set_new_cb(ctx, ossl_sslctx_session_new_cb);
668  OSSL_Debug("SSL SESSION new callback added");
669  }
670  if (RTEST(rb_iv_get(self, "@session_remove_cb"))) {
671  SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
672  OSSL_Debug("SSL SESSION remove callback added");
673  }
674 
675 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
676  val = rb_iv_get(self, "@servername_cb");
677  if (!NIL_P(val)) {
678  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
679  OSSL_Debug("SSL TLSEXT servername callback added");
680  }
681 #endif
682 
683  return Qtrue;
684 }
685 
686 static VALUE
687 ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
688 {
689  VALUE ary;
690  int bits, alg_bits;
691 
692  ary = rb_ary_new2(4);
693  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
694  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
695  bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
696  rb_ary_push(ary, INT2FIX(bits));
697  rb_ary_push(ary, INT2FIX(alg_bits));
698 
699  return ary;
700 }
701 
702 /*
703  * call-seq:
704  * ctx.ciphers => [[name, version, bits, alg_bits], ...]
705  *
706  * The list of ciphers configured for this context.
707  */
708 static VALUE
710 {
711  SSL_CTX *ctx;
712  STACK_OF(SSL_CIPHER) *ciphers;
713  SSL_CIPHER *cipher;
714  VALUE ary;
715  int i, num;
716 
717  Data_Get_Struct(self, SSL_CTX, ctx);
718  if(!ctx){
719  rb_warning("SSL_CTX is not initialized.");
720  return Qnil;
721  }
722  ciphers = ctx->cipher_list;
723 
724  if (!ciphers)
725  return rb_ary_new();
726 
727  num = sk_SSL_CIPHER_num(ciphers);
728  ary = rb_ary_new2(num);
729  for(i = 0; i < num; i++){
730  cipher = sk_SSL_CIPHER_value(ciphers, i);
731  rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
732  }
733  return ary;
734 }
735 
736 /*
737  * call-seq:
738  * ctx.ciphers = "cipher1:cipher2:..."
739  * ctx.ciphers = [name, ...]
740  * ctx.ciphers = [[name, version, bits, alg_bits], ...]
741  *
742  * Sets the list of available ciphers for this context. Note in a server
743  * context some ciphers require the appropriate certificates. For example, an
744  * RSA cipher can only be chosen when an RSA certificate is available.
745  *
746  * See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
747  */
748 static VALUE
750 {
751  SSL_CTX *ctx;
752  VALUE str, elem;
753  int i;
754 
755  rb_check_frozen(self);
756  if (NIL_P(v))
757  return v;
758  else if (TYPE(v) == T_ARRAY) {
759  str = rb_str_new(0, 0);
760  for (i = 0; i < RARRAY_LEN(v); i++) {
761  elem = rb_ary_entry(v, i);
762  if (TYPE(elem) == T_ARRAY) elem = rb_ary_entry(elem, 0);
763  elem = rb_String(elem);
764  rb_str_append(str, elem);
765  if (i < RARRAY_LEN(v)-1) rb_str_cat2(str, ":");
766  }
767  } else {
768  str = v;
769  StringValue(str);
770  }
771 
772  Data_Get_Struct(self, SSL_CTX, ctx);
773  if(!ctx){
774  ossl_raise(eSSLError, "SSL_CTX is not initialized.");
775  return Qnil;
776  }
777  if (!SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(str))) {
778  ossl_raise(eSSLError, "SSL_CTX_set_cipher_list:");
779  }
780 
781  return v;
782 }
783 
784 
785 /*
786  * call-seq:
787  * ctx.session_add(session) -> true | false
788  *
789  * Adds +session+ to the session cache
790  */
791 static VALUE
793 {
794  SSL_CTX *ctx;
795  SSL_SESSION *sess;
796 
797  Data_Get_Struct(self, SSL_CTX, ctx);
798  SafeGetSSLSession(arg, sess);
799 
800  return SSL_CTX_add_session(ctx, sess) == 1 ? Qtrue : Qfalse;
801 }
802 
803 /*
804  * call-seq:
805  * ctx.session_remove(session) -> true | false
806  *
807  * Removes +session+ from the session cache
808  */
809 static VALUE
811 {
812  SSL_CTX *ctx;
813  SSL_SESSION *sess;
814 
815  Data_Get_Struct(self, SSL_CTX, ctx);
816  SafeGetSSLSession(arg, sess);
817 
818  return SSL_CTX_remove_session(ctx, sess) == 1 ? Qtrue : Qfalse;
819 }
820 
821 /*
822  * call-seq:
823  * ctx.session_cache_mode -> Integer
824  *
825  * The current session cache mode.
826  */
827 static VALUE
829 {
830  SSL_CTX *ctx;
831 
832  Data_Get_Struct(self, SSL_CTX, ctx);
833 
834  return LONG2NUM(SSL_CTX_get_session_cache_mode(ctx));
835 }
836 
837 /*
838  * call-seq:
839  * ctx.session_cache_mode=(integer) -> Integer
840  *
841  * Sets the SSL session cache mode. Bitwise-or together the desired
842  * SESSION_CACHE_* constants to set. See SSL_CTX_set_session_cache_mode(3) for
843  * details.
844  */
845 static VALUE
847 {
848  SSL_CTX *ctx;
849 
850  Data_Get_Struct(self, SSL_CTX, ctx);
851 
852  SSL_CTX_set_session_cache_mode(ctx, NUM2LONG(arg));
853 
854  return arg;
855 }
856 
857 /*
858  * call-seq:
859  * ctx.session_cache_size -> Integer
860  *
861  * Returns the current session cache size. Zero is used to represent an
862  * unlimited cache size.
863  */
864 static VALUE
866 {
867  SSL_CTX *ctx;
868 
869  Data_Get_Struct(self, SSL_CTX, ctx);
870 
871  return LONG2NUM(SSL_CTX_sess_get_cache_size(ctx));
872 }
873 
874 /*
875  * call-seq:
876  * ctx.session_cache_size=(integer) -> Integer
877  *
878  * Sets the session cache size. Returns the previously valid session cache
879  * size. Zero is used to represent an unlimited session cache size.
880  */
881 static VALUE
883 {
884  SSL_CTX *ctx;
885 
886  Data_Get_Struct(self, SSL_CTX, ctx);
887 
888  SSL_CTX_sess_set_cache_size(ctx, NUM2LONG(arg));
889 
890  return arg;
891 }
892 
893 /*
894  * call-seq:
895  * ctx.session_cache_stats -> Hash
896  *
897  * Returns a Hash containing the following keys:
898  *
899  * :accept:: Number of started SSL/TLS handshakes in server mode
900  * :accept_good:: Number of established SSL/TLS sessions in server mode
901  * :accept_renegotiate:: Number of start renegotiations in server mode
902  * :cache_full:: Number of sessions that were removed due to cache overflow
903  * :cache_hits:: Number of successfully reused connections
904  * :cache_misses:: Number of sessions proposed by clients that were not found
905  * in the cache
906  * :cache_num:: Number of sessions in the internal session cache
907  * :cb_hits:: Number of sessions retrieved from the external cache in server
908  * mode
909  * :connect:: Number of started SSL/TLS handshakes in client mode
910  * :connect_good:: Number of established SSL/TLS sessions in client mode
911  * :connect_renegotiate:: Number of start renegotiations in client mode
912  * :timeouts:: Number of sessions proposed by clients that were found in the
913  * cache but had expired due to timeouts
914  */
915 static VALUE
917 {
918  SSL_CTX *ctx;
919  VALUE hash;
920 
921  Data_Get_Struct(self, SSL_CTX, ctx);
922 
923  hash = rb_hash_new();
924  rb_hash_aset(hash, ID2SYM(rb_intern("cache_num")), LONG2NUM(SSL_CTX_sess_number(ctx)));
925  rb_hash_aset(hash, ID2SYM(rb_intern("connect")), LONG2NUM(SSL_CTX_sess_connect(ctx)));
926  rb_hash_aset(hash, ID2SYM(rb_intern("connect_good")), LONG2NUM(SSL_CTX_sess_connect_good(ctx)));
927  rb_hash_aset(hash, ID2SYM(rb_intern("connect_renegotiate")), LONG2NUM(SSL_CTX_sess_connect_renegotiate(ctx)));
928  rb_hash_aset(hash, ID2SYM(rb_intern("accept")), LONG2NUM(SSL_CTX_sess_accept(ctx)));
929  rb_hash_aset(hash, ID2SYM(rb_intern("accept_good")), LONG2NUM(SSL_CTX_sess_accept_good(ctx)));
930  rb_hash_aset(hash, ID2SYM(rb_intern("accept_renegotiate")), LONG2NUM(SSL_CTX_sess_accept_renegotiate(ctx)));
931  rb_hash_aset(hash, ID2SYM(rb_intern("cache_hits")), LONG2NUM(SSL_CTX_sess_hits(ctx)));
932  rb_hash_aset(hash, ID2SYM(rb_intern("cb_hits")), LONG2NUM(SSL_CTX_sess_cb_hits(ctx)));
933  rb_hash_aset(hash, ID2SYM(rb_intern("cache_misses")), LONG2NUM(SSL_CTX_sess_misses(ctx)));
934  rb_hash_aset(hash, ID2SYM(rb_intern("cache_full")), LONG2NUM(SSL_CTX_sess_cache_full(ctx)));
935  rb_hash_aset(hash, ID2SYM(rb_intern("timeouts")), LONG2NUM(SSL_CTX_sess_timeouts(ctx)));
936 
937  return hash;
938 }
939 
940 
941 /*
942  * call-seq:
943  * ctx.flush_sessions(time | nil) -> self
944  *
945  * Removes sessions in the internal cache that have expired at +time+.
946  */
947 static VALUE
949 {
950  VALUE arg1;
951  SSL_CTX *ctx;
952  time_t tm = 0;
953 
954  rb_scan_args(argc, argv, "01", &arg1);
955 
956  Data_Get_Struct(self, SSL_CTX, ctx);
957 
958  if (NIL_P(arg1)) {
959  tm = time(0);
960  } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
961  tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
962  } else {
963  ossl_raise(rb_eArgError, "arg must be Time or nil");
964  }
965 
966  SSL_CTX_flush_sessions(ctx, (long)tm);
967 
968  return self;
969 }
970 
971 /*
972  * SSLSocket class
973  */
974 static void
976 {
977  int i, rc;
978 
979  if (ssl) {
980  /* 4 is from SSL_smart_shutdown() of mod_ssl.c (v2.2.19) */
981  /* It says max 2x pending + 2x data = 4 */
982  for (i = 0; i < 4; ++i) {
983  /*
984  * Ignore the case SSL_shutdown returns -1. Empty handshake_func
985  * must not happen.
986  */
987  if (rc = SSL_shutdown(ssl))
988  break;
989  }
990  ERR_clear_error();
991  SSL_clear(ssl);
992  }
993 }
994 
995 static void
996 ossl_ssl_free(SSL *ssl)
997 {
998  SSL_free(ssl);
999 }
1000 
1001 static VALUE
1003 {
1004  return Data_Wrap_Struct(klass, 0, ossl_ssl_free, NULL);
1005 }
1006 
1007 /*
1008  * call-seq:
1009  * SSLSocket.new(io) => aSSLSocket
1010  * SSLSocket.new(io, ctx) => aSSLSocket
1011  *
1012  * Creates a new SSL socket from +io+ which must be a real ruby object (not an
1013  * IO-like object that responds to read/write.
1014  *
1015  * If +ctx+ is provided the SSL Sockets initial params will be taken from
1016  * the context.
1017  *
1018  * The OpenSSL::Buffering module provides additional IO methods.
1019  *
1020  * This method will freeze the SSLContext if one is provided;
1021  * however, session management is still allowed in the frozen SSLContext.
1022  */
1023 static VALUE
1025 {
1026  VALUE io, ctx;
1027 
1028  if (rb_scan_args(argc, argv, "11", &io, &ctx) == 1) {
1029  ctx = rb_funcall(cSSLContext, rb_intern("new"), 0);
1030  }
1032  Check_Type(io, T_FILE);
1033  ossl_ssl_set_io(self, io);
1034  ossl_ssl_set_ctx(self, ctx);
1036  ossl_sslctx_setup(ctx);
1037 
1038  rb_iv_set(self, "@hostname", Qnil);
1039 
1040  rb_call_super(0, 0);
1041 
1042  return self;
1043 }
1044 
1045 static VALUE
1047 {
1048  VALUE io, v_ctx, cb;
1049  SSL_CTX *ctx;
1050  SSL *ssl;
1051  rb_io_t *fptr;
1052 
1053  Data_Get_Struct(self, SSL, ssl);
1054  if(!ssl){
1055 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1056  VALUE hostname = rb_iv_get(self, "@hostname");
1057 #endif
1058 
1059  v_ctx = ossl_ssl_get_ctx(self);
1060  Data_Get_Struct(v_ctx, SSL_CTX, ctx);
1061 
1062  ssl = SSL_new(ctx);
1063  if (!ssl) {
1064  ossl_raise(eSSLError, "SSL_new:");
1065  }
1066  DATA_PTR(self) = ssl;
1067 
1068 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1069  if (!NIL_P(hostname)) {
1070  if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1)
1071  ossl_raise(eSSLError, "SSL_set_tlsext_host_name:");
1072  }
1073 #endif
1074  io = ossl_ssl_get_io(self);
1075  GetOpenFile(io, fptr);
1076  rb_io_check_readable(fptr);
1077  rb_io_check_writable(fptr);
1078  SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr)));
1079  SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self);
1080  cb = ossl_sslctx_get_verify_cb(v_ctx);
1081  SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb);
1082  cb = ossl_sslctx_get_client_cert_cb(v_ctx);
1083  SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
1084  cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
1085  SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
1086  }
1087 
1088  return Qtrue;
1089 }
1090 
1091 #ifdef _WIN32
1092 #define ssl_get_error(ssl, ret) (errno = rb_w32_map_errno(WSAGetLastError()), SSL_get_error((ssl), (ret)))
1093 #else
1094 #define ssl_get_error(ssl, ret) SSL_get_error((ssl), (ret))
1095 #endif
1096 
1097 static void
1098 write_would_block(int nonblock)
1099 {
1100  if (nonblock) {
1101  VALUE exc = ossl_exc_new(eSSLError, "write would block");
1103  rb_exc_raise(exc);
1104  }
1105 }
1106 
1107 static void
1108 read_would_block(int nonblock)
1109 {
1110  if (nonblock) {
1111  VALUE exc = ossl_exc_new(eSSLError, "read would block");
1113  rb_exc_raise(exc);
1114  }
1115 }
1116 
1117 static VALUE
1118 ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, int nonblock)
1119 {
1120  SSL *ssl;
1121  rb_io_t *fptr;
1122  int ret, ret2;
1123  VALUE cb_state;
1124 
1126 
1127  Data_Get_Struct(self, SSL, ssl);
1128  GetOpenFile(ossl_ssl_get_io(self), fptr);
1129  for(;;){
1130  ret = func(ssl);
1131 
1132  cb_state = rb_ivar_get(self, ID_callback_state);
1133  if (!NIL_P(cb_state))
1134  rb_jump_tag(NUM2INT(cb_state));
1135 
1136  if (ret > 0)
1137  break;
1138 
1139  switch((ret2 = ssl_get_error(ssl, ret))){
1140  case SSL_ERROR_WANT_WRITE:
1141  write_would_block(nonblock);
1143  continue;
1144  case SSL_ERROR_WANT_READ:
1145  read_would_block(nonblock);
1147  continue;
1148  case SSL_ERROR_SYSCALL:
1149  if (errno) rb_sys_fail(funcname);
1150  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1151  default:
1152  ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1153  }
1154  }
1155 
1156  return self;
1157 }
1158 
1159 /*
1160  * call-seq:
1161  * ssl.connect => self
1162  *
1163  * Initiates an SSL/TLS handshake with a server. The handshake may be started
1164  * after unencrypted data has been sent over the socket.
1165  */
1166 static VALUE
1168 {
1169  ossl_ssl_setup(self);
1170  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 0);
1171 }
1172 
1173 /*
1174  * call-seq:
1175  * ssl.connect_nonblock => self
1176  *
1177  * Initiates the SSL/TLS handshake as a client in non-blocking manner.
1178  *
1179  * # emulates blocking connect
1180  * begin
1181  * ssl.connect_nonblock
1182  * rescue IO::WaitReadable
1183  * IO.select([s2])
1184  * retry
1185  * rescue IO::WaitWritable
1186  * IO.select(nil, [s2])
1187  * retry
1188  * end
1189  *
1190  */
1191 static VALUE
1193 {
1194  ossl_ssl_setup(self);
1195  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 1);
1196 }
1197 
1198 /*
1199  * call-seq:
1200  * ssl.accept => self
1201  *
1202  * Waits for a SSL/TLS client to initiate a handshake. The handshake may be
1203  * started after unencrypted data has been sent over the socket.
1204  */
1205 static VALUE
1207 {
1208  ossl_ssl_setup(self);
1209  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 0);
1210 }
1211 
1212 /*
1213  * call-seq:
1214  * ssl.accept_nonblock => self
1215  *
1216  * Initiates the SSL/TLS handshake as a server in non-blocking manner.
1217  *
1218  * # emulates blocking accept
1219  * begin
1220  * ssl.accept_nonblock
1221  * rescue IO::WaitReadable
1222  * IO.select([s2])
1223  * retry
1224  * rescue IO::WaitWritable
1225  * IO.select(nil, [s2])
1226  * retry
1227  * end
1228  *
1229  */
1230 static VALUE
1232 {
1233  ossl_ssl_setup(self);
1234  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 1);
1235 }
1236 
1237 static VALUE
1238 ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1239 {
1240  SSL *ssl;
1241  int ilen, nread = 0;
1242  VALUE len, str;
1243  rb_io_t *fptr;
1244 
1245  rb_scan_args(argc, argv, "11", &len, &str);
1246  ilen = NUM2INT(len);
1247  if(NIL_P(str)) str = rb_str_new(0, ilen);
1248  else{
1249  StringValue(str);
1250  rb_str_modify(str);
1251  rb_str_resize(str, ilen);
1252  }
1253  if(ilen == 0) return str;
1254 
1255  Data_Get_Struct(self, SSL, ssl);
1256  GetOpenFile(ossl_ssl_get_io(self), fptr);
1257  if (ssl) {
1258  if(!nonblock && SSL_pending(ssl) <= 0)
1260  for (;;){
1261  nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1262  switch(ssl_get_error(ssl, nread)){
1263  case SSL_ERROR_NONE:
1264  goto end;
1265  case SSL_ERROR_ZERO_RETURN:
1266  rb_eof_error();
1267  case SSL_ERROR_WANT_WRITE:
1268  write_would_block(nonblock);
1270  continue;
1271  case SSL_ERROR_WANT_READ:
1272  read_would_block(nonblock);
1274  continue;
1275  case SSL_ERROR_SYSCALL:
1276  if(ERR_peek_error() == 0 && nread == 0) rb_eof_error();
1277  rb_sys_fail(0);
1278  default:
1279  ossl_raise(eSSLError, "SSL_read:");
1280  }
1281  }
1282  }
1283  else {
1284  ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1285  rb_warning("SSL session is not started yet.");
1286  return rb_funcall(ossl_ssl_get_io(self), meth, 2, len, str);
1287  }
1288 
1289  end:
1290  rb_str_set_len(str, nread);
1291  OBJ_TAINT(str);
1292 
1293  return str;
1294 }
1295 
1296 
1297 /*
1298  * call-seq:
1299  * ssl.sysread(length) => string
1300  * ssl.sysread(length, buffer) => buffer
1301  *
1302  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1303  * is provided the data will be written into it.
1304  */
1305 static VALUE
1307 {
1308  return ossl_ssl_read_internal(argc, argv, self, 0);
1309 }
1310 
1311 /*
1312  * call-seq:
1313  * ssl.sysread_nonblock(length) => string
1314  * ssl.sysread_nonblock(length, buffer) => buffer
1315  *
1316  * A non-blocking version of #sysread. Raises an SSLError if reading would
1317  * block.
1318  *
1319  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1320  * is provided the data will be written into it.
1321  */
1322 static VALUE
1324 {
1325  return ossl_ssl_read_internal(argc, argv, self, 1);
1326 }
1327 
1328 static VALUE
1329 ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock)
1330 {
1331  SSL *ssl;
1332  int nwrite = 0;
1333  rb_io_t *fptr;
1334 
1335  StringValue(str);
1336  Data_Get_Struct(self, SSL, ssl);
1337  GetOpenFile(ossl_ssl_get_io(self), fptr);
1338 
1339  if (ssl) {
1340  for (;;){
1341  nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1342  switch(ssl_get_error(ssl, nwrite)){
1343  case SSL_ERROR_NONE:
1344  goto end;
1345  case SSL_ERROR_WANT_WRITE:
1346  write_would_block(nonblock);
1348  continue;
1349  case SSL_ERROR_WANT_READ:
1350  read_would_block(nonblock);
1352  continue;
1353  case SSL_ERROR_SYSCALL:
1354  if (errno) rb_sys_fail(0);
1355  default:
1356  ossl_raise(eSSLError, "SSL_write:");
1357  }
1358  }
1359  }
1360  else {
1361  ID id_syswrite = rb_intern("syswrite");
1362  rb_warning("SSL session is not started yet.");
1363  return rb_funcall(ossl_ssl_get_io(self), id_syswrite, 1, str);
1364  }
1365 
1366  end:
1367  return INT2NUM(nwrite);
1368 }
1369 
1370 /*
1371  * call-seq:
1372  * ssl.syswrite(string) => Integer
1373  *
1374  * Writes +string+ to the SSL connection.
1375  */
1376 static VALUE
1378 {
1379  return ossl_ssl_write_internal(self, str, 0);
1380 }
1381 
1382 /*
1383  * call-seq:
1384  * ssl.syswrite_nonblock(string) => Integer
1385  *
1386  * Writes +string+ to the SSL connection in a non-blocking manner. Raises an
1387  * SSLError if writing would block.
1388  */
1389 static VALUE
1391 {
1392  return ossl_ssl_write_internal(self, str, 1);
1393 }
1394 
1395 /*
1396  * call-seq:
1397  * ssl.sysclose => nil
1398  *
1399  * Shuts down the SSL connection and prepares it for another connection.
1400  */
1401 static VALUE
1403 {
1404  SSL *ssl;
1405 
1406  Data_Get_Struct(self, SSL, ssl);
1407  if (ssl) {
1408  VALUE io = ossl_ssl_get_io(self);
1409  if (!RTEST(rb_funcall(io, rb_intern("closed?"), 0))) {
1410  ossl_ssl_shutdown(ssl);
1411  SSL_free(ssl);
1412  DATA_PTR(self) = NULL;
1413  if (RTEST(ossl_ssl_get_sync_close(self)))
1414  rb_funcall(io, rb_intern("close"), 0);
1415  }
1416  }
1417 
1418  return Qnil;
1419 }
1420 
1421 /*
1422  * call-seq:
1423  * ssl.cert => cert or nil
1424  *
1425  * The X509 certificate for this socket endpoint.
1426  */
1427 static VALUE
1429 {
1430  SSL *ssl;
1431  X509 *cert = NULL;
1432 
1433  Data_Get_Struct(self, SSL, ssl);
1434  if (!ssl) {
1435  rb_warning("SSL session is not started yet.");
1436  return Qnil;
1437  }
1438 
1439  /*
1440  * Is this OpenSSL bug? Should add a ref?
1441  * TODO: Ask for.
1442  */
1443  cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
1444 
1445  if (!cert) {
1446  return Qnil;
1447  }
1448  return ossl_x509_new(cert);
1449 }
1450 
1451 /*
1452  * call-seq:
1453  * ssl.peer_cert => cert or nil
1454  *
1455  * The X509 certificate for this socket's peer.
1456  */
1457 static VALUE
1459 {
1460  SSL *ssl;
1461  X509 *cert = NULL;
1462  VALUE obj;
1463 
1464  Data_Get_Struct(self, SSL, ssl);
1465 
1466  if (!ssl){
1467  rb_warning("SSL session is not started yet.");
1468  return Qnil;
1469  }
1470 
1471  cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
1472 
1473  if (!cert) {
1474  return Qnil;
1475  }
1476  obj = ossl_x509_new(cert);
1477  X509_free(cert);
1478 
1479  return obj;
1480 }
1481 
1482 /*
1483  * call-seq:
1484  * ssl.peer_cert_chain => [cert, ...] or nil
1485  *
1486  * The X509 certificate chain for this socket's peer.
1487  */
1488 static VALUE
1490 {
1491  SSL *ssl;
1492  STACK_OF(X509) *chain;
1493  X509 *cert;
1494  VALUE ary;
1495  int i, num;
1496 
1497  Data_Get_Struct(self, SSL, ssl);
1498  if(!ssl){
1499  rb_warning("SSL session is not started yet.");
1500  return Qnil;
1501  }
1502  chain = SSL_get_peer_cert_chain(ssl);
1503  if(!chain) return Qnil;
1504  num = sk_X509_num(chain);
1505  ary = rb_ary_new2(num);
1506  for (i = 0; i < num; i++){
1507  cert = sk_X509_value(chain, i);
1508  rb_ary_push(ary, ossl_x509_new(cert));
1509  }
1510 
1511  return ary;
1512 }
1513 
1514 /*
1515  * call-seq:
1516  * ssl.cipher => [name, version, bits, alg_bits]
1517  *
1518  * The cipher being used for the current connection
1519  */
1520 static VALUE
1522 {
1523  SSL *ssl;
1524  SSL_CIPHER *cipher;
1525 
1526  Data_Get_Struct(self, SSL, ssl);
1527  if (!ssl) {
1528  rb_warning("SSL session is not started yet.");
1529  return Qnil;
1530  }
1531  cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
1532 
1533  return ossl_ssl_cipher_to_ary(cipher);
1534 }
1535 
1536 /*
1537  * call-seq:
1538  * ssl.state => string
1539  *
1540  * A description of the current connection state.
1541  */
1542 static VALUE
1544 {
1545  SSL *ssl;
1546  VALUE ret;
1547 
1548  Data_Get_Struct(self, SSL, ssl);
1549  if (!ssl) {
1550  rb_warning("SSL session is not started yet.");
1551  return Qnil;
1552  }
1553  ret = rb_str_new2(SSL_state_string(ssl));
1554  if (ruby_verbose) {
1555  rb_str_cat2(ret, ": ");
1556  rb_str_cat2(ret, SSL_state_string_long(ssl));
1557  }
1558  return ret;
1559 }
1560 
1561 /*
1562  * call-seq:
1563  * ssl.pending => Integer
1564  *
1565  * The number of bytes that are immediately available for reading
1566  */
1567 static VALUE
1569 {
1570  SSL *ssl;
1571 
1572  Data_Get_Struct(self, SSL, ssl);
1573  if (!ssl) {
1574  rb_warning("SSL session is not started yet.");
1575  return Qnil;
1576  }
1577 
1578  return INT2NUM(SSL_pending(ssl));
1579 }
1580 
1581 /*
1582  * call-seq:
1583  * ssl.session_reused? -> true | false
1584  *
1585  * Returns true if a reused session was negotiated during the handshake.
1586  */
1587 static VALUE
1589 {
1590  SSL *ssl;
1591 
1592  Data_Get_Struct(self, SSL, ssl);
1593  if (!ssl) {
1594  rb_warning("SSL session is not started yet.");
1595  return Qnil;
1596  }
1597 
1598  switch(SSL_session_reused(ssl)) {
1599  case 1: return Qtrue;
1600  case 0: return Qfalse;
1601  default: ossl_raise(eSSLError, "SSL_session_reused");
1602  }
1603 }
1604 
1605 /*
1606  * call-seq:
1607  * ssl.session = session -> session
1608  *
1609  * Sets the Session to be used when the connection is established.
1610  */
1611 static VALUE
1613 {
1614  SSL *ssl;
1615  SSL_SESSION *sess;
1616 
1617 /* why is ossl_ssl_setup delayed? */
1618  ossl_ssl_setup(self);
1619 
1620  Data_Get_Struct(self, SSL, ssl);
1621  if (!ssl) {
1622  rb_warning("SSL session is not started yet.");
1623  return Qnil;
1624  }
1625 
1626  SafeGetSSLSession(arg1, sess);
1627 
1628  if (SSL_set_session(ssl, sess) != 1)
1629  ossl_raise(eSSLError, "SSL_set_session");
1630 
1631  return arg1;
1632 }
1633 
1634 /*
1635  * call-seq:
1636  * ssl.verify_result => Integer
1637  *
1638  * Returns the result of the peer certificates verification. See verify(1)
1639  * for error values and descriptions.
1640  *
1641  * If no peer certificate was presented X509_V_OK is returned.
1642  */
1643 static VALUE
1645 {
1646  SSL *ssl;
1647 
1648  Data_Get_Struct(self, SSL, ssl);
1649  if (!ssl) {
1650  rb_warning("SSL session is not started yet.");
1651  return Qnil;
1652  }
1653 
1654  return INT2FIX(SSL_get_verify_result(ssl));
1655 }
1656 
1657 /*
1658  * call-seq:
1659  * ssl.client_ca => [x509name, ...]
1660  *
1661  * Returns the list of client CAs. Please note that in contrast to
1662  * SSLContext#client_ca= no array of X509::Certificate is returned but
1663  * X509::Name instances of the CA's subject distinguished name.
1664  *
1665  * In server mode, returns the list set by SSLContext#client_ca=.
1666  * In client mode, returns the list of client CAs sent from the server.
1667  */
1668 static VALUE
1670 {
1671  SSL *ssl;
1672  STACK_OF(X509_NAME) *ca;
1673 
1674  Data_Get_Struct(self, SSL, ssl);
1675  if (!ssl) {
1676  rb_warning("SSL session is not started yet.");
1677  return Qnil;
1678  }
1679 
1680  ca = SSL_get_client_CA_list(ssl);
1681  return ossl_x509name_sk2ary(ca);
1682 }
1683 
1684 void
1686 {
1687  int i;
1688  VALUE ary;
1689 
1690 #if 0
1691  mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
1692 #endif
1693 
1694  ID_callback_state = rb_intern("@callback_state");
1695 
1696  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
1697  ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
1698  ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
1700  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
1702  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
1703 
1704  mSSL = rb_define_module_under(mOSSL, "SSL");
1706 
1708 
1709  /* Document-class: OpenSSL::SSL::SSLContext
1710  *
1711  * An SSLContext is used to set various options regarding certificates,
1712  * algorithms, verification, session caching, etc. The SSLContext is
1713  * used to create an SSLSocket.
1714  *
1715  * All attributes must be set before creating an SSLSocket as the
1716  * SSLContext will be frozen afterward.
1717  *
1718  * The following attributes are available but don't show up in rdoc:
1719  * * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
1720  * * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
1721  * * session_id_context, session_add_cb, session_new_cb, session_remove_cb
1722  */
1725 
1726  /*
1727  * Context certificate
1728  */
1729  rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
1730 
1731  /*
1732  * Context private key
1733  */
1734  rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
1735 
1736  /*
1737  * A certificate or Array of certificates that will be sent to the client.
1738  */
1739  rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
1740 
1741  /*
1742  * The path to a file containing a PEM-format CA certificate
1743  */
1744  rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
1745 
1746  /*
1747  * The path to a directory containing CA certificates in PEM format.
1748  *
1749  * Files are looked up by subject's X509 name's hash value.
1750  */
1751  rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
1752 
1753  /*
1754  * Maximum session lifetime.
1755  */
1756  rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
1757 
1758  /*
1759  * Session verification mode.
1760  *
1761  * Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
1762  * VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
1763  */
1764  rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
1765 
1766  /*
1767  * Number of CA certificates to walk when verifying a certificate chain.
1768  */
1769  rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
1770 
1771  /*
1772  * A callback for additional certificate verification. The callback is
1773  * invoked for each certificate in the chain.
1774  *
1775  * The callback is invoked with two values. +preverify_ok+ indicates
1776  * indicates if the verification was passed (true) or not (false).
1777  * +store_context+ is an OpenSSL::X509::StoreContext containing the
1778  * context used for certificate verification.
1779  *
1780  * If the callback returns false verification is stopped.
1781  */
1782  rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
1783 
1784  /*
1785  * Sets various OpenSSL options.
1786  */
1787  rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse);
1788 
1789  /*
1790  * An OpenSSL::X509::Store used for certificate verification
1791  */
1792  rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
1793 
1794  /*
1795  * An Array of extra X509 certificates to be added to the certificate
1796  * chain.
1797  */
1798  rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
1799 
1800  /*
1801  * A callback invoked when a client certificate is requested by a server
1802  * and no certificate has been set.
1803  *
1804  * The callback is invoked with a Session and must return an Array
1805  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
1806  * other value is returned the handshake is suspended.
1807  */
1808  rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
1809 
1810  /*
1811  * A callback invoked when DH parameters are required.
1812  *
1813  * The callback is invoked with the Session for the key exchange, an
1814  * flag indicating the use of an export cipher and the keylength
1815  * required.
1816  *
1817  * The callback must return an OpenSSL::PKey::DH instance of the correct
1818  * key length.
1819  */
1820  rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse);
1821 
1822  /*
1823  * Sets the context in which a session can be reused. This allows
1824  * sessions for multiple applications to be distinguished, for exapmle, by
1825  * name.
1826  */
1827  rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
1828 
1829  /*
1830  * A callback invoked on a server when a session is proposed by the client
1831  * but the session could not be found in the server's internal cache.
1832  *
1833  * The callback is invoked with the SSLSocket and session id. The
1834  * callback may return a Session from an external cache.
1835  */
1836  rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
1837 
1838  /*
1839  * A callback invoked when a new session was negotiatied.
1840  *
1841  * The callback is invoked with an SSLSocket. If false is returned the
1842  * session will be removed from the internal cache.
1843  */
1844  rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
1845 
1846  /*
1847  * A callback invoked when a session is removed from the internal cache.
1848  *
1849  * The callback is invoked with an SSLContext and a Session.
1850  */
1851  rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
1852 
1853 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1854  /*
1855  * A callback invoked at connect time to distinguish between multiple
1856  * server names.
1857  *
1858  * The callback is invoked with an SSLSocket and a server name. The
1859  * callback must return an SSLContext for the server name or nil.
1860  */
1861  rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse);
1862 #endif
1863 
1864  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
1865  rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
1870 
1872 
1873 
1874  /*
1875  * No session caching for client or server
1876  */
1877  rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
1878 
1879  /*
1880  * Client sessions are added to the session cache
1881  */
1882  rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
1883 
1884  /*
1885  * Server sessions are added to the session cache
1886  */
1887  rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
1888 
1889  /*
1890  * Both client and server sessions are added to the session cache
1891  */
1892  rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
1893 
1894  /*
1895  * Normally the sesison cache is checked for expired sessions every 255
1896  * connections. Since this may lead to a delay that cannot be controlled,
1897  * the automatic flushing may be disabled and #flush_sessions can be
1898  * called explicitly.
1899  */
1900  rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
1901 
1902  /*
1903  * Always perform external lookups of sessions even if they are in the
1904  * internal cache.
1905  *
1906  * This flag has no effect on clients
1907  */
1908  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
1909 
1910  /*
1911  * Never automatically store sessions in the internal store.
1912  */
1913  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
1914 
1915  /*
1916  * Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
1917  * SESSION_CACHE_NO_INTERNAL_STORE.
1918  */
1919  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
1920 
1929 
1931  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
1933  }
1934  rb_obj_freeze(ary);
1935  /* The list of available SSL/TLS methods */
1936  rb_define_const(cSSLContext, "METHODS", ary);
1937 
1938  /*
1939  * Document-class: OpenSSL::SSL::SSLSocket
1940  *
1941  * The following attributes are available but don't show up in rdoc.
1942  * * io, context, sync_close
1943  *
1944  */
1947  for(i = 0; i < numberof(ossl_ssl_attr_readers); i++)
1949  for(i = 0; i < numberof(ossl_ssl_attrs); i++)
1951  rb_define_alias(cSSLSocket, "to_io", "io");
1952  rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
1954  rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, 0);
1956  rb_define_method(cSSLSocket, "accept_nonblock", ossl_ssl_accept_nonblock, 0);
1957  rb_define_method(cSSLSocket, "sysread", ossl_ssl_read, -1);
1959  rb_define_method(cSSLSocket, "syswrite", ossl_ssl_write, 1);
1961  rb_define_method(cSSLSocket, "sysclose", ossl_ssl_close, 0);
1968  rb_define_method(cSSLSocket, "session_reused?", ossl_ssl_session_reused, 0);
1972 
1973 #define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2NUM(SSL_##x))
1974 
1975  ossl_ssl_def_const(VERIFY_NONE);
1976  ossl_ssl_def_const(VERIFY_PEER);
1977  ossl_ssl_def_const(VERIFY_FAIL_IF_NO_PEER_CERT);
1978  ossl_ssl_def_const(VERIFY_CLIENT_ONCE);
1979  /* Introduce constants included in OP_ALL. These constants are mostly for
1980  * unset some bits in OP_ALL such as:
1981  * ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
1982  */
1983  ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
1984  ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
1985  ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
1986  ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
1987  ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
1988  ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
1989  ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
1990  ossl_ssl_def_const(OP_TLS_D5_BUG);
1991  ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
1992  ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
1993  ossl_ssl_def_const(OP_ALL);
1994 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
1995  ossl_ssl_def_const(OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
1996 #endif
1997 #if defined(SSL_OP_SINGLE_ECDH_USE)
1998  ossl_ssl_def_const(OP_SINGLE_ECDH_USE);
1999 #endif
2000  ossl_ssl_def_const(OP_SINGLE_DH_USE);
2001  ossl_ssl_def_const(OP_EPHEMERAL_RSA);
2002 #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
2003  ossl_ssl_def_const(OP_CIPHER_SERVER_PREFERENCE);
2004 #endif
2005  ossl_ssl_def_const(OP_TLS_ROLLBACK_BUG);
2006  ossl_ssl_def_const(OP_NO_SSLv2);
2007  ossl_ssl_def_const(OP_NO_SSLv3);
2008  ossl_ssl_def_const(OP_NO_TLSv1);
2009 #if defined(SSL_OP_NO_TICKET)
2010  ossl_ssl_def_const(OP_NO_TICKET);
2011 #endif
2012 #if defined(SSL_OP_NO_COMPRESSION)
2013  ossl_ssl_def_const(OP_NO_COMPRESSION);
2014 #endif
2015  ossl_ssl_def_const(OP_PKCS1_CHECK_1);
2016  ossl_ssl_def_const(OP_PKCS1_CHECK_2);
2017  ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
2018  ossl_ssl_def_const(OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
2019 }
2020