Ruby  1.9.3p392(2013-02-22revision39386)
ossl_ssl.c
Go to the documentation of this file.
1 /*
2  * $Id: ossl_ssl.c 34524 2012-02-09 17:04:41Z emboss $
3  * 'OpenSSL for Ruby' project
4  * Copyright (C) 2000-2002 GOTOU Yuuzou <gotoyuzo@notwork.org>
5  * Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
6  * Copyright (C) 2001-2007 Technorama Ltd. <oss-ruby@technorama.net>
7  * All rights reserved.
8  */
9 /*
10  * This program is licenced under the same licence as Ruby.
11  * (See the file 'LICENCE'.)
12  */
13 #include "ossl.h"
14 
15 #if defined(HAVE_UNISTD_H)
16 # include <unistd.h> /* for read(), and write() */
17 #endif
18 
19 #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
20 
21 #ifdef _WIN32
22 # define TO_SOCKET(s) _get_osfhandle(s)
23 #else
24 # define TO_SOCKET(s) (s)
25 #endif
26 
31 
32 #define ossl_sslctx_set_cert(o,v) rb_iv_set((o),"@cert",(v))
33 #define ossl_sslctx_set_key(o,v) rb_iv_set((o),"@key",(v))
34 #define ossl_sslctx_set_client_ca(o,v) rb_iv_set((o),"@client_ca",(v))
35 #define ossl_sslctx_set_ca_file(o,v) rb_iv_set((o),"@ca_file",(v))
36 #define ossl_sslctx_set_ca_path(o,v) rb_iv_set((o),"@ca_path",(v))
37 #define ossl_sslctx_set_timeout(o,v) rb_iv_set((o),"@timeout",(v))
38 #define ossl_sslctx_set_verify_mode(o,v) rb_iv_set((o),"@verify_mode",(v))
39 #define ossl_sslctx_set_verify_dep(o,v) rb_iv_set((o),"@verify_depth",(v))
40 #define ossl_sslctx_set_verify_cb(o,v) rb_iv_set((o),"@verify_callback",(v))
41 #define ossl_sslctx_set_options(o,v) rb_iv_set((o),"@options",(v))
42 #define ossl_sslctx_set_cert_store(o,v) rb_iv_set((o),"@cert_store",(v))
43 #define ossl_sslctx_set_extra_cert(o,v) rb_iv_set((o),"@extra_chain_cert",(v))
44 #define ossl_sslctx_set_client_cert_cb(o,v) rb_iv_set((o),"@client_cert_cb",(v))
45 #define ossl_sslctx_set_tmp_dh_cb(o,v) rb_iv_set((o),"@tmp_dh_callback",(v))
46 #define ossl_sslctx_set_sess_id_ctx(o, v) rb_iv_get((o),"@session_id_context"(v))
47 
48 #define ossl_sslctx_get_cert(o) rb_iv_get((o),"@cert")
49 #define ossl_sslctx_get_key(o) rb_iv_get((o),"@key")
50 #define ossl_sslctx_get_client_ca(o) rb_iv_get((o),"@client_ca")
51 #define ossl_sslctx_get_ca_file(o) rb_iv_get((o),"@ca_file")
52 #define ossl_sslctx_get_ca_path(o) rb_iv_get((o),"@ca_path")
53 #define ossl_sslctx_get_timeout(o) rb_iv_get((o),"@timeout")
54 #define ossl_sslctx_get_verify_mode(o) rb_iv_get((o),"@verify_mode")
55 #define ossl_sslctx_get_verify_dep(o) rb_iv_get((o),"@verify_depth")
56 #define ossl_sslctx_get_verify_cb(o) rb_iv_get((o),"@verify_callback")
57 #define ossl_sslctx_get_options(o) rb_iv_get((o),"@options")
58 #define ossl_sslctx_get_cert_store(o) rb_iv_get((o),"@cert_store")
59 #define ossl_sslctx_get_extra_cert(o) rb_iv_get((o),"@extra_chain_cert")
60 #define ossl_sslctx_get_client_cert_cb(o) rb_iv_get((o),"@client_cert_cb")
61 #define ossl_sslctx_get_tmp_dh_cb(o) rb_iv_get((o),"@tmp_dh_callback")
62 #define ossl_sslctx_get_sess_id_ctx(o) rb_iv_get((o),"@session_id_context")
63 
64 static const char *ossl_sslctx_attrs[] = {
65  "cert", "key", "client_ca", "ca_file", "ca_path",
66  "timeout", "verify_mode", "verify_depth",
67  "verify_callback", "options", "cert_store", "extra_chain_cert",
68  "client_cert_cb", "tmp_dh_callback", "session_id_context",
69  "session_get_cb", "session_new_cb", "session_remove_cb",
70 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
71  "servername_cb",
72 #endif
73 };
74 
75 #define ossl_ssl_get_io(o) rb_iv_get((o),"@io")
76 #define ossl_ssl_get_ctx(o) rb_iv_get((o),"@context")
77 #define ossl_ssl_get_sync_close(o) rb_iv_get((o),"@sync_close")
78 #define ossl_ssl_get_x509(o) rb_iv_get((o),"@x509")
79 #define ossl_ssl_get_key(o) rb_iv_get((o),"@key")
80 #define ossl_ssl_get_tmp_dh(o) rb_iv_get((o),"@tmp_dh")
81 
82 #define ossl_ssl_set_io(o,v) rb_iv_set((o),"@io",(v))
83 #define ossl_ssl_set_ctx(o,v) rb_iv_set((o),"@context",(v))
84 #define ossl_ssl_set_sync_close(o,v) rb_iv_set((o),"@sync_close",(v))
85 #define ossl_ssl_set_x509(o,v) rb_iv_set((o),"@x509",(v))
86 #define ossl_ssl_set_key(o,v) rb_iv_set((o),"@key",(v))
87 #define ossl_ssl_set_tmp_dh(o,v) rb_iv_set((o),"@tmp_dh",(v))
88 
89 static const char *ossl_ssl_attr_readers[] = { "io", "context", };
90 static const char *ossl_ssl_attrs[] = {
91 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
92  "hostname",
93 #endif
94  "sync_close",
95 };
96 
98 
99 /*
100  * SSLContext class
101  */
102 struct {
103  const char *name;
104  SSL_METHOD *(*func)(void);
105 } ossl_ssl_method_tab[] = {
106 #define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
107  OSSL_SSL_METHOD_ENTRY(TLSv1),
108  OSSL_SSL_METHOD_ENTRY(TLSv1_server),
109  OSSL_SSL_METHOD_ENTRY(TLSv1_client),
110 #if defined(HAVE_SSLV2_METHOD) && defined(HAVE_SSLV2_SERVER_METHOD) && \
111  defined(HAVE_SSLV2_CLIENT_METHOD)
112  OSSL_SSL_METHOD_ENTRY(SSLv2),
113  OSSL_SSL_METHOD_ENTRY(SSLv2_server),
114  OSSL_SSL_METHOD_ENTRY(SSLv2_client),
115 #endif
116  OSSL_SSL_METHOD_ENTRY(SSLv3),
117  OSSL_SSL_METHOD_ENTRY(SSLv3_server),
118  OSSL_SSL_METHOD_ENTRY(SSLv3_client),
119  OSSL_SSL_METHOD_ENTRY(SSLv23),
120  OSSL_SSL_METHOD_ENTRY(SSLv23_server),
121  OSSL_SSL_METHOD_ENTRY(SSLv23_client),
122 #undef OSSL_SSL_METHOD_ENTRY
123 };
124 
130 
131 static void
132 ossl_sslctx_free(SSL_CTX *ctx)
133 {
134  if(ctx && SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_store_p)== (void*)1)
135  ctx->cert_store = NULL;
136  SSL_CTX_free(ctx);
137 }
138 
139 static VALUE
141 {
142  SSL_CTX *ctx;
143  long mode = SSL_MODE_ENABLE_PARTIAL_WRITE;
144 
145 #ifdef SSL_MODE_RELEASE_BUFFERS
146  mode |= SSL_MODE_RELEASE_BUFFERS;
147 #endif
148 
149  ctx = SSL_CTX_new(SSLv23_method());
150  if (!ctx) {
151  ossl_raise(eSSLError, "SSL_CTX_new:");
152  }
153  SSL_CTX_set_mode(ctx, mode);
154  return Data_Wrap_Struct(klass, 0, ossl_sslctx_free, ctx);
155 }
156 
157 /*
158  * call-seq:
159  * ctx.ssl_version = :TLSv1
160  * ctx.ssl_version = "SSLv23_client"
161  *
162  * You can get a list of valid versions with OpenSSL::SSL::SSLContext::METHODS
163  */
164 static VALUE
166 {
167  SSL_METHOD *method = NULL;
168  const char *s;
169  int i;
170 
171  SSL_CTX *ctx;
172  if(TYPE(ssl_method) == T_SYMBOL)
173  s = rb_id2name(SYM2ID(ssl_method));
174  else
175  s = StringValuePtr(ssl_method);
176  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
177  if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
178  method = ossl_ssl_method_tab[i].func();
179  break;
180  }
181  }
182  if (!method) {
183  ossl_raise(rb_eArgError, "unknown SSL method `%s'.", s);
184  }
185  Data_Get_Struct(self, SSL_CTX, ctx);
186  if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
187  ossl_raise(eSSLError, "SSL_CTX_set_ssl_version:");
188  }
189 
190  return ssl_method;
191 }
192 
193 /*
194  * call-seq:
195  * SSLContext.new => ctx
196  * SSLContext.new(:TLSv1) => ctx
197  * SSLContext.new("SSLv23_client") => ctx
198  *
199  * You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
200  */
201 static VALUE
203 {
204  VALUE ssl_method;
205  int i;
206 
207  for(i = 0; i < numberof(ossl_sslctx_attrs); i++){
208  char buf[32];
209  snprintf(buf, sizeof(buf), "@%s", ossl_sslctx_attrs[i]);
210  rb_iv_set(self, buf, Qnil);
211  }
212  if (rb_scan_args(argc, argv, "01", &ssl_method) == 0){
213  return self;
214  }
215  ossl_sslctx_set_ssl_version(self, ssl_method);
216 
217  return self;
218 }
219 
220 static VALUE
222 {
223  VALUE cb, ary, cert, key;
224  SSL *ssl;
225 
226  Data_Get_Struct(obj, SSL, ssl);
227  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx);
228  if (NIL_P(cb)) return Qfalse;
229  ary = rb_funcall(cb, rb_intern("call"), 1, obj);
230  Check_Type(ary, T_ARRAY);
231  GetX509CertPtr(cert = rb_ary_entry(ary, 0));
232  GetPKeyPtr(key = rb_ary_entry(ary, 1));
233  ossl_ssl_set_x509(obj, cert);
234  ossl_ssl_set_key(obj, key);
235 
236  return Qtrue;
237 }
238 
239 static int
240 ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
241 {
242  VALUE obj, success;
243 
244  obj = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
246  obj, NULL);
247  if (!RTEST(success)) return 0;
248  *x509 = DupX509CertPtr(ossl_ssl_get_x509(obj));
249  *pkey = DupPKeyPtr(ossl_ssl_get_key(obj));
250 
251  return 1;
252 }
253 
254 #if !defined(OPENSSL_NO_DH)
255 static VALUE
257 {
258  SSL *ssl;
259  VALUE cb, dh;
260  EVP_PKEY *pkey;
261 
262  Data_Get_Struct(args[0], SSL, ssl);
263  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx);
264  if (NIL_P(cb)) return Qfalse;
265  dh = rb_funcall(cb, rb_intern("call"), 3, args[0], args[1], args[2]);
266  pkey = GetPKeyPtr(dh);
267  if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
268  ossl_ssl_set_tmp_dh(args[0], dh);
269 
270  return Qtrue;
271 }
272 
273 static DH*
274 ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
275 {
276  VALUE args[3], success;
277 
278  args[0] = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx);
279  args[1] = INT2FIX(is_export);
280  args[2] = INT2FIX(keylength);
282  (VALUE)args, NULL);
283  if (!RTEST(success)) return NULL;
284 
285  return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
286 }
287 
288 static DH*
289 ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
290 {
291  rb_warning("using default DH parameters.");
292 
293  switch(keylength){
294  case 512:
295  return OSSL_DEFAULT_DH_512;
296  case 1024:
297  return OSSL_DEFAULT_DH_1024;
298  }
299  return NULL;
300 }
301 #endif /* OPENSSL_NO_DH */
302 
303 static int
304 ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
305 {
306  VALUE cb;
307  SSL *ssl;
308 
309  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
310  cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx);
311  X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, (void*)cb);
312  return ossl_verify_cb(preverify_ok, ctx);
313 }
314 
315 static VALUE
317 {
318  VALUE ssl_obj, sslctx_obj, cb;
319 
320  Check_Type(ary, T_ARRAY);
321  ssl_obj = rb_ary_entry(ary, 0);
322 
323  sslctx_obj = rb_iv_get(ssl_obj, "@context");
324  if (NIL_P(sslctx_obj)) return Qnil;
325  cb = rb_iv_get(sslctx_obj, "@session_get_cb");
326  if (NIL_P(cb)) return Qnil;
327 
328  return rb_funcall(cb, rb_intern("call"), 1, ary);
329 }
330 
331 /* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
332 static SSL_SESSION *
333 ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
334 {
335  VALUE ary, ssl_obj, ret_obj;
336  SSL_SESSION *sess;
337  void *ptr;
338  int state = 0;
339 
340  OSSL_Debug("SSL SESSION get callback entered");
341  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
342  return NULL;
343  ssl_obj = (VALUE)ptr;
344  ary = rb_ary_new2(2);
345  rb_ary_push(ary, ssl_obj);
346  rb_ary_push(ary, rb_str_new((const char *)buf, len));
347 
348  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_get_cb, ary, &state);
349  if (state) {
350  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
351  return NULL;
352  }
353  if (!rb_obj_is_instance_of(ret_obj, cSSLSession))
354  return NULL;
355 
356  SafeGetSSLSession(ret_obj, sess);
357  *copy = 1;
358 
359  return sess;
360 }
361 
362 static VALUE
364 {
365  VALUE ssl_obj, sslctx_obj, cb;
366 
367  Check_Type(ary, T_ARRAY);
368  ssl_obj = rb_ary_entry(ary, 0);
369 
370  sslctx_obj = rb_iv_get(ssl_obj, "@context");
371  if (NIL_P(sslctx_obj)) return Qnil;
372  cb = rb_iv_get(sslctx_obj, "@session_new_cb");
373  if (NIL_P(cb)) return Qnil;
374 
375  return rb_funcall(cb, rb_intern("call"), 1, ary);
376 }
377 
378 /* return 1 normal. return 0 removes the session */
379 static int
380 ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
381 {
382  VALUE ary, ssl_obj, sess_obj, ret_obj;
383  void *ptr;
384  int state = 0;
385 
386  OSSL_Debug("SSL SESSION new callback entered");
387 
388  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
389  return 1;
390  ssl_obj = (VALUE)ptr;
391  sess_obj = rb_obj_alloc(cSSLSession);
392  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
393  DATA_PTR(sess_obj) = sess;
394 
395  ary = rb_ary_new2(2);
396  rb_ary_push(ary, ssl_obj);
397  rb_ary_push(ary, sess_obj);
398 
399  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
400  if (state) {
401  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
402  }
403 
404  /*
405  * return 0 which means to OpenSSL that the the session is still
406  * valid (since we created Ruby Session object) and was not freed by us
407  * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
408  * session_get_cb block if you don't want OpenSSL to cache the session
409  * internally.
410  */
411  return 0;
412 }
413 
414 static VALUE
416 {
417  VALUE sslctx_obj, cb;
418 
419  Check_Type(ary, T_ARRAY);
420  sslctx_obj = rb_ary_entry(ary, 0);
421 
422  cb = rb_iv_get(sslctx_obj, "@session_remove_cb");
423  if (NIL_P(cb)) return Qnil;
424 
425  return rb_funcall(cb, rb_intern("call"), 1, ary);
426 }
427 
428 static void
429 ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
430 {
431  VALUE ary, sslctx_obj, sess_obj, ret_obj;
432  void *ptr;
433  int state = 0;
434 
435  OSSL_Debug("SSL SESSION remove callback entered");
436 
437  if ((ptr = SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_ptr_idx)) == NULL)
438  return;
439  sslctx_obj = (VALUE)ptr;
440  sess_obj = rb_obj_alloc(cSSLSession);
441  CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
442  DATA_PTR(sess_obj) = sess;
443 
444  ary = rb_ary_new2(2);
445  rb_ary_push(ary, sslctx_obj);
446  rb_ary_push(ary, sess_obj);
447 
448  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_remove_cb, ary, &state);
449  if (state) {
450 /*
451  the SSL_CTX is frozen, nowhere to save state.
452  there is no common accessor method to check it either.
453  rb_ivar_set(sslctx_obj, ID_callback_state, INT2NUM(state));
454 */
455  }
456 }
457 
458 static VALUE
460 {
461  X509 *x509;
462  SSL_CTX *ctx;
463 
464  Data_Get_Struct(arg, SSL_CTX, ctx);
465  x509 = DupX509CertPtr(i);
466  if(!SSL_CTX_add_extra_chain_cert(ctx, x509)){
468  }
469 
470  return i;
471 }
472 
473 static VALUE ossl_sslctx_setup(VALUE self);
474 
475 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
476 static VALUE
477 ossl_call_servername_cb(VALUE ary)
478 {
479  VALUE ssl_obj, sslctx_obj, cb, ret_obj;
480 
481  Check_Type(ary, T_ARRAY);
482  ssl_obj = rb_ary_entry(ary, 0);
483 
484  sslctx_obj = rb_iv_get(ssl_obj, "@context");
485  if (NIL_P(sslctx_obj)) return Qnil;
486  cb = rb_iv_get(sslctx_obj, "@servername_cb");
487  if (NIL_P(cb)) return Qnil;
488 
489  ret_obj = rb_funcall(cb, rb_intern("call"), 1, ary);
490  if (rb_obj_is_kind_of(ret_obj, cSSLContext)) {
491  SSL *ssl;
492  SSL_CTX *ctx2;
493 
494  ossl_sslctx_setup(ret_obj);
495  Data_Get_Struct(ssl_obj, SSL, ssl);
496  Data_Get_Struct(ret_obj, SSL_CTX, ctx2);
497  SSL_set_SSL_CTX(ssl, ctx2);
498  } else if (!NIL_P(ret_obj)) {
499  ossl_raise(rb_eArgError, "servername_cb must return an OpenSSL::SSL::SSLContext object or nil");
500  }
501 
502  return ret_obj;
503 }
504 
505 static int
506 ssl_servername_cb(SSL *ssl, int *ad, void *arg)
507 {
508  VALUE ary, ssl_obj, ret_obj;
509  void *ptr;
510  int state = 0;
511  const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
512 
513  if (!servername)
514  return SSL_TLSEXT_ERR_OK;
515 
516  if ((ptr = SSL_get_ex_data(ssl, ossl_ssl_ex_ptr_idx)) == NULL)
517  return SSL_TLSEXT_ERR_ALERT_FATAL;
518  ssl_obj = (VALUE)ptr;
519  ary = rb_ary_new2(2);
520  rb_ary_push(ary, ssl_obj);
521  rb_ary_push(ary, rb_str_new2(servername));
522 
523  ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_servername_cb, ary, &state);
524  if (state) {
525  rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
526  return SSL_TLSEXT_ERR_ALERT_FATAL;
527  }
528 
529  return SSL_TLSEXT_ERR_OK;
530 }
531 #endif
532 
533 /*
534  * call-seq:
535  * ctx.setup => Qtrue # first time
536  * ctx.setup => nil # thereafter
537  *
538  * This method is called automatically when a new SSLSocket is created.
539  * Normally you do not need to call this method (unless you are writing an
540  * extension in C).
541  */
542 static VALUE
544 {
545  SSL_CTX *ctx;
546  X509 *cert = NULL, *client_ca = NULL;
547  X509_STORE *store;
548  EVP_PKEY *key = NULL;
549  char *ca_path = NULL, *ca_file = NULL;
550  int i, verify_mode;
551  VALUE val;
552 
553  if(OBJ_FROZEN(self)) return Qnil;
554  Data_Get_Struct(self, SSL_CTX, ctx);
555 
556 #if !defined(OPENSSL_NO_DH)
557  if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
558  SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
559  }
560  else{
561  SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
562  }
563 #endif
564  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)self);
565 
566  val = ossl_sslctx_get_cert_store(self);
567  if(!NIL_P(val)){
568  /*
569  * WORKAROUND:
570  * X509_STORE can count references, but
571  * X509_STORE_free() doesn't care it.
572  * So we won't increment it but mark it by ex_data.
573  */
574  store = GetX509StorePtr(val); /* NO NEED TO DUP */
575  SSL_CTX_set_cert_store(ctx, store);
576  SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
577  }
578 
579  val = ossl_sslctx_get_extra_cert(self);
580  if(!NIL_P(val)){
582  }
583 
584  /* private key may be bundled in certificate file. */
585  val = ossl_sslctx_get_cert(self);
586  cert = NIL_P(val) ? NULL : GetX509CertPtr(val); /* NO DUP NEEDED */
587  val = ossl_sslctx_get_key(self);
588  key = NIL_P(val) ? NULL : GetPKeyPtr(val); /* NO DUP NEEDED */
589  if (cert && key) {
590  if (!SSL_CTX_use_certificate(ctx, cert)) {
591  /* Adds a ref => Safe to FREE */
592  ossl_raise(eSSLError, "SSL_CTX_use_certificate:");
593  }
594  if (!SSL_CTX_use_PrivateKey(ctx, key)) {
595  /* Adds a ref => Safe to FREE */
596  ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey:");
597  }
598  if (!SSL_CTX_check_private_key(ctx)) {
599  ossl_raise(eSSLError, "SSL_CTX_check_private_key:");
600  }
601  }
602 
603  val = ossl_sslctx_get_client_ca(self);
604  if(!NIL_P(val)){
605  if(TYPE(val) == T_ARRAY){
606  for(i = 0; i < RARRAY_LEN(val); i++){
607  client_ca = GetX509CertPtr(RARRAY_PTR(val)[i]);
608  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
609  /* Copies X509_NAME => FREE it. */
610  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
611  }
612  }
613  }
614  else{
615  client_ca = GetX509CertPtr(val); /* NO DUP NEEDED. */
616  if (!SSL_CTX_add_client_CA(ctx, client_ca)){
617  /* Copies X509_NAME => FREE it. */
618  ossl_raise(eSSLError, "SSL_CTX_add_client_CA");
619  }
620  }
621  }
622 
623  val = ossl_sslctx_get_ca_file(self);
624  ca_file = NIL_P(val) ? NULL : StringValuePtr(val);
625  val = ossl_sslctx_get_ca_path(self);
626  ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
627  if(ca_file || ca_path){
628  if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path))
629  rb_warning("can't set verify locations");
630  }
631 
632  val = ossl_sslctx_get_verify_mode(self);
633  verify_mode = NIL_P(val) ? SSL_VERIFY_NONE : NUM2INT(val);
634  SSL_CTX_set_verify(ctx, verify_mode, ossl_ssl_verify_callback);
636  SSL_CTX_set_client_cert_cb(ctx, ossl_client_cert_cb);
637 
638  val = ossl_sslctx_get_timeout(self);
639  if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
640 
641  val = ossl_sslctx_get_verify_dep(self);
642  if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
643 
644  val = ossl_sslctx_get_options(self);
645  if(!NIL_P(val)) {
646  SSL_CTX_set_options(ctx, NUM2LONG(val));
647  }
648  else {
649  SSL_CTX_set_options(ctx, SSL_OP_ALL);
650  }
651  rb_obj_freeze(self);
652 
653  val = ossl_sslctx_get_sess_id_ctx(self);
654  if (!NIL_P(val)){
655  StringValue(val);
656  if (!SSL_CTX_set_session_id_context(ctx, (unsigned char *)RSTRING_PTR(val),
657  RSTRING_LENINT(val))){
658  ossl_raise(eSSLError, "SSL_CTX_set_session_id_context:");
659  }
660  }
661 
662  if (RTEST(rb_iv_get(self, "@session_get_cb"))) {
663  SSL_CTX_sess_set_get_cb(ctx, ossl_sslctx_session_get_cb);
664  OSSL_Debug("SSL SESSION get callback added");
665  }
666  if (RTEST(rb_iv_get(self, "@session_new_cb"))) {
667  SSL_CTX_sess_set_new_cb(ctx, ossl_sslctx_session_new_cb);
668  OSSL_Debug("SSL SESSION new callback added");
669  }
670  if (RTEST(rb_iv_get(self, "@session_remove_cb"))) {
671  SSL_CTX_sess_set_remove_cb(ctx, ossl_sslctx_session_remove_cb);
672  OSSL_Debug("SSL SESSION remove callback added");
673  }
674 
675 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
676  val = rb_iv_get(self, "@servername_cb");
677  if (!NIL_P(val)) {
678  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
679  OSSL_Debug("SSL TLSEXT servername callback added");
680  }
681 #endif
682 
683  return Qtrue;
684 }
685 
686 static VALUE
687 ossl_ssl_cipher_to_ary(SSL_CIPHER *cipher)
688 {
689  VALUE ary;
690  int bits, alg_bits;
691 
692  ary = rb_ary_new2(4);
693  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_name(cipher)));
694  rb_ary_push(ary, rb_str_new2(SSL_CIPHER_get_version(cipher)));
695  bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
696  rb_ary_push(ary, INT2FIX(bits));
697  rb_ary_push(ary, INT2FIX(alg_bits));
698 
699  return ary;
700 }
701 
702 /*
703  * call-seq:
704  * ctx.ciphers => [[name, version, bits, alg_bits], ...]
705  *
706  * The list of ciphers configured for this context.
707  */
708 static VALUE
710 {
711  SSL_CTX *ctx;
712  STACK_OF(SSL_CIPHER) *ciphers;
713  SSL_CIPHER *cipher;
714  VALUE ary;
715  int i, num;
716 
717  Data_Get_Struct(self, SSL_CTX, ctx);
718  if(!ctx){
719  rb_warning("SSL_CTX is not initialized.");
720  return Qnil;
721  }
722  ciphers = ctx->cipher_list;
723 
724  if (!ciphers)
725  return rb_ary_new();
726 
727  num = sk_SSL_CIPHER_num(ciphers);
728  ary = rb_ary_new2(num);
729  for(i = 0; i < num; i++){
730  cipher = sk_SSL_CIPHER_value(ciphers, i);
731  rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
732  }
733  return ary;
734 }
735 
736 /*
737  * call-seq:
738  * ctx.ciphers = "cipher1:cipher2:..."
739  * ctx.ciphers = [name, ...]
740  * ctx.ciphers = [[name, version, bits, alg_bits], ...]
741  *
742  * Sets the list of available ciphers for this context. Note in a server
743  * context some ciphers require the appropriate certificates. For example, an
744  * RSA cipher can only be chosen when an RSA certificate is available.
745  *
746  * See also OpenSSL::Cipher and OpenSSL::Cipher::ciphers
747  */
748 static VALUE
750 {
751  SSL_CTX *ctx;
752  VALUE str, elem;
753  int i;
754 
755  rb_check_frozen(self);
756  if (NIL_P(v))
757  return v;
758  else if (TYPE(v) == T_ARRAY) {
759  str = rb_str_new(0, 0);
760  for (i = 0; i < RARRAY_LEN(v); i++) {
761  elem = rb_ary_entry(v, i);
762  if (TYPE(elem) == T_ARRAY) elem = rb_ary_entry(elem, 0);
763  elem = rb_String(elem);
764  rb_str_append(str, elem);
765  if (i < RARRAY_LEN(v)-1) rb_str_cat2(str, ":");
766  }
767  } else {
768  str = v;
769  StringValue(str);
770  }
771 
772  Data_Get_Struct(self, SSL_CTX, ctx);
773  if(!ctx){
774  ossl_raise(eSSLError, "SSL_CTX is not initialized.");
775  return Qnil;
776  }
777  if (!SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(str))) {
778  ossl_raise(eSSLError, "SSL_CTX_set_cipher_list:");
779  }
780 
781  return v;
782 }
783 
784 
785 /*
786  * call-seq:
787  * ctx.session_add(session) -> true | false
788  *
789  * Adds +session+ to the session cache
790  */
791 static VALUE
793 {
794  SSL_CTX *ctx;
795  SSL_SESSION *sess;
796 
797  Data_Get_Struct(self, SSL_CTX, ctx);
798  SafeGetSSLSession(arg, sess);
799 
800  return SSL_CTX_add_session(ctx, sess) == 1 ? Qtrue : Qfalse;
801 }
802 
803 /*
804  * call-seq:
805  * ctx.session_remove(session) -> true | false
806  *
807  * Removes +session+ from the session cache
808  */
809 static VALUE
811 {
812  SSL_CTX *ctx;
813  SSL_SESSION *sess;
814 
815  Data_Get_Struct(self, SSL_CTX, ctx);
816  SafeGetSSLSession(arg, sess);
817 
818  return SSL_CTX_remove_session(ctx, sess) == 1 ? Qtrue : Qfalse;
819 }
820 
821 /*
822  * call-seq:
823  * ctx.session_cache_mode -> Integer
824  *
825  * The current session cache mode.
826  */
827 static VALUE
829 {
830  SSL_CTX *ctx;
831 
832  Data_Get_Struct(self, SSL_CTX, ctx);
833 
834  return LONG2NUM(SSL_CTX_get_session_cache_mode(ctx));
835 }
836 
837 /*
838  * call-seq:
839  * ctx.session_cache_mode=(integer) -> Integer
840  *
841  * Sets the SSL session cache mode. Bitwise-or together the desired
842  * SESSION_CACHE_* constants to set. See SSL_CTX_set_session_cache_mode(3) for
843  * details.
844  */
845 static VALUE
847 {
848  SSL_CTX *ctx;
849 
850  Data_Get_Struct(self, SSL_CTX, ctx);
851 
852  SSL_CTX_set_session_cache_mode(ctx, NUM2LONG(arg));
853 
854  return arg;
855 }
856 
857 /*
858  * call-seq:
859  * ctx.session_cache_size -> Integer
860  *
861  * Returns the current session cache size. Zero is used to represent an
862  * unlimited cache size.
863  */
864 static VALUE
866 {
867  SSL_CTX *ctx;
868 
869  Data_Get_Struct(self, SSL_CTX, ctx);
870 
871  return LONG2NUM(SSL_CTX_sess_get_cache_size(ctx));
872 }
873 
874 /*
875  * call-seq:
876  * ctx.session_cache_size=(integer) -> Integer
877  *
878  * Sets the session cache size. Returns the previously valid session cache
879  * size. Zero is used to represent an unlimited session cache size.
880  */
881 static VALUE
883 {
884  SSL_CTX *ctx;
885 
886  Data_Get_Struct(self, SSL_CTX, ctx);
887 
888  SSL_CTX_sess_set_cache_size(ctx, NUM2LONG(arg));
889 
890  return arg;
891 }
892 
893 /*
894  * call-seq:
895  * ctx.session_cache_stats -> Hash
896  *
897  * Returns a Hash containing the following keys:
898  *
899  * :accept:: Number of started SSL/TLS handshakes in server mode
900  * :accept_good:: Number of established SSL/TLS sessions in server mode
901  * :accept_renegotiate:: Number of start renegotiations in server mode
902  * :cache_full:: Number of sessions that were removed due to cache overflow
903  * :cache_hits:: Number of successfully reused connections
904  * :cache_misses:: Number of sessions proposed by clients that were not found
905  * in the cache
906  * :cache_num:: Number of sessions in the internal session cache
907  * :cb_hits:: Number of sessions retrieved from the external cache in server
908  * mode
909  * :connect:: Number of started SSL/TLS handshakes in client mode
910  * :connect_good:: Number of established SSL/TLS sessions in client mode
911  * :connect_renegotiate:: Number of start renegotiations in client mode
912  * :timeouts:: Number of sessions proposed by clients that were found in the
913  * cache but had expired due to timeouts
914  */
915 static VALUE
917 {
918  SSL_CTX *ctx;
919  VALUE hash;
920 
921  Data_Get_Struct(self, SSL_CTX, ctx);
922 
923  hash = rb_hash_new();
924  rb_hash_aset(hash, ID2SYM(rb_intern("cache_num")), LONG2NUM(SSL_CTX_sess_number(ctx)));
925  rb_hash_aset(hash, ID2SYM(rb_intern("connect")), LONG2NUM(SSL_CTX_sess_connect(ctx)));
926  rb_hash_aset(hash, ID2SYM(rb_intern("connect_good")), LONG2NUM(SSL_CTX_sess_connect_good(ctx)));
927  rb_hash_aset(hash, ID2SYM(rb_intern("connect_renegotiate")), LONG2NUM(SSL_CTX_sess_connect_renegotiate(ctx)));
928  rb_hash_aset(hash, ID2SYM(rb_intern("accept")), LONG2NUM(SSL_CTX_sess_accept(ctx)));
929  rb_hash_aset(hash, ID2SYM(rb_intern("accept_good")), LONG2NUM(SSL_CTX_sess_accept_good(ctx)));
930  rb_hash_aset(hash, ID2SYM(rb_intern("accept_renegotiate")), LONG2NUM(SSL_CTX_sess_accept_renegotiate(ctx)));
931  rb_hash_aset(hash, ID2SYM(rb_intern("cache_hits")), LONG2NUM(SSL_CTX_sess_hits(ctx)));
932  rb_hash_aset(hash, ID2SYM(rb_intern("cb_hits")), LONG2NUM(SSL_CTX_sess_cb_hits(ctx)));
933  rb_hash_aset(hash, ID2SYM(rb_intern("cache_misses")), LONG2NUM(SSL_CTX_sess_misses(ctx)));
934  rb_hash_aset(hash, ID2SYM(rb_intern("cache_full")), LONG2NUM(SSL_CTX_sess_cache_full(ctx)));
935  rb_hash_aset(hash, ID2SYM(rb_intern("timeouts")), LONG2NUM(SSL_CTX_sess_timeouts(ctx)));
936 
937  return hash;
938 }
939 
940 
941 /*
942  * call-seq:
943  * ctx.flush_sessions(time | nil) -> self
944  *
945  * Removes sessions in the internal cache that have expired at +time+.
946  */
947 static VALUE
949 {
950  VALUE arg1;
951  SSL_CTX *ctx;
952  time_t tm = 0;
953 
954  rb_scan_args(argc, argv, "01", &arg1);
955 
956  Data_Get_Struct(self, SSL_CTX, ctx);
957 
958  if (NIL_P(arg1)) {
959  tm = time(0);
960  } else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
961  tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
962  } else {
963  ossl_raise(rb_eArgError, "arg must be Time or nil");
964  }
965 
966  SSL_CTX_flush_sessions(ctx, (long)tm);
967 
968  return self;
969 }
970 
971 /*
972  * SSLSocket class
973  */
974 static void
976 {
977  int i, rc;
978 
979  if (ssl) {
980  /* 4 is from SSL_smart_shutdown() of mod_ssl.c (v2.2.19) */
981  /* It says max 2x pending + 2x data = 4 */
982  for (i = 0; i < 4; ++i) {
983  /*
984  * Ignore the case SSL_shutdown returns -1. Empty handshake_func
985  * must not happen.
986  */
987  if (rc = SSL_shutdown(ssl))
988  break;
989  }
990  ERR_clear_error();
991  SSL_clear(ssl);
992  }
993 }
994 
995 static void
996 ossl_ssl_free(SSL *ssl)
997 {
998  ossl_ssl_shutdown(ssl);
999  SSL_free(ssl);
1000 }
1001 
1002 static VALUE
1004 {
1005  return Data_Wrap_Struct(klass, 0, ossl_ssl_free, NULL);
1006 }
1007 
1008 /*
1009  * call-seq:
1010  * SSLSocket.new(io) => aSSLSocket
1011  * SSLSocket.new(io, ctx) => aSSLSocket
1012  *
1013  * Creates a new SSL socket from +io+ which must be a real ruby object (not an
1014  * IO-like object that responds to read/write.
1015  *
1016  * If +ctx+ is provided the SSL Sockets initial params will be taken from
1017  * the context.
1018  *
1019  * The OpenSSL::Buffering module provides additional IO methods.
1020  *
1021  * This method will freeze the SSLContext if one is provided;
1022  * however, session management is still allowed in the frozen SSLContext.
1023  */
1024 static VALUE
1026 {
1027  VALUE io, ctx;
1028 
1029  if (rb_scan_args(argc, argv, "11", &io, &ctx) == 1) {
1030  ctx = rb_funcall(cSSLContext, rb_intern("new"), 0);
1031  }
1033  Check_Type(io, T_FILE);
1034  ossl_ssl_set_io(self, io);
1035  ossl_ssl_set_ctx(self, ctx);
1037  ossl_sslctx_setup(ctx);
1038 
1039  rb_iv_set(self, "@hostname", Qnil);
1040 
1041  rb_call_super(0, 0);
1042 
1043  return self;
1044 }
1045 
1046 static VALUE
1048 {
1049  VALUE io, v_ctx, cb;
1050  SSL_CTX *ctx;
1051  SSL *ssl;
1052  rb_io_t *fptr;
1053 
1054  Data_Get_Struct(self, SSL, ssl);
1055  if(!ssl){
1056 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1057  VALUE hostname = rb_iv_get(self, "@hostname");
1058 #endif
1059 
1060  v_ctx = ossl_ssl_get_ctx(self);
1061  Data_Get_Struct(v_ctx, SSL_CTX, ctx);
1062 
1063  ssl = SSL_new(ctx);
1064  if (!ssl) {
1065  ossl_raise(eSSLError, "SSL_new:");
1066  }
1067  DATA_PTR(self) = ssl;
1068 
1069 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1070  if (!NIL_P(hostname)) {
1071  if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1)
1072  ossl_raise(eSSLError, "SSL_set_tlsext_host_name:");
1073  }
1074 #endif
1075  io = ossl_ssl_get_io(self);
1076  GetOpenFile(io, fptr);
1077  rb_io_check_readable(fptr);
1078  rb_io_check_writable(fptr);
1079  SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr)));
1080  SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self);
1081  cb = ossl_sslctx_get_verify_cb(v_ctx);
1082  SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb);
1083  cb = ossl_sslctx_get_client_cert_cb(v_ctx);
1084  SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb);
1085  cb = ossl_sslctx_get_tmp_dh_cb(v_ctx);
1086  SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb);
1087  }
1088 
1089  return Qtrue;
1090 }
1091 
1092 #ifdef _WIN32
1093 #define ssl_get_error(ssl, ret) (errno = rb_w32_map_errno(WSAGetLastError()), SSL_get_error((ssl), (ret)))
1094 #else
1095 #define ssl_get_error(ssl, ret) SSL_get_error((ssl), (ret))
1096 #endif
1097 
1098 static void
1099 write_would_block(int nonblock)
1100 {
1101  if (nonblock) {
1102  VALUE exc = ossl_exc_new(eSSLError, "write would block");
1104  rb_exc_raise(exc);
1105  }
1106 }
1107 
1108 static void
1109 read_would_block(int nonblock)
1110 {
1111  if (nonblock) {
1112  VALUE exc = ossl_exc_new(eSSLError, "read would block");
1114  rb_exc_raise(exc);
1115  }
1116 }
1117 
1118 static VALUE
1119 ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, int nonblock)
1120 {
1121  SSL *ssl;
1122  rb_io_t *fptr;
1123  int ret, ret2;
1124  VALUE cb_state;
1125 
1127 
1128  Data_Get_Struct(self, SSL, ssl);
1129  GetOpenFile(ossl_ssl_get_io(self), fptr);
1130  for(;;){
1131  ret = func(ssl);
1132 
1133  cb_state = rb_ivar_get(self, ID_callback_state);
1134  if (!NIL_P(cb_state))
1135  rb_jump_tag(NUM2INT(cb_state));
1136 
1137  if (ret > 0)
1138  break;
1139 
1140  switch((ret2 = ssl_get_error(ssl, ret))){
1141  case SSL_ERROR_WANT_WRITE:
1142  write_would_block(nonblock);
1144  continue;
1145  case SSL_ERROR_WANT_READ:
1146  read_would_block(nonblock);
1148  continue;
1149  case SSL_ERROR_SYSCALL:
1150  if (errno) rb_sys_fail(funcname);
1151  ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1152  default:
1153  ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
1154  }
1155  }
1156 
1157  return self;
1158 }
1159 
1160 /*
1161  * call-seq:
1162  * ssl.connect => self
1163  *
1164  * Initiates an SSL/TLS handshake with a server. The handshake may be started
1165  * after unencrypted data has been sent over the socket.
1166  */
1167 static VALUE
1169 {
1170  ossl_ssl_setup(self);
1171  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 0);
1172 }
1173 
1174 /*
1175  * call-seq:
1176  * ssl.connect_nonblock => self
1177  *
1178  * Initiates the SSL/TLS handshake as a client in non-blocking manner.
1179  *
1180  * # emulates blocking connect
1181  * begin
1182  * ssl.connect_nonblock
1183  * rescue IO::WaitReadable
1184  * IO.select([s2])
1185  * retry
1186  * rescue IO::WaitWritable
1187  * IO.select(nil, [s2])
1188  * retry
1189  * end
1190  *
1191  */
1192 static VALUE
1194 {
1195  ossl_ssl_setup(self);
1196  return ossl_start_ssl(self, SSL_connect, "SSL_connect", 1);
1197 }
1198 
1199 /*
1200  * call-seq:
1201  * ssl.accept => self
1202  *
1203  * Waits for a SSL/TLS client to initiate a handshake. The handshake may be
1204  * started after unencrypted data has been sent over the socket.
1205  */
1206 static VALUE
1208 {
1209  ossl_ssl_setup(self);
1210  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 0);
1211 }
1212 
1213 /*
1214  * call-seq:
1215  * ssl.accept_nonblock => self
1216  *
1217  * Initiates the SSL/TLS handshake as a server in non-blocking manner.
1218  *
1219  * # emulates blocking accept
1220  * begin
1221  * ssl.accept_nonblock
1222  * rescue IO::WaitReadable
1223  * IO.select([s2])
1224  * retry
1225  * rescue IO::WaitWritable
1226  * IO.select(nil, [s2])
1227  * retry
1228  * end
1229  *
1230  */
1231 static VALUE
1233 {
1234  ossl_ssl_setup(self);
1235  return ossl_start_ssl(self, SSL_accept, "SSL_accept", 1);
1236 }
1237 
1238 static VALUE
1239 ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)
1240 {
1241  SSL *ssl;
1242  int ilen, nread = 0;
1243  VALUE len, str;
1244  rb_io_t *fptr;
1245 
1246  rb_scan_args(argc, argv, "11", &len, &str);
1247  ilen = NUM2INT(len);
1248  if(NIL_P(str)) str = rb_str_new(0, ilen);
1249  else{
1250  StringValue(str);
1251  rb_str_modify(str);
1252  rb_str_resize(str, ilen);
1253  }
1254  if(ilen == 0) return str;
1255 
1256  Data_Get_Struct(self, SSL, ssl);
1257  GetOpenFile(ossl_ssl_get_io(self), fptr);
1258  if (ssl) {
1259  if(!nonblock && SSL_pending(ssl) <= 0)
1261  for (;;){
1262  nread = SSL_read(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1263  switch(ssl_get_error(ssl, nread)){
1264  case SSL_ERROR_NONE:
1265  goto end;
1266  case SSL_ERROR_ZERO_RETURN:
1267  rb_eof_error();
1268  case SSL_ERROR_WANT_WRITE:
1269  write_would_block(nonblock);
1271  continue;
1272  case SSL_ERROR_WANT_READ:
1273  read_would_block(nonblock);
1275  continue;
1276  case SSL_ERROR_SYSCALL:
1277  if(ERR_peek_error() == 0 && nread == 0) rb_eof_error();
1278  rb_sys_fail(0);
1279  default:
1280  ossl_raise(eSSLError, "SSL_read:");
1281  }
1282  }
1283  }
1284  else {
1285  ID meth = nonblock ? rb_intern("read_nonblock") : rb_intern("sysread");
1286  rb_warning("SSL session is not started yet.");
1287  return rb_funcall(ossl_ssl_get_io(self), meth, 2, len, str);
1288  }
1289 
1290  end:
1291  rb_str_set_len(str, nread);
1292  OBJ_TAINT(str);
1293 
1294  return str;
1295 }
1296 
1297 
1298 /*
1299  * call-seq:
1300  * ssl.sysread(length) => string
1301  * ssl.sysread(length, buffer) => buffer
1302  *
1303  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1304  * is provided the data will be written into it.
1305  */
1306 static VALUE
1308 {
1309  return ossl_ssl_read_internal(argc, argv, self, 0);
1310 }
1311 
1312 /*
1313  * call-seq:
1314  * ssl.sysread_nonblock(length) => string
1315  * ssl.sysread_nonblock(length, buffer) => buffer
1316  *
1317  * A non-blocking version of #sysread. Raises an SSLError if reading would
1318  * block.
1319  *
1320  * Reads +length+ bytes from the SSL connection. If a pre-allocated +buffer+
1321  * is provided the data will be written into it.
1322  */
1323 static VALUE
1325 {
1326  return ossl_ssl_read_internal(argc, argv, self, 1);
1327 }
1328 
1329 static VALUE
1330 ossl_ssl_write_internal(VALUE self, VALUE str, int nonblock)
1331 {
1332  SSL *ssl;
1333  int nwrite = 0;
1334  rb_io_t *fptr;
1335 
1336  StringValue(str);
1337  Data_Get_Struct(self, SSL, ssl);
1338  GetOpenFile(ossl_ssl_get_io(self), fptr);
1339 
1340  if (ssl) {
1341  for (;;){
1342  nwrite = SSL_write(ssl, RSTRING_PTR(str), RSTRING_LENINT(str));
1343  switch(ssl_get_error(ssl, nwrite)){
1344  case SSL_ERROR_NONE:
1345  goto end;
1346  case SSL_ERROR_WANT_WRITE:
1347  write_would_block(nonblock);
1349  continue;
1350  case SSL_ERROR_WANT_READ:
1351  read_would_block(nonblock);
1353  continue;
1354  case SSL_ERROR_SYSCALL:
1355  if (errno) rb_sys_fail(0);
1356  default:
1357  ossl_raise(eSSLError, "SSL_write:");
1358  }
1359  }
1360  }
1361  else {
1362  ID id_syswrite = rb_intern("syswrite");
1363  rb_warning("SSL session is not started yet.");
1364  return rb_funcall(ossl_ssl_get_io(self), id_syswrite, 1, str);
1365  }
1366 
1367  end:
1368  return INT2NUM(nwrite);
1369 }
1370 
1371 /*
1372  * call-seq:
1373  * ssl.syswrite(string) => Integer
1374  *
1375  * Writes +string+ to the SSL connection.
1376  */
1377 static VALUE
1379 {
1380  return ossl_ssl_write_internal(self, str, 0);
1381 }
1382 
1383 /*
1384  * call-seq:
1385  * ssl.syswrite_nonblock(string) => Integer
1386  *
1387  * Writes +string+ to the SSL connection in a non-blocking manner. Raises an
1388  * SSLError if writing would block.
1389  */
1390 static VALUE
1392 {
1393  return ossl_ssl_write_internal(self, str, 1);
1394 }
1395 
1396 /*
1397  * call-seq:
1398  * ssl.sysclose => nil
1399  *
1400  * Shuts down the SSL connection and prepares it for another connection.
1401  */
1402 static VALUE
1404 {
1405  SSL *ssl;
1406 
1407  Data_Get_Struct(self, SSL, ssl);
1408  ossl_ssl_shutdown(ssl);
1409  if (RTEST(ossl_ssl_get_sync_close(self)))
1410  rb_funcall(ossl_ssl_get_io(self), rb_intern("close"), 0);
1411 
1412  return Qnil;
1413 }
1414 
1415 /*
1416  * call-seq:
1417  * ssl.cert => cert or nil
1418  *
1419  * The X509 certificate for this socket endpoint.
1420  */
1421 static VALUE
1423 {
1424  SSL *ssl;
1425  X509 *cert = NULL;
1426 
1427  Data_Get_Struct(self, SSL, ssl);
1428  if (!ssl) {
1429  rb_warning("SSL session is not started yet.");
1430  return Qnil;
1431  }
1432 
1433  /*
1434  * Is this OpenSSL bug? Should add a ref?
1435  * TODO: Ask for.
1436  */
1437  cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
1438 
1439  if (!cert) {
1440  return Qnil;
1441  }
1442  return ossl_x509_new(cert);
1443 }
1444 
1445 /*
1446  * call-seq:
1447  * ssl.peer_cert => cert or nil
1448  *
1449  * The X509 certificate for this socket's peer.
1450  */
1451 static VALUE
1453 {
1454  SSL *ssl;
1455  X509 *cert = NULL;
1456  VALUE obj;
1457 
1458  Data_Get_Struct(self, SSL, ssl);
1459 
1460  if (!ssl){
1461  rb_warning("SSL session is not started yet.");
1462  return Qnil;
1463  }
1464 
1465  cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
1466 
1467  if (!cert) {
1468  return Qnil;
1469  }
1470  obj = ossl_x509_new(cert);
1471  X509_free(cert);
1472 
1473  return obj;
1474 }
1475 
1476 /*
1477  * call-seq:
1478  * ssl.peer_cert_chain => [cert, ...] or nil
1479  *
1480  * The X509 certificate chain for this socket's peer.
1481  */
1482 static VALUE
1484 {
1485  SSL *ssl;
1486  STACK_OF(X509) *chain;
1487  X509 *cert;
1488  VALUE ary;
1489  int i, num;
1490 
1491  Data_Get_Struct(self, SSL, ssl);
1492  if(!ssl){
1493  rb_warning("SSL session is not started yet.");
1494  return Qnil;
1495  }
1496  chain = SSL_get_peer_cert_chain(ssl);
1497  if(!chain) return Qnil;
1498  num = sk_X509_num(chain);
1499  ary = rb_ary_new2(num);
1500  for (i = 0; i < num; i++){
1501  cert = sk_X509_value(chain, i);
1502  rb_ary_push(ary, ossl_x509_new(cert));
1503  }
1504 
1505  return ary;
1506 }
1507 
1508 /*
1509  * call-seq:
1510  * ssl.cipher => [name, version, bits, alg_bits]
1511  *
1512  * The cipher being used for the current connection
1513  */
1514 static VALUE
1516 {
1517  SSL *ssl;
1518  SSL_CIPHER *cipher;
1519 
1520  Data_Get_Struct(self, SSL, ssl);
1521  if (!ssl) {
1522  rb_warning("SSL session is not started yet.");
1523  return Qnil;
1524  }
1525  cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
1526 
1527  return ossl_ssl_cipher_to_ary(cipher);
1528 }
1529 
1530 /*
1531  * call-seq:
1532  * ssl.state => string
1533  *
1534  * A description of the current connection state.
1535  */
1536 static VALUE
1538 {
1539  SSL *ssl;
1540  VALUE ret;
1541 
1542  Data_Get_Struct(self, SSL, ssl);
1543  if (!ssl) {
1544  rb_warning("SSL session is not started yet.");
1545  return Qnil;
1546  }
1547  ret = rb_str_new2(SSL_state_string(ssl));
1548  if (ruby_verbose) {
1549  rb_str_cat2(ret, ": ");
1550  rb_str_cat2(ret, SSL_state_string_long(ssl));
1551  }
1552  return ret;
1553 }
1554 
1555 /*
1556  * call-seq:
1557  * ssl.pending => Integer
1558  *
1559  * The number of bytes that are immediately available for reading
1560  */
1561 static VALUE
1563 {
1564  SSL *ssl;
1565 
1566  Data_Get_Struct(self, SSL, ssl);
1567  if (!ssl) {
1568  rb_warning("SSL session is not started yet.");
1569  return Qnil;
1570  }
1571 
1572  return INT2NUM(SSL_pending(ssl));
1573 }
1574 
1575 /*
1576  * call-seq:
1577  * ssl.session_reused? -> true | false
1578  *
1579  * Returns true if a reused session was negotiated during the handshake.
1580  */
1581 static VALUE
1583 {
1584  SSL *ssl;
1585 
1586  Data_Get_Struct(self, SSL, ssl);
1587  if (!ssl) {
1588  rb_warning("SSL session is not started yet.");
1589  return Qnil;
1590  }
1591 
1592  switch(SSL_session_reused(ssl)) {
1593  case 1: return Qtrue;
1594  case 0: return Qfalse;
1595  default: ossl_raise(eSSLError, "SSL_session_reused");
1596  }
1597 }
1598 
1599 /*
1600  * call-seq:
1601  * ssl.session = session -> session
1602  *
1603  * Sets the Session to be used when the connection is established.
1604  */
1605 static VALUE
1607 {
1608  SSL *ssl;
1609  SSL_SESSION *sess;
1610 
1611 /* why is ossl_ssl_setup delayed? */
1612  ossl_ssl_setup(self);
1613 
1614  Data_Get_Struct(self, SSL, ssl);
1615  if (!ssl) {
1616  rb_warning("SSL session is not started yet.");
1617  return Qnil;
1618  }
1619 
1620  SafeGetSSLSession(arg1, sess);
1621 
1622  if (SSL_set_session(ssl, sess) != 1)
1623  ossl_raise(eSSLError, "SSL_set_session");
1624 
1625  return arg1;
1626 }
1627 
1628 /*
1629  * call-seq:
1630  * ssl.verify_result => Integer
1631  *
1632  * Returns the result of the peer certificates verification. See verify(1)
1633  * for error values and descriptions.
1634  *
1635  * If no peer certificate was presented X509_V_OK is returned.
1636  */
1637 static VALUE
1639 {
1640  SSL *ssl;
1641 
1642  Data_Get_Struct(self, SSL, ssl);
1643  if (!ssl) {
1644  rb_warning("SSL session is not started yet.");
1645  return Qnil;
1646  }
1647 
1648  return INT2FIX(SSL_get_verify_result(ssl));
1649 }
1650 
1651 /*
1652  * call-seq:
1653  * ssl.client_ca => [x509name, ...]
1654  *
1655  * Returns the list of client CAs. Please note that in contrast to
1656  * SSLContext#client_ca= no array of X509::Certificate is returned but
1657  * X509::Name instances of the CA's subject distinguished name.
1658  *
1659  * In server mode, returns the list set by SSLContext#client_ca=.
1660  * In client mode, returns the list of client CAs sent from the server.
1661  */
1662 static VALUE
1664 {
1665  SSL *ssl;
1666  STACK_OF(X509_NAME) *ca;
1667 
1668  Data_Get_Struct(self, SSL, ssl);
1669  if (!ssl) {
1670  rb_warning("SSL session is not started yet.");
1671  return Qnil;
1672  }
1673 
1674  ca = SSL_get_client_CA_list(ssl);
1675  return ossl_x509name_sk2ary(ca);
1676 }
1677 
1678 void
1680 {
1681  int i;
1682  VALUE ary;
1683 
1684 #if 0
1685  mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
1686 #endif
1687 
1688  ID_callback_state = rb_intern("@callback_state");
1689 
1690  ossl_ssl_ex_vcb_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_vcb_idx",0,0,0);
1691  ossl_ssl_ex_store_p = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_store_p",0,0,0);
1692  ossl_ssl_ex_ptr_idx = SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_ptr_idx",0,0,0);
1694  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_client_cert_cb_idx",0,0,0);
1696  SSL_get_ex_new_index(0,(void *)"ossl_ssl_ex_tmp_dh_callback_idx",0,0,0);
1697 
1698  mSSL = rb_define_module_under(mOSSL, "SSL");
1700 
1702 
1703  /* Document-class: OpenSSL::SSL::SSLContext
1704  *
1705  * An SSLContext is used to set various options regarding certificates,
1706  * algorithms, verification, session caching, etc. The SSLContext is
1707  * used to create an SSLSocket.
1708  *
1709  * All attributes must be set before creating an SSLSocket as the
1710  * SSLContext will be frozen afterward.
1711  *
1712  * The following attributes are available but don't show up in rdoc:
1713  * * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
1714  * * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
1715  * * session_id_context, session_add_cb, session_new_cb, session_remove_cb
1716  */
1719 
1720  /*
1721  * Context certificate
1722  */
1723  rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
1724 
1725  /*
1726  * Context private key
1727  */
1728  rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
1729 
1730  /*
1731  * A certificate or Array of certificates that will be sent to the client.
1732  */
1733  rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
1734 
1735  /*
1736  * The path to a file containing a PEM-format CA certificate
1737  */
1738  rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
1739 
1740  /*
1741  * The path to a directory containing CA certificates in PEM format.
1742  *
1743  * Files are looked up by subject's X509 name's hash value.
1744  */
1745  rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
1746 
1747  /*
1748  * Maximum session lifetime.
1749  */
1750  rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
1751 
1752  /*
1753  * Session verification mode.
1754  *
1755  * Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
1756  * VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
1757  */
1758  rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
1759 
1760  /*
1761  * Number of CA certificates to walk when verifying a certificate chain.
1762  */
1763  rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
1764 
1765  /*
1766  * A callback for additional certificate verification. The callback is
1767  * invoked for each certificate in the chain.
1768  *
1769  * The callback is invoked with two values. +preverify_ok+ indicates
1770  * indicates if the verification was passed (true) or not (false).
1771  * +store_context+ is an OpenSSL::X509::StoreContext containing the
1772  * context used for certificate verification.
1773  *
1774  * If the callback returns false verification is stopped.
1775  */
1776  rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
1777 
1778  /*
1779  * Sets various OpenSSL options.
1780  */
1781  rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse);
1782 
1783  /*
1784  * An OpenSSL::X509::Store used for certificate verification
1785  */
1786  rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
1787 
1788  /*
1789  * An Array of extra X509 certificates to be added to the certificate
1790  * chain.
1791  */
1792  rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
1793 
1794  /*
1795  * A callback invoked when a client certificate is requested by a server
1796  * and no certificate has been set.
1797  *
1798  * The callback is invoked with a Session and must return an Array
1799  * containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
1800  * other value is returned the handshake is suspended.
1801  */
1802  rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
1803 
1804  /*
1805  * A callback invoked when DH parameters are required.
1806  *
1807  * The callback is invoked with the Session for the key exchange, an
1808  * flag indicating the use of an export cipher and the keylength
1809  * required.
1810  *
1811  * The callback must return an OpenSSL::PKey::DH instance of the correct
1812  * key length.
1813  */
1814  rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse);
1815 
1816  /*
1817  * Sets the context in which a session can be reused. This allows
1818  * sessions for multiple applications to be distinguished, for exapmle, by
1819  * name.
1820  */
1821  rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
1822 
1823  /*
1824  * A callback invoked on a server when a session is proposed by the client
1825  * but the session could not be found in the server's internal cache.
1826  *
1827  * The callback is invoked with the SSLSocket and session id. The
1828  * callback may return a Session from an external cache.
1829  */
1830  rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
1831 
1832  /*
1833  * A callback invoked when a new session was negotiatied.
1834  *
1835  * The callback is invoked with an SSLSocket. If false is returned the
1836  * session will be removed from the internal cache.
1837  */
1838  rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
1839 
1840  /*
1841  * A callback invoked when a session is removed from the internal cache.
1842  *
1843  * The callback is invoked with an SSLContext and a Session.
1844  */
1845  rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
1846 
1847 #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1848  /*
1849  * A callback invoked at connect time to distinguish between multiple
1850  * server names.
1851  *
1852  * The callback is invoked with an SSLSocket and a server name. The
1853  * callback must return an SSLContext for the server name or nil.
1854  */
1855  rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse);
1856 #endif
1857 
1858  rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
1859  rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
1864 
1866 
1867 
1868  /*
1869  * No session caching for client or server
1870  */
1871  rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
1872 
1873  /*
1874  * Client sessions are added to the session cache
1875  */
1876  rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
1877 
1878  /*
1879  * Server sessions are added to the session cache
1880  */
1881  rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
1882 
1883  /*
1884  * Both client and server sessions are added to the session cache
1885  */
1886  rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
1887 
1888  /*
1889  * Normally the sesison cache is checked for expired sessions every 255
1890  * connections. Since this may lead to a delay that cannot be controlled,
1891  * the automatic flushing may be disabled and #flush_sessions can be
1892  * called explicitly.
1893  */
1894  rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
1895 
1896  /*
1897  * Always perform external lookups of sessions even if they are in the
1898  * internal cache.
1899  *
1900  * This flag has no effect on clients
1901  */
1902  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
1903 
1904  /*
1905  * Never automatically store sessions in the internal store.
1906  */
1907  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
1908 
1909  /*
1910  * Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
1911  * SESSION_CACHE_NO_INTERNAL_STORE.
1912  */
1913  rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
1914 
1923 
1925  for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
1927  }
1928  rb_obj_freeze(ary);
1929  /* The list of available SSL/TLS methods */
1930  rb_define_const(cSSLContext, "METHODS", ary);
1931 
1932  /*
1933  * Document-class: OpenSSL::SSL::SSLSocket
1934  *
1935  * The following attributes are available but don't show up in rdoc.
1936  * * io, context, sync_close
1937  *
1938  */
1941  for(i = 0; i < numberof(ossl_ssl_attr_readers); i++)
1943  for(i = 0; i < numberof(ossl_ssl_attrs); i++)
1945  rb_define_alias(cSSLSocket, "to_io", "io");
1946  rb_define_method(cSSLSocket, "initialize", ossl_ssl_initialize, -1);
1948  rb_define_method(cSSLSocket, "connect_nonblock", ossl_ssl_connect_nonblock, 0);
1950  rb_define_method(cSSLSocket, "accept_nonblock", ossl_ssl_accept_nonblock, 0);
1951  rb_define_method(cSSLSocket, "sysread", ossl_ssl_read, -1);
1953  rb_define_method(cSSLSocket, "syswrite", ossl_ssl_write, 1);
1955  rb_define_method(cSSLSocket, "sysclose", ossl_ssl_close, 0);
1962  rb_define_method(cSSLSocket, "session_reused?", ossl_ssl_session_reused, 0);
1966 
1967 #define ossl_ssl_def_const(x) rb_define_const(mSSL, #x, INT2NUM(SSL_##x))
1968 
1969  ossl_ssl_def_const(VERIFY_NONE);
1970  ossl_ssl_def_const(VERIFY_PEER);
1971  ossl_ssl_def_const(VERIFY_FAIL_IF_NO_PEER_CERT);
1972  ossl_ssl_def_const(VERIFY_CLIENT_ONCE);
1973  /* Introduce constants included in OP_ALL. These constants are mostly for
1974  * unset some bits in OP_ALL such as:
1975  * ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
1976  */
1977  ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
1978  ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
1979  ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
1980  ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
1981  ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
1982  ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
1983  ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
1984  ossl_ssl_def_const(OP_TLS_D5_BUG);
1985  ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
1986  ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
1987  ossl_ssl_def_const(OP_ALL);
1988 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
1989  ossl_ssl_def_const(OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
1990 #endif
1991 #if defined(SSL_OP_SINGLE_ECDH_USE)
1992  ossl_ssl_def_const(OP_SINGLE_ECDH_USE);
1993 #endif
1994  ossl_ssl_def_const(OP_SINGLE_DH_USE);
1995  ossl_ssl_def_const(OP_EPHEMERAL_RSA);
1996 #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
1997  ossl_ssl_def_const(OP_CIPHER_SERVER_PREFERENCE);
1998 #endif
1999  ossl_ssl_def_const(OP_TLS_ROLLBACK_BUG);
2000  ossl_ssl_def_const(OP_NO_SSLv2);
2001  ossl_ssl_def_const(OP_NO_SSLv3);
2002  ossl_ssl_def_const(OP_NO_TLSv1);
2003 #if defined(SSL_OP_NO_TICKET)
2004  ossl_ssl_def_const(OP_NO_TICKET);
2005 #endif
2006 #if defined(SSL_OP_NO_COMPRESSION)
2007  ossl_ssl_def_const(OP_NO_COMPRESSION);
2008 #endif
2009  ossl_ssl_def_const(OP_PKCS1_CHECK_1);
2010  ossl_ssl_def_const(OP_PKCS1_CHECK_2);
2011  ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
2012  ossl_ssl_def_const(OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
2013 }
2014