* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): move the default

tmp_dh_callback Ruby code and set it as a default in `initialize`.

* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_512_GEN):
  move this constant to Ruby.

* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_1024_GEN):
  ditto

* ext/openssl/ossl_pkey_dh.c (Init_ossl_dh): ditto

* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto

* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): tmp_dh_callback should
  always be set, so we can remove this conditional

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51380 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,21 @@
+Sun Jul 26 07:47:14 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): move the default
+	  tmp_dh_callback Ruby code and set it as a default in `initialize`.
+
+	* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_512_GEN):
+	  move this constant to Ruby.
+
+	* ext/openssl/ossl_pkey_dh.c (static unsigned char DEFAULT_DH_1024_GEN):
+	  ditto
+
+	* ext/openssl/ossl_pkey_dh.c (Init_ossl_dh): ditto
+
+	* ext/openssl/ossl_ssl.c (ossl_tmp_dh_callback): ditto
+
+	* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): tmp_dh_callback should
+	  always be set, so we can remove this conditional
+
 Sun Jul 26 06:22:24 2015  Aaron Patterson <tenderlove@ruby-lang.org>
 
 	* test/openssl/test_pair.rb: add a test ensuring that the default DH

ext/openssl/lib/openssl/ssl.rb

@@ -74,10 +74,24 @@ module OpenSSL
         DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
       end
 
+      if defined?(OpenSSL::PKey::DH)
+        DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+          warn "using default DH parameters." if $VERBOSE
+          case keylen
+          when 512  then OpenSSL::PKey::DH::DEFAULT_512
+          when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+          else
+            nil
+          end
+        }
+      else
+        DEFAULT_TMP_DH_CALLBACK = nil
+      end
+
       INIT_VARS = ["cert", "key", "client_ca", "ca_file", "ca_path",
         "timeout", "verify_mode", "verify_depth", "renegotiation_cb",
         "verify_callback", "options", "cert_store", "extra_chain_cert",
-        "client_cert_cb", "tmp_dh_callback", "session_id_context",
+        "client_cert_cb", "session_id_context",
         "session_get_cb", "session_new_cb", "session_remove_cb",
         "tmp_ecdh_callback", "servername_cb", "npn_protocols",
         "alpn_protocols", "alpn_select_cb",
@@ -91,6 +105,7 @@ module OpenSSL
       # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
       def initialize(version = nil)
         INIT_VARS.each { |v| instance_variable_set v, nil }
+        @tmp_dh_callback = DEFAULT_TMP_DH_CALLBACK
         return unless version
         self.ssl_version = version
       end

ext/openssl/ossl_pkey.h

@@ -84,8 +84,6 @@ void Init_ossl_dsa(void);
  */
 extern VALUE cDH;
 extern VALUE eDHError;
-extern DH *OSSL_DEFAULT_DH_512;
-extern DH *OSSL_DEFAULT_DH_1024;
 
 VALUE ossl_dh_new(EVP_PKEY *);
 void Init_ossl_dh(void);

ext/openssl/ossl_pkey_dh.c

@@ -540,7 +540,6 @@ static unsigned char DEFAULT_DH_512_PRIM[] = {
     0x44, 0x47, 0x19, 0xa1, 0x4a, 0xc8, 0x8b, 0xcb,
 };
 static unsigned char DEFAULT_DH_512_GEN[] = { 0x02 };
-DH *OSSL_DEFAULT_DH_512 = NULL;
 
 /*
  * -----BEGIN DH PARAMETERS-----
@@ -568,7 +567,6 @@ static unsigned char DEFAULT_DH_1024_PRIM[] = {
     0xff, 0x57, 0xe7, 0x19, 0x8d, 0x51, 0x77, 0x83
 };
 static unsigned char DEFAULT_DH_1024_GEN[] = { 0x02 };
-DH *OSSL_DEFAULT_DH_1024 = NULL;
 
 static DH*
 ossl_create_dh(unsigned char *p, size_t plen, unsigned char *g, size_t glen)
@@ -596,6 +594,8 @@ Init_ossl_dh(void)
     mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL and mPKey */
     mPKey = rb_define_module_under(mOSSL, "PKey");
 #endif
+    DH *OSSL_DEFAULT_DH_512;
+    DH *OSSL_DEFAULT_DH_1024;
 
     /* Document-class: OpenSSL::PKey::DHError
      *
@@ -658,6 +658,9 @@ Init_ossl_dh(void)
     OSSL_DEFAULT_DH_1024 = ossl_create_dh(
 	DEFAULT_DH_1024_PRIM, sizeof(DEFAULT_DH_1024_PRIM),
 	DEFAULT_DH_1024_GEN, sizeof(DEFAULT_DH_1024_GEN));
+
+    rb_define_const(cDH, "DEFAULT_512", dh_instance(cDH, OSSL_DEFAULT_DH_512));
+    rb_define_const(cDH, "DEFAULT_1024", dh_instance(cDH, OSSL_DEFAULT_DH_1024));
 }
 
 #else /* defined NO_DH */

ext/openssl/ossl_ssl.c

@@ -283,20 +283,6 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
 
     return GetPKeyPtr(ossl_ssl_get_tmp_dh(args[0]))->pkey.dh;
 }
-
-static DH*
-ossl_default_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
-{
-    rb_warning("using default DH parameters.");
-
-    switch(keylength){
-    case 512:
-	return OSSL_DEFAULT_DH_512;
-    case 1024:
-	return OSSL_DEFAULT_DH_1024;
-    }
-    return NULL;
-}
 #endif /* OPENSSL_NO_DH */
 
 #if !defined(OPENSSL_NO_EC)
@@ -708,12 +694,7 @@ ossl_sslctx_setup(VALUE self)
     GetSSLCTX(self, ctx);
 
 #if !defined(OPENSSL_NO_DH)
-    if (RTEST(ossl_sslctx_get_tmp_dh_cb(self))){
+    SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
-	SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
-    }
-    else{
-	SSL_CTX_set_tmp_dh_callback(ctx, ossl_default_tmp_dh_callback);
-    }
 #endif
 
 #if !defined(OPENSSL_NO_EC)