openssl: ssl-dh4096-param-path -> ssl-dh4096-param-bytes

This is a backward-incompatible changed, but no packages currently registered at pkgs.racket-lang.org refer to `ssl-dh4096-param-path`. Providing `ssl-dh4096-param-bytes`, instead, avoids carrying along an extra file with any stand-alone executable that depends on `openssl`.
2020-05-04 20:19:48 -06:00 · 2020-05-04 20:19:48 -06:00 · 83f27f637b
commit 83f27f637b
parent 5f6269cb19
3 changed files with 31 additions and 15 deletions
--- a/pkgs/racket-doc/openssl/openssl.scrbl
+++ b/pkgs/racket-doc/openssl/openssl.scrbl
@ -652,7 +652,7 @@ collection for testing purposes where the peer identifies itself using
@deftogether[[
@defproc[(ssl-server-context-enable-dhe!
           [context ssl-server-context?]
-           [dh-param-path path-string? ssl-dh4096-param-path])
+           [dh-param (or/c path-string? bytes?) ssl-dh4096-param-bytes])
         void?]
@defproc[(ssl-server-context-enable-ecdhe!
           [context ssl-server-context?]
@ -665,8 +665,9 @@ Enables cipher suites that provide
 forward secrecy} via ephemeral Diffie-Hellman (DHE) or ephemeral
 elliptic-curve Diffie-Hellman (ECDHE) key exchange, respectively.

-For DHE, the @racket[dh-param-path] must be a path to a PEM file
-containing DH parameters.
+For DHE, the @racket[dh-param] must be a path to a @filepath{.pem}
+file containing DH parameters or the content of such a file as a byte
+string.

 For ECDHE, the @racket[curve-name] must be one of the following
 symbols naming a standard elliptic curve:
@ -677,12 +678,16 @@ symbols naming a standard elliptic curve:
         secp160k1 secp160r1 secp160r2 secp192k1 secp224k1 secp224r1 secp256k1
         secp384r1 secp521r1 prime192v prime256v))
  ", ").
-}

-@defthing[ssl-dh4096-param-path path?]{
+@history[#:changed "7.7.0.4" @elem{Allow a byte string as the @racket[dh-param]
+                                   argument to @racket[ssl-server-context-enable-dhe!].}]}

-Path for 4096-bit Diffie-Hellman parameters.
-}
+@defthing[ssl-dh4096-param-bytes bytes?]{
+
+Byte string describing 4096-bit Diffie-Hellman parameters in @filepath{.pem} format.
+
+@history[#:changed "7.7.0.4" @elem{Added as a replacement for
+                                   @racketidfont{ssl-dh4096-param-path}.}]}

@defproc[(ssl-set-server-name-identification-callback!
           [context ssl-server-context?]
--- a/pkgs/racket-test/tests/openssl/test-ephemeral.rkt
+++ b/pkgs/racket-test/tests/openssl/test-ephemeral.rkt
@ -47,7 +47,7 @@
 [(memq 'tls12 (supported-server-protocols))
  ;; Test DHE ciphers (note: cipher spec is "EDH", contrary to openssl ciphers docs)
  (test-ephemeral (lambda (server-ctx)
-                    (ssl-server-context-enable-dhe! server-ctx ssl-dh4096-param-path))
+                    (ssl-server-context-enable-dhe! server-ctx ssl-dh4096-param-bytes))
                  "AES+EDH")

  ;; Test ECDHE ciphers
--- a/racket/collects/openssl/mzssl.rkt
+++ b/racket/collects/openssl/mzssl.rkt
@ -36,9 +36,10 @@ TO DO:
         racket/tcp
         racket/string
         racket/lazy-require
-         racket/runtime-path
+         racket/include
         "libcrypto.rkt"
-         "libssl.rkt")
+         "libssl.rkt"
+         (for-syntax racket/base))
 (lazy-require
 ["private/win32.rkt" (load-win32-store)]
 ["private/macosx.rkt" (load-macosx-keychain)])
@ -84,7 +85,7 @@ TO DO:
        (list/c 'macosx-keychain path-string?)))

 (provide
- ssl-dh4096-param-path
+ ssl-dh4096-param-bytes
 (contract-out
  [ssl-available? boolean?]
  [ssl-load-fail-reason (or/c #f string?)]
@ -103,7 +104,7 @@ TO DO:
         #:certificate-chain (or/c path-string? #f))
        ssl-server-context?)]
  [ssl-server-context-enable-dhe!
-   (->* (ssl-server-context?) (path-string?) void?)]
+   (->* (ssl-server-context?) ((or/c path-string? bytes?)) void?)]
  [ssl-server-context-enable-ecdhe!
   (->* (ssl-server-context?) (curve/c) void?)]
  [ssl-client-context?
@ -473,7 +474,15 @@ TO DO:
 (define SSL_TLSEXT_ERR_OK 0)
 (define SSL_TLSEXT_ERR_NOACK 3)

-(define-runtime-path ssl-dh4096-param-path "dh4096.pem")
+(define ssl-dh4096-param-bytes
+  (include/reader "dh4096.pem" (lambda (src port)
+                                 (let loop ([accum '()])
+                                   (define bstr (read-bytes 4096 port))
+                                   (if (eof-object? bstr)
+                                       (if (null? accum)
+                                           eof
+                                           (datum->syntax #'here (apply bytes-append (reverse accum))))
+                                       (loop (cons bstr accum)))))))

 ;; Make this bigger than 4096 to accommodate at least
 ;; 4096 of unencrypted data
@ -744,8 +753,10 @@ TO DO:
  (SSL_CTX_ctrl ctx SSL_CTRL_OPTIONS SSL_OP_SINGLE_ECDH_USE #f)
  (void))

-(define (ssl-server-context-enable-dhe! context [path ssl-dh4096-param-path])
-  (define params (call-with-input-file path port->bytes))
+(define (ssl-server-context-enable-dhe! context [ssl-dh4096-param ssl-dh4096-param-bytes])
+  (define params (if (bytes? ssl-dh4096-param)
+                     ssl-dh4096-param
+                     (call-with-input-file* ssl-dh4096-param port->bytes)))
  (define params-bio (BIO_new_mem_buf params (bytes-length params)))
  (check-valid params-bio 'ssl-server-context-enable-dhe! "loading Diffie-Hellman parameters")
  (with-failure