Compare commits
No commits in common. 'c9' and 'c8-stream-3.0' have entirely different histories.
c9
...
c8-stream-
File diff suppressed because it is too large
Load Diff
@ -1,630 +0,0 @@
|
|||||||
From 316cb2a41f154e4663d7e7fead60cfc0bfa86af9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 12 Apr 2021 13:55:10 +0900
|
|
||||||
Subject: [PATCH 1/2] pkey: do not check NULL argument in ossl_pkey_new()
|
|
||||||
|
|
||||||
Passing NULL to ossl_pkey_new() makes no sense in the first place, and
|
|
||||||
in fact it is ensured not to be NULL in all cases.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 6 +-----
|
|
||||||
ext/openssl/ossl_pkey.h | 1 +
|
|
||||||
2 files changed, 2 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index f9f5162e..820e4a2c 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -38,12 +38,8 @@ static VALUE
|
|
||||||
pkey_new0(EVP_PKEY *pkey)
|
|
||||||
{
|
|
||||||
VALUE klass, obj;
|
|
||||||
- int type;
|
|
||||||
|
|
||||||
- if (!pkey || (type = EVP_PKEY_base_id(pkey)) == EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(rb_eRuntimeError, "pkey is empty");
|
|
||||||
-
|
|
||||||
- switch (type) {
|
|
||||||
+ switch (EVP_PKEY_base_id(pkey)) {
|
|
||||||
#if !defined(OPENSSL_NO_RSA)
|
|
||||||
case EVP_PKEY_RSA: klass = cRSA; break;
|
|
||||||
#endif
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
|
|
||||||
index 4beede22..f0476780 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.h
|
|
||||||
+++ b/ext/openssl/ossl_pkey.h
|
|
||||||
@@ -35,6 +35,7 @@ extern const rb_data_type_t ossl_evp_pkey_type;
|
|
||||||
} \
|
|
||||||
} while (0)
|
|
||||||
|
|
||||||
+/* Takes ownership of the EVP_PKEY */
|
|
||||||
VALUE ossl_pkey_new(EVP_PKEY *);
|
|
||||||
void ossl_pkey_check_public_key(const EVP_PKEY *);
|
|
||||||
EVP_PKEY *ossl_pkey_read_generic(BIO *, VALUE);
|
|
||||||
|
|
||||||
From 74f6c6175688502a5bf27ae35367616858630c0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 12 Apr 2021 18:32:40 +0900
|
|
||||||
Subject: [PATCH 2/2] pkey: allocate EVP_PKEY on #initialize
|
|
||||||
|
|
||||||
Allocate an EVP_PKEY when the content is ready: when #initialize
|
|
||||||
or #initialize_copy is called, rather than when a T_DATA is allocated.
|
|
||||||
This is more natural because the lower level API has been deprecated
|
|
||||||
and an EVP_PKEY is becoming the minimum unit of handling keys.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 15 ++----
|
|
||||||
ext/openssl/ossl_pkey.h | 15 ++----
|
|
||||||
ext/openssl/ossl_pkey_dh.c | 71 +++++++++++++++++++--------
|
|
||||||
ext/openssl/ossl_pkey_dsa.c | 93 ++++++++++++++++++++---------------
|
|
||||||
ext/openssl/ossl_pkey_ec.c | 91 +++++++++++++++++++----------------
|
|
||||||
ext/openssl/ossl_pkey_rsa.c | 96 ++++++++++++++++++++++---------------
|
|
||||||
6 files changed, 218 insertions(+), 163 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 820e4a2c..ea75d63f 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -54,8 +54,8 @@ pkey_new0(EVP_PKEY *pkey)
|
|
||||||
#endif
|
|
||||||
default: klass = cPKey; break;
|
|
||||||
}
|
|
||||||
- obj = NewPKey(klass);
|
|
||||||
- SetPKey(obj, pkey);
|
|
||||||
+ obj = rb_obj_alloc(klass);
|
|
||||||
+ RTYPEDDATA_DATA(obj) = pkey;
|
|
||||||
return obj;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -511,16 +511,7 @@ DupPKeyPtr(VALUE obj)
|
|
||||||
static VALUE
|
|
||||||
ossl_pkey_alloc(VALUE klass)
|
|
||||||
{
|
|
||||||
- EVP_PKEY *pkey;
|
|
||||||
- VALUE obj;
|
|
||||||
-
|
|
||||||
- obj = NewPKey(klass);
|
|
||||||
- if (!(pkey = EVP_PKEY_new())) {
|
|
||||||
- ossl_raise(ePKeyError, NULL);
|
|
||||||
- }
|
|
||||||
- SetPKey(obj, pkey);
|
|
||||||
-
|
|
||||||
- return obj;
|
|
||||||
+ return TypedData_Wrap_Struct(klass, &ossl_evp_pkey_type, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
|
|
||||||
index f0476780..ed18bc69 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.h
|
|
||||||
+++ b/ext/openssl/ossl_pkey.h
|
|
||||||
@@ -15,19 +15,10 @@ extern VALUE cPKey;
|
|
||||||
extern VALUE ePKeyError;
|
|
||||||
extern const rb_data_type_t ossl_evp_pkey_type;
|
|
||||||
|
|
||||||
-#define OSSL_PKEY_SET_PRIVATE(obj) rb_iv_set((obj), "private", Qtrue)
|
|
||||||
-#define OSSL_PKEY_SET_PUBLIC(obj) rb_iv_set((obj), "private", Qfalse)
|
|
||||||
-#define OSSL_PKEY_IS_PRIVATE(obj) (rb_iv_get((obj), "private") == Qtrue)
|
|
||||||
+/* For ENGINE */
|
|
||||||
+#define OSSL_PKEY_SET_PRIVATE(obj) rb_ivar_set((obj), rb_intern("private"), Qtrue)
|
|
||||||
+#define OSSL_PKEY_IS_PRIVATE(obj) (rb_attr_get((obj), rb_intern("private")) == Qtrue)
|
|
||||||
|
|
||||||
-#define NewPKey(klass) \
|
|
||||||
- TypedData_Wrap_Struct((klass), &ossl_evp_pkey_type, 0)
|
|
||||||
-#define SetPKey(obj, pkey) do { \
|
|
||||||
- if (!(pkey)) { \
|
|
||||||
- rb_raise(rb_eRuntimeError, "PKEY wasn't initialized!"); \
|
|
||||||
- } \
|
|
||||||
- RTYPEDDATA_DATA(obj) = (pkey); \
|
|
||||||
- OSSL_PKEY_SET_PUBLIC(obj); \
|
|
||||||
-} while (0)
|
|
||||||
#define GetPKey(obj, pkey) do {\
|
|
||||||
TypedData_Get_Struct((obj), EVP_PKEY, &ossl_evp_pkey_type, (pkey)); \
|
|
||||||
if (!(pkey)) { \
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
index ca782bbe..04c11b21 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dh.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
@@ -72,34 +72,57 @@ static VALUE
|
|
||||||
ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
+ int type;
|
|
||||||
DH *dh;
|
|
||||||
- BIO *in;
|
|
||||||
+ BIO *in = NULL;
|
|
||||||
VALUE arg;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
+
|
|
||||||
/* The DH.new(size, generator) form is handled by lib/openssl/pkey.rb */
|
|
||||||
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
|
||||||
dh = DH_new();
|
|
||||||
if (!dh)
|
|
||||||
ossl_raise(eDHError, "DH_new");
|
|
||||||
+ goto legacy;
|
|
||||||
}
|
|
||||||
- else {
|
|
||||||
- arg = ossl_to_der_if_possible(arg);
|
|
||||||
- in = ossl_obj2bio(&arg);
|
|
||||||
- dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
|
|
||||||
- if (!dh){
|
|
||||||
- OSSL_BIO_reset(in);
|
|
||||||
- dh = d2i_DHparams_bio(in, NULL);
|
|
||||||
- }
|
|
||||||
- BIO_free(in);
|
|
||||||
- if (!dh) {
|
|
||||||
- ossl_raise(eDHError, NULL);
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ arg = ossl_to_der_if_possible(arg);
|
|
||||||
+ in = ossl_obj2bio(&arg);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * On OpenSSL <= 1.1.1 and current versions of LibreSSL, the generic
|
|
||||||
+ * routine does not support DER-encoded parameters
|
|
||||||
+ */
|
|
||||||
+ dh = d2i_DHparams_bio(in, NULL);
|
|
||||||
+ if (dh)
|
|
||||||
+ goto legacy;
|
|
||||||
+ OSSL_BIO_reset(in);
|
|
||||||
+
|
|
||||||
+ pkey = ossl_pkey_read_generic(in, Qnil);
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ if (!pkey)
|
|
||||||
+ ossl_raise(eDHError, "could not parse pkey");
|
|
||||||
+
|
|
||||||
+ type = EVP_PKEY_base_id(pkey);
|
|
||||||
+ if (type != EVP_PKEY_DH) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ rb_raise(eDHError, "incorrect pkey type: %s", OBJ_nid2sn(type));
|
|
||||||
}
|
|
||||||
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
|
|
||||||
- DH_free(dh);
|
|
||||||
- ossl_raise(eDHError, NULL);
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
+ return self;
|
|
||||||
+
|
|
||||||
+ legacy:
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ DH_free(dh);
|
|
||||||
+ ossl_raise(eDHError, "EVP_PKEY_assign_DH");
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -110,15 +133,14 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
|
|
||||||
DH *dh, *dh_other;
|
|
||||||
const BIGNUM *pub, *priv;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(eDHError, "DH already initialized");
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
GetDH(other, dh_other);
|
|
||||||
|
|
||||||
dh = DHparams_dup(dh_other);
|
|
||||||
if (!dh)
|
|
||||||
ossl_raise(eDHError, "DHparams_dup");
|
|
||||||
- EVP_PKEY_assign_DH(pkey, dh);
|
|
||||||
|
|
||||||
DH_get0_key(dh_other, &pub, &priv);
|
|
||||||
if (pub) {
|
|
||||||
@@ -133,6 +155,13 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
|
|
||||||
DH_set0_key(dh, pub2, priv2);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ DH_free(dh);
|
|
||||||
+ ossl_raise(eDHError, "EVP_PKEY_assign_DH");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
index 7af00eeb..15724548 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
@@ -83,50 +83,59 @@ VALUE eDSAError;
|
|
||||||
static VALUE
|
|
||||||
ossl_dsa_initialize(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
- EVP_PKEY *pkey, *tmp;
|
|
||||||
- DSA *dsa = NULL;
|
|
||||||
- BIO *in;
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
+ DSA *dsa;
|
|
||||||
+ BIO *in = NULL;
|
|
||||||
VALUE arg, pass;
|
|
||||||
+ int type;
|
|
||||||
+
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
/* The DSA.new(size, generator) form is handled by lib/openssl/pkey.rb */
|
|
||||||
rb_scan_args(argc, argv, "02", &arg, &pass);
|
|
||||||
if (argc == 0) {
|
|
||||||
dsa = DSA_new();
|
|
||||||
if (!dsa)
|
|
||||||
ossl_raise(eDSAError, "DSA_new");
|
|
||||||
+ goto legacy;
|
|
||||||
}
|
|
||||||
- else {
|
|
||||||
- pass = ossl_pem_passwd_value(pass);
|
|
||||||
- arg = ossl_to_der_if_possible(arg);
|
|
||||||
- in = ossl_obj2bio(&arg);
|
|
||||||
-
|
|
||||||
- tmp = ossl_pkey_read_generic(in, pass);
|
|
||||||
- if (tmp) {
|
|
||||||
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_DSA)
|
|
||||||
- rb_raise(eDSAError, "incorrect pkey type: %s",
|
|
||||||
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
|
|
||||||
- dsa = EVP_PKEY_get1_DSA(tmp);
|
|
||||||
- EVP_PKEY_free(tmp);
|
|
||||||
- }
|
|
||||||
- if (!dsa) {
|
|
||||||
- OSSL_BIO_reset(in);
|
|
||||||
-#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
|
|
||||||
- (d2i_of_void *)d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void **)(x), (cb), (u))
|
|
||||||
- dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
|
|
||||||
-#undef PEM_read_bio_DSAPublicKey
|
|
||||||
- }
|
|
||||||
- BIO_free(in);
|
|
||||||
- if (!dsa) {
|
|
||||||
- ossl_clear_error();
|
|
||||||
- ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- if (!EVP_PKEY_assign_DSA(pkey, dsa)) {
|
|
||||||
- DSA_free(dsa);
|
|
||||||
- ossl_raise(eDSAError, NULL);
|
|
||||||
+
|
|
||||||
+ pass = ossl_pem_passwd_value(pass);
|
|
||||||
+ arg = ossl_to_der_if_possible(arg);
|
|
||||||
+ in = ossl_obj2bio(&arg);
|
|
||||||
+
|
|
||||||
+ /* DER-encoded DSAPublicKey format isn't supported by the generic routine */
|
|
||||||
+ dsa = (DSA *)PEM_ASN1_read_bio((d2i_of_void *)d2i_DSAPublicKey,
|
|
||||||
+ PEM_STRING_DSA_PUBLIC,
|
|
||||||
+ in, NULL, NULL, NULL);
|
|
||||||
+ if (dsa)
|
|
||||||
+ goto legacy;
|
|
||||||
+ OSSL_BIO_reset(in);
|
|
||||||
+
|
|
||||||
+ pkey = ossl_pkey_read_generic(in, pass);
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ if (!pkey)
|
|
||||||
+ ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
|
|
||||||
+
|
|
||||||
+ type = EVP_PKEY_base_id(pkey);
|
|
||||||
+ if (type != EVP_PKEY_DSA) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
+ return self;
|
|
||||||
|
|
||||||
+ legacy:
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ DSA_free(dsa);
|
|
||||||
+ ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -136,16 +145,24 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
DSA *dsa, *dsa_new;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(eDSAError, "DSA already initialized");
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
GetDSA(other, dsa);
|
|
||||||
|
|
||||||
- dsa_new = ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, (d2i_of_void *)d2i_DSAPrivateKey, (char *)dsa);
|
|
||||||
+ dsa_new = (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey,
|
|
||||||
+ (d2i_of_void *)d2i_DSAPrivateKey,
|
|
||||||
+ (char *)dsa);
|
|
||||||
if (!dsa_new)
|
|
||||||
ossl_raise(eDSAError, "ASN1_dup");
|
|
||||||
|
|
||||||
- EVP_PKEY_assign_DSA(pkey, dsa_new);
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa_new) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ DSA_free(dsa_new);
|
|
||||||
+ ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
index db80d112..71e63969 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_ec.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
@@ -114,13 +114,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
|
|
||||||
VALUE obj;
|
|
||||||
|
|
||||||
obj = rb_obj_alloc(klass);
|
|
||||||
- GetPKey(obj, pkey);
|
|
||||||
|
|
||||||
ec = ec_key_new_from_group(arg);
|
|
||||||
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
EC_KEY_free(ec);
|
|
||||||
ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(obj) = pkey;
|
|
||||||
+
|
|
||||||
if (!EC_KEY_generate_key(ec))
|
|
||||||
ossl_raise(eECError, "EC_KEY_generate_key");
|
|
||||||
|
|
||||||
@@ -141,51 +144,54 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
|
|
||||||
static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
- EC_KEY *ec = NULL;
|
|
||||||
+ EC_KEY *ec;
|
|
||||||
+ BIO *in;
|
|
||||||
VALUE arg, pass;
|
|
||||||
+ int type;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(eECError, "EC_KEY already initialized");
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
|
|
||||||
rb_scan_args(argc, argv, "02", &arg, &pass);
|
|
||||||
-
|
|
||||||
if (NIL_P(arg)) {
|
|
||||||
if (!(ec = EC_KEY_new()))
|
|
||||||
- ossl_raise(eECError, NULL);
|
|
||||||
- } else if (rb_obj_is_kind_of(arg, cEC)) {
|
|
||||||
- EC_KEY *other_ec = NULL;
|
|
||||||
+ ossl_raise(eECError, "EC_KEY_new");
|
|
||||||
+ goto legacy;
|
|
||||||
+ }
|
|
||||||
+ else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
|
|
||||||
+ ec = ec_key_new_from_group(arg);
|
|
||||||
+ goto legacy;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- GetEC(arg, other_ec);
|
|
||||||
- if (!(ec = EC_KEY_dup(other_ec)))
|
|
||||||
- ossl_raise(eECError, NULL);
|
|
||||||
- } else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
|
|
||||||
- ec = ec_key_new_from_group(arg);
|
|
||||||
- } else {
|
|
||||||
- BIO *in = ossl_obj2bio(&arg);
|
|
||||||
- EVP_PKEY *tmp;
|
|
||||||
- pass = ossl_pem_passwd_value(pass);
|
|
||||||
- tmp = ossl_pkey_read_generic(in, pass);
|
|
||||||
- if (tmp) {
|
|
||||||
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_EC)
|
|
||||||
- rb_raise(eECError, "incorrect pkey type: %s",
|
|
||||||
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
|
|
||||||
- ec = EVP_PKEY_get1_EC_KEY(tmp);
|
|
||||||
- EVP_PKEY_free(tmp);
|
|
||||||
- }
|
|
||||||
- BIO_free(in);
|
|
||||||
+ pass = ossl_pem_passwd_value(pass);
|
|
||||||
+ arg = ossl_to_der_if_possible(arg);
|
|
||||||
+ in = ossl_obj2bio(&arg);
|
|
||||||
|
|
||||||
- if (!ec) {
|
|
||||||
- ossl_clear_error();
|
|
||||||
- ec = ec_key_new_from_group(arg);
|
|
||||||
- }
|
|
||||||
+ pkey = ossl_pkey_read_generic(in, pass);
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ if (!pkey) {
|
|
||||||
+ ossl_clear_error();
|
|
||||||
+ ec = ec_key_new_from_group(arg);
|
|
||||||
+ goto legacy;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
|
|
||||||
- EC_KEY_free(ec);
|
|
||||||
- ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
|
|
||||||
+ type = EVP_PKEY_base_id(pkey);
|
|
||||||
+ if (type != EVP_PKEY_EC) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
+ return self;
|
|
||||||
|
|
||||||
+ legacy:
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ EC_KEY_free(ec);
|
|
||||||
+ ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -195,18 +201,21 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
EC_KEY *ec, *ec_new;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(eECError, "EC already initialized");
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
GetEC(other, ec);
|
|
||||||
|
|
||||||
ec_new = EC_KEY_dup(ec);
|
|
||||||
if (!ec_new)
|
|
||||||
ossl_raise(eECError, "EC_KEY_dup");
|
|
||||||
- if (!EVP_PKEY_assign_EC_KEY(pkey, ec_new)) {
|
|
||||||
- EC_KEY_free(ec_new);
|
|
||||||
- ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
|
|
||||||
+
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec_new) != 1) {
|
|
||||||
+ EC_KEY_free(ec_new);
|
|
||||||
+ ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
index 8ebd3ec5..b8dbc0e1 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
@@ -76,51 +76,62 @@ VALUE eRSAError;
|
|
||||||
static VALUE
|
|
||||||
ossl_rsa_initialize(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
- EVP_PKEY *pkey, *tmp;
|
|
||||||
- RSA *rsa = NULL;
|
|
||||||
- BIO *in;
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
+ RSA *rsa;
|
|
||||||
+ BIO *in = NULL;
|
|
||||||
VALUE arg, pass;
|
|
||||||
+ int type;
|
|
||||||
+
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
/* The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb */
|
|
||||||
rb_scan_args(argc, argv, "02", &arg, &pass);
|
|
||||||
if (argc == 0) {
|
|
||||||
rsa = RSA_new();
|
|
||||||
if (!rsa)
|
|
||||||
ossl_raise(eRSAError, "RSA_new");
|
|
||||||
+ goto legacy;
|
|
||||||
}
|
|
||||||
- else {
|
|
||||||
- pass = ossl_pem_passwd_value(pass);
|
|
||||||
- arg = ossl_to_der_if_possible(arg);
|
|
||||||
- in = ossl_obj2bio(&arg);
|
|
||||||
-
|
|
||||||
- tmp = ossl_pkey_read_generic(in, pass);
|
|
||||||
- if (tmp) {
|
|
||||||
- if (EVP_PKEY_base_id(tmp) != EVP_PKEY_RSA)
|
|
||||||
- rb_raise(eRSAError, "incorrect pkey type: %s",
|
|
||||||
- OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
|
|
||||||
- rsa = EVP_PKEY_get1_RSA(tmp);
|
|
||||||
- EVP_PKEY_free(tmp);
|
|
||||||
- }
|
|
||||||
- if (!rsa) {
|
|
||||||
- OSSL_BIO_reset(in);
|
|
||||||
- rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
|
|
||||||
- }
|
|
||||||
- if (!rsa) {
|
|
||||||
- OSSL_BIO_reset(in);
|
|
||||||
- rsa = d2i_RSAPublicKey_bio(in, NULL);
|
|
||||||
- }
|
|
||||||
- BIO_free(in);
|
|
||||||
- if (!rsa) {
|
|
||||||
- ossl_clear_error();
|
|
||||||
- ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
|
|
||||||
- RSA_free(rsa);
|
|
||||||
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
|
|
||||||
+
|
|
||||||
+ pass = ossl_pem_passwd_value(pass);
|
|
||||||
+ arg = ossl_to_der_if_possible(arg);
|
|
||||||
+ in = ossl_obj2bio(&arg);
|
|
||||||
+
|
|
||||||
+ /* First try RSAPublicKey format */
|
|
||||||
+ rsa = d2i_RSAPublicKey_bio(in, NULL);
|
|
||||||
+ if (rsa)
|
|
||||||
+ goto legacy;
|
|
||||||
+ OSSL_BIO_reset(in);
|
|
||||||
+ rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
|
|
||||||
+ if (rsa)
|
|
||||||
+ goto legacy;
|
|
||||||
+ OSSL_BIO_reset(in);
|
|
||||||
+
|
|
||||||
+ /* Use the generic routine */
|
|
||||||
+ pkey = ossl_pkey_read_generic(in, pass);
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ if (!pkey)
|
|
||||||
+ ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
|
|
||||||
+
|
|
||||||
+ type = EVP_PKEY_base_id(pkey);
|
|
||||||
+ if (type != EVP_PKEY_RSA) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ rb_raise(eRSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
|
|
||||||
}
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
+ return self;
|
|
||||||
|
|
||||||
+ legacy:
|
|
||||||
+ BIO_free(in);
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ RSA_free(rsa);
|
|
||||||
+ ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -130,16 +141,23 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
RSA *rsa, *rsa_new;
|
|
||||||
|
|
||||||
- GetPKey(self, pkey);
|
|
||||||
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
|
|
||||||
- ossl_raise(eRSAError, "RSA already initialized");
|
|
||||||
+ TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
|
|
||||||
+ if (pkey)
|
|
||||||
+ rb_raise(rb_eTypeError, "pkey already initialized");
|
|
||||||
GetRSA(other, rsa);
|
|
||||||
|
|
||||||
- rsa_new = ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey, (d2i_of_void *)d2i_RSAPrivateKey, (char *)rsa);
|
|
||||||
+ rsa_new = (RSA *)ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey,
|
|
||||||
+ (d2i_of_void *)d2i_RSAPrivateKey,
|
|
||||||
+ (char *)rsa);
|
|
||||||
if (!rsa_new)
|
|
||||||
ossl_raise(eRSAError, "ASN1_dup");
|
|
||||||
|
|
||||||
- EVP_PKEY_assign_RSA(pkey, rsa_new);
|
|
||||||
+ pkey = EVP_PKEY_new();
|
|
||||||
+ if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa_new) != 1) {
|
|
||||||
+ RSA_free(rsa_new);
|
|
||||||
+ ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
|
|
||||||
+ }
|
|
||||||
+ RTYPEDDATA_DATA(self) = pkey;
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
@ -1,358 +0,0 @@
|
|||||||
From f2cf3afc6fa1e13e960f732c0bc658ad408ee219 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 12 Jun 2020 14:12:59 +0900
|
|
||||||
Subject: [PATCH 1/3] pkey: fix potential memory leak in PKey#sign
|
|
||||||
|
|
||||||
Fix potential leak of EVP_MD_CTX object in an error path. This path is
|
|
||||||
normally unreachable, since the size of a signature generated by any
|
|
||||||
supported algorithms would not be larger than LONG_MAX.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 8 ++++++--
|
|
||||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index df8b425a0f..7488190e0e 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -777,8 +777,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
ossl_raise(ePKeyError, "EVP_DigestSign");
|
|
||||||
}
|
|
||||||
- if (siglen > LONG_MAX)
|
|
||||||
+ if (siglen > LONG_MAX) {
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
rb_raise(ePKeyError, "signature would be too large");
|
|
||||||
+ }
|
|
||||||
sig = ossl_str_new(NULL, (long)siglen, &state);
|
|
||||||
if (state) {
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
@@ -799,8 +801,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
ossl_raise(ePKeyError, "EVP_DigestSignFinal");
|
|
||||||
}
|
|
||||||
- if (siglen > LONG_MAX)
|
|
||||||
+ if (siglen > LONG_MAX) {
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
rb_raise(ePKeyError, "signature would be too large");
|
|
||||||
+ }
|
|
||||||
sig = ossl_str_new(NULL, (long)siglen, &state);
|
|
||||||
if (state) {
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From 8b30ce20eb9e03180c28288e29a96308e594f860 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 2 Apr 2021 23:58:48 +0900
|
|
||||||
Subject: [PATCH 2/3] pkey: prepare pkey_ctx_apply_options() for usage by other
|
|
||||||
operations
|
|
||||||
|
|
||||||
The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used
|
|
||||||
by key generation, but it is useful for other operations too. Let's
|
|
||||||
change it to a slightly more generic name.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 22 ++++++++++++++--------
|
|
||||||
1 file changed, 14 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 7488190e0e..fed4a2b81f 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -198,7 +198,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
|
|
||||||
}
|
|
||||||
|
|
||||||
static VALUE
|
|
||||||
-pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
|
||||||
+pkey_ctx_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
|
||||||
{
|
|
||||||
VALUE key = rb_ary_entry(i, 0), value = rb_ary_entry(i, 1);
|
|
||||||
EVP_PKEY_CTX *ctx = (EVP_PKEY_CTX *)ctx_v;
|
|
||||||
@@ -214,15 +214,25 @@ pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
|
|
||||||
}
|
|
||||||
|
|
||||||
static VALUE
|
|
||||||
-pkey_gen_apply_options0(VALUE args_v)
|
|
||||||
+pkey_ctx_apply_options0(VALUE args_v)
|
|
||||||
{
|
|
||||||
VALUE *args = (VALUE *)args_v;
|
|
||||||
|
|
||||||
rb_block_call(args[1], rb_intern("each"), 0, NULL,
|
|
||||||
- pkey_gen_apply_options_i, args[0]);
|
|
||||||
+ pkey_ctx_apply_options_i, args[0]);
|
|
||||||
return Qnil;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void
|
|
||||||
+pkey_ctx_apply_options(EVP_PKEY_CTX *ctx, VALUE options, int *state)
|
|
||||||
+{
|
|
||||||
+ VALUE args[2];
|
|
||||||
+ args[0] = (VALUE)ctx;
|
|
||||||
+ args[1] = options;
|
|
||||||
+
|
|
||||||
+ rb_protect(pkey_ctx_apply_options0, (VALUE)args, state);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
struct pkey_blocking_generate_arg {
|
|
||||||
EVP_PKEY_CTX *ctx;
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
@@ -330,11 +340,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!NIL_P(options)) {
|
|
||||||
- VALUE args[2];
|
|
||||||
-
|
|
||||||
- args[0] = (VALUE)ctx;
|
|
||||||
- args[1] = options;
|
|
||||||
- rb_protect(pkey_gen_apply_options0, (VALUE)args, &state);
|
|
||||||
+ pkey_ctx_apply_options(ctx, options, &state);
|
|
||||||
if (state) {
|
|
||||||
EVP_PKEY_CTX_free(ctx);
|
|
||||||
rb_jump_tag(state);
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From 4c7b0f91da666961d11908b94520db4e09ce4e67 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 18 Jul 2020 20:40:39 +0900
|
|
||||||
Subject: [PATCH 3/3] pkey: allow setting algorithm-specific options in #sign
|
|
||||||
and #verify
|
|
||||||
|
|
||||||
Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let
|
|
||||||
OpenSSL::PKey::PKey#sign and #verify take an optional parameter for
|
|
||||||
specifying control strings for EVP_PKEY_CTX_ctrl_str().
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 113 ++++++++++++++++++++++------------
|
|
||||||
test/openssl/test_pkey_rsa.rb | 34 +++++-----
|
|
||||||
2 files changed, 89 insertions(+), 58 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index fed4a2b81f..22e9f19982 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -739,33 +739,51 @@ ossl_pkey_public_to_pem(VALUE self)
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * call-seq:
|
|
||||||
- * pkey.sign(digest, data) -> String
|
|
||||||
+ * call-seq:
|
|
||||||
+ * pkey.sign(digest, data [, options]) -> string
|
|
||||||
*
|
|
||||||
- * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must
|
|
||||||
- * be provided. The return value is again a String containing the signature.
|
|
||||||
- * A PKeyError is raised should errors occur.
|
|
||||||
- * Any previous state of the Digest instance is irrelevant to the signature
|
|
||||||
- * outcome, the digest instance is reset to its initial state during the
|
|
||||||
- * operation.
|
|
||||||
+ * Hashes and signs the +data+ using a message digest algorithm +digest+ and
|
|
||||||
+ * a private key +pkey+.
|
|
||||||
*
|
|
||||||
- * == Example
|
|
||||||
- * data = 'Sign me!'
|
|
||||||
- * digest = OpenSSL::Digest.new('SHA256')
|
|
||||||
- * pkey = OpenSSL::PKey::RSA.new(2048)
|
|
||||||
- * signature = pkey.sign(digest, data)
|
|
||||||
+ * See #verify for the verification operation.
|
|
||||||
+ *
|
|
||||||
+ * See also the man page EVP_DigestSign(3).
|
|
||||||
+ *
|
|
||||||
+ * +digest+::
|
|
||||||
+ * A String that represents the message digest algorithm name, or +nil+
|
|
||||||
+ * if the PKey type requires no digest algorithm.
|
|
||||||
+ * For backwards compatibility, this can be an instance of OpenSSL::Digest.
|
|
||||||
+ * Its state will not affect the signature.
|
|
||||||
+ * +data+::
|
|
||||||
+ * A String. The data to be hashed and signed.
|
|
||||||
+ * +options+::
|
|
||||||
+ * A Hash that contains algorithm specific control operations to \OpenSSL.
|
|
||||||
+ * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
|
|
||||||
+ * +options+ parameter was added in version 2.3.
|
|
||||||
+ *
|
|
||||||
+ * Example:
|
|
||||||
+ * data = "Sign me!"
|
|
||||||
+ * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
|
|
||||||
+ * signopts = { rsa_padding_mode: "pss" }
|
|
||||||
+ * signature = pkey.sign("SHA256", data, signopts)
|
|
||||||
+ *
|
|
||||||
+ * # Creates a copy of the RSA key pkey, but without the private components
|
|
||||||
+ * pub_key = pkey.public_key
|
|
||||||
+ * puts pub_key.verify("SHA256", signature, data, signopts) # => true
|
|
||||||
*/
|
|
||||||
static VALUE
|
|
||||||
-ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|
||||||
+ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
+ VALUE digest, data, options, sig;
|
|
||||||
const EVP_MD *md = NULL;
|
|
||||||
EVP_MD_CTX *ctx;
|
|
||||||
+ EVP_PKEY_CTX *pctx;
|
|
||||||
size_t siglen;
|
|
||||||
int state;
|
|
||||||
- VALUE sig;
|
|
||||||
|
|
||||||
pkey = GetPrivPKeyPtr(self);
|
|
||||||
+ rb_scan_args(argc, argv, "21", &digest, &data, &options);
|
|
||||||
if (!NIL_P(digest))
|
|
||||||
md = ossl_evp_get_digestbyname(digest);
|
|
||||||
StringValue(data);
|
|
||||||
@@ -773,10 +791,17 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|
||||||
ctx = EVP_MD_CTX_new();
|
|
||||||
if (!ctx)
|
|
||||||
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
|
|
||||||
- if (EVP_DigestSignInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
|
|
||||||
+ if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
ossl_raise(ePKeyError, "EVP_DigestSignInit");
|
|
||||||
}
|
|
||||||
+ if (!NIL_P(options)) {
|
|
||||||
+ pkey_ctx_apply_options(pctx, options, &state);
|
|
||||||
+ if (state) {
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ rb_jump_tag(state);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
|
|
||||||
RSTRING_LEN(data)) < 1) {
|
|
||||||
@@ -828,35 +853,40 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * call-seq:
|
|
||||||
- * pkey.verify(digest, signature, data) -> String
|
|
||||||
+ * call-seq:
|
|
||||||
+ * pkey.verify(digest, signature, data [, options]) -> true or false
|
|
||||||
*
|
|
||||||
- * To verify the String _signature_, _digest_, an instance of
|
|
||||||
- * OpenSSL::Digest, must be provided to re-compute the message digest of the
|
|
||||||
- * original _data_, also a String. The return value is +true+ if the
|
|
||||||
- * signature is valid, +false+ otherwise. A PKeyError is raised should errors
|
|
||||||
- * occur.
|
|
||||||
- * Any previous state of the Digest instance is irrelevant to the validation
|
|
||||||
- * outcome, the digest instance is reset to its initial state during the
|
|
||||||
- * operation.
|
|
||||||
+ * Verifies the +signature+ for the +data+ using a message digest algorithm
|
|
||||||
+ * +digest+ and a public key +pkey+.
|
|
||||||
*
|
|
||||||
- * == Example
|
|
||||||
- * data = 'Sign me!'
|
|
||||||
- * digest = OpenSSL::Digest.new('SHA256')
|
|
||||||
- * pkey = OpenSSL::PKey::RSA.new(2048)
|
|
||||||
- * signature = pkey.sign(digest, data)
|
|
||||||
- * pub_key = pkey.public_key
|
|
||||||
- * puts pub_key.verify(digest, signature, data) # => true
|
|
||||||
+ * Returns +true+ if the signature is successfully verified, +false+ otherwise.
|
|
||||||
+ * The caller must check the return value.
|
|
||||||
+ *
|
|
||||||
+ * See #sign for the signing operation and an example.
|
|
||||||
+ *
|
|
||||||
+ * See also the man page EVP_DigestVerify(3).
|
|
||||||
+ *
|
|
||||||
+ * +digest+::
|
|
||||||
+ * See #sign.
|
|
||||||
+ * +signature+::
|
|
||||||
+ * A String containing the signature to be verified.
|
|
||||||
+ * +data+::
|
|
||||||
+ * See #sign.
|
|
||||||
+ * +options+::
|
|
||||||
+ * See #sign. +options+ parameter was added in version 2.3.
|
|
||||||
*/
|
|
||||||
static VALUE
|
|
||||||
-ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
|
|
||||||
+ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
+ VALUE digest, sig, data, options;
|
|
||||||
const EVP_MD *md = NULL;
|
|
||||||
EVP_MD_CTX *ctx;
|
|
||||||
- int ret;
|
|
||||||
+ EVP_PKEY_CTX *pctx;
|
|
||||||
+ int state, ret;
|
|
||||||
|
|
||||||
GetPKey(self, pkey);
|
|
||||||
+ rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);
|
|
||||||
ossl_pkey_check_public_key(pkey);
|
|
||||||
if (!NIL_P(digest))
|
|
||||||
md = ossl_evp_get_digestbyname(digest);
|
|
||||||
@@ -866,10 +896,17 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
|
|
||||||
ctx = EVP_MD_CTX_new();
|
|
||||||
if (!ctx)
|
|
||||||
ossl_raise(ePKeyError, "EVP_MD_CTX_new");
|
|
||||||
- if (EVP_DigestVerifyInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
|
|
||||||
+ if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
|
|
||||||
EVP_MD_CTX_free(ctx);
|
|
||||||
ossl_raise(ePKeyError, "EVP_DigestVerifyInit");
|
|
||||||
}
|
|
||||||
+ if (!NIL_P(options)) {
|
|
||||||
+ pkey_ctx_apply_options(pctx, options, &state);
|
|
||||||
+ if (state) {
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ rb_jump_tag(state);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
|
|
||||||
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
|
|
||||||
@@ -1042,8 +1079,8 @@ Init_ossl_pkey(void)
|
|
||||||
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
|
|
||||||
rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);
|
|
||||||
|
|
||||||
- rb_define_method(cPKey, "sign", ossl_pkey_sign, 2);
|
|
||||||
- rb_define_method(cPKey, "verify", ossl_pkey_verify, 3);
|
|
||||||
+ rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);
|
|
||||||
+ rb_define_method(cPKey, "verify", ossl_pkey_verify, -1);
|
|
||||||
rb_define_method(cPKey, "derive", ossl_pkey_derive, -1);
|
|
||||||
|
|
||||||
id_private_q = rb_intern("private?");
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index 88164c3b52..d1e68dbc9f 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -117,27 +117,21 @@ def test_sign_verify
|
|
||||||
assert_equal false, rsa1024.verify("SHA256", signature1, data)
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_digest_state_irrelevant_sign
|
|
||||||
+ def test_sign_verify_options
|
|
||||||
key = Fixtures.pkey("rsa1024")
|
|
||||||
- digest1 = OpenSSL::Digest.new('SHA1')
|
|
||||||
- digest2 = OpenSSL::Digest.new('SHA1')
|
|
||||||
- data = 'Sign me!'
|
|
||||||
- digest1 << 'Change state of digest1'
|
|
||||||
- sig1 = key.sign(digest1, data)
|
|
||||||
- sig2 = key.sign(digest2, data)
|
|
||||||
- assert_equal(sig1, sig2)
|
|
||||||
- end
|
|
||||||
-
|
|
||||||
- def test_digest_state_irrelevant_verify
|
|
||||||
- key = Fixtures.pkey("rsa1024")
|
|
||||||
- digest1 = OpenSSL::Digest.new('SHA1')
|
|
||||||
- digest2 = OpenSSL::Digest.new('SHA1')
|
|
||||||
- data = 'Sign me!'
|
|
||||||
- sig = key.sign(digest1, data)
|
|
||||||
- digest1.reset
|
|
||||||
- digest1 << 'Change state of digest1'
|
|
||||||
- assert(key.verify(digest1, sig, data))
|
|
||||||
- assert(key.verify(digest2, sig, data))
|
|
||||||
+ data = "Sign me!"
|
|
||||||
+ pssopts = {
|
|
||||||
+ "rsa_padding_mode" => "pss",
|
|
||||||
+ "rsa_pss_saltlen" => 20,
|
|
||||||
+ "rsa_mgf1_md" => "SHA1"
|
|
||||||
+ }
|
|
||||||
+ sig_pss = key.sign("SHA256", data, pssopts)
|
|
||||||
+ assert_equal 128, sig_pss.bytesize
|
|
||||||
+ assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
|
|
||||||
+ assert_equal true, key.verify_pss("SHA256", sig_pss, data,
|
|
||||||
+ salt_length: 20, mgf1_hash: "SHA1")
|
|
||||||
+ # Defaults to PKCS #1 v1.5 padding => verification failure
|
|
||||||
+ assert_equal false, key.verify("SHA256", sig_pss, data)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_verify_empty_rsa
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,719 +0,0 @@
|
|||||||
From 46ca47060ca8ef3419ec36c2326a81b442d9b43b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sun, 12 Dec 2021 01:25:20 +0900
|
|
||||||
Subject: [PATCH 1/5] pkey/dh: avoid using DH#set_key in DH#compute_key
|
|
||||||
|
|
||||||
DH#set_key will not work on OpenSSL 3.0 because keys are immutable.
|
|
||||||
For now, let's reimplement DH#compute_key by manually constructing a
|
|
||||||
DER-encoded SubjectPublicKeyInfo structure and feeding it to
|
|
||||||
OpenSSL::PKey.read.
|
|
||||||
|
|
||||||
Eventually, we should implement a new method around EVP_PKEY_fromdata()
|
|
||||||
and use it instead.
|
|
||||||
---
|
|
||||||
ext/openssl/lib/openssl/pkey.rb | 16 +++++++++++++---
|
|
||||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
index f6bf5892..5864faa9 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
@@ -47,9 +47,19 @@ def public_key
|
|
||||||
# * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by
|
|
||||||
# DH#public_key as that contains the DH parameters only.
|
|
||||||
def compute_key(pub_bn)
|
|
||||||
- peer = dup
|
|
||||||
- peer.set_key(pub_bn, nil)
|
|
||||||
- derive(peer)
|
|
||||||
+ # FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
|
|
||||||
+ # inefficient
|
|
||||||
+ obj = OpenSSL::ASN1.Sequence([
|
|
||||||
+ OpenSSL::ASN1.Sequence([
|
|
||||||
+ OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
|
|
||||||
+ OpenSSL::ASN1.Sequence([
|
|
||||||
+ OpenSSL::ASN1.Integer(p),
|
|
||||||
+ OpenSSL::ASN1.Integer(g),
|
|
||||||
+ ]),
|
|
||||||
+ ]),
|
|
||||||
+ OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
|
|
||||||
+ ])
|
|
||||||
+ derive(OpenSSL::PKey.read(obj.to_der))
|
|
||||||
end
|
|
||||||
|
|
||||||
# :call-seq:
|
|
||||||
|
|
||||||
From fc9aabc18df3c189cc6a76a1470ca908c4f16480 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 17 Dec 2021 02:22:25 +0900
|
|
||||||
Subject: [PATCH 2/5] pkey/ec: avoid using EC#public_key= in EC#dh_compute_key
|
|
||||||
|
|
||||||
Similarly to DH#compute_key, work around it by constructing a
|
|
||||||
SubjectPublicKeyInfo. This should be considered as a temporary
|
|
||||||
implementation.
|
|
||||||
---
|
|
||||||
ext/openssl/lib/openssl/pkey.rb | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
index 5864faa9..ba04cf4b 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
@@ -259,9 +259,14 @@ def dsa_verify_asn1(data, sig)
|
|
||||||
# This method is provided for backwards compatibility, and calls #derive
|
|
||||||
# internally.
|
|
||||||
def dh_compute_key(pubkey)
|
|
||||||
- peer = OpenSSL::PKey::EC.new(group)
|
|
||||||
- peer.public_key = pubkey
|
|
||||||
- derive(peer)
|
|
||||||
+ obj = OpenSSL::ASN1.Sequence([
|
|
||||||
+ OpenSSL::ASN1.Sequence([
|
|
||||||
+ OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
|
|
||||||
+ group.to_der,
|
|
||||||
+ ]),
|
|
||||||
+ OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
|
|
||||||
+ ])
|
|
||||||
+ derive(OpenSSL::PKey.read(obj.to_der))
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
From 8ee6a582c7e4614eec4f5ca5ab59898fbcb50d2a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 22 Oct 2021 16:24:07 +0900
|
|
||||||
Subject: [PATCH 3/5] pkey/dh: deprecate OpenSSL::PKey::DH#generate_key!
|
|
||||||
|
|
||||||
OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because
|
|
||||||
keys are made immutable. Users should use OpenSSL::PKey.generate_key
|
|
||||||
instead.
|
|
||||||
---
|
|
||||||
ext/openssl/lib/openssl/pkey.rb | 23 +++++++++++++++++++----
|
|
||||||
ext/openssl/ossl_pkey_dh.c | 9 +++++----
|
|
||||||
test/openssl/test_pkey_dh.rb | 18 ++++++++++--------
|
|
||||||
3 files changed, 34 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
index ba04cf4b..c3e06290 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
@@ -71,14 +71,29 @@ def compute_key(pub_bn)
|
|
||||||
# called first in order to generate the per-session keys before performing
|
|
||||||
# the actual key exchange.
|
|
||||||
#
|
|
||||||
+ # <b>Deprecated in version 3.0</b>. This method is incompatible with
|
|
||||||
+ # OpenSSL 3.0.0 or later.
|
|
||||||
+ #
|
|
||||||
# See also OpenSSL::PKey.generate_key.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
- # dh = OpenSSL::PKey::DH.new(2048)
|
|
||||||
- # public_key = dh.public_key #contains no private/public key yet
|
|
||||||
- # public_key.generate_key!
|
|
||||||
- # puts public_key.private? # => true
|
|
||||||
+ # # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
|
|
||||||
+ # dh0 = OpenSSL::PKey::DH.new(2048)
|
|
||||||
+ # dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
|
|
||||||
+ # dh.generate_key!
|
|
||||||
+ # puts dh.private? # => true
|
|
||||||
+ # puts dh0.pub_key == dh.pub_key #=> false
|
|
||||||
+ #
|
|
||||||
+ # # With OpenSSL::PKey.generate_key
|
|
||||||
+ # dh0 = OpenSSL::PKey::DH.new(2048)
|
|
||||||
+ # dh = OpenSSL::PKey.generate_key(dh0)
|
|
||||||
+ # puts dh0.pub_key == dh.pub_key #=> false
|
|
||||||
def generate_key!
|
|
||||||
+ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
||||||
+ raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
|
|
||||||
+ "use OpenSSL::PKey.generate_key instead"
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
unless priv_key
|
|
||||||
tmp = OpenSSL::PKey.generate_key(self)
|
|
||||||
set_key(tmp.pub_key, tmp.priv_key)
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
index 04c11b2157..e70d60ed19 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dh.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
@@ -58,15 +58,16 @@ VALUE eDHError;
|
|
||||||
*
|
|
||||||
* Examples:
|
|
||||||
* # Creating an instance from scratch
|
|
||||||
- * dh = DH.new
|
|
||||||
+ * # Note that this is deprecated and will not work on OpenSSL 3.0 or later.
|
|
||||||
+ * dh = OpenSSL::PKey::DH.new
|
|
||||||
* dh.set_pqg(bn_p, nil, bn_g)
|
|
||||||
*
|
|
||||||
* # Generating a parameters and a key pair
|
|
||||||
- * dh = DH.new(2048) # An alias of DH.generate(2048)
|
|
||||||
+ * dh = OpenSSL::PKey::DH.new(2048) # An alias of OpenSSL::PKey::DH.generate(2048)
|
|
||||||
*
|
|
||||||
* # Reading DH parameters
|
|
||||||
- * dh = DH.new(File.read('parameters.pem')) # -> dh, but no public/private key yet
|
|
||||||
- * dh.generate_key! # -> dh with public and private key
|
|
||||||
+ * dh_params = OpenSSL::PKey::DH.new(File.read('parameters.pem')) # loads parameters only
|
|
||||||
+ * dh = OpenSSL::PKey.generate_key(dh_params) # generates a key pair
|
|
||||||
*/
|
|
||||||
static VALUE
|
|
||||||
ossl_dh_initialize(int argc, VALUE *argv, VALUE self)
|
|
||||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
|
||||||
index 757704ca..ac11af38 100644
|
|
||||||
--- a/test/openssl/test_pkey_dh.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dh.rb
|
|
||||||
@@ -26,14 +26,19 @@ def test_new_break
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_derive_key
|
|
||||||
- dh1 = Fixtures.pkey("dh1024").generate_key!
|
|
||||||
- dh2 = Fixtures.pkey("dh1024").generate_key!
|
|
||||||
+ params = Fixtures.pkey("dh1024")
|
|
||||||
+ dh1 = OpenSSL::PKey.generate_key(params)
|
|
||||||
+ dh2 = OpenSSL::PKey.generate_key(params)
|
|
||||||
dh1_pub = OpenSSL::PKey.read(dh1.public_to_der)
|
|
||||||
dh2_pub = OpenSSL::PKey.read(dh2.public_to_der)
|
|
||||||
+
|
|
||||||
z = dh1.g.mod_exp(dh1.priv_key, dh1.p).mod_exp(dh2.priv_key, dh1.p).to_s(2)
|
|
||||||
assert_equal z, dh1.derive(dh2_pub)
|
|
||||||
assert_equal z, dh2.derive(dh1_pub)
|
|
||||||
|
|
||||||
+ assert_raise(OpenSSL::PKey::PKeyError) { params.derive(dh1_pub) }
|
|
||||||
+ assert_raise(OpenSSL::PKey::PKeyError) { dh1_pub.derive(params) }
|
|
||||||
+
|
|
||||||
assert_equal z, dh1.compute_key(dh2.pub_key)
|
|
||||||
assert_equal z, dh2.compute_key(dh1.pub_key)
|
|
||||||
end
|
|
||||||
@@ -74,19 +79,16 @@ def test_public_key
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_generate_key
|
|
||||||
- dh = Fixtures.pkey("dh1024").public_key # creates a copy
|
|
||||||
+ # Deprecated in v3.0.0; incompatible with OpenSSL 3.0
|
|
||||||
+ dh = Fixtures.pkey("dh1024").public_key # creates a copy with params only
|
|
||||||
assert_no_key(dh)
|
|
||||||
dh.generate_key!
|
|
||||||
assert_key(dh)
|
|
||||||
- end
|
|
||||||
|
|
||||||
- def test_key_exchange
|
|
||||||
- dh = Fixtures.pkey("dh1024")
|
|
||||||
dh2 = dh.public_key
|
|
||||||
- dh.generate_key!
|
|
||||||
dh2.generate_key!
|
|
||||||
assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))
|
|
||||||
- end
|
|
||||||
+ end if !openssl?(3, 0, 0)
|
|
||||||
|
|
||||||
def test_params_ok?
|
|
||||||
dh0 = Fixtures.pkey("dh1024")
|
|
||||||
|
|
||||||
From 5e2e66cce870ea86001dbb0eaa3092badfd37994 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 17 Dec 2021 02:21:42 +0900
|
|
||||||
Subject: [PATCH 4/5] pkey/ec: deprecate OpenSSL::PKey::EC#generate_key!
|
|
||||||
|
|
||||||
OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because
|
|
||||||
keys are made immutable. Users should use OpenSSL::PKey.generate_key
|
|
||||||
instead.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey_ec.c | 4 ++++
|
|
||||||
test/openssl/test_pkey_ec.rb | 21 +++++++++++++--------
|
|
||||||
2 files changed, 17 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
index db80d112..398a550a 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_ec.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
@@ -442,6 +442,9 @@ ossl_ec_key_to_der(VALUE self)
|
|
||||||
*/
|
|
||||||
static VALUE ossl_ec_key_generate_key(VALUE self)
|
|
||||||
{
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
|
|
||||||
+#else
|
|
||||||
EC_KEY *ec;
|
|
||||||
|
|
||||||
GetEC(self, ec);
|
|
||||||
@@ -449,6 +452,7 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
|
|
||||||
ossl_raise(eECError, "EC_KEY_generate_key");
|
|
||||||
|
|
||||||
return self;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
|
|
||||||
index 3f5958af..33f78a4c 100644
|
|
||||||
--- a/test/openssl/test_pkey_ec.rb
|
|
||||||
+++ b/test/openssl/test_pkey_ec.rb
|
|
||||||
@@ -13,15 +13,13 @@ def test_ec_key
|
|
||||||
# FIPS-selftest failure on some environment, so skip for now.
|
|
||||||
next if ["Oakley", "X25519"].any? { |n| curve_name.start_with?(n) }
|
|
||||||
|
|
||||||
- key = OpenSSL::PKey::EC.new(curve_name)
|
|
||||||
- key.generate_key!
|
|
||||||
-
|
|
||||||
+ key = OpenSSL::PKey::EC.generate(curve_name)
|
|
||||||
assert_predicate key, :private?
|
|
||||||
assert_predicate key, :public?
|
|
||||||
assert_nothing_raised { key.check_key }
|
|
||||||
end
|
|
||||||
|
|
||||||
- key1 = OpenSSL::PKey::EC.new("prime256v1").generate_key!
|
|
||||||
+ key1 = OpenSSL::PKey::EC.generate("prime256v1")
|
|
||||||
|
|
||||||
key2 = OpenSSL::PKey::EC.new
|
|
||||||
key2.group = key1.group
|
|
||||||
@@ -52,6 +50,13 @@ def test_generate
|
|
||||||
assert_equal(true, ec.private?)
|
|
||||||
end
|
|
||||||
|
|
||||||
+ def test_generate_key
|
|
||||||
+ ec = OpenSSL::PKey::EC.new("prime256v1")
|
|
||||||
+ assert_equal false, ec.private?
|
|
||||||
+ ec.generate_key!
|
|
||||||
+ assert_equal true, ec.private?
|
|
||||||
+ end if !openssl?(3, 0, 0)
|
|
||||||
+
|
|
||||||
def test_marshal
|
|
||||||
key = Fixtures.pkey("p256")
|
|
||||||
deserialized = Marshal.load(Marshal.dump(key))
|
|
||||||
@@ -136,7 +141,7 @@ def test_sign_verify_raw
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dsa_sign_asn1_FIPS186_3
|
|
||||||
- key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
|
|
||||||
+ key = OpenSSL::PKey::EC.generate("prime256v1")
|
|
||||||
size = key.group.order.num_bits / 8 + 1
|
|
||||||
dgst = (1..size).to_a.pack('C*')
|
|
||||||
sig = key.dsa_sign_asn1(dgst)
|
|
||||||
@@ -145,8 +150,8 @@ def test_dsa_sign_asn1_FIPS186_3
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dh_compute_key
|
|
||||||
- key_a = OpenSSL::PKey::EC.new("prime256v1").generate_key!
|
|
||||||
- key_b = OpenSSL::PKey::EC.new(key_a.group).generate_key!
|
|
||||||
+ key_a = OpenSSL::PKey::EC.generate("prime256v1")
|
|
||||||
+ key_b = OpenSSL::PKey::EC.generate(key_a.group)
|
|
||||||
|
|
||||||
pub_a = key_a.public_key
|
|
||||||
pub_b = key_b.public_key
|
|
||||||
@@ -276,7 +281,7 @@ def test_ec_group
|
|
||||||
|
|
||||||
def test_ec_point
|
|
||||||
group = OpenSSL::PKey::EC::Group.new("prime256v1")
|
|
||||||
- key = OpenSSL::PKey::EC.new(group).generate_key!
|
|
||||||
+ key = OpenSSL::PKey::EC.generate(group)
|
|
||||||
point = key.public_key
|
|
||||||
|
|
||||||
point2 = OpenSSL::PKey::EC::Point.new(group, point.to_bn)
|
|
||||||
|
|
||||||
From 6848d2d969d90e6a400d89848ecec21076b87888 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Tue, 21 Sep 2021 18:29:59 +0900
|
|
||||||
Subject: [PATCH 5/5] pkey: deprecate PKey#set_* methods
|
|
||||||
|
|
||||||
OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const
|
|
||||||
pointer of the low level struct and the following methods can no longer
|
|
||||||
be provided when linked against OpenSSL 3.0:
|
|
||||||
|
|
||||||
- OpenSSL::PKey::RSA#set_key
|
|
||||||
- OpenSSL::PKey::RSA#set_factors
|
|
||||||
- OpenSSL::PKey::RSA#set_crt_params
|
|
||||||
- OpenSSL::PKey::DSA#set_pqg
|
|
||||||
- OpenSSL::PKey::DSA#set_key
|
|
||||||
- OpenSSL::PKey::DH#set_pqg
|
|
||||||
- OpenSSL::PKey::DH#set_key
|
|
||||||
- OpenSSL::PKey::EC#group=
|
|
||||||
- OpenSSL::PKey::EC#private_key=
|
|
||||||
- OpenSSL::PKey::EC#public_key=
|
|
||||||
|
|
||||||
There is no direct replacement for this functionality at the moment.
|
|
||||||
I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes
|
|
||||||
all key components at once to construct an EVP_PKEY.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.h | 16 +++++++
|
|
||||||
ext/openssl/ossl_pkey_ec.c | 12 +++++
|
|
||||||
test/openssl/test_pkey_dh.rb | 38 +++++++++++-----
|
|
||||||
test/openssl/test_pkey_dsa.rb | 8 +++-
|
|
||||||
test/openssl/test_pkey_ec.rb | 58 ++++++++++++++----------
|
|
||||||
test/openssl/test_pkey_rsa.rb | 85 ++++++++++++++++++++++-------------
|
|
||||||
6 files changed, 149 insertions(+), 68 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
|
|
||||||
index 4beede22..4536e58e 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.h
|
|
||||||
+++ b/ext/openssl/ossl_pkey.h
|
|
||||||
@@ -116,6 +116,7 @@ static VALUE ossl_##_keytype##_get_##_name(VALUE self) \
|
|
||||||
OSSL_PKEY_BN_DEF_GETTER0(_keytype, _type, a2, \
|
|
||||||
_type##_get0_##_group(obj, NULL, &bn))
|
|
||||||
|
|
||||||
+#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
#define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3) \
|
|
||||||
/* \
|
|
||||||
* call-seq: \
|
|
||||||
@@ -173,6 +174,21 @@ static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
|
|
||||||
} \
|
|
||||||
return self; \
|
|
||||||
}
|
|
||||||
+#else
|
|
||||||
+#define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3) \
|
|
||||||
+static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2, VALUE v3) \
|
|
||||||
+{ \
|
|
||||||
+ rb_raise(ePKeyError, \
|
|
||||||
+ #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define OSSL_PKEY_BN_DEF_SETTER2(_keytype, _type, _group, a1, a2) \
|
|
||||||
+static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
|
|
||||||
+{ \
|
|
||||||
+ rb_raise(ePKeyError, \
|
|
||||||
+ #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#define OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, _name) \
|
|
||||||
/* \
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
index 398a550a..7a6ed1c9 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_ec.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
@@ -251,6 +251,9 @@ ossl_ec_key_get_group(VALUE self)
|
|
||||||
static VALUE
|
|
||||||
ossl_ec_key_set_group(VALUE self, VALUE group_v)
|
|
||||||
{
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
|
|
||||||
+#else
|
|
||||||
EC_KEY *ec;
|
|
||||||
EC_GROUP *group;
|
|
||||||
|
|
||||||
@@ -261,6 +264,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
|
|
||||||
ossl_raise(eECError, "EC_KEY_set_group");
|
|
||||||
|
|
||||||
return group_v;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -289,6 +293,9 @@ static VALUE ossl_ec_key_get_private_key(VALUE self)
|
|
||||||
*/
|
|
||||||
static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
|
|
||||||
{
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
|
|
||||||
+#else
|
|
||||||
EC_KEY *ec;
|
|
||||||
BIGNUM *bn = NULL;
|
|
||||||
|
|
||||||
@@ -307,6 +314,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
|
|
||||||
}
|
|
||||||
|
|
||||||
return private_key;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -335,6 +343,9 @@ static VALUE ossl_ec_key_get_public_key(VALUE self)
|
|
||||||
*/
|
|
||||||
static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
|
|
||||||
{
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
|
|
||||||
+#else
|
|
||||||
EC_KEY *ec;
|
|
||||||
EC_POINT *point = NULL;
|
|
||||||
|
|
||||||
@@ -353,6 +364,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
|
|
||||||
}
|
|
||||||
|
|
||||||
return public_key;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
|
||||||
index ac11af38..161af189 100644
|
|
||||||
--- a/test/openssl/test_pkey_dh.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dh.rb
|
|
||||||
@@ -107,13 +107,32 @@ def test_params_ok?
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dup
|
|
||||||
- dh = Fixtures.pkey("dh1024")
|
|
||||||
- dh2 = dh.dup
|
|
||||||
- assert_equal dh.to_der, dh2.to_der # params
|
|
||||||
- assert_equal_params dh, dh2 # keys
|
|
||||||
- dh2.set_pqg(dh2.p + 1, nil, dh2.g)
|
|
||||||
- assert_not_equal dh2.p, dh.p
|
|
||||||
- assert_equal dh2.g, dh.g
|
|
||||||
+ # Parameters only
|
|
||||||
+ dh1 = Fixtures.pkey("dh1024")
|
|
||||||
+ dh2 = dh1.dup
|
|
||||||
+ assert_equal dh1.to_der, dh2.to_der
|
|
||||||
+ assert_not_equal nil, dh1.p
|
|
||||||
+ assert_not_equal nil, dh1.g
|
|
||||||
+ assert_equal [dh1.p, dh1.g], [dh2.p, dh2.g]
|
|
||||||
+ assert_equal nil, dh1.pub_key
|
|
||||||
+ assert_equal nil, dh1.priv_key
|
|
||||||
+ assert_equal [dh1.pub_key, dh1.priv_key], [dh2.pub_key, dh2.priv_key]
|
|
||||||
+
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ dh2.set_pqg(dh2.p + 1, nil, dh2.g)
|
|
||||||
+ assert_not_equal dh2.p, dh1.p
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ # With a key pair
|
|
||||||
+ dh3 = OpenSSL::PKey.generate_key(Fixtures.pkey("dh1024"))
|
|
||||||
+ dh4 = dh3.dup
|
|
||||||
+ assert_equal dh3.to_der, dh4.to_der
|
|
||||||
+ assert_equal dh1.to_der, dh4.to_der # encodes parameters only
|
|
||||||
+ assert_equal [dh1.p, dh1.g], [dh4.p, dh4.g]
|
|
||||||
+ assert_not_equal nil, dh3.pub_key
|
|
||||||
+ assert_not_equal nil, dh3.priv_key
|
|
||||||
+ assert_equal [dh3.pub_key, dh3.priv_key], [dh4.pub_key, dh4.priv_key]
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_marshal
|
|
||||||
@@ -125,11 +144,6 @@ def test_marshal
|
|
||||||
|
|
||||||
private
|
|
||||||
|
|
||||||
- def assert_equal_params(dh1, dh2)
|
|
||||||
- assert_equal(dh1.g, dh2.g)
|
|
||||||
- assert_equal(dh1.p, dh2.p)
|
|
||||||
- end
|
|
||||||
-
|
|
||||||
def assert_no_key(dh)
|
|
||||||
assert_equal(false, dh.public?)
|
|
||||||
assert_equal(false, dh.private?)
|
|
||||||
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
|
|
||||||
index 0994607f..726b7dbf 100644
|
|
||||||
--- a/test/openssl/test_pkey_dsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dsa.rb
|
|
||||||
@@ -208,8 +208,12 @@ def test_dup
|
|
||||||
key = Fixtures.pkey("dsa1024")
|
|
||||||
key2 = key.dup
|
|
||||||
assert_equal key.params, key2.params
|
|
||||||
- key2.set_pqg(key2.p + 1, key2.q, key2.g)
|
|
||||||
- assert_not_equal key.params, key2.params
|
|
||||||
+
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key2.set_pqg(key2.p + 1, key2.q, key2.g)
|
|
||||||
+ assert_not_equal key.params, key2.params
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_marshal
|
|
||||||
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
|
|
||||||
index 33f78a4c..ffe5a94e 100644
|
|
||||||
--- a/test/openssl/test_pkey_ec.rb
|
|
||||||
+++ b/test/openssl/test_pkey_ec.rb
|
|
||||||
@@ -21,11 +21,15 @@ def test_ec_key
|
|
||||||
|
|
||||||
key1 = OpenSSL::PKey::EC.generate("prime256v1")
|
|
||||||
|
|
||||||
- key2 = OpenSSL::PKey::EC.new
|
|
||||||
- key2.group = key1.group
|
|
||||||
- key2.private_key = key1.private_key
|
|
||||||
- key2.public_key = key1.public_key
|
|
||||||
- assert_equal key1.to_der, key2.to_der
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0; constructing an empty EC object is
|
|
||||||
+ # deprecated
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key2 = OpenSSL::PKey::EC.new
|
|
||||||
+ key2.group = key1.group
|
|
||||||
+ key2.private_key = key1.private_key
|
|
||||||
+ key2.public_key = key1.public_key
|
|
||||||
+ assert_equal key1.to_der, key2.to_der
|
|
||||||
+ end
|
|
||||||
|
|
||||||
key3 = OpenSSL::PKey::EC.new(key1)
|
|
||||||
assert_equal key1.to_der, key3.to_der
|
|
||||||
@@ -35,10 +39,14 @@ def test_ec_key
|
|
||||||
|
|
||||||
key5 = key1.dup
|
|
||||||
assert_equal key1.to_der, key5.to_der
|
|
||||||
- key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key!
|
|
||||||
- key5.private_key = key_tmp.private_key
|
|
||||||
- key5.public_key = key_tmp.public_key
|
|
||||||
- assert_not_equal key1.to_der, key5.to_der
|
|
||||||
+
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0; EC object should not be modified
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key_tmp = OpenSSL::PKey::EC.generate("prime256v1")
|
|
||||||
+ key5.private_key = key_tmp.private_key
|
|
||||||
+ key5.public_key = key_tmp.public_key
|
|
||||||
+ assert_not_equal key1.to_der, key5.to_der
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_generate
|
|
||||||
@@ -65,22 +73,26 @@ def test_marshal
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_check_key
|
|
||||||
- key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
|
|
||||||
- assert_equal(true, key.check_key)
|
|
||||||
- assert_equal(true, key.private?)
|
|
||||||
- assert_equal(true, key.public?)
|
|
||||||
- key2 = OpenSSL::PKey::EC.new(key.group)
|
|
||||||
- assert_equal(false, key2.private?)
|
|
||||||
- assert_equal(false, key2.public?)
|
|
||||||
- key2.public_key = key.public_key
|
|
||||||
- assert_equal(false, key2.private?)
|
|
||||||
- assert_equal(true, key2.public?)
|
|
||||||
- key2.private_key = key.private_key
|
|
||||||
+ key0 = Fixtures.pkey("p256")
|
|
||||||
+ assert_equal(true, key0.check_key)
|
|
||||||
+ assert_equal(true, key0.private?)
|
|
||||||
+ assert_equal(true, key0.public?)
|
|
||||||
+
|
|
||||||
+ key1 = OpenSSL::PKey.read(key0.public_to_der)
|
|
||||||
+ assert_equal(true, key1.check_key)
|
|
||||||
+ assert_equal(false, key1.private?)
|
|
||||||
+ assert_equal(true, key1.public?)
|
|
||||||
+
|
|
||||||
+ key2 = OpenSSL::PKey.read(key0.private_to_der)
|
|
||||||
assert_equal(true, key2.private?)
|
|
||||||
assert_equal(true, key2.public?)
|
|
||||||
assert_equal(true, key2.check_key)
|
|
||||||
- key2.private_key += 1
|
|
||||||
- assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
|
|
||||||
+
|
|
||||||
+ # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key2.private_key += 1
|
|
||||||
+ assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_sign_verify
|
|
||||||
@@ -112,7 +124,7 @@ def test_derive_key
|
|
||||||
assert_equal [zIUT].pack("H*"), a.derive(b)
|
|
||||||
|
|
||||||
assert_equal a.derive(b), a.dh_compute_key(b.public_key)
|
|
||||||
- end
|
|
||||||
+ end if !openssl?(3, 0, 0) # TODO: Test it without using #private_key=
|
|
||||||
|
|
||||||
def test_sign_verify_raw
|
|
||||||
key = Fixtures.pkey("p256")
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index dbe87ba4..1c7f9ccf 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -31,15 +31,18 @@ def test_private
|
|
||||||
assert(!key4.private?)
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
|
|
||||||
- # Generated by RSA#set_key
|
|
||||||
- key5 = OpenSSL::PKey::RSA.new
|
|
||||||
- key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
- assert(key5.private?)
|
|
||||||
-
|
|
||||||
- # Generated by RSA#set_key, without d
|
|
||||||
- key6 = OpenSSL::PKey::RSA.new
|
|
||||||
- key6.set_key(rsa1024.n, rsa1024.e, nil)
|
|
||||||
- assert(!key6.private?)
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key = OpenSSL::PKey::RSA.new
|
|
||||||
+ # Generated by RSA#set_key
|
|
||||||
+ key5 = OpenSSL::PKey::RSA.new
|
|
||||||
+ key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
+ assert(key5.private?)
|
|
||||||
+
|
|
||||||
+ # Generated by RSA#set_key, without d
|
|
||||||
+ key6 = OpenSSL::PKey::RSA.new
|
|
||||||
+ key6.set_key(rsa1024.n, rsa1024.e, nil)
|
|
||||||
+ assert(!key6.private?)
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_new
|
|
||||||
@@ -235,36 +238,52 @@ def test_encrypt_decrypt_legacy
|
|
||||||
|
|
||||||
def test_export
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
- key = OpenSSL::PKey::RSA.new
|
|
||||||
|
|
||||||
- # key has only n, e and d
|
|
||||||
- key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
- assert_equal rsa1024.public_key.export, key.export
|
|
||||||
+ pub = OpenSSL::PKey.read(rsa1024.public_to_der)
|
|
||||||
+ assert_not_equal rsa1024.export, pub.export
|
|
||||||
+ assert_equal rsa1024.public_to_pem, pub.export
|
|
||||||
+
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key = OpenSSL::PKey::RSA.new
|
|
||||||
|
|
||||||
- # key has only n, e, d, p and q
|
|
||||||
- key.set_factors(rsa1024.p, rsa1024.q)
|
|
||||||
- assert_equal rsa1024.public_key.export, key.export
|
|
||||||
+ # key has only n, e and d
|
|
||||||
+ key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
+ assert_equal rsa1024.public_key.export, key.export
|
|
||||||
|
|
||||||
- # key has n, e, d, p, q, dmp1, dmq1 and iqmp
|
|
||||||
- key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
|
|
||||||
- assert_equal rsa1024.export, key.export
|
|
||||||
+ # key has only n, e, d, p and q
|
|
||||||
+ key.set_factors(rsa1024.p, rsa1024.q)
|
|
||||||
+ assert_equal rsa1024.public_key.export, key.export
|
|
||||||
+
|
|
||||||
+ # key has n, e, d, p, q, dmp1, dmq1 and iqmp
|
|
||||||
+ key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
|
|
||||||
+ assert_equal rsa1024.export, key.export
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_to_der
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
- key = OpenSSL::PKey::RSA.new
|
|
||||||
|
|
||||||
- # key has only n, e and d
|
|
||||||
- key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
- assert_equal rsa1024.public_key.to_der, key.to_der
|
|
||||||
+ pub = OpenSSL::PKey.read(rsa1024.public_to_der)
|
|
||||||
+ assert_not_equal rsa1024.to_der, pub.to_der
|
|
||||||
+ assert_equal rsa1024.public_to_der, pub.to_der
|
|
||||||
|
|
||||||
- # key has only n, e, d, p and q
|
|
||||||
- key.set_factors(rsa1024.p, rsa1024.q)
|
|
||||||
- assert_equal rsa1024.public_key.to_der, key.to_der
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key = OpenSSL::PKey::RSA.new
|
|
||||||
|
|
||||||
- # key has n, e, d, p, q, dmp1, dmq1 and iqmp
|
|
||||||
- key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
|
|
||||||
- assert_equal rsa1024.to_der, key.to_der
|
|
||||||
+ # key has only n, e and d
|
|
||||||
+ key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
|
|
||||||
+ assert_equal rsa1024.public_key.to_der, key.to_der
|
|
||||||
+
|
|
||||||
+ # key has only n, e, d, p and q
|
|
||||||
+ key.set_factors(rsa1024.p, rsa1024.q)
|
|
||||||
+ assert_equal rsa1024.public_key.to_der, key.to_der
|
|
||||||
+
|
|
||||||
+ # key has n, e, d, p, q, dmp1, dmq1 and iqmp
|
|
||||||
+ key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
|
|
||||||
+ assert_equal rsa1024.to_der, key.to_der
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_RSAPrivateKey
|
|
||||||
@@ -501,8 +520,12 @@ def test_dup
|
|
||||||
key = Fixtures.pkey("rsa1024")
|
|
||||||
key2 = key.dup
|
|
||||||
assert_equal key.params, key2.params
|
|
||||||
- key2.set_key(key2.n, 3, key2.d)
|
|
||||||
- assert_not_equal key.params, key2.params
|
|
||||||
+
|
|
||||||
+ # PKey is immutable in OpenSSL >= 3.0
|
|
||||||
+ if !openssl?(3, 0, 0)
|
|
||||||
+ key2.set_key(key2.n, 3, key2.d)
|
|
||||||
+ assert_not_equal key.params, key2.params
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_marshal
|
|
@ -1,27 +0,0 @@
|
|||||||
From 47975ece4096cdab16b3f200f93ea2377dfb41ac Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 31 May 2021 14:17:21 +0900
|
|
||||||
Subject: [PATCH] test/openssl/test_pkey_rsa: disable test_no_private_exp on
|
|
||||||
OpenSSL 3.0
|
|
||||||
|
|
||||||
OpenSSL::PKey::RSA#set_key does not exist when built with OpenSSL 3.0,
|
|
||||||
so it is not possible to create an RSA object with incomplete state.
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/ca03c9c070
|
|
||||||
---
|
|
||||||
test/openssl/test_pkey_rsa.rb | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index 4548bdb2cfa6..dbe87ba4c1b0 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -11,7 +11,7 @@ def test_no_private_exp
|
|
||||||
key.set_factors(rsa.p, rsa.q)
|
|
||||||
assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt("foo") }
|
|
||||||
assert_raise(OpenSSL::PKey::RSAError){ key.private_decrypt("foo") }
|
|
||||||
- end
|
|
||||||
+ end if !openssl?(3, 0, 0) # Impossible state in OpenSSL 3.0
|
|
||||||
|
|
||||||
def test_private
|
|
||||||
# Generated by key size and public exponent
|
|
@ -1,186 +0,0 @@
|
|||||||
From 104b009e26c050584e4d186c8cc4e1496a14061b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
||||||
Date: Thu, 5 Aug 2021 20:09:25 +0900
|
|
||||||
Subject: [PATCH] Get rid of type-punning pointer casts [Bug #18062]
|
|
||||||
|
|
||||||
---
|
|
||||||
vm_eval.c | 4 +++-
|
|
||||||
vm_insnhelper.c | 7 +++++--
|
|
||||||
vm_method.c | 41 ++++++++++++++++++++++++++---------------
|
|
||||||
3 files changed, 34 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/vm_eval.c b/vm_eval.c
|
|
||||||
index 6d4b5c3c0b28..7ce9f157e671 100644
|
|
||||||
--- a/vm_eval.c
|
|
||||||
+++ b/vm_eval.c
|
|
||||||
@@ -350,9 +350,11 @@ cc_new(VALUE klass, ID mid, int argc, const rb_callable_method_entry_t *cme)
|
|
||||||
{
|
|
||||||
struct rb_class_cc_entries *ccs;
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
+ VALUE ccs_data;
|
|
||||||
|
|
||||||
- if (rb_id_table_lookup(cc_tbl, mid, (VALUE*)&ccs)) {
|
|
||||||
+ if (rb_id_table_lookup(cc_tbl, mid, &ccs_data)) {
|
|
||||||
// ok
|
|
||||||
+ ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
ccs = vm_ccs_create(klass, cme);
|
|
||||||
diff --git a/vm_insnhelper.c b/vm_insnhelper.c
|
|
||||||
index 14928b2afe8e..e186376b24d7 100644
|
|
||||||
--- a/vm_insnhelper.c
|
|
||||||
+++ b/vm_insnhelper.c
|
|
||||||
@@ -1637,9 +1637,11 @@ vm_search_cc(const VALUE klass, const struct rb_callinfo * const ci)
|
|
||||||
const ID mid = vm_ci_mid(ci);
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
struct rb_class_cc_entries *ccs = NULL;
|
|
||||||
+ VALUE ccs_data;
|
|
||||||
|
|
||||||
if (cc_tbl) {
|
|
||||||
- if (rb_id_table_lookup(cc_tbl, mid, (VALUE *)&ccs)) {
|
|
||||||
+ if (rb_id_table_lookup(cc_tbl, mid, &ccs_data)) {
|
|
||||||
+ ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
const int ccs_len = ccs->len;
|
|
||||||
VM_ASSERT(vm_ccs_verify(ccs, mid, klass));
|
|
||||||
|
|
||||||
@@ -1706,8 +1708,9 @@ vm_search_cc(const VALUE klass, const struct rb_callinfo * const ci)
|
|
||||||
if (ccs == NULL) {
|
|
||||||
VM_ASSERT(cc_tbl != NULL);
|
|
||||||
|
|
||||||
- if (LIKELY(rb_id_table_lookup(cc_tbl, mid, (VALUE*)&ccs))) {
|
|
||||||
+ if (LIKELY(rb_id_table_lookup(cc_tbl, mid, &ccs_data))) {
|
|
||||||
// rb_callable_method_entry() prepares ccs.
|
|
||||||
+ ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
// TODO: required?
|
|
||||||
diff --git a/vm_method.c b/vm_method.c
|
|
||||||
index 016dba1dbb18..1fd0bd57f7ca 100644
|
|
||||||
--- a/vm_method.c
|
|
||||||
+++ b/vm_method.c
|
|
||||||
@@ -42,11 +42,11 @@ vm_ccs_dump(VALUE klass, ID target_mid)
|
|
||||||
{
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
if (cc_tbl) {
|
|
||||||
- const struct rb_class_cc_entries *ccs;
|
|
||||||
+ VALUE ccs;
|
|
||||||
if (target_mid) {
|
|
||||||
- if (rb_id_table_lookup(cc_tbl, target_mid, (VALUE *)&ccs)) {
|
|
||||||
+ if (rb_id_table_lookup(cc_tbl, target_mid, &ccs)) {
|
|
||||||
fprintf(stderr, " [CCTB] %p\n", (void *)cc_tbl);
|
|
||||||
- vm_ccs_dump_i(target_mid, (VALUE)ccs, NULL);
|
|
||||||
+ vm_ccs_dump_i(target_mid, ccs, NULL);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
@@ -72,11 +72,11 @@ vm_mtbl_dump(VALUE klass, ID target_mid)
|
|
||||||
fprintf(stderr, "# vm_mtbl\n");
|
|
||||||
while (klass) {
|
|
||||||
rp_m(" -> ", klass);
|
|
||||||
- rb_method_entry_t *me;
|
|
||||||
+ VALUE me;
|
|
||||||
|
|
||||||
if (RCLASS_M_TBL(klass)) {
|
|
||||||
if (target_mid != 0) {
|
|
||||||
- if (rb_id_table_lookup(RCLASS_M_TBL(klass), target_mid, (VALUE *)&me)) {
|
|
||||||
+ if (rb_id_table_lookup(RCLASS_M_TBL(klass), target_mid, &me)) {
|
|
||||||
rp_m(" [MTBL] ", me);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -90,7 +90,7 @@ vm_mtbl_dump(VALUE klass, ID target_mid)
|
|
||||||
}
|
|
||||||
if (RCLASS_CALLABLE_M_TBL(klass)) {
|
|
||||||
if (target_mid != 0) {
|
|
||||||
- if (rb_id_table_lookup(RCLASS_CALLABLE_M_TBL(klass), target_mid, (VALUE *)&me)) {
|
|
||||||
+ if (rb_id_table_lookup(RCLASS_CALLABLE_M_TBL(klass), target_mid, &me)) {
|
|
||||||
rp_m(" [CM**] ", me);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -144,10 +144,11 @@ clear_method_cache_by_id_in_class(VALUE klass, ID mid)
|
|
||||||
// check only current class
|
|
||||||
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
- struct rb_class_cc_entries *ccs;
|
|
||||||
+ VALUE ccs_data;
|
|
||||||
|
|
||||||
// invalidate CCs
|
|
||||||
- if (cc_tbl && rb_id_table_lookup(cc_tbl, mid, (VALUE *)&ccs)) {
|
|
||||||
+ if (cc_tbl && rb_id_table_lookup(cc_tbl, mid, &ccs_data)) {
|
|
||||||
+ struct rb_class_cc_entries *ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
rb_vm_ccs_free(ccs);
|
|
||||||
rb_id_table_delete(cc_tbl, mid);
|
|
||||||
RB_DEBUG_COUNTER_INC(cc_invalidate_leaf_ccs);
|
|
||||||
@@ -205,9 +206,10 @@ clear_method_cache_by_id_in_class(VALUE klass, ID mid)
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
rb_vm_t *vm = GET_VM();
|
|
||||||
- if (rb_id_table_lookup(vm->negative_cme_table, mid, (VALUE *)&cme)) {
|
|
||||||
+ VALUE cme_data = (VALUE) cme;
|
|
||||||
+ if (rb_id_table_lookup(vm->negative_cme_table, mid, &cme_data)) {
|
|
||||||
rb_id_table_delete(vm->negative_cme_table, mid);
|
|
||||||
- vm_me_invalidate_cache((rb_callable_method_entry_t *)cme);
|
|
||||||
+ vm_me_invalidate_cache((rb_callable_method_entry_t *)cme_data);
|
|
||||||
|
|
||||||
RB_DEBUG_COUNTER_INC(cc_invalidate_negative);
|
|
||||||
}
|
|
||||||
@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
|
||||||
{
|
|
||||||
struct rb_id_table *mtbl;
|
|
||||||
const rb_callable_method_entry_t *cme;
|
|
||||||
+ VALUE cme_data;
|
|
||||||
|
|
||||||
if (me) {
|
|
||||||
if (me->defined_class == 0) {
|
|
||||||
@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
|
||||||
|
|
||||||
mtbl = RCLASS_CALLABLE_M_TBL(defined_class);
|
|
||||||
|
|
||||||
- if (mtbl && rb_id_table_lookup(mtbl, id, (VALUE *)&cme)) {
|
|
||||||
+ if (mtbl && rb_id_table_lookup(mtbl, id, &cme_data)) {
|
|
||||||
+ cme = (rb_callable_method_entry_t *)cme_data;
|
|
||||||
RB_DEBUG_COUNTER_INC(mc_cme_complement_hit);
|
|
||||||
VM_ASSERT(callable_method_entry_p(cme));
|
|
||||||
VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme));
|
|
||||||
@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
|
|
||||||
ASSERT_vm_locking();
|
|
||||||
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
- struct rb_class_cc_entries *ccs;
|
|
||||||
+ VALUE ccs_data;
|
|
||||||
|
|
||||||
- if (cc_tbl && rb_id_table_lookup(cc_tbl, mid, (VALUE *)&ccs)) {
|
|
||||||
+ if (cc_tbl && rb_id_table_lookup(cc_tbl, mid, &ccs_data)) {
|
|
||||||
+ struct rb_class_cc_entries *ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
VM_ASSERT(vm_ccs_p(ccs));
|
|
||||||
|
|
||||||
if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) {
|
|
||||||
@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
|
|
||||||
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
|
||||||
struct rb_class_cc_entries *ccs;
|
|
||||||
+ VALUE ccs_data;
|
|
||||||
|
|
||||||
if (!cc_tbl) {
|
|
||||||
cc_tbl = RCLASS_CC_TBL(klass) = rb_id_table_create(2);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rb_id_table_lookup(cc_tbl, mid, (VALUE *)&ccs)) {
|
|
||||||
+ if (rb_id_table_lookup(cc_tbl, mid, &ccs_data)) {
|
|
||||||
+ ccs = (struct rb_class_cc_entries *)ccs_data;
|
|
||||||
VM_ASSERT(ccs->cme == cme);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
@@ -1130,8 +1137,12 @@ negative_cme(ID mid)
|
|
||||||
{
|
|
||||||
rb_vm_t *vm = GET_VM();
|
|
||||||
const rb_callable_method_entry_t *cme;
|
|
||||||
+ VALUE cme_data;
|
|
||||||
|
|
||||||
- if (!rb_id_table_lookup(vm->negative_cme_table, mid, (VALUE *)&cme)) {
|
|
||||||
+ if (rb_id_table_lookup(vm->negative_cme_table, mid, &cme_data)) {
|
|
||||||
+ cme = (rb_callable_method_entry_t *)cme_data;
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
cme = (rb_callable_method_entry_t *)rb_method_entry_alloc(mid, Qnil, Qnil, NULL);
|
|
||||||
rb_id_table_insert(vm->negative_cme_table, mid, (VALUE)cme);
|
|
||||||
}
|
|
@ -1,58 +0,0 @@
|
|||||||
From 72317b333b85eed483ad00bcd4f40944019a7c13 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "xtkoba+ruby@gmail.com" <xtkoba+ruby@gmail.com>
|
|
||||||
Date: Fri, 13 Aug 2021 13:45:53 +0000
|
|
||||||
Subject: [PATCH] Ignore `DW_FORM_ref_addr` [Bug #17052]
|
|
||||||
|
|
||||||
Ignore `DW_FORM_ref_addr` form and other forms that are not supposed
|
|
||||||
to be used currently.
|
|
||||||
---
|
|
||||||
addr2line.c | 23 ++++++++++++++++++++---
|
|
||||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/addr2line.c b/addr2line.c
|
|
||||||
index fed1a8da84e5..92c6da5e3bea 100644
|
|
||||||
--- a/addr2line.c
|
|
||||||
+++ b/addr2line.c
|
|
||||||
@@ -1593,14 +1593,31 @@ di_read_cu(DebugInfoReader *reader)
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
-read_abstract_origin(DebugInfoReader *reader, uint64_t abstract_origin, line_info_t *line)
|
|
||||||
+read_abstract_origin(DebugInfoReader *reader, uint64_t form, uint64_t abstract_origin, line_info_t *line)
|
|
||||||
{
|
|
||||||
char *p = reader->p;
|
|
||||||
char *q = reader->q;
|
|
||||||
int level = reader->level;
|
|
||||||
DIE die;
|
|
||||||
|
|
||||||
- reader->p = reader->current_cu + abstract_origin;
|
|
||||||
+ switch (form) {
|
|
||||||
+ case DW_FORM_ref1:
|
|
||||||
+ case DW_FORM_ref2:
|
|
||||||
+ case DW_FORM_ref4:
|
|
||||||
+ case DW_FORM_ref8:
|
|
||||||
+ case DW_FORM_ref_udata:
|
|
||||||
+ reader->p = reader->current_cu + abstract_origin;
|
|
||||||
+ break;
|
|
||||||
+ case DW_FORM_ref_addr:
|
|
||||||
+ goto finish; /* not supported yet */
|
|
||||||
+ case DW_FORM_ref_sig8:
|
|
||||||
+ goto finish; /* not supported yet */
|
|
||||||
+ case DW_FORM_ref_sup4:
|
|
||||||
+ case DW_FORM_ref_sup8:
|
|
||||||
+ goto finish; /* not supported yet */
|
|
||||||
+ default:
|
|
||||||
+ goto finish;
|
|
||||||
+ }
|
|
||||||
if (!di_read_die(reader, &die)) goto finish;
|
|
||||||
|
|
||||||
/* enumerate abbrev */
|
|
||||||
@@ -1665,7 +1682,7 @@ debug_info_read(DebugInfoReader *reader, int num_traces, void **traces,
|
|
||||||
/* 1 or 3 */
|
|
||||||
break; /* goto skip_die; */
|
|
||||||
case DW_AT_abstract_origin:
|
|
||||||
- read_abstract_origin(reader, v.as.uint64, &line);
|
|
||||||
+ read_abstract_origin(reader, v.form, v.as.uint64, &line);
|
|
||||||
break; /* goto skip_die; */
|
|
||||||
}
|
|
||||||
}
|
|
File diff suppressed because it is too large
Load Diff
@ -1,523 +0,0 @@
|
|||||||
From 8253d7c9cea16c2aa009b59db4f5d93afb74c6eb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Tue, 30 Jun 2020 14:27:13 +0900
|
|
||||||
Subject: [PATCH 1/2] hmac: add a test case for OpenSSL::HMAC singleton methods
|
|
||||||
|
|
||||||
---
|
|
||||||
test/openssl/test_hmac.rb | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb
|
|
||||||
index 9cb3c5a86..7202a5902 100644
|
|
||||||
--- a/test/openssl/test_hmac.rb
|
|
||||||
+++ b/test/openssl/test_hmac.rb
|
|
||||||
@@ -49,6 +49,15 @@ def test_eq
|
|
||||||
refute_equal h1, h2.digest
|
|
||||||
refute_equal h1, h3
|
|
||||||
end
|
|
||||||
+
|
|
||||||
+ def test_singleton_methods
|
|
||||||
+ # RFC 2202 2. Test Cases for HMAC-MD5
|
|
||||||
+ key = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
|
|
||||||
+ digest = OpenSSL::HMAC.digest("MD5", key, "Hi There")
|
|
||||||
+ assert_equal ["9294727a3638bb1c13f48ef8158bfc9d"].pack("H*"), digest
|
|
||||||
+ hexdigest = OpenSSL::HMAC.hexdigest("MD5", key, "Hi There")
|
|
||||||
+ assert_equal "9294727a3638bb1c13f48ef8158bfc9d", hexdigest
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
From 0317e2fc028be40a7d64d0e4337d3e21539613ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 18 May 2020 16:15:07 +0900
|
|
||||||
Subject: [PATCH 2/2] hmac: migrate from the low-level HMAC API to the EVP API
|
|
||||||
|
|
||||||
Use the EVP API instead of the low-level HMAC API. Use of the HMAC API
|
|
||||||
has been discouraged and is being marked as deprecated starting from
|
|
||||||
OpenSSL 3.0.0.
|
|
||||||
|
|
||||||
The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest
|
|
||||||
are now in lib/openssl/hmac.rb.
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 3 +-
|
|
||||||
ext/openssl/lib/openssl/hmac.rb | 40 +++++++
|
|
||||||
ext/openssl/openssl_missing.c | 26 -----
|
|
||||||
ext/openssl/openssl_missing.h | 10 +-
|
|
||||||
ext/openssl/ossl.h | 1 -
|
|
||||||
ext/openssl/ossl_hmac.c | 179 ++++++++------------------------
|
|
||||||
6 files changed, 89 insertions(+), 170 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index 693e55cd9..063498a76 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -148,8 +148,7 @@ def find_openssl_library
|
|
||||||
have_func("BN_GENCB_get_arg")
|
|
||||||
have_func("EVP_MD_CTX_new")
|
|
||||||
have_func("EVP_MD_CTX_free")
|
|
||||||
-have_func("HMAC_CTX_new")
|
|
||||||
-have_func("HMAC_CTX_free")
|
|
||||||
+have_func("EVP_MD_CTX_pkey_ctx")
|
|
||||||
have_func("X509_STORE_get_ex_data")
|
|
||||||
have_func("X509_STORE_set_ex_data")
|
|
||||||
have_func("X509_STORE_get_ex_new_index")
|
|
||||||
diff --git a/ext/openssl/lib/openssl/hmac.rb b/ext/openssl/lib/openssl/hmac.rb
|
|
||||||
index 3d4427611d..9bc8bc8df3 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/hmac.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/hmac.rb
|
|
||||||
@@ -9,5 +9,45 @@ def ==(other)
|
|
||||||
|
|
||||||
OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
|
|
||||||
end
|
|
||||||
+
|
|
||||||
+ class << self
|
|
||||||
+ # :call-seq:
|
|
||||||
+ # HMAC.digest(digest, key, data) -> aString
|
|
||||||
+ #
|
|
||||||
+ # Returns the authentication code as a binary string. The _digest_ parameter
|
|
||||||
+ # specifies the digest algorithm to use. This may be a String representing
|
|
||||||
+ # the algorithm name or an instance of OpenSSL::Digest.
|
|
||||||
+ #
|
|
||||||
+ # === Example
|
|
||||||
+ # key = 'key'
|
|
||||||
+ # data = 'The quick brown fox jumps over the lazy dog'
|
|
||||||
+ #
|
|
||||||
+ # hmac = OpenSSL::HMAC.digest('SHA1', key, data)
|
|
||||||
+ # #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
|
|
||||||
+ def digest(digest, key, data)
|
|
||||||
+ hmac = new(key, digest)
|
|
||||||
+ hmac << data
|
|
||||||
+ hmac.digest
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ # :call-seq:
|
|
||||||
+ # HMAC.hexdigest(digest, key, data) -> aString
|
|
||||||
+ #
|
|
||||||
+ # Returns the authentication code as a hex-encoded string. The _digest_
|
|
||||||
+ # parameter specifies the digest algorithm to use. This may be a String
|
|
||||||
+ # representing the algorithm name or an instance of OpenSSL::Digest.
|
|
||||||
+ #
|
|
||||||
+ # === Example
|
|
||||||
+ # key = 'key'
|
|
||||||
+ # data = 'The quick brown fox jumps over the lazy dog'
|
|
||||||
+ #
|
|
||||||
+ # hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
|
|
||||||
+ # #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
|
|
||||||
+ def hexdigest(digest, key, data)
|
|
||||||
+ hmac = new(key, digest)
|
|
||||||
+ hmac << data
|
|
||||||
+ hmac.hexdigest
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
|
|
||||||
index b36ef0288..010c158dc 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.c
|
|
||||||
+++ b/ext/openssl/openssl_missing.c
|
|
||||||
@@ -13,9 +13,6 @@
|
|
||||||
#if !defined(OPENSSL_NO_ENGINE)
|
|
||||||
# include <openssl/engine.h>
|
|
||||||
#endif
|
|
||||||
-#if !defined(OPENSSL_NO_HMAC)
|
|
||||||
-# include <openssl/hmac.h>
|
|
||||||
-#endif
|
|
||||||
#include <openssl/x509_vfy.h>
|
|
||||||
|
|
||||||
#include "openssl_missing.h"
|
|
||||||
@@ -58,29 +55,6 @@ ossl_EC_curve_nist2nid(const char *name)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*** added in 1.1.0 ***/
|
|
||||||
-#if !defined(HAVE_HMAC_CTX_NEW)
|
|
||||||
-HMAC_CTX *
|
|
||||||
-ossl_HMAC_CTX_new(void)
|
|
||||||
-{
|
|
||||||
- HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
|
|
||||||
- if (!ctx)
|
|
||||||
- return NULL;
|
|
||||||
- HMAC_CTX_init(ctx);
|
|
||||||
- return ctx;
|
|
||||||
-}
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
-#if !defined(HAVE_HMAC_CTX_FREE)
|
|
||||||
-void
|
|
||||||
-ossl_HMAC_CTX_free(HMAC_CTX *ctx)
|
|
||||||
-{
|
|
||||||
- if (ctx) {
|
|
||||||
- HMAC_CTX_cleanup(ctx);
|
|
||||||
- OPENSSL_free(ctx);
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
|
|
||||||
void
|
|
||||||
ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
|
|
||||||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
||||||
index 7d218f86f..06d2a9082 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.h
|
|
||||||
+++ b/ext/openssl/openssl_missing.h
|
|
||||||
@@ -54,14 +54,8 @@ int ossl_EC_curve_nist2nid(const char *);
|
|
||||||
# define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if !defined(HAVE_HMAC_CTX_NEW)
|
|
||||||
-HMAC_CTX *ossl_HMAC_CTX_new(void);
|
|
||||||
-# define HMAC_CTX_new ossl_HMAC_CTX_new
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
-#if !defined(HAVE_HMAC_CTX_FREE)
|
|
||||||
-void ossl_HMAC_CTX_free(HMAC_CTX *);
|
|
||||||
-# define HMAC_CTX_free ossl_HMAC_CTX_free
|
|
||||||
+#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
|
|
||||||
+# define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if !defined(HAVE_X509_STORE_GET_EX_DATA)
|
|
||||||
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
|
||||||
index c20f506bd..577eb6d6b 100644
|
|
||||||
--- a/ext/openssl/ossl.h
|
|
||||||
+++ b/ext/openssl/ossl.h
|
|
||||||
@@ -24,7 +24,6 @@
|
|
||||||
#include <openssl/ssl.h>
|
|
||||||
#include <openssl/pkcs12.h>
|
|
||||||
#include <openssl/pkcs7.h>
|
|
||||||
-#include <openssl/hmac.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#ifndef OPENSSL_NO_TS
|
|
||||||
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
||||||
index 70e9fb819..a21db6c48 100644
|
|
||||||
--- a/ext/openssl/ossl_hmac.c
|
|
||||||
+++ b/ext/openssl/ossl_hmac.c
|
|
||||||
@@ -7,14 +7,12 @@
|
|
||||||
* This program is licensed under the same licence as Ruby.
|
|
||||||
* (See the file 'LICENCE'.)
|
|
||||||
*/
|
|
||||||
-#if !defined(OPENSSL_NO_HMAC)
|
|
||||||
-
|
|
||||||
#include "ossl.h"
|
|
||||||
|
|
||||||
#define NewHMAC(klass) \
|
|
||||||
TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0)
|
|
||||||
#define GetHMAC(obj, ctx) do { \
|
|
||||||
- TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
|
|
||||||
+ TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_hmac_type, (ctx)); \
|
|
||||||
if (!(ctx)) { \
|
|
||||||
ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \
|
|
||||||
} \
|
|
||||||
@@ -36,7 +34,7 @@ VALUE eHMACError;
|
|
||||||
static void
|
|
||||||
ossl_hmac_free(void *ctx)
|
|
||||||
{
|
|
||||||
- HMAC_CTX_free(ctx);
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
static const rb_data_type_t ossl_hmac_type = {
|
|
||||||
@@ -51,12 +49,12 @@ static VALUE
|
|
||||||
ossl_hmac_alloc(VALUE klass)
|
|
||||||
{
|
|
||||||
VALUE obj;
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
|
|
||||||
obj = NewHMAC(klass);
|
|
||||||
- ctx = HMAC_CTX_new();
|
|
||||||
+ ctx = EVP_MD_CTX_new();
|
|
||||||
if (!ctx)
|
|
||||||
- ossl_raise(eHMACError, NULL);
|
|
||||||
+ ossl_raise(eHMACError, "EVP_MD_CTX");
|
|
||||||
RTYPEDDATA_DATA(obj) = ctx;
|
|
||||||
|
|
||||||
return obj;
|
|
||||||
@@ -76,8 +74,7 @@ ossl_hmac_alloc(VALUE klass)
|
|
||||||
* === Example
|
|
||||||
*
|
|
||||||
* key = 'key'
|
|
||||||
- * digest = OpenSSL::Digest.new('sha1')
|
|
||||||
- * instance = OpenSSL::HMAC.new(key, digest)
|
|
||||||
+ * instance = OpenSSL::HMAC.new(key, 'SHA1')
|
|
||||||
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
|
|
||||||
* instance.class
|
|
||||||
* #=> OpenSSL::HMAC
|
|
||||||
@@ -86,7 +83,7 @@ ossl_hmac_alloc(VALUE klass)
|
|
||||||
*
|
|
||||||
* Two instances can be securely compared with #== in constant time:
|
|
||||||
*
|
|
||||||
- * other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
|
|
||||||
+ * other_instance = OpenSSL::HMAC.new('key', 'SHA1')
|
|
||||||
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
|
|
||||||
* instance == other_instance
|
|
||||||
* #=> true
|
|
||||||
@@ -95,12 +92,23 @@ ossl_hmac_alloc(VALUE klass)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
|
|
||||||
- StringValue(key);
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
- HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
|
|
||||||
- ossl_evp_get_digestbyname(digest), NULL);
|
|
||||||
+ StringValue(key);
|
|
||||||
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
|
|
||||||
+ (unsigned char *)RSTRING_PTR(key),
|
|
||||||
+ RSTRING_LENINT(key));
|
|
||||||
+ if (!pkey)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
|
|
||||||
+ if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
|
|
||||||
+ NULL, pkey) != 1) {
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
||||||
+ }
|
|
||||||
+ /* Decrement reference counter; EVP_MD_CTX still keeps it */
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
@@ -108,16 +116,15 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_copy(VALUE self, VALUE other)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx1, *ctx2;
|
|
||||||
+ EVP_MD_CTX *ctx1, *ctx2;
|
|
||||||
|
|
||||||
rb_check_frozen(self);
|
|
||||||
if (self == other) return self;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx1);
|
|
||||||
GetHMAC(other, ctx2);
|
|
||||||
-
|
|
||||||
- if (!HMAC_CTX_copy(ctx1, ctx2))
|
|
||||||
- ossl_raise(eHMACError, "HMAC_CTX_copy");
|
|
||||||
+ if (EVP_MD_CTX_copy(ctx1, ctx2) != 1)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_MD_CTX_copy");
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -142,33 +149,16 @@ ossl_hmac_copy(VALUE self, VALUE other)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_update(VALUE self, VALUE data)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
|
|
||||||
StringValue(data);
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
- HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
|
|
||||||
+ if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_DigestSignUpdate");
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void
|
|
||||||
-hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
|
|
||||||
-{
|
|
||||||
- HMAC_CTX *final;
|
|
||||||
-
|
|
||||||
- final = HMAC_CTX_new();
|
|
||||||
- if (!final)
|
|
||||||
- ossl_raise(eHMACError, "HMAC_CTX_new");
|
|
||||||
-
|
|
||||||
- if (!HMAC_CTX_copy(final, ctx)) {
|
|
||||||
- HMAC_CTX_free(final);
|
|
||||||
- ossl_raise(eHMACError, "HMAC_CTX_copy");
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- HMAC_Final(final, buf, buf_len);
|
|
||||||
- HMAC_CTX_free(final);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* hmac.digest -> string
|
|
||||||
@@ -176,7 +166,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
|
|
||||||
* Returns the authentication code an instance represents as a binary string.
|
|
||||||
*
|
|
||||||
* === Example
|
|
||||||
- * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
|
|
||||||
+ * instance = OpenSSL::HMAC.new('key', 'SHA1')
|
|
||||||
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
|
|
||||||
* instance.digest
|
|
||||||
* #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
|
|
||||||
@@ -184,15 +174,16 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_digest(VALUE self)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
- unsigned int buf_len;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
+ size_t buf_len;
|
|
||||||
VALUE ret;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
|
|
||||||
- hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
|
|
||||||
- assert(buf_len <= EVP_MAX_MD_SIZE);
|
|
||||||
- rb_str_set_len(ret, buf_len);
|
|
||||||
+ if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret),
|
|
||||||
+ &buf_len) != 1)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_DigestSignFinal");
|
|
||||||
+ rb_str_set_len(ret, (long)buf_len);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -207,13 +198,14 @@ ossl_hmac_digest(VALUE self)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_hexdigest(VALUE self)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
unsigned char buf[EVP_MAX_MD_SIZE];
|
|
||||||
- unsigned int buf_len;
|
|
||||||
+ size_t buf_len;
|
|
||||||
VALUE ret;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
- hmac_final(ctx, buf, &buf_len);
|
|
||||||
+ if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_DigestSignFinal");
|
|
||||||
ret = rb_str_new(NULL, buf_len * 2);
|
|
||||||
ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
|
|
||||||
|
|
||||||
@@ -230,7 +222,7 @@ ossl_hmac_hexdigest(VALUE self)
|
|
||||||
* === Example
|
|
||||||
*
|
|
||||||
* data = "The quick brown fox jumps over the lazy dog"
|
|
||||||
- * instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
|
|
||||||
+ * instance = OpenSSL::HMAC.new('key', 'SHA1')
|
|
||||||
* #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
|
|
||||||
*
|
|
||||||
* instance.update(data)
|
|
||||||
@@ -242,84 +234,17 @@ ossl_hmac_hexdigest(VALUE self)
|
|
||||||
static VALUE
|
|
||||||
ossl_hmac_reset(VALUE self)
|
|
||||||
{
|
|
||||||
- HMAC_CTX *ctx;
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
- HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
|
|
||||||
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
|
|
||||||
+ if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
|
|
||||||
+ ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
||||||
|
|
||||||
return self;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * HMAC.digest(digest, key, data) -> aString
|
|
||||||
- *
|
|
||||||
- * Returns the authentication code as a binary string. The _digest_ parameter
|
|
||||||
- * specifies the digest algorithm to use. This may be a String representing
|
|
||||||
- * the algorithm name or an instance of OpenSSL::Digest.
|
|
||||||
- *
|
|
||||||
- * === Example
|
|
||||||
- *
|
|
||||||
- * key = 'key'
|
|
||||||
- * data = 'The quick brown fox jumps over the lazy dog'
|
|
||||||
- *
|
|
||||||
- * hmac = OpenSSL::HMAC.digest('sha1', key, data)
|
|
||||||
- * #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
|
|
||||||
- *
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
|
|
||||||
-{
|
|
||||||
- unsigned char *buf;
|
|
||||||
- unsigned int buf_len;
|
|
||||||
-
|
|
||||||
- StringValue(key);
|
|
||||||
- StringValue(data);
|
|
||||||
- buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
|
|
||||||
- RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
|
|
||||||
- RSTRING_LEN(data), NULL, &buf_len);
|
|
||||||
-
|
|
||||||
- return rb_str_new((const char *)buf, buf_len);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * HMAC.hexdigest(digest, key, data) -> aString
|
|
||||||
- *
|
|
||||||
- * Returns the authentication code as a hex-encoded string. The _digest_
|
|
||||||
- * parameter specifies the digest algorithm to use. This may be a String
|
|
||||||
- * representing the algorithm name or an instance of OpenSSL::Digest.
|
|
||||||
- *
|
|
||||||
- * === Example
|
|
||||||
- *
|
|
||||||
- * key = 'key'
|
|
||||||
- * data = 'The quick brown fox jumps over the lazy dog'
|
|
||||||
- *
|
|
||||||
- * hmac = OpenSSL::HMAC.hexdigest('sha1', key, data)
|
|
||||||
- * #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
|
|
||||||
- *
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
|
|
||||||
-{
|
|
||||||
- unsigned char buf[EVP_MAX_MD_SIZE];
|
|
||||||
- unsigned int buf_len;
|
|
||||||
- VALUE ret;
|
|
||||||
-
|
|
||||||
- StringValue(key);
|
|
||||||
- StringValue(data);
|
|
||||||
-
|
|
||||||
- if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
|
|
||||||
- RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
|
|
||||||
- RSTRING_LEN(data), buf, &buf_len))
|
|
||||||
- ossl_raise(eHMACError, "HMAC");
|
|
||||||
-
|
|
||||||
- ret = rb_str_new(NULL, buf_len * 2);
|
|
||||||
- ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
|
|
||||||
-
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* INIT
|
|
||||||
*/
|
|
||||||
@@ -353,8 +278,7 @@ Init_ossl_hmac(void)
|
|
||||||
* data1 = File.read("file1")
|
|
||||||
* data2 = File.read("file2")
|
|
||||||
* key = "key"
|
|
||||||
- * digest = OpenSSL::Digest.new('SHA256')
|
|
||||||
- * hmac = OpenSSL::HMAC.new(key, digest)
|
|
||||||
+ * hmac = OpenSSL::HMAC.new(key, 'SHA256')
|
|
||||||
* hmac << data1
|
|
||||||
* hmac << data2
|
|
||||||
* mac = hmac.digest
|
|
||||||
@@ -364,8 +288,6 @@ Init_ossl_hmac(void)
|
|
||||||
cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);
|
|
||||||
|
|
||||||
rb_define_alloc_func(cHMAC, ossl_hmac_alloc);
|
|
||||||
- rb_define_singleton_method(cHMAC, "digest", ossl_hmac_s_digest, 3);
|
|
||||||
- rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3);
|
|
||||||
|
|
||||||
rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2);
|
|
||||||
rb_define_method(cHMAC, "initialize_copy", ossl_hmac_copy, 1);
|
|
||||||
@@ -378,12 +300,3 @@ Init_ossl_hmac(void)
|
|
||||||
rb_define_alias(cHMAC, "inspect", "hexdigest");
|
|
||||||
rb_define_alias(cHMAC, "to_s", "hexdigest");
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-#else /* NO_HMAC */
|
|
||||||
-# warning >>> OpenSSL is compiled without HMAC support <<<
|
|
||||||
-void
|
|
||||||
-Init_ossl_hmac(void)
|
|
||||||
-{
|
|
||||||
- rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
|
|
||||||
-}
|
|
||||||
-#endif /* NO_HMAC */
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -1,458 +0,0 @@
|
|||||||
From 91d04f991f8b9910efea7bbe5aecb0fea2bbd5fa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sun, 24 Oct 2021 17:50:18 +0900
|
|
||||||
Subject: [PATCH 1/8] cipher: update test_ciphers
|
|
||||||
|
|
||||||
Do not attempt to actually use all algorithms. Not all algorithms listed
|
|
||||||
in OpenSSL::Cipher.ciphers are always available.
|
|
||||||
---
|
|
||||||
test/openssl/test_cipher.rb | 13 +++++--------
|
|
||||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb
|
|
||||||
index 6d18c0c8..b5fdf0b3 100644
|
|
||||||
--- a/test/openssl/test_cipher.rb
|
|
||||||
+++ b/test/openssl/test_cipher.rb
|
|
||||||
@@ -135,14 +135,11 @@ def test_ctr_if_exists
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_ciphers
|
|
||||||
- OpenSSL::Cipher.ciphers.each{|name|
|
|
||||||
- next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name
|
|
||||||
- begin
|
|
||||||
- assert_kind_of(OpenSSL::Cipher, OpenSSL::Cipher.new(name))
|
|
||||||
- rescue OpenSSL::Cipher::CipherError => e
|
|
||||||
- raise unless /wrap/ =~ name and /wrap mode not allowed/ =~ e.message
|
|
||||||
- end
|
|
||||||
- }
|
|
||||||
+ ciphers = OpenSSL::Cipher.ciphers
|
|
||||||
+ assert_kind_of Array, ciphers
|
|
||||||
+ assert_include ciphers, "aes-128-cbc"
|
|
||||||
+ assert_include ciphers, "aes128" # alias of aes-128-cbc
|
|
||||||
+ assert_include ciphers, "aes-128-gcm"
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_AES
|
|
||||||
|
|
||||||
From 6a60c7b2e7b6afe8b8c98d864ef2740094d86e1d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 11 Dec 2021 16:27:42 +0900
|
|
||||||
Subject: [PATCH 2/8] hmac: fix wrong usage of EVP_DigestSignFinal()
|
|
||||||
|
|
||||||
According to the manpage, the "siglen" parameter must be initialized
|
|
||||||
beforehand.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_hmac.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
||||||
index f89ff2f9..bfe3a74b 100644
|
|
||||||
--- a/ext/openssl/ossl_hmac.c
|
|
||||||
+++ b/ext/openssl/ossl_hmac.c
|
|
||||||
@@ -175,7 +175,7 @@ static VALUE
|
|
||||||
ossl_hmac_digest(VALUE self)
|
|
||||||
{
|
|
||||||
EVP_MD_CTX *ctx;
|
|
||||||
- size_t buf_len;
|
|
||||||
+ size_t buf_len = EVP_MAX_MD_SIZE;
|
|
||||||
VALUE ret;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
@@ -200,7 +200,7 @@ ossl_hmac_hexdigest(VALUE self)
|
|
||||||
{
|
|
||||||
EVP_MD_CTX *ctx;
|
|
||||||
unsigned char buf[EVP_MAX_MD_SIZE];
|
|
||||||
- size_t buf_len;
|
|
||||||
+ size_t buf_len = EVP_MAX_MD_SIZE;
|
|
||||||
VALUE ret;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
|
|
||||||
From 46995816392a79d037df5550b2fb226652c06f42 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 11 Dec 2021 16:30:30 +0900
|
|
||||||
Subject: [PATCH 3/8] hmac: skip test_dup on OpenSSL 3.0 for now
|
|
||||||
|
|
||||||
EVP_MD_CTX_copy() doesn't seem to work as intended on HMAC EVP_MD_CTX
|
|
||||||
on OpenSSL 3.0.0 and causes a double free. I haven't found the root
|
|
||||||
problem yet, but let's skip the test case for now.
|
|
||||||
---
|
|
||||||
test/openssl/test_hmac.rb | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb
|
|
||||||
index 2f53a813..47cb3718 100644
|
|
||||||
--- a/test/openssl/test_hmac.rb
|
|
||||||
+++ b/test/openssl/test_hmac.rb
|
|
||||||
@@ -19,6 +19,7 @@ def test_hmac
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dup
|
|
||||||
+ pend "HMAC#initialize_copy is currently broken on OpenSSL 3.0.0" if openssl?(3, 0, 0)
|
|
||||||
h1 = OpenSSL::HMAC.new("KEY", "MD5")
|
|
||||||
h1.update("DATA")
|
|
||||||
h = h1.dup
|
|
||||||
|
|
||||||
From 69a27d8de4bd291cb4eb21a4d715b197e7da5a06 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Thu, 15 Apr 2021 00:51:58 +0900
|
|
||||||
Subject: [PATCH 4/8] engine: disable OpenSSL::Engine on OpenSSL 3.0
|
|
||||||
|
|
||||||
The entire ENGINE API is deprecated in OpenSSL 3.0 in favor of the new
|
|
||||||
"Provider" concept.
|
|
||||||
|
|
||||||
OpenSSL::Engine will not be defined when compiled with OpenSSL 3.0.
|
|
||||||
We would need a way to interact with providers from Ruby programs, but
|
|
||||||
since the concept is completely different from the ENGINE API, it will
|
|
||||||
not be through the current OpenSSL::Engine interface.
|
|
||||||
---
|
|
||||||
ext/openssl/openssl_missing.c | 3 ---
|
|
||||||
ext/openssl/ossl.h | 8 +++++---
|
|
||||||
ext/openssl/ossl_engine.c | 3 ++-
|
|
||||||
ext/openssl/ossl_pkey.c | 4 ++++
|
|
||||||
4 files changed, 11 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
|
|
||||||
index 8b93cba6..4415703d 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.c
|
|
||||||
+++ b/ext/openssl/openssl_missing.c
|
|
||||||
@@ -10,9 +10,6 @@
|
|
||||||
#include RUBY_EXTCONF_H
|
|
||||||
|
|
||||||
#include <string.h> /* memcpy() */
|
|
||||||
-#if !defined(OPENSSL_NO_ENGINE)
|
|
||||||
-# include <openssl/engine.h>
|
|
||||||
-#endif
|
|
||||||
#include <openssl/x509_vfy.h>
|
|
||||||
|
|
||||||
#include "openssl_missing.h"
|
|
||||||
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
|
||||||
index 3a0ab1e5..4b512689 100644
|
|
||||||
--- a/ext/openssl/ossl.h
|
|
||||||
+++ b/ext/openssl/ossl.h
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
#include <ruby/io.h>
|
|
||||||
#include <ruby/thread.h>
|
|
||||||
#include <openssl/opensslv.h>
|
|
||||||
+
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/asn1.h>
|
|
||||||
#include <openssl/x509v3.h>
|
|
||||||
@@ -30,9 +31,6 @@
|
|
||||||
#include <openssl/ts.h>
|
|
||||||
#endif
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
-#if !defined(OPENSSL_NO_ENGINE)
|
|
||||||
-# include <openssl/engine.h>
|
|
||||||
-#endif
|
|
||||||
#if !defined(OPENSSL_NO_OCSP)
|
|
||||||
# include <openssl/ocsp.h>
|
|
||||||
#endif
|
|
||||||
@@ -54,6 +52,10 @@
|
|
||||||
(LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+# define OSSL_USE_ENGINE
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Common Module
|
|
||||||
*/
|
|
||||||
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
|
|
||||||
index 661a1368..1abde7f7 100644
|
|
||||||
--- a/ext/openssl/ossl_engine.c
|
|
||||||
+++ b/ext/openssl/ossl_engine.c
|
|
||||||
@@ -9,7 +9,8 @@
|
|
||||||
*/
|
|
||||||
#include "ossl.h"
|
|
||||||
|
|
||||||
-#if !defined(OPENSSL_NO_ENGINE)
|
|
||||||
+#ifdef OSSL_USE_ENGINE
|
|
||||||
+# include <openssl/engine.h>
|
|
||||||
|
|
||||||
#define NewEngine(klass) \
|
|
||||||
TypedData_Wrap_Struct((klass), &ossl_engine_type, 0)
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 7030be3c..94760d32 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -9,6 +9,10 @@
|
|
||||||
*/
|
|
||||||
#include "ossl.h"
|
|
||||||
|
|
||||||
+#ifdef OSSL_USE_ENGINE
|
|
||||||
+# include <openssl/engine.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Classes
|
|
||||||
*/
|
|
||||||
|
|
||||||
From b1ee2f23b28c2d0b14fd9b4b9fef13e870370746 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Wed, 17 Nov 2021 11:39:06 +0900
|
|
||||||
Subject: [PATCH 5/8] ssl: add constants for new SSL_OP_* flags
|
|
||||||
|
|
||||||
Add all SSL_OP_* constants defined in OpenSSL 3.0.0 which are not
|
|
||||||
specific to DTLS.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_ssl.c | 35 +++++++++++++++++++++++++++++------
|
|
||||||
1 file changed, 29 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
|
||||||
index 3b425ca7..9a0682a7 100644
|
|
||||||
--- a/ext/openssl/ossl_ssl.c
|
|
||||||
+++ b/ext/openssl/ossl_ssl.c
|
|
||||||
@@ -2941,13 +2941,28 @@ Init_ossl_ssl(void)
|
|
||||||
rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
|
|
||||||
|
|
||||||
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
|
|
||||||
+#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
|
|
||||||
+ rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
|
|
||||||
+#endif
|
|
||||||
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
|
|
||||||
+#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
|
|
||||||
+ rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
|
|
||||||
+#endif
|
|
||||||
#ifdef SSL_OP_TLSEXT_PADDING /* OpenSSL 1.0.1h and OpenSSL 1.0.2 */
|
|
||||||
rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG /* OpenSSL 1.0.1f and OpenSSL 1.0.2 */
|
|
||||||
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
|
|
||||||
#endif
|
|
||||||
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
|
|
||||||
+ rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
|
|
||||||
+#endif
|
|
||||||
+#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
|
|
||||||
+ rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
|
|
||||||
+#endif
|
|
||||||
+#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
|
|
||||||
+ rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
|
|
||||||
+#endif
|
|
||||||
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
|
|
||||||
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
|
|
||||||
#endif
|
|
||||||
@@ -2959,13 +2974,15 @@ Init_ossl_ssl(void)
|
|
||||||
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
|
|
||||||
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
|
|
||||||
#endif
|
|
||||||
- rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
|
|
||||||
- rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
|
|
||||||
-#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
|
|
||||||
- rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
|
|
||||||
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
|
|
||||||
+ rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
|
|
||||||
+#endif
|
|
||||||
+#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
|
|
||||||
+ rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
|
|
||||||
+#endif
|
|
||||||
+#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
|
|
||||||
+ rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
|
|
||||||
#endif
|
|
||||||
- rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
||||||
-
|
|
||||||
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
|
|
||||||
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
|
|
||||||
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
|
|
||||||
@@ -2973,6 +2990,12 @@ Init_ossl_ssl(void)
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
|
|
||||||
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
|
|
||||||
#endif
|
|
||||||
+ rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
|
|
||||||
+ rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
|
|
||||||
+#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
|
|
||||||
+ rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
|
|
||||||
+#endif
|
|
||||||
+ rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
|
|
||||||
|
|
||||||
/* SSL_OP_* flags for DTLS */
|
|
||||||
#if 0
|
|
||||||
|
|
||||||
From e168df0f3570709bfb38e9a39838bd0a7e78164c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sun, 12 Dec 2021 00:47:35 +0900
|
|
||||||
Subject: [PATCH 6/8] ssl: update test_options_disable_versions
|
|
||||||
|
|
||||||
Use the combination of TLS 1.2 and TLS 1.3 instead of TLS 1.1 and TLS
|
|
||||||
1.2 so that will the test case will be run on latest platforms.
|
|
||||||
---
|
|
||||||
test/openssl/test_ssl.rb | 75 +++++++++++++++++++++-------------------
|
|
||||||
1 file changed, 40 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
|
|
||||||
index 22691292..2abade06 100644
|
|
||||||
--- a/test/openssl/test_ssl.rb
|
|
||||||
+++ b/test/openssl/test_ssl.rb
|
|
||||||
@@ -1180,46 +1180,51 @@ def test_minmax_version
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_options_disable_versions
|
|
||||||
- # Note: Use of these OP_* flags has been deprecated since OpenSSL 1.1.0.
|
|
||||||
+ # It's recommended to use SSLContext#{min,max}_version= instead in real
|
|
||||||
+ # applications. The purpose of this test case is to check that SSL options
|
|
||||||
+ # are properly propagated to OpenSSL library.
|
|
||||||
supported = check_supported_protocol_versions
|
|
||||||
+ if !defined?(OpenSSL::SSL::TLS1_3_VERSION) ||
|
|
||||||
+ !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
|
|
||||||
+ !supported.include?(OpenSSL::SSL::TLS1_3_VERSION) ||
|
|
||||||
+ !defined?(OpenSSL::SSL::OP_NO_TLSv1_3) # LibreSSL < 3.4
|
|
||||||
+ pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
|
|
||||||
+ "and enabled by default"
|
|
||||||
+ end
|
|
||||||
|
|
||||||
- if supported.include?(OpenSSL::SSL::TLS1_1_VERSION) &&
|
|
||||||
- supported.include?(OpenSSL::SSL::TLS1_2_VERSION)
|
|
||||||
- # Server disables ~ TLS 1.1
|
|
||||||
- ctx_proc = proc { |ctx|
|
|
||||||
- ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
|
|
||||||
- OpenSSL::SSL::OP_NO_TLSv1 | OpenSSL::SSL::OP_NO_TLSv1_1
|
|
||||||
- }
|
|
||||||
- start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
|
|
||||||
- # Client only supports TLS 1.1
|
|
||||||
- ctx1 = OpenSSL::SSL::SSLContext.new
|
|
||||||
- ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_1_VERSION
|
|
||||||
- assert_handshake_error { server_connect(port, ctx1) { } }
|
|
||||||
+ # Server disables TLS 1.2 and earlier
|
|
||||||
+ ctx_proc = proc { |ctx|
|
|
||||||
+ ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
|
|
||||||
+ OpenSSL::SSL::OP_NO_TLSv1 | OpenSSL::SSL::OP_NO_TLSv1_1 |
|
|
||||||
+ OpenSSL::SSL::OP_NO_TLSv1_2
|
|
||||||
+ }
|
|
||||||
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
|
|
||||||
+ # Client only supports TLS 1.2
|
|
||||||
+ ctx1 = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
||||||
+ assert_handshake_error { server_connect(port, ctx1) { } }
|
|
||||||
|
|
||||||
- # Client only supports TLS 1.2
|
|
||||||
- ctx2 = OpenSSL::SSL::SSLContext.new
|
|
||||||
- ctx2.min_version = ctx2.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
||||||
- assert_nothing_raised { server_connect(port, ctx2) { } }
|
|
||||||
- }
|
|
||||||
+ # Client only supports TLS 1.3
|
|
||||||
+ ctx2 = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ ctx2.min_version = ctx2.max_version = OpenSSL::SSL::TLS1_3_VERSION
|
|
||||||
+ assert_nothing_raised { server_connect(port, ctx2) { } }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- # Server only supports TLS 1.1
|
|
||||||
- ctx_proc = proc { |ctx|
|
|
||||||
- ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_1_VERSION
|
|
||||||
- }
|
|
||||||
- start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
|
|
||||||
- # Client disables TLS 1.1
|
|
||||||
- ctx1 = OpenSSL::SSL::SSLContext.new
|
|
||||||
- ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_1
|
|
||||||
- assert_handshake_error { server_connect(port, ctx1) { } }
|
|
||||||
+ # Server only supports TLS 1.2
|
|
||||||
+ ctx_proc = proc { |ctx|
|
|
||||||
+ ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
||||||
+ }
|
|
||||||
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
|
|
||||||
+ # Client doesn't support TLS 1.2
|
|
||||||
+ ctx1 = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_2
|
|
||||||
+ assert_handshake_error { server_connect(port, ctx1) { } }
|
|
||||||
|
|
||||||
- # Client disables TLS 1.2
|
|
||||||
- ctx2 = OpenSSL::SSL::SSLContext.new
|
|
||||||
- ctx2.options |= OpenSSL::SSL::OP_NO_TLSv1_2
|
|
||||||
- assert_nothing_raised { server_connect(port, ctx2) { } }
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- pend "TLS 1.1 and TLS 1.2 must be supported; skipping"
|
|
||||||
- end
|
|
||||||
+ # Client supports TLS 1.2 by default
|
|
||||||
+ ctx2 = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ ctx2.options |= OpenSSL::SSL::OP_NO_TLSv1_3
|
|
||||||
+ assert_nothing_raised { server_connect(port, ctx2) { } }
|
|
||||||
+ }
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_ssl_methods_constant
|
|
||||||
|
|
||||||
From ccdb6f7bfa5f988a07beecedbf2b6205b6ab8492 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 20 Mar 2021 23:16:41 +0900
|
|
||||||
Subject: [PATCH 7/8] pkey: assume a pkey always has public key components on
|
|
||||||
OpenSSL 3.0
|
|
||||||
|
|
||||||
OpenSSL 3.0's EVP_PKEY_get0() returns NULL for provider-backed pkeys.
|
|
||||||
This causes segfault because it was supposed to never return NULL
|
|
||||||
before.
|
|
||||||
|
|
||||||
We can't check the existence of public key components in this way on
|
|
||||||
OpenSSL 3.0. Let's just skip it for now.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 11 +++++++++++
|
|
||||||
1 file changed, 11 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 94760d32..09d45d85 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -428,9 +428,19 @@ ossl_pkey_s_generate_key(int argc, VALUE *argv, VALUE self)
|
|
||||||
return pkey_generate(argc, argv, self, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * TODO: There is no convenient way to check the presence of public key
|
|
||||||
+ * components on OpenSSL 3.0. But since keys are immutable on 3.0, pkeys without
|
|
||||||
+ * these should only be created by OpenSSL::PKey.generate_parameters or by
|
|
||||||
+ * parsing DER-/PEM-encoded string. We would need another flag for that.
|
|
||||||
+ */
|
|
||||||
void
|
|
||||||
ossl_pkey_check_public_key(const EVP_PKEY *pkey)
|
|
||||||
{
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ if (EVP_PKEY_missing_parameters(pkey))
|
|
||||||
+ ossl_raise(ePKeyError, "parameters missing");
|
|
||||||
+#else
|
|
||||||
void *ptr;
|
|
||||||
const BIGNUM *n, *e, *pubkey;
|
|
||||||
|
|
||||||
@@ -466,6 +476,7 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
ossl_raise(ePKeyError, "public key missing");
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
EVP_PKEY *
|
|
||||||
|
|
||||||
From d6535d13d174cd87ae99f3e60e97f7a00e1474e5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 12 Apr 2021 10:43:46 +0900
|
|
||||||
Subject: [PATCH 8/8] pkey: use EVP_PKEY_CTX_new_from_name() on OpenSSL 3.0
|
|
||||||
|
|
||||||
Replace EVP_PKEY_CTX_new_id() with the new EVP_PKEY_CTX_new_from_name()
|
|
||||||
which takes the algorithm name in a string instead of in an NID.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 09d45d85..2a4835a2 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -315,6 +315,11 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
|
|
||||||
ossl_raise(ePKeyError, "EVP_PKEY_CTX_new");
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, StringValueCStr(alg), NULL);
|
|
||||||
+ if (!ctx)
|
|
||||||
+ ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_from_name");
|
|
||||||
+#else
|
|
||||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
|
||||||
ENGINE *tmpeng;
|
|
||||||
int pkey_id;
|
|
||||||
@@ -333,6 +338,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
|
|
||||||
ctx = EVP_PKEY_CTX_new_id(pkey_id, NULL/* engine */);
|
|
||||||
if (!ctx)
|
|
||||||
ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_id");
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
if (genparam && EVP_PKEY_paramgen_init(ctx) <= 0) {
|
|
@ -1,304 +0,0 @@
|
|||||||
From 8f948ed68a4ed6c05ff66d822711e3b70ae4bb3f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 27 Sep 2021 13:32:03 +0900
|
|
||||||
Subject: [PATCH 1/5] ext/openssl/ossl.h: add helper macros for
|
|
||||||
OpenSSL/LibreSSL versions
|
|
||||||
|
|
||||||
Add following convenient macros:
|
|
||||||
|
|
||||||
- OSSL_IS_LIBRESSL
|
|
||||||
- OSSL_OPENSSL_PREREQ(maj, min, pat)
|
|
||||||
- OSSL_LIBRESSL_PREREQ(maj, min, pat)
|
|
||||||
---
|
|
||||||
ext/openssl/ossl.h | 12 ++++++++++++
|
|
||||||
1 file changed, 12 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
|
||||||
index c20f506bda..a0cef29d74 100644
|
|
||||||
--- a/ext/openssl/ossl.h
|
|
||||||
+++ b/ext/openssl/ossl.h
|
|
||||||
@@ -42,6 +42,18 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
|
|
||||||
+#ifndef LIBRESSL_VERSION_NUMBER
|
|
||||||
+# define OSSL_IS_LIBRESSL 0
|
|
||||||
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
|
|
||||||
+ (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
||||||
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
|
|
||||||
+#else
|
|
||||||
+# define OSSL_IS_LIBRESSL 1
|
|
||||||
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
|
|
||||||
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
|
|
||||||
+ (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Common Module
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From bbf235091e49807ece8f3a3df95bbfcc9d3ab43d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 22 Feb 2020 05:37:01 +0900
|
|
||||||
Subject: [PATCH 2/5] ts: use TS_VERIFY_CTX_set_certs instead of
|
|
||||||
TS_VERIFY_CTS_set_certs
|
|
||||||
|
|
||||||
OpenSSL 3.0 fixed the typo in the function name and replaced the
|
|
||||||
current 'CTS' version with a macro.
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 5 ++++-
|
|
||||||
ext/openssl/openssl_missing.h | 5 +++++
|
|
||||||
ext/openssl/ossl_ts.c | 2 +-
|
|
||||||
3 files changed, 10 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index 17d93443fc..09cae05b72 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -172,7 +172,7 @@ def find_openssl_library
|
|
||||||
have_func("TS_STATUS_INFO_get0_status")
|
|
||||||
have_func("TS_STATUS_INFO_get0_text")
|
|
||||||
have_func("TS_STATUS_INFO_get0_failure_info")
|
|
||||||
-have_func("TS_VERIFY_CTS_set_certs")
|
|
||||||
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
||||||
have_func("TS_VERIFY_CTX_set_store")
|
|
||||||
have_func("TS_VERIFY_CTX_add_flags")
|
|
||||||
have_func("TS_RESP_CTX_set_time_cb")
|
|
||||||
@@ -181,6 +181,9 @@ def find_openssl_library
|
|
||||||
|
|
||||||
# added in 1.1.1
|
|
||||||
have_func("EVP_PKEY_check")
|
|
||||||
+
|
|
||||||
+# added in 3.0.0
|
|
||||||
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
||||||
|
|
||||||
Logging::message "=== Checking done. ===\n"
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
||||||
index e575415f49..fe486bcfcf 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.h
|
|
||||||
+++ b/ext/openssl/openssl_missing.h
|
|
||||||
@@ -236,4 +236,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
||||||
} while (0)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* added in 3.0.0 */
|
|
||||||
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
|
|
||||||
+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
||||||
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
|
|
||||||
index 692c0d620f..f1da7c1947 100644
|
|
||||||
--- a/ext/openssl/ossl_ts.c
|
|
||||||
+++ b/ext/openssl/ossl_ts.c
|
|
||||||
@@ -820,7 +820,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
|
|
||||||
X509_up_ref(cert);
|
|
||||||
}
|
|
||||||
|
|
||||||
- TS_VERIFY_CTS_set_certs(ctx, x509inter);
|
|
||||||
+ TS_VERIFY_CTX_set_certs(ctx, x509inter);
|
|
||||||
TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
|
|
||||||
TS_VERIFY_CTX_set_store(ctx, x509st);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From 5fba3bc1df93ab6abc3ea53be3393480f36ea259 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 19 Mar 2021 19:18:25 +0900
|
|
||||||
Subject: [PATCH 3/5] ssl: use SSL_get_rbio() to check if SSL is started or not
|
|
||||||
|
|
||||||
Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally
|
|
||||||
calls SSL_get_rbio() and it's enough for our purpose.
|
|
||||||
|
|
||||||
In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue
|
|
||||||
if BIO has not been set up yet, and we would have to clean it up.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_ssl.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
|
||||||
index 4b7efa39f5..ec430bfb0c 100644
|
|
||||||
--- a/ext/openssl/ossl_ssl.c
|
|
||||||
+++ b/ext/openssl/ossl_ssl.c
|
|
||||||
@@ -1535,8 +1535,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
||||||
static inline int
|
|
||||||
ssl_started(SSL *ssl)
|
|
||||||
{
|
|
||||||
- /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
|
|
||||||
- return SSL_get_fd(ssl) >= 0;
|
|
||||||
+ /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
|
||||||
+ return SSL_get_rbio(ssl) != NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
From 0a253027e6be47c0b7fd8b664f1048f24d7ca657 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Thu, 22 Apr 2021 13:57:47 +0900
|
|
||||||
Subject: [PATCH 4/5] digest: use EVP_MD_CTX_get0_md() instead of
|
|
||||||
EVP_MD_CTX_md() if exists
|
|
||||||
|
|
||||||
The function was renamed in OpenSSL 3.0 due to the change of the
|
|
||||||
lifetime of EVP_MD objects. They are no longer necessarily statically
|
|
||||||
allocated and can be reference-counted -- when an EVP_MD_CTX is free'd,
|
|
||||||
the associated EVP_MD can also become inaccessible.
|
|
||||||
|
|
||||||
Currently Ruby/OpenSSL only handles builtin algorithms, so no special
|
|
||||||
handling is needed except for adapting to the rename.
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 1 +
|
|
||||||
ext/openssl/openssl_missing.h | 4 ++++
|
|
||||||
ext/openssl/ossl_digest.c | 6 +++---
|
|
||||||
ext/openssl/ossl_hmac.c | 2 +-
|
|
||||||
4 files changed, 9 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index 98f96afe..842b7f5b 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -184,6 +184,7 @@ def find_openssl_library
|
|
||||||
|
|
||||||
# added in 3.0.0
|
|
||||||
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
||||||
+have_func("EVP_MD_CTX_get0_md")
|
|
||||||
|
|
||||||
Logging::message "=== Checking done. ===\n"
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
||||||
index 1b1a54a8..64212349 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.h
|
|
||||||
+++ b/ext/openssl/openssl_missing.h
|
|
||||||
@@ -241,4 +241,8 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
||||||
# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifndef HAVE_EVP_MD_CTX_GET0_MD
|
|
||||||
+# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
||||||
diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c
|
|
||||||
index b2506de7..fc326ec1 100644
|
|
||||||
--- a/ext/openssl/ossl_digest.c
|
|
||||||
+++ b/ext/openssl/ossl_digest.c
|
|
||||||
@@ -63,7 +63,7 @@ ossl_evp_get_digestbyname(VALUE obj)
|
|
||||||
|
|
||||||
GetDigest(obj, ctx);
|
|
||||||
|
|
||||||
- md = EVP_MD_CTX_md(ctx);
|
|
||||||
+ md = EVP_MD_CTX_get0_md(ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
return md;
|
|
||||||
@@ -176,7 +176,7 @@ ossl_digest_reset(VALUE self)
|
|
||||||
EVP_MD_CTX *ctx;
|
|
||||||
|
|
||||||
GetDigest(self, ctx);
|
|
||||||
- if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
|
|
||||||
+ if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) {
|
|
||||||
ossl_raise(eDigestError, "Digest initialization failed.");
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -259,7 +259,7 @@ ossl_digest_name(VALUE self)
|
|
||||||
|
|
||||||
GetDigest(self, ctx);
|
|
||||||
|
|
||||||
- return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx)));
|
|
||||||
+ return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx)));
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
||||||
index a21db6c4..2642728b 100644
|
|
||||||
--- a/ext/openssl/ossl_hmac.c
|
|
||||||
+++ b/ext/openssl/ossl_hmac.c
|
|
||||||
@@ -239,7 +239,7 @@ ossl_hmac_reset(VALUE self)
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
|
|
||||||
- if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
|
|
||||||
+ if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
|
|
||||||
ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
||||||
|
|
||||||
return self;
|
|
||||||
|
|
||||||
From c106d888c62e44a11cdbba5e4d2d0cb837ec3e52 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Tue, 22 Jun 2021 18:50:17 +0900
|
|
||||||
Subject: [PATCH 5/5] hmac: use EVP_MD_CTX_get_pkey_ctx() instead of
|
|
||||||
EVP_MD_CTX_pkey_ctx()
|
|
||||||
|
|
||||||
OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the
|
|
||||||
function name. Adjust compatibility macro so that we can use the new
|
|
||||||
function name for all OpenSSL 1.0.2-3.0.
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 1 +
|
|
||||||
ext/openssl/openssl_missing.h | 16 ++++++++++++----
|
|
||||||
ext/openssl/ossl_hmac.c | 2 +-
|
|
||||||
3 files changed, 14 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index 842b7f5b..d9d34b7c 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -185,6 +185,7 @@ def find_openssl_library
|
|
||||||
# added in 3.0.0
|
|
||||||
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
||||||
have_func("EVP_MD_CTX_get0_md")
|
|
||||||
+have_func("EVP_MD_CTX_get_pkey_ctx")
|
|
||||||
|
|
||||||
Logging::message "=== Checking done. ===\n"
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
||||||
index 64212349..55c4f378 100644
|
|
||||||
--- a/ext/openssl/openssl_missing.h
|
|
||||||
+++ b/ext/openssl/openssl_missing.h
|
|
||||||
@@ -42,10 +42,6 @@ int ossl_EC_curve_nist2nid(const char *);
|
|
||||||
# define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
|
|
||||||
-# define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#if !defined(HAVE_X509_STORE_GET_EX_DATA)
|
|
||||||
# define X509_STORE_get_ex_data(x, idx) \
|
|
||||||
CRYPTO_get_ex_data(&(x)->ex_data, (idx))
|
|
||||||
@@ -245,4 +241,16 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
||||||
# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
|
|
||||||
+ * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
|
|
||||||
+ */
|
|
||||||
+#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
|
|
||||||
+# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
|
|
||||||
+# define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
|
|
||||||
+# else
|
|
||||||
+# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
|
|
||||||
+# endif
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
||||||
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
||||||
index 2642728b..f89ff2f9 100644
|
|
||||||
--- a/ext/openssl/ossl_hmac.c
|
|
||||||
+++ b/ext/openssl/ossl_hmac.c
|
|
||||||
@@ -238,7 +238,7 @@ ossl_hmac_reset(VALUE self)
|
|
||||||
EVP_PKEY *pkey;
|
|
||||||
|
|
||||||
GetHMAC(self, ctx);
|
|
||||||
- pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
|
|
||||||
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
|
|
||||||
if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
|
|
||||||
ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,831 +0,0 @@
|
|||||||
From cf070378020088cd7e69b1cb08be68152ab8a078 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sun, 17 May 2020 18:25:38 +0900
|
|
||||||
Subject: [PATCH 1/3] pkey: implement #to_text using EVP API
|
|
||||||
|
|
||||||
Use EVP_PKEY_print_private() instead of the low-level API *_print()
|
|
||||||
functions, such as RSA_print().
|
|
||||||
|
|
||||||
EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.
|
|
||||||
|
|
||||||
Note that it falls back to EVP_PKEY_print_public() and
|
|
||||||
EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH
|
|
||||||
type for which _private() fails if the private component is not set in
|
|
||||||
the pkey object.
|
|
||||||
|
|
||||||
Since the new API works in the same way for all key types, we now
|
|
||||||
implement #to_text in the base class OpenSSL::PKey::PKey rather than in
|
|
||||||
each subclass.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 38 +++++++++++++++++++++++++++++++++++++
|
|
||||||
ext/openssl/ossl_pkey_dh.c | 29 ----------------------------
|
|
||||||
ext/openssl/ossl_pkey_dsa.c | 29 ----------------------------
|
|
||||||
ext/openssl/ossl_pkey_ec.c | 27 --------------------------
|
|
||||||
ext/openssl/ossl_pkey_rsa.c | 31 ------------------------------
|
|
||||||
test/openssl/test_pkey.rb | 5 +++++
|
|
||||||
6 files changed, 43 insertions(+), 116 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index f9282b9417..21cd4b2cda 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -539,6 +539,43 @@ ossl_pkey_inspect(VALUE self)
|
|
||||||
OBJ_nid2sn(nid));
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * call-seq:
|
|
||||||
+ * pkey.to_text -> string
|
|
||||||
+ *
|
|
||||||
+ * Dumps key parameters, public key, and private key components contained in
|
|
||||||
+ * the key into a human-readable text.
|
|
||||||
+ *
|
|
||||||
+ * This is intended for debugging purpose.
|
|
||||||
+ *
|
|
||||||
+ * See also the man page EVP_PKEY_print_private(3).
|
|
||||||
+ */
|
|
||||||
+static VALUE
|
|
||||||
+ossl_pkey_to_text(VALUE self)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
+ BIO *bio;
|
|
||||||
+
|
|
||||||
+ GetPKey(self, pkey);
|
|
||||||
+ if (!(bio = BIO_new(BIO_s_mem())))
|
|
||||||
+ ossl_raise(ePKeyError, "BIO_new");
|
|
||||||
+
|
|
||||||
+ if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)
|
|
||||||
+ goto out;
|
|
||||||
+ OSSL_BIO_reset(bio);
|
|
||||||
+ if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)
|
|
||||||
+ goto out;
|
|
||||||
+ OSSL_BIO_reset(bio);
|
|
||||||
+ if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ BIO_free(bio);
|
|
||||||
+ ossl_raise(ePKeyError, "EVP_PKEY_print_params");
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ return ossl_membio2str(bio);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
VALUE
|
|
||||||
ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
|
|
||||||
{
|
|
||||||
@@ -1039,6 +1076,7 @@ Init_ossl_pkey(void)
|
|
||||||
rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);
|
|
||||||
rb_define_method(cPKey, "oid", ossl_pkey_oid, 0);
|
|
||||||
rb_define_method(cPKey, "inspect", ossl_pkey_inspect, 0);
|
|
||||||
+ rb_define_method(cPKey, "to_text", ossl_pkey_to_text, 0);
|
|
||||||
rb_define_method(cPKey, "private_to_der", ossl_pkey_private_to_der, -1);
|
|
||||||
rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);
|
|
||||||
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
index 6b477b077c..acd3bf474e 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dh.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
@@ -266,34 +266,6 @@ ossl_dh_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * dh.to_text -> aString
|
|
||||||
- *
|
|
||||||
- * Prints all parameters of key to buffer
|
|
||||||
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
|
|
||||||
- * Don't use :-)) (I's up to you)
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_dh_to_text(VALUE self)
|
|
||||||
-{
|
|
||||||
- DH *dh;
|
|
||||||
- BIO *out;
|
|
||||||
- VALUE str;
|
|
||||||
-
|
|
||||||
- GetDH(self, dh);
|
|
||||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
|
||||||
- ossl_raise(eDHError, NULL);
|
|
||||||
- }
|
|
||||||
- if (!DHparams_print(out, dh)) {
|
|
||||||
- BIO_free(out);
|
|
||||||
- ossl_raise(eDHError, NULL);
|
|
||||||
- }
|
|
||||||
- str = ossl_membio2str(out);
|
|
||||||
-
|
|
||||||
- return str;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* dh.public_key -> aDH
|
|
||||||
@@ -426,7 +398,6 @@ Init_ossl_dh(void)
|
|
||||||
rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1);
|
|
||||||
rb_define_method(cDH, "public?", ossl_dh_is_public, 0);
|
|
||||||
rb_define_method(cDH, "private?", ossl_dh_is_private, 0);
|
|
||||||
- rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
|
|
||||||
rb_define_method(cDH, "export", ossl_dh_export, 0);
|
|
||||||
rb_define_alias(cDH, "to_pem", "export");
|
|
||||||
rb_define_alias(cDH, "to_s", "export");
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
index 1c5a8a737e..f017cceb4a 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
@@ -264,34 +264,6 @@ ossl_dsa_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * dsa.to_text -> aString
|
|
||||||
- *
|
|
||||||
- * Prints all parameters of key to buffer
|
|
||||||
- * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
|
|
||||||
- * Don't use :-)) (I's up to you)
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_dsa_to_text(VALUE self)
|
|
||||||
-{
|
|
||||||
- DSA *dsa;
|
|
||||||
- BIO *out;
|
|
||||||
- VALUE str;
|
|
||||||
-
|
|
||||||
- GetDSA(self, dsa);
|
|
||||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
|
||||||
- ossl_raise(eDSAError, NULL);
|
|
||||||
- }
|
|
||||||
- if (!DSA_print(out, dsa, 0)) { /* offset = 0 */
|
|
||||||
- BIO_free(out);
|
|
||||||
- ossl_raise(eDSAError, NULL);
|
|
||||||
- }
|
|
||||||
- str = ossl_membio2str(out);
|
|
||||||
-
|
|
||||||
- return str;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* dsa.public_key -> aDSA
|
|
||||||
@@ -469,7 +441,6 @@ Init_ossl_dsa(void)
|
|
||||||
|
|
||||||
rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);
|
|
||||||
rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);
|
|
||||||
- rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);
|
|
||||||
rb_define_method(cDSA, "export", ossl_dsa_export, -1);
|
|
||||||
rb_define_alias(cDSA, "to_pem", "export");
|
|
||||||
rb_define_alias(cDSA, "to_s", "export");
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
index c2534251c3..ecb8305184 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_ec.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
@@ -417,32 +417,6 @@ ossl_ec_key_to_der(VALUE self)
|
|
||||||
else
|
|
||||||
return ossl_pkey_export_spki(self, 1);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * key.to_text => String
|
|
||||||
- *
|
|
||||||
- * See the OpenSSL documentation for EC_KEY_print()
|
|
||||||
- */
|
|
||||||
-static VALUE ossl_ec_key_to_text(VALUE self)
|
|
||||||
-{
|
|
||||||
- EC_KEY *ec;
|
|
||||||
- BIO *out;
|
|
||||||
- VALUE str;
|
|
||||||
-
|
|
||||||
- GetEC(self, ec);
|
|
||||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
|
||||||
- ossl_raise(eECError, "BIO_new(BIO_s_mem())");
|
|
||||||
- }
|
|
||||||
- if (!EC_KEY_print(out, ec, 0)) {
|
|
||||||
- BIO_free(out);
|
|
||||||
- ossl_raise(eECError, "EC_KEY_print");
|
|
||||||
- }
|
|
||||||
- str = ossl_membio2str(out);
|
|
||||||
-
|
|
||||||
- return str;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* key.generate_key! => self
|
|
||||||
@@ -1633,7 +1607,6 @@ void Init_ossl_ec(void)
|
|
||||||
rb_define_method(cEC, "export", ossl_ec_key_export, -1);
|
|
||||||
rb_define_alias(cEC, "to_pem", "export");
|
|
||||||
rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);
|
|
||||||
- rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);
|
|
||||||
|
|
||||||
|
|
||||||
rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc);
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
index 43f82cb29e..7a7e66dbda 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
@@ -587,36 +587,6 @@ ossl_rsa_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * rsa.to_text => String
|
|
||||||
- *
|
|
||||||
- * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
|
|
||||||
- *
|
|
||||||
- * Dumps all parameters of a keypair to a String
|
|
||||||
- *
|
|
||||||
- * Don't use :-)) (It's up to you)
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_rsa_to_text(VALUE self)
|
|
||||||
-{
|
|
||||||
- RSA *rsa;
|
|
||||||
- BIO *out;
|
|
||||||
- VALUE str;
|
|
||||||
-
|
|
||||||
- GetRSA(self, rsa);
|
|
||||||
- if (!(out = BIO_new(BIO_s_mem()))) {
|
|
||||||
- ossl_raise(eRSAError, NULL);
|
|
||||||
- }
|
|
||||||
- if (!RSA_print(out, rsa, 0)) { /* offset = 0 */
|
|
||||||
- BIO_free(out);
|
|
||||||
- ossl_raise(eRSAError, NULL);
|
|
||||||
- }
|
|
||||||
- str = ossl_membio2str(out);
|
|
||||||
-
|
|
||||||
- return str;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* rsa.public_key -> RSA
|
|
||||||
@@ -738,7 +708,6 @@ Init_ossl_rsa(void)
|
|
||||||
|
|
||||||
rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0);
|
|
||||||
rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0);
|
|
||||||
- rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);
|
|
||||||
rb_define_method(cRSA, "export", ossl_rsa_export, -1);
|
|
||||||
rb_define_alias(cRSA, "to_pem", "export");
|
|
||||||
rb_define_alias(cRSA, "to_s", "export");
|
|
||||||
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
|
|
||||||
index 5307fe5b08..3630458b3c 100644
|
|
||||||
--- a/test/openssl/test_pkey.rb
|
|
||||||
+++ b/test/openssl/test_pkey.rb
|
|
||||||
@@ -151,4 +151,9 @@ def test_x25519
|
|
||||||
assert_equal bob_pem, bob.public_to_pem
|
|
||||||
assert_equal [shared_secret].pack("H*"), alice.derive(bob)
|
|
||||||
end
|
|
||||||
+
|
|
||||||
+ def test_to_text
|
|
||||||
+ rsa = Fixtures.pkey("rsa1024")
|
|
||||||
+ assert_include rsa.to_text, "publicExponent"
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From 0c45b22e485bfa62f4d704b08e3704e6444118c4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Thu, 15 Apr 2021 19:11:32 +0900
|
|
||||||
Subject: [PATCH 2/3] pkey: implement {DH,DSA,RSA}#public_key in Ruby
|
|
||||||
|
|
||||||
The low-level API that is used to implement #public_key is deprecated
|
|
||||||
in OpenSSL 3.0. It is actually very simple to implement in another way,
|
|
||||||
using existing methods only, in much shorter code. Let's do it.
|
|
||||||
|
|
||||||
While we are at it, the documentation is updated to recommend against
|
|
||||||
using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der
|
|
||||||
method, there is no real use case for #public_key in newly written Ruby
|
|
||||||
programs.
|
|
||||||
---
|
|
||||||
ext/openssl/lib/openssl/pkey.rb | 55 ++++++++++++++++++++++++++++
|
|
||||||
ext/openssl/ossl_pkey_dh.c | 63 +++++++--------------------------
|
|
||||||
ext/openssl/ossl_pkey_dsa.c | 42 ----------------------
|
|
||||||
ext/openssl/ossl_pkey_rsa.c | 58 +-----------------------------
|
|
||||||
test/openssl/test_pkey_rsa.rb | 37 ++++++++++---------
|
|
||||||
5 files changed, 87 insertions(+), 168 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
index 53ee52f98b..569559e1ce 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/pkey.rb
|
|
||||||
@@ -10,6 +10,30 @@ module OpenSSL::PKey
|
|
||||||
class DH
|
|
||||||
include OpenSSL::Marshal
|
|
||||||
|
|
||||||
+ # :call-seq:
|
|
||||||
+ # dh.public_key -> dhnew
|
|
||||||
+ #
|
|
||||||
+ # Returns a new DH instance that carries just the \DH parameters.
|
|
||||||
+ #
|
|
||||||
+ # Contrary to the method name, the returned DH object contains only
|
|
||||||
+ # parameters and not the public key.
|
|
||||||
+ #
|
|
||||||
+ # This method is provided for backwards compatibility. In most cases, there
|
|
||||||
+ # is no need to call this method.
|
|
||||||
+ #
|
|
||||||
+ # For the purpose of re-generating the key pair while keeping the
|
|
||||||
+ # parameters, check OpenSSL::PKey.generate_key.
|
|
||||||
+ #
|
|
||||||
+ # Example:
|
|
||||||
+ # # OpenSSL::PKey::DH.generate by default generates a random key pair
|
|
||||||
+ # dh1 = OpenSSL::PKey::DH.generate(2048)
|
|
||||||
+ # p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
|
|
||||||
+ # dhcopy = dh1.public_key
|
|
||||||
+ # p dhcopy.priv_key #=> nil
|
|
||||||
+ def public_key
|
|
||||||
+ DH.new(to_der)
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
# :call-seq:
|
|
||||||
# dh.compute_key(pub_bn) -> string
|
|
||||||
#
|
|
||||||
@@ -89,6 +113,22 @@ def new(*args, &blk) # :nodoc:
|
|
||||||
class DSA
|
|
||||||
include OpenSSL::Marshal
|
|
||||||
|
|
||||||
+ # :call-seq:
|
|
||||||
+ # dsa.public_key -> dsanew
|
|
||||||
+ #
|
|
||||||
+ # Returns a new DSA instance that carries just the \DSA parameters and the
|
|
||||||
+ # public key.
|
|
||||||
+ #
|
|
||||||
+ # This method is provided for backwards compatibility. In most cases, there
|
|
||||||
+ # is no need to call this method.
|
|
||||||
+ #
|
|
||||||
+ # For the purpose of serializing the public key, to PEM or DER encoding of
|
|
||||||
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
|
||||||
+ # PKey#public_to_der.
|
|
||||||
+ def public_key
|
|
||||||
+ OpenSSL::PKey.read(public_to_der)
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
class << self
|
|
||||||
# :call-seq:
|
|
||||||
# DSA.generate(size) -> dsa
|
|
||||||
@@ -159,6 +199,21 @@ def to_bn(conversion_form = group.point_conversion_form)
|
|
||||||
class RSA
|
|
||||||
include OpenSSL::Marshal
|
|
||||||
|
|
||||||
+ # :call-seq:
|
|
||||||
+ # rsa.public_key -> rsanew
|
|
||||||
+ #
|
|
||||||
+ # Returns a new RSA instance that carries just the public key components.
|
|
||||||
+ #
|
|
||||||
+ # This method is provided for backwards compatibility. In most cases, there
|
|
||||||
+ # is no need to call this method.
|
|
||||||
+ #
|
|
||||||
+ # For the purpose of serializing the public key, to PEM or DER encoding of
|
|
||||||
+ # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
|
|
||||||
+ # PKey#public_to_der.
|
|
||||||
+ def public_key
|
|
||||||
+ OpenSSL::PKey.read(public_to_der)
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
class << self
|
|
||||||
# :call-seq:
|
|
||||||
# RSA.generate(size, exponent = 65537) -> RSA
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
index acd3bf474e..a512b209d3 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dh.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
@@ -266,48 +266,6 @@ ossl_dh_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * dh.public_key -> aDH
|
|
||||||
- *
|
|
||||||
- * Returns a new DH instance that carries just the public information, i.e.
|
|
||||||
- * the prime _p_ and the generator _g_, but no public/private key yet. Such
|
|
||||||
- * a pair may be generated using DH#generate_key!. The "public key" needed
|
|
||||||
- * for a key exchange with DH#compute_key is considered as per-session
|
|
||||||
- * information and may be retrieved with DH#pub_key once a key pair has
|
|
||||||
- * been generated.
|
|
||||||
- * If the current instance already contains private information (and thus a
|
|
||||||
- * valid public/private key pair), this information will no longer be present
|
|
||||||
- * in the new instance generated by DH#public_key. This feature is helpful for
|
|
||||||
- * publishing the Diffie-Hellman parameters without leaking any of the private
|
|
||||||
- * per-session information.
|
|
||||||
- *
|
|
||||||
- * === Example
|
|
||||||
- * dh = OpenSSL::PKey::DH.new(2048) # has public and private key set
|
|
||||||
- * public_key = dh.public_key # contains only prime and generator
|
|
||||||
- * parameters = public_key.to_der # it's safe to publish this
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_dh_to_public_key(VALUE self)
|
|
||||||
-{
|
|
||||||
- EVP_PKEY *pkey;
|
|
||||||
- DH *orig_dh, *dh;
|
|
||||||
- VALUE obj;
|
|
||||||
-
|
|
||||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
|
||||||
- GetPKey(obj, pkey);
|
|
||||||
-
|
|
||||||
- GetDH(self, orig_dh);
|
|
||||||
- dh = DHparams_dup(orig_dh);
|
|
||||||
- if (!dh)
|
|
||||||
- ossl_raise(eDHError, "DHparams_dup");
|
|
||||||
- if (!EVP_PKEY_assign_DH(pkey, dh)) {
|
|
||||||
- DH_free(dh);
|
|
||||||
- ossl_raise(eDHError, "EVP_PKEY_assign_DH");
|
|
||||||
- }
|
|
||||||
- return obj;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* dh.params_ok? -> true | false
|
|
||||||
@@ -384,14 +342,20 @@ Init_ossl_dh(void)
|
|
||||||
* The per-session private key, an OpenSSL::BN.
|
|
||||||
*
|
|
||||||
* === Example of a key exchange
|
|
||||||
- * dh1 = OpenSSL::PKey::DH.new(2048)
|
|
||||||
- * der = dh1.public_key.to_der #you may send this publicly to the participating party
|
|
||||||
- * dh2 = OpenSSL::PKey::DH.new(der)
|
|
||||||
- * dh2.generate_key! #generate the per-session key pair
|
|
||||||
- * symm_key1 = dh1.compute_key(dh2.pub_key)
|
|
||||||
- * symm_key2 = dh2.compute_key(dh1.pub_key)
|
|
||||||
+ * # you may send the parameters (der) and own public key (pub1) publicly
|
|
||||||
+ * # to the participating party
|
|
||||||
+ * dh1 = OpenSSL::PKey::DH.new(2048)
|
|
||||||
+ * der = dh1.to_der
|
|
||||||
+ * pub1 = dh1.pub_key
|
|
||||||
+ *
|
|
||||||
+ * # the other party generates its per-session key pair
|
|
||||||
+ * dhparams = OpenSSL::PKey::DH.new(der)
|
|
||||||
+ * dh2 = OpenSSL::PKey.generate_key(dhparams)
|
|
||||||
+ * pub2 = dh2.pub_key
|
|
||||||
*
|
|
||||||
- * puts symm_key1 == symm_key2 # => true
|
|
||||||
+ * symm_key1 = dh1.compute_key(pub2)
|
|
||||||
+ * symm_key2 = dh2.compute_key(pub1)
|
|
||||||
+ * puts symm_key1 == symm_key2 # => true
|
|
||||||
*/
|
|
||||||
cDH = rb_define_class_under(mPKey, "DH", cPKey);
|
|
||||||
rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);
|
|
||||||
@@ -402,7 +366,6 @@ Init_ossl_dh(void)
|
|
||||||
rb_define_alias(cDH, "to_pem", "export");
|
|
||||||
rb_define_alias(cDH, "to_s", "export");
|
|
||||||
rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);
|
|
||||||
- rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
|
|
||||||
rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);
|
|
||||||
|
|
||||||
DEF_OSSL_PKEY_BN(cDH, dh, p);
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
index f017cceb4a..ab9ac781e8 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dsa.c
|
|
||||||
@@ -264,47 +264,6 @@ ossl_dsa_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * dsa.public_key -> aDSA
|
|
||||||
- *
|
|
||||||
- * Returns a new DSA instance that carries just the public key information.
|
|
||||||
- * If the current instance has also private key information, this will no
|
|
||||||
- * longer be present in the new instance. This feature is helpful for
|
|
||||||
- * publishing the public key information without leaking any of the private
|
|
||||||
- * information.
|
|
||||||
- *
|
|
||||||
- * === Example
|
|
||||||
- * dsa = OpenSSL::PKey::DSA.new(2048) # has public and private information
|
|
||||||
- * pub_key = dsa.public_key # has only the public part available
|
|
||||||
- * pub_key_der = pub_key.to_der # it's safe to publish this
|
|
||||||
- *
|
|
||||||
- *
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_dsa_to_public_key(VALUE self)
|
|
||||||
-{
|
|
||||||
- EVP_PKEY *pkey, *pkey_new;
|
|
||||||
- DSA *dsa;
|
|
||||||
- VALUE obj;
|
|
||||||
-
|
|
||||||
- GetPKeyDSA(self, pkey);
|
|
||||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
|
||||||
- GetPKey(obj, pkey_new);
|
|
||||||
-
|
|
||||||
-#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \
|
|
||||||
- (i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
|
|
||||||
- dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
|
|
||||||
-#undef DSAPublicKey_dup
|
|
||||||
- if (!dsa)
|
|
||||||
- ossl_raise(eDSAError, "DSAPublicKey_dup");
|
|
||||||
- if (!EVP_PKEY_assign_DSA(pkey_new, dsa)) {
|
|
||||||
- DSA_free(dsa);
|
|
||||||
- ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
|
|
||||||
- }
|
|
||||||
- return obj;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
* dsa.syssign(string) -> aString
|
|
||||||
@@ -445,7 +404,6 @@ Init_ossl_dsa(void)
|
|
||||||
rb_define_alias(cDSA, "to_pem", "export");
|
|
||||||
rb_define_alias(cDSA, "to_s", "export");
|
|
||||||
rb_define_method(cDSA, "to_der", ossl_dsa_to_der, 0);
|
|
||||||
- rb_define_method(cDSA, "public_key", ossl_dsa_to_public_key, 0);
|
|
||||||
rb_define_method(cDSA, "syssign", ossl_dsa_sign, 1);
|
|
||||||
rb_define_method(cDSA, "sysverify", ossl_dsa_verify, 2);
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
index 7a7e66dbda..1c5476cdcd 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_rsa.c
|
|
||||||
@@ -390,7 +390,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
|
|
||||||
* data = "Sign me!"
|
|
||||||
* pkey = OpenSSL::PKey::RSA.new(2048)
|
|
||||||
* signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
|
|
||||||
- * pub_key = pkey.public_key
|
|
||||||
+ * pub_key = OpenSSL::PKey.read(pkey.public_to_der)
|
|
||||||
* puts pub_key.verify_pss("SHA256", signature, data,
|
|
||||||
* salt_length: :auto, mgf1_hash: "SHA256") # => true
|
|
||||||
*/
|
|
||||||
@@ -587,61 +587,6 @@ ossl_rsa_get_params(VALUE self)
|
|
||||||
return hash;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * rsa.public_key -> RSA
|
|
||||||
- *
|
|
||||||
- * Makes new RSA instance containing the public key from the private key.
|
|
||||||
- */
|
|
||||||
-static VALUE
|
|
||||||
-ossl_rsa_to_public_key(VALUE self)
|
|
||||||
-{
|
|
||||||
- EVP_PKEY *pkey, *pkey_new;
|
|
||||||
- RSA *rsa;
|
|
||||||
- VALUE obj;
|
|
||||||
-
|
|
||||||
- GetPKeyRSA(self, pkey);
|
|
||||||
- obj = rb_obj_alloc(rb_obj_class(self));
|
|
||||||
- GetPKey(obj, pkey_new);
|
|
||||||
-
|
|
||||||
- rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
|
|
||||||
- if (!rsa)
|
|
||||||
- ossl_raise(eRSAError, "RSAPublicKey_dup");
|
|
||||||
- if (!EVP_PKEY_assign_RSA(pkey_new, rsa)) {
|
|
||||||
- RSA_free(rsa);
|
|
||||||
- ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
|
|
||||||
- }
|
|
||||||
- return obj;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * TODO: Test me
|
|
||||||
-
|
|
||||||
-static VALUE
|
|
||||||
-ossl_rsa_blinding_on(VALUE self)
|
|
||||||
-{
|
|
||||||
- RSA *rsa;
|
|
||||||
-
|
|
||||||
- GetRSA(self, rsa);
|
|
||||||
-
|
|
||||||
- if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) {
|
|
||||||
- ossl_raise(eRSAError, NULL);
|
|
||||||
- }
|
|
||||||
- return self;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static VALUE
|
|
||||||
-ossl_rsa_blinding_off(VALUE self)
|
|
||||||
-{
|
|
||||||
- RSA *rsa;
|
|
||||||
-
|
|
||||||
- GetRSA(self, rsa);
|
|
||||||
- RSA_blinding_off(rsa);
|
|
||||||
-
|
|
||||||
- return self;
|
|
||||||
-}
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* Document-method: OpenSSL::PKey::RSA#set_key
|
|
||||||
* call-seq:
|
|
||||||
@@ -712,7 +657,6 @@ Init_ossl_rsa(void)
|
|
||||||
rb_define_alias(cRSA, "to_pem", "export");
|
|
||||||
rb_define_alias(cRSA, "to_s", "export");
|
|
||||||
rb_define_method(cRSA, "to_der", ossl_rsa_to_der, 0);
|
|
||||||
- rb_define_method(cRSA, "public_key", ossl_rsa_to_public_key, 0);
|
|
||||||
rb_define_method(cRSA, "public_encrypt", ossl_rsa_public_encrypt, -1);
|
|
||||||
rb_define_method(cRSA, "public_decrypt", ossl_rsa_public_decrypt, -1);
|
|
||||||
rb_define_method(cRSA, "private_encrypt", ossl_rsa_private_encrypt, -1);
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index d1e68dbc9f..5f8d04e754 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -69,29 +69,28 @@ def test_private
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_new
|
|
||||||
- key = OpenSSL::PKey::RSA.new 512
|
|
||||||
- pem = key.public_key.to_pem
|
|
||||||
- OpenSSL::PKey::RSA.new pem
|
|
||||||
- assert_equal([], OpenSSL.errors)
|
|
||||||
- end
|
|
||||||
+ key = OpenSSL::PKey::RSA.new(512)
|
|
||||||
+ assert_equal 512, key.n.num_bits
|
|
||||||
+ assert_equal 65537, key.e
|
|
||||||
+ assert_not_nil key.d
|
|
||||||
|
|
||||||
- def test_new_exponent_default
|
|
||||||
- assert_equal(65537, OpenSSL::PKey::RSA.new(512).e)
|
|
||||||
+ # Specify public exponent
|
|
||||||
+ key2 = OpenSSL::PKey::RSA.new(512, 3)
|
|
||||||
+ assert_equal 512, key2.n.num_bits
|
|
||||||
+ assert_equal 3, key2.e
|
|
||||||
+ assert_not_nil key2.d
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_new_with_exponent
|
|
||||||
- 1.upto(30) do |idx|
|
|
||||||
- e = (2 ** idx) + 1
|
|
||||||
- key = OpenSSL::PKey::RSA.new(512, e)
|
|
||||||
- assert_equal(e, key.e)
|
|
||||||
- end
|
|
||||||
- end
|
|
||||||
+ def test_s_generate
|
|
||||||
+ key1 = OpenSSL::PKey::RSA.generate(512)
|
|
||||||
+ assert_equal 512, key1.n.num_bits
|
|
||||||
+ assert_equal 65537, key1.e
|
|
||||||
|
|
||||||
- def test_generate
|
|
||||||
- key = OpenSSL::PKey::RSA.generate(512, 17)
|
|
||||||
- assert_equal 512, key.n.num_bits
|
|
||||||
- assert_equal 17, key.e
|
|
||||||
- assert_not_nil key.d
|
|
||||||
+ # Specify public exponent
|
|
||||||
+ key2 = OpenSSL::PKey::RSA.generate(512, 3)
|
|
||||||
+ assert_equal 512, key2.n.num_bits
|
|
||||||
+ assert_equal 3, key2.e
|
|
||||||
+ assert_not_nil key2.d
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_new_break
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
||||||
|
|
||||||
From 2150af0e55b2a25c24f62006e27e0aec3dc81b57 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 10 Jul 2020 14:34:51 +0900
|
|
||||||
Subject: [PATCH 3/3] pkey/dh, pkey/ec: use EVP_PKEY_check() family
|
|
||||||
|
|
||||||
Use EVP_PKEY_param_check() instead of DH_check() if available. Also,
|
|
||||||
use EVP_PKEY_public_check() instead of EC_KEY_check_key().
|
|
||||||
|
|
||||||
EVP_PKEY_*check() is part of the EVP API and is meant to replace those
|
|
||||||
low-level functions. They were added by OpenSSL 1.1.1. It is currently
|
|
||||||
not provided by LibreSSL.
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 3 +++
|
|
||||||
ext/openssl/ossl_pkey_dh.c | 27 +++++++++++++++++++++++----
|
|
||||||
ext/openssl/ossl_pkey_ec.c | 23 +++++++++++++++++++----
|
|
||||||
test/openssl/test_pkey_dh.rb | 16 ++++++++++++++++
|
|
||||||
4 files changed, 61 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index b3c6647faf..17d93443fc 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -179,6 +179,9 @@ def find_openssl_library
|
|
||||||
have_func("EVP_PBE_scrypt")
|
|
||||||
have_func("SSL_CTX_set_post_handshake_auth")
|
|
||||||
|
|
||||||
+# added in 1.1.1
|
|
||||||
+have_func("EVP_PKEY_check")
|
|
||||||
+
|
|
||||||
Logging::message "=== Checking done. ===\n"
|
|
||||||
|
|
||||||
create_header
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
index a512b209d3..ca782bbe59 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_dh.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_dh.c
|
|
||||||
@@ -273,19 +273,38 @@ ossl_dh_get_params(VALUE self)
|
|
||||||
* Validates the Diffie-Hellman parameters associated with this instance.
|
|
||||||
* It checks whether a safe prime and a suitable generator are used. If this
|
|
||||||
* is not the case, +false+ is returned.
|
|
||||||
+ *
|
|
||||||
+ * See also the man page EVP_PKEY_param_check(3).
|
|
||||||
*/
|
|
||||||
static VALUE
|
|
||||||
ossl_dh_check_params(VALUE self)
|
|
||||||
{
|
|
||||||
+ int ret;
|
|
||||||
+#ifdef HAVE_EVP_PKEY_CHECK
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
+ EVP_PKEY_CTX *pctx;
|
|
||||||
+
|
|
||||||
+ GetPKey(self, pkey);
|
|
||||||
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
|
|
||||||
+ if (!pctx)
|
|
||||||
+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");
|
|
||||||
+ ret = EVP_PKEY_param_check(pctx);
|
|
||||||
+ EVP_PKEY_CTX_free(pctx);
|
|
||||||
+#else
|
|
||||||
DH *dh;
|
|
||||||
int codes;
|
|
||||||
|
|
||||||
GetDH(self, dh);
|
|
||||||
- if (!DH_check(dh, &codes)) {
|
|
||||||
- return Qfalse;
|
|
||||||
- }
|
|
||||||
+ ret = DH_check(dh, &codes) == 1 && codes == 0;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
- return codes == 0 ? Qtrue : Qfalse;
|
|
||||||
+ if (ret == 1)
|
|
||||||
+ return Qtrue;
|
|
||||||
+ else {
|
|
||||||
+ /* DH_check_ex() will put error entry on failure */
|
|
||||||
+ ossl_clear_error();
|
|
||||||
+ return Qfalse;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
index ecb8305184..829529d4b9 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey_ec.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey_ec.c
|
|
||||||
@@ -443,20 +443,35 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * call-seq:
|
|
||||||
- * key.check_key => true
|
|
||||||
+ * call-seq:
|
|
||||||
+ * key.check_key => true
|
|
||||||
*
|
|
||||||
- * Raises an exception if the key is invalid.
|
|
||||||
+ * Raises an exception if the key is invalid.
|
|
||||||
*
|
|
||||||
- * See the OpenSSL documentation for EC_KEY_check_key()
|
|
||||||
+ * See also the man page EVP_PKEY_public_check(3).
|
|
||||||
*/
|
|
||||||
static VALUE ossl_ec_key_check_key(VALUE self)
|
|
||||||
{
|
|
||||||
+#ifdef HAVE_EVP_PKEY_CHECK
|
|
||||||
+ EVP_PKEY *pkey;
|
|
||||||
+ EVP_PKEY_CTX *pctx;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ GetPKey(self, pkey);
|
|
||||||
+ pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
|
|
||||||
+ if (!pctx)
|
|
||||||
+ ossl_raise(eDHError, "EVP_PKEY_CTX_new");
|
|
||||||
+ ret = EVP_PKEY_public_check(pctx);
|
|
||||||
+ EVP_PKEY_CTX_free(pctx);
|
|
||||||
+ if (ret != 1)
|
|
||||||
+ ossl_raise(eECError, "EVP_PKEY_public_check");
|
|
||||||
+#else
|
|
||||||
EC_KEY *ec;
|
|
||||||
|
|
||||||
GetEC(self, ec);
|
|
||||||
if (EC_KEY_check_key(ec) != 1)
|
|
||||||
ossl_raise(eECError, "EC_KEY_check_key");
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
return Qtrue;
|
|
||||||
}
|
|
||||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
|
||||||
index 279ce1984c..f80af8f841 100644
|
|
||||||
--- a/test/openssl/test_pkey_dh.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dh.rb
|
|
||||||
@@ -86,6 +86,22 @@ def test_key_exchange
|
|
||||||
assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))
|
|
||||||
end
|
|
||||||
|
|
||||||
+ def test_params_ok?
|
|
||||||
+ dh0 = Fixtures.pkey("dh1024")
|
|
||||||
+
|
|
||||||
+ dh1 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
|
|
||||||
+ OpenSSL::ASN1::Integer(dh0.p),
|
|
||||||
+ OpenSSL::ASN1::Integer(dh0.g)
|
|
||||||
+ ]))
|
|
||||||
+ assert_equal(true, dh1.params_ok?)
|
|
||||||
+
|
|
||||||
+ dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
|
|
||||||
+ OpenSSL::ASN1::Integer(dh0.p + 1),
|
|
||||||
+ OpenSSL::ASN1::Integer(dh0.g)
|
|
||||||
+ ]))
|
|
||||||
+ assert_equal(false, dh2.params_ok?)
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
def test_dup
|
|
||||||
dh = Fixtures.pkey("dh1024")
|
|
||||||
dh2 = dh.dup
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,114 +0,0 @@
|
|||||||
From 8c185e0ae5e42bf5f3d76a1a0898946671116fa3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Wed, 3 Nov 2021 23:31:29 +0900
|
|
||||||
Subject: [PATCH 1/2] pkey: test parsing concatenated PEM string
|
|
||||||
|
|
||||||
PEM-encoded private keys are sometimes stored together with irrelevant
|
|
||||||
PEM blocks, such as the corresponding X.509 certificate.
|
|
||||||
|
|
||||||
PEM_read_bio_*() family automatically skips unknown PEM blocks, but on
|
|
||||||
OpenSSL 3.0 we will be using the new OSSL_DECODER API instead due to
|
|
||||||
some breaking changes around the password callback.
|
|
||||||
|
|
||||||
Let's add a test case so that we won't break the current behavior.
|
|
||||||
---
|
|
||||||
test/openssl/test_pkey_rsa.rb | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index dbe87ba4..7510658d 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -306,6 +306,12 @@ def test_RSAPrivateKey
|
|
||||||
|
|
||||||
assert_equal asn1.to_der, rsa1024.to_der
|
|
||||||
assert_equal pem, rsa1024.export
|
|
||||||
+
|
|
||||||
+ # Unknown PEM prepended
|
|
||||||
+ cert = issue_cert(OpenSSL::X509::Name.new([["CN", "nobody"]]), rsa1024, 1, [], nil, nil)
|
|
||||||
+ str = cert.to_text + cert.to_pem + rsa1024.to_pem
|
|
||||||
+ key = OpenSSL::PKey::RSA.new(str)
|
|
||||||
+ assert_same_rsa rsa1024, key
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_RSAPrivateKey_encrypted
|
|
||||||
|
|
||||||
From a84ea531bbd080c3f58fe8d3dc9ffb1af2251f35 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Sat, 20 Mar 2021 23:16:16 +0900
|
|
||||||
Subject: [PATCH 2/2] pkey: use OSSL_DECODER to load encrypted PEM on OpenSSL
|
|
||||||
3.0
|
|
||||||
|
|
||||||
OpenSSL 3.0 has rewritten routines to load pkeys (PEM_read_bio_* and
|
|
||||||
d2i_* functions) around the newly introduced OSSL_DECODER API.
|
|
||||||
|
|
||||||
This comes with a slight behavior change. They now decrypt and parse
|
|
||||||
each encountered PEM block, then check the kind of the block. This used
|
|
||||||
to be the reverse: they checked the PEM header to see the kind, and then
|
|
||||||
decrypted the content. This means that the password callback may now be
|
|
||||||
called repeatedly.
|
|
||||||
|
|
||||||
Let's use the OSSL_DECODER API directly on OpenSSL 3.0 so that the
|
|
||||||
return value from the password callback will be reused automatically.
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 40 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 40 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index f9f5162e..b08168a5 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -78,6 +78,45 @@ ossl_pkey_new(EVP_PKEY *pkey)
|
|
||||||
return obj;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+# include <openssl/decoder.h>
|
|
||||||
+
|
|
||||||
+EVP_PKEY *
|
|
||||||
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
+{
|
|
||||||
+ void *ppass = (void *)pass;
|
|
||||||
+ OSSL_DECODER_CTX *dctx;
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
+ int pos = 0, pos2;
|
|
||||||
+
|
|
||||||
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
|
|
||||||
+ if (!dctx)
|
|
||||||
+ goto out;
|
|
||||||
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ /* First check DER */
|
|
||||||
+ if (OSSL_DECODER_from_bio(dctx, bio) == 1)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */
|
|
||||||
+ OSSL_BIO_reset(bio);
|
|
||||||
+ if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1)
|
|
||||||
+ goto out;
|
|
||||||
+ while (OSSL_DECODER_from_bio(dctx, bio) != 1) {
|
|
||||||
+ if (BIO_eof(bio))
|
|
||||||
+ goto out;
|
|
||||||
+ pos2 = BIO_tell(bio);
|
|
||||||
+ if (pos2 < 0 || pos2 <= pos)
|
|
||||||
+ goto out;
|
|
||||||
+ pos = pos2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ OSSL_DECODER_CTX_free(dctx);
|
|
||||||
+ return pkey;
|
|
||||||
+}
|
|
||||||
+#else
|
|
||||||
EVP_PKEY *
|
|
||||||
ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
{
|
|
||||||
@@ -106,6 +145,7 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
out:
|
|
||||||
return pkey;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
File diff suppressed because it is too large
Load Diff
@ -1,29 +0,0 @@
|
|||||||
From a9977ba2f9863e3fb1b2346589ebbca67d80536c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
||||||
Date: Sat, 14 Aug 2021 10:08:19 +0900
|
|
||||||
Subject: [PATCH] Constified addr2line.c
|
|
||||||
|
|
||||||
---
|
|
||||||
addr2line.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/addr2line.c b/addr2line.c
|
|
||||||
index 8ee4416650d3..fed1a8da84e5 100644
|
|
||||||
--- a/addr2line.c
|
|
||||||
+++ b/addr2line.c
|
|
||||||
@@ -1138,12 +1138,12 @@ debug_info_reader_read_value(DebugInfoReader *reader, uint64_t form, DebugInfoVa
|
|
||||||
set_uint_value(v, read_uleb128(reader));
|
|
||||||
break;
|
|
||||||
case DW_FORM_ref_addr:
|
|
||||||
- if (reader->address_size == 4) {
|
|
||||||
+ if (reader->format == 4) {
|
|
||||||
set_uint_value(v, read_uint32(&reader->p));
|
|
||||||
- } else if (reader->address_size == 8) {
|
|
||||||
+ } else if (reader->format == 8) {
|
|
||||||
set_uint_value(v, read_uint64(&reader->p));
|
|
||||||
} else {
|
|
||||||
- fprintf(stderr,"unknown address_size:%d", reader->address_size);
|
|
||||||
+ fprintf(stderr,"unknown format:%d", reader->format);
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
break;
|
|
@ -1,29 +0,0 @@
|
|||||||
From b4b5eab2a5fd0e9ac62c01102dd26d0a433c5683 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 18 May 2020 02:17:28 +0900
|
|
||||||
Subject: [PATCH] test/openssl/test_digest: do not test constants for legacy
|
|
||||||
algorithms
|
|
||||||
|
|
||||||
Remove availability test for MD4 and RIPEMD160 as they are considered
|
|
||||||
legacy and may be missing depending on the compile-time options of
|
|
||||||
OpenSSL. OpenSSL 3.0 by default disables them.
|
|
||||||
---
|
|
||||||
test/openssl/test_digest.rb | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
|
|
||||||
index 8d7046e831..84c128c12f 100644
|
|
||||||
--- a/test/openssl/test_digest.rb
|
|
||||||
+++ b/test/openssl/test_digest.rb
|
|
||||||
@@ -54,7 +54,7 @@ def test_reset
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_digest_constants
|
|
||||||
- %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
|
|
||||||
+ %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
|
|
||||||
assert_not_nil(OpenSSL::Digest.new(name))
|
|
||||||
klass = OpenSSL::Digest.const_get(name.tr('-', '_'))
|
|
||||||
assert_not_nil(klass.new)
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,439 +0,0 @@
|
|||||||
From 9596788bdd2d061bef042485af14262e9fc4020c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Thu, 13 Aug 2020 23:20:55 +0900
|
|
||||||
Subject: [PATCH] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0
|
|
||||||
|
|
||||||
OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for
|
|
||||||
encryption of the certificates. However, in OpenSSL 3.0, the algorithm
|
|
||||||
is part of the legacy provider and is not enabled by default.
|
|
||||||
|
|
||||||
Specify another algorithm that is still in the default provider for
|
|
||||||
these test cases.
|
|
||||||
---
|
|
||||||
test/openssl/test_pkcs12.rb | 297 ++++++++++++++++++------------------
|
|
||||||
1 file changed, 149 insertions(+), 148 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
|
|
||||||
index fdbe753b17..ec676743bc 100644
|
|
||||||
--- a/test/openssl/test_pkcs12.rb
|
|
||||||
+++ b/test/openssl/test_pkcs12.rb
|
|
||||||
@@ -5,6 +5,9 @@
|
|
||||||
|
|
||||||
module OpenSSL
|
|
||||||
class TestPKCS12 < OpenSSL::TestCase
|
|
||||||
+ DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
|
|
||||||
+ DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
|
|
||||||
+
|
|
||||||
def setup
|
|
||||||
super
|
|
||||||
ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
|
|
||||||
@@ -14,47 +17,41 @@ def setup
|
|
||||||
["subjectKeyIdentifier","hash",false],
|
|
||||||
["authorityKeyIdentifier","keyid:always",false],
|
|
||||||
]
|
|
||||||
- @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)
|
|
||||||
+ ca_key = Fixtures.pkey("rsa-1")
|
|
||||||
+ @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil)
|
|
||||||
|
|
||||||
inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
|
|
||||||
- inter_ca_key = OpenSSL::PKey.read <<-_EOS_
|
|
||||||
------BEGIN RSA PRIVATE KEY-----
|
|
||||||
-MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K
|
|
||||||
-oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT
|
|
||||||
-ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB
|
|
||||||
-AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV
|
|
||||||
-5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9
|
|
||||||
-iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC
|
|
||||||
-G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5
|
|
||||||
-Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA
|
|
||||||
-HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf
|
|
||||||
-ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG
|
|
||||||
-jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK
|
|
||||||
-FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
|
|
||||||
-Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
|
|
||||||
------END RSA PRIVATE KEY-----
|
|
||||||
- _EOS_
|
|
||||||
- @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))
|
|
||||||
+ inter_ca_key = Fixtures.pkey("rsa-2")
|
|
||||||
+ @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key)
|
|
||||||
|
|
||||||
exts = [
|
|
||||||
["keyUsage","digitalSignature",true],
|
|
||||||
["subjectKeyIdentifier","hash",false],
|
|
||||||
]
|
|
||||||
ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
|
|
||||||
- @mykey = Fixtures.pkey("rsa1024")
|
|
||||||
+ @mykey = Fixtures.pkey("rsa-3")
|
|
||||||
@mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key)
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_create
|
|
||||||
+ def test_create_single_key_single_cert
|
|
||||||
pkcs12 = OpenSSL::PKCS12.create(
|
|
||||||
"omg",
|
|
||||||
"hello",
|
|
||||||
@mykey,
|
|
||||||
- @mycert
|
|
||||||
+ @mycert,
|
|
||||||
+ nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
)
|
|
||||||
- assert_equal @mycert.to_der, pkcs12.certificate.to_der
|
|
||||||
+ assert_equal @mycert, pkcs12.certificate
|
|
||||||
assert_equal @mykey.to_der, pkcs12.key.to_der
|
|
||||||
assert_nil pkcs12.ca_certs
|
|
||||||
+
|
|
||||||
+ der = pkcs12.to_der
|
|
||||||
+ decoded = OpenSSL::PKCS12.new(der, "omg")
|
|
||||||
+ assert_equal @mykey.to_der, decoded.key.to_der
|
|
||||||
+ assert_equal @mycert, decoded.certificate
|
|
||||||
+ assert_equal [], Array(decoded.ca_certs)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_create_no_pass
|
|
||||||
@@ -62,14 +59,17 @@ def test_create_no_pass
|
|
||||||
nil,
|
|
||||||
"hello",
|
|
||||||
@mykey,
|
|
||||||
- @mycert
|
|
||||||
+ @mycert,
|
|
||||||
+ nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
)
|
|
||||||
- assert_equal @mycert.to_der, pkcs12.certificate.to_der
|
|
||||||
+ assert_equal @mycert, pkcs12.certificate
|
|
||||||
assert_equal @mykey.to_der, pkcs12.key.to_der
|
|
||||||
assert_nil pkcs12.ca_certs
|
|
||||||
|
|
||||||
decoded = OpenSSL::PKCS12.new(pkcs12.to_der)
|
|
||||||
- assert_cert @mycert, decoded.certificate
|
|
||||||
+ assert_equal @mycert, decoded.certificate
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_create_with_chain
|
|
||||||
@@ -80,7 +80,9 @@ def test_create_with_chain
|
|
||||||
"hello",
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
- chain
|
|
||||||
+ chain,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
)
|
|
||||||
assert_equal chain, pkcs12.ca_certs
|
|
||||||
end
|
|
||||||
@@ -95,14 +97,16 @@ def test_create_with_chain_decode
|
|
||||||
"hello",
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
- chain
|
|
||||||
+ chain,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
)
|
|
||||||
|
|
||||||
decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)
|
|
||||||
assert_equal chain.size, decoded.ca_certs.size
|
|
||||||
- assert_include_cert @cacert, decoded.ca_certs
|
|
||||||
- assert_include_cert @inter_cacert, decoded.ca_certs
|
|
||||||
- assert_cert @mycert, decoded.certificate
|
|
||||||
+ assert_include decoded.ca_certs, @cacert
|
|
||||||
+ assert_include decoded.ca_certs, @inter_cacert
|
|
||||||
+ assert_equal @mycert, decoded.certificate
|
|
||||||
assert_equal @mykey.to_der, decoded.key.to_der
|
|
||||||
end
|
|
||||||
|
|
||||||
@@ -126,8 +130,8 @@ def test_create_with_itr
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
[],
|
|
||||||
- nil,
|
|
||||||
- nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
2048
|
|
||||||
)
|
|
||||||
|
|
||||||
@@ -138,8 +142,8 @@ def test_create_with_itr
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
[],
|
|
||||||
- nil,
|
|
||||||
- nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
"omg"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
@@ -152,7 +156,8 @@ def test_create_with_mac_itr
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
[],
|
|
||||||
- nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
2048
|
|
||||||
@@ -165,148 +170,144 @@ def test_create_with_mac_itr
|
|
||||||
@mykey,
|
|
||||||
@mycert,
|
|
||||||
[],
|
|
||||||
- nil,
|
|
||||||
- nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
nil,
|
|
||||||
"omg"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_new_with_one_key_and_one_cert
|
|
||||||
- # generated with:
|
|
||||||
- # openssl version #=> OpenSSL 1.0.2h 3 May 2016
|
|
||||||
- # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>
|
|
||||||
- str = <<~EOF.unpack("m").first
|
|
||||||
-MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH
|
|
||||||
-BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM
|
|
||||||
-Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN
|
|
||||||
-YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj
|
|
||||||
-A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS
|
|
||||||
-XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga
|
|
||||||
-LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7
|
|
||||||
-7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL
|
|
||||||
-ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp
|
|
||||||
-xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes
|
|
||||||
-dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj
|
|
||||||
-jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9
|
|
||||||
-wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY
|
|
||||||
-IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL
|
|
||||||
-1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/
|
|
||||||
-Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1
|
|
||||||
-E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi
|
|
||||||
-MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8
|
|
||||||
-qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD
|
|
||||||
-Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o
|
|
||||||
-0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq
|
|
||||||
-xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn
|
|
||||||
-F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG
|
|
||||||
-s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf
|
|
||||||
-SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA
|
|
||||||
-x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl
|
|
||||||
-BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE
|
|
||||||
-vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo
|
|
||||||
-OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu
|
|
||||||
-SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D
|
|
||||||
-llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd
|
|
||||||
-f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb
|
|
||||||
-8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF
|
|
||||||
-vyl2WuMdEwQIMWFFphPkIUICAggA
|
|
||||||
- EOF
|
|
||||||
- p12 = OpenSSL::PKCS12.new(str, "abc123")
|
|
||||||
-
|
|
||||||
- assert_equal @mykey.to_der, p12.key.to_der
|
|
||||||
- assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der
|
|
||||||
- assert_equal [], Array(p12.ca_certs)
|
|
||||||
- end
|
|
||||||
-
|
|
||||||
def test_new_with_no_keys
|
|
||||||
# generated with:
|
|
||||||
- # openssl pkcs12 -in <@mycert> -nokeys -export -out <out>
|
|
||||||
+ # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
|
|
||||||
str = <<~EOF.unpack("m").first
|
|
||||||
-MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH
|
|
||||||
-BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W
|
|
||||||
-irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU
|
|
||||||
-0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67
|
|
||||||
-I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN
|
|
||||||
-Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr
|
|
||||||
-mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd
|
|
||||||
-NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe
|
|
||||||
-lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0
|
|
||||||
-LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI
|
|
||||||
-aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I
|
|
||||||
-OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB
|
|
||||||
-DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM
|
|
||||||
-Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx
|
|
||||||
-ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4
|
|
||||||
-mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP
|
|
||||||
-1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=
|
|
||||||
+MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
|
|
||||||
+DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
|
|
||||||
+DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
|
|
||||||
+rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV
|
|
||||||
+kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C
|
|
||||||
+hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23
|
|
||||||
+18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN
|
|
||||||
+JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0
|
|
||||||
+Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA
|
|
||||||
+PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y
|
|
||||||
+DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS
|
|
||||||
+ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy
|
|
||||||
+cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70
|
|
||||||
+63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC
|
|
||||||
++YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p
|
|
||||||
+OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG
|
|
||||||
+e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs
|
|
||||||
+rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr
|
|
||||||
+riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW
|
|
||||||
+W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy
|
|
||||||
++xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo
|
|
||||||
+eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN
|
|
||||||
+aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor
|
|
||||||
+757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3
|
|
||||||
+AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr
|
|
||||||
+pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ
|
|
||||||
+JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA
|
|
||||||
+EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5
|
|
||||||
+enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ
|
|
||||||
+J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT
|
|
||||||
+yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3
|
|
||||||
+omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO
|
|
||||||
+j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ
|
|
||||||
+7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
|
|
||||||
+CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
|
|
||||||
+AA==
|
|
||||||
EOF
|
|
||||||
p12 = OpenSSL::PKCS12.new(str, "abc123")
|
|
||||||
|
|
||||||
assert_equal nil, p12.key
|
|
||||||
assert_equal nil, p12.certificate
|
|
||||||
assert_equal 1, p12.ca_certs.size
|
|
||||||
- assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der
|
|
||||||
+ assert_equal @mycert.subject, p12.ca_certs[0].subject
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_new_with_no_certs
|
|
||||||
# generated with:
|
|
||||||
- # openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>
|
|
||||||
+ # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
|
|
||||||
str = <<~EOF.unpack("m").first
|
|
||||||
-MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH
|
|
||||||
-AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN
|
|
||||||
-AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ
|
|
||||||
-V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q
|
|
||||||
-cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh
|
|
||||||
-O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ
|
|
||||||
-7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne
|
|
||||||
-ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg
|
|
||||||
-DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE
|
|
||||||
-7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX
|
|
||||||
-nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN
|
|
||||||
-N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj
|
|
||||||
-Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY
|
|
||||||
-i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft
|
|
||||||
-JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg
|
|
||||||
-GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF
|
|
||||||
-Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
|
|
||||||
+MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
|
|
||||||
+DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
|
|
||||||
+KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
|
|
||||||
+72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ
|
|
||||||
+1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU
|
|
||||||
++D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS
|
|
||||||
+WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9
|
|
||||||
+lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K
|
|
||||||
+zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX
|
|
||||||
+rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM
|
|
||||||
+CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7
|
|
||||||
+n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1
|
|
||||||
+WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN
|
|
||||||
+ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63
|
|
||||||
+cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N
|
|
||||||
+Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF
|
|
||||||
+nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy
|
|
||||||
+w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM
|
|
||||||
+GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh
|
|
||||||
+KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3
|
|
||||||
+FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+
|
|
||||||
+Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g
|
|
||||||
+JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR
|
|
||||||
+R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH
|
|
||||||
+7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN
|
|
||||||
+KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1
|
|
||||||
+n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ
|
|
||||||
+Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1
|
|
||||||
+S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t
|
|
||||||
+n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W
|
|
||||||
+yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL
|
|
||||||
+f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF
|
|
||||||
+ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p
|
|
||||||
+FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0
|
|
||||||
+r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q
|
|
||||||
+0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P
|
|
||||||
+8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS
|
|
||||||
+H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+
|
|
||||||
+53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A
|
|
||||||
+CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23
|
|
||||||
+fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v
|
|
||||||
+AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS
|
|
||||||
+SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e
|
|
||||||
+wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX
|
|
||||||
+2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk
|
|
||||||
+AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z
|
|
||||||
+OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx
|
|
||||||
+9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV
|
|
||||||
+H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq
|
|
||||||
+NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz
|
|
||||||
+8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C
|
|
||||||
+KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr
|
|
||||||
+fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf
|
|
||||||
+NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW
|
|
||||||
+VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
|
|
||||||
+M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
|
|
||||||
+BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
|
|
||||||
EOF
|
|
||||||
p12 = OpenSSL::PKCS12.new(str, "abc123")
|
|
||||||
|
|
||||||
- assert_equal @mykey.to_der, p12.key.to_der
|
|
||||||
+ assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der
|
|
||||||
assert_equal nil, p12.certificate
|
|
||||||
assert_equal [], Array(p12.ca_certs)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dup
|
|
||||||
- p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)
|
|
||||||
+ p12 = OpenSSL::PKCS12.create(
|
|
||||||
+ "pass",
|
|
||||||
+ "name",
|
|
||||||
+ @mykey,
|
|
||||||
+ @mycert,
|
|
||||||
+ nil,
|
|
||||||
+ DEFAULT_PBE_PKEYS,
|
|
||||||
+ DEFAULT_PBE_CERTS,
|
|
||||||
+ )
|
|
||||||
assert_equal p12.to_der, p12.dup.to_der
|
|
||||||
end
|
|
||||||
-
|
|
||||||
- private
|
|
||||||
- def assert_cert expected, actual
|
|
||||||
- [
|
|
||||||
- :subject,
|
|
||||||
- :issuer,
|
|
||||||
- :serial,
|
|
||||||
- :not_before,
|
|
||||||
- :not_after,
|
|
||||||
- ].each do |attribute|
|
|
||||||
- assert_equal expected.send(attribute), actual.send(attribute)
|
|
||||||
- end
|
|
||||||
- assert_equal expected.to_der, actual.to_der
|
|
||||||
- end
|
|
||||||
-
|
|
||||||
- def assert_include_cert cert, ary
|
|
||||||
- der = cert.to_der
|
|
||||||
- ary.each do |candidate|
|
|
||||||
- if candidate.to_der == der
|
|
||||||
- return true
|
|
||||||
- end
|
|
||||||
- end
|
|
||||||
- false
|
|
||||||
- end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,67 +0,0 @@
|
|||||||
From 10d2216b2f35a31777a099d9f765b0b6ea34a63e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 18 May 2020 02:35:35 +0900
|
|
||||||
Subject: [PATCH] test/openssl/test_pkey: use EC keys for
|
|
||||||
PKey.generate_parameters tests
|
|
||||||
|
|
||||||
OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,
|
|
||||||
but generating 2048 bits parameters takes very long time. Let's use EC
|
|
||||||
in these test cases instead.
|
|
||||||
---
|
|
||||||
test/openssl/test_pkey.rb | 27 +++++++++++----------------
|
|
||||||
1 file changed, 11 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
|
|
||||||
index 3630458b3c..88a6e04581 100644
|
|
||||||
--- a/test/openssl/test_pkey.rb
|
|
||||||
+++ b/test/openssl/test_pkey.rb
|
|
||||||
@@ -27,20 +27,16 @@ def test_generic_oid_inspect
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_s_generate_parameters
|
|
||||||
- # 512 is non-default; 1024 is used if 'dsa_paramgen_bits' is not specified
|
|
||||||
- # with OpenSSL 1.1.0.
|
|
||||||
- pkey = OpenSSL::PKey.generate_parameters("DSA", {
|
|
||||||
- "dsa_paramgen_bits" => 512,
|
|
||||||
- "dsa_paramgen_q_bits" => 256,
|
|
||||||
+ pkey = OpenSSL::PKey.generate_parameters("EC", {
|
|
||||||
+ "ec_paramgen_curve" => "secp384r1",
|
|
||||||
})
|
|
||||||
- assert_instance_of OpenSSL::PKey::DSA, pkey
|
|
||||||
- assert_equal 512, pkey.p.num_bits
|
|
||||||
- assert_equal 256, pkey.q.num_bits
|
|
||||||
- assert_equal nil, pkey.priv_key
|
|
||||||
+ assert_instance_of OpenSSL::PKey::EC, pkey
|
|
||||||
+ assert_equal "secp384r1", pkey.group.curve_name
|
|
||||||
+ assert_equal nil, pkey.private_key
|
|
||||||
|
|
||||||
# Invalid options are checked
|
|
||||||
assert_raise(OpenSSL::PKey::PKeyError) {
|
|
||||||
- OpenSSL::PKey.generate_parameters("DSA", "invalid" => "option")
|
|
||||||
+ OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")
|
|
||||||
}
|
|
||||||
|
|
||||||
# Parameter generation callback is called
|
|
||||||
@@ -59,14 +55,13 @@ def test_s_generate_key
|
|
||||||
# DSA key pair cannot be generated without parameters
|
|
||||||
OpenSSL::PKey.generate_key("DSA")
|
|
||||||
}
|
|
||||||
- pkey_params = OpenSSL::PKey.generate_parameters("DSA", {
|
|
||||||
- "dsa_paramgen_bits" => 512,
|
|
||||||
- "dsa_paramgen_q_bits" => 256,
|
|
||||||
+ pkey_params = OpenSSL::PKey.generate_parameters("EC", {
|
|
||||||
+ "ec_paramgen_curve" => "secp384r1",
|
|
||||||
})
|
|
||||||
pkey = OpenSSL::PKey.generate_key(pkey_params)
|
|
||||||
- assert_instance_of OpenSSL::PKey::DSA, pkey
|
|
||||||
- assert_equal 512, pkey.p.num_bits
|
|
||||||
- assert_not_equal nil, pkey.priv_key
|
|
||||||
+ assert_instance_of OpenSSL::PKey::EC, pkey
|
|
||||||
+ assert_equal "secp384r1", pkey.group.curve_name
|
|
||||||
+ assert_not_equal nil, pkey.private_key
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_hmac_sign_verify
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From 05fd14aea7eff2a6911a6f529f1237276482c6e7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Fri, 10 Jul 2020 13:56:38 +0900
|
|
||||||
Subject: [PATCH] test/openssl/test_ssl: relax regex to match OpenSSL's error
|
|
||||||
message
|
|
||||||
|
|
||||||
OpenSSL 3.0 slightly changed the error message for a certificate
|
|
||||||
verification failure when an untrusted self-signed certificate is found
|
|
||||||
in the chain.
|
|
||||||
---
|
|
||||||
test/openssl/test_ssl.rb | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
|
|
||||||
index 6095d545b5..9e9b8b9b69 100644
|
|
||||||
--- a/test/openssl/test_ssl.rb
|
|
||||||
+++ b/test/openssl/test_ssl.rb
|
|
||||||
@@ -964,7 +964,9 @@ def test_connect_certificate_verify_failed_exception_message
|
|
||||||
start_server(ignore_listener_error: true) { |port|
|
|
||||||
ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
ctx.set_params
|
|
||||||
- assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
|
|
||||||
+ # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
|
|
||||||
+ # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
|
|
||||||
+ assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
|
|
||||||
server_connect(port, ctx)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,265 +0,0 @@
|
|||||||
From 2c6797bc97d7c92284dc3c0ed27f97ace4e5cfb9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Mon, 31 May 2021 11:44:05 +0900
|
|
||||||
Subject: [PATCH] test/openssl/utils: remove dup_public helper method
|
|
||||||
|
|
||||||
It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not
|
|
||||||
work with OpenSSL 3.0. The same can easily be achieved using
|
|
||||||
PKey#public_to_der regardless of the key kind.
|
|
||||||
---
|
|
||||||
test/openssl/test_pkey_dh.rb | 8 +++++---
|
|
||||||
test/openssl/test_pkey_dsa.rb | 15 +++++++++++----
|
|
||||||
test/openssl/test_pkey_ec.rb | 15 +++++++++++----
|
|
||||||
test/openssl/test_pkey_rsa.rb | 31 +++++++++++++++++--------------
|
|
||||||
test/openssl/utils.rb | 26 --------------------------
|
|
||||||
5 files changed, 44 insertions(+), 51 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
|
|
||||||
index f80af8f841..757704caf6 100644
|
|
||||||
--- a/test/openssl/test_pkey_dh.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dh.rb
|
|
||||||
@@ -40,12 +40,14 @@ def test_derive_key
|
|
||||||
|
|
||||||
def test_DHparams
|
|
||||||
dh1024 = Fixtures.pkey("dh1024")
|
|
||||||
+ dh1024params = dh1024.public_key
|
|
||||||
+
|
|
||||||
asn1 = OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::Integer(dh1024.p),
|
|
||||||
OpenSSL::ASN1::Integer(dh1024.g)
|
|
||||||
])
|
|
||||||
key = OpenSSL::PKey::DH.new(asn1.to_der)
|
|
||||||
- assert_same_dh dup_public(dh1024), key
|
|
||||||
+ assert_same_dh dh1024params, key
|
|
||||||
|
|
||||||
pem = <<~EOF
|
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
@@ -55,9 +57,9 @@ def test_DHparams
|
|
||||||
-----END DH PARAMETERS-----
|
|
||||||
EOF
|
|
||||||
key = OpenSSL::PKey::DH.new(pem)
|
|
||||||
- assert_same_dh dup_public(dh1024), key
|
|
||||||
+ assert_same_dh dh1024params, key
|
|
||||||
key = OpenSSL::PKey.read(pem)
|
|
||||||
- assert_same_dh dup_public(dh1024), key
|
|
||||||
+ assert_same_dh dh1024params, key
|
|
||||||
|
|
||||||
assert_equal asn1.to_der, dh1024.to_der
|
|
||||||
assert_equal pem, dh1024.export
|
|
||||||
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
|
|
||||||
index 147e50176b..0994607f21 100644
|
|
||||||
--- a/test/openssl/test_pkey_dsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dsa.rb
|
|
||||||
@@ -138,6 +138,8 @@ def test_DSAPrivateKey_encrypted
|
|
||||||
|
|
||||||
def test_PUBKEY
|
|
||||||
dsa512 = Fixtures.pkey("dsa512")
|
|
||||||
+ dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der)
|
|
||||||
+
|
|
||||||
asn1 = OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::ObjectId("DSA"),
|
|
||||||
@@ -153,7 +155,7 @@ def test_PUBKEY
|
|
||||||
])
|
|
||||||
key = OpenSSL::PKey::DSA.new(asn1.to_der)
|
|
||||||
assert_not_predicate key, :private?
|
|
||||||
- assert_same_dsa dup_public(dsa512), key
|
|
||||||
+ assert_same_dsa dsa512pub, key
|
|
||||||
|
|
||||||
pem = <<~EOF
|
|
||||||
-----BEGIN PUBLIC KEY-----
|
|
||||||
@@ -166,10 +168,15 @@ def test_PUBKEY
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
EOF
|
|
||||||
key = OpenSSL::PKey::DSA.new(pem)
|
|
||||||
- assert_same_dsa dup_public(dsa512), key
|
|
||||||
+ assert_same_dsa dsa512pub, key
|
|
||||||
+
|
|
||||||
+ assert_equal asn1.to_der, key.to_der
|
|
||||||
+ assert_equal pem, key.export
|
|
||||||
|
|
||||||
- assert_equal asn1.to_der, dup_public(dsa512).to_der
|
|
||||||
- assert_equal pem, dup_public(dsa512).export
|
|
||||||
+ assert_equal asn1.to_der, dsa512.public_to_der
|
|
||||||
+ assert_equal asn1.to_der, key.public_to_der
|
|
||||||
+ assert_equal pem, dsa512.public_to_pem
|
|
||||||
+ assert_equal pem, key.public_to_pem
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_read_DSAPublicKey_pem
|
|
||||||
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
|
|
||||||
index 4b6df0290f..d62f1b5eb8 100644
|
|
||||||
--- a/test/openssl/test_pkey_ec.rb
|
|
||||||
+++ b/test/openssl/test_pkey_ec.rb
|
|
||||||
@@ -210,6 +210,8 @@ def test_ECPrivateKey_encrypted
|
|
||||||
|
|
||||||
def test_PUBKEY
|
|
||||||
p256 = Fixtures.pkey("p256")
|
|
||||||
+ p256pub = OpenSSL::PKey::EC.new(p256.public_to_der)
|
|
||||||
+
|
|
||||||
asn1 = OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
|
|
||||||
@@ -221,7 +223,7 @@ def test_PUBKEY
|
|
||||||
])
|
|
||||||
key = OpenSSL::PKey::EC.new(asn1.to_der)
|
|
||||||
assert_not_predicate key, :private?
|
|
||||||
- assert_same_ec dup_public(p256), key
|
|
||||||
+ assert_same_ec p256pub, key
|
|
||||||
|
|
||||||
pem = <<~EOF
|
|
||||||
-----BEGIN PUBLIC KEY-----
|
|
||||||
@@ -230,10 +232,15 @@ def test_PUBKEY
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
EOF
|
|
||||||
key = OpenSSL::PKey::EC.new(pem)
|
|
||||||
- assert_same_ec dup_public(p256), key
|
|
||||||
+ assert_same_ec p256pub, key
|
|
||||||
+
|
|
||||||
+ assert_equal asn1.to_der, key.to_der
|
|
||||||
+ assert_equal pem, key.export
|
|
||||||
|
|
||||||
- assert_equal asn1.to_der, dup_public(p256).to_der
|
|
||||||
- assert_equal pem, dup_public(p256).export
|
|
||||||
+ assert_equal asn1.to_der, p256.public_to_der
|
|
||||||
+ assert_equal asn1.to_der, key.public_to_der
|
|
||||||
+ assert_equal pem, p256.public_to_pem
|
|
||||||
+ assert_equal pem, key.public_to_pem
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_ec_group
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index 5e127f5407..4548bdb2cf 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -201,7 +201,7 @@ def test_sign_verify_pss
|
|
||||||
|
|
||||||
def test_encrypt_decrypt
|
|
||||||
rsapriv = Fixtures.pkey("rsa-1")
|
|
||||||
- rsapub = dup_public(rsapriv)
|
|
||||||
+ rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
|
|
||||||
|
|
||||||
# Defaults to PKCS #1 v1.5
|
|
||||||
raw = "data"
|
|
||||||
@@ -216,7 +216,7 @@ def test_encrypt_decrypt
|
|
||||||
|
|
||||||
def test_encrypt_decrypt_legacy
|
|
||||||
rsapriv = Fixtures.pkey("rsa-1")
|
|
||||||
- rsapub = dup_public(rsapriv)
|
|
||||||
+ rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
|
|
||||||
|
|
||||||
# Defaults to PKCS #1 v1.5
|
|
||||||
raw = "data"
|
|
||||||
@@ -346,13 +346,15 @@ def test_RSAPrivateKey_encrypted
|
|
||||||
|
|
||||||
def test_RSAPublicKey
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
+ rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
|
|
||||||
+
|
|
||||||
asn1 = OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::Integer(rsa1024.n),
|
|
||||||
OpenSSL::ASN1::Integer(rsa1024.e)
|
|
||||||
])
|
|
||||||
key = OpenSSL::PKey::RSA.new(asn1.to_der)
|
|
||||||
assert_not_predicate key, :private?
|
|
||||||
- assert_same_rsa dup_public(rsa1024), key
|
|
||||||
+ assert_same_rsa rsa1024pub, key
|
|
||||||
|
|
||||||
pem = <<~EOF
|
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
@@ -362,11 +364,13 @@ def test_RSAPublicKey
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
||||||
EOF
|
|
||||||
key = OpenSSL::PKey::RSA.new(pem)
|
|
||||||
- assert_same_rsa dup_public(rsa1024), key
|
|
||||||
+ assert_same_rsa rsa1024pub, key
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_PUBKEY
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
+ rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
|
|
||||||
+
|
|
||||||
asn1 = OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::Sequence([
|
|
||||||
OpenSSL::ASN1::ObjectId("rsaEncryption"),
|
|
||||||
@@ -381,7 +385,7 @@ def test_PUBKEY
|
|
||||||
])
|
|
||||||
key = OpenSSL::PKey::RSA.new(asn1.to_der)
|
|
||||||
assert_not_predicate key, :private?
|
|
||||||
- assert_same_rsa dup_public(rsa1024), key
|
|
||||||
+ assert_same_rsa rsa1024pub, key
|
|
||||||
|
|
||||||
pem = <<~EOF
|
|
||||||
-----BEGIN PUBLIC KEY-----
|
|
||||||
@@ -392,10 +396,15 @@ def test_PUBKEY
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
EOF
|
|
||||||
key = OpenSSL::PKey::RSA.new(pem)
|
|
||||||
- assert_same_rsa dup_public(rsa1024), key
|
|
||||||
+ assert_same_rsa rsa1024pub, key
|
|
||||||
+
|
|
||||||
+ assert_equal asn1.to_der, key.to_der
|
|
||||||
+ assert_equal pem, key.export
|
|
||||||
|
|
||||||
- assert_equal asn1.to_der, dup_public(rsa1024).to_der
|
|
||||||
- assert_equal pem, dup_public(rsa1024).export
|
|
||||||
+ assert_equal asn1.to_der, rsa1024.public_to_der
|
|
||||||
+ assert_equal asn1.to_der, key.public_to_der
|
|
||||||
+ assert_equal pem, rsa1024.public_to_pem
|
|
||||||
+ assert_equal pem, key.public_to_pem
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_pem_passwd
|
|
||||||
@@ -482,12 +491,6 @@ def test_private_encoding_encrypted
|
|
||||||
assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef")
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_public_encoding
|
|
||||||
- rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
- assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der
|
|
||||||
- assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem
|
|
||||||
- end
|
|
||||||
-
|
|
||||||
def test_dup
|
|
||||||
key = Fixtures.pkey("rsa1024")
|
|
||||||
key2 = key.dup
|
|
||||||
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
|
|
||||||
index c1d737b2ab..f664bd3074 100644
|
|
||||||
--- a/test/openssl/utils.rb
|
|
||||||
+++ b/test/openssl/utils.rb
|
|
||||||
@@ -313,32 +313,6 @@ def check_component(base, test, keys)
|
|
||||||
assert_equal base.send(comp), test.send(comp)
|
|
||||||
}
|
|
||||||
end
|
|
||||||
-
|
|
||||||
- def dup_public(key)
|
|
||||||
- case key
|
|
||||||
- when OpenSSL::PKey::RSA
|
|
||||||
- rsa = OpenSSL::PKey::RSA.new
|
|
||||||
- rsa.set_key(key.n, key.e, nil)
|
|
||||||
- rsa
|
|
||||||
- when OpenSSL::PKey::DSA
|
|
||||||
- dsa = OpenSSL::PKey::DSA.new
|
|
||||||
- dsa.set_pqg(key.p, key.q, key.g)
|
|
||||||
- dsa.set_key(key.pub_key, nil)
|
|
||||||
- dsa
|
|
||||||
- when OpenSSL::PKey::DH
|
|
||||||
- dh = OpenSSL::PKey::DH.new
|
|
||||||
- dh.set_pqg(key.p, nil, key.g)
|
|
||||||
- dh
|
|
||||||
- else
|
|
||||||
- if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
|
|
||||||
- ec = OpenSSL::PKey::EC.new(key.group)
|
|
||||||
- ec.public_key = key.public_key
|
|
||||||
- ec
|
|
||||||
- else
|
|
||||||
- raise "unknown key type"
|
|
||||||
- end
|
|
||||||
- end
|
|
||||||
- end
|
|
||||||
end
|
|
||||||
|
|
||||||
module OpenSSL::Certs
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
--- ext/openssl/ossl_ocsp.c.orig 2022-04-07 16:40:13.263752886 +0200
|
|
||||||
+++ ext/openssl/ossl_ocsp.c 2022-04-07 16:45:56.818971187 +0200
|
|
||||||
@@ -382,7 +382,7 @@
|
|
||||||
if (!NIL_P(flags))
|
|
||||||
flg = NUM2INT(flags);
|
|
||||||
if (NIL_P(digest))
|
|
||||||
- md = EVP_sha1();
|
|
||||||
+ md = NULL;
|
|
||||||
else
|
|
||||||
md = ossl_evp_get_digestbyname(digest);
|
|
||||||
if (NIL_P(certs))
|
|
||||||
@@ -1033,7 +1033,7 @@
|
|
||||||
if (!NIL_P(flags))
|
|
||||||
flg = NUM2INT(flags);
|
|
||||||
if (NIL_P(digest))
|
|
||||||
- md = EVP_sha1();
|
|
||||||
+ md = NULL;
|
|
||||||
else
|
|
||||||
md = ossl_evp_get_digestbyname(digest);
|
|
||||||
if (NIL_P(certs))
|
|
||||||
--- test/openssl/test_ocsp.rb.orig 2022-04-08 08:20:31.400739869 +0200
|
|
||||||
+++ test/openssl/test_ocsp.rb 2022-04-08 08:20:37.208727488 +0200
|
|
||||||
@@ -99,7 +99,7 @@
|
|
||||||
request.sign(@cert, @cert_key, [@ca_cert], 0)
|
|
||||||
asn1 = OpenSSL::ASN1.decode(request.to_der)
|
|
||||||
assert_equal cid.to_der, asn1.value[0].value.find { |a| a.tag_class == :UNIVERSAL }.value[0].value[0].to_der
|
|
||||||
- assert_equal OpenSSL::ASN1.ObjectId("sha1WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
|
|
||||||
+ assert_equal OpenSSL::ASN1.ObjectId("sha256WithRSAEncryption").to_der, asn1.value[1].value[0].value[0].value[0].to_der
|
|
||||||
assert_equal @cert.to_der, asn1.value[1].value[0].value[2].value[0].value[0].to_der
|
|
||||||
assert_equal @ca_cert.to_der, asn1.value[1].value[0].value[2].value[0].value[1].to_der
|
|
||||||
assert_equal asn1.to_der, OpenSSL::OCSP::Request.new(asn1.to_der).to_der
|
|
@ -1,647 +0,0 @@
|
|||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index fedcb93..53ad621 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -181,6 +181,7 @@ have_func("SSL_CTX_set_post_handshake_auth")
|
|
||||||
|
|
||||||
# added in 1.1.1
|
|
||||||
have_func("EVP_PKEY_check")
|
|
||||||
+have_func("SSL_CTX_set_ciphersuites")
|
|
||||||
|
|
||||||
# added in 3.0.0
|
|
||||||
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
||||||
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
|
||||||
index 4b51268..2ab8aea 100644
|
|
||||||
--- a/ext/openssl/ossl.h
|
|
||||||
+++ b/ext/openssl/ossl.h
|
|
||||||
@@ -43,13 +43,13 @@
|
|
||||||
#ifndef LIBRESSL_VERSION_NUMBER
|
|
||||||
# define OSSL_IS_LIBRESSL 0
|
|
||||||
# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
|
|
||||||
- (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
||||||
+ (OPENSSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
|
|
||||||
# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
|
|
||||||
#else
|
|
||||||
# define OSSL_IS_LIBRESSL 1
|
|
||||||
# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
|
|
||||||
# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
|
|
||||||
- (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
||||||
+ (LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
|
|
||||||
index a61d3ee..0d3fa9a 100644
|
|
||||||
--- a/ext/openssl/ossl_asn1.c
|
|
||||||
+++ b/ext/openssl/ossl_asn1.c
|
|
||||||
@@ -1510,7 +1510,7 @@ Init_ossl_asn1(void)
|
|
||||||
*
|
|
||||||
* An Array that stores the name of a given tag number. These names are
|
|
||||||
* the same as the name of the tag constant that is additionally defined,
|
|
||||||
- * e.g. UNIVERSAL_TAG_NAME[2] = "INTEGER" and OpenSSL::ASN1::INTEGER = 2.
|
|
||||||
+ * e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
|
|
||||||
*
|
|
||||||
* == Example usage
|
|
||||||
*
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 2a4835a..24d0da4 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -649,7 +649,7 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 5, 0)
|
|
||||||
if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
|
|
||||||
ossl_pem_passwd_cb,
|
|
||||||
(void *)pass)) {
|
|
||||||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
|
||||||
index 9a0682a..af262d9 100644
|
|
||||||
--- a/ext/openssl/ossl_ssl.c
|
|
||||||
+++ b/ext/openssl/ossl_ssl.c
|
|
||||||
@@ -1025,27 +1025,13 @@ ossl_sslctx_get_ciphers(VALUE self)
|
|
||||||
return ary;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * call-seq:
|
|
||||||
- * ctx.ciphers = "cipher1:cipher2:..."
|
|
||||||
- * ctx.ciphers = [name, ...]
|
|
||||||
- * ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
|
||||||
- *
|
|
||||||
- * Sets the list of available cipher suites for this context. Note in a server
|
|
||||||
- * context some ciphers require the appropriate certificates. For example, an
|
|
||||||
- * RSA cipher suite can only be chosen when an RSA certificate is available.
|
|
||||||
- */
|
|
||||||
static VALUE
|
|
||||||
-ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
||||||
+build_cipher_string(VALUE v)
|
|
||||||
{
|
|
||||||
- SSL_CTX *ctx;
|
|
||||||
VALUE str, elem;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
- rb_check_frozen(self);
|
|
||||||
- if (NIL_P(v))
|
|
||||||
- return v;
|
|
||||||
- else if (RB_TYPE_P(v, T_ARRAY)) {
|
|
||||||
+ if (RB_TYPE_P(v, T_ARRAY)) {
|
|
||||||
str = rb_str_new(0, 0);
|
|
||||||
for (i = 0; i < RARRAY_LEN(v); i++) {
|
|
||||||
elem = rb_ary_entry(v, i);
|
|
||||||
@@ -1059,14 +1059,67 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
||||||
StringValue(str);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ return str;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * call-seq:
|
|
||||||
+ * ctx.ciphers = "cipher1:cipher2:..."
|
|
||||||
+ * ctx.ciphers = [name, ...]
|
|
||||||
+ * ctx.ciphers = [[name, version, bits, alg_bits], ...]
|
|
||||||
+ *
|
|
||||||
+ * Sets the list of available cipher suites for this context. Note in a server
|
|
||||||
+ * context some ciphers require the appropriate certificates. For example, an
|
|
||||||
+ * RSA cipher suite can only be chosen when an RSA certificate is available.
|
|
||||||
+ */
|
|
||||||
+static VALUE
|
|
||||||
+ossl_sslctx_set_ciphers(VALUE self, VALUE v)
|
|
||||||
+{
|
|
||||||
+ SSL_CTX *ctx;
|
|
||||||
+ VALUE str;
|
|
||||||
+
|
|
||||||
+ rb_check_frozen(self);
|
|
||||||
+ if (NIL_P(v))
|
|
||||||
+ return v;
|
|
||||||
+
|
|
||||||
+ str = build_cipher_string(v);
|
|
||||||
+
|
|
||||||
GetSSLCTX(self, ctx);
|
|
||||||
- if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str))) {
|
|
||||||
+ if (!SSL_CTX_set_cipher_list(ctx, StringValueCStr(str)))
|
|
||||||
ossl_raise(eSSLError, "SSL_CTX_set_cipher_list");
|
|
||||||
- }
|
|
||||||
|
|
||||||
return v;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
|
||||||
+/*
|
|
||||||
+ * call-seq:
|
|
||||||
+ * ctx.ciphersuites = "cipher1:cipher2:..."
|
|
||||||
+ * ctx.ciphersuites = [name, ...]
|
|
||||||
+ * ctx.ciphersuites = [[name, version, bits, alg_bits], ...]
|
|
||||||
+ *
|
|
||||||
+ * Sets the list of available TLSv1.3 cipher suites for this context.
|
|
||||||
+ */
|
|
||||||
+static VALUE
|
|
||||||
+ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
|
|
||||||
+{
|
|
||||||
+ SSL_CTX *ctx;
|
|
||||||
+ VALUE str;
|
|
||||||
+
|
|
||||||
+ rb_check_frozen(self);
|
|
||||||
+ if (NIL_P(v))
|
|
||||||
+ return v;
|
|
||||||
+
|
|
||||||
+ str = build_cipher_string(v);
|
|
||||||
+
|
|
||||||
+ GetSSLCTX(self, ctx);
|
|
||||||
+ if (!SSL_CTX_set_ciphersuites(ctx, StringValueCStr(str)))
|
|
||||||
+ ossl_raise(eSSLError, "SSL_CTX_set_ciphersuites");
|
|
||||||
+
|
|
||||||
+ return v;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#if !defined(OPENSSL_NO_EC)
|
|
||||||
/*
|
|
||||||
* call-seq:
|
|
||||||
@@ -2818,6 +2857,9 @@ Init_ossl_ssl(void)
|
|
||||||
ossl_sslctx_set_minmax_proto_version, 2);
|
|
||||||
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
|
|
||||||
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
|
|
||||||
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
|
||||||
+ rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
|
|
||||||
+#endif
|
|
||||||
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
|
|
||||||
rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0);
|
|
||||||
rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1);
|
|
||||||
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
|
|
||||||
index 0fd7971..c79bc14 100644
|
|
||||||
--- a/test/openssl/test_asn1.rb
|
|
||||||
+++ b/test/openssl/test_asn1.rb
|
|
||||||
@@ -14,7 +14,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
|
|
||||||
["keyUsage","keyCertSign, cRLSign",true],
|
|
||||||
["subjectKeyIdentifier","hash",false],
|
|
||||||
]
|
|
||||||
- dgst = OpenSSL::Digest.new('SHA1')
|
|
||||||
+ dgst = OpenSSL::Digest.new('SHA256')
|
|
||||||
cert = OpenSSL::TestUtils.issue_cert(
|
|
||||||
subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600)
|
|
||||||
|
|
||||||
@@ -42,7 +42,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
|
|
||||||
assert_equal(OpenSSL::ASN1::Sequence, sig.class)
|
|
||||||
assert_equal(2, sig.value.size)
|
|
||||||
assert_equal(OpenSSL::ASN1::ObjectId, sig.value[0].class)
|
|
||||||
- assert_equal("1.2.840.113549.1.1.5", sig.value[0].oid)
|
|
||||||
+ assert_equal("1.2.840.113549.1.1.11", sig.value[0].oid)
|
|
||||||
assert_equal(OpenSSL::ASN1::Null, sig.value[1].class)
|
|
||||||
|
|
||||||
dn = tbs_cert.value[3] # issuer
|
|
||||||
@@ -189,7 +189,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase
|
|
||||||
assert_equal(OpenSSL::ASN1::Null, pkey.value[0].value[1].class)
|
|
||||||
|
|
||||||
assert_equal(OpenSSL::ASN1::BitString, sig_val.class)
|
|
||||||
- cululated_sig = key.sign(OpenSSL::Digest.new('SHA1'), tbs_cert.to_der)
|
|
||||||
+ cululated_sig = key.sign(OpenSSL::Digest.new('SHA256'), tbs_cert.to_der)
|
|
||||||
assert_equal(cululated_sig, sig_val.value)
|
|
||||||
end
|
|
||||||
|
|
||||||
diff --git a/test/openssl/test_ns_spki.rb b/test/openssl/test_ns_spki.rb
|
|
||||||
index ed3be86..383931b 100644
|
|
||||||
--- a/test/openssl/test_ns_spki.rb
|
|
||||||
+++ b/test/openssl/test_ns_spki.rb
|
|
||||||
@@ -22,7 +22,7 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase
|
|
||||||
spki = OpenSSL::Netscape::SPKI.new
|
|
||||||
spki.challenge = "RandomString"
|
|
||||||
spki.public_key = key1.public_key
|
|
||||||
- spki.sign(key1, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ spki.sign(key1, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert(spki.verify(spki.public_key))
|
|
||||||
assert(spki.verify(key1.public_key))
|
|
||||||
assert(!spki.verify(key2.public_key))
|
|
||||||
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
|
|
||||||
index 726b7db..08213df 100644
|
|
||||||
--- a/test/openssl/test_pkey_dsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_dsa.rb
|
|
||||||
@@ -36,8 +36,8 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
|
|
||||||
assert_equal true, dsa512.verify(OpenSSL::Digest.new('DSS1'), signature, data)
|
|
||||||
end
|
|
||||||
|
|
||||||
- signature = dsa512.sign("SHA1", data)
|
|
||||||
- assert_equal true, dsa512.verify("SHA1", signature, data)
|
|
||||||
+ signature = dsa512.sign("SHA256", data)
|
|
||||||
+ assert_equal true, dsa512.verify("SHA256", signature, data)
|
|
||||||
|
|
||||||
signature0 = (<<~'end;').unpack("m")[0]
|
|
||||||
MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/
|
|
||||||
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
|
|
||||||
index ffe5a94..c06fe6f 100644
|
|
||||||
--- a/test/openssl/test_pkey_ec.rb
|
|
||||||
+++ b/test/openssl/test_pkey_ec.rb
|
|
||||||
@@ -98,8 +98,8 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
|
|
||||||
def test_sign_verify
|
|
||||||
p256 = Fixtures.pkey("p256")
|
|
||||||
data = "Sign me!"
|
|
||||||
- signature = p256.sign("SHA1", data)
|
|
||||||
- assert_equal true, p256.verify("SHA1", signature, data)
|
|
||||||
+ signature = p256.sign("SHA256", data)
|
|
||||||
+ assert_equal true, p256.verify("SHA256", signature, data)
|
|
||||||
|
|
||||||
signature0 = (<<~'end;').unpack("m")[0]
|
|
||||||
MEQCIEOTY/hD7eI8a0qlzxkIt8LLZ8uwiaSfVbjX2dPAvN11AiAQdCYx56Fq
|
|
||||||
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
|
|
||||||
index 4bb39ed..9e06e43 100644
|
|
||||||
--- a/test/openssl/test_pkey_rsa.rb
|
|
||||||
+++ b/test/openssl/test_pkey_rsa.rb
|
|
||||||
@@ -80,8 +80,8 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
|
|
||||||
def test_sign_verify
|
|
||||||
rsa1024 = Fixtures.pkey("rsa1024")
|
|
||||||
data = "Sign me!"
|
|
||||||
- signature = rsa1024.sign("SHA1", data)
|
|
||||||
- assert_equal true, rsa1024.verify("SHA1", signature, data)
|
|
||||||
+ signature = rsa1024.sign("SHA256", data)
|
|
||||||
+ assert_equal true, rsa1024.verify("SHA256", signature, data)
|
|
||||||
|
|
||||||
signature0 = (<<~'end;').unpack("m")[0]
|
|
||||||
oLCgbprPvfhM4pjFQiDTFeWI9Sk+Og7Nh9TmIZ/xSxf2CGXQrptlwo7NQ28+
|
|
||||||
@@ -113,10 +113,10 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
|
|
||||||
def test_sign_verify_raw
|
|
||||||
key = Fixtures.pkey("rsa-1")
|
|
||||||
data = "Sign me!"
|
|
||||||
- hash = OpenSSL::Digest.digest("SHA1", data)
|
|
||||||
- signature = key.sign_raw("SHA1", hash)
|
|
||||||
- assert_equal true, key.verify_raw("SHA1", signature, hash)
|
|
||||||
- assert_equal true, key.verify("SHA1", signature, data)
|
|
||||||
+ hash = OpenSSL::Digest.digest("SHA256", data)
|
|
||||||
+ signature = key.sign_raw("SHA256", hash)
|
|
||||||
+ assert_equal true, key.verify_raw("SHA256", signature, hash)
|
|
||||||
+ assert_equal true, key.verify("SHA256", signature, data)
|
|
||||||
|
|
||||||
# Too long data
|
|
||||||
assert_raise(OpenSSL::PKey::PKeyError) {
|
|
||||||
@@ -129,9 +129,9 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
|
|
||||||
"rsa_pss_saltlen" => 20,
|
|
||||||
"rsa_mgf1_md" => "SHA256"
|
|
||||||
}
|
|
||||||
- sig_pss = key.sign_raw("SHA1", hash, pssopts)
|
|
||||||
- assert_equal true, key.verify("SHA1", sig_pss, data, pssopts)
|
|
||||||
- assert_equal true, key.verify_raw("SHA1", sig_pss, hash, pssopts)
|
|
||||||
+ sig_pss = key.sign_raw("SHA256", hash, pssopts)
|
|
||||||
+ assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
|
|
||||||
+ assert_equal true, key.verify_raw("SHA256", sig_pss, hash, pssopts)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_sign_verify_raw_legacy
|
|
||||||
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
|
|
||||||
index a7607da..3ba8b39 100644
|
|
||||||
--- a/test/openssl/test_ssl.rb
|
|
||||||
+++ b/test/openssl/test_ssl.rb
|
|
||||||
@@ -669,10 +669,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|
||||||
# buzz.example.net, respectively). ...
|
|
||||||
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
|
|
||||||
create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
|
|
||||||
+
|
|
||||||
+ # LibreSSL 3.5.0+ doesn't support other wildcard certificates
|
|
||||||
+ # (it isn't required to, as RFC states MAY, not MUST)
|
|
||||||
+ return if libressl?(3, 5, 0)
|
|
||||||
+
|
|
||||||
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
|
|
||||||
create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
|
|
||||||
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
|
|
||||||
create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
|
|
||||||
+
|
|
||||||
# Section 6.4.3 of RFC6125 states that client should NOT match identifier
|
|
||||||
# where wildcard is other than left-most label.
|
|
||||||
#
|
|
||||||
@@ -1556,8 +1562,101 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
+ def test_ciphersuites_method_tls_connection
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ if !tls13_supported? || !ssl_ctx.respond_to?(:ciphersuites=)
|
|
||||||
+ pend 'TLS 1.3 not supported'
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ csuite = ['TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128, 128]
|
|
||||||
+ inputs = [csuite[0], [csuite[0]], [csuite]]
|
|
||||||
+
|
|
||||||
+ start_server do |port|
|
|
||||||
+ inputs.each do |input|
|
|
||||||
+ cli_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ cli_ctx.min_version = cli_ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
|
|
||||||
+ cli_ctx.ciphersuites = input
|
|
||||||
+
|
|
||||||
+ server_connect(port, cli_ctx) do |ssl|
|
|
||||||
+ assert_equal('TLSv1.3', ssl.ssl_version)
|
|
||||||
+ if libressl?(3, 4, 0) && !libressl?(3, 5, 0)
|
|
||||||
+ assert_equal("AEAD-AES128-GCM-SHA256", ssl.cipher[0])
|
|
||||||
+ else
|
|
||||||
+ assert_equal(csuite[0], ssl.cipher[0])
|
|
||||||
+ end
|
|
||||||
+ ssl.puts('abc'); assert_equal("abc\n", ssl.gets)
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphersuites_method_nil_argument
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
|
|
||||||
+
|
|
||||||
+ assert_nothing_raised { ssl_ctx.ciphersuites = nil }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphersuites_method_frozen_object
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
|
|
||||||
+
|
|
||||||
+ ssl_ctx.freeze
|
|
||||||
+ assert_raise(FrozenError) { ssl_ctx.ciphersuites = 'TLS_AES_256_GCM_SHA384' }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphersuites_method_bogus_csuite
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
|
|
||||||
+
|
|
||||||
+ assert_raise_with_message(
|
|
||||||
+ OpenSSL::SSL::SSLError,
|
|
||||||
+ /SSL_CTX_set_ciphersuites: no cipher match/i
|
|
||||||
+ ) { ssl_ctx.ciphersuites = 'BOGUS' }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphers_method_tls_connection
|
|
||||||
+ csuite = ['ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256, 256]
|
|
||||||
+ inputs = [csuite[0], [csuite[0]], [csuite]]
|
|
||||||
+
|
|
||||||
+ start_server do |port|
|
|
||||||
+ inputs.each do |input|
|
|
||||||
+ cli_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ cli_ctx.min_version = cli_ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
||||||
+ cli_ctx.ciphers = input
|
|
||||||
+
|
|
||||||
+ server_connect(port, cli_ctx) do |ssl|
|
|
||||||
+ assert_equal('TLSv1.2', ssl.ssl_version)
|
|
||||||
+ assert_equal(csuite[0], ssl.cipher[0])
|
|
||||||
+ ssl.puts('abc'); assert_equal("abc\n", ssl.gets)
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphers_method_nil_argument
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+ assert_nothing_raised { ssl_ctx.ciphers = nil }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphers_method_frozen_object
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+
|
|
||||||
+ ssl_ctx.freeze
|
|
||||||
+ assert_raise(FrozenError) { ssl_ctx.ciphers = 'ECDHE-RSA-AES128-SHA' }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_ciphers_method_bogus_csuite
|
|
||||||
+ ssl_ctx = OpenSSL::SSL::SSLContext.new
|
|
||||||
+
|
|
||||||
+ assert_raise_with_message(
|
|
||||||
+ OpenSSL::SSL::SSLError,
|
|
||||||
+ /SSL_CTX_set_cipher_list: no cipher match/i
|
|
||||||
+ ) { ssl_ctx.ciphers = 'BOGUS' }
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
def test_connect_works_when_setting_dh_callback_to_nil
|
|
||||||
pend "TLS 1.2 is not supported" unless tls12_supported?
|
|
||||||
|
|
||||||
ctx_proc = -> ctx {
|
|
||||||
ctx.ssl_version = :TLSv1_2
|
|
||||||
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
|
|
||||||
index d696b98..4e2bd0c 100644
|
|
||||||
--- a/test/openssl/test_x509cert.rb
|
|
||||||
+++ b/test/openssl/test_x509cert.rb
|
|
||||||
@@ -180,6 +180,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
|
|
||||||
assert_equal(false, certificate_error_returns_false { cert.verify(@dsa512) })
|
|
||||||
cert.serial = 2
|
|
||||||
assert_equal(false, cert.verify(@rsa2048))
|
|
||||||
+ rescue OpenSSL::X509::CertificateError # RHEL 9 disables SHA1
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_sign_and_verify_rsa_md5
|
|
||||||
@@ -226,9 +227,8 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
|
|
||||||
assert_equal("dsa_with_SHA256", cert.signature_algorithm)
|
|
||||||
# TODO: need more tests for dsa + sha2
|
|
||||||
|
|
||||||
- # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
|
|
||||||
- cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1")
|
|
||||||
- assert_equal("dsaWithSHA1", cert.signature_algorithm)
|
|
||||||
+ cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha512")
|
|
||||||
+ assert_equal("dsa_with_SHA512", cert.signature_algorithm)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_check_private_key
|
|
||||||
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
|
|
||||||
index bcdb0a6..146ee07 100644
|
|
||||||
--- a/test/openssl/test_x509crl.rb
|
|
||||||
+++ b/test/openssl/test_x509crl.rb
|
|
||||||
@@ -20,7 +20,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
|
|
||||||
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
|
|
||||||
crl = issue_crl([], 1, now, now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(1, crl.version)
|
|
||||||
assert_equal(cert.issuer.to_der, crl.issuer.to_der)
|
|
||||||
assert_equal(now, crl.last_update)
|
|
||||||
@@ -57,7 +57,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
]
|
|
||||||
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
|
|
||||||
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoked = crl.revoked
|
|
||||||
assert_equal(5, revoked.size)
|
|
||||||
assert_equal(1, revoked[0].serial)
|
|
||||||
@@ -98,7 +98,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
|
|
||||||
revoke_info = (1..1000).collect{|i| [i, now, 0] }
|
|
||||||
crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoked = crl.revoked
|
|
||||||
assert_equal(1000, revoked.size)
|
|
||||||
assert_equal(1, revoked[0].serial)
|
|
||||||
@@ -124,7 +124,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
|
|
||||||
cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil)
|
|
||||||
crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
exts = crl.extensions
|
|
||||||
assert_equal(3, exts.size)
|
|
||||||
assert_equal("1", exts[0].value)
|
|
||||||
@@ -160,24 +160,24 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
assert_equal(false, exts[2].critical?)
|
|
||||||
|
|
||||||
no_ext_crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal nil, no_ext_crl.authority_key_identifier
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_crlnumber
|
|
||||||
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
|
|
||||||
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_match(1.to_s, crl.extensions[0].value)
|
|
||||||
assert_match(/X509v3 CRL Number:\s+#{1}/m, crl.to_text)
|
|
||||||
|
|
||||||
crl = issue_crl([], 2**32, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_match((2**32).to_s, crl.extensions[0].value)
|
|
||||||
assert_match(/X509v3 CRL Number:\s+#{2**32}/m, crl.to_text)
|
|
||||||
|
|
||||||
crl = issue_crl([], 2**100, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_match(/X509v3 CRL Number:\s+#{2**100}/m, crl.to_text)
|
|
||||||
assert_match((2**100).to_s, crl.extensions[0].value)
|
|
||||||
end
|
|
||||||
@@ -185,7 +185,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
def test_sign_and_verify
|
|
||||||
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
|
|
||||||
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(false, crl.verify(@rsa1024))
|
|
||||||
assert_equal(true, crl.verify(@rsa2048))
|
|
||||||
assert_equal(false, crl_error_returns_false { crl.verify(@dsa256) })
|
|
||||||
@@ -195,7 +195,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
|
|
||||||
|
|
||||||
cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
|
|
||||||
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
|
|
||||||
- cert, @dsa512, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ cert, @dsa512, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
|
|
||||||
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
|
|
||||||
assert_equal(false, crl.verify(@dsa256))
|
|
||||||
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
|
|
||||||
index ee9c678..a84b162 100644
|
|
||||||
--- a/test/openssl/test_x509req.rb
|
|
||||||
+++ b/test/openssl/test_x509req.rb
|
|
||||||
@@ -23,31 +23,31 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_public_key
|
|
||||||
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
|
|
||||||
req = OpenSSL::X509::Request.new(req.to_der)
|
|
||||||
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
|
|
||||||
|
|
||||||
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
|
|
||||||
req = OpenSSL::X509::Request.new(req.to_der)
|
|
||||||
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_version
|
|
||||||
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(0, req.version)
|
|
||||||
req = OpenSSL::X509::Request.new(req.to_der)
|
|
||||||
assert_equal(0, req.version)
|
|
||||||
|
|
||||||
- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(1, req.version)
|
|
||||||
req = OpenSSL::X509::Request.new(req.to_der)
|
|
||||||
assert_equal(1, req.version)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_subject
|
|
||||||
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(@dn.to_der, req.subject.to_der)
|
|
||||||
req = OpenSSL::X509::Request.new(req.to_der)
|
|
||||||
assert_equal(@dn.to_der, req.subject.to_der)
|
|
||||||
@@ -78,9 +78,9 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
|
|
||||||
OpenSSL::X509::Attribute.new("msExtReq", attrval),
|
|
||||||
]
|
|
||||||
|
|
||||||
- req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
attrs.each{|attr| req0.add_attribute(attr) }
|
|
||||||
- req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
req1.attributes = attrs
|
|
||||||
assert_equal(req0.to_der, req1.to_der)
|
|
||||||
|
|
||||||
@@ -101,7 +101,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_sign_and_verify_rsa_sha1
|
|
||||||
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(true, req.verify(@rsa1024))
|
|
||||||
assert_equal(false, req.verify(@rsa2048))
|
|
||||||
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
|
|
||||||
@@ -122,7 +122,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_sign_and_verify_dsa
|
|
||||||
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
|
|
||||||
assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
|
|
||||||
assert_equal(false, req.verify(@dsa256))
|
|
||||||
@@ -137,13 +137,13 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_dup
|
|
||||||
- req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
assert_equal(req.to_der, req.dup.to_der)
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_eq
|
|
||||||
- req1 = issue_csr(0, @dn, @rsa1024, "sha1")
|
|
||||||
- req2 = issue_csr(0, @dn, @rsa1024, "sha1")
|
|
||||||
+ req1 = issue_csr(0, @dn, @rsa1024, "sha512")
|
|
||||||
+ req2 = issue_csr(0, @dn, @rsa1024, "sha512")
|
|
||||||
req3 = issue_csr(0, @dn, @rsa1024, "sha256")
|
|
||||||
|
|
||||||
assert_equal false, req1 == 12345
|
|
||||||
--- a/test/openssl/test_x509store.rb.orig 2022-07-14 14:07:32.468809273 +0200
|
|
||||||
+++ b/test/openssl/test_x509store.rb 2022-07-13 17:27:58.115363595 +0200
|
|
||||||
@@ -72,16 +72,16 @@
|
|
||||||
|
|
||||||
revoke_info = []
|
|
||||||
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
|
|
||||||
- ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoke_info = [ [2, now, 1], ]
|
|
||||||
crl1_2 = issue_crl(revoke_info, 2, now, now+1800, [],
|
|
||||||
- ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoke_info = [ [20, now, 1], ]
|
|
||||||
crl2 = issue_crl(revoke_info, 1, now, now+1800, [],
|
|
||||||
- ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoke_info = []
|
|
||||||
crl2_2 = issue_crl(revoke_info, 2, now-100, now-1, [],
|
|
||||||
- ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA256'))
|
|
||||||
|
|
||||||
assert_equal(true, ca1_cert.verify(ca1_cert.public_key)) # self signed
|
|
||||||
assert_equal(true, ca2_cert.verify(ca1_cert.public_key)) # issued by ca1
|
|
||||||
@@ -220,10 +220,10 @@
|
|
||||||
|
|
||||||
revoke_info = []
|
|
||||||
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
|
|
||||||
- ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
revoke_info = [ [2, now, 1], ]
|
|
||||||
crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
|
|
||||||
- ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1'))
|
|
||||||
+ ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA256'))
|
|
||||||
store.add_crl(crl1)
|
|
||||||
assert_raise(OpenSSL::X509::StoreError){
|
|
||||||
store.add_crl(crl2) # add CRL issued by same CA twice.
|
|
@ -1,32 +0,0 @@
|
|||||||
From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jun Aruga <jaruga@redhat.com>
|
|
||||||
Date: Thu, 13 Apr 2023 17:28:27 +0200
|
|
||||||
Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
|
|
||||||
the tests.
|
|
||||||
|
|
||||||
We want to run the unit tests in the FIPS mode too.
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/ab92baff34
|
|
||||||
---
|
|
||||||
test/openssl/utils.rb | 5 -----
|
|
||||||
1 file changed, 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
|
|
||||||
index 4ebcb9837b..8a0be0d154 100644
|
|
||||||
--- a/test/openssl/utils.rb
|
|
||||||
+++ b/test/openssl/utils.rb
|
|
||||||
@@ -1,11 +1,6 @@
|
|
||||||
# frozen_string_literal: true
|
|
||||||
begin
|
|
||||||
require "openssl"
|
|
||||||
-
|
|
||||||
- # Disable FIPS mode for tests for installations
|
|
||||||
- # where FIPS mode would be enabled by default.
|
|
||||||
- # Has no effect on all other installations.
|
|
||||||
- OpenSSL.fips_mode=false
|
|
||||||
rescue LoadError
|
|
||||||
end
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,73 +0,0 @@
|
|||||||
From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Tue, 29 Aug 2023 19:46:02 +0900
|
|
||||||
Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
|
|
||||||
default DH group parameters
|
|
||||||
|
|
||||||
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
|
|
||||||
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
|
|
||||||
self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
|
|
||||||
bit length DH-key", 2016-01-15) as the fallback.
|
|
||||||
|
|
||||||
While there is no known weakness in the current parameters, it would be
|
|
||||||
a good idea to switch to pre-defined, more well audited parameters.
|
|
||||||
|
|
||||||
This also allows the fallback to work in the FIPS mode.
|
|
||||||
|
|
||||||
The PEM encoding was derived with:
|
|
||||||
|
|
||||||
# RFC 7919 Appendix A.1. ffdhe2048
|
|
||||||
print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
|
|
||||||
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
|
|
||||||
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
|
|
||||||
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
|
|
||||||
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
|
|
||||||
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
|
|
||||||
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
|
|
||||||
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
|
|
||||||
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
|
|
||||||
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
|
|
||||||
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
|
|
||||||
886B4238 61285C97 FFFFFFFF FFFFFFFF
|
|
||||||
END
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/a5527cb4f4
|
|
||||||
---
|
|
||||||
ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
|
|
||||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
|
|
||||||
index ea8bb2a18e533..94be6ba80b894 100644
|
|
||||||
--- a/ext/openssl/lib/openssl/ssl.rb
|
|
||||||
+++ b/ext/openssl/lib/openssl/ssl.rb
|
|
||||||
@@ -31,21 +31,21 @@ class SSLContext
|
|
||||||
}
|
|
||||||
|
|
||||||
if defined?(OpenSSL::PKey::DH)
|
|
||||||
- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
|
||||||
+ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
|
|
||||||
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
|
|
||||||
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
|
|
||||||
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
|
||||||
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
|
|
||||||
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
|
|
||||||
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
|
||||||
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
|
||||||
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
|
||||||
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
|
||||||
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
|
||||||
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
|
||||||
-----END DH PARAMETERS-----
|
|
||||||
_end_of_pem_
|
|
||||||
- private_constant :DEFAULT_2048
|
|
||||||
+ private_constant :DH_ffdhe2048
|
|
||||||
|
|
||||||
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
|
|
||||||
warn "using default DH parameters." if $VERBOSE
|
|
||||||
- DEFAULT_2048
|
|
||||||
+ DH_ffdhe2048
|
|
||||||
}
|
|
||||||
end
|
|
||||||
|
|
@ -1,160 +0,0 @@
|
|||||||
From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jun Aruga <jaruga@redhat.com>
|
|
||||||
Date: Wed, 12 Apr 2023 17:15:21 +0200
|
|
||||||
Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
|
|
||||||
|
|
||||||
This is a combination of the following 2 commits. Because the combined patch is
|
|
||||||
easy to merge.
|
|
||||||
|
|
||||||
This is the 1st commit message:
|
|
||||||
|
|
||||||
[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
|
|
||||||
|
|
||||||
This commit is a workaround to avoid the error below that the
|
|
||||||
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
|
|
||||||
|
|
||||||
```
|
|
||||||
$ openssl genrsa -out key.pem 4096
|
|
||||||
|
|
||||||
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
|
|
||||||
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
|
|
||||||
from -e:1:in `<main>'
|
|
||||||
```
|
|
||||||
|
|
||||||
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
|
|
||||||
doesn't apply the selection value properly if there are multiple providers, and
|
|
||||||
a provider (e.g. "base" provider) handles the decoder implementation, and
|
|
||||||
another provider (e.g. "fips" provider) handles the keys.
|
|
||||||
|
|
||||||
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
|
|
||||||
the `OSSL_DECODER_CTX_set_selection`.
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/5ff4a31621
|
|
||||||
|
|
||||||
This is the commit message #2:
|
|
||||||
|
|
||||||
[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
|
|
||||||
|
|
||||||
This is a workaround for the decoding issue in ossl_pkey_read_generic().
|
|
||||||
The issue happens in the case that a key management provider is different from
|
|
||||||
a decoding provider.
|
|
||||||
|
|
||||||
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
|
|
||||||
to avoid the issue.
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/db688fa739
|
|
||||||
---
|
|
||||||
ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
|
|
||||||
1 file changed, 73 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
|
||||||
index 24d0da4683..15854aeca1 100644
|
|
||||||
--- a/ext/openssl/ossl_pkey.c
|
|
||||||
+++ b/ext/openssl/ossl_pkey.c
|
|
||||||
@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
|
|
||||||
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
# include <openssl/decoder.h>
|
|
||||||
|
|
||||||
-EVP_PKEY *
|
|
||||||
-ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
+static EVP_PKEY *
|
|
||||||
+ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
|
|
||||||
{
|
|
||||||
void *ppass = (void *)pass;
|
|
||||||
OSSL_DECODER_CTX *dctx;
|
|
||||||
EVP_PKEY *pkey = NULL;
|
|
||||||
int pos = 0, pos2;
|
|
||||||
|
|
||||||
- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
|
|
||||||
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
|
|
||||||
+ selection, NULL, NULL);
|
|
||||||
if (!dctx)
|
|
||||||
goto out;
|
|
||||||
- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
|
|
||||||
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
|
|
||||||
+ ppass) != 1)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
/* First check DER */
|
|
||||||
@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
goto out;
|
|
||||||
pos = pos2;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
out:
|
|
||||||
+ OSSL_BIO_reset(bio);
|
|
||||||
OSSL_DECODER_CTX_free(dctx);
|
|
||||||
return pkey;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+EVP_PKEY *
|
|
||||||
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
+ /* First check DER, then check PEM. */
|
|
||||||
+ const char *input_types[] = {"DER", "PEM"};
|
|
||||||
+ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
|
|
||||||
+ /*
|
|
||||||
+ * Non-zero selections to try to decode.
|
|
||||||
+ *
|
|
||||||
+ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
|
|
||||||
+ *
|
|
||||||
+ * This is a workaround for the decoder failing to decode or returning
|
|
||||||
+ * bogus keys with selection 0, if a key management provider is different
|
|
||||||
+ * from a decoder provider. The workaround is to avoid using selection 0.
|
|
||||||
+ *
|
|
||||||
+ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
|
|
||||||
+ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
|
|
||||||
+ *
|
|
||||||
+ * See https://github.com/openssl/openssl/pull/21519 for details.
|
|
||||||
+ *
|
|
||||||
+ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
|
|
||||||
+ * compatibility with ruby/openssl < 3.0 which decoded the following as a
|
|
||||||
+ * private key.
|
|
||||||
+ *
|
|
||||||
+ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
|
|
||||||
+ * -----BEGIN EC PARAMETERS-----
|
|
||||||
+ * BggqhkjOPQMBBw==
|
|
||||||
+ * -----END EC PARAMETERS-----
|
|
||||||
+ * -----BEGIN EC PRIVATE KEY-----
|
|
||||||
+ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
|
|
||||||
+ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
|
|
||||||
+ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
|
|
||||||
+ * -----END EC PRIVATE KEY-----
|
|
||||||
+ *
|
|
||||||
+ * While the first PEM block is a proper encoding of ECParameters, thus
|
|
||||||
+ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
|
|
||||||
+ * the latter instead. Existing applications expect this behavior.
|
|
||||||
+ *
|
|
||||||
+ * Note that normally, the input is supposed to contain a single decodable
|
|
||||||
+ * PEM block only, so this special handling should not create a new problem.
|
|
||||||
+ *
|
|
||||||
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
|
|
||||||
+ * we use the different selection as a workaround.
|
|
||||||
+ * See https://github.com/openssl/openssl/issues/20657 for details.
|
|
||||||
+ */
|
|
||||||
+ int selections[] = {
|
|
||||||
+ EVP_PKEY_KEYPAIR,
|
|
||||||
+ EVP_PKEY_KEY_PARAMETERS,
|
|
||||||
+ EVP_PKEY_PUBLIC_KEY
|
|
||||||
+ };
|
|
||||||
+ int selection_num = (int)(sizeof(selections) / sizeof(int));
|
|
||||||
+ int i, j;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < input_type_num; i++) {
|
|
||||||
+ for (j = 0; j < selection_num; j++) {
|
|
||||||
+ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
|
|
||||||
+ if (pkey) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ out:
|
|
||||||
+ return pkey;
|
|
||||||
+}
|
|
||||||
#else
|
|
||||||
EVP_PKEY *
|
|
||||||
ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,142 +0,0 @@
|
|||||||
From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jun Aruga <jaruga@redhat.com>
|
|
||||||
Date: Thu, 16 Mar 2023 21:36:43 +0100
|
|
||||||
Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
|
|
||||||
|
|
||||||
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
|
|
||||||
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
|
|
||||||
|
|
||||||
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
|
|
||||||
more, and some FIPS related APIs also were removed in OpenSSL 3.
|
|
||||||
|
|
||||||
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
|
|
||||||
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
|
|
||||||
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
|
|
||||||
|
|
||||||
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
|
|
||||||
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
|
|
||||||
works with the OpenSSL installed without FIPS option.
|
|
||||||
|
|
||||||
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
|
|
||||||
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
|
|
||||||
'false' surely in the CI. You can test the FIPS mode case by setting
|
|
||||||
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
|
|
||||||
way to get the status of the FIPS mode enabled or disabled for this purpose. I
|
|
||||||
am afraid of the possibility that the FIPS test case is unintentionally skipped.
|
|
||||||
|
|
||||||
I also replaced the ambiguous "returns" with "should return" in the tests.
|
|
||||||
|
|
||||||
https://github.com/ruby/openssl/commit/c5b2bc1268
|
|
||||||
---
|
|
||||||
ext/openssl/ossl.c | 25 +++++++++++++++++++++----
|
|
||||||
test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
|
|
||||||
2 files changed, 49 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
|
|
||||||
index 6c532aca94..fcf3744c65 100644
|
|
||||||
--- a/ext/openssl/ossl.c
|
|
||||||
+++ b/ext/openssl/ossl.c
|
|
||||||
@@ -405,7 +405,11 @@ static VALUE
|
|
||||||
ossl_fips_mode_get(VALUE self)
|
|
||||||
{
|
|
||||||
|
|
||||||
-#ifdef OPENSSL_FIPS
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ VALUE enabled;
|
|
||||||
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
|
|
||||||
+ return enabled;
|
|
||||||
+#elif OPENSSL_FIPS
|
|
||||||
VALUE enabled;
|
|
||||||
enabled = FIPS_mode() ? Qtrue : Qfalse;
|
|
||||||
return enabled;
|
|
||||||
@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
|
|
||||||
static VALUE
|
|
||||||
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
|
||||||
{
|
|
||||||
-
|
|
||||||
-#ifdef OPENSSL_FIPS
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ if (RTEST(enabled)) {
|
|
||||||
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
|
|
||||||
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
|
|
||||||
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return enabled;
|
|
||||||
+#elif OPENSSL_FIPS
|
|
||||||
if (RTEST(enabled)) {
|
|
||||||
int mode = FIPS_mode();
|
|
||||||
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
|
||||||
@@ -1185,7 +1199,10 @@ Init_openssl(void)
|
|
||||||
* Boolean indicating whether OpenSSL is FIPS-capable or not
|
|
||||||
*/
|
|
||||||
rb_define_const(mOSSL, "OPENSSL_FIPS",
|
|
||||||
-#ifdef OPENSSL_FIPS
|
|
||||||
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
|
|
||||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
|
||||||
+ Qtrue
|
|
||||||
+#elif OPENSSL_FIPS
|
|
||||||
Qtrue
|
|
||||||
#else
|
|
||||||
Qfalse
|
|
||||||
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
|
|
||||||
index 8cd474f9a3..56a12a94ce 100644
|
|
||||||
--- a/test/openssl/test_fips.rb
|
|
||||||
+++ b/test/openssl/test_fips.rb
|
|
||||||
@@ -4,22 +4,46 @@
|
|
||||||
if defined?(OpenSSL)
|
|
||||||
|
|
||||||
class OpenSSL::TestFIPS < OpenSSL::TestCase
|
|
||||||
+ def test_fips_mode_get_is_true_on_fips_mode_enabled
|
|
||||||
+ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
|
||||||
+ omit "Only for FIPS mode environment"
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
|
||||||
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
|
|
||||||
+ end;
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ def test_fips_mode_get_is_false_on_fips_mode_disabled
|
|
||||||
+ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
|
||||||
+ omit "Only for non-FIPS mode environment"
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
|
||||||
+ message = ".fips_mode should return false on FIPS mode disabled. " \
|
|
||||||
+ "If you run the test on FIPS mode, please set " \
|
|
||||||
+ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
|
|
||||||
+ assert OpenSSL.fips_mode == false, message
|
|
||||||
+ end;
|
|
||||||
+ end
|
|
||||||
+
|
|
||||||
def test_fips_mode_is_reentrant
|
|
||||||
OpenSSL.fips_mode = false
|
|
||||||
OpenSSL.fips_mode = false
|
|
||||||
end
|
|
||||||
|
|
||||||
- def test_fips_mode_get
|
|
||||||
- return unless OpenSSL::OPENSSL_FIPS
|
|
||||||
+ def test_fips_mode_get_with_fips_mode_set
|
|
||||||
+ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
|
|
||||||
+
|
|
||||||
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
|
||||||
require #{__FILE__.dump}
|
|
||||||
|
|
||||||
begin
|
|
||||||
OpenSSL.fips_mode = true
|
|
||||||
- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
|
|
||||||
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
|
|
||||||
|
|
||||||
OpenSSL.fips_mode = false
|
|
||||||
- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
|
|
||||||
+ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
|
|
||||||
rescue OpenSSL::OpenSSLError
|
|
||||||
pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
|
|
||||||
end
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
|
||||||
Date: Wed, 22 Mar 2023 16:10:06 +0900
|
|
||||||
Subject: [PATCH] Added assertion values for Amazon Linux 2023
|
|
||||||
|
|
||||||
---
|
|
||||||
spec/ruby/core/file/utime_spec.rb | 8 +++++---
|
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb
|
|
||||||
index a191e2924037c..0b0e4f979c935 100644
|
|
||||||
--- a/spec/ruby/core/file/utime_spec.rb
|
|
||||||
+++ b/spec/ruby/core/file/utime_spec.rb
|
|
||||||
@@ -72,17 +72,19 @@
|
|
||||||
|
|
||||||
platform_is :linux do
|
|
||||||
platform_is wordsize: 64 do
|
|
||||||
- it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do
|
|
||||||
+ it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do
|
|
||||||
# https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps
|
|
||||||
# "Therefore, timestamps should not overflow until May 2446."
|
|
||||||
# https://lwn.net/Articles/804382/
|
|
||||||
# "On-disk timestamps hitting the y2038 limit..."
|
|
||||||
# The problem seems to be being improved, but currently it actually fails on XFS on RHEL8
|
|
||||||
# https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz
|
|
||||||
+ # Amazon Linux 2023 returns 2486-07-02 in this example
|
|
||||||
+ # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz
|
|
||||||
time = Time.at(1<<44)
|
|
||||||
File.utime(time, time, @file1)
|
|
||||||
- [559444, 2446, 2038].should.include? File.atime(@file1).year
|
|
||||||
- [559444, 2446, 2038].should.include? File.mtime(@file1).year
|
|
||||||
+ [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year
|
|
||||||
+ [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
@ -1,28 +0,0 @@
|
|||||||
From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f Mon Sep 17 00:00:00 2001
|
|
||||||
From: "NARUSE, Yui" <nurse@users.noreply.github.com>
|
|
||||||
Date: Sat, 3 Feb 2024 22:35:44 +0900
|
|
||||||
Subject: [PATCH] Fix test session reuse but expire (#9824)
|
|
||||||
|
|
||||||
* OpenSSL 3.2.1 30 Jan 2024 is also broken
|
|
||||||
|
|
||||||
Import 45064610725ddd81a5ea3775da35aa46985bc789 from ruby_3_3 branch
|
|
||||||
tentatively.
|
|
||||||
---
|
|
||||||
test/net/http/test_https.rb | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
|
|
||||||
index 7b97e39586..aef748dfa0 100644
|
|
||||||
--- a/test/net/http/test_https.rb
|
|
||||||
+++ b/test/net/http/test_https.rb
|
|
||||||
@@ -178,6 +178,7 @@ def test_session_reuse
|
|
||||||
def test_session_reuse_but_expire
|
|
||||||
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
|
|
||||||
skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
|
|
||||||
+ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')
|
|
||||||
|
|
||||||
http = Net::HTTP.new("localhost", config("port"))
|
|
||||||
http.use_ssl = true
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
From 58ebf0f84a1dcb148f21aa589693d49d4e3be7de Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jun Aruga <jaruga@redhat.com>
|
|
||||||
Date: Thu, 2 May 2024 17:23:09 +0200
|
|
||||||
Subject: [PATCH] Allow OpenSSL 3 in Ruby OpenSSL 2.x.
|
|
||||||
|
|
||||||
---
|
|
||||||
ext/openssl/extconf.rb | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
||||||
index 0dc1a5eb43..51de0d6e39 100644
|
|
||||||
--- a/ext/openssl/extconf.rb
|
|
||||||
+++ b/ext/openssl/extconf.rb
|
|
||||||
@@ -110,7 +110,7 @@ def find_openssl_library
|
|
||||||
!try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
|
|
||||||
end
|
|
||||||
unless version_ok
|
|
||||||
- raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
|
|
||||||
+ # raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
|
|
||||||
end
|
|
||||||
|
|
||||||
# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jun Aruga <jaruga@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2022 12:02:56 +0200
|
|
||||||
Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
|
|
||||||
version 2022b.
|
|
||||||
|
|
||||||
The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
|
|
||||||
including Europe/Amsterdam on tzdata version 2022b or later.
|
|
||||||
See <https://github.com/eggert/tz/commit/35fa37fbbb152f5dbed4fd5edfdc968e3584fe12>.
|
|
||||||
|
|
||||||
The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
|
|
||||||
test, because the change is intentional.
|
|
||||||
See <https://bugzilla.redhat.com/show_bug.cgi?id=2118259#c1>.
|
|
||||||
|
|
||||||
We use post-1970 time test data to simplify the test.
|
|
||||||
---
|
|
||||||
spec/ruby/core/time/shared/local.rb | 8 +++-----
|
|
||||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
|
|
||||||
index 997b7186f1..c4aa7a7ea9 100644
|
|
||||||
--- a/spec/ruby/core/time/shared/local.rb
|
|
||||||
+++ b/spec/ruby/core/time/shared/local.rb
|
|
||||||
@@ -6,18 +6,16 @@
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-=begin
|
|
||||||
platform_is_not :windows do
|
|
||||||
describe "timezone changes" do
|
|
||||||
- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
|
|
||||||
+ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
|
|
||||||
with_timezone("Europe/Amsterdam") do
|
|
||||||
- Time.send(@method, 1940, 5, 16).to_a.should ==
|
|
||||||
- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
|
|
||||||
+ Time.send(@method, 1970, 5, 16).to_a.should ==
|
|
||||||
+ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
-=end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe :time_local_10_arg, shared: true do
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From bb0f57aeb4de36a3b2b8b8cb01d25b32af0357d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
|
||||||
Date: Wed, 27 Oct 2021 16:28:24 +0200
|
|
||||||
Subject: [PATCH] Provide distinguished name which will be correctly parsed.
|
|
||||||
|
|
||||||
It seems that since ruby openssl 2.1.0 [[1]], the distinguished name
|
|
||||||
submitted to `OpenSSL::X509::Name.parse` is not correctly parsed if it
|
|
||||||
does not contain the first slash:
|
|
||||||
|
|
||||||
~~~
|
|
||||||
$ ruby -v
|
|
||||||
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
|
|
||||||
|
|
||||||
$ gem list | grep openssl
|
|
||||||
openssl (default: 2.2.0)
|
|
||||||
|
|
||||||
$ irb -r openssl
|
|
||||||
irb(main):001:0> OpenSSL::X509::Name.parse("CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)
|
|
||||||
=> "CN = nobody/DC=example"
|
|
||||||
irb(main):002:0> OpenSSL::X509::Name.parse("/CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)
|
|
||||||
=> "CN = nobody, DC = example"
|
|
||||||
~~~
|
|
||||||
|
|
||||||
[1]: https://github.com/ruby/openssl/commit/19c67cd10c57f3ab7b13966c36431ebc3fdd653b
|
|
||||||
---
|
|
||||||
lib/rubygems/security.rb | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
|
||||||
index c80639af6d..12de141f36 100644
|
|
||||||
--- a/lib/rubygems/security.rb
|
|
||||||
+++ b/lib/rubygems/security.rb
|
|
||||||
@@ -510,7 +510,7 @@ def self.email_to_name(email_address)
|
|
||||||
|
|
||||||
dcs = dcs.split '.'
|
|
||||||
|
|
||||||
- name = "CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
|
|
||||||
+ name = "/CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
|
|
||||||
|
|
||||||
OpenSSL::X509::Name.parse name
|
|
||||||
end
|
|
||||||
--
|
|
||||||
2.32.0
|
|
||||||
|
|
@ -1,105 +0,0 @@
|
|||||||
From 558128594de16add5b453833fd5b043a24c1b7f5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Wed, 22 Dec 2021 01:38:47 +0900
|
|
||||||
Subject: [PATCH 1/3] Use OpenSSL::PKey::EC.generate to generate ECC key pairs
|
|
||||||
|
|
||||||
When Ruby/OpenSSL is built against OpenSSL 3.0, OpenSSL::PKey::PKey
|
|
||||||
instances are immutable and OpenSSL::PKey::EC#generate_key cannot work
|
|
||||||
because it modifies the receiver.
|
|
||||||
|
|
||||||
OpenSSL::PKey::EC.generate is available on Ruby 2.4 (Ruby/OpenSSL 2.0)
|
|
||||||
or later.
|
|
||||||
---
|
|
||||||
lib/rubygems/security.rb | 10 +++++++---
|
|
||||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
|
||||||
index 22759972070..2aa07381d69 100644
|
|
||||||
--- a/lib/rubygems/security.rb
|
|
||||||
+++ b/lib/rubygems/security.rb
|
|
||||||
@@ -490,9 +490,13 @@ def self.create_key(algorithm)
|
|
||||||
when 'rsa'
|
|
||||||
OpenSSL::PKey::RSA.new(RSA_DSA_KEY_LENGTH)
|
|
||||||
when 'ec'
|
|
||||||
- domain_key = OpenSSL::PKey::EC.new(EC_NAME)
|
|
||||||
- domain_key.generate_key
|
|
||||||
- domain_key
|
|
||||||
+ if RUBY_VERSION >= "2.4.0"
|
|
||||||
+ OpenSSL::PKey::EC.generate(EC_NAME)
|
|
||||||
+ else
|
|
||||||
+ domain_key = OpenSSL::PKey::EC.new(EC_NAME)
|
|
||||||
+ domain_key.generate_key
|
|
||||||
+ domain_key
|
|
||||||
+ end
|
|
||||||
else
|
|
||||||
raise Gem::Security::Exception,
|
|
||||||
"#{algorithm} algorithm not found. RSA, DSA, and EC algorithms are supported."
|
|
||||||
|
|
||||||
From 60067d4f09b7fb9c23bed38e91acfde0293f29a0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Wed, 22 Dec 2021 01:49:05 +0900
|
|
||||||
Subject: [PATCH 2/3] Use OpenSSL::X509::Certificate#check_private_key
|
|
||||||
|
|
||||||
The method is for the exact purpose: to check that an instance of
|
|
||||||
OpenSSL::PKey::PKey matches the public key in a certificate.
|
|
||||||
---
|
|
||||||
lib/rubygems/security.rb | 2 +-
|
|
||||||
lib/rubygems/security/policy.rb | 4 +---
|
|
||||||
2 files changed, 2 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
|
||||||
index 2aa07381d69..2906819bd34 100644
|
|
||||||
--- a/lib/rubygems/security.rb
|
|
||||||
+++ b/lib/rubygems/security.rb
|
|
||||||
@@ -530,7 +530,7 @@ def self.re_sign(expired_certificate, private_key, age = ONE_YEAR,
|
|
||||||
raise Gem::Security::Exception,
|
|
||||||
"incorrect signing key for re-signing " +
|
|
||||||
"#{expired_certificate.subject}" unless
|
|
||||||
- expired_certificate.public_key.to_pem == get_public_key(private_key).to_pem
|
|
||||||
+ expired_certificate.check_private_key(private_key)
|
|
||||||
|
|
||||||
unless expired_certificate.subject.to_s ==
|
|
||||||
expired_certificate.issuer.to_s
|
|
||||||
diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb
|
|
||||||
index 3c3cb647ee3..06eae073f4a 100644
|
|
||||||
--- a/lib/rubygems/security/policy.rb
|
|
||||||
+++ b/lib/rubygems/security/policy.rb
|
|
||||||
@@ -115,11 +115,9 @@ def check_key(signer, key)
|
|
||||||
raise Gem::Security::Exception, 'missing key or signature'
|
|
||||||
end
|
|
||||||
|
|
||||||
- public_key = Gem::Security.get_public_key(key)
|
|
||||||
-
|
|
||||||
raise Gem::Security::Exception,
|
|
||||||
"certificate #{signer.subject} does not match the signing key" unless
|
|
||||||
- signer.public_key.to_pem == public_key.to_pem
|
|
||||||
+ signer.check_private_key(key)
|
|
||||||
|
|
||||||
true
|
|
||||||
end
|
|
||||||
|
|
||||||
From 6819e3d0fadc10ce8d10919402eedb730cf0e43f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
||||||
Date: Wed, 22 Dec 2021 01:54:10 +0900
|
|
||||||
Subject: [PATCH 3/3] Fix Gem::Security.get_public_key on OpenSSL 3.0
|
|
||||||
|
|
||||||
Ruby/OpenSSL 2.2 added OpenSSL::PKey::PKey#public_to_der for serializing
|
|
||||||
only the public key components contained in the instance. This works
|
|
||||||
for all possible key types.
|
|
||||||
---
|
|
||||||
lib/rubygems/security.rb | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
|
|
||||||
index 2906819bd34..f21c1756422 100644
|
|
||||||
--- a/lib/rubygems/security.rb
|
|
||||||
+++ b/lib/rubygems/security.rb
|
|
||||||
@@ -424,6 +424,8 @@ def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS,
|
|
||||||
# Gets the right public key from a PKey instance
|
|
||||||
|
|
||||||
def self.get_public_key(key)
|
|
||||||
+ # Ruby 3.0 (Ruby/OpenSSL 2.2) or later
|
|
||||||
+ return OpenSSL::PKey.read(key.public_to_der) if key.respond_to?(:public_to_der)
|
|
||||||
return key.public_key unless key.is_a?(OpenSSL::PKey::EC)
|
|
||||||
|
|
||||||
ec_key = OpenSSL::PKey::EC.new(key.group.curve_name)
|
|
@ -1,34 +0,0 @@
|
|||||||
require 'openssl'
|
|
||||||
|
|
||||||
# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
|
|
||||||
# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
|
|
||||||
# - step name: test on fips module
|
|
||||||
|
|
||||||
# Listing the testing files by an array explicitly rather than the `Dir.glob`
|
|
||||||
# to prevent the test files from not loading unintentionally.
|
|
||||||
TEST_FILES = %w[
|
|
||||||
test/openssl/test_fips.rb
|
|
||||||
test/openssl/test_pkey.rb
|
|
||||||
].freeze
|
|
||||||
|
|
||||||
if ARGV.empty?
|
|
||||||
puts 'ERROR: Argument base_dir required.'
|
|
||||||
puts "Usage: #{__FILE__} base_dir [options]"
|
|
||||||
exit false
|
|
||||||
end
|
|
||||||
BASE_DIR = ARGV[0]
|
|
||||||
abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
|
|
||||||
|
|
||||||
# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
|
|
||||||
# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
|
|
||||||
# versions.
|
|
||||||
# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
||||||
ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
|
|
||||||
# A flag to tell the tests the current environment is FIPS enabled.
|
|
||||||
# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
|
|
||||||
ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
|
|
||||||
|
|
||||||
abs_test_files.each do |file|
|
|
||||||
puts "INFO: Loading #{file}."
|
|
||||||
require file
|
|
||||||
end
|
|
Loading…
Reference in new issue