4 changed files with 93 additions and 70 deletions
Split View
Diff Options
-
+31 -13Makefile
-
+21 -7fallback_scsv.patch
-
+32 -41set_ecdh_curves.patch
-
+9 -9tmp_key.patch
+ 31
- 13
Makefile
View File
| @@ -1,20 +1,18 @@ | |||
| PWD = $(shell pwd) | |||
| export CPATH = $(PWD)/openssl/include | |||
| export LIBRARY_PATH = $(PWD)/openssl | |||
| OPENSSL_LIB_VERSION = 1.0.0 | |||
| OPENSSL_VERSION = 1.0.2g | |||
| #OPENSSL_LIB_VERSION = 1.1 | |||
| #OPENSSL_VERSION = 1.1.0-pre5 | |||
| OPENSSL_NAME = openssl-$(OPENSSL_VERSION) | |||
| OPENSSL_DIR = build/$(OPENSSL_NAME) | |||
| #OPENSSL_DIR = openssl | |||
| RUBY_MAJOR_VERSION = 2.3 | |||
| RUBY_VERSION = $(RUBY_MAJOR_VERSION).1 | |||
| RUBY_VERSION = $(RUBY_MAJOR_VERSION).3 | |||
| RUBY_NAME = ruby-$(RUBY_VERSION) | |||
| RUBY_DIR = build/$(RUBY_NAME) | |||
| RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl | |||
| RUBY_LIB_DIR = $(RBENV_ROOT)/versions/$(RUBY_VERSION)-cryptcheck/lib/ruby/$(RUBY_MAJOR_VERSION).0 | |||
| RBENV_ROOT ?= ~/.rbenv | |||
| export LIBRARY_PATH = $(PWD)/lib | |||
| export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include | |||
| export LD_LIBRARY_PATH = $(PWD)/lib | |||
| .SECONDARY: | |||
| @@ -45,25 +43,45 @@ build/$(OPENSSL_NAME).tar.gz: | build/ | |||
| $(OPENSSL_DIR)/: build/$(OPENSSL_NAME).tar.gz build/chacha-poly.patch | |||
| tar -C build -xf build/$(OPENSSL_NAME).tar.gz | |||
| patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch | |||
| #patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch | |||
| $(OPENSSL_DIR)/Makefile: | $(OPENSSL_DIR)/ | |||
| cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-shared linux-x86_64 | |||
| #cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib enable-rc5 enable-rc2 enable-gost enable-md2 enable-mdc2 enable-shared linux-x86_64 | |||
| #cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-md2 enable-rc5 enable-weak-ssl-ciphers shared | |||
| cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-shared | |||
| $(OPENSSL_DIR)/libssl.so \ | |||
| $(OPENSSL_DIR)/libcrypto.so: $(OPENSSL_DIR)/Makefile | |||
| $(MAKE) -C $(OPENSSL_DIR) | |||
| LIBS = lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION) | |||
| lib/%.so: $(OPENSSL_DIR)/%.so | |||
| cp $< $@ | |||
| lib/%.so.$(OPENSSL_LIB_VERSION): lib/%.so | |||
| ln -fs $(notdir $(subst .$(OPENSSL_LIB_VERSION),,$@)) $@ | |||
| libs: lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION) | |||
| libs: $(LIBS) | |||
| build/$(RUBY_NAME).tar.gz: | build/ | |||
| wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.gz -O $@ | |||
| build/$(RUBY_VERSION)-cryptcheck: $(RBENV_ROOT)/plugins/ruby-build/share/ruby-build/$(RUBY_VERSION) | |||
| cp $< $@ | |||
| install-ruby: build/$(RUBY_VERSION)-cryptcheck $(LIBS) | $(OPENSSL_DIR)/ | |||
| cat tmp_key.patch set_ecdh_curves.patch fallback_scsv.patch | \ | |||
| RUBY_BUILD_CACHE_PATH=$(PWD)/build \ | |||
| RUBY_BUILD_DEFINITIONS=$(PWD)/build \ | |||
| rbenv install -fp $(RUBY_VERSION)-cryptcheck | |||
| rbenv sequester $(RUBY_VERSION)-cryptcheck | |||
| rbenv local $(RUBY_VERSION)-cryptcheck | |||
| gem install bundler | |||
| bundle | |||
| $(RUBY_LIB_DIR)/openssl/ssl.rb: $(RUBY_OPENSSL_EXT_DIR)/lib/openssl/ssl.rb | |||
| cp $< $@ | |||
| $(RUBY_LIB_DIR)/x86_64-linux/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so | |||
| cp $< $@ | |||
| sync-ruby: $(RUBY_LIB_DIR)/openssl/ssl.rb $(RUBY_LIB_DIR)/x86_64-linux/openssl.so | |||
| build/$(RUBY_NAME).tar.xz: | build/ | |||
| wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@ | |||
| $(RUBY_DIR)/: build/$(RUBY_NAME).tar.gz | |||
| $(RUBY_DIR)/: build/$(RUBY_NAME).tar.xz | |||
| tar -C build -xf $< | |||
| $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/ | |||
| @@ -72,7 +90,7 @@ $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/ | |||
| patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch | |||
| cd $(RUBY_OPENSSL_EXT_DIR) && ruby extconf.rb | |||
| $(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile | |||
| $(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(LIBS) $(RUBY_OPENSSL_EXT_DIR)/Makefile | |||
| top_srcdir=../.. $(MAKE) -C $(RUBY_OPENSSL_EXT_DIR) | |||
| lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so | |||
+ 21
- 7
fallback_scsv.patch
View File
| @@ -1,5 +1,19 @@ | |||
| diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb | |||
| index d773536..f4a6c4b 100644 | |||
| --- a/ext/openssl/deprecation.rb | |||
| +++ b/ext/openssl/deprecation.rb | |||
| @@ -19,4 +19,9 @@ def self.check_func(func, header) | |||
| have_func(func, header, deprecated_warning_flag) and | |||
| have_header(header, nil, deprecated_warning_flag) | |||
| end | |||
| + | |||
| + def self.check_func_or_macro(func, header) | |||
| + check_func(func, header) or | |||
| + have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}") | |||
| + end | |||
| end | |||
| diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb | |||
| index 57519f2..c5b0c8b 100644 | |||
| index 9893757..bcb167e 100644 | |||
| --- a/ext/openssl/lib/openssl/ssl.rb | |||
| +++ b/ext/openssl/lib/openssl/ssl.rb | |||
| @@ -105,11 +105,12 @@ class SSLContext | |||
| @@ -7,23 +21,23 @@ index 57519f2..c5b0c8b 100644 | |||
| # | |||
| # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS | |||
| - def initialize(version = nil) | |||
| + def initialize(version = nil, fallback_scsv = false) | |||
| + def initialize(version = nil, fallback_scsv: false) | |||
| INIT_VARS.each { |v| instance_variable_set v, nil } | |||
| self.options = self.options | OpenSSL::SSL::OP_ALL | |||
| return unless version | |||
| self.ssl_version = version | |||
| + self.enable_fallback_scsv if fallback_scsv | |||
| end | |||
| ## | |||
| diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| index bcc624f..0c1780b 100644 | |||
| index cc17a0c..9f7ee0b 100644 | |||
| --- a/ext/openssl/ossl_ssl.c | |||
| +++ b/ext/openssl/ossl_ssl.c | |||
| @@ -978,6 +978,31 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) | |||
| return v; | |||
| } | |||
| +/* | |||
| + * call-seq: | |||
| + * ctx.enable_fallback_scsv() => nil | |||
| @@ -57,6 +71,6 @@ index bcc624f..0c1780b 100644 | |||
| rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); | |||
| rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1); | |||
| + rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0); | |||
| rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0); | |||
+ 32
- 41
set_ecdh_curves.patch
View File
| @@ -1,19 +1,7 @@ | |||
| diff -ur a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb | |||
| --- a/ext/openssl/deprecation.rb 2016-11-11 14:41:20.866580715 +0100 | |||
| +++ b/ext/openssl/deprecation.rb 2016-11-11 14:41:37.570583620 +0100 | |||
| @@ -19,4 +19,9 @@ | |||
| have_func(func, header, deprecated_warning_flag) and | |||
| have_header(header, nil, deprecated_warning_flag) | |||
| end | |||
| + | |||
| + def self.check_func_or_macro(func, header) | |||
| + check_func(func, header) or | |||
| + have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}") | |||
| + end | |||
| end | |||
| diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
| --- a/ext/openssl/extconf.rb 2016-11-11 12:05:50.490942389 +0100 | |||
| +++ b/ext/openssl/extconf.rb 2016-11-11 12:08:46.323026500 +0100 | |||
| diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
| index 76487f7..2a4d3a7 100644 | |||
| --- a/ext/openssl/extconf.rb | |||
| +++ b/ext/openssl/extconf.rb | |||
| @@ -93,6 +93,7 @@ | |||
| have_func("X509_NAME_hash_old") | |||
| have_func("X509_STORE_get_ex_data") | |||
| @@ -33,10 +21,11 @@ diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
| have_func("SSL_CTX_set_next_proto_select_cb") | |||
| unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) | |||
| have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") | |||
| diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
| --- a/ext/openssl/openssl_missing.c 2016-11-11 12:05:50.858942585 +0100 | |||
| +++ b/ext/openssl/openssl_missing.c 2016-11-11 12:10:17.575063207 +0100 | |||
| @@ -34,6 +34,43 @@ | |||
| diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
| index 31f2d0a..bc61a96 100644 | |||
| --- a/ext/openssl/openssl_missing.c | |||
| +++ b/ext/openssl/openssl_missing.c | |||
| @@ -34,6 +34,43 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) | |||
| #endif /* HAVE_HMAC_CTX_COPY */ | |||
| #endif /* NO_HMAC */ | |||
| @@ -77,13 +66,14 @@ diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
| +#endif | |||
| +#endif | |||
| + | |||
| #if !defined(HAVE_X509_STORE_SET_EX_DATA) | |||
| int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data) | |||
| { | |||
| diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
| --- a/ext/openssl/openssl_missing.h 2016-11-11 12:05:51.210942773 +0100 | |||
| +++ b/ext/openssl/openssl_missing.h 2016-11-11 12:10:49.307074964 +0100 | |||
| @@ -70,6 +70,12 @@ | |||
| #if !defined(HAVE_EVP_MD_CTX_CREATE) | |||
| EVP_MD_CTX * | |||
| EVP_MD_CTX_create(void) | |||
| diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
| index 955579c..6e2f5b5 100644 | |||
| --- a/ext/openssl/openssl_missing.h | |||
| +++ b/ext/openssl/openssl_missing.h | |||
| @@ -70,6 +70,12 @@ void HMAC_CTX_init(HMAC_CTX *ctx); | |||
| void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); | |||
| #endif | |||
| @@ -96,10 +86,11 @@ diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
| #if !defined(HAVE_HMAC_CTX_CLEANUP) | |||
| void HMAC_CTX_cleanup(HMAC_CTX *ctx); | |||
| #endif | |||
| diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| --- a/ext/openssl/ossl_ssl.c 2016-11-11 12:05:51.590942974 +0100 | |||
| +++ b/ext/openssl/ossl_ssl.c 2016-11-11 14:47:24.746639981 +0100 | |||
| @@ -161,6 +161,18 @@ | |||
| diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| index dc35d5a..cc17a0c 100644 | |||
| --- a/ext/openssl/ossl_ssl.c | |||
| +++ b/ext/openssl/ossl_ssl.c | |||
| @@ -161,6 +161,18 @@ ossl_sslctx_s_alloc(VALUE klass) | |||
| RTYPEDDATA_DATA(obj) = ctx; | |||
| SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj); | |||
| @@ -118,7 +109,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| return obj; | |||
| } | |||
| @@ -711,19 +723,33 @@ | |||
| @@ -711,19 +723,33 @@ ossl_sslctx_setup(VALUE self) | |||
| #endif | |||
| #if !defined(OPENSSL_NO_EC) | |||
| @@ -162,7 +153,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| store = GetX509StorePtr(val); /* NO NEED TO DUP */ | |||
| SSL_CTX_set_cert_store(ctx, store); | |||
| SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1); | |||
| @@ -731,7 +757,7 @@ | |||
| @@ -731,7 +757,7 @@ ossl_sslctx_setup(VALUE self) | |||
| val = ossl_sslctx_get_extra_cert(self); | |||
| if(!NIL_P(val)){ | |||
| @@ -171,7 +162,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| } | |||
| /* private key may be bundled in certificate file. */ | |||
| @@ -755,22 +781,21 @@ | |||
| @@ -755,22 +781,21 @@ ossl_sslctx_setup(VALUE self) | |||
| val = ossl_sslctx_get_client_ca(self); | |||
| if(!NIL_P(val)){ | |||
| @@ -207,7 +198,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| } | |||
| val = ossl_sslctx_get_ca_file(self); | |||
| @@ -778,15 +803,15 @@ | |||
| @@ -778,15 +803,15 @@ ossl_sslctx_setup(VALUE self) | |||
| val = ossl_sslctx_get_ca_path(self); | |||
| ca_path = NIL_P(val) ? NULL : StringValuePtr(val); | |||
| if(ca_file || ca_path){ | |||
| @@ -226,7 +217,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| val = ossl_sslctx_get_timeout(self); | |||
| if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val)); | |||
| @@ -797,26 +822,26 @@ | |||
| @@ -797,26 +822,26 @@ ossl_sslctx_setup(VALUE self) | |||
| #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB | |||
| val = rb_iv_get(self, "@npn_protocols"); | |||
| if (!NIL_P(val)) { | |||
| @@ -263,7 +254,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| } | |||
| #endif | |||
| @@ -824,31 +849,31 @@ | |||
| @@ -824,31 +849,31 @@ ossl_sslctx_setup(VALUE self) | |||
| val = ossl_sslctx_get_sess_id_ctx(self); | |||
| if (!NIL_P(val)){ | |||
| @@ -307,7 +298,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| } | |||
| #endif | |||
| @@ -953,6 +978,87 @@ | |||
| @@ -953,6 +978,87 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) | |||
| return v; | |||
| } | |||
| @@ -395,7 +386,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| /* | |||
| * call-seq: | |||
| * ctx.session_add(session) -> true | false | |||
| @@ -2075,6 +2181,7 @@ | |||
| @@ -2075,6 +2181,7 @@ Init_ossl_ssl(void) | |||
| */ | |||
| rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse); | |||
| @@ -403,7 +394,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| /* | |||
| * A callback invoked when ECDH parameters are required. | |||
| * | |||
| @@ -2082,10 +2189,11 @@ | |||
| @@ -2082,10 +2189,11 @@ Init_ossl_ssl(void) | |||
| * flag indicating the use of an export cipher and the keylength | |||
| * required. | |||
| * | |||
| @@ -417,7 +408,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| /* | |||
| * Sets the context in which a session can be reused. This allows | |||
| @@ -2221,6 +2329,7 @@ | |||
| @@ -2221,6 +2329,7 @@ Init_ossl_ssl(void) | |||
| rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1); | |||
| rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0); | |||
| rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); | |||
+ 9
- 9
tmp_key.patch
View File
| @@ -1,5 +1,5 @@ | |||
| diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
| index 7bb6cd8..3b18a53 100644 | |||
| index 0b7fa2a..76487f7 100644 | |||
| --- a/ext/openssl/extconf.rb | |||
| +++ b/ext/openssl/extconf.rb | |||
| @@ -114,6 +114,7 @@ | |||
| @@ -11,7 +11,7 @@ index 7bb6cd8..3b18a53 100644 | |||
| have_func("ENGINE_add") | |||
| have_func("ENGINE_load_builtin_engines") | |||
| diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
| index 4075d6f..982e011 100644 | |||
| index 7a0eb4e..dc35d5a 100644 | |||
| --- a/ext/openssl/ossl_ssl.c | |||
| +++ b/ext/openssl/ossl_ssl.c | |||
| @@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self) | |||
| @@ -38,7 +38,7 @@ index 4075d6f..982e011 100644 | |||
| +} | |||
| +# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */ | |||
| #endif /* !defined(OPENSSL_NO_SOCK) */ | |||
| void | |||
| @@ -2305,6 +2324,9 @@ Init_ossl_ssl(void) | |||
| rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); | |||
| @@ -51,13 +51,13 @@ index 4075d6f..982e011 100644 | |||
| rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); | |||
| # endif | |||
| diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb | |||
| index 58fcc08..3ce4e21 100644 | |||
| index 2247847..7958f17 100644 | |||
| --- a/test/openssl/test_ssl.rb | |||
| +++ b/test/openssl/test_ssl.rb | |||
| @@ -1169,6 +1169,29 @@ def test_sync_close_without_connect | |||
| } | |||
| @@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting | |||
| sock2.close if sock2 | |||
| end | |||
| + def test_get_ephemeral_key | |||
| + return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) | |||
| + ciphers = { | |||
| @@ -82,7 +82,7 @@ index 58fcc08..3ce4e21 100644 | |||
| + end | |||
| + | |||
| private | |||
| def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk) | |||
| diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb | |||
| index 0802c1b..c081e4f 100644 | |||
| @@ -95,4 +95,4 @@ index 0802c1b..c081e4f 100644 | |||
| + ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 } | |||
| ctx.verify_mode = verify_mode | |||
| ctx_proc.call(ctx) if ctx_proc | |||