@@ -1,20 +1,18 @@ | |||
PWD = $(shell pwd) | |||
export CPATH = $(PWD)/openssl/include | |||
export LIBRARY_PATH = $(PWD)/openssl | |||
OPENSSL_LIB_VERSION = 1.0.0 | |||
OPENSSL_VERSION = 1.0.2g | |||
#OPENSSL_LIB_VERSION = 1.1 | |||
#OPENSSL_VERSION = 1.1.0-pre5 | |||
OPENSSL_NAME = openssl-$(OPENSSL_VERSION) | |||
OPENSSL_DIR = build/$(OPENSSL_NAME) | |||
#OPENSSL_DIR = openssl | |||
RUBY_MAJOR_VERSION = 2.3 | |||
RUBY_VERSION = $(RUBY_MAJOR_VERSION).1 | |||
RUBY_VERSION = $(RUBY_MAJOR_VERSION).3 | |||
RUBY_NAME = ruby-$(RUBY_VERSION) | |||
RUBY_DIR = build/$(RUBY_NAME) | |||
RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl | |||
RUBY_LIB_DIR = $(RBENV_ROOT)/versions/$(RUBY_VERSION)-cryptcheck/lib/ruby/$(RUBY_MAJOR_VERSION).0 | |||
RBENV_ROOT ?= ~/.rbenv | |||
export LIBRARY_PATH = $(PWD)/lib | |||
export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include | |||
export LD_LIBRARY_PATH = $(PWD)/lib | |||
.SECONDARY: | |||
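Review bot: `PWD = $(shell pwd)` on the first line is a recursively expanded variable, so every reference to `$(PWD)` (the three `export` lines here and the `RUBY_BUILD_*` settings in the install-ruby recipe further down) forks a fresh shell, and it also shadows the `PWD` make imports from the environment; the built-in `$(CURDIR)` gives the same value for free, e.g. `PWD := $(CURDIR)`. The `export LIBRARY_PATH` / `C_INCLUDE_PATH` / `LD_LIBRARY_PATH` lines are file-global, so every process any recipe spawns (wget, patch, tar, rbenv, gem) resolves libssl/libcrypto from `lib/`, which this file deliberately builds with SSLv2, SSLv3 and weak ciphers enabled. If that library is only meant for compiling and running the patched Ruby extension, scope the exports with target-specific variables, e.g. `$(RUBY_OPENSSL_EXT_DIR)/Makefile install-ruby: export LD_LIBRARY_PATH = $(CURDIR)/lib`, and add a comment stating that `lib/` is a scanner-only build that must never be installed system-wide.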
@@ -45,25 +43,45 @@ build/$(OPENSSL_NAME).tar.gz: | build/ | |||
$(OPENSSL_DIR)/: build/$(OPENSSL_NAME).tar.gz build/chacha-poly.patch | |||
tar -C build -xf build/$(OPENSSL_NAME).tar.gz | |||
patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch | |||
#patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch | |||
$(OPENSSL_DIR)/Makefile: | $(OPENSSL_DIR)/ | |||
cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-shared linux-x86_64 | |||
#cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib enable-rc5 enable-rc2 enable-gost enable-md2 enable-mdc2 enable-shared linux-x86_64 | |||
#cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-md2 enable-rc5 enable-weak-ssl-ciphers shared | |||
cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-shared | |||
$(OPENSSL_DIR)/libssl.so \ | |||
$(OPENSSL_DIR)/libcrypto.so: $(OPENSSL_DIR)/Makefile | |||
$(MAKE) -C $(OPENSSL_DIR) | |||
LIBS = lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION) | |||
lib/%.so: $(OPENSSL_DIR)/%.so | |||
cp $< $@ | |||
lib/%.so.$(OPENSSL_LIB_VERSION): lib/%.so | |||
ln -fs $(notdir $(subst .$(OPENSSL_LIB_VERSION),,$@)) $@ | |||
libs: lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION) | |||
libs: $(LIBS) | |||
build/$(RUBY_NAME).tar.gz: | build/ | |||
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.gz -O $@ | |||
build/$(RUBY_VERSION)-cryptcheck: $(RBENV_ROOT)/plugins/ruby-build/share/ruby-build/$(RUBY_VERSION) | |||
cp $< $@ | |||
install-ruby: build/$(RUBY_VERSION)-cryptcheck $(LIBS) | $(OPENSSL_DIR)/ | |||
cat tmp_key.patch set_ecdh_curves.patch fallback_scsv.patch | \ | |||
RUBY_BUILD_CACHE_PATH=$(PWD)/build \ | |||
RUBY_BUILD_DEFINITIONS=$(PWD)/build \ | |||
rbenv install -fp $(RUBY_VERSION)-cryptcheck | |||
rbenv sequester $(RUBY_VERSION)-cryptcheck | |||
rbenv local $(RUBY_VERSION)-cryptcheck | |||
gem install bundler | |||
bundle | |||
$(RUBY_LIB_DIR)/openssl/ssl.rb: $(RUBY_OPENSSL_EXT_DIR)/lib/openssl/ssl.rb | |||
cp $< $@ | |||
$(RUBY_LIB_DIR)/x86_64-linux/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so | |||
cp $< $@ | |||
sync-ruby: $(RUBY_LIB_DIR)/openssl/ssl.rb $(RUBY_LIB_DIR)/x86_64-linux/openssl.so | |||
build/$(RUBY_NAME).tar.xz: | build/ | |||
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@ | |||
$(RUBY_DIR)/: build/$(RUBY_NAME).tar.gz | |||
$(RUBY_DIR)/: build/$(RUBY_NAME).tar.xz | |||
tar -C build -xf $< | |||
$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/ | |||
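Review bot: The new `build/$(RUBY_NAME).tar.xz` rule fetches the Ruby source over plain `http://` and the `$(RUBY_DIR)/` rule right below extracts it without any checksum or signature check, so a tampered download ends up compiled into `$(RUBY_OPENSSL_EXT_DIR)/openssl.so` and copied into `lib/`; the `.tar.gz` rule it replaces had the same gap, and the openssl tarball rule named in this hunk's header starts outside the hunk so cannot be checked here. The file sets `.SECONDARY:` and not `.DELETE_ON_ERROR:`, so an interrupted `wget -O $@` also leaves a truncated archive that looks up to date on the next run. Fetch over `https://`, write to a temporary name, and verify a pinned digest before renaming; `RUBY_TARBALL_SHA256` below is a placeholder for a variable holding the SHA-256 of the pinned `$(RUBY_NAME).tar.xz`, which can be taken from the ruby-build definition this Makefile already copies into `build/$(RUBY_VERSION)-cryptcheck` if that definition carries one for this archive format. The same treatment applies to the `build/$(RUBY_NAME).tar.gz` rule if it is kept.
```make
build/$(RUBY_NAME).tar.xz: | build/
	wget https://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@.tmp
	echo "$(RUBY_TARBALL_SHA256)  $@.tmp" | sha256sum -c -
	mv -f $@.tmp $@
```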
@@ -72,7 +90,7 @@ $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/ | |||
patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch | |||
cd $(RUBY_OPENSSL_EXT_DIR) && ruby extconf.rb | |||
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile | |||
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(LIBS) $(RUBY_OPENSSL_EXT_DIR)/Makefile | |||
top_srcdir=../.. $(MAKE) -C $(RUBY_OPENSSL_EXT_DIR) | |||
lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so | |||
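Review bot: The `$(RUBY_OPENSSL_EXT_DIR)/openssl.so` rule now depends on the real files in `$(LIBS)` instead of the `libs` target, but the `$(RUBY_OPENSSL_EXT_DIR)/Makefile` rule named in this hunk's header (its prerequisites are on the line above the hunk, and its recipe continues past `patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch` into lines outside the hunk) still lists `libs`. No file named `libs` is ever created, so that rule is considered out of date on every invocation and its recipe re-applies the patches to an already-patched tree, which `patch` rejects; if the `: libs` form survives on the new side, change it to `$(RUBY_OPENSSL_EXT_DIR)/Makefile: $(LIBS) | $(RUBY_DIR)/` for consistency with the line changed here. The `libs` target itself should then be declared in `.PHONY` if it is kept as a convenience alias.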
@@ -1,5 +1,19 @@ | |||
diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb | |||
index d773536..f4a6c4b 100644 | |||
--- a/ext/openssl/deprecation.rb | |||
+++ b/ext/openssl/deprecation.rb | |||
@@ -19,4 +19,9 @@ def self.check_func(func, header) | |||
have_func(func, header, deprecated_warning_flag) and | |||
have_header(header, nil, deprecated_warning_flag) | |||
end | |||
+ | |||
+ def self.check_func_or_macro(func, header) | |||
+ check_func(func, header) or | |||
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}") | |||
+ end | |||
end | |||
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb | |||
index 57519f2..c5b0c8b 100644 | |||
index 9893757..bcb167e 100644 | |||
--- a/ext/openssl/lib/openssl/ssl.rb | |||
+++ b/ext/openssl/lib/openssl/ssl.rb | |||
@@ -105,11 +105,12 @@ class SSLContext | |||
@@ -7,23 +21,23 @@ index 57519f2..c5b0c8b 100644 | |||
# | |||
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS | |||
- def initialize(version = nil) | |||
+ def initialize(version = nil, fallback_scsv = false) | |||
+ def initialize(version = nil, fallback_scsv: false) | |||
INIT_VARS.each { |v| instance_variable_set v, nil } | |||
self.options = self.options | OpenSSL::SSL::OP_ALL | |||
return unless version | |||
self.ssl_version = version | |||
+ self.enable_fallback_scsv if fallback_scsv | |||
end | |||
## | |||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
index bcc624f..0c1780b 100644 | |||
index cc17a0c..9f7ee0b 100644 | |||
--- a/ext/openssl/ossl_ssl.c | |||
+++ b/ext/openssl/ossl_ssl.c | |||
@@ -978,6 +978,31 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) | |||
return v; | |||
} | |||
+/* | |||
+ * call-seq: | |||
+ * ctx.enable_fallback_scsv() => nil | |||
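Review bot: In the patched `SSLContext#initialize`, `self.enable_fallback_scsv if fallback_scsv` sits after `return unless version`, so the option is silently dropped whenever no explicit version is given (`SSLContext.new(fallback_scsv: true)` with the keyword form this hunk appears to introduce on its new side); the commit changes only the parameter form and leaves that ordering. Unless skipping the SCSV for the default method is intended, move the call above the early return, i.e. place `self.enable_fallback_scsv if fallback_scsv` directly after `self.options = self.options | OpenSSL::SSL::OP_ALL`, and note the intent in a comment. Switching from positional `fallback_scsv = false` to keyword `fallback_scsv: false` also changes the call-site API: any caller passing the flag positionally now raises ArgumentError, so callers in this project should be checked.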
@@ -57,6 +71,6 @@ index bcc624f..0c1780b 100644 | |||
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); | |||
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1); | |||
+ rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0); | |||
rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0); | |||
@@ -1,19 +1,7 @@ | |||
diff -ur a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb | |||
--- a/ext/openssl/deprecation.rb 2016-11-11 14:41:20.866580715 +0100 | |||
+++ b/ext/openssl/deprecation.rb 2016-11-11 14:41:37.570583620 +0100 | |||
@@ -19,4 +19,9 @@ | |||
have_func(func, header, deprecated_warning_flag) and | |||
have_header(header, nil, deprecated_warning_flag) | |||
end | |||
+ | |||
+ def self.check_func_or_macro(func, header) | |||
+ check_func(func, header) or | |||
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}") | |||
+ end | |||
end | |||
diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
--- a/ext/openssl/extconf.rb 2016-11-11 12:05:50.490942389 +0100 | |||
+++ b/ext/openssl/extconf.rb 2016-11-11 12:08:46.323026500 +0100 | |||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
index 76487f7..2a4d3a7 100644 | |||
--- a/ext/openssl/extconf.rb | |||
+++ b/ext/openssl/extconf.rb | |||
@@ -93,6 +93,7 @@ | |||
have_func("X509_NAME_hash_old") | |||
have_func("X509_STORE_get_ex_data") | |||
@@ -33,10 +21,11 @@ diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
have_func("SSL_CTX_set_next_proto_select_cb") | |||
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) | |||
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") | |||
diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
--- a/ext/openssl/openssl_missing.c 2016-11-11 12:05:50.858942585 +0100 | |||
+++ b/ext/openssl/openssl_missing.c 2016-11-11 12:10:17.575063207 +0100 | |||
@@ -34,6 +34,43 @@ | |||
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
index 31f2d0a..bc61a96 100644 | |||
--- a/ext/openssl/openssl_missing.c | |||
+++ b/ext/openssl/openssl_missing.c | |||
@@ -34,6 +34,43 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) | |||
#endif /* HAVE_HMAC_CTX_COPY */ | |||
#endif /* NO_HMAC */ | |||
@@ -77,13 +66,14 @@ diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c | |||
+#endif | |||
+#endif | |||
+ | |||
#if !defined(HAVE_X509_STORE_SET_EX_DATA) | |||
int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data) | |||
{ | |||
diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
--- a/ext/openssl/openssl_missing.h 2016-11-11 12:05:51.210942773 +0100 | |||
+++ b/ext/openssl/openssl_missing.h 2016-11-11 12:10:49.307074964 +0100 | |||
@@ -70,6 +70,12 @@ | |||
#if !defined(HAVE_EVP_MD_CTX_CREATE) | |||
EVP_MD_CTX * | |||
EVP_MD_CTX_create(void) | |||
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
index 955579c..6e2f5b5 100644 | |||
--- a/ext/openssl/openssl_missing.h | |||
+++ b/ext/openssl/openssl_missing.h | |||
@@ -70,6 +70,12 @@ void HMAC_CTX_init(HMAC_CTX *ctx); | |||
void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); | |||
#endif | |||
@@ -96,10 +86,11 @@ diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h | |||
#if !defined(HAVE_HMAC_CTX_CLEANUP) | |||
void HMAC_CTX_cleanup(HMAC_CTX *ctx); | |||
#endif | |||
diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
--- a/ext/openssl/ossl_ssl.c 2016-11-11 12:05:51.590942974 +0100 | |||
+++ b/ext/openssl/ossl_ssl.c 2016-11-11 14:47:24.746639981 +0100 | |||
@@ -161,6 +161,18 @@ | |||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
index dc35d5a..cc17a0c 100644 | |||
--- a/ext/openssl/ossl_ssl.c | |||
+++ b/ext/openssl/ossl_ssl.c | |||
@@ -161,6 +161,18 @@ ossl_sslctx_s_alloc(VALUE klass) | |||
RTYPEDDATA_DATA(obj) = ctx; | |||
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj); | |||
@@ -118,7 +109,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
return obj; | |||
} | |||
@@ -711,19 +723,33 @@ | |||
@@ -711,19 +723,33 @@ ossl_sslctx_setup(VALUE self) | |||
#endif | |||
#if !defined(OPENSSL_NO_EC) | |||
@@ -162,7 +153,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
store = GetX509StorePtr(val); /* NO NEED TO DUP */ | |||
SSL_CTX_set_cert_store(ctx, store); | |||
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1); | |||
@@ -731,7 +757,7 @@ | |||
@@ -731,7 +757,7 @@ ossl_sslctx_setup(VALUE self) | |||
val = ossl_sslctx_get_extra_cert(self); | |||
if(!NIL_P(val)){ | |||
@@ -171,7 +162,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
} | |||
/* private key may be bundled in certificate file. */ | |||
@@ -755,22 +781,21 @@ | |||
@@ -755,22 +781,21 @@ ossl_sslctx_setup(VALUE self) | |||
val = ossl_sslctx_get_client_ca(self); | |||
if(!NIL_P(val)){ | |||
@@ -207,7 +198,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
} | |||
val = ossl_sslctx_get_ca_file(self); | |||
@@ -778,15 +803,15 @@ | |||
@@ -778,15 +803,15 @@ ossl_sslctx_setup(VALUE self) | |||
val = ossl_sslctx_get_ca_path(self); | |||
ca_path = NIL_P(val) ? NULL : StringValuePtr(val); | |||
if(ca_file || ca_path){ | |||
@@ -226,7 +217,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
val = ossl_sslctx_get_timeout(self); | |||
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val)); | |||
@@ -797,26 +822,26 @@ | |||
@@ -797,26 +822,26 @@ ossl_sslctx_setup(VALUE self) | |||
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB | |||
val = rb_iv_get(self, "@npn_protocols"); | |||
if (!NIL_P(val)) { | |||
@@ -263,7 +254,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
} | |||
#endif | |||
@@ -824,31 +849,31 @@ | |||
@@ -824,31 +849,31 @@ ossl_sslctx_setup(VALUE self) | |||
val = ossl_sslctx_get_sess_id_ctx(self); | |||
if (!NIL_P(val)){ | |||
@@ -307,7 +298,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
} | |||
#endif | |||
@@ -953,6 +978,87 @@ | |||
@@ -953,6 +978,87 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) | |||
return v; | |||
} | |||
@@ -395,7 +386,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
/* | |||
* call-seq: | |||
* ctx.session_add(session) -> true | false | |||
@@ -2075,6 +2181,7 @@ | |||
@@ -2075,6 +2181,7 @@ Init_ossl_ssl(void) | |||
*/ | |||
rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse); | |||
@@ -403,7 +394,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
/* | |||
* A callback invoked when ECDH parameters are required. | |||
* | |||
@@ -2082,10 +2189,11 @@ | |||
@@ -2082,10 +2189,11 @@ Init_ossl_ssl(void) | |||
* flag indicating the use of an export cipher and the keylength | |||
* required. | |||
* | |||
@@ -417,7 +408,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
/* | |||
* Sets the context in which a session can be reused. This allows | |||
@@ -2221,6 +2329,7 @@ | |||
@@ -2221,6 +2329,7 @@ Init_ossl_ssl(void) | |||
rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1); | |||
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0); | |||
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); | |||
@@ -1,5 +1,5 @@ | |||
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb | |||
index 7bb6cd8..3b18a53 100644 | |||
index 0b7fa2a..76487f7 100644 | |||
--- a/ext/openssl/extconf.rb | |||
+++ b/ext/openssl/extconf.rb | |||
@@ -114,6 +114,7 @@ | |||
@@ -11,7 +11,7 @@ index 7bb6cd8..3b18a53 100644 | |||
have_func("ENGINE_add") | |||
have_func("ENGINE_load_builtin_engines") | |||
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c | |||
index 4075d6f..982e011 100644 | |||
index 7a0eb4e..dc35d5a 100644 | |||
--- a/ext/openssl/ossl_ssl.c | |||
+++ b/ext/openssl/ossl_ssl.c | |||
@@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self) | |||
@@ -38,7 +38,7 @@ index 4075d6f..982e011 100644 | |||
+} | |||
+# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */ | |||
#endif /* !defined(OPENSSL_NO_SOCK) */ | |||
void | |||
@@ -2305,6 +2324,9 @@ Init_ossl_ssl(void) | |||
rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); | |||
@@ -51,13 +51,13 @@ index 4075d6f..982e011 100644 | |||
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); | |||
# endif | |||
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb | |||
index 58fcc08..3ce4e21 100644 | |||
index 2247847..7958f17 100644 | |||
--- a/test/openssl/test_ssl.rb | |||
+++ b/test/openssl/test_ssl.rb | |||
@@ -1169,6 +1169,29 @@ def test_sync_close_without_connect | |||
} | |||
@@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting | |||
sock2.close if sock2 | |||
end | |||
+ def test_get_ephemeral_key | |||
+ return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) | |||
+ ciphers = { | |||
@@ -82,7 +82,7 @@ index 58fcc08..3ce4e21 100644 | |||
+ end | |||
+ | |||
private | |||
def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk) | |||
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb | |||
index 0802c1b..c081e4f 100644 | |||
@@ -95,4 +95,4 @@ index 0802c1b..c081e4f 100644 | |||
+ ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 } | |||
ctx.verify_mode = verify_mode | |||
ctx_proc.call(ctx) if ctx_proc | |||