aeris
/
cryptcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update patches

Browse Source
new-scoring
aeris 6 years ago
parent a212aa0711
commit 7ec4b5a45f
4 changed files with 93 additions and 70 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 44
      Makefile
  2. 28
      fallback_scsv.patch
  3. 73
      set_ecdh_curves.patch
  4. 18
      tmp_key.patch

44
Makefile
Unescape View File

@ -1,20 +1,18 @@
PWD = $(shell pwd)
export CPATH = $(PWD)/openssl/include
export LIBRARY_PATH = $(PWD)/openssl
OPENSSL_LIB_VERSION = 1.0.0
OPENSSL_VERSION = 1.0.2g
#OPENSSL_LIB_VERSION = 1.1
#OPENSSL_VERSION = 1.1.0-pre5
OPENSSL_NAME = openssl-$(OPENSSL_VERSION)
OPENSSL_DIR = build/$(OPENSSL_NAME)
#OPENSSL_DIR = openssl
RUBY_MAJOR_VERSION = 2.3
RUBY_VERSION = $(RUBY_MAJOR_VERSION).1
RUBY_VERSION = $(RUBY_MAJOR_VERSION).3
RUBY_NAME = ruby-$(RUBY_VERSION)
RUBY_DIR = build/$(RUBY_NAME)
RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
RUBY_LIB_DIR = $(RBENV_ROOT)/versions/$(RUBY_VERSION)-cryptcheck/lib/ruby/$(RUBY_MAJOR_VERSION).0
RBENV_ROOT ?= ~/.rbenv
export LIBRARY_PATH = $(PWD)/lib
export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
export LD_LIBRARY_PATH = $(PWD)/lib
.SECONDARY:
@ -45,25 +43,45 @@ build/$(OPENSSL_NAME).tar.gz: | build/
$(OPENSSL_DIR)/: build/$(OPENSSL_NAME).tar.gz build/chacha-poly.patch
tar -C build -xf build/$(OPENSSL_NAME).tar.gz
patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch
#patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch
$(OPENSSL_DIR)/Makefile: | $(OPENSSL_DIR)/
cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-shared linux-x86_64
#cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib enable-rc5 enable-rc2 enable-gost enable-md2 enable-mdc2 enable-shared linux-x86_64
#cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-md2 enable-rc5 enable-weak-ssl-ciphers shared
cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-shared
$(OPENSSL_DIR)/libssl.so \
$(OPENSSL_DIR)/libcrypto.so: $(OPENSSL_DIR)/Makefile
$(MAKE) -C $(OPENSSL_DIR)
LIBS = lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
lib/%.so: $(OPENSSL_DIR)/%.so
cp $< $@
lib/%.so.$(OPENSSL_LIB_VERSION): lib/%.so
ln -fs $(notdir $(subst .$(OPENSSL_LIB_VERSION),,$@)) $@
libs: lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
libs: $(LIBS)
build/$(RUBY_NAME).tar.gz: | build/
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.gz -O $@
build/$(RUBY_VERSION)-cryptcheck: $(RBENV_ROOT)/plugins/ruby-build/share/ruby-build/$(RUBY_VERSION)
cp $< $@
install-ruby: build/$(RUBY_VERSION)-cryptcheck $(LIBS) | $(OPENSSL_DIR)/
cat tmp_key.patch set_ecdh_curves.patch fallback_scsv.patch | \
RUBY_BUILD_CACHE_PATH=$(PWD)/build \
RUBY_BUILD_DEFINITIONS=$(PWD)/build \
rbenv install -fp $(RUBY_VERSION)-cryptcheck
rbenv sequester $(RUBY_VERSION)-cryptcheck
rbenv local $(RUBY_VERSION)-cryptcheck
gem install bundler
bundle
$(RUBY_LIB_DIR)/openssl/ssl.rb: $(RUBY_OPENSSL_EXT_DIR)/lib/openssl/ssl.rb
cp $< $@
$(RUBY_LIB_DIR)/x86_64-linux/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
cp $< $@
sync-ruby: $(RUBY_LIB_DIR)/openssl/ssl.rb $(RUBY_LIB_DIR)/x86_64-linux/openssl.so
build/$(RUBY_NAME).tar.xz: | build/
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@
$(RUBY_DIR)/: build/$(RUBY_NAME).tar.gz
$(RUBY_DIR)/: build/$(RUBY_NAME).tar.xz
tar -C build -xf $<
$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
@ -72,7 +90,7 @@ $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch
cd $(RUBY_OPENSSL_EXT_DIR) && ruby extconf.rb
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(LIBS) $(RUBY_OPENSSL_EXT_DIR)/Makefile
top_srcdir=../.. $(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)
lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so

28
fallback_scsv.patch
Unescape View File

@ -1,5 +1,19 @@
diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
index d773536..f4a6c4b 100644
--- a/ext/openssl/deprecation.rb
+++ b/ext/openssl/deprecation.rb
@@ -19,4 +19,9 @@ def self.check_func(func, header)
have_func(func, header, deprecated_warning_flag) and
have_header(header, nil, deprecated_warning_flag)
end
+
+ def self.check_func_or_macro(func, header)
+ check_func(func, header) or
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
+ end
end
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 57519f2..c5b0c8b 100644
index 9893757..bcb167e 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -105,11 +105,12 @@ class SSLContext
@ -7,23 +21,23 @@ index 57519f2..c5b0c8b 100644
#
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
- def initialize(version = nil)
+ def initialize(version = nil, fallback_scsv = false)
+ def initialize(version = nil, fallback_scsv: false)
INIT_VARS.each { |v| instance_variable_set v, nil }
self.options = self.options | OpenSSL::SSL::OP_ALL
return unless version
self.ssl_version = version
+ self.enable_fallback_scsv if fallback_scsv
end
##
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index bcc624f..0c1780b 100644
index cc17a0c..9f7ee0b 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -978,6 +978,31 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
+/*
+ * call-seq:
+ * ctx.enable_fallback_scsv() => nil
@ -57,6 +71,6 @@ index bcc624f..0c1780b 100644
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
+ rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0);
rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);

73
set_ecdh_curves.patch
Unescape View File

@ -1,19 +1,7 @@
diff -ur a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
--- a/ext/openssl/deprecation.rb 2016-11-11 14:41:20.866580715 +0100
+++ b/ext/openssl/deprecation.rb 2016-11-11 14:41:37.570583620 +0100
@@ -19,4 +19,9 @@
have_func(func, header, deprecated_warning_flag) and
have_header(header, nil, deprecated_warning_flag)
end
+
+ def self.check_func_or_macro(func, header)
+ check_func(func, header) or
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
+ end
end
diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
--- a/ext/openssl/extconf.rb 2016-11-11 12:05:50.490942389 +0100
+++ b/ext/openssl/extconf.rb 2016-11-11 12:08:46.323026500 +0100
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 76487f7..2a4d3a7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -93,6 +93,7 @@
have_func("X509_NAME_hash_old")
have_func("X509_STORE_get_ex_data")
@ -33,10 +21,11 @@ diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
have_func("SSL_CTX_set_next_proto_select_cb")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
--- a/ext/openssl/openssl_missing.c 2016-11-11 12:05:50.858942585 +0100
+++ b/ext/openssl/openssl_missing.c 2016-11-11 12:10:17.575063207 +0100
@@ -34,6 +34,43 @@
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 31f2d0a..bc61a96 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -34,6 +34,43 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
#endif /* HAVE_HMAC_CTX_COPY */
#endif /* NO_HMAC */
@ -77,13 +66,14 @@ diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
+#endif
+#endif
+
#if !defined(HAVE_X509_STORE_SET_EX_DATA)
int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data)
{
diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
--- a/ext/openssl/openssl_missing.h 2016-11-11 12:05:51.210942773 +0100
+++ b/ext/openssl/openssl_missing.h 2016-11-11 12:10:49.307074964 +0100
@@ -70,6 +70,12 @@
#if !defined(HAVE_EVP_MD_CTX_CREATE)
EVP_MD_CTX *
EVP_MD_CTX_create(void)
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 955579c..6e2f5b5 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -70,6 +70,12 @@ void HMAC_CTX_init(HMAC_CTX *ctx);
void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
#endif
@ -96,10 +86,11 @@ diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
#if !defined(HAVE_HMAC_CTX_CLEANUP)
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
#endif
diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
--- a/ext/openssl/ossl_ssl.c 2016-11-11 12:05:51.590942974 +0100
+++ b/ext/openssl/ossl_ssl.c 2016-11-11 14:47:24.746639981 +0100
@@ -161,6 +161,18 @@
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index dc35d5a..cc17a0c 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -161,6 +161,18 @@ ossl_sslctx_s_alloc(VALUE klass)
RTYPEDDATA_DATA(obj) = ctx;
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj);
@ -118,7 +109,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
return obj;
}
@@ -711,19 +723,33 @@
@@ -711,19 +723,33 @@ ossl_sslctx_setup(VALUE self)
#endif
#if !defined(OPENSSL_NO_EC)
@ -162,7 +153,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
store = GetX509StorePtr(val); /* NO NEED TO DUP */
SSL_CTX_set_cert_store(ctx, store);
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
@@ -731,7 +757,7 @@
@@ -731,7 +757,7 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_extra_cert(self);
if(!NIL_P(val)){
@ -171,7 +162,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
/* private key may be bundled in certificate file. */
@@ -755,22 +781,21 @@
@@ -755,22 +781,21 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_client_ca(self);
if(!NIL_P(val)){
@ -207,7 +198,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
val = ossl_sslctx_get_ca_file(self);
@@ -778,15 +803,15 @@
@@ -778,15 +803,15 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_ca_path(self);
ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
if(ca_file || ca_path){
@ -226,7 +217,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
val = ossl_sslctx_get_timeout(self);
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
@@ -797,26 +822,26 @@
@@ -797,26 +822,26 @@ ossl_sslctx_setup(VALUE self)
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
val = rb_iv_get(self, "@npn_protocols");
if (!NIL_P(val)) {
@ -263,7 +254,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
#endif
@@ -824,31 +849,31 @@
@@ -824,31 +849,31 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_sess_id_ctx(self);
if (!NIL_P(val)){
@ -307,7 +298,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
#endif
@@ -953,6 +978,87 @@
@@ -953,6 +978,87 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
@ -395,7 +386,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* call-seq:
* ctx.session_add(session) -> true | false
@@ -2075,6 +2181,7 @@
@@ -2075,6 +2181,7 @@ Init_ossl_ssl(void)
*/
rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
@ -403,7 +394,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* A callback invoked when ECDH parameters are required.
*
@@ -2082,10 +2189,11 @@
@@ -2082,10 +2189,11 @@ Init_ossl_ssl(void)
* flag indicating the use of an export cipher and the keylength
* required.
*
@ -417,7 +408,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* Sets the context in which a session can be reused. This allows
@@ -2221,6 +2329,7 @@
@@ -2221,6 +2329,7 @@ Init_ossl_ssl(void)
rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1);
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);

18
tmp_key.patch
Unescape View File

@ -1,5 +1,5 @@
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 7bb6cd8..3b18a53 100644
index 0b7fa2a..76487f7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -114,6 +114,7 @@
@ -11,7 +11,7 @@ index 7bb6cd8..3b18a53 100644
have_func("ENGINE_add")
have_func("ENGINE_load_builtin_engines")
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 4075d6f..982e011 100644
index 7a0eb4e..dc35d5a 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self)
@ -38,7 +38,7 @@ index 4075d6f..982e011 100644
+}
+# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
void
@@ -2305,6 +2324,9 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1);
@ -51,13 +51,13 @@ index 4075d6f..982e011 100644
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
# endif
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 58fcc08..3ce4e21 100644
index 2247847..7958f17 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -1169,6 +1169,29 @@ def test_sync_close_without_connect
}
@@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting
sock2.close if sock2
end
+ def test_get_ephemeral_key
+ return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
+ ciphers = {
@ -82,7 +82,7 @@ index 58fcc08..3ce4e21 100644
+ end
+
private
def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 0802c1b..c081e4f 100644
@ -95,4 +95,4 @@ index 0802c1b..c081e4f 100644
+ ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc

Write Preview
Loading…
Cancel
Save