Update patches

Makefile

@@ -1,20 +1,18 @@
 PWD = $(shell pwd)
-export CPATH = $(PWD)/openssl/include
-export LIBRARY_PATH = $(PWD)/openssl
 OPENSSL_LIB_VERSION = 1.0.0
 OPENSSL_VERSION = 1.0.2g
-#OPENSSL_LIB_VERSION = 1.1
-#OPENSSL_VERSION = 1.1.0-pre5
 OPENSSL_NAME = openssl-$(OPENSSL_VERSION)
 OPENSSL_DIR = build/$(OPENSSL_NAME)
-#OPENSSL_DIR = openssl
 RUBY_MAJOR_VERSION = 2.3
-RUBY_VERSION = $(RUBY_MAJOR_VERSION).1
+RUBY_VERSION = $(RUBY_MAJOR_VERSION).3
 RUBY_NAME = ruby-$(RUBY_VERSION)
 RUBY_DIR = build/$(RUBY_NAME)
 RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
+RUBY_LIB_DIR = $(RBENV_ROOT)/versions/$(RUBY_VERSION)-cryptcheck/lib/ruby/$(RUBY_MAJOR_VERSION).0
+RBENV_ROOT ?= ~/.rbenv
 export LIBRARY_PATH = $(PWD)/lib
 export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
+export LD_LIBRARY_PATH = $(PWD)/lib
 
 .SECONDARY:
 
@@ -45,25 +43,45 @@ build/$(OPENSSL_NAME).tar.gz: | build/
 
 $(OPENSSL_DIR)/: build/$(OPENSSL_NAME).tar.gz build/chacha-poly.patch
 	tar -C build -xf build/$(OPENSSL_NAME).tar.gz
-	patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch
+	#patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch
 
 $(OPENSSL_DIR)/Makefile: | $(OPENSSL_DIR)/
-	cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-shared linux-x86_64
+	#cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib enable-rc5 enable-rc2 enable-gost enable-md2 enable-mdc2 enable-shared linux-x86_64
+	#cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-md2 enable-rc5 enable-weak-ssl-ciphers shared
+	cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-shared
 
 $(OPENSSL_DIR)/libssl.so \
 $(OPENSSL_DIR)/libcrypto.so: $(OPENSSL_DIR)/Makefile
 	$(MAKE) -C $(OPENSSL_DIR)
 
+LIBS = lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
 lib/%.so: $(OPENSSL_DIR)/%.so
 	cp $< $@
 lib/%.so.$(OPENSSL_LIB_VERSION): lib/%.so
 	ln -fs $(notdir $(subst .$(OPENSSL_LIB_VERSION),,$@)) $@
-libs: lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
+libs: $(LIBS)
 
-build/$(RUBY_NAME).tar.gz: | build/
-	wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.gz -O $@
+build/$(RUBY_VERSION)-cryptcheck: $(RBENV_ROOT)/plugins/ruby-build/share/ruby-build/$(RUBY_VERSION)
+	cp $< $@
+install-ruby: build/$(RUBY_VERSION)-cryptcheck $(LIBS) | $(OPENSSL_DIR)/
+	cat tmp_key.patch set_ecdh_curves.patch fallback_scsv.patch | \
+	RUBY_BUILD_CACHE_PATH=$(PWD)/build \
+	RUBY_BUILD_DEFINITIONS=$(PWD)/build \
+	rbenv install -fp $(RUBY_VERSION)-cryptcheck
+	rbenv sequester $(RUBY_VERSION)-cryptcheck
+	rbenv local $(RUBY_VERSION)-cryptcheck
+	gem install bundler
+	bundle
+$(RUBY_LIB_DIR)/openssl/ssl.rb: $(RUBY_OPENSSL_EXT_DIR)/lib/openssl/ssl.rb
+	cp $< $@
+$(RUBY_LIB_DIR)/x86_64-linux/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
+	cp $< $@
+sync-ruby: $(RUBY_LIB_DIR)/openssl/ssl.rb $(RUBY_LIB_DIR)/x86_64-linux/openssl.so
+
+build/$(RUBY_NAME).tar.xz: | build/
+	wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@
 
-$(RUBY_DIR)/: build/$(RUBY_NAME).tar.gz
+$(RUBY_DIR)/: build/$(RUBY_NAME).tar.xz
 	tar -C build -xf $<
 
 $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
@@ -72,7 +90,7 @@ $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
 	patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch
 	cd $(RUBY_OPENSSL_EXT_DIR) && ruby extconf.rb
 
-$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
+$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(LIBS) $(RUBY_OPENSSL_EXT_DIR)/Makefile
 	top_srcdir=../.. $(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)
 
 lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so

fallback_scsv.patch

@@ -1,5 +1,19 @@
+diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
+index d773536..f4a6c4b 100644
+--- a/ext/openssl/deprecation.rb
++++ b/ext/openssl/deprecation.rb
+@@ -19,4 +19,9 @@ def self.check_func(func, header)
+     have_func(func, header, deprecated_warning_flag) and
+       have_header(header, nil, deprecated_warning_flag)
+   end
++
++  def self.check_func_or_macro(func, header)
++    check_func(func, header) or
++    have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
++  end
+ end
 diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
-index 57519f2..c5b0c8b 100644
+index 9893757..bcb167e 100644
 --- a/ext/openssl/lib/openssl/ssl.rb
 +++ b/ext/openssl/lib/openssl/ssl.rb
 @@ -105,11 +105,12 @@ class SSLContext
@@ -7,23 +21,23 @@ index 57519f2..c5b0c8b 100644
        #
        # You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
 -      def initialize(version = nil)
-+      def initialize(version = nil, fallback_scsv = false)
++      def initialize(version = nil, fallback_scsv: false)
          INIT_VARS.each { |v| instance_variable_set v, nil }
          self.options = self.options | OpenSSL::SSL::OP_ALL
          return unless version
          self.ssl_version = version
 +        self.enable_fallback_scsv if fallback_scsv
        end
-
+ 
        ##
 diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
-index bcc624f..0c1780b 100644
+index cc17a0c..9f7ee0b 100644
 --- a/ext/openssl/ossl_ssl.c
 +++ b/ext/openssl/ossl_ssl.c
 @@ -978,6 +978,31 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
      return v;
  }
-
+ 
 +/*
 + * call-seq:
 + *    ctx.enable_fallback_scsv() => nil
@@ -57,6 +71,6 @@ index bcc624f..0c1780b 100644
      rb_define_method(cSSLContext, "ciphers=",    ossl_sslctx_set_ciphers, 1);
      rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
 +    rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0);
-
+ 
      rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
-
+ 

set_ecdh_curves.patch

@@ -1,19 +1,7 @@
-diff -ur a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
---- a/ext/openssl/deprecation.rb	2016-11-11 14:41:20.866580715 +0100
-+++ b/ext/openssl/deprecation.rb	2016-11-11 14:41:37.570583620 +0100
-@@ -19,4 +19,9 @@
-     have_func(func, header, deprecated_warning_flag) and
-       have_header(header, nil, deprecated_warning_flag)
-   end
-+
-+  def self.check_func_or_macro(func, header)
-+    check_func(func, header) or
-+      have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
-+  end
- end
-diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
---- a/ext/openssl/extconf.rb	2016-11-11 12:05:50.490942389 +0100
-+++ b/ext/openssl/extconf.rb	2016-11-11 12:08:46.323026500 +0100
+diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
+index 76487f7..2a4d3a7 100644
+--- a/ext/openssl/extconf.rb
++++ b/ext/openssl/extconf.rb
 @@ -93,6 +93,7 @@
  have_func("X509_NAME_hash_old")
  have_func("X509_STORE_get_ex_data")
@@ -33,10 +21,11 @@ diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
  have_func("SSL_CTX_set_next_proto_select_cb")
  unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
    have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
-diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
---- a/ext/openssl/openssl_missing.c	2016-11-11 12:05:50.858942585 +0100
-+++ b/ext/openssl/openssl_missing.c	2016-11-11 12:10:17.575063207 +0100
-@@ -34,6 +34,43 @@
+diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
+index 31f2d0a..bc61a96 100644
+--- a/ext/openssl/openssl_missing.c
++++ b/ext/openssl/openssl_missing.c
+@@ -34,6 +34,43 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
  #endif /* HAVE_HMAC_CTX_COPY */
  #endif /* NO_HMAC */
  
@@ -77,13 +66,14 @@ diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
 +#endif
 +#endif
 +
- #if !defined(HAVE_X509_STORE_SET_EX_DATA)
- int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data)
- {
-diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
---- a/ext/openssl/openssl_missing.h	2016-11-11 12:05:51.210942773 +0100
-+++ b/ext/openssl/openssl_missing.h	2016-11-11 12:10:49.307074964 +0100
-@@ -70,6 +70,12 @@
+ #if !defined(HAVE_EVP_MD_CTX_CREATE)
+ EVP_MD_CTX *
+ EVP_MD_CTX_create(void)
+diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
+index 955579c..6e2f5b5 100644
+--- a/ext/openssl/openssl_missing.h
++++ b/ext/openssl/openssl_missing.h
+@@ -70,6 +70,12 @@ void HMAC_CTX_init(HMAC_CTX *ctx);
  void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
  #endif
  
@@ -96,10 +86,11 @@ diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
  #if !defined(HAVE_HMAC_CTX_CLEANUP)
  void HMAC_CTX_cleanup(HMAC_CTX *ctx);
  #endif
-diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
---- a/ext/openssl/ossl_ssl.c	2016-11-11 12:05:51.590942974 +0100
-+++ b/ext/openssl/ossl_ssl.c	2016-11-11 14:47:24.746639981 +0100
-@@ -161,6 +161,18 @@
+diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
+index dc35d5a..cc17a0c 100644
+--- a/ext/openssl/ossl_ssl.c
++++ b/ext/openssl/ossl_ssl.c
+@@ -161,6 +161,18 @@ ossl_sslctx_s_alloc(VALUE klass)
      RTYPEDDATA_DATA(obj) = ctx;
      SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj);
  
@@ -118,7 +109,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      return obj;
  }
  
-@@ -711,19 +723,33 @@
+@@ -711,19 +723,33 @@ ossl_sslctx_setup(VALUE self)
  #endif
  
  #if !defined(OPENSSL_NO_EC)
@@ -162,7 +153,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
          store = GetX509StorePtr(val); /* NO NEED TO DUP */
          SSL_CTX_set_cert_store(ctx, store);
          SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
-@@ -731,7 +757,7 @@
+@@ -731,7 +757,7 @@ ossl_sslctx_setup(VALUE self)
  
      val = ossl_sslctx_get_extra_cert(self);
      if(!NIL_P(val)){
@@ -171,7 +162,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      }
  
      /* private key may be bundled in certificate file. */
-@@ -755,22 +781,21 @@
+@@ -755,22 +781,21 @@ ossl_sslctx_setup(VALUE self)
  
      val = ossl_sslctx_get_client_ca(self);
      if(!NIL_P(val)){
@@ -207,7 +198,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      }
  
      val = ossl_sslctx_get_ca_file(self);
-@@ -778,15 +803,15 @@
+@@ -778,15 +803,15 @@ ossl_sslctx_setup(VALUE self)
      val = ossl_sslctx_get_ca_path(self);
      ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
      if(ca_file || ca_path){
@@ -226,7 +217,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
  
      val = ossl_sslctx_get_timeout(self);
      if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
-@@ -797,26 +822,26 @@
+@@ -797,26 +822,26 @@ ossl_sslctx_setup(VALUE self)
  #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
      val = rb_iv_get(self, "@npn_protocols");
      if (!NIL_P(val)) {
@@ -263,7 +254,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      }
  #endif
  
-@@ -824,31 +849,31 @@
+@@ -824,31 +849,31 @@ ossl_sslctx_setup(VALUE self)
  
      val = ossl_sslctx_get_sess_id_ctx(self);
      if (!NIL_P(val)){
@@ -307,7 +298,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      }
  #endif
  
-@@ -953,6 +978,87 @@
+@@ -953,6 +978,87 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
      return v;
  }
  
@@ -395,7 +386,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
  /*
   *  call-seq:
   *     ctx.session_add(session) -> true | false
-@@ -2075,6 +2181,7 @@
+@@ -2075,6 +2181,7 @@ Init_ossl_ssl(void)
       */
      rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
  
@@ -403,7 +394,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
      /*
       * A callback invoked when ECDH parameters are required.
       *
-@@ -2082,10 +2189,11 @@
+@@ -2082,10 +2189,11 @@ Init_ossl_ssl(void)
       * flag indicating the use of an export cipher and the keylength
       * required.
       *
@@ -417,7 +408,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
  
      /*
       * Sets the context in which a session can be reused.  This allows
-@@ -2221,6 +2329,7 @@
+@@ -2221,6 +2329,7 @@ Init_ossl_ssl(void)
      rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1);
      rb_define_method(cSSLContext, "ciphers",     ossl_sslctx_get_ciphers, 0);
      rb_define_method(cSSLContext, "ciphers=",    ossl_sslctx_set_ciphers, 1);

tmp_key.patch

@@ -1,5 +1,5 @@
 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
-index 7bb6cd8..3b18a53 100644
+index 0b7fa2a..76487f7 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
 @@ -114,6 +114,7 @@
@@ -11,7 +11,7 @@ index 7bb6cd8..3b18a53 100644
    have_func("ENGINE_add")
    have_func("ENGINE_load_builtin_engines")
 diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
-index 4075d6f..982e011 100644
+index 7a0eb4e..dc35d5a 100644
 --- a/ext/openssl/ossl_ssl.c
 +++ b/ext/openssl/ossl_ssl.c
 @@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self)
@@ -38,7 +38,7 @@ index 4075d6f..982e011 100644
 +}
 +# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
  #endif /* !defined(OPENSSL_NO_SOCK) */
-
+ 
  void
 @@ -2305,6 +2324,9 @@ Init_ossl_ssl(void)
      rb_define_method(cSSLSocket, "session=",    ossl_ssl_set_session, 1);
@@ -51,13 +51,13 @@ index 4075d6f..982e011 100644
      rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
  # endif
 diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
-index 58fcc08..3ce4e21 100644
+index 2247847..7958f17 100644
 --- a/test/openssl/test_ssl.rb
 +++ b/test/openssl/test_ssl.rb
-@@ -1169,6 +1169,29 @@ def test_sync_close_without_connect
-     }
+@@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting
+     sock2.close if sock2
    end
-
+ 
 +  def test_get_ephemeral_key
 +    return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
 +    ciphers = {
@@ -82,7 +82,7 @@ index 58fcc08..3ce4e21 100644
 +  end
 +
    private
-
+ 
    def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
 diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
 index 0802c1b..c081e4f 100644
@@ -95,4 +95,4 @@ index 0802c1b..c081e4f 100644
 +        ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
          ctx.verify_mode = verify_mode
          ctx_proc.call(ctx) if ctx_proc
-
+