
Update patches

new-scoring
aeris 2 years ago
parent
commit
7ec4b5a45f
4 changed files with 93 additions and 70 deletions
  1. 31
    13
      Makefile
  2. 21
    7
      fallback_scsv.patch
  3. 32
    41
      set_ecdh_curves.patch
  4. 9
    9
      tmp_key.patch

+ 31
- 13
Makefile View File

@@ -1,20 +1,18 @@
PWD = $(shell pwd)
export CPATH = $(PWD)/openssl/include
export LIBRARY_PATH = $(PWD)/openssl
OPENSSL_LIB_VERSION = 1.0.0
OPENSSL_VERSION = 1.0.2g
#OPENSSL_LIB_VERSION = 1.1
#OPENSSL_VERSION = 1.1.0-pre5
OPENSSL_NAME = openssl-$(OPENSSL_VERSION)
OPENSSL_DIR = build/$(OPENSSL_NAME)
#OPENSSL_DIR = openssl
RUBY_MAJOR_VERSION = 2.3
RUBY_VERSION = $(RUBY_MAJOR_VERSION).1
RUBY_VERSION = $(RUBY_MAJOR_VERSION).3
RUBY_NAME = ruby-$(RUBY_VERSION)
RUBY_DIR = build/$(RUBY_NAME)
RUBY_OPENSSL_EXT_DIR = $(RUBY_DIR)/ext/openssl
RUBY_LIB_DIR = $(RBENV_ROOT)/versions/$(RUBY_VERSION)-cryptcheck/lib/ruby/$(RUBY_MAJOR_VERSION).0
RBENV_ROOT ?= ~/.rbenv
export LIBRARY_PATH = $(PWD)/lib
export C_INCLUDE_PATH = $(PWD)/$(OPENSSL_DIR)/include
export LD_LIBRARY_PATH = $(PWD)/lib

.SECONDARY:

@@ -45,25 +43,45 @@ build/$(OPENSSL_NAME).tar.gz: | build/

$(OPENSSL_DIR)/: build/$(OPENSSL_NAME).tar.gz build/chacha-poly.patch
tar -C build -xf build/$(OPENSSL_NAME).tar.gz
patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch
#patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch

$(OPENSSL_DIR)/Makefile: | $(OPENSSL_DIR)/
cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-shared linux-x86_64
#cd $(OPENSSL_DIR) && ./Configure enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib enable-rc5 enable-rc2 enable-gost enable-md2 enable-mdc2 enable-shared linux-x86_64
#cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-md2 enable-rc5 enable-weak-ssl-ciphers shared
cd $(OPENSSL_DIR) && ./config enable-ssl2 enable-ssl3 enable-ssl3-method enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-shared

$(OPENSSL_DIR)/libssl.so \
$(OPENSSL_DIR)/libcrypto.so: $(OPENSSL_DIR)/Makefile
$(MAKE) -C $(OPENSSL_DIR)

LIBS = lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
lib/%.so: $(OPENSSL_DIR)/%.so
cp $< $@
lib/%.so.$(OPENSSL_LIB_VERSION): lib/%.so
ln -fs $(notdir $(subst .$(OPENSSL_LIB_VERSION),,$@)) $@
libs: lib/libssl.so lib/libcrypto.so lib/libssl.so.$(OPENSSL_LIB_VERSION) lib/libcrypto.so.$(OPENSSL_LIB_VERSION)
libs: $(LIBS)

build/$(RUBY_NAME).tar.gz: | build/
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.gz -O $@
build/$(RUBY_VERSION)-cryptcheck: $(RBENV_ROOT)/plugins/ruby-build/share/ruby-build/$(RUBY_VERSION)
cp $< $@
install-ruby: build/$(RUBY_VERSION)-cryptcheck $(LIBS) | $(OPENSSL_DIR)/
cat tmp_key.patch set_ecdh_curves.patch fallback_scsv.patch | \
RUBY_BUILD_CACHE_PATH=$(PWD)/build \
RUBY_BUILD_DEFINITIONS=$(PWD)/build \
rbenv install -fp $(RUBY_VERSION)-cryptcheck
rbenv sequester $(RUBY_VERSION)-cryptcheck
rbenv local $(RUBY_VERSION)-cryptcheck
gem install bundler
bundle
$(RUBY_LIB_DIR)/openssl/ssl.rb: $(RUBY_OPENSSL_EXT_DIR)/lib/openssl/ssl.rb
cp $< $@
$(RUBY_LIB_DIR)/x86_64-linux/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
cp $< $@
sync-ruby: $(RUBY_LIB_DIR)/openssl/ssl.rb $(RUBY_LIB_DIR)/x86_64-linux/openssl.so

build/$(RUBY_NAME).tar.xz: | build/
wget http://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@

$(RUBY_DIR)/: build/$(RUBY_NAME).tar.gz
$(RUBY_DIR)/: build/$(RUBY_NAME).tar.xz
tar -C build -xf $<

$(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
@@ -72,7 +90,7 @@ $(RUBY_OPENSSL_EXT_DIR)/Makefile: libs | $(RUBY_DIR)/
patch -d $(RUBY_DIR)/ -p1 < fallback_scsv.patch
cd $(RUBY_OPENSSL_EXT_DIR) && ruby extconf.rb

$(RUBY_OPENSSL_EXT_DIR)/openssl.so: libs $(RUBY_OPENSSL_EXT_DIR)/Makefile
$(RUBY_OPENSSL_EXT_DIR)/openssl.so: $(LIBS) $(RUBY_OPENSSL_EXT_DIR)/Makefile
top_srcdir=../.. $(MAKE) -C $(RUBY_OPENSSL_EXT_DIR)

lib/openssl.so: $(RUBY_OPENSSL_EXT_DIR)/openssl.so
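Review bot: The tarball fetched in the new `build/$(RUBY_NAME).tar.xz` rule is downloaded over plain http and then extracted by the `$(RUBY_DIR)/` rule with no integrity check, so a modified archive would be unpacked, patched and built without any error; the `.tar.gz` rule it replaces has the same shape. cache.ruby-lang.org serves https, and a pinned digest makes the build tamper-evident and reproducible: `wget https://cache.ruby-lang.org/pub/ruby/$(RUBY_MAJOR_VERSION)/$(RUBY_NAME).tar.xz -O $@.tmp`, then `echo "<expected-sha256>  $@.tmp" | sha256sum -c -`, then `mv -f $@.tmp $@` (the placeholder being the digest published with the release; the temp-then-move also keeps an interrupted download from looking up to date). The `rbenv install` path in `install-ruby` may get a checksum from the copied ruby-build definition, but the direct `tar -C build -xf $<` extraction does not. Separately, one of the two `patch -d $(OPENSSL_DIR) -p1 < build/chacha-poly.patch` lines is commented out; if the commented form is the new side, the commented recipe line is dead text and `build/chacha-poly.patch` can be dropped from that rule's prerequisites to say plainly that the patch is disabled.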

+ 21
- 7
fallback_scsv.patch View File

@@ -1,5 +1,19 @@
diff --git a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
index d773536..f4a6c4b 100644
--- a/ext/openssl/deprecation.rb
+++ b/ext/openssl/deprecation.rb
@@ -19,4 +19,9 @@ def self.check_func(func, header)
have_func(func, header, deprecated_warning_flag) and
have_header(header, nil, deprecated_warning_flag)
end
+
+ def self.check_func_or_macro(func, header)
+ check_func(func, header) or
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
+ end
end
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 57519f2..c5b0c8b 100644
index 9893757..bcb167e 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -105,11 +105,12 @@ class SSLContext
@@ -7,23 +21,23 @@ index 57519f2..c5b0c8b 100644
#
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
- def initialize(version = nil)
+ def initialize(version = nil, fallback_scsv = false)
+ def initialize(version = nil, fallback_scsv: false)
INIT_VARS.each { |v| instance_variable_set v, nil }
self.options = self.options | OpenSSL::SSL::OP_ALL
return unless version
self.ssl_version = version
+ self.enable_fallback_scsv if fallback_scsv
end
##
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index bcc624f..0c1780b 100644
index cc17a0c..9f7ee0b 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -978,6 +978,31 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
+/*
+ * call-seq:
+ * ctx.enable_fallback_scsv() => nil
@@ -57,6 +71,6 @@ index bcc624f..0c1780b 100644
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1);
+ rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0);
rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
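Review bot: In the `initialize(version = nil, fallback_scsv: false)` signature, which appears to be the new side of this hunk, the added `self.enable_fallback_scsv if fallback_scsv` line sits after `return unless version`, so a caller passing `fallback_scsv: true` without a version gets a context on which the fallback SCSV was silently never enabled. Placing `self.enable_fallback_scsv if fallback_scsv` directly before `return unless version` makes the option take effect independently of whether a version was given. The positional form the hunk replaces has the same ordering, so this is not introduced by the commit, but it is worth fixing while the signature is being changed. The remainder of `initialize` and the C implementation of `ossl_sslctx_enable_fallback_scsv` lie outside the visible hunks.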

+ 32
- 41
set_ecdh_curves.patch View File

@@ -1,19 +1,7 @@
diff -ur a/ext/openssl/deprecation.rb b/ext/openssl/deprecation.rb
--- a/ext/openssl/deprecation.rb 2016-11-11 14:41:20.866580715 +0100
+++ b/ext/openssl/deprecation.rb 2016-11-11 14:41:37.570583620 +0100
@@ -19,4 +19,9 @@
have_func(func, header, deprecated_warning_flag) and
have_header(header, nil, deprecated_warning_flag)
end
+
+ def self.check_func_or_macro(func, header)
+ check_func(func, header) or
+ have_macro(func, header) && $defs.push("-DHAVE_#{func.upcase}")
+ end
end
diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
--- a/ext/openssl/extconf.rb 2016-11-11 12:05:50.490942389 +0100
+++ b/ext/openssl/extconf.rb 2016-11-11 12:08:46.323026500 +0100
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 76487f7..2a4d3a7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -93,6 +93,7 @@
have_func("X509_NAME_hash_old")
have_func("X509_STORE_get_ex_data")
@@ -33,10 +21,11 @@ diff -ur a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
have_func("SSL_CTX_set_next_proto_select_cb")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
--- a/ext/openssl/openssl_missing.c 2016-11-11 12:05:50.858942585 +0100
+++ b/ext/openssl/openssl_missing.c 2016-11-11 12:10:17.575063207 +0100
@@ -34,6 +34,43 @@
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 31f2d0a..bc61a96 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -34,6 +34,43 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
#endif /* HAVE_HMAC_CTX_COPY */
#endif /* NO_HMAC */
@@ -77,13 +66,14 @@ diff -ur a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
+#endif
+#endif
+
#if !defined(HAVE_X509_STORE_SET_EX_DATA)
int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data)
{
diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
--- a/ext/openssl/openssl_missing.h 2016-11-11 12:05:51.210942773 +0100
+++ b/ext/openssl/openssl_missing.h 2016-11-11 12:10:49.307074964 +0100
@@ -70,6 +70,12 @@
#if !defined(HAVE_EVP_MD_CTX_CREATE)
EVP_MD_CTX *
EVP_MD_CTX_create(void)
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 955579c..6e2f5b5 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -70,6 +70,12 @@ void HMAC_CTX_init(HMAC_CTX *ctx);
void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
#endif
@@ -96,10 +86,11 @@ diff -ur a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
#if !defined(HAVE_HMAC_CTX_CLEANUP)
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
#endif
diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
--- a/ext/openssl/ossl_ssl.c 2016-11-11 12:05:51.590942974 +0100
+++ b/ext/openssl/ossl_ssl.c 2016-11-11 14:47:24.746639981 +0100
@@ -161,6 +161,18 @@
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index dc35d5a..cc17a0c 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -161,6 +161,18 @@ ossl_sslctx_s_alloc(VALUE klass)
RTYPEDDATA_DATA(obj) = ctx;
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_ptr_idx, (void*)obj);
@@ -118,7 +109,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
return obj;
}
@@ -711,19 +723,33 @@
@@ -711,19 +723,33 @@ ossl_sslctx_setup(VALUE self)
#endif
#if !defined(OPENSSL_NO_EC)
@@ -162,7 +153,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
store = GetX509StorePtr(val); /* NO NEED TO DUP */
SSL_CTX_set_cert_store(ctx, store);
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
@@ -731,7 +757,7 @@
@@ -731,7 +757,7 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_extra_cert(self);
if(!NIL_P(val)){
@@ -171,7 +162,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
/* private key may be bundled in certificate file. */
@@ -755,22 +781,21 @@
@@ -755,22 +781,21 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_client_ca(self);
if(!NIL_P(val)){
@@ -207,7 +198,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
val = ossl_sslctx_get_ca_file(self);
@@ -778,15 +803,15 @@
@@ -778,15 +803,15 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_ca_path(self);
ca_path = NIL_P(val) ? NULL : StringValuePtr(val);
if(ca_file || ca_path){
@@ -226,7 +217,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
val = ossl_sslctx_get_timeout(self);
if(!NIL_P(val)) SSL_CTX_set_timeout(ctx, NUM2LONG(val));
@@ -797,26 +822,26 @@
@@ -797,26 +822,26 @@ ossl_sslctx_setup(VALUE self)
#ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
val = rb_iv_get(self, "@npn_protocols");
if (!NIL_P(val)) {
@@ -263,7 +254,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
#endif
@@ -824,31 +849,31 @@
@@ -824,31 +849,31 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_sess_id_ctx(self);
if (!NIL_P(val)){
@@ -307,7 +298,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
}
#endif
@@ -953,6 +978,87 @@
@@ -953,6 +978,87 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
@@ -395,7 +386,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* call-seq:
* ctx.session_add(session) -> true | false
@@ -2075,6 +2181,7 @@
@@ -2075,6 +2181,7 @@ Init_ossl_ssl(void)
*/
rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
@@ -403,7 +394,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* A callback invoked when ECDH parameters are required.
*
@@ -2082,10 +2189,11 @@
@@ -2082,10 +2189,11 @@ Init_ossl_ssl(void)
* flag indicating the use of an export cipher and the keylength
* required.
*
@@ -417,7 +408,7 @@ diff -ur a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
/*
* Sets the context in which a session can be reused. This allows
@@ -2221,6 +2329,7 @@
@@ -2221,6 +2329,7 @@ Init_ossl_ssl(void)
rb_define_method(cSSLContext, "ssl_version=", ossl_sslctx_set_ssl_version, 1);
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);

+ 9
- 9
tmp_key.patch View File

@@ -1,5 +1,5 @@
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 7bb6cd8..3b18a53 100644
index 0b7fa2a..76487f7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -114,6 +114,7 @@
@@ -11,7 +11,7 @@ index 7bb6cd8..3b18a53 100644
have_func("ENGINE_add")
have_func("ENGINE_load_builtin_engines")
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 4075d6f..982e011 100644
index 7a0eb4e..dc35d5a 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1911,6 +1911,25 @@ ossl_ssl_alpn_protocol(VALUE self)
@@ -38,7 +38,7 @@ index 4075d6f..982e011 100644
+}
+# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
void
@@ -2305,6 +2324,9 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1);
@@ -51,13 +51,13 @@ index 4075d6f..982e011 100644
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
# endif
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 58fcc08..3ce4e21 100644
index 2247847..7958f17 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -1169,6 +1169,29 @@ def test_sync_close_without_connect
}
@@ -1191,6 +1191,29 @@ def test_close_and_socket_close_while_connecting
sock2.close if sock2
end
+ def test_get_ephemeral_key
+ return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key)
+ ciphers = {
@@ -82,7 +82,7 @@ index 58fcc08..3ce4e21 100644
+ end
+
private
def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 0802c1b..c081e4f 100644
@@ -95,4 +95,4 @@ index 0802c1b..c081e4f 100644
+ ctx.tmp_ecdh_callback = proc { OpenSSL::TestUtils::TEST_KEY_EC_P256V1 }
ctx.verify_mode = verify_mode
ctx_proc.call(ctx) if ctx_proc
