
Available patches from Ubuntu

To see the Ubuntu differences with respect to Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: openssl

openssl (1.1.0h-4ubuntu1) cosmic; urgency=medium * Merge from Debian unstable, remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - s390x: Add support for CPACF enhancements to openssl, for IBM z14. - grab fixes for CVE-2018-0495 and CVE-2018-0732 -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 26 Aug 2018 19:31:06 +0200

Modifications :
  1. Download patch debian/rules

    --- 1.1.0h-4/debian/rules 2018-05-23 12:42:14.000000000 +0000 +++ 1.1.0h-4ubuntu1/debian/rules 2018-08-26 17:05:45.000000000 +0000 @@ -128,6 +128,15 @@ override_dh_fixperms: fi dh_fixperms -a -X etc/ssl/private +override_dh_compress: + dh_compress + # symlink doc files + for p in openssl libssl-dev; do \ + for f in changelog.Debian.gz changelog.gz copyright; do \ + ln -sf ../libssl1.1/$$f debian/$$p/usr/share/doc/$$p/$$f; \ + done; \ + done + override_dh_perl: dh_perl -d
  2. Download patch debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch

    --- 1.1.0h-4/debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/1c3a23e44648524755b74595ad816f5cc881102c.patch 2018-08-26 17:05:45.000000000 +0000
    @@ -0,0 +1,81 @@
    +From 1c3a23e44648524755b74595ad816f5cc881102c Mon Sep 17 00:00:00 2001
    +From: Patrick Steuer <patrick.steuer@de.ibm.com>
    +Date: Tue, 14 Feb 2017 02:07:37 +0100
    +Subject: [PATCH] s390x assembly pack: add KMA code path for aes-ctr.
    +
    +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
    +
    +Reviewed-by: Andy Polyakov <appro@openssl.org>
    +Reviewed-by: Tim Hudson <tjh@openssl.org>
    +(Merged from https://github.com/openssl/openssl/pull/4634)
    +---
    + crypto/aes/asm/aes-s390x.pl | 56 ++++++++++++++++++++++++++++++++++++++++++++-
    + 1 file changed, 55 insertions(+), 1 deletion(-)
    +
    +diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
    +index 0ef1f6b50ab..cfbe1321320 100644
    +--- a/crypto/aes/asm/aes-s390x.pl
    ++++ b/crypto/aes/asm/aes-s390x.pl
    +@@ -1405,7 +1405,61 @@ ()
    + clr %r0,%r1
    + jl .Lctr32_software
    +
    +- stm${g} %r6,$s3,6*$SIZE_T($sp)
    ++ st${g} $s2,10*$SIZE_T($sp)
    ++ st${g} $s3,11*$SIZE_T($sp)
    ++
    ++ clr $len,%r1 # does work even in 64-bit mode
    ++ jle .Lctr32_nokma # kma is slower for <= 16 blocks
    ++
    ++ larl %r1,OPENSSL_s390xcap_P
    ++ lr $s2,%r0
    ++ llihh $s3,0x8000
    ++ srlg $s3,$s3,0($s2)
    ++ ng $s3,S390X_KMA(%r1) # check kma capability vector
    ++ jz .Lctr32_nokma
    ++
    ++ l${g}hi %r1,-$stdframe-112
    ++ l${g}r $s3,$sp
    ++ la $sp,0(%r1,$sp) # prepare parameter block
    ++
    ++ lhi %r1,0x0600
    ++ sllg $len,$len,4
    ++ or %r0,%r1 # set HS and LAAD flags
    ++
    ++ st${g} $s3,0($sp) # backchain
    ++ la %r1,$stdframe($sp)
    ++
    ++ lmg $s2,$s3,0($key) # copy key
    ++ stg $s2,$stdframe+80($sp)
    ++ stg $s3,$stdframe+88($sp)
    ++ lmg $s2,$s3,16($key)
    ++ stg $s2,$stdframe+96($sp)
    ++ stg $s3,$stdframe+104($sp)
    ++
    ++ lmg $s2,$s3,0($ivp) # copy iv
    ++ stg $s2,$stdframe+64($sp)
    ++ ahi $s3,-1 # kma requires counter-1
    ++ stg $s3,$stdframe+72($sp)
    ++ st $s3,$stdframe+12($sp) # copy counter
    ++
    ++ lghi $s2,0 # no AAD
    ++ lghi $s3,0
    ++
    ++ .long 0xb929a042 # kma $out,$s2,$inp
    ++ brc 1,.-4 # pay attention to "partial completion"
    ++
    ++ stg %r0,$stdframe+80($sp) # wipe key
    ++ stg %r0,$stdframe+88($sp)
    ++ stg %r0,$stdframe+96($sp)
    ++ stg %r0,$stdframe+104($sp)
    ++ la $sp,$stdframe+112($sp)
    ++
    ++ lm${g} $s2,$s3,10*$SIZE_T($sp)
    ++ br $ra
    ++
    ++.align 16
    ++.Lctr32_nokma:
    ++ stm${g} %r6,$s1,6*$SIZE_T($sp)
    +
    + slgr $out,$inp
    + la %r1,0($key) # %r1 is permanent copy of $key
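Review bot: The four `# wipe key` stores at the end of the KMA path write %r0, which at that point still holds the function code OR-ed with the HS/LAAD flags rather than zero, and nothing in the patch says that this is intended. They cover only the 32-byte key copy at `$stdframe+80` to `$stdframe+111`; the IV/counter copy and anything KMA writes back into the parameter block stay on the stack after `la $sp,$stdframe+112($sp)`, presumably because they are not secret. A comment at the first store would settle both questions, for example `# overwrite the stack copy of the key; the value in %r0 is irrelevant, other parameter-block fields are not secret`. The enclosing routine starts and ends outside this hunk.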
  3. Download patch debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch

    --- 1.1.0h-4/debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch 2018-08-26 17:05:45.000000000 +0000
    @@ -0,0 +1,29 @@
    +From c0dba2cca4d2bf3526d90a2050bdb17148ce803f Mon Sep 17 00:00:00 2001
    +From: Patrick Steuer <psteuer@mail.de>
    +Date: Sat, 15 Oct 2016 17:41:41 +0200
    +Subject: [PATCH] Fix strict-warnings build
    +
    +crypto/s390xcap.c: internal/cryptlib.h needs to be included for
    +OPENSSL_cpuid_setup function prototype is located there to avoid
    +build error due to -Werror=missing-prototypes.
    +
    +Signed-off-by: Patrick Steuer <psteuer@mail.de>
    +
    +Reviewed-by: Rich Salz <rsalz@openssl.org>
    +Reviewed-by: Richard Levitte <levitte@openssl.org>
    +Reviewed-by: Matt Caswell <matt@openssl.org>
    +CLA: trivial
    +---
    + crypto/s390xcap.c | 1 +
    + 1 file changed, 1 insertion(+)
    +
    +--- a/crypto/s390xcap.c
    ++++ b/crypto/s390xcap.c
    +@@ -12,6 +12,7 @@
    + #include <string.h>
    + #include <setjmp.h>
    + #include <signal.h>
    ++#include "internal/cryptlib.h"
    +
    + unsigned long long OPENSSL_s390xcap_P[10];
    +
  4. Download patch debian/libssl1.1.postinst

    --- 1.1.0h-4/debian/libssl1.1.postinst 2018-05-23 12:42:14.000000000 +0000 +++ 1.1.0h-4ubuntu1/debian/libssl1.1.postinst 2018-08-26 17:05:45.000000000 +0000 @@ -57,6 +57,8 @@ filerc() { if [ "$1" = "configure" ] then if [ ! -z "$2" ]; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. if dpkg --compare-versions "$2" lt 1.0.1g-2; then echo -n "Checking for services that may need to be restarted..." check="amanda-server anon-proxy apache2 apache-ssl" @@ -152,7 +154,11 @@ then if [ "x$RET" != xtrue ]; then db_reset libssl1.1/restart-services db_set libssl1.1/restart-services "$services" - db_input critical libssl1.1/restart-services || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libssl1.1/restart-services || true + else + db_input critical libssl1.1/restart-services || true + fi db_go || true db_get libssl1.1/restart-services @@ -200,7 +206,20 @@ then # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi
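Review bot: The closing comment added in the third hunk, `fi # end upgrading and $2 lt 0.9.8c-2`, does not match the guard it closes, which the first hunk shows as `dpkg --compare-versions "$2" lt 1.0.1g-2`; it should read `fi # end upgrading and $2 lt 1.0.1g-2`. The server test `! pidof /usr/bin/X` is only a proxy, as its comment says. A host where that process is found gets no reboot notification, so its long-running processes keep the old libssl mapped after a security update. A desktop whose display server runs under a different path is treated as a server. A comment next to the test stating both outcomes would help, and it is worth confirming that the path still matches the display server on this release. The postinst body continues outside these hunks.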
  5. Download patch debian/patches/series

    --- 1.1.0h-4/debian/patches/series 2018-05-23 12:42:14.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/series 2018-08-26 17:31:06.000000000 +0000
    @@ -9,3 +9,12 @@ Revert-util-dofile.pl-only-quote-stuff-t
     Fix-regression-with-session-cache-use-by-clients.patch
     openssl-rehash-exit-0-on-warnings-same-as-c_rehash.patch
     RSA-key-generation-ensure-BN_mod_inverse-and-BN_mod_exp_m.patch
    +
    +# s390x CPACF enchancements
    +c0dba2cca4d2bf3526d90a2050bdb17148ce803f.patch
    +bc4e831ccd81a1d22a7462df645c884ce33ea7c0.patch
    +1c3a23e44648524755b74595ad816f5cc881102c.patch
    +e21a84308c02df63715f8867beb4a2b1036bcb35.patch
    +96530eea93d27e536f4e93956256cf8dcda7d469.patch
    +CVE-2018-0495.patch
    +CVE-2018-0732.patch
  6. Download patch debian/patches/CVE-2018-0732.patch

    --- 1.1.0h-4/debian/patches/CVE-2018-0732.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/CVE-2018-0732.patch 2018-08-26 17:05:45.000000000 +0000
    @@ -0,0 +1,42 @@
    +From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
    +From: Guido Vranken <guidovranken@gmail.com>
    +Date: Mon, 11 Jun 2018 19:38:54 +0200
    +Subject: [PATCH] Reject excessively large primes in DH key generation.
    +
    +CVE-2018-0732
    +
    +Signed-off-by: Guido Vranken <guidovranken@gmail.com>
    +
    +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
    +
    +Reviewed-by: Tim Hudson <tjh@openssl.org>
    +Reviewed-by: Matt Caswell <matt@openssl.org>
    +(Merged from https://github.com/openssl/openssl/pull/6457)
    +---
    + crypto/dh/dh_key.c | 7 ++++++-
    + 1 file changed, 6 insertions(+), 1 deletion(-)
    +
    +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
    +index fce9ff4..58003d7 100644
    +--- a/crypto/dh/dh_key.c
    ++++ b/crypto/dh/dh_key.c
    +@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
    + int ok = 0;
    + int generate_new_key = 0;
    + unsigned l;
    +- BN_CTX *ctx;
    ++ BN_CTX *ctx = NULL;
    + BN_MONT_CTX *mont = NULL;
    + BIGNUM *pub_key = NULL, *priv_key = NULL;
    +
    ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
    ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
    ++ return 0;
    ++ }
    ++
    + ctx = BN_CTX_new();
    + if (ctx == NULL)
    + goto err;
    +--
    +2.7.4
    +
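Review bot: The new modulus-size check in generate_key() leaves through a bare `return 0;`, while the other failure visible in the hunk uses `goto err`, so it is correct only as long as nothing is allocated above it. A comment should pin that ordering, for example `/* Keep ahead of every allocation: this path returns without going through err. The modulus may come from the peer, so reject it before doing any work. */`; the peer-supplied part is inferred from the CVE subject line, not visible in the code. `BN_num_bits(dh->p)` is also called with no visible check that `dh->p` is set, and whether callers guarantee that cannot be told from here. The function body continues outside the hunk.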
  7. Download patch debian/patches/96530eea93d27e536f4e93956256cf8dcda7d469.patch
  8. Download patch debian/patches/bc4e831ccd81a1d22a7462df645c884ce33ea7c0.patch
  9. Download patch debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch

    --- 1.1.0h-4/debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/e21a84308c02df63715f8867beb4a2b1036bcb35.patch 2018-08-26 17:05:45.000000000 +0000
    @@ -0,0 +1,36 @@
    +From e21a84308c02df63715f8867beb4a2b1036bcb35 Mon Sep 17 00:00:00 2001
    +From: Patrick Steuer <patrick.steuer@de.ibm.com>
    +Date: Tue, 24 Oct 2017 13:29:40 +0200
    +Subject: [PATCH] crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.
    +
    +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
    +
    +Reviewed-by: Andy Polyakov <appro@openssl.org>
    +Reviewed-by: Tim Hudson <tjh@openssl.org>
    +(Merged from https://github.com/openssl/openssl/pull/4634)
    +---
    + crypto/aes/asm/aes-s390x.pl | 4 ++--
    + 1 file changed, 2 insertions(+), 2 deletions(-)
    +
    +diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
    +index cfbe1321320..bab566223bc 100644
    +--- a/crypto/aes/asm/aes-s390x.pl
    ++++ b/crypto/aes/asm/aes-s390x.pl
    +@@ -1086,7 +1086,7 @@ ()
    + lhi $t1,16
    + cr $t0,$t1
    + jl .Lgo
    +- oill $t0,0x80 # set "decrypt" bit
    ++ oill $t0,S390X_DECRYPT # set "decrypt" bit
    + st $t0,240($key)
    + br $ra
    + ___
    +@@ -1225,7 +1225,7 @@ ()
    + .align 16
    + .Lkmc_truncated:
    + ahi $key,-1 # it's the way it's encoded in mvc
    +- tmll %r0,0x80
    ++ tmll %r0,S390X_DECRYPT
    + jnz .Lkmc_truncated_dec
    + lghi %r1,0
    + stg %r1,16*$SIZE_T($sp)
  10. Download patch debian/patches/CVE-2018-0495.patch

    --- 1.1.0h-4/debian/patches/CVE-2018-0495.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 1.1.0h-4ubuntu1/debian/patches/CVE-2018-0495.patch 2018-08-26 17:05:45.000000000 +0000
    @@ -0,0 +1,158 @@
    +From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001
    +From: Matt Caswell <matt@openssl.org>
    +Date: Fri, 25 May 2018 12:10:13 +0100
    +Subject: [PATCH] Add blinding to an ECDSA signature
    +
    +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
    +ECDSA signature operation. During signing the signer calculates:
    +
    +s:= k^-1 * (m + r * priv_key) mod order
    +
    +The addition operation above provides a sufficient signal for a
    +flush+reload attack to derive the private key given sufficient signature
    +operations.
    +
    +As a mitigation (based on a suggestion from Keegan) we add blinding to
    +the operation so that:
    +
    +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
    +
    +Since this attack is a localhost side channel only no CVE is assigned.
    +
    +Reviewed-by: Rich Salz <rsalz@openssl.org>
    +---
    + CHANGES | 4 +++
    + crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-----
    + 2 files changed, 67 insertions(+), 7 deletions(-)
    +
    +#diff --git a/CHANGES b/CHANGES
    +#index bfd0bcd..b749d9e 100644
    +#--- a/CHANGES
    +#+++ b/CHANGES
    +#@@ -9,6 +9,10 @@
    +#
    +# Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
    +#
    +#+ *) Add blinding to an ECDSA signature to protect against side channel attacks
    +#+ discovered by Keegan Ryan (NCC Group).
    +#+ [Matt Caswell]
    +#+
    +# *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
    +# now allow empty (zero character) pass phrases.
    +# [Richard Levitte]
    +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
    +index 72e2f0f..449be0e 100644
    +--- a/crypto/ec/ecdsa_ossl.c
    ++++ b/crypto/ec/ecdsa_ossl.c
    +@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
    + EC_KEY *eckey)
    + {
    + int ok = 0, i;
    +- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
    ++ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
    ++ BIGNUM *blindm = NULL;
    + const BIGNUM *order, *ckinv;
    + BN_CTX *ctx = NULL;
    + const EC_GROUP *group;
    +@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
    + }
    + s = ret->s;
    +
    +- if ((ctx = BN_CTX_new()) == NULL ||
    +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
    ++ ctx = BN_CTX_secure_new();
    ++ if (ctx == NULL) {
    ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
    ++ goto err;
    ++ }
    ++
    ++ BN_CTX_start(ctx);
    ++ tmp = BN_CTX_get(ctx);
    ++ m = BN_CTX_get(ctx);
    ++ blind = BN_CTX_get(ctx);
    ++ blindm = BN_CTX_get(ctx);
    ++ if (blindm == NULL) {
    + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
    + goto err;
    + }
    +@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
    + }
    + }
    +
    +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
    ++ /*
    ++ * The normal signature calculation is:
    ++ *
    ++ * s := k^-1 * (m + r * priv_key) mod order
    ++ *
    ++ * We will blind this to protect against side channel attacks
    ++ *
    ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
    ++ */
    ++
    ++ /* Generate a blinding value */
    ++ do {
    ++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
    ++ BN_RAND_BOTTOM_ANY))
    ++ goto err;
    ++ } while (BN_is_zero(blind));
    ++ BN_set_flags(blind, BN_FLG_CONSTTIME);
    ++ BN_set_flags(blindm, BN_FLG_CONSTTIME);
    ++ BN_set_flags(tmp, BN_FLG_CONSTTIME);
    ++
    ++ /* tmp := blind * priv_key * r mod order */
    ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
    + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    + goto err;
    + }
    +- if (!BN_mod_add_quick(s, tmp, m, order)) {
    ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
    + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    + goto err;
    + }
    ++
    ++ /* blindm := blind * m mod order */
    ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
    ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    ++ goto err;
    ++ }
    ++
    ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */
    ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) {
    ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    ++ goto err;
    ++ }
    ++
    ++ /* s:= s * blind^-1 mod order */
    ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
    ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    ++ goto err;
    ++ }
    ++ if (!BN_mod_mul(s, s, blind, order, ctx)) {
    ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    ++ goto err;
    ++ }
    ++
    ++ /* s := s * k^-1 mod order */
    + if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
    + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
    + goto err;
    + }
    ++
    + if (BN_is_zero(s)) {
    + /*
    + * if kinv and r have been supplied by the caller don't to
    +@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
    + ECDSA_SIG_free(ret);
    + ret = NULL;
    + }
    ++ BN_CTX_end(ctx);
    + BN_CTX_free(ctx);
    +- BN_clear_free(m);
    +- BN_clear_free(tmp);
    + BN_clear_free(kinv);
    + return ret;
    + }
    +--
    +2.7.4
    +
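Review bot: In the last hunk `BN_CTX_end(ctx)` is added to what looks like the shared `err:` exit path, which can be reached with `ctx == NULL` and without a preceding `BN_CTX_start()`; the patch itself adds `if (ctx == NULL) { ...; goto err; }` right after `BN_CTX_secure_new()`. Whether BN_CTX_end() tolerates NULL in this OpenSSL version is not visible on the page, so unless it does the call should be guarded: `if (ctx != NULL) BN_CTX_end(ctx);`. The same hunk removes `BN_clear_free(m)` and `BN_clear_free(tmp)`, so scrubbing of the blinded intermediates now depends on BN_CTX_free() clearing its pool, which deserves a one-line comment at the cleanup site. The `err` label and the start of ossl_ecdsa_sign_sig() are outside the hunks.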


Source: openssl-ibmca

openssl-ibmca (2.0.0-0ubuntu2) cosmic; urgency=medium * Disable test-suite, as it appears to fail on launchpad builders, yet passes locally when uncontained. -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Fri, 15 Jun 2018 12:44:40 +0100 openssl-ibmca (2.0.0-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776209 * Update debian/copyright to Apache-2 -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Thu, 14 Jun 2018 12:10:32 +0100 openssl-ibmca (1.4.1-0ubuntu1) bionic; urgency=medium * New upstream release * Update watch file to point at github * Build against openssl1.1 with openssl1.1 engine paths LP: #1747626 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 23 Feb 2018 18:06:36 +0000 openssl-ibmca (1.4.0-0ubuntu2) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 17:54:51 +0000 openssl-ibmca (1.4.0-0ubuntu1) artful; urgency=medium * New upstream release * Drop patches applied upstream -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 28 Sep 2017 11:13:14 -0400 openssl-ibmca (1.3.0-0ubuntu5) artful; urgency=medium * Apply upstream patch to resolve crashes when libssl attempts to initialise engine a few times too many. LP: #1543455 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Jul 2017 08:48:51 +0100 openssl-ibmca (1.3.0-0ubuntu4) zesty; urgency=medium * Build against libica.so.3. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 30 Nov 2016 10:24:29 +0000 openssl-ibmca (1.3.0-0ubuntu3) zesty; urgency=medium * Attempt to dlopen libica.so.2, if libica.so (or ctrl provided one) fails. LP: #1605511 * Add depends on libica2. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Oct 2016 15:25:59 +0100 openssl-ibmca (1.3.0-0ubuntu2) xenial; urgency=medium * Correct license information. LP: 1543682 * Add watch file. * Resolves LP: #1538864 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 15 Feb 2016 16:32:05 +0000 openssl-ibmca (1.3.0-0ubuntu1) xenial; urgency=medium * Initial release. 
-- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 05 Feb 2016 06:16:50 +0000

Modifications :
  1. Download patch README.md

    --- 1.4.0-1/README.md 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/README.md 2018-06-08 13:47:56.000000000 +0000 @@ -8,14 +8,14 @@ cryptographic operations. The build requirements are: * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 + * libica-devel >= 3.3.0 * autoconf * automake * libtool The runtime requirements are: * openssl >= 0.9.8 - * libica >= 3.1.1 + * libica >= 3.3.0 ## Installing @@ -27,8 +27,8 @@ $ sudo make install ``` This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere +which is `/usr/local/lib`. It means that the ibmca.so will be installed in +`/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: @@ -48,8 +48,8 @@ in the host by the OpenSSL package. **WA original `openssl.cnf` file before changing it. In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/libibmca.so` by default. However, if the -libibmca.so library has been installed anywhere else, then update the +location, which is `/usr/local/lib/ibmca.so` by default. However, if the +ibmca.so library has been installed anywhere else, then update the *dynamic_path* variable. Locate where the `openssl.cnf` file has been installed in the host and append
  2. Download patch src/ibmca_digest.c
  3. Download patch test/3des-cbc-test.pl

    --- 1.4.0-1/test/3des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/3des-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ede3-cbc", 24, 8);
  4. Download patch test/Makefile.am

    --- 1.4.0-1/test/Makefile.am 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/Makefile.am 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,24 @@
    +TESTS = \
    +des-ecb-test.pl \
    +des-cbc-test.pl \
    +des-cfb-test.pl \
    +des-ofb-test.pl \
    +3des-ecb-test.pl \
    +3des-cbc-test.pl \
    +3des-cfb-test.pl \
    +3des-ofb-test.pl \
    +aes-128-ecb-test.pl \
    +aes-128-cbc-test.pl \
    +aes-128-cfb-test.pl \
    +aes-128-ofb-test.pl \
    +aes-192-ecb-test.pl \
    +aes-192-cbc-test.pl \
    +aes-192-cfb-test.pl \
    +aes-192-ofb-test.pl \
    +aes-256-ecb-test.pl \
    +aes-256-cbc-test.pl \
    +aes-256-cfb-test.pl \
    +aes-256-ofb-test.pl
    +
    +AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf PERL5LIB=${srcdir};
    +EXTRA_DIST = ${TESTS} test.pm openssl-test.cnf
  5. Download patch test/aes-128-ofb-test.pl

    --- 1.4.0-1/test/aes-128-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-128-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-128-ofb", 16, 16);
  6. Download patch src/ibmca_cipher.c
  7. Download patch debian/README.source

    --- 1.4.0-1/debian/README.source 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -# OpenSSL-ibmca - -OpenSSL engine that uses the libica library under s390x to accelerate -cryptographic operations. - - -## Requirements - -The build requirements are: - * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 - * autoconf - * automake - * libtool - -The runtime requirements are: - * openssl >= 0.9.8 - * libica >= 3.1.1 - - -## Installing - -``` -$ ./configure [--enable-debug] -$ make -$ sudo make install -``` - -This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere -else, run "configure" passing the new location via prefix argument, for -example: - -``` -$ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines -``` - - -## Support - -To report a bug please submit a - [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the - following information in the issue description: - -* bug description -* distro release -* openssl-ibmca package version -* libica package version -* steps to reproduce the bug - -Regarding technical or usage questions, send email to - [opencryptoki-tech]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or - [opencryptoki-users]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) - mailing list respectively. - - -## Contributing - -See [CONTRIBUTING.md](https://github.com/opencryptoki/openssl-ibmca/blob/master/CONTRIBUTING.md). - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 11:10:45 -0300
  8. Download patch debian/rules

    --- 1.4.0-1/debian/rules 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/rules 2018-06-15 11:44:33.000000000 +0000 @@ -1,31 +1,15 @@ #!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -#export DH_VERBOSE = 1 - -# see FEATURE AREAS in dpkg-buildflags(1) export DEB_BUILD_MAINT_OPTIONS = hardening=+all -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - %: - dh $@ - -# dh_make generated override targets -# This is example for Cmake (See https://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) + dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/openssl-1.0.2/engines/ + dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/engines-1.1 override_dh_auto_install: dh_auto_install - - # Remove useless files find debian -name '*.la' -delete +override_dh_auto_test: + -dh_auto_test
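Review bot: `-dh_auto_test` in the new `override_dh_auto_test` target makes make ignore every test failure, so the cipher tests this same upload adds under test/ no longer gate the build of a crypto engine. The changelog gives the reason (failures on Launchpad builders), but the rules file does not. It should be recorded where the next maintainer will see it, for example `# Failures ignored: suite fails on Launchpad builders (2.0.0-0ubuntu2); drop the '-' once fixed`. If the failure is specific to the builder environment, skipping the suite only there would let other builds still fail on a broken engine.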
  9. Download patch test/openssl-test.cnf

    --- 1.4.0-1/test/openssl-test.cnf 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/openssl-test.cnf 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,20 @@
    +openssl_conf = openssl_def
    +
    +[openssl_def]
    +engines = engine_section
    +
    +[engine_section]
    +ibmca = ibmca_section
    +
    +[ibmca_section]
    +dynamic_path = $ENV::IBMCA_TEST_PATH
    +engine_id = ibmca
    +init = 1
    +
    +# OpenSSL < 1.1.0
    +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA
    +# PKEY = PKEY_CRYPTO,PKEY_ASN1
    +# OpenSSL >= 1.1.0
    +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC
    +# PKEY = PKEY_CRYPTO,PKEY_ASN1
    +default_algorithms = ALL
  10. Download patch debian/dirs

    --- 1.4.0-1/debian/dirs 2017-09-20 14:18:57.000000000 +0000
    +++ 2.0.0-0ubuntu2/debian/dirs 1970-01-01 00:00:00.000000000 +0000
    @@ -1 +0,0 @@
    -usr/lib
  11. Download patch debian/patches/libica_soname.patch

    --- 1.4.0-1/debian/patches/libica_soname.patch 2017-09-20 14:18:57.000000000 +0000
    +++ 2.0.0-0ubuntu2/debian/patches/libica_soname.patch 1970-01-01 00:00:00.000000000 +0000
    @@ -1,15 +0,0 @@
    -Description: Setting libica so name to libica.so.3
    -Author: Paulo Vital <pvital@gmail.com>
    -Last-Update: 2017-09-20
    -
    ---- a/src/e_ibmca.c
    -+++ b/src/e_ibmca.c
    -@@ -46,7 +46,7 @@
    - #include "e_ibmca_err.h"
    -
    - #define IBMCA_LIB_NAME "ibmca engine"
    --#define LIBICA_SHARED_LIB "libica.so"
    -+#define LIBICA_SHARED_LIB "libica.so.3"
    -
    - #define AP_PATH "/sys/devices/ap"
    -
  12. Download patch src/openssl.cnf.sample

    --- 1.4.0-1/src/openssl.cnf.sample 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/openssl.cnf.sample 2018-06-08 13:47:56.000000000 +0000 @@ -20,10 +20,10 @@ ibmca = ibmca_section [ibmca_section] -# The openssl engine path for libibmca.so. -# Set the dynamic_path to where the libibmca.so engine +# The openssl engine path for ibmca.so. +# Set the dynamic_path to where the ibmca.so engine # resides on the system. -dynamic_path = /usr/local/lib/libibmca.so +dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 @@ -36,17 +36,33 @@ init = 1 # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # +# DH +# - DH key exchange +# +# DSA +# - DSA sign and verify +# # RAND # - Hardware random number generation # +# ECDSA (OpenSSL < 1.1.0) +# - Elliptic Curve DSA sign and verify +# +# ECDH (OpenSSL < 1.1.0) +# - Elliptic Curve DH key exchange +# +# EC (OpenSSL >= 1.1.0) +# - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange +# # CIPHERS -# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, -# DES-EDE3-OFB, AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, -# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, -# AES-256-CBC, AES-256-CFB, AES-256-OFB symmetric crypto +# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, +# DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, +# AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, +# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, +# AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # default_algorithms = ALL -#default_algorithms = RAND,RSA,CIPHERS,DIGESTS +#default_algorithms = RAND,RSA,DH,DSA,CIPHERS,DIGESTS
  13. Download patch src/e_ibmca_err.c

    --- 1.4.0-1/src/e_ibmca_err.c 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/e_ibmca_err.c 2018-06-08 13:47:56.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,11 +15,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include <stdio.h> #include <openssl/err.h> #include "e_ibmca_err.h" 
@@ -27,54 +22,73 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA IBMCA_str_functs[] = { - {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, - {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, - {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, - {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 0), "IBMCA_SHA1_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, - {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, - {0, NULL} + {ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"}, + {ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"}, + {ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"}, + {ERR_PACK(0, IBMCA_F_IBMCA_DES_CIPHER, 0), "IBMCA_DES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_TDES_CIPHER, 0), "IBMCA_TDES_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_UPDATE, 0), "IBMCA_SHA1_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA1_FINAL, 
0), "IBMCA_SHA1_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_128_CIPHER, 0), "IBMCA_AES_128_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_192_CIPHER, 0), "IBMCA_AES_192_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_AES_256_CIPHER, 0), "IBMCA_AES_256_CIPHER"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_UPDATE, 0), "IBMCA_SHA256_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA256_FINAL, 0), "IBMCA_SHA256_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_UPDATE, 0), "IBMCA_SHA512_UPDATE"}, + {ERR_PACK(0, IBMCA_F_IBMCA_SHA512_FINAL, 0), "IBMCA_SHA512_FINAL"}, + {ERR_PACK(0, IBMCA_F_IBMCA_EC_KEY_GEN, 0), "IBMCA_EC_KEY_GEN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDH_COMPUTE_KEY, 0), "IBMCA_ECDH_COMPUTE_KEY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN, 0), "IBMCA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_SIGN_SIG, 0), "IBMCA_ECDSA_SIGN_SIG"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_DO_SIGN, 0), "IBMCA_ECDSA_DO_SIGN"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY, 0), "IBMCA_ECDSA_VERIFY"}, + {ERR_PACK(0, IBMCA_F_IBMCA_ECDSA_VERIFY_SIG, 0), "IBMCA_ECDSA_VERIFY_SIG"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_NEW, 0), "ICA_EC_KEY_NEW"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_INIT, 0), "ICA_EC_KEY_INIT"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GENERATE, 0), "ICA_EC_KEY_GENERATE"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY, 0), "ICA_EC_KEY_GET_PUBLIC_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY, 0), "ICA_EC_KEY_GET_PRIVATE_KEY"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDH_DERIVE_SECRET, 0), "ICA_ECDH_DERIVE_SECRET"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_SIGN, 0), "ICA_ECDSA_SIGN"}, + {ERR_PACK(0, IBMCA_F_ICA_ECDSA_VERIFY, 0), "ICA_ECDSA_VERIFY"}, + {0, NULL} }; static ERR_STRING_DATA IBMCA_str_reasons[] = { - {IBMCA_R_ALREADY_LOADED, "already loaded"}, - {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, - {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, - {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, - "ctrl command not implemented"}, - {IBMCA_R_DSO_FAILURE, "dso failure"}, - {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, - 
{IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, - {IBMCA_R_NOT_INITIALISED, "not initialised"}, - {IBMCA_R_NOT_LOADED, "not loaded"}, - {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, - {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, - {IBMCA_R_REQUEST_FAILED, "request failed"}, - {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, - {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, - {IBMCA_R_UNIT_FAILURE, "unit failure"}, - {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, - {0, NULL} + {IBMCA_R_ALREADY_LOADED, "already loaded"}, + {IBMCA_R_BN_CTX_FULL, "bn ctx full"}, + {IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"}, + {IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"}, + {IBMCA_R_DSO_FAILURE, "dso failure"}, + {IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"}, + {IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"}, + {IBMCA_R_NOT_INITIALISED, "not initialised"}, + {IBMCA_R_NOT_LOADED, "not loaded"}, + {IBMCA_R_OPERANDS_TO_LARGE, "operands to large"}, + {IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"}, + {IBMCA_R_REQUEST_FAILED, "request failed"}, + {IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"}, + {IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"}, + {IBMCA_R_UNIT_FAILURE, "unit failure"}, + {IBMCA_R_CIPHER_MODE_NOT_SUPPORTED, "cipher mode not supported"}, + {IBMCA_R_EC_INVALID_PARM, "ec invalid parameter"}, + {IBMCA_R_EC_UNSUPPORTED_CURVE, "ec unsupported curve"}, + {IBMCA_R_EC_INTERNAL_ERROR, "ec internal error"}, + {IBMCA_R_EC_ICA_EC_KEY_INIT, "ec ica ec key init"}, + {IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING, "ec curve does not support signing"}, + {0, NULL} }; #endif #ifdef IBMCA_LIB_NAME static ERR_STRING_DATA IBMCA_lib_name[] = { - {0, IBMCA_LIB_NAME}, - {0, NULL} + {0, IBMCA_LIB_NAME}, + {0, NULL} }; #endif 
@@ -84,43 +98,41 @@ static int IBMCA_error_init = 1; void ERR_load_IBMCA_strings(void) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); - if (IBMCA_error_init) { - IBMCA_error_init = 0; + if (IBMCA_error_init) { + IBMCA_error_init = 0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - IBMCA_lib_name->error = - ERR_PACK(IBMCA_lib_error_code, 0, 0); - ERR_load_strings(0, IBMCA_lib_name); + IBMCA_lib_name->error = ERR_PACK(IBMCA_lib_error_code, 0, 0); + ERR_load_strings(0, IBMCA_lib_name); #endif - } + } } void ERR_unload_IBMCA_strings(void) { - if (IBMCA_error_init == 0) { + if (IBMCA_error_init == 0) { #ifndef OPENSSL_NO_ERR - ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); - ERR_unload_strings(IBMCA_lib_error_code, - IBMCA_str_reasons); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs); + ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_reasons); #endif #ifdef IBMCA_LIB_NAME - ERR_unload_strings(0, IBMCA_lib_name); + ERR_unload_strings(0, IBMCA_lib_name); #endif - IBMCA_error_init = 1; - } + IBMCA_error_init = 1; + } } void ERR_IBMCA_error(int function, int reason, char *file, int line) { - if (IBMCA_lib_error_code == 0) - IBMCA_lib_error_code = ERR_get_next_error_library(); - ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); + if (IBMCA_lib_error_code == 0) + IBMCA_lib_error_code = ERR_get_next_error_library(); + ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line); }
  14. Download patch debian/control

    --- 1.4.0-1/debian/control 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/control 2018-06-14 11:10:32.000000000 +0000 @@ -1,17 +1,15 @@ Source: openssl-ibmca Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> -Build-Depends: debhelper (>= 10), dh-autoreconf, libica-dev, libssl-dev -Standards-Version: 4.0.0 +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>=10), libica-dev, libssl-dev +Standards-Version: 4.1.4 Section: libs -Homepage: https://github.com/opencryptoki/openssl-ibmca +Homepage: http://sourceforge.net/projects/opencryptoki/files/libica%20OpenSSL%20Engine Package: openssl-ibmca Architecture: s390 s390x Depends: libica3, ${shlibs:Depends}, ${misc:Depends} -Description: libica engine for OpenSSL - This package provides an OpenSSL engine to enable hardware acceleration - of cryptographic functions in OpenSSL, and all applications that use - OpenSSL. - . - This package is specific for s390x architecture. +Description: libica based hardware acceleration engine for OpenSSL + This package provides an OpenSSL engine to enable hardware + acceleration of cryptographic functions in OpenSSL, and all + applications that use OpenSSL.
  15. Download patch test/des-ecb-test.pl

    --- 1.4.0-1/test/des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/des-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ecb", 8, 0);
  16. Download patch debian/patches/dlopen-soname.patch

    --- 1.4.0-1/debian/patches/dlopen-soname.patch 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/debian/patches/dlopen-soname.patch 2018-06-14 11:10:32.000000000 +0000
    @@ -0,0 +1,18 @@
    +Description: Attempt to dlopen libica.so.3, if libica.so (or ctrl provided one) fails
    +Author: Dimitri John Ledkov <xnox@ubuntu.com>
    +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1605511
    +
    +--- a/src/e_ibmca.c
    ++++ b/src/e_ibmca.c
    +@@ -666,7 +666,10 @@
    +
    + /* WJH XXX check name translation */
    +
    +- ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW);
    ++ ibmca_dso = dlopen("libica.so.3", RTLD_NOW);
    ++ if (ibmca_dso == NULL) {
    ++ ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW);
    ++ }
    + if (ibmca_dso == NULL) {
    + DEBUG_PRINTF("%s: dlopen(%s) failed\n", __func__, LIBICA_SHARED_LIB);
    + IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE);
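Review bot: The load order in the added lines is the reverse of what the patch Description states: `dlopen("libica.so.3", RTLD_NOW)` is tried first and `LIBICA_SHARED_LIB` only when that fails, so whatever name `LIBICA_SHARED_LIB` stands for is never used on a system where libica.so.3 loads. If that name can come from configuration (the Description's "ctrl provided one" suggests so, but the macro's definition is outside the hunk), the operator's choice is silently overridden; calling `dlopen(LIBICA_SHARED_LIB, RTLD_NOW)` first and `dlopen("libica.so.3", RTLD_NOW)` as the fallback would match the stated intent. The unchanged `DEBUG_PRINTF` names only `LIBICA_SHARED_LIB` when both attempts fail and would be clearer as `DEBUG_PRINTF("%s: dlopen(libica.so.3 / %s) failed\n", __func__, LIBICA_SHARED_LIB);`. The enclosing function starts and ends outside the hunk.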
  17. Download patch test/aes-128-cfb-test.pl

    --- 1.4.0-1/test/aes-128-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-128-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-128-cfb", 16, 16);
  18. Download patch debian/examples

    --- 1.4.0-1/debian/examples 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/examples 2016-02-05 07:52:14.000000000 +0000 @@ -1 +1 @@ - src/openssl.cnf.sample +src/openssl.cnf.sample
  19. Download patch ibmca.map

    --- 1.4.0-1/ibmca.map 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/ibmca.map 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,9 @@
    +IBMCA_2.0.0 {
    + global:
    + v_check;
    + bind_engine;
    + ENGINE_load_ibmca;
    +
    + local:
    + *;
    +};
  20. Download patch ChangeLog

    --- 1.4.0-1/ChangeLog 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/ChangeLog 2018-06-08 13:47:56.000000000 +0000 @@ -1,3 +1,20 @@ +* openssl-ibmca 2.0.0 +- Add ECC support. +- Add check and distcheck make-targets. +- Project cleanup, code was broken into multiple files and coding style cleanup. +- Improvements to compat macros for openssl. +- Don't disable libica sw fallbacks. +- Fix dlclose logic. + +* openssl-ibmca 1.4.1 +- Fix structure size for aes-256-ecb/cbc/cfb/ofb +- Update man page +- Switch to ibmca.so filename to allow standalone use +- Switch off Libica fallback mode if available +- Make sure ibmca_init only runs once +- Provide simple macro for DEBUG_PRINTF possibility +- Cleanup and slight rework of function set_supported_meths + * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization.
  21. Download patch src/e_ibmca_err.h

    --- 1.4.0-1/src/e_ibmca_err.h 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/e_ibmca_err.h 2018-06-08 13:47:56.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,9 +19,6 @@ #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); 
@@ -30,41 +27,61 @@ void ERR_IBMCA_error(int function, int r /* Error codes for the IBMCA functions. */ /* Function codes. */ -#define IBMCA_F_IBMCA_CTRL 100 -#define IBMCA_F_IBMCA_FINISH 101 -#define IBMCA_F_IBMCA_INIT 102 -#define IBMCA_F_IBMCA_MOD_EXP 103 -#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 -#define IBMCA_F_IBMCA_RAND_BYTES 105 -#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 -#define IBMCA_F_IBMCA_DES_CIPHER 107 -#define IBMCA_F_IBMCA_TDES_CIPHER 108 -#define IBMCA_F_IBMCA_SHA1_UPDATE 109 -#define IBMCA_F_IBMCA_SHA1_FINAL 110 -#define IBMCA_F_IBMCA_AES_128_CIPHER 111 -#define IBMCA_F_IBMCA_AES_192_CIPHER 112 -#define IBMCA_F_IBMCA_AES_256_CIPHER 113 -#define IBMCA_F_IBMCA_SHA256_UPDATE 114 -#define IBMCA_F_IBMCA_SHA256_FINAL 115 -#define IBMCA_F_IBMCA_SHA512_UPDATE 116 -#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_CTRL 100 +#define IBMCA_F_IBMCA_FINISH 101 +#define IBMCA_F_IBMCA_INIT 102 +#define IBMCA_F_IBMCA_MOD_EXP 103 +#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 +#define IBMCA_F_IBMCA_RAND_BYTES 105 +#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 +#define IBMCA_F_IBMCA_DES_CIPHER 107 +#define IBMCA_F_IBMCA_TDES_CIPHER 108 +#define IBMCA_F_IBMCA_SHA1_UPDATE 109 +#define IBMCA_F_IBMCA_SHA1_FINAL 110 +#define IBMCA_F_IBMCA_AES_128_CIPHER 111 +#define IBMCA_F_IBMCA_AES_192_CIPHER 112 +#define IBMCA_F_IBMCA_AES_256_CIPHER 113 +#define IBMCA_F_IBMCA_SHA256_UPDATE 114 +#define IBMCA_F_IBMCA_SHA256_FINAL 115 +#define IBMCA_F_IBMCA_SHA512_UPDATE 116 +#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_EC_KEY_GEN 120 +#define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 +#define IBMCA_F_IBMCA_ECDSA_SIGN 122 +#define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 +#define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 +#define IBMCA_F_IBMCA_ECDSA_VERIFY 125 +#define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 +#define IBMCA_F_ICA_EC_KEY_NEW 127 +#define IBMCA_F_ICA_EC_KEY_INIT 128 +#define IBMCA_F_ICA_EC_KEY_GENERATE 129 +#define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 +#define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 
131 +#define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 +#define IBMCA_F_ICA_ECDSA_SIGN 133 +#define IBMCA_F_ICA_ECDSA_VERIFY 134 /* Reason codes. */ -#define IBMCA_R_ALREADY_LOADED 100 -#define IBMCA_R_BN_CTX_FULL 101 -#define IBMCA_R_BN_EXPAND_FAIL 102 -#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 -#define IBMCA_R_DSO_FAILURE 104 -#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 -#define IBMCA_R_MISSING_KEY_COMPONENTS 105 -#define IBMCA_R_NOT_INITIALISED 106 -#define IBMCA_R_NOT_LOADED 107 -#define IBMCA_R_OPERANDS_TO_LARGE 111 -#define IBMCA_R_OUTLEN_TO_LARGE 112 -#define IBMCA_R_REQUEST_FAILED 108 -#define IBMCA_R_UNDERFLOW_CONDITION 113 -#define IBMCA_R_UNDERFLOW_KEYRECORD 114 -#define IBMCA_R_UNIT_FAILURE 109 -#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_ALREADY_LOADED 100 +#define IBMCA_R_BN_CTX_FULL 101 +#define IBMCA_R_BN_EXPAND_FAIL 102 +#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 +#define IBMCA_R_DSO_FAILURE 104 +#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 +#define IBMCA_R_MISSING_KEY_COMPONENTS 105 +#define IBMCA_R_NOT_INITIALISED 106 +#define IBMCA_R_NOT_LOADED 107 +#define IBMCA_R_OPERANDS_TO_LARGE 111 +#define IBMCA_R_OUTLEN_TO_LARGE 112 +#define IBMCA_R_REQUEST_FAILED 108 +#define IBMCA_R_UNDERFLOW_CONDITION 113 +#define IBMCA_R_UNDERFLOW_KEYRECORD 114 +#define IBMCA_R_UNIT_FAILURE 109 +#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_EC_INVALID_PARM 120 +#define IBMCA_R_EC_UNSUPPORTED_CURVE 121 +#define IBMCA_R_EC_INTERNAL_ERROR 122 +#define IBMCA_R_EC_ICA_EC_KEY_INIT 123 +#define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 #endif
  22. Download patch configure.ac

    --- 1.4.0-1/configure.ac 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/configure.ac 2018-06-08 13:47:56.000000000 +0000 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [1.4.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.0.0], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -23,16 +23,16 @@ fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC -AC_PROG_LIBTOOL +LT_INIT # Checks for libraries. AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 0.9.8 is required ***])) -AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 2.4.0 is required ***])) +AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 3.3.0 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) -AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 2.4.0 is required ***])) +AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.3.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. @@ -44,12 +44,13 @@ AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB], [], - AC_MSG_ERROR([*** libica >= 2.4.0 and libica-devel >= 2.4.0 are required ***]), + AC_MSG_ERROR([*** libica >= 3.3.0 and libica-devel >= 3.3.0 are required ***]), [#include <ica_api.h>]) AC_CONFIG_FILES([ Makefile src/Makefile + test/Makefile src/doc/Makefile]) AC_OUTPUT
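Review bot: The error messages now ask for libica >= 3.3.0, but the probes behind them are unchanged: `AC_CHECK_LIB([ica], [ica_get_functionlist], ...)` and the `AC_CHECK_DECLS` list still test only symbols that the previous 2.4.0 requirement already satisfied. A build against an older libica therefore passes configure and fails later, at compile time or, because the library is opened with dlopen, possibly only at run time. Adding one of the EC entry points this release depends on to the declaration check would enforce the stated minimum, for example `AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB,ica_ec_key_new], ...)` (symbol name to be confirmed against ica_api.h).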
  23. Download patch src/ibmca_dsa.c

    --- 1.4.0-1/src/ibmca_dsa.c 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/src/ibmca_dsa.c 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,135 @@
    +/*
    + * Copyright [2005-2018] International Business Machines Corp.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + *
    + */
    +
    +#include <openssl/dsa.h>
    +#include "ibmca.h"
    +
    +#ifndef OPENSSL_NO_DSA
    +
    +/* This code was liberated and adapted from the commented-out code in
    + * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration
    + * (it doesn't have a CRT form for RSA), this function means that an
    + * Ibmca system running with a DSA server certificate can handshake
    + * around 5 or 6 times faster/more than an equivalent system running with
    + * RSA. Just check out the "signs" statistics from the RSA and DSA parts
    + * of "openssl speed -engine ibmca dsa1024 rsa1024". */
    +#ifdef OLDER_OPENSSL
    +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
    + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
    + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
    +#else
    +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1,
    + const BIGNUM *p1, const BIGNUM *a2,
    + const BIGNUM *p2, const BIGNUM *m,
    + BN_CTX *ctx, BN_MONT_CTX *in_mont)
    +#endif
    +{
    + BIGNUM *t;
    + int to_return = 0;
    +
    + t = BN_new();
    + /* let rr = a1 ^ p1 mod m */
    + if (!ibmca_mod_exp(rr, a1, p1, m, ctx))
    + goto end;
    + /* let t = a2 ^ p2 mod m */
    + if (!ibmca_mod_exp(t, a2, p2, m, ctx))
    + goto end;
    + /* let rr = rr * t mod m */
    + if (!BN_mod_mul(rr, rr, t, m, ctx))
    + goto end;
    +
    + to_return = 1;
    +
    +end:
    + BN_free(t);
    +
    + return to_return;
    +}
    +
    +#ifdef OLDER_OPENSSL
    +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
    + const BIGNUM *p, const BIGNUM *m,
    + BN_CTX *ctx, BN_MONT_CTX *m_ctx)
    +#else
    +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a,
    + const BIGNUM *p, const BIGNUM *m,
    + BN_CTX *ctx, BN_MONT_CTX *m_ctx)
    +#endif
    +{
    + return ibmca_mod_exp(r, a, p, m, ctx);
    +}
    +
    +
    +#ifdef OLDER_OPENSSL
    +static DSA_METHOD dsa_m = {
    + "Ibmca DSA method", /* name */
    + NULL, /* dsa_do_sign */
    + NULL, /* dsa_sign_setup */
    + NULL, /* dsa_do_verify */
    + ibmca_dsa_mod_exp, /* dsa_mod_exp */
    + ibmca_mod_exp_dsa, /* bn_mod_exp */
    + NULL, /* init */
    + NULL, /* finish */
    + 0, /* flags */
    + NULL /* app_data */
    +};
    +
    +DSA_METHOD *ibmca_dsa(void)
    +{
    + const DSA_METHOD *meth1 = DSA_OpenSSL();
    +
    + dsa_m.dsa_do_sign = meth1->dsa_do_sign;
    + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup;
    + dsa_m.dsa_do_verify = meth1->dsa_do_verify;
    +
    + return &dsa_m;
    +}
    +
    +#else
    +static DSA_METHOD *dsa_m = NULL;
    +DSA_METHOD *ibmca_dsa(void)
    +{
    + const DSA_METHOD *meth1;
    + DSA_METHOD *method;
    +
    + if (dsa_m != NULL)
    + goto done;
    +
    + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL
    + || (meth1 = DSA_OpenSSL()) == NULL
    + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1))
    + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1))
    + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1))
    + || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp)
    + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa)) {
    + DSA_meth_free(method);
    + method = NULL;
    + meth1 = NULL;
    + }
    +
    + dsa_m = method;
    +
    +done:
    + return dsa_m;
    +}
    +
    +void ibmca_dsa_destroy(void)
    +{
    + DSA_meth_free(dsa_m);
    +}
    +#endif
    +#endif /* endif OPENSSL_NO_DSA */
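Review bot: `ibmca_dsa_destroy()` frees `dsa_m` but leaves the pointer set, so a later `ibmca_dsa()` call takes the `dsa_m != NULL` shortcut and returns freed memory, and a second destroy frees it twice; the body should be `DSA_meth_free(dsa_m); dsa_m = NULL;`. `ibmca_dh_destroy()` in src/ibmca_dh.c has the same pattern with `dh_m`. Separately, in `ibmca_dsa_mod_exp()` the result of `t = BN_new();` is passed on unchecked; adding `if (t == NULL) goto end;` right after it is safe because `BN_free(NULL)` is a no-op. Whether the engine can be finished and initialised again within one process is not visible here, so the first point is hardening unless some caller does that.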
  24. Download patch test/des-ofb-test.pl

    --- 1.4.0-1/test/des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/des-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ofb", 8, 8);
  25. Download patch test/aes-128-cbc-test.pl

    --- 1.4.0-1/test/aes-128-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-128-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-128-cbc", 16, 16);
  26. Download patch test/aes-256-ecb-test.pl

    --- 1.4.0-1/test/aes-256-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-256-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-256-ecb", 32, 0);
  27. Download patch test/aes-192-ecb-test.pl

    --- 1.4.0-1/test/aes-192-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-192-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-192-ecb", 24, 0);
  28. Download patch src/ibmca_rsa.c
  29. Download patch test/aes-256-ofb-test.pl

    --- 1.4.0-1/test/aes-256-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-256-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-256-ofb", 32, 16);
  30. Download patch test/aes-192-ofb-test.pl

    --- 1.4.0-1/test/aes-192-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-192-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-192-ofb", 24, 16);
  31. Download patch src/ibmca_dh.c

    --- 1.4.0-1/src/ibmca_dh.c 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/src/ibmca_dh.c 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,86 @@
    +/*
    + * Copyright [2005-2018] International Business Machines Corp.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + *
    + */
    +
    +#include <openssl/dh.h>
    +#include "ibmca.h"
    +
    +#ifndef OPENSSL_NO_DH
    +
    +/* This function is aliased to mod_exp (with the dh and mont dropped). */
    +static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r,
    + const BIGNUM *a, const BIGNUM *p,
    + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
    +{
    + return ibmca_mod_exp(r, a, p, m, ctx);
    +}
    +
    +
    +#ifdef OLDER_OPENSSL
    +static DH_METHOD dh_m = {
    + "Ibmca DH method", /* name */
    + NULL, /* generate_key */
    + NULL, /* compute_key */
    + ibmca_mod_exp_dh, /* bn_mod_exp */
    + NULL, /* init */
    + NULL, /* finish */
    + 0, /* flags */
    + NULL /* app_data */
    +};
    +
    +DH_METHOD *ibmca_dh(void)
    +{
    + const DH_METHOD *meth1 = DH_OpenSSL();
    +
    + dh_m.generate_key = meth1->generate_key;
    + dh_m.compute_key = meth1->compute_key;
    +
    + return &dh_m;
    +}
    +
    +#else
    +static DH_METHOD *dh_m = NULL;
    +DH_METHOD *ibmca_dh(void)
    +{
    + const DH_METHOD *meth1;
    + DH_METHOD *method;
    +
    + if (dh_m != NULL)
    + goto done;
    +
    + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL
    + || (meth1 = DH_OpenSSL()) == NULL
    + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1))
    + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1))
    + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh)) {
    + DH_meth_free(method);
    + method = NULL;
    + meth1 = NULL;
    + }
    +
    + dh_m = method;
    +
    +done:
    + return dh_m;
    +}
    +
    +void ibmca_dh_destroy(void)
    +{
    + DH_meth_free(dh_m);
    +}
    +#endif
    +
    +#endif /* end OPENSSL_NO_DH */
  32. Download patch src/test/ibmca_mechaList_test.c
  33. Download patch test/test.pm

    --- 1.4.0-1/test/test.pm 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/test.pm 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,47 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +
    +package test;
    +
    +sub cipher {
    + my $tests = 50;
    + my $max_file_size = 1024;
    + my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}";
    + my @hex = ("a".."f", "0".."9");
    +
    + my ($cipher,$keylen,$ivlen) = @_;
    +
    + # skip if engine not loaded
    + exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/);
    +
    + for my $i (1..$tests) {
    + my $bytes = 1 + int(rand($max_file_size));
    + my $key = "";
    + $key .= $hex[rand(@hex)] for (1..$keylen);
    + my $iv = "";
    + if ($ivlen > 0) {
    + $iv .= $hex[rand(@hex)] for (1..$ivlen);
    + $iv = "-iv $iv";
    + }
    +
    + # engine enc, no-engine dec
    + `openssl rand $bytes > data.in`;
    + `$eng openssl $cipher -e -K $key $iv -in data.in -out data.enc`;
    + `openssl $cipher -d -K $key $iv -in data.enc -out data.dec`;
    + `cmp data.in data.dec`;
    + exit(1) if ($?);
    +
    + # no-engine enc, engine dec
    + `openssl rand $bytes > data.in`;
    + `openssl $cipher -e -K $key $iv -in data.in -out data.enc`;
    + `$eng openssl $cipher -d -K $key $iv -in data.enc -out data.dec`;
    + `cmp data.in data.dec`;
    + exit(1) if ($?);
    + }
    +
    + `rm -f data.in data.enc data.dec`;
    +}
    +
    +1;
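Review bot: The key and IV strings built in `cipher` are half the length the callers ask for: `$keylen` and `$ivlen` are byte counts (16 for aes-128), but `$key .= $hex[rand(@hex)] for (1..$keylen);` appends one hex digit per iteration, so only half of the bytes are random. As far as I know `openssl enc` pads a short `-K` or `-iv` value with zero bytes, so the round trip still passes while the engine is only exercised with keys whose second half is zero; `for (1..2*$keylen)` and `for (1..2*$ivlen)` would give full-length values. The fixed names `data.in`, `data.enc` and `data.dec` are also shared by every `*-test.pl` script, so a parallel `make check` can have tests overwrite each other's files; a per-process suffix such as the PID avoids that. Only the exit status of `cmp` is checked, so a failing `openssl` invocation shows up as a data mismatch rather than as the command error.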
  34. Download patch src/Makefile.am

    --- 1.4.0-1/src/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/Makefile.am 2018-06-08 13:47:56.000000000 +0000 @@ -1,10 +1,21 @@ -lib_LTLIBRARIES=libibmca.la +VERSION = 2:0:0 -libibmca_la_SOURCES=e_ibmca.c e_ibmca_err.c -libibmca_la_LIBADD=-ldl -libibmca_la_LDFLAGS=-module -version-info 0:2:0 -shared -no-undefined -avoid-version +lib_LTLIBRARIES=ibmca.la -dist_libibmca_la_SOURCES=e_ibmca_err.h e_os.h cryptlib.h +ibmca_la_SOURCES=e_ibmca.c \ + e_ibmca_err.c \ + ibmca_cipher.c \ + ibmca_digest.c \ + ibmca_rsa.c \ + ibmca_dsa.c \ + ibmca_dh.c \ + ibmca_ec.c + +ibmca_la_LIBADD=-ldl +ibmca_la_LDFLAGS=-module -version-info ${VERSION} -shared -no-undefined \ + -Wl,--version-script=${srcdir}/../ibmca.map + +dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4
  35. Download patch test/des-cfb-test.pl

    --- 1.4.0-1/test/des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/des-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-cfb", 8, 8);
  36. Download patch test/3des-ecb-test.pl

    --- 1.4.0-1/test/3des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/3des-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ede3", 24, 0);
  37. Download patch src/e_ibmca.c
  38. Download patch debian/watch

    --- 1.4.0-1/debian/watch 2017-09-20 14:18:57.000000000 +0000
    +++ 2.0.0-0ubuntu2/debian/watch 2016-02-15 16:29:52.000000000 +0000
    @@ -1,4 +1,2 @@
    -version=4
    -opts="mode=git, pgpmode=none" \
    -https://github.com/opencryptoki/openssl-ibmca.git refs/tags/v?(.*) \
    -debian /bin/sh uupdate
    +version=3
    +http://sf.net/opencryptoki/openssl-ibmca-(.+)\.tar.bz2
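Review bot: The new watch line tracks the SourceForge file area, while the spec file in this same upload and the Debian side of this diff both name github.com/opencryptoki/openssl-ibmca as the upstream location. If releases are no longer published on SourceForge, uscan will not report new upstream versions, security releases included. The URL is also plain `http://` and, like the `pgpmode=none` stanza it replaces, checks no signature, so nothing in the watch file authenticates a downloaded tarball (how uscan rewrites sf.net URLs may soften the transport part). Keeping the Debian `mode=git` stanza against the GitHub repository would avoid the stale-location problem.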
  39. Download patch test/des-cbc-test.pl

    --- 1.4.0-1/test/des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/des-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-cbc", 8, 8);
  40. Download patch debian/patches/series

    --- 1.4.0-1/debian/patches/series 2017-09-20 13:40:30.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/series 2017-09-28 15:13:14.000000000 +0000 @@ -1,2 +1,2 @@ openssl-config.patch -libica_soname.patch +dlopen-soname.patch
  41. Download patch test/aes-256-cfb-test.pl

    --- 1.4.0-1/test/aes-256-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-256-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-256-cfb", 32, 16);
  42. Download patch test/aes-192-cfb-test.pl

    --- 1.4.0-1/test/aes-192-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-192-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-192-cfb", 24, 16);
  43. Download patch debian/README.Debian

    --- 1.4.0-1/debian/README.Debian 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -openssl-ibmca for Debian ------------------------ - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location in Debian, which is -/usr/lib/s390x-linux-gnu/openssl-1.0.2/engine/libibmca.so - -Append the `openssl.cnf.sample` file to it `/etc/ssl/openssl.cnf` file; - -``` -$ cat /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample >> /etc/ssl/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the -IBMCA engine and all the supported cryptographic methods. - -``` -$ openssl engine -c -(dynamic) Dynamic engine loading support -(ibmca) Ibmca hardware engine support -[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, - DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, - AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, - AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] -$ -``` - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 10:47:45 -0300
  44. Download patch test/3des-ofb-test.pl

    --- 1.4.0-1/test/3des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/3des-ofb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ede3-ofb", 24, 8);
  45. Download patch debian/patches/openssl-config.patch

    --- 1.4.0-1/debian/patches/openssl-config.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/patches/openssl-config.patch 2018-02-23 18:06:36.000000000 +0000 @@ -1,15 +1,14 @@ -Description: correct engine location to the multiarch location -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - +Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample +=================================================================== --- a/src/openssl.cnf.sample +++ b/src/openssl.cnf.sample -@@ -23,7 +23,7 @@ - # The openssl engine path for libibmca.so. - # Set the dynamic_path to where the libibmca.so engine +@@ -23,7 +23,8 @@ + # The openssl engine path for ibmca.so. + # Set the dynamic_path to where the ibmca.so engine # resides on the system. --dynamic_path = /usr/local/lib/libibmca.so -+dynamic_path = /usr/lib/s390x-linux-gnu/openssl-1.0.2/engines/libibmca.so +-dynamic_path = /usr/local/lib/ibmca.so ++dynamic_path = /usr/lib/s390x-linux-gnu/engines-1.1/ibmca.so ++ engine_id = ibmca init = 1
  46. Download patch src/ibmca_ec.c
  47. Download patch test/aes-256-cbc-test.pl

    --- 1.4.0-1/test/aes-256-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-256-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-256-cbc", 32, 16);
  48. Download patch test/aes-192-cbc-test.pl

    --- 1.4.0-1/test/aes-192-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-192-cbc-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-192-cbc", 24, 16);
  49. Download patch debian/docs

    --- 1.4.0-1/debian/docs 2017-09-20 14:18:57.000000000 +0000 +++ 2.0.0-0ubuntu2/debian/docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -debian/README.source -debian/README.Debian
  50. Download patch src/doc/ibmca.man

    --- 1.4.0-1/src/doc/ibmca.man 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/src/doc/ibmca.man 2018-06-08 13:47:56.000000000 +0000 @@ -7,8 +7,7 @@ accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. -The engine can be configured by the IBMCA configuration file. The OpenSSL -configuration file is only needed to attach the engine. +The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes @@ -25,7 +24,7 @@ discover control commands. Options for the IBMCA section in openssl.cnf: .PP dynamic_path = -.I /path/to/libibmca.so +.I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE
  51. Download patch test/3des-cfb-test.pl

    --- 1.4.0-1/test/3des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/3des-cfb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("des-ede3-cfb", 24, 8);
  52. Download patch test/aes-128-ecb-test.pl

    --- 1.4.0-1/test/aes-128-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000
    +++ 2.0.0-0ubuntu2/test/aes-128-ecb-test.pl 2018-06-08 13:47:56.000000000 +0000
    @@ -0,0 +1,7 @@
    +#!/usr/bin/env perl
    +
    +use strict;
    +use warnings;
    +use test;
    +
    +test::cipher("aes-128-ecb", 16, 0);
  53. Download patch Makefile.am

    --- 1.4.0-1/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/Makefile.am 2018-06-08 13:47:56.000000000 +0000 @@ -1,4 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src +SUBDIRS = src test -EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh +EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh
  54. Download patch src/ibmca.h
  55. Download patch openssl-ibmca.spec

    --- 1.4.0-1/openssl-ibmca.spec 2017-09-08 17:54:06.000000000 +0000 +++ 2.0.0-0ubuntu2/openssl-ibmca.spec 2018-06-08 13:47:56.000000000 +0000 @@ -1,19 +1,17 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + Name: openssl-ibmca -Version: 1.4.0 -Release: 0 +Version: 2.0.0 +Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine -Group: Hardware/Other License: ASL 2.0 -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: openssl-devel >= 0.9.8, - libica-devel >= 3.1.1, - autoconf, - automake, - libtool -Requires: openssl >= 0.9.8, - libica >= 3.1.1 +Requires: openssl >= 0.9.8 libica >= 3.3.0 +BuildRequires: openssl-devel >= 0.9.8 libica-devel >= 3.3.0 +BuildRequires: autoconf automake libtool ExclusiveArch: s390 s390x 
@@ -22,28 +20,46 @@ This package contains a shared object Op to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%setup -q +%setup -q -n %{name}-%{version} + +./bootstrap.sh %build -%configure -make +%configure --libdir=%{enginesdir} +%make_build %install -%makeinstall -rm -f $RPM_BUILD_ROOT%{_libdir}/libibmca.la -mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines -mv $RPM_BUILD_ROOT%{_libdir}/lib* $RPM_BUILD_ROOT%{_libdir}/openssl/engines +%make_install +rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la -%post -p /sbin/ldconfig +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd -%postun -p /sbin/ldconfig %files -%doc README INSTALL src/openssl.cnf.sample -%{_mandir}/man5/* -%{_libdir}/openssl/engines/* +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* %changelog +* Wed Jun 06 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2.0.0 +- Update Version +- Update libica version required for building ibmca + +* Wed Feb 21 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 1.4.1 +- Updated to 1.4.1 + +* Thu Jan 25 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> +- Update engine filename +- Spec cleanup + +* Thu Oct 26 2017 Patrick Steuer <patrick.steuer@de.ibm.com> +- Fix build warning about comma and newlines +- Remove INSTALL file from doc +- Fix README name on doc + * Fri Sep 8 2017 Paulo Vital <pvital@linux.vnet.ibm.com> 1.4.0 - Update new License - Update Source and URL pointing to GitHub
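Review bot: The `sed` in `%install` rewrites the sample configuration's engine path to `%{_libdir}/openssl/engines`, while the same hunk installs the engine as `%{enginesdir}/ibmca.so`, with `enginesdir` taken from `pkg-config --variable=enginesdir libcrypto`. If the two directories differ on the build host, the shipped `openssl.cnf.sample.%{_arch}` names a path the package does not install into, so an administrator who copies the sample gets an engine that fails to load or is resolved from an unexpected location. Using the same macro on both sides keeps them aligned: `sed -e 's|/usr/local/lib|%{enginesdir}|' openssl.cnf.sample > openssl.cnf.sample.%{_arch}`.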
  56. Download patch debian/copyright


Source: r-cran-openssl

r-cran-openssl (1.0.1+dfsg-1ubuntu1) cosmic; urgency=medium * Merge with Debian unstable, remaining changes: + Disable test_google.R requiring network access -- Graham Inggs <ginggs@ubuntu.com> Sat, 14 Jul 2018 05:52:44 +0000

Modifications :
  1. Download patch debian/control

    --- 1.0.1+dfsg-1/debian/control 2018-06-17 21:06:44.000000000 +0000 +++ 1.0.1+dfsg-1ubuntu1/debian/control 2018-07-14 05:52:44.000000000 +0000 @@ -1,5 +1,6 @@ Source: r-cran-openssl -Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> Uploaders: Andreas Tille <tille@debian.org> Section: gnu-r Priority: optional
  2. Download patch debian/tests/run-unit-test

    --- 1.0.1+dfsg-1/debian/tests/run-unit-test 2018-06-17 21:06:44.000000000 +0000 +++ 1.0.1+dfsg-1ubuntu1/debian/tests/run-unit-test 2018-07-14 05:52:44.000000000 +0000 @@ -8,5 +8,6 @@ if [ "$ADTTMP" = "" ] ; then fi cd $ADTTMP cp -a /usr/share/doc/${pkg}/tests/* $ADTTMP +rm -f testthat/test_google.R LC_ALL=C R --no-save < testthat.R rm -fr $ADTTMP/*
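Review bot: The added `rm -f testthat/test_google.R` is relative to the working directory, so it only hits the copied test tree if the unchecked `cd $ADTTMP` two lines above succeeded. Naming the target absolutely and quoting it removes that dependency: `rm -f "$ADTTMP/testthat/test_google.R"`. Because of `-f`, the line also succeeds silently if upstream renames or moves the file, in which case the network-dependent test would run again without any signal; a comment such as `# test_google.R needs network access, unavailable in autopkgtest` next to it would make the intent checkable. The top of the script is outside the hunk, so a `set -e` there may already cover the `cd` case.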


Source: ruby-openssl

ruby-openssl (2.1.1-0ubuntu1) cosmic; urgency=medium * New upstream release -- Dimitri John Ledkov <xnox@ubuntu.com> Sun, 23 Sep 2018 23:06:52 +0100 ruby-openssl (2.0.5-1build3) bionic; urgency=high * No change rebuild against ruby-defaults without ruby2.3 support. -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 01 Mar 2018 09:36:03 +0000 ruby-openssl (2.0.5-1build2) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 05 Feb 2018 16:53:07 +0000 ruby-openssl (2.0.5-1build1) bionic; urgency=medium * No-change rebuild for ruby2.5 update. -- Matthias Klose <doko@ubuntu.com> Thu, 01 Feb 2018 19:02:49 +0000

Modifications :
  1. Download patch ext/openssl/ossl_kdf.h

--- 2.0.5-1/ext/openssl/ossl_kdf.h 1970-01-01 00:00:00.000000000 +0000
+++ 2.1.1-0ubuntu1/ext/openssl/ossl_kdf.h 2018-05-12 06:51:09.000000000 +0000
@@ -0,0 +1,6 @@
+#if !defined(OSSL_KDF_H)
+#define OSSL_KDF_H
+
+void Init_ossl_kdf(void);
+
+#endif
  2. Download patch ext/openssl/extconf.rb

    --- 2.0.5-1/ext/openssl/extconf.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/extconf.rb 2018-05-12 06:51:09.000000000 +0000 @@ -91,30 +91,19 @@ unless result unless find_openssl_library Logging::message "=== Checking for required stuff failed. ===\n" Logging::message "Makefile wasn't created. Fix the errors above.\n" - exit 1 + raise "OpenSSL library could not be found. You might want to use " \ + "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \ + "is installed." end end -result = checking_for("OpenSSL version is 0.9.8 or later") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h") -} -unless result - raise "OpenSSL 0.9.8 or later required." -end - -if /darwin/ =~ RUBY_PLATFORM and !OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") - raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')" +unless checking_for("OpenSSL version is 1.0.1 or later") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") } + raise "OpenSSL >= 1.0.1 or LibreSSL is required" end Logging::message "=== Checking for OpenSSL features... ===\n" # compile options - -# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros -# like OPENSSL_NO_SSL2 may not be defined. -have_func("SSLv2_method") -have_func("SSLv3_method") -have_func("TLSv1_1_method") -have_func("TLSv1_2_method") have_func("RAND_egd") engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni} 
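Review bot: Dropping the `have_func("SSLv2_method")` … `have_func("TLSv1_2_method")` probes in this hunk, and the 0.9.8/1.0.0/1.0.1 probes in the next one, means the corresponding `HAVE_*` macros are no longer defined for the C sources. Any `#ifdef HAVE_…` guard left behind in `ext/openssl` would then compile its feature out without a build error; the deleted `ossl_pkcs5.c` shows this pattern with `#ifdef HAVE_PKCS5_PBKDF2_HMAC`, and the removed `-DHAVE_AUTHENTICATED_ENCRYPTION` gated AEAD support the same way. The C files are not part of this hunk, so this is a request to confirm that no guard on a removed macro remains. A one-line comment above the version check, `# Features present in every OpenSSL >= 1.0.1 are assumed; do not guard them with HAVE_* in C`, would record the new contract.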
@@ -122,30 +111,6 @@ engines.each { |name| OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") } -# added in 0.9.8X -have_func("EVP_CIPHER_CTX_new") -have_func("EVP_CIPHER_CTX_free") -OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h") - -# added in 1.0.0 -have_func("ASN1_TIME_adj") -have_func("EVP_CIPHER_CTX_copy") -have_func("EVP_PKEY_base_id") -have_func("HMAC_CTX_copy") -have_func("PKCS5_PBKDF2_HMAC") -have_func("X509_NAME_hash_old") -have_func("X509_STORE_CTX_get0_current_crl") -have_func("X509_STORE_set_verify_cb") -have_func("i2d_ASN1_SET_ANY") -have_func("SSL_SESSION_cmp") # removed -OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h") -have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h") -have_func("EVP_PKEY_get0") - -# added in 1.0.1 -have_func("SSL_CTX_set_next_proto_select_cb") -have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION") - # added in 1.0.2 have_func("EC_curve_nist2nid") have_func("X509_REVOKED_dup") @@ -157,8 +122,11 @@ OpenSSL.check_func_or_macro("SSL_get_ser have_func("SSL_is_server") # added in 1.1.0 +if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || + try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h") + $defs.push("-DHAVE_OPAQUE_OPENSSL") +end have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API") -have_struct_member("SSL", "ctx", "openssl/ssl.h") || $defs.push("-DHAVE_OPAQUE_OPENSSL") have_func("BN_GENCB_new") have_func("BN_GENCB_free") have_func("BN_GENCB_get_arg") @@ -189,6 +157,7 @@ OpenSSL.check_func_or_macro("SSL_CTX_set have_func("SSL_CTX_get_security_level") have_func("X509_get0_notBefore") have_func("SSL_SESSION_get_protocol_version") +have_func("EVP_PBE_scrypt") Logging::message "=== Checking done. ===\n"
  3. Download patch test/test_ssl_session.rb
  4. Download patch ext/openssl/ossl_x509.h

    --- 2.0.5-1/ext/openssl/ossl_x509.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509.h 2018-05-12 06:51:09.000000000 +0000 @@ -41,7 +41,6 @@ extern VALUE cX509Cert; extern VALUE eX509CertError; VALUE ossl_x509_new(X509 *); -VALUE ossl_x509_new_from_file(VALUE); X509 *GetX509CertPtr(VALUE); X509 *DupX509CertPtr(VALUE); void Init_ossl_x509cert(void); @@ -54,7 +53,6 @@ extern VALUE eX509CRLError; VALUE ossl_x509crl_new(X509_CRL *); X509_CRL *GetX509CRLPtr(VALUE); -X509_CRL *DupX509CRLPtr(VALUE); void Init_ossl_x509crl(void); /* @@ -84,9 +82,7 @@ void Init_ossl_x509name(void); extern VALUE cX509Req; extern VALUE eX509ReqError; -VALUE ossl_x509req_new(X509_REQ *); X509_REQ *GetX509ReqPtr(VALUE); -X509_REQ *DupX509ReqPtr(VALUE); void Init_ossl_x509req(void); /* @@ -106,11 +102,8 @@ extern VALUE cX509Store; extern VALUE cX509StoreContext; extern VALUE eX509StoreError; -VALUE ossl_x509store_new(X509_STORE *); X509_STORE *GetX509StorePtr(VALUE); -X509_STORE *DupX509StorePtr(VALUE); -X509_STORE_CTX *GetX509StCtxtPtr(VALUE); void Init_ossl_x509store(void); /*
  5. Download patch ext/openssl/ossl_pkcs5.c

    --- 2.0.5-1/ext/openssl/ossl_pkcs5.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkcs5.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,180 +0,0 @@ -/* - * Copyright (C) 2007 Technorama Ltd. <oss-ruby@technorama.net> - */ -#include "ossl.h" - -VALUE mPKCS5; -VALUE ePKCS5; - -#ifdef HAVE_PKCS5_PBKDF2_HMAC -/* - * call-seq: - * PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string - * - * === Parameters - * * +pass+ - string - * * +salt+ - string - should be at least 8 bytes long. - * * +iter+ - integer - should be greater than 1000. 20000 is better. - * * +keylen+ - integer - * * +digest+ - a string or OpenSSL::Digest object. - * - * Available in OpenSSL >= 1.0.0. - * - * Digests other than SHA1 may not be supported by other cryptography libraries. - */ -static VALUE -ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen, VALUE digest) -{ - VALUE str; - const EVP_MD *md; - int len = NUM2INT(keylen); - - StringValue(pass); - StringValue(salt); - md = GetDigestPtr(digest); - - str = rb_str_new(0, len); - - if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LENINT(pass), - (unsigned char *)RSTRING_PTR(salt), RSTRING_LENINT(salt), - NUM2INT(iter), md, len, - (unsigned char *)RSTRING_PTR(str)) != 1) - ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC"); - - return str; -} -#else -#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement -#endif - - -/* - * call-seq: - * PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, keylen) => string - * - * === Parameters - * * +pass+ - string - * * +salt+ - string - should be at least 8 bytes long. - * * +iter+ - integer - should be greater than 1000. 20000 is better. - * * +keylen+ - integer - * - * This method is available in almost any version of OpenSSL. - * - * Conforms to RFC 2898. 
- */ -static VALUE -ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen) -{ - VALUE str; - int len = NUM2INT(keylen); - - StringValue(pass); - StringValue(salt); - - str = rb_str_new(0, len); - - if (PKCS5_PBKDF2_HMAC_SHA1(RSTRING_PTR(pass), RSTRING_LENINT(pass), - (const unsigned char *)RSTRING_PTR(salt), RSTRING_LENINT(salt), NUM2INT(iter), - len, (unsigned char *)RSTRING_PTR(str)) != 1) - ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC_SHA1"); - - return str; -} - -void -Init_ossl_pkcs5(void) -{ -#if 0 - mOSSL = rb_define_module("OpenSSL"); - eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError); -#endif - - /* Document-class: OpenSSL::PKCS5 - * - * Provides password-based encryption functionality based on PKCS#5. - * Typically used for securely deriving arbitrary length symmetric keys - * to be used with an OpenSSL::Cipher from passwords. Another use case - * is for storing passwords: Due to the ability to tweak the effort of - * computation by increasing the iteration count, computation can be - * slowed down artificially in order to render possible attacks infeasible. - * - * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based - * HMAC, or an arbitrary Digest if the underlying version of OpenSSL - * already supports it (>= 1.0.0). - * - * === Parameters - * ==== Password - * Typically an arbitrary String that represents the password to be used - * for deriving a key. - * ==== Salt - * Prevents attacks based on dictionaries of common passwords. It is a - * public value that can be safely stored along with the password (e.g. - * if PBKDF2 is used for password storage). For maximum security, a fresh, - * random salt should be generated for each stored password. According - * to PKCS#5, a salt should be at least 8 bytes long. - * ==== Iteration Count - * Allows to tweak the length that the actual computation will take. The - * larger the iteration count, the longer it will take. 
- * ==== Key Length - * Specifies the length in bytes of the output that will be generated. - * Typically, the key length should be larger than or equal to the output - * length of the underlying digest function, otherwise an attacker could - * simply try to brute-force the key. According to PKCS#5, security is - * limited by the output length of the underlying digest function, i.e. - * security is not improved if a key length strictly larger than the - * digest output length is chosen. Therefore, when using PKCS5 for - * password storage, it suffices to store values equal to the digest - * output length, nothing is gained by storing larger values. - * - * == Examples - * === Generating a 128 bit key for a Cipher (e.g. AES) - * pass = "secret" - * salt = OpenSSL::Random.random_bytes(16) - * iter = 20000 - * key_len = 16 - * key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, key_len) - * - * === Storing Passwords - * pass = "secret" - * salt = OpenSSL::Random.random_bytes(16) #store this with the generated value - * iter = 20000 - * digest = OpenSSL::Digest::SHA256.new - * len = digest.digest_length - * #the final value to be stored - * value = OpenSSL::PKCS5.pbkdf2_hmac(pass, salt, iter, len, digest) - * - * === Important Note on Checking Passwords - * When comparing passwords provided by the user with previously stored - * values, a common mistake made is comparing the two values using "==". - * Typically, "==" short-circuits on evaluation, and is therefore - * vulnerable to timing attacks. The proper way is to use a method that - * always takes the same amount of time when comparing two values, thus - * not leaking any information to potential attackers. 
To compare two - * values, the following could be used: - * def eql_time_cmp(a, b) - * unless a.length == b.length - * return false - * end - * cmp = b.bytes.to_a - * result = 0 - * a.bytes.each_with_index {|c,i| - * result |= c ^ cmp[i] - * } - * result == 0 - * end - * Please note that the premature return in case of differing lengths - * typically does not leak valuable information - when using PKCS#5, the - * length of the values to be compared is of fixed size. - */ - - mPKCS5 = rb_define_module_under(mOSSL, "PKCS5"); - /* Document-class: OpenSSL::PKCS5::PKCS5Error - * - * Generic Exception class that is raised if an error occurs during a - * computation. - */ - ePKCS5 = rb_define_class_under(mPKCS5, "PKCS5Error", eOSSLError); - - rb_define_module_function(mPKCS5, "pbkdf2_hmac", ossl_pkcs5_pbkdf2_hmac, 5); - rb_define_module_function(mPKCS5, "pbkdf2_hmac_sha1", ossl_pkcs5_pbkdf2_hmac_sha1, 4); -}
  6. Download patch ext/openssl/ossl_digest.c

    --- 2.0.5-1/ext/openssl/ossl_digest.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_digest.c 2018-05-12 06:51:09.000000000 +0000 @@ -15,10 +15,6 @@ ossl_raise(rb_eRuntimeError, "Digest CTX wasn't initialized!"); \ } \ } while (0) -#define SafeGetDigest(obj, ctx) do { \ - OSSL_Check_Kind((obj), cDigest); \ - GetDigest((obj), (ctx)); \ -} while (0) /* * Classes @@ -46,7 +42,7 @@ static const rb_data_type_t ossl_digest_ * Public */ const EVP_MD * -GetDigestPtr(VALUE obj) +ossl_evp_get_digestbyname(VALUE obj) { const EVP_MD *md; ASN1_OBJECT *oid = NULL; @@ -65,7 +61,7 @@ GetDigestPtr(VALUE obj) } else { EVP_MD_CTX *ctx; - SafeGetDigest(obj, ctx); + GetDigest(obj, ctx); md = EVP_MD_CTX_md(ctx); } @@ -106,15 +102,15 @@ VALUE ossl_digest_update(VALUE, VALUE); * call-seq: * Digest.new(string [, data]) -> Digest * - * Creates a Digest instance based on +string+, which is either the ln + * Creates a Digest instance based on _string_, which is either the ln * (long name) or sn (short name) of a supported digest algorithm. * - * If +data+ (a +String+) is given, it is used as the initial input to the + * If _data_ (a String) is given, it is used as the initial input to the * Digest instance, i.e. * * digest = OpenSSL::Digest.new('sha256', 'digestdata') * - * is equal to + * is equivalent to * * digest = OpenSSL::Digest.new('sha256') * digest.update('digestdata') @@ -127,7 +123,7 @@ ossl_digest_initialize(int argc, VALUE * VALUE type, data; rb_scan_args(argc, argv, "11", &type, &data); - md = GetDigestPtr(type); + md = ossl_evp_get_digestbyname(type); if (!NIL_P(data)) StringValue(data); TypedData_Get_Struct(self, EVP_MD_CTX, &ossl_digest_type, ctx); @@ -158,7 +154,7 @@ ossl_digest_copy(VALUE self, VALUE other if (!ctx1) ossl_raise(eDigestError, "EVP_MD_CTX_new"); } - SafeGetDigest(other, ctx2); + GetDigest(other, ctx2); if (!EVP_MD_CTX_copy(ctx1, ctx2)) { ossl_raise(eDigestError, NULL); 
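Review bot: In `ossl_evp_get_digestbyname` the `else` branch now runs `GetDigest(obj, ctx)` on a caller-supplied object without the `OSSL_Check_Kind((obj), cDigest)` that the removed `SafeGetDigest` performed, so rejecting a non-Digest argument rests entirely on `GetDigest` itself. Only the tail of that macro is visible here; please confirm it unwraps through `TypedData_Get_Struct(..., &ossl_digest_type, ...)` as `ossl_digest_initialize` does, since that is what raises a `TypeError` instead of reinterpreting a foreign pointer. A comment at the macro such as `/* TypedData_Get_Struct type-checks obj against ossl_digest_type; no separate kind check is needed */` would keep the invariant from being lost in a later refactor. The same substitution is made in `ossl_digest_copy`, in `ossl_x509crl.c` (`GetX509CRLPtr`, `ossl_x509crl_copy`) and in `ossl_pkcs7.c` (`DupPKCS7SignerPtr`, `DupPKCS7RecipientPtr`, `ossl_pkcs7_s_write_smime`), and the same confirmation applies to each `Get*` macro there.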
@@ -448,7 +444,7 @@ Init_ossl_digest(void) rb_define_alloc_func(cDigest, ossl_digest_alloc); rb_define_method(cDigest, "initialize", ossl_digest_initialize, -1); - rb_define_copy_func(cDigest, ossl_digest_copy); + rb_define_method(cDigest, "initialize_copy", ossl_digest_copy, 1); rb_define_method(cDigest, "reset", ossl_digest_reset, 0); rb_define_method(cDigest, "update", ossl_digest_update, 1); rb_define_alias(cDigest, "<<", "update");
  7. Download patch test/envutil.rb

    --- 2.0.5-1/test/envutil.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/envutil.rb 2018-05-12 06:51:09.000000000 +0000 @@ -92,6 +92,18 @@ module EnvUtil end module_function :invoke_ruby + def verbose_warning + class << (stderr = "".dup) + alias write << + end + stderr, $stderr, verbose, $VERBOSE = $stderr, stderr, $VERBOSE, true + yield stderr + return $stderr + ensure + stderr, $stderr, $VERBOSE = $stderr, stderr, verbose + end + module_function :verbose_warning + def suppress_warning verbose, $VERBOSE = $VERBOSE, nil yield @@ -220,6 +232,17 @@ eom raise marshal_error if marshal_error end + def assert_warning(pat, msg = nil) + stderr = EnvUtil.verbose_warning { + yield + } + if Regexp === pat + assert_match pat, stderr, msg + else + assert_equal pat, stderr, msg + end + end + def message msg = nil, ending = ".", &default proc { msg = msg.call.chomp(".") if Proc === msg
  8. Download patch README.md

    --- 2.0.5-1/README.md 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/README.md 2018-05-12 06:51:09.000000000 +0000 @@ -27,7 +27,7 @@ Alternatively, you can install the gem w # Gemfile gem 'openssl' # or specify git master -gem 'openssl', github: 'ruby/openssl' +gem 'openssl', git: 'https://github.com/ruby/openssl' ``` After doing `bundle install`, you should have the gem installed in your bundle.
  9. Download patch ext/openssl/ossl_pkcs5.h

--- 2.0.5-1/ext/openssl/ossl_pkcs5.h 2017-08-08 09:29:07.000000000 +0000
+++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkcs5.h 1970-01-01 00:00:00.000000000 +0000
@@ -1,6 +0,0 @@
-#if !defined(_OSSL_PKCS5_H_)
-#define _OSSL_PKCS5_H_
-
-void Init_ossl_pkcs5(void);
-
-#endif /* _OSSL_PKCS5_H_ */
  10. Download patch ext/openssl/ossl_digest.h

    --- 2.0.5-1/ext/openssl/ossl_digest.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_digest.h 2018-05-12 06:51:09.000000000 +0000 @@ -13,7 +13,7 @@ extern VALUE cDigest; extern VALUE eDigestError; -const EVP_MD *GetDigestPtr(VALUE); +const EVP_MD *ossl_evp_get_digestbyname(VALUE); VALUE ossl_digest_new(const EVP_MD *); void Init_ossl_digest(void);
  11. Download patch test/test_pkcs7.rb

    --- 2.0.5-1/test/test_pkcs7.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_pkcs7.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,13 +1,13 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestPKCS7 < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") @@ -28,10 +28,6 @@ class OpenSSL::TestPKCS7 < OpenSSL::Test @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048) end - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_signed store = OpenSSL::X509::Store.new store.add_cert(@ca_cert)
  12. Download patch lib/openssl/config.rb

    --- 2.0.5-1/lib/openssl/config.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/config.rb 2018-05-12 06:51:09.000000000 +0000 @@ -30,7 +30,8 @@ module OpenSSL class << self ## - # Parses a given +string+ as a blob that contains configuration for openssl. + # Parses a given _string_ as a blob that contains configuration for + # OpenSSL. # # If the source of the IO is a file, then consider using #parse_config. def parse(string) @@ -46,7 +47,7 @@ module OpenSSL alias load new ## - # Parses the configuration data read from +io+, see also #parse. + # Parses the configuration data read from _io_, see also #parse. # # Raises a ConfigError on invalid configuration data. def parse_config(io) @@ -236,7 +237,7 @@ module OpenSSL # # This can be used in contexts like OpenSSL::X509::ExtensionFactory.config= # - # If the optional +filename+ parameter is provided, then it is read in and + # If the optional _filename_ parameter is provided, then it is read in and # parsed via #parse_config. # # This can raise IO exceptions based on the access, or availability of the @@ -255,7 +256,7 @@ module OpenSSL end ## - # Gets the value of +key+ from the given +section+ + # Gets the value of _key_ from the given _section_ # # Given the following configurating file being loaded: # @@ -265,8 +266,8 @@ module OpenSSL # #=> [ default ] # # foo=bar # - # You can get a specific value from the config if you know the +section+ - # and +key+ like so: + # You can get a specific value from the config if you know the _section_ + # and _key_ like so: # # config.get_value('default','foo') # #=> "bar" @@ -297,7 +298,7 @@ module OpenSSL end ## - # Set the target +key+ with a given +value+ under a specific +section+. + # Set the target _key_ with a given _value_ under a specific _section_. # # Given the following configurating file being loaded: # 
@@ -307,7 +308,7 @@ module OpenSSL # #=> [ default ] # # foo=bar # - # You can set the value of +foo+ under the +default+ section to a new + # You can set the value of _foo_ under the _default_ section to a new # value: # # config.add_value('default', 'foo', 'buzz') @@ -322,7 +323,7 @@ module OpenSSL end ## - # Get a specific +section+ from the current configuration + # Get a specific _section_ from the current configuration # # Given the following configurating file being loaded: # @@ -351,7 +352,7 @@ module OpenSSL end ## - # Sets a specific +section+ name with a Hash +pairs+ + # Sets a specific _section_ name with a Hash _pairs_. # # Given the following configuration being created: # @@ -365,7 +366,7 @@ module OpenSSL # # baz=buz # # It's important to note that this will essentially merge any of the keys - # in +pairs+ with the existing +section+. For example: + # in _pairs_ with the existing _section_. For example: # # config['default'] # #=> {"foo"=>"bar", "baz"=>"buz"}
  13. Download patch test/fixtures/pkey/rsa2048.pem

    --- 2.0.5-1/test/fixtures/pkey/rsa2048.pem 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/fixtures/pkey/rsa2048.pem 2018-05-12 06:51:09.000000000 +0000 @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN +s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign +4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D +kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl +NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J +DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb +I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq +PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V +seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0 +Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc +VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW +wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G +0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj +XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb +aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n +h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw +Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k +IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb +v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId +U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr +vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS +Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC +9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41 +gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG +4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw== +-----END RSA PRIVATE KEY-----
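Review bot: This new fixture is an unencrypted RSA private key shipped in the source package, so it is publicly known and must never back a certificate, signature or service outside the test suite. Nothing added here states that beyond the `test/fixtures` path. A short note next to the keys (for example a README in the fixtures directory saying the keys are test-only, public, and not to be deployed) would document the intent and give secret-scanning tooling a place to anchor an allowlist entry instead of a blanket path exclusion.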
  14. Download patch ext/openssl/ossl_version.h

    --- 2.0.5-1/ext/openssl/ossl_version.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_version.h 2018-05-12 06:51:09.000000000 +0000 @@ -10,6 +10,6 @@ #if !defined(_OSSL_VERSION_H_) #define _OSSL_VERSION_H_ -#define OSSL_VERSION "2.0.5" +#define OSSL_VERSION "2.1.1" #endif /* _OSSL_VERSION_H_ */
  15. Download patch test/test_x509crl.rb

    --- 2.0.5-1/test/test_x509crl.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_x509crl.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,28 +1,20 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestX509CRL < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") end - def issue_crl(*args) - OpenSSL::TestUtils.issue_crl(*args) - end - - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_basic now = Time.at(Time.now.to_i) @@ -196,7 +188,7 @@ class OpenSSL::TestX509CRL < OpenSSL::Te cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) assert_equal(false, crl.verify(@dsa256)) 
@@ -205,6 +197,58 @@ class OpenSSL::TestX509CRL < OpenSSL::Te assert_equal(false, crl.verify(@dsa512)) end + def test_revoked_to_der + # revokedCertificates SEQUENCE OF SEQUENCE { + # userCertificate CertificateSerialNumber, + # revocationDate Time, + # crlEntryExtensions Extensions OPTIONAL + # -- if present, version MUST be v2 + # } OPTIONAL, + + now = Time.utc(2000, 1, 1) + rev1 = OpenSSL::X509::Revoked.new + rev1.serial = 123 + rev1.time = now + ext = OpenSSL::X509::Extension.new("CRLReason", OpenSSL::ASN1::Enumerated(1)) + rev1.extensions = [ext] + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(123), + OpenSSL::ASN1::UTCTime(now), + OpenSSL::ASN1::Sequence([ext.to_der]) + ]) + + assert_equal asn1.to_der, rev1.to_der + end + + def test_eq + now = Time.now + + cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil) + crl1 = issue_crl([], 1, now, now + 3600, [], cacert, @rsa1024, "sha256") + rev1 = OpenSSL::X509::Revoked.new.tap { |rev| + rev.serial = 1 + rev.time = now + } + crl1.add_revoked(rev1) + crl2 = OpenSSL::X509::CRL.new(crl1.to_der) + + # CRL + assert_equal false, crl1 == 12345 + assert_equal true, crl1 == crl2 + rev2 = OpenSSL::X509::Revoked.new.tap { |rev| + rev.serial = 2 + rev.time = now + } + crl2.add_revoked(rev2) + assert_equal false, crl1 == crl2 + + # Revoked + assert_equal false, rev1 == 12345 + assert_equal true, rev1 == crl2.revoked[0] + assert_equal false, rev1 == crl2.revoked[1] + assert_equal true, rev2 == crl2.revoked[1] + end + private def crl_error_returns_false
  16. Download patch ext/openssl/ossl_bio.c

    --- 2.0.5-1/ext/openssl/ossl_bio.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_bio.c 2018-05-12 06:51:09.000000000 +0000 @@ -26,32 +26,17 @@ ossl_obj2bio(volatile VALUE *pobj) } VALUE -ossl_membio2str0(BIO *bio) +ossl_membio2str(BIO *bio) { VALUE ret; + int state; BUF_MEM *buf; BIO_get_mem_ptr(bio, &buf); - ret = rb_str_new(buf->data, buf->length); - - return ret; -} - -VALUE -ossl_protect_membio2str(BIO *bio, int *status) -{ - return rb_protect((VALUE (*)(VALUE))ossl_membio2str0, (VALUE)bio, status); -} - -VALUE -ossl_membio2str(BIO *bio) -{ - VALUE ret; - int status = 0; - - ret = ossl_protect_membio2str(bio, &status); + ret = ossl_str_new(buf->data, buf->length, &state); BIO_free(bio); - if(status) rb_jump_tag(status); + if (state) + rb_jump_tag(state); return ret; }
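Review bot: The rewritten `ossl_membio2str` frees `bio` on every path, including when `ossl_str_new` reports a pending exception through `state`, but nothing at the definition tells callers that they give up ownership; a header comment such as `/* Consumes bio: it is freed before returning or re-raising, callers must not touch it afterwards */` would guard against a later double free. Separately, `buf` is declared without an initial value and the result of `BIO_get_mem_ptr` is not checked, so if a non-memory BIO ever reached this function `buf->data` would be read through an indeterminate pointer. Callers presumably always pass a memory BIO, but `BUF_MEM *buf = NULL;` plus a NULL check before `ossl_str_new` would make that assumption fail predictably.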
  17. Download patch test/test_pair.rb
  18. Download patch ext/openssl/ossl_x509name.c
  19. Download patch ext/openssl/ossl_x509crl.c

    --- 2.0.5-1/ext/openssl/ossl_x509crl.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509crl.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "CRL wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509CRL(obj, crl) do { \ - OSSL_Check_Kind((obj), cX509CRL); \ - GetX509CRL((obj), (crl)); \ -} while (0) /* * Classes @@ -56,18 +52,7 @@ GetX509CRLPtr(VALUE obj) { X509_CRL *crl; - SafeGetX509CRL(obj, crl); - - return crl; -} - -X509_CRL * -DupX509CRLPtr(VALUE obj) -{ - X509_CRL *crl; - - SafeGetX509CRL(obj, crl); - X509_CRL_up_ref(crl); + GetX509CRL(obj, crl); return crl; } @@ -137,7 +122,7 @@ ossl_x509crl_copy(VALUE self, VALUE othe rb_check_frozen(self); if (self == other) return self; GetX509CRL(self, a); - SafeGetX509CRL(other, b); + GetX509CRL(other, b); if (!(crl = X509_CRL_dup(b))) { ossl_raise(eX509CRLError, NULL); } @@ -223,10 +208,14 @@ static VALUE ossl_x509crl_get_last_update(VALUE self) { X509_CRL *crl; + const ASN1_TIME *time; GetX509CRL(self, crl); + time = X509_CRL_get0_lastUpdate(crl); + if (!time) + return Qnil; - return asn1time_to_time(X509_CRL_get0_lastUpdate(crl)); + return asn1time_to_time(time); } static VALUE @@ -237,7 +226,7 @@ ossl_x509crl_set_last_update(VALUE self, GetX509CRL(self, crl); asn1time = ossl_x509_time_adjust(NULL, time); - if (!X509_CRL_set_lastUpdate(crl, asn1time)) { + if (!X509_CRL_set1_lastUpdate(crl, asn1time)) { ASN1_TIME_free(asn1time); ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate"); } @@ -250,10 +239,14 @@ static VALUE ossl_x509crl_get_next_update(VALUE self) { X509_CRL *crl; + const ASN1_TIME *time; GetX509CRL(self, crl); + time = X509_CRL_get0_nextUpdate(crl); + if (!time) + return Qnil; - return asn1time_to_time(X509_CRL_get0_nextUpdate(crl)); + return asn1time_to_time(time); } static VALUE 
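Review bot: In `ossl_x509crl_set_last_update` the call was switched to `X509_CRL_set1_lastUpdate`, but the failure path still raises with the old name, `ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate")`, so the error text names a function that is no longer called. Updating the string to `"X509_CRL_set1_lastUpdate"` keeps diagnostics searchable against the source; the next hunk has the same mismatch for `X509_CRL_set1_nextUpdate`. The rest of each setter is outside the hunks, so only the visible raise is covered by this note.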
@@ -264,7 +257,7 @@ ossl_x509crl_set_next_update(VALUE self, GetX509CRL(self, crl); asn1time = ossl_x509_time_adjust(NULL, time); - if (!X509_CRL_set_nextUpdate(crl, asn1time)) { + if (!X509_CRL_set1_nextUpdate(crl, asn1time)) { ASN1_TIME_free(asn1time); ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate"); } @@ -354,7 +347,7 @@ ossl_x509crl_sign(VALUE self, VALUE key, GetX509CRL(self, crl); pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ - md = GetDigestPtr(digest); + md = ossl_evp_get_digestbyname(digest); if (!X509_CRL_sign(crl, pkey, md)) { ossl_raise(eX509CRLError, NULL); } @@ -366,9 +359,12 @@ static VALUE ossl_x509crl_verify(VALUE self, VALUE key) { X509_CRL *crl; + EVP_PKEY *pkey; GetX509CRL(self, crl); - switch (X509_CRL_verify(crl, GetPKeyPtr(key))) { + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); + switch (X509_CRL_verify(crl, pkey)) { case 1: return Qtrue; case 0: @@ -520,7 +516,7 @@ Init_ossl_x509crl(void) rb_define_alloc_func(cX509CRL, ossl_x509crl_alloc); rb_define_method(cX509CRL, "initialize", ossl_x509crl_initialize, -1); - rb_define_copy_func(cX509CRL, ossl_x509crl_copy); + rb_define_method(cX509CRL, "initialize_copy", ossl_x509crl_copy, 1); rb_define_method(cX509CRL, "version", ossl_x509crl_get_version, 0); rb_define_method(cX509CRL, "version=", ossl_x509crl_set_version, 1);
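Review bot: The `ossl_pkey_check_public_key(pkey)` call added to `ossl_x509crl_verify` has no comment saying why it must run before `X509_CRL_verify`. A later refactor could drop or reorder it without noticing that it is a guard. The History.md hunk on this page records crashes when a PKey without public key components was passed to similar methods, so a line such as `/* reject keys lacking public components before they reach X509_CRL_verify() */` above the call would make the intent explicit. The `switch` on the verify result continues outside the hunk.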
  20. Download patch test/test_bn.rb
  21. Download patch ext/openssl/ossl_pkcs7.c

    --- 2.0.5-1/ext/openssl/ossl_pkcs7.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkcs7.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "PKCS7 wasn't initialized."); \ } \ } while (0) -#define SafeGetPKCS7(obj, pkcs7) do { \ - OSSL_Check_Kind((obj), cPKCS7); \ - GetPKCS7((obj), (pkcs7)); \ -} while (0) #define NewPKCS7si(klass) \ TypedData_Wrap_Struct((klass), &ossl_pkcs7_signer_info_type, 0) @@ -42,10 +38,6 @@ ossl_raise(rb_eRuntimeError, "PKCS7si wasn't initialized."); \ } \ } while (0) -#define SafeGetPKCS7si(obj, p7si) do { \ - OSSL_Check_Kind((obj), cPKCS7Signer); \ - GetPKCS7si((obj), (p7si)); \ -} while (0) #define NewPKCS7ri(klass) \ TypedData_Wrap_Struct((klass), &ossl_pkcs7_recip_info_type, 0) @@ -61,10 +53,6 @@ ossl_raise(rb_eRuntimeError, "PKCS7ri wasn't initialized."); \ } \ } while (0) -#define SafeGetPKCS7ri(obj, p7ri) do { \ - OSSL_Check_Kind((obj), cPKCS7Recipient); \ - GetPKCS7ri((obj), (p7ri)); \ -} while (0) #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0])) @@ -162,7 +150,7 @@ DupPKCS7SignerPtr(VALUE obj) { PKCS7_SIGNER_INFO *p7si, *pkcs7; - SafeGetPKCS7si(obj, p7si); + GetPKCS7si(obj, p7si); if (!(pkcs7 = ossl_PKCS7_SIGNER_INFO_dup(p7si))) { ossl_raise(ePKCS7Error, NULL); } @@ -189,7 +177,7 @@ DupPKCS7RecipientPtr(VALUE obj) { PKCS7_RECIP_INFO *p7ri, *pkcs7; - SafeGetPKCS7ri(obj, p7ri); + GetPKCS7ri(obj, p7ri); if (!(pkcs7 = ossl_PKCS7_RECIP_INFO_dup(p7ri))) { ossl_raise(ePKCS7Error, NULL); } @@ -238,7 +226,7 @@ ossl_pkcs7_s_write_smime(int argc, VALUE rb_scan_args(argc, argv, "12", &pkcs7, &data, &flags); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(data)) data = ossl_pkcs7_get_data(pkcs7); - SafeGetPKCS7(pkcs7, p7); + GetPKCS7(pkcs7, p7); if(!NIL_P(data) && PKCS7_is_detached(p7)) flg |= PKCS7_DETACHED; in = NIL_P(data) ? NULL : ossl_obj2bio(&data); 
@@ -331,7 +319,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *ar #endif } - else ciph = GetCipherPtr(cipher); /* NO NEED TO DUP */ + else ciph = ossl_evp_get_cipherbyname(cipher); flg = NIL_P(flags) ? 0 : NUM2INT(flags); ret = NewPKCS7(cPKCS7); in = ossl_obj2bio(&data); @@ -414,7 +402,7 @@ ossl_pkcs7_copy(VALUE self, VALUE other) if (self == other) return self; GetPKCS7(self, a); - SafeGetPKCS7(other, b); + GetPKCS7(other, b); pkcs7 = PKCS7_dup(b); if (!pkcs7) { @@ -537,7 +525,7 @@ ossl_pkcs7_set_cipher(VALUE self, VALUE PKCS7 *pkcs7; GetPKCS7(self, pkcs7); - if (!PKCS7_set_cipher(pkcs7, GetCipherPtr(cipher))) { + if (!PKCS7_set_cipher(pkcs7, ossl_evp_get_cipherbyname(cipher))) { ossl_raise(ePKCS7Error, NULL); } @@ -933,7 +921,7 @@ ossl_pkcs7si_initialize(VALUE self, VALU pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */ - md = GetDigestPtr(digest); + md = ossl_evp_get_digestbyname(digest); GetPKCS7si(self, p7si); if (!(PKCS7_SIGNER_INFO_set(p7si, x509, pkey, (EVP_MD*)md))) { ossl_raise(ePKCS7Error, NULL); @@ -1068,7 +1056,7 @@ Init_ossl_pkcs7(void) rb_attr(cPKCS7, rb_intern("data"), 1, 0, Qfalse); rb_attr(cPKCS7, rb_intern("error_string"), 1, 1, Qfalse); rb_define_alloc_func(cPKCS7, ossl_pkcs7_alloc); - rb_define_copy_func(cPKCS7, ossl_pkcs7_copy); + rb_define_method(cPKCS7, "initialize_copy", ossl_pkcs7_copy, 1); rb_define_method(cPKCS7, "initialize", ossl_pkcs7_initialize, -1); rb_define_method(cPKCS7, "type=", ossl_pkcs7_set_type, 1); rb_define_method(cPKCS7, "type", ossl_pkcs7_get_type, 0);
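Review bot: In the `ossl_pkcs7_s_encrypt` hunk the replacement line drops the `/* NO NEED TO DUP */` remark that recorded who owns the cipher pointer. If `ossl_evp_get_cipherbyname` also returns a borrowed `EVP_CIPHER`, keep that remark so nobody adds a free later. The statement is also an unbraced `else` placed directly after `#endif }`, which is easy to misread; `else { ciph = ossl_evp_get_cipherbyname(cipher); }` is clearer. The branch that picks a cipher when none is passed sits above the `#endif`, outside the hunk, and the method's rdoc should name that default so callers know when to choose one explicitly.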
  22. Download patch ext/openssl/ossl_bio.h

    --- 2.0.5-1/ext/openssl/ossl_bio.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_bio.h 2018-05-12 06:51:09.000000000 +0000 @@ -11,8 +11,6 @@ #define _OSSL_BIO_H_ BIO *ossl_obj2bio(volatile VALUE *); -VALUE ossl_membio2str0(BIO*); VALUE ossl_membio2str(BIO*); -VALUE ossl_protect_membio2str(BIO*,int*); #endif
  23. Download patch test/test_ocsp.rb

    --- 2.0.5-1/test/test_ocsp.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_ocsp.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestOCSP < OpenSSL::TestCase def setup @@ -13,7 +13,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestC # @cert2 @ocsp_cert ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @ca_key = Fixtures.pkey("rsa1024") ca_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -22,7 +22,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestC ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") - @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @cert_key = Fixtures.pkey("rsa1024") cert_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -31,14 +31,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestC cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") - @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @cert2_key = Fixtures.pkey("rsa1024") cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") - @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 + @ocsp_key = Fixtures.pkey("rsa2048") ocsp_exts = [ ["extendedKeyUsage", "OCSPSigning", true], ] 
@@ -122,14 +122,29 @@ class OpenSSL::TestOCSP < OpenSSL::TestC assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN) ret = req.verify([@cert], store) - if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 + if ret || openssl?(1, 0, 2) assert_equal true, ret else # RT2560; OCSP_request_verify() does not find signer cert from 'certs' when # OCSP_NOINTERN is not specified. - # fixed by OpenSSL 1.0.1j, 1.0.2 and LibreSSL 2.4.2 + # fixed by OpenSSL 1.0.1j, 1.0.2 pend "RT2560: ocsp_req_find_signer" end + + # not signed + req = OpenSSL::OCSP::Request.new.add_certid(cid) + assert_equal false, req.verify([], store) + end + + def test_request_is_signed + cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert) + req = OpenSSL::OCSP::Request.new + req.add_certid(cid) + assert_equal false, req.signed? + assert_equal false, OpenSSL::OCSP::Request.new(req.to_der).signed? + req.sign(@cert, @cert_key, []) + assert_equal true, req.signed? + assert_equal true, OpenSSL::OCSP::Request.new(req.to_der).signed? end def test_request_nonce @@ -247,11 +262,6 @@ class OpenSSL::TestOCSP < OpenSSL::TestC bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, []) bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil) - if bres.responses[2].check_validity # thisUpdate is in future; must fail - # LibreSSL bug; skip for now - pend "OCSP_check_validity() is broken" - end - single1 = bres.responses[0] assert_equal false, single1.check_validity assert_equal false, single1.check_validity(30) @@ -260,6 +270,8 @@ class OpenSSL::TestOCSP < OpenSSL::TestC assert_equal true, single2.check_validity assert_equal true, single2.check_validity(0, 500) assert_equal false, single2.check_validity(0, 200) + single3 = bres.responses[2] + assert_equal false, single3.check_validity end def test_response
  24. Download patch test/test_fips.rb

    --- 2.0.5-1/test/test_fips.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_fips.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,15 +1,30 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestFIPS < OpenSSL::TestCase - def test_fips_mode_is_reentrant OpenSSL.fips_mode = false OpenSSL.fips_mode = false end + def test_fips_mode_get + return unless OpenSSL::OPENSSL_FIPS + assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") + require #{__FILE__.dump} + + begin + OpenSSL.fips_mode = true + assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true" + + OpenSSL.fips_mode = false + assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false" + rescue OpenSSL::OpenSSLError + pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping" + end + end; + end end end
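Review bot: `test_fips_mode_get` starts with `return unless OpenSSL::OPENSSL_FIPS`, so on a build without FIPS support it is reported as a pass although nothing was asserted. That hides the fact that the getter is untested on that platform. Using the same mechanism as the rescue branch, `pend "OpenSSL is not built with FIPS support" unless OpenSSL::OPENSSL_FIPS`, would keep the skip visible in the test report.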
  25. Download patch debian/control

    --- 2.0.5-1/debian/control 2017-08-25 17:39:14.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/control 2018-02-05 16:53:07.000000000 +0000 @@ -1,7 +1,8 @@ Source: ruby-openssl Section: ruby Priority: optional -Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> Uploaders: Antonio Terceiro <terceiro@debian.org> Build-Depends: debhelper (>= 10~), gem2deb,
  26. Download patch ext/openssl/ossl_ssl_session.c

    --- 2.0.5-1/ext/openssl/ossl_ssl_session.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_ssl_session.c 2018-05-12 06:51:09.000000000 +0000 @@ -80,7 +80,7 @@ ossl_ssl_session_initialize_copy(VALUE s rb_check_frozen(self); sess = RTYPEDDATA_DATA(self); /* XXX */ - SafeGetSSLSession(other, sess_other); + GetSSLSession(other, sess_other); sess_new = ASN1_dup((i2d_of_void *)i2d_SSL_SESSION, (d2i_of_void *)d2i_SSL_SESSION, (char *)sess_other); @@ -93,8 +93,8 @@ ossl_ssl_session_initialize_copy(VALUE s return self; } -#if !defined(HAVE_SSL_SESSION_CMP) -int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) +static int +ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { unsigned int a_len; const unsigned char *a_sid = SSL_SESSION_get_id(a, &a_len); @@ -108,23 +108,21 @@ int ossl_SSL_SESSION_cmp(const SSL_SESSI return CRYPTO_memcmp(a_sid, b_sid, a_len); } -#define SSL_SESSION_cmp(a, b) ossl_SSL_SESSION_cmp(a, b) -#endif /* * call-seq: * session1 == session2 -> boolean * - * Returns true if the two Session is the same, false if not. + * Returns +true+ if the two Session is the same, +false+ if not. */ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2) { SSL_SESSION *ctx1, *ctx2; GetSSLSession(val1, ctx1); - SafeGetSSLSession(val2, ctx2); + GetSSLSession(val2, ctx2); - switch (SSL_SESSION_cmp(ctx1, ctx2)) { + switch (ossl_SSL_SESSION_cmp(ctx1, ctx2)) { case 0: return Qtrue; default: return Qfalse; } @@ -319,7 +317,7 @@ void Init_ossl_ssl_session(void) rb_define_alloc_func(cSSLSession, ossl_ssl_session_alloc); rb_define_method(cSSLSession, "initialize", ossl_ssl_session_initialize, 1); - rb_define_copy_func(cSSLSession, ossl_ssl_session_initialize_copy); + rb_define_method(cSSLSession, "initialize_copy", ossl_ssl_session_initialize_copy, 1); rb_define_method(cSSLSession, "==", ossl_ssl_session_eq, 1);
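Review bot: `ossl_SSL_SESSION_cmp` is now the only comparison behind `==`, and its final `return CRYPTO_memcmp(a_sid, b_sid, a_len);` yields zero or non-zero rather than an ordering, so despite the `cmp` name it is an equality test. A comment above it would prevent misuse, e.g. `/* Returns 0 if the session IDs are equal, non-zero otherwise; not an ordering. */`. The lines between the two hunks that touch this function are not shown. Confirm that the two ID lengths are compared before `CRYPTO_memcmp`, since only `a_len` bytes are examined. The reworded rdoc line still reads "the two Session is the same"; `Returns +true+ if the two sessions are the same, +false+ if not.` fixes the grammar.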
  27. Download patch ext/openssl/ossl_pkey_dsa.c

    --- 2.0.5-1/ext/openssl/ossl_pkey_dsa.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkey_dsa.c 2018-05-12 06:51:09.000000000 +0000 @@ -172,7 +172,7 @@ dsa_generate(int size) * from scratch. * * === Parameters - * * +size+ is an integer representing the desired key size. + * * _size_ is an integer representing the desired key size. * */ static VALUE @@ -195,12 +195,12 @@ ossl_dsa_s_generate(VALUE klass, VALUE s * DSA.new(size) -> dsa * DSA.new(string [, pass]) -> dsa * - * Creates a new DSA instance by reading an existing key from +string+. + * Creates a new DSA instance by reading an existing key from _string_. * * === Parameters - * * +size+ is an integer representing the desired key size. - * * +string+ contains a DER or PEM encoded key. - * * +pass+ is a string that contains an optional password. + * * _size_ is an integer representing the desired key size. + * * _string_ contains a DER or PEM encoded key. + * * _pass_ is a string that contains an optional password. * * === Examples * DSA.new -> dsa @@ -329,8 +329,8 @@ ossl_dsa_is_private(VALUE self) * Encodes this DSA to its PEM encoding. * * === Parameters - * * +cipher+ is an OpenSSL::Cipher. - * * +password+ is a string containing your password. + * * _cipher_ is an OpenSSL::Cipher. + * * _password_ is a string containing your password. * * === Examples * DSA.to_pem -> aString @@ -348,7 +348,7 @@ ossl_dsa_export(int argc, VALUE *argv, V GetDSA(self, dsa); rb_scan_args(argc, argv, "02", &cipher, &pass); if (!NIL_P(cipher)) { - ciph = GetCipherPtr(cipher); + ciph = ossl_evp_get_cipherbyname(cipher); pass = ossl_pem_passwd_value(pass); } if (!(out = BIO_new(BIO_s_mem()))) { 
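Review bot: In the `ossl_dsa_export` hunk, `ciph` and the passphrase are assigned only inside `if (!NIL_P(cipher))`, so with no cipher argument a private key is presumably written unencrypted (the write itself is outside the hunk). The rdoc touched a hunk earlier lists _cipher_ and _password_ but never says that; add a line such as `* If _cipher_ is omitted, a private key is exported without encryption.` If `ossl_evp_get_cipherbyname` accepts a cipher name as well as an OpenSSL::Cipher instance, the `_cipher_ is an OpenSSL::Cipher.` line should say so too.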
@@ -503,12 +503,12 @@ ossl_dsa_to_public_key(VALUE self) * call-seq: * dsa.syssign(string) -> aString * - * Computes and returns the DSA signature of +string+, where +string+ is + * Computes and returns the DSA signature of _string_, where _string_ is * expected to be an already-computed message digest of the original input * data. The signature is issued using the private key of this DSA instance. * * === Parameters - * * +string+ is a message digest of the original input data to be signed + * * _string_ is a message digest of the original input data to be signed. * * === Example * dsa = OpenSSL::PKey::DSA.new(2048) @@ -549,11 +549,11 @@ ossl_dsa_sign(VALUE self, VALUE data) * dsa.sysverify(digest, sig) -> true | false * * Verifies whether the signature is valid given the message digest input. It - * does so by validating +sig+ using the public key of this DSA instance. + * does so by validating _sig_ using the public key of this DSA instance. * * === Parameters - * * +digest+ is a message digest of the original input data to be signed - * * +sig+ is a DSA signature value + * * _digest_ is a message digest of the original input data to be signed + * * _sig_ is a DSA signature value * * === Example * dsa = OpenSSL::PKey::DSA.new(2048) @@ -590,7 +590,7 @@ ossl_dsa_verify(VALUE self, VALUE digest * call-seq: * dsa.set_pqg(p, q, g) -> self * - * Sets +p+, +q+, +g+ for the DSA instance. + * Sets _p_, _q_, _g_ to the DSA instance. */ OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g) /* @@ -598,7 +598,7 @@ OSSL_PKEY_BN_DEF3(dsa, DSA, pqg, p, q, g * call-seq: * dsa.set_key(pub_key, priv_key) -> self * - * Sets +pub_key+ and +priv_key+ for the DSA instance. +priv_key+ may be nil. + * Sets _pub_key_ and _priv_key_ for the DSA instance. _priv_key_ may be +nil+. */ OSSL_PKEY_BN_DEF2(dsa, DSA, key, pub_key, priv_key) 
@@ -627,18 +627,12 @@ Init_ossl_dsa(void) * DSA, the Digital Signature Algorithm, is specified in NIST's * FIPS 186-3. It is an asymmetric public key algorithm that may be used * similar to e.g. RSA. - * Please note that for OpenSSL versions prior to 1.0.0 the digest - * algorithms OpenSSL::Digest::DSS (equivalent to SHA) or - * OpenSSL::Digest::DSS1 (equivalent to SHA-1) must be used for issuing - * signatures with a DSA key using OpenSSL::PKey#sign. - * Starting with OpenSSL 1.0.0, digest algorithms are no longer restricted, - * any Digest may be used for signing. */ cDSA = rb_define_class_under(mPKey, "DSA", cPKey); rb_define_singleton_method(cDSA, "generate", ossl_dsa_s_generate, 1); rb_define_method(cDSA, "initialize", ossl_dsa_initialize, -1); - rb_define_copy_func(cDSA, ossl_dsa_initialize_copy); + rb_define_method(cDSA, "initialize_copy", ossl_dsa_initialize_copy, 1); rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0); rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);
  28. Download patch test/test_config.rb

    --- 2.0.5-1/test/test_config.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_config.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,6 +1,8 @@ # frozen_string_literal: false require_relative 'utils' +if defined?(OpenSSL) + class OpenSSL::TestConfig < OpenSSL::TestCase def setup super @@ -171,7 +173,7 @@ __EOC__ def test_value # suppress deprecation warnings - OpenSSL::TestUtils.silent do + EnvUtil.suppress_warning do assert_equal('CA_default', @it.value('ca', 'default_ca')) assert_equal(nil, @it.value('ca', 'no such key')) assert_equal(nil, @it.value('no such section', 'no such key')) @@ -184,7 +186,7 @@ __EOC__ end def test_value_ENV - OpenSSL::TestUtils.silent do + EnvUtil.suppress_warning do key = ENV.keys.first assert_not_nil(key) # make sure we have at least one ENV var. assert_equal(ENV[key], @it.value('ENV', key)) @@ -199,7 +201,7 @@ __EOC__ end def test_section - OpenSSL::TestUtils.silent do + EnvUtil.suppress_warning do assert_equal({'HOME' => '.'}, @it.section('default')) assert_equal({'dir' => './demoCA', 'certs' => './certs'}, @it.section('CA_default')) assert_equal({}, @it.section('no_such_section')) @@ -297,4 +299,6 @@ __EOC__ @it['newsection'] = {'a' => 'b'} assert_not_equal(@it.sections.sort, c.sections.sort) end -end if defined?(OpenSSL::TestUtils) +end + +end
  29. Download patch History.md

    --- 2.0.5-1/History.md 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/History.md 2018-05-12 06:51:09.000000000 +0000 
@@ -1,3 +1,109 @@ +Version 2.1.0 +============= + +Notable changes +--------------- + +* Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5 + is removed. + [[GitHub #86]](https://github.com/ruby/openssl/pull/86) +* OpenSSL::BN#negative?, #+@, and #-@ are added. +* OpenSSL::SSL::SSLSocket#connect raises a more informative exception when + certificate verification fails. + [[GitHub #99]](https://github.com/ruby/openssl/pull/99) +* OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved + from OpenSSL::PKCS5, scrypt and HKDF are supported. + [[GitHub #109]](https://github.com/ruby/openssl/pull/109) + [[GitHub #173]](https://github.com/ruby/openssl/pull/173) +* OpenSSL.fips_mode is added. We had the setter, but not the getter. + [[GitHub #125]](https://github.com/ruby/openssl/pull/125) +* OpenSSL::OCSP::Request#signed? is added. +* OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode + no longer wrongly treats the end-of-contents octets as part of the content. + OpenSSL::ASN1::ASN1Data#infinite_length is renamed to #indefinite_length. + [[GitHub #98]](https://github.com/ruby/openssl/pull/98) +* OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments + 'loc' and 'set'. + [[GitHub #94]](https://github.com/ruby/openssl/issues/94) +* OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace + #ssl_version= that was built on top of the deprecated OpenSSL C API. Use of + that method and the constant OpenSSL::SSL::SSLContext::METHODS is now + deprecated. + [[GitHub #142]](https://github.com/ruby/openssl/pull/142) +* OpenSSL::X509::Name#to_utf8 is added. + [[GitHub #26]](https://github.com/ruby/openssl/issues/26) + [[GitHub #143]](https://github.com/ruby/openssl/pull/143) +* OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be + compared with == operator. 
+ [[GitHub #161]](https://github.com/ruby/openssl/pull/161) +* TLS Fallback Signaling Cipher Suite Value (SCSV) support is added. + [[GitHub #165]](https://github.com/ruby/openssl/pull/165) +* Build failure with OpenSSL 1.1 built with no-deprecated is fixed. + [[GitHub #160]](https://github.com/ruby/openssl/pull/160) +* OpenSSL::Buffering#write accepts an arbitrary number of arguments. + [[Feature #9323]](https://bugs.ruby-lang.org/issues/9323) + [[GitHub #162]](https://github.com/ruby/openssl/pull/162) +* OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS + signature and verification. + [[GitHub #75]](https://github.com/ruby/openssl/issues/75) + [[GitHub #76]](https://github.com/ruby/openssl/pull/76) + [[GitHub #169]](https://github.com/ruby/openssl/pull/169) +* OpenSSL::SSL::SSLContext#add_certificate is added. + [[GitHub #167]](https://github.com/ruby/openssl/pull/167) +* OpenSSL::PKey::EC::Point#to_octet_string is added. + OpenSSL::PKey::EC::Point.new can now take String as the second argument. + [[GitHub #177]](https://github.com/ruby/openssl/pull/177) + + +Version 2.0.8 +============= + +Bug fixes +--------- + +* OpenSSL::Cipher#pkcs5_keyivgen raises an error when a negative iteration + count is given. + [[GitHub #184]](https://github.com/ruby/openssl/pull/184) +* Fixed build with LibreSSL 2.7. + [[GitHub #192]](https://github.com/ruby/openssl/issues/192) + [[GitHub #193]](https://github.com/ruby/openssl/pull/193) + + +Version 2.0.7 +============= + +Bug fixes +--------- + +* OpenSSL::Cipher#auth_data= could segfault if called against a non-AEAD cipher. + [[Bug #14024]](https://bugs.ruby-lang.org/issues/14024) +* OpenSSL::X509::Certificate#public_key= (and similar methods) could segfault + when an instance of OpenSSL::PKey::PKey with no public key components is + passed. 
+ [[Bug #14087]](https://bugs.ruby-lang.org/issues/14087) + [[GitHub #168]](https://github.com/ruby/openssl/pull/168) + + +Version 2.0.6 +============= + +Bug fixes +--------- + +* The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called + during GC. +* A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed. + [[GitHub #139]](https://github.com/ruby/openssl/pull/139) +* OpenSSL::BN#hash could return an unnormalized fixnum value on Windows. + [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877) +* OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the + destination buffer String to 0 on error. + [[GitHub #153]](https://github.com/ruby/openssl/pull/153) +* Possible deadlock is fixed. This happened only when built with older versions + of OpenSSL (before 1.1.0) or LibreSSL. + [[GitHub #155]](https://github.com/ruby/openssl/pull/155) + + Version 2.0.5 ============= @@ -150,7 +256,7 @@ Notable changes - A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it is enabled, and the SNI hostname is also set, the hostname verification on the server certificate is automatically performed. It is now enabled by - OpenSSL::SSL::Context#set_params. + OpenSSL::SSL::SSLContext#set_params. [[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60) Removals
  30. Download patch test/test_x509ext.rb

    --- 2.0.5-1/test/test_x509ext.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_x509ext.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestX509Extension < OpenSSL::TestCase def setup @@ -75,6 +75,17 @@ class OpenSSL::TestX509Extension < OpenS assert_equal(@basic_constraints.to_der, ext.to_der) assert_equal(ext.to_der, ext.dup.to_der) end + + def test_eq + ext1 = OpenSSL::X509::Extension.new(@basic_constraints.to_der) + ef = OpenSSL::X509::ExtensionFactory.new + ext2 = ef.create_extension("basicConstraints", "critical, CA:TRUE, pathlen:2") + ext3 = ef.create_extension("basicConstraints", "critical, CA:TRUE") + + assert_equal false, ext1 == 12345 + assert_equal true, ext1 == ext2 + assert_equal false, ext1 == ext3 + end end end
  31. Download patch test/fixtures/pkey/rsa1024.pem

    --- 2.0.5-1/test/fixtures/pkey/rsa1024.pem 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/fixtures/pkey/rsa1024.pem 2018-05-12 06:51:09.000000000 +0000 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx +aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ +Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB +AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 +maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T +gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 +74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE +JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX +sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII +8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA +wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi +qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD +dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== +-----END RSA PRIVATE KEY-----
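Review bot: This fixture adds an unencrypted private key to the tree, and nothing next to it says that it is public test material. A short README in `test/fixtures/pkey/` should state that these keys are published, must never be used outside the test suite, and how they were generated. That also gives secret scanners a documented reason to allow-list the path. The file name indicates a 1024-bit key, which stricter library security settings may reject, so the README should note that the small size is deliberate. The `dsa1024.pem` fixture further down has the same issue.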
  32. Download patch lib/openssl/x509.rb

    --- 2.0.5-1/lib/openssl/x509.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/x509.rb 2018-05-12 06:51:09.000000000 +0000 @@ -41,6 +41,11 @@ module OpenSSL end class Extension + def ==(other) + return false unless Extension === other + to_der == other.to_der + end + def to_s # "oid = critical, value" str = self.oid str << " = " @@ -139,7 +144,13 @@ module OpenSSL end def parse_openssl(str, template=OBJECT_TYPE_TEMPLATE) - ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) } + if str.start_with?("/") + # /A=B/C=D format + ary = str[1..-1].split("/").map { |i| i.split("=", 2) } + else + # Comma-separated + ary = str.split(",").map { |i| i.strip.split("=", 2) } + end self.new(ary, template) end @@ -154,6 +165,13 @@ module OpenSSL end end + class Attribute + def ==(other) + return false unless Attribute === other + to_der == other.to_der + end + end + class StoreContext def cleanup warn "(#{caller.first}) OpenSSL::X509::StoreContext#cleanup is deprecated with no replacement" if $VERBOSE @@ -172,5 +190,26 @@ module OpenSSL } end end + + class CRL + def ==(other) + return false unless CRL === other + to_der == other.to_der + end + end + + class Revoked + def ==(other) + return false unless Revoked === other + to_der == other.to_der + end + end + + class Request + def ==(other) + return false unless Request === other + to_der == other.to_der + end + end end end
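Review bot: `Extension#==` is added without a matching `eql?` and `hash`, so two extensions that compare equal still act as distinct Hash keys and survive `uniq`. If that is intended, say so in a comment; otherwise add `alias eql? ==` and `def hash; to_der.hash; end` alongside it. `to_der` may also raise for an object that was allocated but never populated, in which case `==` raises instead of returning false; that is worth confirming. The Attribute, CRL, Revoked and Request hunks repeat the pattern.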
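Review bot: The rewritten `parse_openssl` splits on every `/` or `,` with no escaping, so a value that contains the separator is broken into extra components, and a piece without `=` becomes a one-element pair handed to `self.new`. This is a risk when the string is assembled from untrusted input, because a single field value can then add or alter attributes of the resulting name. Document the limitation above the method, e.g. `# Values cannot contain the separator; build names from untrusted data with Name.new(array) instead.` Consider also rejecting malformed pieces before `self.new`, for instance `raise ArgumentError, "invalid name component" if ary.any? { |pair| pair.size != 2 }`.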
  33. Download patch test/fixtures/pkey/dsa1024.pem

    --- 2.0.5-1/test/fixtures/pkey/dsa1024.pem 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/fixtures/pkey/dsa1024.pem 2018-05-12 06:51:09.000000000 +0000 @@ -0,0 +1,12 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n +D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa +/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz +4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx +OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg +YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w +DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4 +IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2 +jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2 +CVArsEzlPUCbohPvZnE= +-----END DSA PRIVATE KEY-----
  34. Download patch test/test_ns_spki.rb

    --- 2.0.5-1/test/test_ns_spki.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_ns_spki.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestNSSPI < OpenSSL::TestCase def setup @@ -17,8 +17,8 @@ class OpenSSL::TestNSSPI < OpenSSL::Test end def test_build_data - key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048 + key1 = Fixtures.pkey("rsa1024") + key2 = Fixtures.pkey("rsa2048") spki = OpenSSL::Netscape::SPKI.new spki.challenge = "RandomString" spki.public_key = key1.public_key
  35. Download patch test/fixtures/pkey/dh1024.pem

    --- 2.0.5-1/test/fixtures/pkey/dh1024.pem 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/fixtures/pkey/dh1024.pem 2018-05-12 06:51:09.000000000 +0000 @@ -0,0 +1,5 @@ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 +pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG +AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC +-----END DH PARAMETERS-----
  36. Download patch ext/openssl/ossl_x509store.c

    --- 2.0.5-1/ext/openssl/ossl_x509store.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509store.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "STORE wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509Store(obj, st) do { \ - OSSL_Check_Kind((obj), cX509Store); \ - GetX509Store((obj), (st)); \ -} while (0) #define NewX509StCtx(klass) \ TypedData_Wrap_Struct((klass), &ossl_x509stctx_type, 0) @@ -42,10 +38,6 @@ ossl_raise(rb_eRuntimeError, "STORE_CTX is out of scope!"); \ } \ } while (0) -#define SafeGetX509StCtx(obj, storep) do { \ - OSSL_Check_Kind((obj), cX509StoreContext); \ - GetX509Store((obj), (ctx)); \ -} while (0) /* * Verify callback stuff @@ -130,34 +122,12 @@ static const rb_data_type_t ossl_x509sto /* * Public functions */ -VALUE -ossl_x509store_new(X509_STORE *store) -{ - VALUE obj; - - obj = NewX509Store(cX509Store); - SetX509Store(obj, store); - - return obj; -} - X509_STORE * GetX509StorePtr(VALUE obj) { X509_STORE *store; - SafeGetX509Store(obj, store); - - return store; -} - -X509_STORE * -DupX509StorePtr(VALUE obj) -{ - X509_STORE *store; - - SafeGetX509Store(obj, store); - X509_STORE_up_ref(store); + GetX509Store(obj, store); return store; } @@ -242,9 +212,9 @@ ossl_x509store_initialize(int argc, VALU /* * call-seq: - * store.flags = flag + * store.flags = flags * - * Sets +flag+ to the Store. +flag+ consists of zero or more of the constants + * Sets _flags_ to the Store. _flags_ consists of zero or more of the constants * defined in with name V_FLAG_* or'ed together. */ static VALUE 
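Review bot: The rewritten rdoc for `store.flags=` still says the constants are "defined in with name V_FLAG_*", which leaves out the module they live in. `_flags_ consists of zero or more of the OpenSSL::X509::V_FLAG_* constants or'ed together.` reads correctly. Being precise matters here because these flags control verification behaviour such as CRL checking. The function body is outside the hunk.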
@@ -263,7 +233,7 @@ ossl_x509store_set_flags(VALUE self, VAL * call-seq: * store.purpose = purpose * - * Sets the store's purpose to +purpose+. If specified, the verifications on + * Sets the store's purpose to _purpose_. If specified, the verifications on * the store will check every untrusted certificate's extensions are consistent * with the purpose. The purpose is specified by constants: * @@ -322,8 +292,9 @@ ossl_x509store_set_time(VALUE self, VALU * call-seq: * store.add_file(file) -> self * - * Adds the certificates in +file+ to the certificate store. The +file+ can - * contain multiple PEM-encoded certificates. + * Adds the certificates in _file_ to the certificate store. _file_ is the path + * to the file, and the file contains one or more certificates in PEM format + * concatenated together. */ static VALUE ossl_x509store_add_file(VALUE self, VALUE file) @@ -359,7 +330,7 @@ ossl_x509store_add_file(VALUE self, VALU * call-seq: * store.add_path(path) -> self * - * Adds +path+ as the hash dir to be looked up by the store. + * Adds _path_ as the hash dir to be looked up by the store. */ static VALUE ossl_x509store_add_path(VALUE self, VALUE dir) @@ -386,7 +357,7 @@ ossl_x509store_add_path(VALUE self, VALU * call-seq: * store.set_default_paths * - * Configures +store+ to look up CA certificates from the system default + * Configures _store_ to look up CA certificates from the system default * certificate store as needed basis. The location of the store can usually be * determined by: * @@ -410,7 +381,7 @@ ossl_x509store_set_default_paths(VALUE s * call-seq: * store.add_cert(cert) * - * Adds the OpenSSL::X509::Certificate +cert+ to the certificate store. + * Adds the OpenSSL::X509::Certificate _cert_ to the certificate store. */ static VALUE ossl_x509store_add_cert(VALUE self, VALUE arg) 
@@ -431,7 +402,7 @@ ossl_x509store_add_cert(VALUE self, VALU * call-seq: * store.add_crl(crl) -> self * - * Adds the OpenSSL::X509::CRL +crl+ to the store. + * Adds the OpenSSL::X509::CRL _crl_ to the store. */ static VALUE ossl_x509store_add_crl(VALUE self, VALUE arg) @@ -456,15 +427,15 @@ static VALUE ossl_x509stctx_get_chain(VA * call-seq: * store.verify(cert, chain = nil) -> true | false * - * Performs a certificate verification on the OpenSSL::X509::Certificate +cert+. + * Performs a certificate verification on the OpenSSL::X509::Certificate _cert_. * - * +chain+ can be an array of OpenSSL::X509::Certificate that is used to + * _chain_ can be an array of OpenSSL::X509::Certificate that is used to * construct the certificate chain. * * If a block is given, it overrides the callback set by #verify_callback=. * * After finishing the verification, the error information can be retrieved by - * #error, #error_string, and the resuting complete certificate chain can be + * #error, #error_string, and the resulting complete certificate chain can be * retrieved by #chain. */ static VALUE @@ -561,7 +532,7 @@ ossl_x509stctx_initialize(int argc, VALU rb_scan_args(argc, argv, "12", &store, &cert, &chain); GetX509StCtx(self, ctx); - SafeGetX509Store(store, x509st); + GetX509Store(store, x509st); if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */ if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain); if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
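Review bot: In `ossl_x509stctx_initialize` the caller-supplied `store` is now unwrapped by `GetX509Store(store, x509st)` alone, so the only thing rejecting a non-Store argument is whatever type check that macro performs. Its body is outside the hunk; presumably it is a typed-data lookup against the store's `rb_data_type_t`, which is what makes the dropped `OSSL_Check_Kind` redundant. A regression test would pin that assumption, for example `assert_raise(TypeError) { OpenSSL::X509::StoreContext.new(Object.new) }`. The same substitution appears in `ossl_x509req_copy`, `ossl_hmac_copy` and `ossl_x509ext_initialize_copy`, which take an arbitrary `other` object.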
  37. Download patch ext/openssl/ossl_x509req.c

    --- 2.0.5-1/ext/openssl/ossl_x509req.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509req.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "Req wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509Req(obj, req) do { \ - OSSL_Check_Kind((obj), cX509Req); \ - GetX509Req((obj), (req)); \ -} while (0) /* * Classes @@ -51,49 +47,16 @@ static const rb_data_type_t ossl_x509req /* * Public functions */ -VALUE -ossl_x509req_new(X509_REQ *req) -{ - X509_REQ *new; - VALUE obj; - - obj = NewX509Req(cX509Req); - if (!req) { - new = X509_REQ_new(); - } else { - new = X509_REQ_dup(req); - } - if (!new) { - ossl_raise(eX509ReqError, NULL); - } - SetX509Req(obj, new); - - return obj; -} - X509_REQ * GetX509ReqPtr(VALUE obj) { X509_REQ *req; - SafeGetX509Req(obj, req); + GetX509Req(obj, req); return req; } -X509_REQ * -DupX509ReqPtr(VALUE obj) -{ - X509_REQ *req, *new; - - SafeGetX509Req(obj, req); - if (!(new = X509_REQ_dup(req))) { - ossl_raise(eX509ReqError, NULL); - } - - return new; -} - /* * Private functions */ @@ -145,7 +108,7 @@ ossl_x509req_copy(VALUE self, VALUE othe rb_check_frozen(self); if (self == other) return self; GetX509Req(self, a); - SafeGetX509Req(other, b); + GetX509Req(other, b); if (!(req = X509_REQ_dup(b))) { ossl_raise(eX509ReqError, NULL); } @@ -330,11 +293,10 @@ ossl_x509req_set_public_key(VALUE self, EVP_PKEY *pkey; GetX509Req(self, req); - pkey = GetPKeyPtr(key); /* NO NEED TO DUP */ - if (!X509_REQ_set_pubkey(req, pkey)) { - ossl_raise(eX509ReqError, NULL); - } - + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); + if (!X509_REQ_set_pubkey(req, pkey)) + ossl_raise(eX509ReqError, "X509_REQ_set_pubkey"); return key; } 
@@ -347,7 +309,7 @@ ossl_x509req_sign(VALUE self, VALUE key, GetX509Req(self, req); pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ - md = GetDigestPtr(digest); + md = ossl_evp_get_digestbyname(digest); if (!X509_REQ_sign(req, pkey, md)) { ossl_raise(eX509ReqError, NULL); } @@ -365,7 +327,8 @@ ossl_x509req_verify(VALUE self, VALUE ke EVP_PKEY *pkey; GetX509Req(self, req); - pkey = GetPKeyPtr(key); /* NO NEED TO DUP */ + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); switch (X509_REQ_verify(req, pkey)) { case 1: return Qtrue; @@ -457,7 +420,7 @@ Init_ossl_x509req(void) rb_define_alloc_func(cX509Req, ossl_x509req_alloc); rb_define_method(cX509Req, "initialize", ossl_x509req_initialize, -1); - rb_define_copy_func(cX509Req, ossl_x509req_copy); + rb_define_method(cX509Req, "initialize_copy", ossl_x509req_copy, 1); rb_define_method(cX509Req, "to_pem", ossl_x509req_to_pem, 0); rb_define_method(cX509Req, "to_der", ossl_x509req_to_der, 0);
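Review bot: `ossl_x509req_sign` still raises with `ossl_raise(eX509ReqError, NULL)` although `ossl_x509req_set_public_key` in the preceding hunk now names the failing call. With the digest resolved from a caller-supplied name, a failed signature is more likely to need diagnosing, so I would use `ossl_raise(eX509ReqError, "X509_REQ_sign");` here. `ossl_spki_sign` in ext/openssl/ossl_ns_spki.c has the same `NULL` message next to the newly named `"NETSCAPE_SPKI_set_pubkey"` and `"NETSCAPE_SPKI_verify"` ones. Both function bodies start outside their hunks.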
  38. Download patch test/test_pkey_ec.rb
  39. Download patch ext/openssl/ossl_pkey_rsa.c
  40. Download patch test/fixtures/pkey/dsa256.pem

    --- 2.0.5-1/test/fixtures/pkey/dsa256.pem 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/fixtures/pkey/dsa256.pem 2018-05-12 06:51:09.000000000 +0000 @@ -0,0 +1,8 @@ +-----BEGIN DSA PRIVATE KEY----- +MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE +9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed +AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM +3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT +b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn +ISNX5cMzFHRW3Q== +-----END DSA PRIVATE KEY-----
  41. Download patch test/test_kdf.rb

    --- 2.0.5-1/test/test_kdf.rb 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_kdf.rb 2018-05-12 06:51:09.000000000 +0000 
@@ -0,0 +1,183 @@ +# frozen_string_literal: false +require_relative 'utils' + +if defined?(OpenSSL) + +class OpenSSL::TestKDF < OpenSSL::TestCase + def test_pkcs5_pbkdf2_hmac_compatibility + expected = OpenSSL::KDF.pbkdf2_hmac("password", salt: "salt", iterations: 1, length: 20, hash: "sha1") + assert_equal(expected, OpenSSL::PKCS5.pbkdf2_hmac("password", "salt", 1, 20, "sha1")) + assert_equal(expected, OpenSSL::PKCS5.pbkdf2_hmac_sha1("password", "salt", 1, 20)) + end + + def test_pbkdf2_hmac_sha1_rfc6070_c_1_len_20 + p ="password" + s = "salt" + c = 1 + dk_len = 20 + raw = %w{ 0c 60 c8 0f 96 1f 0e 71 + f3 a9 b5 24 af 60 12 06 + 2f e0 37 a6 } + expected = [raw.join('')].pack('H*') + value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") + assert_equal(expected, value) + end + + def test_pbkdf2_hmac_sha1_rfc6070_c_2_len_20 + p ="password" + s = "salt" + c = 2 + dk_len = 20 + raw = %w{ ea 6c 01 4d c7 2d 6f 8c + cd 1e d9 2a ce 1d 41 f0 + d8 de 89 57 } + expected = [raw.join('')].pack('H*') + value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") + assert_equal(expected, value) + end + + def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_20 + p ="password" + s = "salt" + c = 4096 + dk_len = 20 + raw = %w{ 4b 00 79 01 b7 65 48 9a + be ad 49 d9 26 f7 21 d0 + 65 a4 29 c1 } + expected = [raw.join('')].pack('H*') + value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") + assert_equal(expected, value) + end + +# takes too long! 
+# def test_pbkdf2_hmac_sha1_rfc6070_c_16777216_len_20 +# p ="password" +# s = "salt" +# c = 16777216 +# dk_len = 20 +# raw = %w{ ee fe 3d 61 cd 4d a4 e4 +# e9 94 5b 3d 6b a2 15 8c +# 26 34 e9 84 } +# expected = [raw.join('')].pack('H*') +# value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") +# assert_equal(expected, value) +# end + + def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_25 + p ="passwordPASSWORDpassword" + s = "saltSALTsaltSALTsaltSALTsaltSALTsalt" + c = 4096 + dk_len = 25 + + raw = %w{ 3d 2e ec 4f e4 1c 84 9b + 80 c8 d8 36 62 c0 e4 4a + 8b 29 1a 96 4c f2 f0 70 + 38 } + expected = [raw.join('')].pack('H*') + value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") + assert_equal(expected, value) + end + + def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_16 + p ="pass\0word" + s = "sa\0lt" + c = 4096 + dk_len = 16 + raw = %w{ 56 fa 6a a7 55 48 09 9d + cc 37 d7 f0 34 25 e0 c3 } + expected = [raw.join('')].pack('H*') + value = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha1") + assert_equal(expected, value) + end + + def test_pbkdf2_hmac_sha256_c_20000_len_32 + #unfortunately no official test vectors available yet for SHA-2 + p ="password" + s = OpenSSL::Random.random_bytes(16) + c = 20000 + dk_len = 32 + value1 = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha256") + value2 = OpenSSL::KDF.pbkdf2_hmac(p, salt: s, iterations: c, length: dk_len, hash: "sha256") + assert_equal(value1, value2) + end + + def test_scrypt_rfc7914_first + pend "scrypt is not implemented" unless OpenSSL::KDF.respond_to?(:scrypt) # OpenSSL >= 1.1.0 + pass = "" + salt = "" + n = 16 + r = 1 + p = 1 + dklen = 64 + expected = B(%w{ 77 d6 57 62 38 65 7b 20 3b 19 ca 42 c1 8a 04 97 + f1 6b 48 44 e3 07 4a e8 df df fa 3f ed e2 14 42 + fc d0 06 9d ed 09 48 f8 32 6a 75 3a 0f c8 1f 17 + e8 d3 e0 fb 2e 0d 36 28 cf 35 e2 0c 38 d1 89 06 }) + assert_equal(expected, 
OpenSSL::KDF.scrypt(pass, salt: salt, N: n, r: r, p: p, length: dklen)) + end + + def test_scrypt_rfc7914_second + pend "scrypt is not implemented" unless OpenSSL::KDF.respond_to?(:scrypt) # OpenSSL >= 1.1.0 + pass = "password" + salt = "NaCl" + n = 1024 + r = 8 + p = 16 + dklen = 64 + expected = B(%w{ fd ba be 1c 9d 34 72 00 78 56 e7 19 0d 01 e9 fe + 7c 6a d7 cb c8 23 78 30 e7 73 76 63 4b 37 31 62 + 2e af 30 d9 2e 22 a3 88 6f f1 09 27 9d 98 30 da + c7 27 af b9 4a 83 ee 6d 83 60 cb df a2 cc 06 40 }) + assert_equal(expected, OpenSSL::KDF.scrypt(pass, salt: salt, N: n, r: r, p: p, length: dklen)) + end + + def test_hkdf_rfc5869_test_case_1 + pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 + hash = "sha256" + ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b") + salt = B("000102030405060708090a0b0c") + info = B("f0f1f2f3f4f5f6f7f8f9") + l = 42 + + okm = B("3cb25f25faacd57a90434f64d0362f2a" \ + "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" \ + "34007208d5b887185865") + assert_equal(okm, OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: l, hash: hash)) + end + + def test_hkdf_rfc5869_test_case_3 + pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 + hash = "sha256" + ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b") + salt = B("") + info = B("") + l = 42 + + okm = B("8da4e775a563c18f715f802a063c5a31" \ + "b8a11f5c5ee1879ec3454e5f3c738d2d" \ + "9d201395faa4b61a96c8") + assert_equal(okm, OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: l, hash: hash)) + end + + def test_hkdf_rfc5869_test_case_4 + pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 + hash = "sha1" + ikm = B("0b0b0b0b0b0b0b0b0b0b0b") + salt = B("000102030405060708090a0b0c") + info = B("f0f1f2f3f4f5f6f7f8f9") + l = 42 + + okm = B("085a01ea1b10f36933068b56efa5ad81" \ + "a4f14b822f5b091568a9cdd4f155fda2" \ + "c22e422478d305f3f896") + assert_equal(okm, OpenSSL::KDF.hkdf(ikm, salt: salt, 
info: info, length: l, hash: hash)) + end + + private + + def B(ary) + [Array(ary).join].pack("H*") + end +end + +end
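Review bot: `test_pbkdf2_hmac_sha256_c_20000_len_32` only asserts that two identical calls return the same bytes, so it would still pass if the SHA-256 path produced a wrong or constant value. At minimum add `assert_equal(dk_len, value1.bytesize)` and `assert_not_equal(value1, OpenSSL::KDF.pbkdf2_hmac(p, salt: s + "x", iterations: c, length: dk_len, hash: "sha256"))`. A fixed salt with a precomputed expected value would be stronger than a random one. The commented-out 16777216-iteration case is dead code; either delete it or gate it behind an environment variable so it can still be run on demand.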
  42. Download patch test/test_asn1.rb
  43. Download patch openssl.gemspec

    --- 2.0.5-1/openssl.gemspec 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/openssl.gemspec 2018-05-12 06:51:09.000000000 +0000 @@ -1,11 +1,11 @@ Gem::Specification.new do |spec| spec.name = "openssl" - spec.version = "2.0.5" + spec.version = "2.1.1" spec.authors = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"] spec.email = ["ruby-core@ruby-lang.org"] spec.summary = %q{OpenSSL provides SSL, TLS and general purpose cryptography.} spec.description = %q{It wraps the OpenSSL library.} - spec.homepage = "https://www.ruby-lang.org/" + spec.homepage = "https://github.com/ruby/openssl" spec.license = "Ruby" spec.files = Dir["lib/**/*.rb", "ext/**/*.{c,h,rb}", "*.md", "BSDL", "LICENSE.txt"]
  44. Download patch lib/openssl/bn.rb

    --- 2.0.5-1/lib/openssl/bn.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/bn.rb 2018-05-12 06:51:09.000000000 +0000 @@ -27,8 +27,9 @@ module OpenSSL end # OpenSSL ## +#-- # Add double dispatch to Integer -# +#++ class Integer # Casts an Integer as an OpenSSL::BN #
  45. Download patch ext/openssl/ossl_hmac.c

    --- 2.0.5-1/ext/openssl/ossl_hmac.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_hmac.c 2018-05-12 06:51:09.000000000 +0000 @@ -19,10 +19,6 @@ ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \ } \ } while (0) -#define SafeGetHMAC(obj, ctx) do { \ - OSSL_Check_Kind((obj), cHMAC); \ - GetHMAC((obj), (ctx)); \ -} while (0) /* * Classes @@ -110,7 +106,7 @@ ossl_hmac_initialize(VALUE self, VALUE k StringValue(key); GetHMAC(self, ctx); HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), - GetDigestPtr(digest), NULL); + ossl_evp_get_digestbyname(digest), NULL); return self; } @@ -124,7 +120,7 @@ ossl_hmac_copy(VALUE self, VALUE other) if (self == other) return self; GetHMAC(self, ctx1); - SafeGetHMAC(other, ctx2); + GetHMAC(other, ctx2); if (!HMAC_CTX_copy(ctx1, ctx2)) ossl_raise(eHMACError, "HMAC_CTX_copy"); @@ -135,7 +131,7 @@ ossl_hmac_copy(VALUE self, VALUE other) * call-seq: * hmac.update(string) -> self * - * Returns +self+ updated with the message to be authenticated. + * Returns _hmac_ updated with the message to be authenticated. * Can be called repeatedly with chunks of the message. * * === Example @@ -234,7 +230,7 @@ ossl_hmac_hexdigest(VALUE self) * call-seq: * hmac.reset -> self * - * Returns +self+ as it was when it was first initialized, with all processed + * Returns _hmac_ as it was when it was first initialized, with all processed * data cleared from it. * * === Example 
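Review bot: The return value of `HMAC_Init_ex` is discarded in `ossl_hmac_initialize` (hunk `@@ -110,7 +106,7 @@`), so a failed initialisation leaves a context that later `update` and `digest` calls use without any error being raised. Since the digest can now be given by name, a rejected algorithm is easier to hit, and the call should be checked: `if (!HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), ossl_evp_get_digestbyname(digest), NULL)) ossl_raise(eHMACError, "HMAC_Init_ex");`. The function body starts outside the hunk.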
@@ -264,16 +260,16 @@ ossl_hmac_reset(VALUE self) * call-seq: * HMAC.digest(digest, key, data) -> aString * - * Returns the authentication code as a binary string. The +digest+ parameter - * must be an instance of OpenSSL::Digest. + * Returns the authentication code as a binary string. The _digest_ parameter + * specifies the digest algorithm to use. This may be a String representing + * the algorithm name or an instance of OpenSSL::Digest. * * === Example * * key = 'key' * data = 'The quick brown fox jumps over the lazy dog' - * digest = OpenSSL::Digest.new('sha1') * - * hmac = OpenSSL::HMAC.digest(digest, key, data) + * hmac = OpenSSL::HMAC.digest('sha1', key, data) * #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9" * */ @@ -285,8 +281,9 @@ ossl_hmac_s_digest(VALUE klass, VALUE di StringValue(key); StringValue(data); - buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key), - (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len); + buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key), + RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data), NULL, &buf_len); return rb_str_new((const char *)buf, buf_len); } @@ -295,16 +292,16 @@ ossl_hmac_s_digest(VALUE klass, VALUE di * call-seq: * HMAC.hexdigest(digest, key, data) -> aString * - * Returns the authentication code as a hex-encoded string. The +digest+ - * parameter must be an instance of OpenSSL::Digest. + * Returns the authentication code as a hex-encoded string. The _digest_ + * parameter specifies the digest algorithm to use. This may be a String + * representing the algorithm name or an instance of OpenSSL::Digest. * * === Example * * key = 'key' * data = 'The quick brown fox jumps over the lazy dog' - * digest = OpenSSL::Digest.new('sha1') * - * hmac = OpenSSL::HMAC.hexdigest(digest, key, data) + * hmac = OpenSSL::HMAC.hexdigest('sha1', key, data) * #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9" * */ 
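Review bot: `ossl_hmac_s_digest` (hunk `@@ -285,8 +281,9 @@`) passes `NULL` as the output buffer to `HMAC()` and hands the result straight to `rb_str_new` without checking it. A failed call yields a NULL `buf`, and the NULL output argument makes OpenSSL write into a static array that its documentation describes as not thread safe. `ossl_hmac_s_hexdigest` in the next hunk passes a buffer and raises on failure, so this function should do the same: declare `unsigned char buf[EVP_MAX_MD_SIZE];` and use `if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key), RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), buf, &buf_len)) ossl_raise(eHMACError, "HMAC");`. The declarations of `buf` and `buf_len` are outside the hunk, so the declaration change is an assumption about their current types.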
@@ -318,9 +315,9 @@ ossl_hmac_s_hexdigest(VALUE klass, VALUE StringValue(key); StringValue(data); - if (!HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key), - (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), - buf, &buf_len)) + if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key), + RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data), + RSTRING_LEN(data), buf, &buf_len)) ossl_raise(eHMACError, "HMAC"); ret = rb_str_new(NULL, buf_len * 2); @@ -377,7 +374,7 @@ Init_ossl_hmac(void) rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3); rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2); - rb_define_copy_func(cHMAC, ossl_hmac_copy); + rb_define_method(cHMAC, "initialize_copy", ossl_hmac_copy, 1); rb_define_method(cHMAC, "reset", ossl_hmac_reset, 0); rb_define_method(cHMAC, "update", ossl_hmac_update, 1);
  46. Download patch test/test_engine.rb

    --- 2.0.5-1/test/test_engine.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_engine.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,8 +1,9 @@ # frozen_string_literal: false require_relative 'utils' -class OpenSSL::TestEngine < OpenSSL::TestCase +if defined?(OpenSSL) && defined?(OpenSSL::Engine) +class OpenSSL::TestEngine < OpenSSL::TestCase def test_engines_free # [ruby-dev:44173] with_openssl <<-'end;' OpenSSL::Engine.load("openssl") @@ -51,32 +52,28 @@ class OpenSSL::TestEngine < OpenSSL::Tes end def test_openssl_engine_cipher_rc4 - with_openssl <<-'end;' - begin - engine = get_engine - algo = "RC4" #AES is not supported by openssl Engine (<=1.0.0e) - data = "a" * 1000 - key = OpenSSL::Random.random_bytes(16) - # suppress message from openssl Engine's RC4 cipher [ruby-core:41026] - err_back = $stderr.dup - $stderr.reopen(IO::NULL) - encrypted = crypt_data(data, key, :encrypt) { engine.cipher(algo) } - decrypted = crypt_data(encrypted, key, :decrypt) { OpenSSL::Cipher.new(algo) } - assert_equal(data, decrypted) - ensure - if err_back - $stderr.reopen(err_back) - err_back.close - end - end + begin + OpenSSL::Cipher.new("rc4") + rescue OpenSSL::Cipher::CipherError + pend "RC4 is not supported" + end + + with_openssl(<<-'end;', ignore_stderr: true) + engine = get_engine + algo = "RC4" + data = "a" * 1000 + key = OpenSSL::Random.random_bytes(16) + encrypted = crypt_data(data, key, :encrypt) { engine.cipher(algo) } + decrypted = crypt_data(encrypted, key, :decrypt) { OpenSSL::Cipher.new(algo) } + assert_equal(data, decrypted) end; end private # this is required because OpenSSL::Engine methods change global state - def with_openssl(code) - assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") + def with_openssl(code, **opts) + assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;", **opts) require #{__FILE__.dump} include OpenSSL::TestEngine::Utils #{code} 
@@ -95,5 +92,6 @@ class OpenSSL::TestEngine < OpenSSL::Tes cipher.update(data) + cipher.final end end +end -end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine) +end
  47. Download patch lib/openssl.rb

    --- 2.0.5-1/lib/openssl.rb 2017-08-08 09:29:07.000000000 +0000
    +++ 2.1.1-0ubuntu1/lib/openssl.rb 2018-05-12 06:51:09.000000000 +0000
    @@ -19,3 +19,4 @@ require 'openssl/config'
     require 'openssl/digest'
     require 'openssl/x509'
     require 'openssl/ssl'
    +require 'openssl/pkcs5'
  48. Download patch ext/openssl/ossl_engine.c
  49. Download patch ext/openssl/ossl_x509ext.c

    --- 2.0.5-1/ext/openssl/ossl_x509ext.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509ext.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "EXT wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509Ext(obj, ext) do { \ - OSSL_Check_Kind((obj), cX509Ext); \ - GetX509Ext((obj), (ext)); \ -} while (0) #define MakeX509ExtFactory(klass, obj, ctx) do { \ (obj) = TypedData_Wrap_Struct((klass), &ossl_x509extfactory_type, 0); \ if (!((ctx) = OPENSSL_malloc(sizeof(X509V3_CTX)))) \ @@ -90,7 +86,7 @@ GetX509ExtPtr(VALUE obj) { X509_EXTENSION *ext; - SafeGetX509Ext(obj, ext); + GetX509Ext(obj, ext); return ext; } @@ -263,15 +259,15 @@ ossl_x509ext_alloc(VALUE klass) /* * call-seq: - * OpenSSL::X509::Extension.new asn1 - * OpenSSL::X509::Extension.new name, value - * OpenSSL::X509::Extension.new name, value, critical + * OpenSSL::X509::Extension.new(der) + * OpenSSL::X509::Extension.new(oid, value) + * OpenSSL::X509::Extension.new(oid, value, critical) * * Creates an X509 extension. * - * The extension may be created from +asn1+ data or from an extension +name+ - * and +value+. The +name+ may be either an OID or an extension name. If - * +critical+ is true the extension is marked critical. + * The extension may be created from _der_ data or from an extension _oid_ + * and _value_. The _oid_ may be either an OID or an extension name. If + * _critical_ is +true+ the extension is marked critical. */ static VALUE ossl_x509ext_initialize(int argc, VALUE *argv, VALUE self) @@ -305,7 +301,7 @@ ossl_x509ext_initialize_copy(VALUE self, rb_check_frozen(self); GetX509Ext(self, ext); - SafeGetX509Ext(other, ext_other); + GetX509Ext(other, ext_other); ext_new = X509_EXTENSION_dup(ext_other); if (!ext_new) 
@@ -469,7 +465,7 @@ Init_ossl_x509ext(void) cX509Ext = rb_define_class_under(mX509, "Extension", rb_cObject); rb_define_alloc_func(cX509Ext, ossl_x509ext_alloc); rb_define_method(cX509Ext, "initialize", ossl_x509ext_initialize, -1); - rb_define_copy_func(cX509Ext, ossl_x509ext_initialize_copy); + rb_define_method(cX509Ext, "initialize_copy", ossl_x509ext_initialize_copy, 1); rb_define_method(cX509Ext, "oid=", ossl_x509ext_set_oid, 1); rb_define_method(cX509Ext, "value=", ossl_x509ext_set_value, 1); rb_define_method(cX509Ext, "critical=", ossl_x509ext_set_critical, 1);
  50. Download patch ext/openssl/ossl_x509cert.c
  51. Download patch test/test_pkey_rsa.rb
  52. Download patch ext/openssl/ossl_ssl.c
  53. Download patch ext/openssl/ossl_ns_spki.c

    --- 2.0.5-1/ext/openssl/ossl_ns_spki.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_ns_spki.c 2018-05-12 06:51:09.000000000 +0000 @@ -73,7 +73,7 @@ ossl_spki_alloc(VALUE klass) * SPKI.new([request]) => spki * * === Parameters - * * +request+ - optional raw request, either in PEM or DER format. + * * _request_ - optional raw request, either in PEM or DER format. */ static VALUE ossl_spki_initialize(int argc, VALUE *argv, VALUE self) @@ -198,7 +198,7 @@ ossl_spki_get_public_key(VALUE self) * spki.public_key = pub => pkey * * === Parameters - * * +pub+ - the public key to be set for this instance + * * _pub_ - the public key to be set for this instance * * Sets the public key to be associated with the SPKI, an instance of * OpenSSL::PKey. This should be the public key corresponding to the @@ -208,12 +208,13 @@ static VALUE ossl_spki_set_public_key(VALUE self, VALUE key) { NETSCAPE_SPKI *spki; + EVP_PKEY *pkey; GetSPKI(self, spki); - if (!NETSCAPE_SPKI_set_pubkey(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */ - ossl_raise(eSPKIError, NULL); - } - + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); + if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) + ossl_raise(eSPKIError, "NETSCAPE_SPKI_set_pubkey"); return key; } @@ -243,7 +244,7 @@ ossl_spki_get_challenge(VALUE self) * spki.challenge = str => string * * === Parameters - * * +str+ - the challenge string to be set for this instance + * * _str_ - the challenge string to be set for this instance * * Sets the challenge to be associated with the SPKI. May be used by the * server, e.g. to prevent replay. 
@@ -268,8 +269,8 @@ ossl_spki_set_challenge(VALUE self, VALU * spki.sign(key, digest) => spki * * === Parameters - * * +key+ - the private key to be used for signing this instance - * * +digest+ - the digest to be used for signing this instance + * * _key_ - the private key to be used for signing this instance + * * _digest_ - the digest to be used for signing this instance * * To sign an SPKI, the private key corresponding to the public key set * for this instance should be used, in addition to a digest algorithm in @@ -284,7 +285,7 @@ ossl_spki_sign(VALUE self, VALUE key, VA const EVP_MD *md; pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ - md = GetDigestPtr(digest); + md = ossl_evp_get_digestbyname(digest); GetSPKI(self, spki); if (!NETSCAPE_SPKI_sign(spki, pkey, md)) { ossl_raise(eSPKIError, NULL); @@ -298,7 +299,7 @@ ossl_spki_sign(VALUE self, VALUE key, VA * spki.verify(key) => boolean * * === Parameters - * * +key+ - the public key to be used for verifying the SPKI signature + * * _key_ - the public key to be used for verifying the SPKI signature * * Returns +true+ if the signature is valid, +false+ otherwise. To verify an * SPKI, the public key contained within the SPKI should be used. @@ -307,17 +308,20 @@ static VALUE ossl_spki_verify(VALUE self, VALUE key) { NETSCAPE_SPKI *spki; + EVP_PKEY *pkey; GetSPKI(self, spki); - switch (NETSCAPE_SPKI_verify(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */ - case 0: + pkey = GetPKeyPtr(key); + ossl_pkey_check_public_key(pkey); + switch (NETSCAPE_SPKI_verify(spki, pkey)) { + case 0: + ossl_clear_error(); return Qfalse; - case 1: + case 1: return Qtrue; - default: - ossl_raise(eSPKIError, NULL); + default: + ossl_raise(eSPKIError, "NETSCAPE_SPKI_verify"); } - return Qnil; /* dummy */ } /* Document-class: OpenSSL::Netscape::SPKI
  54. Download patch test/test_hmac.rb

    --- 2.0.5-1/test/test_hmac.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_hmac.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,6 +1,8 @@ # frozen_string_literal: false require_relative 'utils' +if defined?(OpenSSL) + class OpenSSL::TestHMAC < OpenSSL::TestCase def test_hmac # RFC 2202 2. Test Cases for HMAC-MD5 @@ -37,4 +39,6 @@ class OpenSSL::TestHMAC < OpenSSL::TestC second = h1.update("test").hexdigest assert_equal first, second end -end if defined?(OpenSSL::TestUtils) +end + +end
  55. Download patch test/test_random.rb

    --- 2.0.5-1/test/test_random.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_random.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,6 +1,8 @@ # frozen_string_literal: false require_relative "utils" +if defined?(OpenSSL) + class OpenSSL::TestRandom < OpenSSL::TestCase def test_random_bytes assert_equal("", OpenSSL::Random.random_bytes(0)) @@ -12,4 +14,6 @@ class OpenSSL::TestRandom < OpenSSL::Tes assert_equal("", OpenSSL::Random.pseudo_bytes(0)) assert_equal(12, OpenSSL::Random.pseudo_bytes(12).bytesize) end if OpenSSL::Random.methods.include?(:pseudo_bytes) -end if defined?(OpenSSL::TestCase) +end + +end
  56. Download patch debian/patches/series

    --- 2.0.5-1/debian/patches/series 2017-08-25 17:39:14.000000000 +0000
    +++ 2.1.1-0ubuntu1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
    @@ -1 +0,0 @@
    -0001-test-test_ssl-explicitly-accept-TLS-1.1-in-correspon.patch
  57. Download patch ext/openssl/ruby_missing.h

    --- 2.0.5-1/ext/openssl/ruby_missing.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ruby_missing.h 2018-05-12 06:51:09.000000000 +0000 @@ -10,14 +10,15 @@ #if !defined(_OSSL_RUBY_MISSING_H_) #define _OSSL_RUBY_MISSING_H_ -#define rb_define_copy_func(klass, func) \ - rb_define_method((klass), "initialize_copy", (func), 1) - -#define FPTR_TO_FD(fptr) ((fptr)->fd) - +/* Ruby 2.4 */ #ifndef RB_INTEGER_TYPE_P -/* for Ruby 2.3 compatibility */ -#define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM)) +# define RB_INTEGER_TYPE_P(obj) (RB_FIXNUM_P(obj) || RB_TYPE_P(obj, T_BIGNUM)) +#endif + +/* Ruby 2.5 */ +#ifndef ST2FIX +# define RB_ST2FIX(h) LONG2FIX((long)(h)) +# define ST2FIX(h) RB_ST2FIX(h) #endif #endif /* _OSSL_RUBY_MISSING_H_ */
  58. Download patch test/test_x509cert.rb

    --- 2.0.5-1/test/test_x509cert.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_x509cert.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,23 +1,19 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestX509Certificate < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") end - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_serial [1, 2**32, 2**100].each{|s| cert = issue_cert(@ca, @rsa2048, s, [], nil, nil) @@ -34,13 +30,10 @@ class OpenSSL::TestX509Certificate < Ope ["authorityKeyIdentifier","keyid:always",false], ] - sha1 = OpenSSL::Digest::SHA1.new - dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new - [ - [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] - ].each{|pk, digest| - cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest) + @rsa1024, @rsa2048, @dsa256, @dsa512, + ].each{|pk| + cert = issue_cert(@ca, pk, 1, exts, nil, nil) assert_equal(cert.extensions.sort_by(&:to_s)[2].value, OpenSSL::TestUtils.get_subject_key_id(cert)) cert = OpenSSL::X509::Certificate.new(cert.to_der) 
@@ -152,26 +145,15 @@ class OpenSSL::TestX509Certificate < Ope } end - def test_dsig_algorithm_mismatch - assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) - end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949] - end - def test_dsa_with_sha2 - begin - cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") - assert_equal("dsa_with_SHA256", cert.signature_algorithm) - rescue OpenSSL::X509::CertificateError - # dsa_with_sha2 not supported. skip following test. - return - end + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") + assert_equal("dsa_with_SHA256", cert.signature_algorithm) # TODO: need more tests for dsa + sha2 # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") assert_equal("dsaWithSHA1", cert.signature_algorithm) - end if defined?(OpenSSL::Digest::SHA256) + end def test_check_private_key cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) @@ -187,6 +169,26 @@ class OpenSSL::TestX509Certificate < Ope } end + def test_eq + now = Time.now + cacert = issue_cert(@ca, @rsa1024, 1, [], nil, nil, + not_before: now, not_after: now + 3600) + cert1 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + not_before: now, not_after: now + 3600) + cert2 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + not_before: now, not_after: now + 3600) + cert3 = issue_cert(@ee1, @rsa2048, 3, [], cacert, @rsa1024, + not_before: now, not_after: now + 3600) + cert4 = issue_cert(@ee1, @rsa2048, 2, [], cacert, @rsa1024, + digest: "sha512", not_before: now, not_after: now + 3600) + + assert_equal false, cert1 == 12345 + assert_equal true, cert1 == cert2 + assert_equal false, cert1 == cert3 + assert_equal false, cert1 == cert4 + assert_equal false, cert3 == cert4 + end + private def certificate_error_returns_false
  59. Download patch Rakefile

    --- 2.0.5-1/Rakefile 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/Rakefile 2018-05-12 06:51:09.000000000 +0000 @@ -20,7 +20,7 @@ RDoc::Task.new do |rdoc| rdoc.rdoc_files.include("*.md", "lib/**/*.rb", "ext/**/*.c") end -task :test => :debug +task :test => [:compile, :debug] task :debug do ruby "-I./lib -ropenssl -ve'puts OpenSSL::OPENSSL_VERSION, OpenSSL::OPENSSL_LIBRARY_VERSION'" end @@ -58,11 +58,12 @@ namespace :sync do paths = [ ["ext/openssl/", "ext/openssl/"], + ["lib/", "ext/openssl/lib/"], + ["sample/", "sample/openssl/"], + ["test/fixtures/", "test/openssl/fixtures/"], ["test/utils.rb", "test/openssl/"], ["test/ut_eof.rb", "test/openssl/"], ["test/test_*", "test/openssl/"], - ["lib/", "ext/openssl/lib/"], - ["sample/", "sample/openssl/"], ["History.md", "ext/openssl/"], ] paths.each do |src, dst| @@ -76,3 +77,5 @@ namespace :sync do puts "Don't forget to update ext/openssl/depend" end end + +task :default => :test
  60. Download patch ext/openssl/ossl_ssl.h

    --- 2.0.5-1/ext/openssl/ossl_ssl.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_ssl.h 2018-05-12 06:51:09.000000000 +0000 @@ -24,11 +24,6 @@ } \ } while (0) -#define SafeGetSSLSession(obj, sess) do { \ - OSSL_Check_Kind((obj), cSSLSession); \ - GetSSLSession((obj), (sess)); \ -} while (0) - extern const rb_data_type_t ossl_ssl_type; extern const rb_data_type_t ossl_ssl_session_type; extern VALUE mSSL;
  61. Download patch ext/openssl/ossl_rand.c

    --- 2.0.5-1/ext/openssl/ossl_rand.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_rand.c 2018-05-12 06:51:09.000000000 +0000 @@ -16,7 +16,7 @@ VALUE eRandomError; * call-seq: * seed(str) -> str * - * ::seed is equivalent to ::add where +entropy+ is length of +str+. + * ::seed is equivalent to ::add where _entropy_ is length of _str_. */ static VALUE ossl_rand_seed(VALUE self, VALUE str) @@ -31,15 +31,15 @@ ossl_rand_seed(VALUE self, VALUE str) * call-seq: * add(str, entropy) -> self * - * Mixes the bytes from +str+ into the Pseudo Random Number Generator(PRNG) + * Mixes the bytes from _str_ into the Pseudo Random Number Generator(PRNG) * state. * - * Thus, if the data from +str+ are unpredictable to an adversary, this + * Thus, if the data from _str_ are unpredictable to an adversary, this * increases the uncertainty about the state and makes the PRNG output less * predictable. * - * The +entropy+ argument is (the lower bound of) an estimate of how much - * randomness is contained in +str+, measured in bytes. + * The _entropy_ argument is (the lower bound of) an estimate of how much + * randomness is contained in _str_, measured in bytes. * * === Example * @@ -62,7 +62,7 @@ ossl_rand_add(VALUE self, VALUE str, VAL * call-seq: * load_random_file(filename) -> true * - * Reads bytes from +filename+ and adds them to the PRNG. + * Reads bytes from _filename_ and adds them to the PRNG. */ static VALUE ossl_rand_load_file(VALUE self, VALUE filename) @@ -79,7 +79,7 @@ ossl_rand_load_file(VALUE self, VALUE fi * call-seq: * write_random_file(filename) -> true * - * Writes a number of random generated bytes (currently 1024) to +filename+ + * Writes a number of random generated bytes (currently 1024) to _filename_ * which can be used to initialize the PRNG by calling ::load_random_file in a * later session. */ 
@@ -98,7 +98,7 @@ ossl_rand_write_file(VALUE self, VALUE f * call-seq: * random_bytes(length) -> string * - * Generates +string+ with +length+ number of cryptographically strong + * Generates a String with _length_ number of cryptographically strong * pseudo-random bytes. * * === Example @@ -129,7 +129,7 @@ ossl_rand_bytes(VALUE self, VALUE len) * call-seq: * pseudo_bytes(length) -> string * - * Generates +string+ with +length+ number of pseudo-random bytes. + * Generates a String with _length_ number of pseudo-random bytes. * * Pseudo-random byte sequences generated by ::pseudo_bytes will be unique if * they are of sufficient length, but are not necessarily unpredictable. @@ -176,9 +176,9 @@ ossl_rand_egd(VALUE self, VALUE filename * call-seq: * egd_bytes(filename, length) -> true * - * Queries the entropy gathering daemon EGD on socket path given by +filename+. + * Queries the entropy gathering daemon EGD on socket path given by _filename_. * - * Fetches +length+ number of bytes and uses ::add to seed the OpenSSL built-in + * Fetches _length_ number of bytes and uses ::add to seed the OpenSSL built-in * PRNG. */ static VALUE @@ -199,7 +199,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE fi * call-seq: * status? => true | false * - * Return true if the PRNG has been seeded with enough data, false otherwise. + * Return +true+ if the PRNG has been seeded with enough data, +false+ otherwise. */ static VALUE ossl_rand_status(VALUE self)
  62. Download patch test/test_pkey_dsa.rb

    --- 2.0.5-1/test/test_pkey_dsa.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_pkey_dsa.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,12 +1,9 @@ # frozen_string_literal: false require_relative 'utils' -require 'base64' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) && defined?(OpenSSL::PKey::DSA) class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase - DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512 - def test_private key = OpenSSL::PKey::DSA.new(256) assert(key.private?) @@ -37,27 +34,27 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PK end def test_sign_verify + dsa512 = Fixtures.pkey("dsa512") data = "Sign me!" if defined?(OpenSSL::Digest::DSS1) - signature = DSA512.sign(OpenSSL::Digest::DSS1.new, data) - assert_equal true, DSA512.verify(OpenSSL::Digest::DSS1.new, signature, data) + signature = dsa512.sign(OpenSSL::Digest::DSS1.new, data) + assert_equal true, dsa512.verify(OpenSSL::Digest::DSS1.new, signature, data) end - return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000 - signature = DSA512.sign("SHA1", data) - assert_equal true, DSA512.verify("SHA1", signature, data) + signature = dsa512.sign("SHA1", data) + assert_equal true, dsa512.verify("SHA1", signature, data) signature0 = (<<~'end;').unpack("m")[0] MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/ 6g== end; - assert_equal true, DSA512.verify("SHA256", signature0, data) + assert_equal true, dsa512.verify("SHA256", signature0, data) signature1 = signature0.succ - assert_equal false, DSA512.verify("SHA256", signature1, data) + assert_equal false, dsa512.verify("SHA256", signature1, data) end def test_sys_sign_verify - key = OpenSSL::TestUtils::TEST_KEY_DSA256 + key = Fixtures.pkey("dsa256") data = 'Sign me!' digest = OpenSSL::Digest::SHA1.digest(data) sig = key.syssign(digest) 
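Review bot: In `test_sign_verify` the only negative case is the mutated signature `signature0.succ`; nothing checks that a valid signature is rejected when the message differs. Adding `assert_equal false, dsa512.verify("SHA256", signature0, data + "x")` after the `signature1` assertion would cover that path. Going by its name the fixture is a deliberately small key, so a short comment such as `# dsa512: test-only key, not a size to use elsewhere` next to the first `Fixtures.pkey("dsa512")` would keep the snippet from being copied as an example.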
@@ -66,17 +63,18 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PK def test_DSAPrivateKey # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey + dsa512 = Fixtures.pkey("dsa512") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), - OpenSSL::ASN1::Integer(DSA512.p), - OpenSSL::ASN1::Integer(DSA512.q), - OpenSSL::ASN1::Integer(DSA512.g), - OpenSSL::ASN1::Integer(DSA512.pub_key), - OpenSSL::ASN1::Integer(DSA512.priv_key) + OpenSSL::ASN1::Integer(dsa512.p), + OpenSSL::ASN1::Integer(dsa512.q), + OpenSSL::ASN1::Integer(dsa512.g), + OpenSSL::ASN1::Integer(dsa512.pub_key), + OpenSSL::ASN1::Integer(dsa512.priv_key) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_predicate key, :private? - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key pem = <<~EOF -----BEGIN DSA PRIVATE KEY----- @@ -89,14 +87,15 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PK -----END DSA PRIVATE KEY----- EOF key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key - assert_equal asn1.to_der, DSA512.to_der - assert_equal pem, DSA512.export + assert_equal asn1.to_der, dsa512.to_der + assert_equal pem, dsa512.export end def test_DSAPrivateKey_encrypted # key = abcdef + dsa512 = Fixtures.pkey("dsa512") pem = <<~EOF -----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED 
@@ -111,35 +110,36 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PK -----END DSA PRIVATE KEY----- EOF key = OpenSSL::PKey::DSA.new(pem, "abcdef") - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key key = OpenSSL::PKey::DSA.new(pem) { "abcdef" } - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = DSA512.to_pem(cipher, "abcdef\0\1") - assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") + exported = dsa512.to_pem(cipher, "abcdef\0\1") + assert_same_dsa dsa512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::DSAError) { OpenSSL::PKey::DSA.new(exported, "abcdef") } end def test_PUBKEY + dsa512 = Fixtures.pkey("dsa512") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("DSA"), OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(DSA512.p), - OpenSSL::ASN1::Integer(DSA512.q), - OpenSSL::ASN1::Integer(DSA512.g) + OpenSSL::ASN1::Integer(dsa512.p), + OpenSSL::ASN1::Integer(dsa512.q), + OpenSSL::ASN1::Integer(dsa512.g) ]) ]), OpenSSL::ASN1::BitString( - OpenSSL::ASN1::Integer(DSA512.pub_key).to_der + OpenSSL::ASN1::Integer(dsa512.pub_key).to_der ) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_dsa dup_public(DSA512), key + assert_same_dsa dup_public(dsa512), key pem = <<~EOF -----BEGIN PUBLIC KEY----- @@ -152,10 +152,10 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PK -----END PUBLIC KEY----- EOF key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa dup_public(DSA512), key + assert_same_dsa dup_public(dsa512), key - assert_equal asn1.to_der, dup_public(DSA512).to_der - assert_equal pem, dup_public(DSA512).export + assert_equal asn1.to_der, dup_public(dsa512).to_der + assert_equal pem, dup_public(dsa512).export end def test_read_DSAPublicKey_pem
  63. Download patch ext/openssl/ossl_asn1.c
  64. Download patch test/test_ssl.rb
  65. Download patch test/fixtures/pkey/p256.pem

    --- 2.0.5-1/test/fixtures/pkey/p256.pem 1970-01-01 00:00:00.000000000 +0000
    +++ 2.1.1-0ubuntu1/test/fixtures/pkey/p256.pem 2018-05-12 06:51:09.000000000 +0000
    @@ -0,0 +1,5 @@
    +-----BEGIN EC PRIVATE KEY-----
    +MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49
    +AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt
    +CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg==
    +-----END EC PRIVATE KEY-----
  66. Download patch ext/openssl/ossl_pkey_dh.c

    --- 2.0.5-1/ext/openssl/ossl_pkey_dh.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkey_dh.c 2018-05-12 06:51:09.000000000 +0000 @@ -150,8 +150,8 @@ dh_generate(int size, int gen) * components alike. * * === Parameters - * * +size+ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure. - * * +generator+ is a small number > 1, typically 2 or 5. + * * _size_ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure. + * * _generator_ is a small number > 1, typically 2 or 5. * */ static VALUE @@ -181,15 +181,15 @@ ossl_dh_s_generate(int argc, VALUE *argv * DH.new(size [, generator]) -> dh * * Either generates a DH instance from scratch or by reading already existing - * DH parameters from +string+. Note that when reading a DH instance from + * DH parameters from _string_. Note that when reading a DH instance from * data that was encoded from a DH instance by using DH#to_pem or DH#to_der * the result will *not* contain a public/private key pair yet. This needs to * be generated using DH#generate_key! first. * * === Parameters - * * +size+ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure. - * * +generator+ is a small number > 1, typically 2 or 5. - * * +string+ contains the DER or PEM encoded key. + * * _size_ is an integer representing the desired key size. Keys smaller than 1024 bits should be considered insecure. + * * _generator_ is a small number > 1, typically 2 or 5. + * * _string_ contains the DER or PEM encoded key. * * === Examples * DH.new # -> dh 
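Review bot: The rewritten `_size_` parameter lines in this hunk (`DH.generate`) and in the `DH.new` hunk that follows still say only that keys smaller than 1024 bits should be considered insecure. 1024-bit DH groups are themselves no longer regarded as adequate, so while these lines are being touched the guidance could be raised, e.g. `* _size_ is an integer representing the desired key size. Keys smaller than 2048 bits should be considered insecure.` Both comment blocks start outside their hunks.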
@@ -436,7 +436,7 @@ ossl_dh_to_text(VALUE self) * dh.public_key -> aDH * * Returns a new DH instance that carries just the public information, i.e. - * the prime +p+ and the generator +g+, but no public/private key yet. Such + * the prime _p_ and the generator _g_, but no public/private key yet. Such * a pair may be generated using DH#generate_key!. The "public key" needed * for a key exchange with DH#compute_key is considered as per-session * information and may be retrieved with DH#pub_key once a key pair has @@ -526,7 +526,7 @@ ossl_dh_generate_key(VALUE self) * See DH_compute_key() for further information. * * === Parameters - * * +pub_bn+ is a OpenSSL::BN, *not* the DH instance returned by + * * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by * DH#public_key as that contains the DH parameters only. */ static VALUE @@ -557,7 +557,7 @@ ossl_dh_compute_key(VALUE self, VALUE pu * call-seq: * dh.set_pqg(p, q, g) -> self * - * Sets +p+, +q+, +g+ for the DH instance. + * Sets _p_, _q_, _g_ to the DH instance. */ OSSL_PKEY_BN_DEF3(dh, DH, pqg, p, q, g) /* @@ -565,7 +565,7 @@ OSSL_PKEY_BN_DEF3(dh, DH, pqg, p, q, g) * call-seq: * dh.set_key(pub_key, priv_key) -> self * - * Sets +pub_key+ and +priv_key+ for the DH instance. +priv_key+ may be nil. + * Sets _pub_key_ and _priv_key_ for the DH instance. _priv_key_ may be +nil+. */ OSSL_PKEY_BN_DEF2(dh, DH, key, pub_key, priv_key) @@ -618,7 +618,7 @@ Init_ossl_dh(void) cDH = rb_define_class_under(mPKey, "DH", cPKey); rb_define_singleton_method(cDH, "generate", ossl_dh_s_generate, -1); rb_define_method(cDH, "initialize", ossl_dh_initialize, -1); - rb_define_copy_func(cDH, ossl_dh_initialize_copy); + rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1); rb_define_method(cDH, "public?", ossl_dh_is_public, 0); rb_define_method(cDH, "private?", ossl_dh_is_private, 0); rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
  67. Download patch ext/openssl/ossl_x509revoked.c

    --- 2.0.5-1/ext/openssl/ossl_x509revoked.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509revoked.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "REV wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509Rev(obj, rev) do { \ - OSSL_Check_Kind((obj), cX509Rev); \ - GetX509Rev((obj), (rev)); \ -} while (0) /* * Classes @@ -76,7 +72,7 @@ DupX509RevokedPtr(VALUE obj) { X509_REVOKED *rev, *new; - SafeGetX509Rev(obj, rev); + GetX509Rev(obj, rev); if (!(new = X509_REVOKED_dup(rev))) { ossl_raise(eX509RevError, NULL); } @@ -116,7 +112,7 @@ ossl_x509revoked_initialize_copy(VALUE s rb_check_frozen(self); GetX509Rev(self, rev); - SafeGetX509Rev(other, rev_other); + GetX509Rev(other, rev_other); rev_new = X509_REVOKED_dup(rev_other); if (!rev_new) @@ -159,10 +155,14 @@ static VALUE ossl_x509revoked_get_time(VALUE self) { X509_REVOKED *rev; + const ASN1_TIME *time; GetX509Rev(self, rev); + time = X509_REVOKED_get0_revocationDate(rev); + if (!time) + return Qnil; - return asn1time_to_time(X509_REVOKED_get0_revocationDate(rev)); + return asn1time_to_time(time); } static VALUE @@ -249,6 +249,26 @@ ossl_x509revoked_add_extension(VALUE sel return ext; } +static VALUE +ossl_x509revoked_to_der(VALUE self) +{ + X509_REVOKED *rev; + VALUE str; + int len; + unsigned char *p; + + GetX509Rev(self, rev); + len = i2d_X509_REVOKED(rev, NULL); + if (len <= 0) + ossl_raise(eX509RevError, "i2d_X509_REVOKED"); + str = rb_str_new(NULL, len); + p = (unsigned char *)RSTRING_PTR(str); + if (i2d_X509_REVOKED(rev, &p) <= 0) + ossl_raise(eX509RevError, "i2d_X509_REVOKED"); + ossl_str_adjust(str, p); + return str; +} + /* * INIT */ 
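Review bot: `DupX509RevokedPtr` and `ossl_x509revoked_initialize_copy` now call `GetX509Rev` on a caller-supplied object where they used `SafeGetX509Rev`, which ran `OSSL_Check_Kind((obj), cX509Rev)` first. Only the tail of the `GetX509Rev` macro is visible in this diff, so rejecting an object of another class presumably rests on a typed-data check inside that macro. A one-line comment at the call sites, `/* GetX509Rev type-checks obj; no separate kind check needed */`, would record the assumption, and a test that passes an object of another class where a Revoked is expected would pin it. Both functions continue outside their hunks.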
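Review bot: The new `ossl_x509revoked_to_der` has no RDoc comment, so the `to_der` method registered in the Init hunk ships without a call-seq or description. A block with `call-seq: revoked.to_der -> string`, plus a sentence that it returns the DER encoding and raises `eX509RevError` when `i2d_X509_REVOKED` fails, would document it. The two-pass pattern (size query, then encoding into a buffer of that size) relies on `rev` not changing between the two calls, which is worth stating in the same comment.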
@@ -267,7 +287,7 @@ Init_ossl_x509revoked(void) rb_define_alloc_func(cX509Rev, ossl_x509revoked_alloc); rb_define_method(cX509Rev, "initialize", ossl_x509revoked_initialize, -1); - rb_define_copy_func(cX509Rev, ossl_x509revoked_initialize_copy); + rb_define_method(cX509Rev, "initialize_copy", ossl_x509revoked_initialize_copy, 1); rb_define_method(cX509Rev, "serial", ossl_x509revoked_get_serial, 0); rb_define_method(cX509Rev, "serial=", ossl_x509revoked_set_serial, 1); @@ -276,4 +296,5 @@ Init_ossl_x509revoked(void) rb_define_method(cX509Rev, "extensions", ossl_x509revoked_get_extensions, 0); rb_define_method(cX509Rev, "extensions=", ossl_x509revoked_set_extensions, 1); rb_define_method(cX509Rev, "add_extension", ossl_x509revoked_add_extension, 1); + rb_define_method(cX509Rev, "to_der", ossl_x509revoked_to_der, 0); }
  68. Download patch ext/openssl/openssl_missing.c

    --- 2.0.5-1/ext/openssl/openssl_missing.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/openssl_missing.c 2018-05-12 06:51:09.000000000 +0000 @@ -20,73 +20,6 @@ #include "openssl_missing.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX * -ossl_EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); - if (!ctx) - return NULL; - EVP_CIPHER_CTX_init(ctx); - return ctx; -} -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void -ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) -{ - if (ctx) { - EVP_CIPHER_CTX_cleanup(ctx); - OPENSSL_free(ctx); - } -} -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -/* - * this function does not exist in OpenSSL yet... or ever?. - * a future version may break this function. - * tested on 0.9.7d. - */ -int -ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) -{ - memcpy(out, in, sizeof(EVP_CIPHER_CTX)); - -#if !defined(OPENSSL_NO_ENGINE) - if (in->engine) ENGINE_add(out->engine); - if (in->cipher_data) { - out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); - memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); - } -#endif - - return 1; -} -#endif - -#if !defined(OPENSSL_NO_HMAC) -#if !defined(HAVE_HMAC_CTX_COPY) -int -ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) -{ - if (!out || !in) - return 0; - - memcpy(out, in, sizeof(HMAC_CTX)); - - EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx); - EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx); - EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx); - - return 1; -} -#endif /* HAVE_HMAC_CTX_COPY */ -#endif /* NO_HMAC */ - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID)
  69. Download patch test/test_pkcs12.rb

    --- 2.0.5-1/test/test_pkcs12.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_pkcs12.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,12 +1,10 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) module OpenSSL class TestPKCS12 < OpenSSL::TestCase - include OpenSSL::TestUtils - def setup super ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @@ -16,7 +14,7 @@ module OpenSSL ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil) + @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") inter_ca_key = OpenSSL::PKey.read <<-_EOS_ @@ -36,25 +34,26 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ2 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= -----END RSA PRIVATE KEY----- _EOS_ - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048) + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048")) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key) + @mykey = Fixtures.pkey("rsa1024") + @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key) end def test_create pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert ) - assert_equal @mycert, pkcs12.certificate - assert_equal TEST_KEY_RSA1024, pkcs12.key + assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs end 
@@ -62,11 +61,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ pkcs12 = OpenSSL::PKCS12.create( nil, "hello", - TEST_KEY_RSA1024, + @mykey, @mycert ) - assert_equal @mycert, pkcs12.certificate - assert_equal TEST_KEY_RSA1024, pkcs12.key + assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs decoded = OpenSSL::PKCS12.new(pkcs12.to_der) @@ -79,7 +78,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, chain ) @@ -94,7 +93,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ pkcs12 = OpenSSL::PKCS12.create( passwd, "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, chain ) @@ -104,7 +103,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ assert_include_cert @cacert, decoded.ca_certs assert_include_cert @inter_cacert, decoded.ca_certs assert_cert @mycert, decoded.certificate - assert_equal TEST_KEY_RSA1024.to_der, decoded.key.to_der + assert_equal @mykey.to_der, decoded.key.to_der end def test_create_with_bad_nid @@ -112,7 +111,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], "foo" @@ -124,7 +123,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -136,7 +135,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -150,7 +149,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -163,7 +162,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, 
@@ -216,7 +215,7 @@ vyl2WuMdEwQIMWFFphPkIUICAggA EOF p12 = OpenSSL::PKCS12.new(str, "abc123") - assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der + assert_equal @mykey.to_der, p12.key.to_der assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der assert_equal [], Array(p12.ca_certs) end @@ -275,13 +274,13 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4E EOF p12 = OpenSSL::PKCS12.new(str, "abc123") - assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der + assert_equal @mykey.to_der, p12.key.to_der assert_equal nil, p12.certificate assert_equal [], Array(p12.ca_certs) end def test_dup - p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert) + p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert) assert_equal p12.to_der, p12.dup.to_der end @@ -308,7 +307,6 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4E end false end - end end
  70. Download patch lib/openssl/digest.rb

    --- 2.0.5-1/lib/openssl/digest.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/digest.rb 2018-05-12 06:51:09.000000000 +0000 @@ -15,15 +15,12 @@ module OpenSSL class Digest - alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1) + alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OPENSSL_VERSION_NUMBER < 0x10100000 alg += %w(DSS DSS1 SHA) end - if OPENSSL_VERSION_NUMBER > 0x00908000 - alg += %w(SHA224 SHA256 SHA384 SHA512) - end - # Return the +data+ hash computed with +name+ Digest. +name+ is either the + # Return the hash value computed with _name_ Digest. _name_ is either the # long name or short name of a supported digest algorithm. # # === Examples @@ -59,7 +56,7 @@ module OpenSSL end # Digest - # Returns a Digest subclass by +name+. + # Returns a Digest subclass by _name_ # # require 'openssl' #
  71. Download patch ext/openssl/ossl_bn.c
  72. Download patch ext/openssl/ossl_asn1.h

    --- 2.0.5-1/ext/openssl/ossl_asn1.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_asn1.h 2018-05-12 06:51:09.000000000 +0000 @@ -14,15 +14,11 @@ * ASN1_DATE conversions */ VALUE asn1time_to_time(const ASN1_TIME *); -#if defined(HAVE_ASN1_TIME_ADJ) /* Splits VALUE to seconds and offset days. VALUE is typically a Time or an * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because * they have the Year 2038 issue on sizeof(time_t) == 4 environment */ void ossl_time_split(VALUE, time_t *, int *); -#else -time_t time_to_time_t(VALUE); -#endif /* * ASN1_STRING conversions
  73. Download patch ext/openssl/ossl_pkey.c

    --- 2.0.5-1/ext/openssl/ossl_pkey.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkey.c 2018-05-12 06:51:09.000000000 +0000 @@ -92,7 +92,7 @@ pkey_new0(EVP_PKEY *pkey) case EVP_PKEY_DH: return ossl_dh_new(pkey); #endif -#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL) +#if !defined(OPENSSL_NO_EC) case EVP_PKEY_EC: return ossl_ec_new(pkey); #endif @@ -123,15 +123,15 @@ ossl_pkey_new(EVP_PKEY *pkey) * OpenSSL::PKey.read(string [, pwd ]) -> PKey * OpenSSL::PKey.read(io [, pwd ]) -> PKey * - * Reads a DER or PEM encoded string from +string+ or +io+ and returns an + * Reads a DER or PEM encoded string from _string_ or _io_ and returns an * instance of the appropriate PKey class. * * === Parameters - * * +string+ is a DER- or PEM-encoded string containing an arbitrary private + * * _string+ is a DER- or PEM-encoded string containing an arbitrary private * or public key. - * * +io+ is an instance of +IO+ containing a DER- or PEM-encoded + * * _io_ is an instance of IO containing a DER- or PEM-encoded * arbitrary private or public key. - * * +pwd+ is an optional password in case +string+ or +file+ is an encrypted + * * _pwd_ is an optional password in case _string_ or _io_ is an encrypted * PEM resource. */ static VALUE @@ -163,8 +163,8 @@ ossl_pkey_new_from_data(int argc, VALUE return ossl_pkey_new(pkey); } -static void -pkey_check_public_key(EVP_PKEY *pkey) +void +ossl_pkey_check_public_key(const EVP_PKEY *pkey) { void *ptr; const BIGNUM *n, *e, *pubkey; @@ -172,7 +172,8 @@ pkey_check_public_key(EVP_PKEY *pkey) if (EVP_PKEY_missing_parameters(pkey)) ossl_raise(ePKeyError, "parameters missing"); - ptr = EVP_PKEY_get0(pkey); + /* OpenSSL < 1.1.0 takes non-const pointer */ + ptr = EVP_PKEY_get0((EVP_PKEY *)pkey); switch (EVP_PKEY_base_id(pkey)) { case EVP_PKEY_RSA: RSA_get0_key(ptr, &n, &e, NULL); @@ -207,7 +208,7 @@ GetPKeyPtr(VALUE obj) { EVP_PKEY *pkey; - SafeGetPKey(obj, pkey); + GetPKey(obj, pkey); return pkey; } 
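Review bot: The new parameter line `* _string+ is a DER- or PEM-encoded string containing an arbitrary private` in the `OpenSSL::PKey.read` comment mixes the old `+` and the new `_` markup, so the emphasis is never closed and the rendered docs will be garbled. It should read `* _string_ is a DER- or PEM-encoded string containing an arbitrary private`. The comment block starts outside the hunk.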
@@ -220,7 +221,7 @@ GetPrivPKeyPtr(VALUE obj) if (rb_funcallv(obj, id_private_q, 0, NULL) != Qtrue) { ossl_raise(rb_eArgError, "Private key is needed."); } - SafeGetPKey(obj, pkey); + GetPKey(obj, pkey); return pkey; } @@ -230,7 +231,7 @@ DupPKeyPtr(VALUE obj) { EVP_PKEY *pkey; - SafeGetPKey(obj, pkey); + GetPKey(obj, pkey); EVP_PKEY_up_ref(pkey); return pkey; @@ -259,7 +260,7 @@ ossl_pkey_alloc(VALUE klass) * PKeyClass.new -> self * * Because PKey is an abstract class, actually calling this method explicitly - * will raise a +NotImplementedError+. + * will raise a NotImplementedError. */ static VALUE ossl_pkey_initialize(VALUE self) @@ -274,10 +275,10 @@ ossl_pkey_initialize(VALUE self) * call-seq: * pkey.sign(digest, data) -> String * - * To sign the +String+ +data+, +digest+, an instance of OpenSSL::Digest, must - * be provided. The return value is again a +String+ containing the signature. + * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must + * be provided. The return value is again a String containing the signature. * A PKeyError is raised should errors occur. - * Any previous state of the +Digest+ instance is irrelevant to the signature + * Any previous state of the Digest instance is irrelevant to the signature * outcome, the digest instance is reset to its initial state during the * operation. * @@ -298,7 +299,7 @@ ossl_pkey_sign(VALUE self, VALUE digest, int result; pkey = GetPrivPKeyPtr(self); - md = GetDigestPtr(digest); + md = ossl_evp_get_digestbyname(digest); StringValue(data); str = rb_str_new(0, EVP_PKEY_size(pkey)); 
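Review bot: The rewritten `pkey.sign` comment still requires `_digest_` to be an instance of OpenSSL::Digest, while the body in the next hunk now resolves it with `ossl_evp_get_digestbyname(digest)` and the DSA tests in this same diff call `sign("SHA1", data)` with a plain string. If algorithm names are accepted, the doc should say so, e.g. `_digest_ is an OpenSSL::Digest instance or the name of a digest algorithm`. The same wording applies to the `pkey.verify` comment in the following hunk. `ossl_pkey_sign` continues outside the hunk.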
@@ -326,12 +327,12 @@ ossl_pkey_sign(VALUE self, VALUE digest, * call-seq: * pkey.verify(digest, signature, data) -> String * - * To verify the +String+ +signature+, +digest+, an instance of + * To verify the String _signature_, _digest_, an instance of * OpenSSL::Digest, must be provided to re-compute the message digest of the - * original +data+, also a +String+. The return value is +true+ if the + * original _data_, also a String. The return value is +true+ if the * signature is valid, +false+ otherwise. A PKeyError is raised should errors * occur. - * Any previous state of the +Digest+ instance is irrelevant to the validation + * Any previous state of the Digest instance is irrelevant to the validation * outcome, the digest instance is reset to its initial state during the * operation. * @@ -352,8 +353,8 @@ ossl_pkey_verify(VALUE self, VALUE diges int siglen, result; GetPKey(self, pkey); - pkey_check_public_key(pkey); - md = GetDigestPtr(digest); + ossl_pkey_check_public_key(pkey); + md = ossl_evp_get_digestbyname(digest); StringValue(sig); siglen = RSTRING_LENINT(sig); StringValue(data);
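Review bot: The call-seq kept as context in the `pkey.verify` comment reads `pkey.verify(digest, signature, data) -> String`, but the text edited just below it says the method returns +true+ for a valid signature and +false+ otherwise. Since the block is being reworked, the signature line should be corrected to `pkey.verify(digest, signature, data) -> true | false`. A caller reading the current line could treat any returned value as success, so the boolean result and the PKeyError case are worth keeping clearly separate in the doc. `ossl_pkey_verify` continues outside the hunk.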
  74. Download patch test/test_buffering.rb

    --- 2.0.5-1/test/test_buffering.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_buffering.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,9 +1,9 @@ # frozen_string_literal: false require_relative 'utils' -require 'stringio' -class OpenSSL::TestBuffering < OpenSSL::TestCase +if defined?(OpenSSL) +class OpenSSL::TestBuffering < OpenSSL::TestCase class IO include OpenSSL::Buffering @@ -85,5 +85,6 @@ class OpenSSL::TestBuffering < OpenSSL:: end assert_equal([97, 98, 99], res) end +end -end if defined?(OpenSSL::TestUtils) +end
  75. Download patch ext/openssl/ossl_ocsp.c
  76. Download patch ext/openssl/ossl_cipher.c
  77. Download patch ext/openssl/openssl_missing.h

    --- 2.0.5-1/ext/openssl/openssl_missing.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/openssl_missing.h 2018-05-12 06:51:09.000000000 +0000 @@ -12,53 +12,6 @@ #include "ruby/config.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void); -# define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free -#endif - -#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS) -# define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op)) -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_PKEY_BASE_ID) -# define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type) -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy -#endif - -#if !defined(HAVE_HMAC_CTX_COPY) -int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); -# define HMAC_CTX_copy ossl_HMAC_CTX_copy -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL) -# define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl) -#endif - -#if !defined(HAVE_X509_STORE_SET_VERIFY_CB) -# define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func -#endif - -#if !defined(HAVE_I2D_ASN1_SET_ANY) -# define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \ - i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0) -#endif - -#if !defined(HAVE_EVP_PKEY_GET0) -# define EVP_PKEY_get0(pk) (pk->pkey.ptr) -#endif - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID) 
@@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec) #undef IMPL_KEY_ACCESSOR3 #endif /* HAVE_OPAQUE_OPENSSL */ -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG) +#if !defined(EVP_CTRL_AEAD_GET_TAG) # define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG # define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG # define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN @@ -256,6 +209,10 @@ IMPL_PKEY_GETTER(EC_KEY, ec) # define X509_get0_notAfter(x) X509_get_notAfter(x) # define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x) # define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x) +# define X509_set1_notBefore(x, t) X509_set_notBefore(x, t) +# define X509_set1_notAfter(x, t) X509_set_notAfter(x, t) +# define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t) +# define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t) #endif #if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)
  78. Download patch appveyor.yml

    --- 2.0.5-1/appveyor.yml 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/appveyor.yml 2018-05-12 06:51:09.000000000 +0000 @@ -14,12 +14,11 @@ install: $Env:openssl_dir = "C:\msys64\mingw64" } - ruby -v - - openssl version - rake install_dependencies build_script: - - rake -rdevkit compile -- --with-openssl-dir=%openssl_dir% + - rake -rdevkit compile -- --with-openssl-dir=%openssl_dir% --enable-debug test_script: - - rake test + - rake test OSSL_MDEBUG=1 deploy: off environment: matrix:
  79. Download patch lib/openssl/pkey.rb

    --- 2.0.5-1/lib/openssl/pkey.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/pkey.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,44 +1,25 @@ # frozen_string_literal: false -module OpenSSL - module PKey - if defined?(OpenSSL::PKey::DH) +#-- +# Ruby/OpenSSL Project +# Copyright (C) 2017 Ruby/OpenSSL Project Authors +#++ - class DH - # :nodoc: - DEFAULT_1024 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ -AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR -T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC ------END DH PARAMETERS----- - _end_of_pem_ - - # :nodoc: - DEFAULT_2048 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY -JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab -VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 -YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 -1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD -7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ------END DH PARAMETERS----- - _end_of_pem_ - end - - # :nodoc: - DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| - warn "using default DH parameters." if $VERBOSE - case keylen - when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 - when 2048 then OpenSSL::PKey::DH::DEFAULT_2048 - else - nil - end - } - - else - DEFAULT_TMP_DH_CALLBACK = nil +module OpenSSL::PKey + if defined?(EC) + class EC::Point + # :call-seq: + # point.to_bn([conversion_form]) -> OpenSSL::BN + # + # Returns the octet string representation of the EC point as an instance of + # OpenSSL::BN. + # + # If _conversion_form_ is not given, the _point_conversion_form_ attribute + # set to the group is used. + # + # See #to_octet_string for more information. + def to_bn(conversion_form = group.point_conversion_form) + OpenSSL::BN.new(to_octet_string(conversion_form), 2) end end + end end
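Review bot: `DEFAULT_TMP_DH_CALLBACK`, `DH::DEFAULT_1024` and `DH::DEFAULT_2048` no longer exist under `OpenSSL::PKey` after this rewrite, and this section shows no replacement; lib/openssl/ssl.rb is listed as changed but its diff is not displayed. Code that still references the old constant paths would fail with NameError, so a comment here or the release notes should name the new location if there is one. Separately, the literal `2` in `OpenSSL::BN.new(to_octet_string(conversion_form), 2)` deserves a short comment such as `# 2 = binary (big-endian octets) input format for BN.new`.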
  80. Download patch ext/openssl/ossl.c
  81. Download patch ext/openssl/deprecation.rb

    --- 2.0.5-1/ext/openssl/deprecation.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/deprecation.rb 2018-05-12 06:51:09.000000000 +0000 @@ -3,9 +3,6 @@ module OpenSSL def self.deprecated_warning_flag unless flag = (@deprecated_warning_flag ||= nil) if try_compile("", flag = "-Werror=deprecated-declarations") - if /darwin/ =~ RUBY_PLATFORM and with_config("broken-apple-openssl") - flag = "-Wno-deprecated-declarations" - end $warnflags << " #{flag}" else flag = ""
  82. Download patch lib/openssl/ssl.rb
  83. Download patch ext/openssl/ossl_pkey.h

    --- 2.0.5-1/ext/openssl/ossl_pkey.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkey.h 2018-05-12 06:51:09.000000000 +0000 @@ -34,10 +34,6 @@ extern const rb_data_type_t ossl_evp_pke rb_raise(rb_eRuntimeError, "PKEY wasn't initialized!");\ } \ } while (0) -#define SafeGetPKey(obj, pkey) do { \ - OSSL_Check_Kind((obj), cPKey); \ - GetPKey((obj), (pkey)); \ -} while (0) struct ossl_generate_cb_arg { int yield; @@ -48,6 +44,7 @@ int ossl_generate_cb_2(int p, int n, BN_ void ossl_generate_cb_stop(void *ptr); VALUE ossl_pkey_new(EVP_PKEY *); +void ossl_pkey_check_public_key(const EVP_PKEY *); EVP_PKEY *GetPKeyPtr(VALUE); EVP_PKEY *DupPKeyPtr(VALUE); EVP_PKEY *GetPrivPKeyPtr(VALUE);
  84. Download patch test/test_x509attr.rb

    --- 2.0.5-1/test/test_x509attr.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_x509attr.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestX509Attribute < OpenSSL::TestCase def test_new @@ -62,6 +62,23 @@ class OpenSSL::TestX509Attribute < OpenS attr = OpenSSL::X509::Attribute.new("challengePassword", val) assert_equal(attr.to_der, attr.dup.to_der) end + + def test_eq + val1 = OpenSSL::ASN1::Set([ + OpenSSL::ASN1::UTF8String("abc123") + ]) + attr1 = OpenSSL::X509::Attribute.new("challengePassword", val1) + attr2 = OpenSSL::X509::Attribute.new("challengePassword", val1) + ef = OpenSSL::X509::ExtensionFactory.new + val2 = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([ + ef.create_extension("keyUsage", "keyCertSign", true) + ])]) + attr3 = OpenSSL::X509::Attribute.new("extReq", val2) + + assert_equal false, attr1 == 12345 + assert_equal true, attr1 == attr2 + assert_equal false, attr1 == attr3 + end end end
  85. Download patch test/test_cipher.rb

    --- 2.0.5-1/test/test_cipher.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_cipher.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestCipher < OpenSSL::TestCase module Helper @@ -44,6 +44,9 @@ class OpenSSL::TestCipher < OpenSSL::Tes s2 = cipher.update(pt) << cipher.final assert_equal s1, s2 + + cipher2 = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt + assert_raise(ArgumentError) { cipher2.pkcs5_keyivgen(pass, salt, -1, "MD5") } end def test_info @@ -129,7 +132,7 @@ class OpenSSL::TestCipher < OpenSSL::Tes assert_equal ct, cipher.update(pt) << cipher.final cipher = new_decryptor("aes-128-ctr", key: key, iv: iv, padding: 0) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?('aes-128-ctr') + end def test_ciphers OpenSSL::Cipher.ciphers.each{|name| @@ -165,10 +168,8 @@ class OpenSSL::TestCipher < OpenSSL::Tes end def test_authenticated - if has_cipher?('aes-128-gcm') - cipher = OpenSSL::Cipher.new('aes-128-gcm') - assert_predicate(cipher, :authenticated?) - end + cipher = OpenSSL::Cipher.new('aes-128-gcm') + assert_predicate(cipher, :authenticated?) cipher = OpenSSL::Cipher.new('aes-128-cbc') assert_not_predicate(cipher, :authenticated?) end @@ -220,7 +221,7 @@ class OpenSSL::TestCipher < OpenSSL::Tes cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_tag: tag, auth_data: aad) cipher.update(ct2) assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } - end if has_cipher?("aes-128-gcm") + end def test_aes_gcm_variable_iv_len # GCM spec Appendix B Test Case 5 
@@ -243,7 +244,7 @@ class OpenSSL::TestCipher < OpenSSL::Tes assert_equal tag, cipher.auth_tag cipher = new_decryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_tag: tag, auth_data: aad) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?("aes-128-gcm") + end def test_aes_ocb_tag_len # RFC 7253 Appendix A; the second sample @@ -295,7 +296,14 @@ class OpenSSL::TestCipher < OpenSSL::Tes assert_equal ct1, ct2 assert_equal tag1, tag2 - end if has_cipher?("aes-128-gcm") + end + + def test_non_aead_cipher_set_auth_data + assert_raise(OpenSSL::Cipher::CipherError) { + cipher = OpenSSL::Cipher.new("aes-128-cfb").encrypt + cipher.auth_data = "123" + } + end private @@ -312,7 +320,6 @@ class OpenSSL::TestCipher < OpenSSL::Tes kwargs.each {|k, v| cipher.send(:"#{k}=", v) } end end - end end
  86. Download patch test/test_pkey_dh.rb

    --- 2.0.5-1/test/test_pkey_dh.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_pkey_dh.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,29 +1,11 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) && defined?(OpenSSL::PKey::DH) class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase - DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024 - NEW_KEYLEN = 256 - def test_DEFAULT_parameters - list = { - 1024 => OpenSSL::PKey::DH::DEFAULT_1024, - 2048 => OpenSSL::PKey::DH::DEFAULT_2048, - } - - list.each do |expected_size, dh| - assert_equal expected_size, dh.p.num_bits - assert_predicate dh.p, :prime? - result, remainder = (dh.p - 1) / 2 - assert_predicate result, :prime? - assert_equal 0, remainder - assert_no_key dh - end - end - def test_new dh = OpenSSL::PKey::DH.new(NEW_KEYLEN) assert_key(dh) @@ -37,12 +19,13 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKe end def test_DHparams + dh1024 = Fixtures.pkey_dh("dh1024") asn1 = OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(DH1024.p), - OpenSSL::ASN1::Integer(DH1024.g) + OpenSSL::ASN1::Integer(dh1024.p), + OpenSSL::ASN1::Integer(dh1024.g) ]) key = OpenSSL::PKey::DH.new(asn1.to_der) - assert_same_dh dup_public(DH1024), key + assert_same_dh dup_public(dh1024), key pem = <<~EOF -----BEGIN DH PARAMETERS----- @@ -52,14 +35,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKe -----END DH PARAMETERS----- EOF key = OpenSSL::PKey::DH.new(pem) - assert_same_dh dup_public(DH1024), key + assert_same_dh dup_public(dh1024), key - assert_equal asn1.to_der, DH1024.to_der - assert_equal pem, DH1024.export + assert_equal asn1.to_der, dh1024.to_der + assert_equal pem, dh1024.export end def test_public_key - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 + dh = Fixtures.pkey_dh("dh1024") public_key = dh.public_key assert_no_key(public_key) #implies public_key.public? is false! assert_equal(dh.to_der, public_key.to_der) 
@@ -67,14 +50,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKe end def test_generate_key - dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy + dh = Fixtures.pkey_dh("dh1024").public_key # creates a copy assert_no_key(dh) dh.generate_key! assert_key(dh) end def test_key_exchange - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 + dh = Fixtures.pkey_dh("dh1024") dh2 = dh.public_key dh.generate_key! dh2.generate_key!
  87. Download patch ext/openssl/ossl_cipher.h

    --- 2.0.5-1/ext/openssl/ossl_cipher.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_cipher.h 2018-05-12 06:51:09.000000000 +0000 @@ -13,7 +13,7 @@ extern VALUE cCipher; extern VALUE eCipherError; -const EVP_CIPHER *GetCipherPtr(VALUE); +const EVP_CIPHER *ossl_evp_get_cipherbyname(VALUE); VALUE ossl_cipher_new(const EVP_CIPHER *); void Init_ossl_cipher(void);
  88. Download patch debian/patches/0001-test-test_ssl-explicitly-accept-TLS-1.1-in-correspon.patch

    --- 2.0.5-1/debian/patches/0001-test-test_ssl-explicitly-accept-TLS-1.1-in-correspon.patch 2017-08-25 17:39:14.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/patches/0001-test-test_ssl-explicitly-accept-TLS-1.1-in-correspon.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -From: Antonio Terceiro <terceiro@softwarelivre.org> -Date: Fri, 25 Aug 2017 16:21:44 -0300 -Subject: test/test_ssl: explicitly accept TLS 1.1 in corresponding test - -OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in -order to test that TLS 1.1 works, we need to explicitly make our test -client accept it. ---- - test/test_ssl.rb | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/test/test_ssl.rb b/test/test_ssl.rb -index 8c65df9..77dddf5 100644 ---- a/test/test_ssl.rb -+++ b/test/test_ssl.rb -@@ -814,7 +814,8 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1) && OpenSSL::SSL::SSLCont - - def test_tls_v1_1 - start_server_version(:TLSv1_1) { |server, port| -- server_connect(port) { |ssl| assert_equal("TLSv1.1", ssl.ssl_version) } -+ ctx = OpenSSL::SSL::SSLContext.new(:TLSv1_1) -+ server_connect(port, ctx) { |ssl| assert_equal("TLSv1.1", ssl.ssl_version) } - } - end -
  89. Download patch lib/openssl/pkcs5.rb

    --- 2.0.5-1/lib/openssl/pkcs5.rb 1970-01-01 00:00:00.000000000 +0000
    +++ 2.1.1-0ubuntu1/lib/openssl/pkcs5.rb 2018-05-12 06:51:09.000000000 +0000
    @@ -0,0 +1,22 @@
    +# frozen_string_literal: false
    +#--
    +# Ruby/OpenSSL Project
    +# Copyright (C) 2017 Ruby/OpenSSL Project Authors
    +#++
    +
    +module OpenSSL
    + module PKCS5
    + module_function
    +
    + # OpenSSL::PKCS5.pbkdf2_hmac has been renamed to OpenSSL::KDF.pbkdf2_hmac.
    + # This method is provided for backwards compatibility.
    + def pbkdf2_hmac(pass, salt, iter, keylen, digest)
    + OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter,
    + length: keylen, hash: digest)
    + end
    +
    + def pbkdf2_hmac_sha1(pass, salt, iter, keylen)
    + pbkdf2_hmac(pass, salt, iter, keylen, "sha1")
    + end
    + end
    +end
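Review bot: Nothing visible in this diff exercises the positional-to-keyword mapping in `pbkdf2_hmac` (`salt:`, `iterations:`, `length:`, `hash:`), because test/test_pkcs5.rb with its RFC 6070 vectors is deleted in the same upload. Unless the KDF tests (not shown here) call through `OpenSSL::PKCS5`, at least one of those vectors should stay to pin the compatibility shim. `pbkdf2_hmac_sha1` also has no comment; I would add `# Legacy PBKDF2-HMAC-SHA1 helper kept for compatibility; new code should call OpenSSL::KDF.pbkdf2_hmac with an explicit hash.`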
  90. Download patch test/test_pkcs5.rb

    --- 2.0.5-1/test/test_pkcs5.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_pkcs5.rb 1970-01-01 00:00:00.000000000 +0000 
@@ -1,98 +0,0 @@ -# frozen_string_literal: false -require_relative 'utils' - -class OpenSSL::TestPKCS5 < OpenSSL::TestCase - - def test_pbkdf2_hmac_sha1_rfc6070_c_1_len_20 - p ="password" - s = "salt" - c = 1 - dk_len = 20 - raw = %w{ 0c 60 c8 0f 96 1f 0e 71 - f3 a9 b5 24 af 60 12 06 - 2f e0 37 a6 } - expected = [raw.join('')].pack('H*') - value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) - assert_equal(expected, value) - end - - def test_pbkdf2_hmac_sha1_rfc6070_c_2_len_20 - p ="password" - s = "salt" - c = 2 - dk_len = 20 - raw = %w{ ea 6c 01 4d c7 2d 6f 8c - cd 1e d9 2a ce 1d 41 f0 - d8 de 89 57 } - expected = [raw.join('')].pack('H*') - value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) - assert_equal(expected, value) - end - - def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_20 - p ="password" - s = "salt" - c = 4096 - dk_len = 20 - raw = %w{ 4b 00 79 01 b7 65 48 9a - be ad 49 d9 26 f7 21 d0 - 65 a4 29 c1 } - expected = [raw.join('')].pack('H*') - value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) - assert_equal(expected, value) - end - -# takes too long! 
-# def test_pbkdf2_hmac_sha1_rfc6070_c_16777216_len_20 -# p ="password" -# s = "salt" -# c = 16777216 -# dk_len = 20 -# raw = %w{ ee fe 3d 61 cd 4d a4 e4 -# e9 94 5b 3d 6b a2 15 8c -# 26 34 e9 84 } -# expected = [raw.join('')].pack('H*') -# value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) -# assert_equal(expected, value) -# end - - def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_25 - p ="passwordPASSWORDpassword" - s = "saltSALTsaltSALTsaltSALTsaltSALTsalt" - c = 4096 - dk_len = 25 - - raw = %w{ 3d 2e ec 4f e4 1c 84 9b - 80 c8 d8 36 62 c0 e4 4a - 8b 29 1a 96 4c f2 f0 70 - 38 } - expected = [raw.join('')].pack('H*') - value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) - assert_equal(expected, value) - end - - def test_pbkdf2_hmac_sha1_rfc6070_c_4096_len_16 - p ="pass\0word" - s = "sa\0lt" - c = 4096 - dk_len = 16 - raw = %w{ 56 fa 6a a7 55 48 09 9d - cc 37 d7 f0 34 25 e0 c3 } - expected = [raw.join('')].pack('H*') - value = OpenSSL::PKCS5.pbkdf2_hmac_sha1(p, s, c, dk_len) - assert_equal(expected, value) - end - - def test_pbkdf2_hmac_sha256_c_20000_len_32 - #unfortunately no official test vectors available yet for SHA-2 - p ="password" - s = OpenSSL::Random.random_bytes(16) - c = 20000 - dk_len = 32 - digest = OpenSSL::Digest::SHA256.new - value1 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) - value2 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) - assert_equal(value1, value2) - end if OpenSSL::PKCS5.respond_to?(:pbkdf2_hmac) - -end if defined?(OpenSSL::TestUtils)
  91. Download patch lib/openssl/buffering.rb

    --- 2.0.5-1/lib/openssl/buffering.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/lib/openssl/buffering.rb 2018-05-12 06:51:09.000000000 +0000 @@ -63,7 +63,7 @@ module OpenSSL::Buffering end ## - # Consumes +size+ bytes from the buffer + # Consumes _size_ bytes from the buffer def consume_rbuff(size=nil) if @rbuffer.empty? @@ -79,7 +79,7 @@ module OpenSSL::Buffering public ## - # Reads +size+ bytes from the stream. If +buf+ is provided it must + # Reads _size_ bytes from the stream. If _buf_ is provided it must # reference a string which will receive the data. # # See IO#read for full details. @@ -106,7 +106,7 @@ module OpenSSL::Buffering end ## - # Reads at most +maxlen+ bytes from the stream. If +buf+ is provided it + # Reads at most _maxlen_ bytes from the stream. If _buf_ is provided it # must reference a string which will receive the data. # # See IO#readpartial for full details. @@ -136,7 +136,7 @@ module OpenSSL::Buffering end ## - # Reads at most +maxlen+ bytes in the non-blocking manner. + # Reads at most _maxlen_ bytes in the non-blocking manner. # # When no data can be read without blocking it raises # OpenSSL::SSL::SSLError extended by IO::WaitReadable or IO::WaitWritable. @@ -164,9 +164,10 @@ module OpenSSL::Buffering # when the peer requests a new TLS/SSL handshake. See openssl the FAQ for # more details. http://www.openssl.org/support/faq.html # - # By specifying `exception: false`, the options hash allows you to indicate + # By specifying a keyword argument _exception_ to +false+, you can indicate # that read_nonblock should not raise an IO::Wait*able exception, but - # return the symbol :wait_writable or :wait_readable instead. + # return the symbol +:wait_writable+ or +:wait_readable+ instead. At EOF, + # it will return +nil+ instead of raising EOFError. def read_nonblock(maxlen, buf=nil, exception: true) if maxlen == 0 
@@ -189,11 +190,11 @@ module OpenSSL::Buffering end ## - # Reads the next "line" from the stream. Lines are separated by +eol+. If - # +limit+ is provided the result will not be longer than the given number of + # Reads the next "line" from the stream. Lines are separated by _eol_. If + # _limit_ is provided the result will not be longer than the given number of # bytes. # - # +eol+ may be a String or Regexp. + # _eol_ may be a String or Regexp. # # Unlike IO#gets the line read will not be assigned to +$_+. # @@ -219,7 +220,7 @@ module OpenSSL::Buffering ## # Executes the block for every line in the stream where lines are separated - # by +eol+. + # by _eol_. # # See also #gets @@ -231,7 +232,7 @@ module OpenSSL::Buffering alias each_line each ## - # Reads lines from the stream which are separated by +eol+. + # Reads lines from the stream which are separated by _eol_. # # See also #gets @@ -244,7 +245,7 @@ module OpenSSL::Buffering end ## - # Reads a line from the stream which is separated by +eol+. + # Reads a line from the stream which is separated by _eol_. # # Raises EOFError if at end of file. @@ -280,7 +281,7 @@ module OpenSSL::Buffering end ## - # Pushes character +c+ back onto the stream such that a subsequent buffered + # Pushes character _c_ back onto the stream such that a subsequent buffered # character read will return it. # # Unlike IO#getc multiple bytes may be pushed back onto the stream. @@ -307,7 +308,7 @@ module OpenSSL::Buffering private ## - # Writes +s+ to the buffer. When the buffer is full or #sync is true the + # Writes _s_ to the buffer. When the buffer is full or #sync is true the # buffer is flushed to the underlying socket. def do_write(s) 
@@ -335,16 +336,18 @@ module OpenSSL::Buffering public ## - # Writes +s+ to the stream. If the argument is not a string it will be - # converted using String#to_s. Returns the number of bytes written. + # Writes _s_ to the stream. If the argument is not a String it will be + # converted using +.to_s+ method. Returns the number of bytes written. - def write(s) - do_write(s) - s.bytesize + def write(*s) + s.inject(0) do |written, str| + do_write(str) + written + str.bytesize + end end ## - # Writes +s+ in the non-blocking manner. + # Writes _s_ in the non-blocking manner. # # If there is buffered data, it is flushed first. This may block. # @@ -376,9 +379,9 @@ module OpenSSL::Buffering # is when the peer requests a new TLS/SSL handshake. See the openssl FAQ # for more details. http://www.openssl.org/support/faq.html # - # By specifying `exception: false`, the options hash allows you to indicate + # By specifying a keyword argument _exception_ to +false+, you can indicate # that write_nonblock should not raise an IO::Wait*able exception, but - # return the symbol :wait_writable or :wait_readable instead. + # return the symbol +:wait_writable+ or +:wait_readable+ instead. def write_nonblock(s, exception: true) flush @@ -386,8 +389,8 @@ module OpenSSL::Buffering end ## - # Writes +s+ to the stream. +s+ will be converted to a String using - # String#to_s. + # Writes _s_ to the stream. _s_ will be converted to a String using + # +.to_s+ method. def <<(s) do_write(s) @@ -395,7 +398,7 @@ module OpenSSL::Buffering end ## - # Writes +args+ to the stream along with a record separator. + # Writes _args_ to the stream along with a record separator. # # See IO#puts for full details. @@ -415,7 +418,7 @@ module OpenSSL::Buffering end ## - # Writes +args+ to the stream. + # Writes _args_ to the stream. # # See IO#print for full details.
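Review bot: In the `write(*s)` hunk the comment promises that a non-String argument is converted with `.to_s`, but the block calls `str.bytesize` on the argument as passed, so an object without `bytesize` raises NoMethodError after `do_write` has already run. `do_write` is defined outside this hunk, so whether it converts its argument cannot be confirmed here. Converting once at the top of the `inject` block, `str = str.to_s`, keeps the returned byte count consistent with what was handed to `do_write` and makes the code match the documented contract.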
  92. Download patch ext/openssl/ossl_x509attr.c

    --- 2.0.5-1/ext/openssl/ossl_x509attr.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509attr.c 2018-05-12 06:51:09.000000000 +0000 @@ -23,10 +23,6 @@ ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \ } \ } while (0) -#define SafeGetX509Attr(obj, attr) do { \ - OSSL_Check_Kind((obj), cX509Attr); \ - GetX509Attr((obj), (attr)); \ -} while (0) /* * Classes @@ -76,7 +72,7 @@ GetX509AttrPtr(VALUE obj) { X509_ATTRIBUTE *attr; - SafeGetX509Attr(obj, attr); + GetX509Attr(obj, attr); return attr; } @@ -134,7 +130,7 @@ ossl_x509attr_initialize_copy(VALUE self rb_check_frozen(self); GetX509Attr(self, attr); - SafeGetX509Attr(other, attr_other); + GetX509Attr(other, attr_other); attr_new = X509_ATTRIBUTE_dup(attr_other); if (!attr_new) @@ -319,7 +315,7 @@ Init_ossl_x509attr(void) cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject); rb_define_alloc_func(cX509Attr, ossl_x509attr_alloc); rb_define_method(cX509Attr, "initialize", ossl_x509attr_initialize, -1); - rb_define_copy_func(cX509Attr, ossl_x509attr_initialize_copy); + rb_define_method(cX509Attr, "initialize_copy", ossl_x509attr_initialize_copy, 1); rb_define_method(cX509Attr, "oid=", ossl_x509attr_set_oid, 1); rb_define_method(cX509Attr, "oid", ossl_x509attr_get_oid, 0); rb_define_method(cX509Attr, "value=", ossl_x509attr_set_value, 1);
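Review bot: With `SafeGetX509Attr` gone, the only guard against a foreign object reaching `ossl_x509attr_initialize_copy` as `other` (or reaching `GetX509AttrPtr`) is whatever check `GetX509Attr` performs, and that macro's definition starts above the first hunk so it cannot be confirmed from here. If it goes through `TypedData_Get_Struct` with the attribute's `rb_data_type_t`, the dropped `OSSL_Check_Kind` was redundant; I would record that next to the macro, e.g. `/* GetX509Attr raises TypeError for non-Attribute objects, so no separate kind check is needed */`. The same substitution is made in `ossl_pkcs12_initialize_copy` in ext/openssl/ossl_pkcs12.c, and the same question applies there.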
  93. Download patch ext/openssl/ossl_pkey_ec.c
  94. Download patch ext/openssl/ossl.h

    --- 2.0.5-1/ext/openssl/ossl.h 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl.h 2018-05-12 06:51:09.000000000 +0000 @@ -35,6 +35,11 @@ #if !defined(OPENSSL_NO_OCSP) # include <openssl/ocsp.h> #endif +#include <openssl/bn.h> +#include <openssl/rsa.h> +#include <openssl/dsa.h> +#include <openssl/evp.h> +#include <openssl/dh.h> /* * Common Module @@ -56,29 +61,29 @@ extern VALUE eOSSLError; }\ } while (0) -#define OSSL_Check_Instance(obj, klass) do {\ - if (!rb_obj_is_instance_of((obj), (klass))) {\ - ossl_raise(rb_eTypeError, "wrong argument (%"PRIsVALUE")! (Expected instance of %"PRIsVALUE")",\ - rb_obj_class(obj), (klass));\ - }\ -} while (0) - -#define OSSL_Check_Same_Class(obj1, obj2) do {\ - if (!rb_obj_is_instance_of((obj1), rb_obj_class(obj2))) {\ - ossl_raise(rb_eTypeError, "wrong argument type");\ - }\ -} while (0) +/* + * Type conversions + */ +#if !defined(NUM2UINT64T) /* in case Ruby starts to provide */ +# if SIZEOF_LONG == 8 +# define NUM2UINT64T(x) ((uint64_t)NUM2ULONG(x)) +# elif defined(HAVE_LONG_LONG) && SIZEOF_LONG_LONG == 8 +# define NUM2UINT64T(x) ((uint64_t)NUM2ULL(x)) +# else +# error "unknown platform; no 64-bit width integer" +# endif +#endif /* * Data Conversion */ -STACK_OF(X509) *ossl_x509_ary2sk0(VALUE); STACK_OF(X509) *ossl_x509_ary2sk(VALUE); STACK_OF(X509) *ossl_protect_x509_ary2sk(VALUE,int*); VALUE ossl_x509_sk2ary(const STACK_OF(X509) *certs); VALUE ossl_x509crl_sk2ary(const STACK_OF(X509_CRL) *crl); VALUE ossl_x509name_sk2ary(const STACK_OF(X509_NAME) *names); VALUE ossl_buf2str(char *buf, int len); +VALUE ossl_str_new(const char *, long, int *); #define ossl_str_adjust(str, p) \ do{\ long len = RSTRING_LEN(str);\ 
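Review bot: `NUM2UINT64T` in the second hunk casts the result of `NUM2ULONG` or `NUM2ULL`, and as far as I know those conversions wrap a negative Ruby Integer instead of raising, so `-1` would arrive as 2^64-1. The callers are not part of this header, so whether they range-check before converting is not visible here. I would at least record the behaviour at the definition: `/* NOTE: negative Integers wrap to large values; callers must reject them first */`.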
@@ -115,7 +120,6 @@ int ossl_pem_passwd_cb(char *, int, int, /* * ERRor messages */ -#define OSSL_ErrMsg() ERR_reason_error_string(ERR_get_error()) NORETURN(void ossl_raise(VALUE, const char *, ...)); /* Clear OpenSSL error queue. If dOSSL is set, rb_warn() them. */ void ossl_clear_error(void); @@ -123,7 +127,6 @@ void ossl_clear_error(void); /* * String to DER String */ -extern ID ossl_s_to_der; VALUE ossl_to_der(VALUE); VALUE ossl_to_der_if_possible(VALUE); @@ -141,20 +144,9 @@ extern VALUE dOSSL; } \ } while (0) -#define OSSL_Warning(fmt, ...) do { \ - OSSL_Debug((fmt), ##__VA_ARGS__); \ - rb_warning((fmt), ##__VA_ARGS__); \ -} while (0) - -#define OSSL_Warn(fmt, ...) do { \ - OSSL_Debug((fmt), ##__VA_ARGS__); \ - rb_warn((fmt), ##__VA_ARGS__); \ -} while (0) #else void ossl_debug(const char *, ...); #define OSSL_Debug ossl_debug -#define OSSL_Warning rb_warning -#define OSSL_Warn rb_warn #endif /* @@ -173,13 +165,13 @@ void ossl_debug(const char *, ...); #include "ossl_ocsp.h" #include "ossl_pkcs12.h" #include "ossl_pkcs7.h" -#include "ossl_pkcs5.h" #include "ossl_pkey.h" #include "ossl_rand.h" #include "ossl_ssl.h" #include "ossl_version.h" #include "ossl_x509.h" #include "ossl_engine.h" +#include "ossl_kdf.h" void Init_openssl(void);
  95. Download patch test/test_digest.rb

    --- 2.0.5-1/test/test_digest.rb 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test_digest.rb 2018-05-12 06:51:09.000000000 +0000 @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) +if defined?(OpenSSL) class OpenSSL::TestDigest < OpenSSL::TestCase def setup @@ -54,13 +54,10 @@ class OpenSSL::TestDigest < OpenSSL::Tes end def test_digest_constants - algs = %w(MD4 MD5 RIPEMD160 SHA1) - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 + algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) + if !libressl? && !openssl?(1, 1, 0) algs += %w(DSS1 SHA) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - algs += %w(SHA224 SHA256 SHA384 SHA512) - end algs.each do |alg| assert_not_nil(OpenSSL::Digest.new(alg)) klass = OpenSSL::Digest.const_get(alg) 
@@ -73,34 +70,32 @@ class OpenSSL::TestDigest < OpenSSL::Tes check_digest(OpenSSL::ASN1::ObjectId.new("SHA1")) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - def encode16(str) - str.unpack("H*").first - end - - def test_098_features - sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" - sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" - sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" - sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" - - assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a")) - assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) - assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) - assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) - - assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) - assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) - assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) - assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) - end + def encode16(str) + str.unpack("H*").first + end - def test_digest_by_oid_and_name_sha2 - check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) - end + def test_sha2 + sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" + sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" + sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" + sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" + + assert_equal(sha224_a, 
OpenSSL::Digest::SHA224.hexdigest("a")) + assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) + assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) + assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) + + assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) + assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) + assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) + assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) + end + + def test_digest_by_oid_and_name_sha2 + check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) end def test_openssl_digest @@ -121,14 +116,6 @@ class OpenSSL::TestDigest < OpenSSL::Tes d = OpenSSL::Digest.new(oid.oid) assert_not_nil(d) end - - def libressl? - OpenSSL::OPENSSL_VERSION.include?('LibreSSL') - end - - def version_since(verary) - (OpenSSL::OPENSSL_LIBRARY_VERSION.scan(/\d+/).map(&:to_i) <=> verary) != -1 - end end end
  96. Download patch ext/openssl/ossl_kdf.c
  97. Download patch test/fixtures/pkey/dsa512.pem

    --- 2.0.5-1/test/fixtures/pkey/dsa512.pem 1970-01-01 00:00:00.000000000 +0000
    +++ 2.1.1-0ubuntu1/test/fixtures/pkey/dsa512.pem 2018-05-12 06:51:09.000000000 +0000
    @@ -0,0 +1,8 @@
    +-----BEGIN DSA PRIVATE KEY-----
    +MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
    +RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
    +AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
    +S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
    +Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
    +55jreJD3Se3slps=
    +-----END DSA PRIVATE KEY-----
  98. Download patch ext/openssl/ossl_pkcs12.c

    --- 2.0.5-1/ext/openssl/ossl_pkcs12.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_pkcs12.c 2018-05-12 06:51:09.000000000 +0000 @@ -17,11 +17,6 @@ if(!(p12)) ossl_raise(rb_eRuntimeError, "PKCS12 wasn't initialized."); \ } while (0) -#define SafeGetPKCS12(obj, p12) do { \ - OSSL_Check_Kind((obj), cPKCS12); \ - GetPKCS12((obj), (p12)); \ -} while (0) - #define ossl_pkcs12_set_key(o,v) rb_iv_set((o), "@key", (v)) #define ossl_pkcs12_set_cert(o,v) rb_iv_set((o), "@certificate", (v)) #define ossl_pkcs12_set_ca_certs(o,v) rb_iv_set((o), "@ca_certs", (v)) @@ -72,7 +67,7 @@ ossl_pkcs12_initialize_copy(VALUE self, rb_check_frozen(self); GetPKCS12(self, p12_old); - SafeGetPKCS12(other, p12); + GetPKCS12(other, p12); p12_new = ASN1_dup((i2d_of_void *)i2d_PKCS12, (d2i_of_void *)d2i_PKCS12, (char *)p12); if (!p12_new) 
@@ -89,20 +84,20 @@ ossl_pkcs12_initialize_copy(VALUE self, * PKCS12.create(pass, name, key, cert [, ca, [, key_pbe [, cert_pbe [, key_iter [, mac_iter [, keytype]]]]]]) * * === Parameters - * * +pass+ - string - * * +name+ - A string describing the key. - * * +key+ - Any PKey. - * * +cert+ - A X509::Certificate. + * * _pass_ - string + * * _name_ - A string describing the key. + * * _key_ - Any PKey. + * * _cert_ - A X509::Certificate. * * The public_key portion of the certificate must contain a valid public key. * * The not_before and not_after fields must be filled in. - * * +ca+ - An optional array of X509::Certificate's. - * * +key_pbe+ - string - * * +cert_pbe+ - string - * * +key_iter+ - integer - * * +mac_iter+ - integer - * * +keytype+ - An integer representing an MSIE specific extension. + * * _ca_ - An optional array of X509::Certificate's. + * * _key_pbe_ - string + * * _cert_pbe_ - string + * * _key_iter_ - integer + * * _mac_iter_ - integer + * * _keytype_ - An integer representing an MSIE specific extension. * - * Any optional arguments may be supplied as nil to preserve the OpenSSL defaults. + * Any optional arguments may be supplied as +nil+ to preserve the OpenSSL defaults. * * See the OpenSSL documentation for PKCS12_create(). */ @@ -161,8 +156,8 @@ ossl_pkcs12_s_create(int argc, VALUE *ar * PKCS12.new(str, pass) -> pkcs12 * * === Parameters - * * +str+ - Must be a DER encoded PKCS12 string. - * * +pass+ - string + * * _str_ - Must be a DER encoded PKCS12 string. + * * _pass_ - string */ static VALUE ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self) 
@@ -252,7 +247,7 @@ Init_ossl_pkcs12(void) rb_define_singleton_method(cPKCS12, "create", ossl_pkcs12_s_create, -1); rb_define_alloc_func(cPKCS12, ossl_pkcs12_s_allocate); - rb_define_copy_func(cPKCS12, ossl_pkcs12_initialize_copy); + rb_define_method(cPKCS12, "initialize_copy", ossl_pkcs12_initialize_copy, 1); rb_attr(cPKCS12, rb_intern("key"), 1, 0, Qfalse); rb_attr(cPKCS12, rb_intern("certificate"), 1, 0, Qfalse); rb_attr(cPKCS12, rb_intern("ca_certs"), 1, 0, Qfalse);
  99. Download patch ext/openssl/ossl_x509.c

    --- 2.0.5-1/ext/openssl/ossl_x509.c 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/ext/openssl/ossl_x509.c 2018-05-12 06:51:09.000000000 +0000 @@ -20,15 +20,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALU { time_t sec; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); return X509_time_adj_ex(s, off_days, 0, &sec); -#else - sec = time_to_time_t(time); - return X509_time_adj(s, 0, &sec); -#endif } void @@ -112,21 +107,15 @@ Init_ossl_x509(void) DefX509Const(V_FLAG_INHIBIT_MAP); /* Set by Store#flags= and StoreContext#flags=. */ DefX509Const(V_FLAG_NOTIFY_POLICY); -#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT) /* Set by Store#flags= and StoreContext#flags=. Enables some additional * features including support for indirect signed CRLs. */ DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT); -#endif -#if defined(X509_V_FLAG_USE_DELTAS) /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not * specified, deltas are ignored. */ DefX509Const(V_FLAG_USE_DELTAS); -#endif -#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE) /* Set by Store#flags= and StoreContext#flags=. Enables checking of the * signature of the root self-signed CA. */ DefX509Const(V_FLAG_CHECK_SS_SIGNATURE); -#endif #if defined(X509_V_FLAG_TRUSTED_FIRST) /* Set by Store#flags= and StoreContext#flags=. When constructing a * certificate chain, search the Store first for the issuer certificate. @@ -161,10 +150,8 @@ Init_ossl_x509(void) DefX509Const(PURPOSE_ANY); /* Set by Store#purpose=. OCSP helper. */ DefX509Const(PURPOSE_OCSP_HELPER); -#if defined(X509_PURPOSE_TIMESTAMP_SIGN) /* Set by Store#purpose=. Time stamps signer. */ DefX509Const(PURPOSE_TIMESTAMP_SIGN); -#endif DefX509Const(TRUST_COMPAT); DefX509Const(TRUST_SSL_CLIENT); 
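Review bot: `return X509_time_adj_ex(s, off_days, 0, &sec);` in ossl_x509_time_adjust hands the library result straight back, and with the `#else` fallback removed it is now the only path, so the failure contract should be written down. X509_time_adj_ex returns NULL on error, and the callers that would have to test for that are not visible in this hunk. I would add `/* Returns NULL on failure; the caller must check the result and raise. */` above the function. The function's opening lines lie outside the hunk.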
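Review bot: In Init_ossl_x509 the guards around `V_FLAG_EXTENDED_CRL_SUPPORT`, `V_FLAG_USE_DELTAS` and `V_FLAG_CHECK_SS_SIGNATURE` are dropped, while `#if defined(X509_V_FLAG_TRUSTED_FIRST)` directly below stays conditional with no explanation. The same mix results from the `PURPOSE_TIMESTAMP_SIGN` hunk and the `TRUST_TSA` hunk that follow. These constants select certificate-verification behaviour, so a reader should be able to tell which of them always exist and which depend on the linked library, presumably on its version. A short comment before the remaining guard would cover it, e.g. `/* Constants above are always defined; those guarded below depend on the OpenSSL build. */`. Init_ossl_x509 extends beyond each of these hunks.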
@@ -173,9 +160,7 @@ Init_ossl_x509(void) DefX509Const(TRUST_OBJECT_SIGN); DefX509Const(TRUST_OCSP_SIGN); DefX509Const(TRUST_OCSP_REQUEST); -#if defined(X509_TRUST_TSA) DefX509Const(TRUST_TSA); -#endif DefX509Default(CERT_AREA, cert_area); DefX509Default(CERT_DIR, cert_dir);
  100. Download patch docker-compose.yml

    --- 2.0.5-1/docker-compose.yml 2017-08-08 09:29:07.000000000 +0000 +++ 2.1.1-0ubuntu1/docker-compose.yml 2018-05-12 06:51:09.000000000 +0000 @@ -3,11 +3,10 @@ compile: &defaults environment: RUBY_VERSION: OPENSSL_VERSION: - MDEBUG: command: rake compile test: <<: *defaults - command: rake compile test + command: rake compile test OSSL_MDEBUG=1 -- --enable-debug debug: <<: *defaults command: /bin/bash